Instant Download with all chapters and Answers
*you will get solution manuals in PDF in best viewable format after buy*
Chapter 2, Overview of an Integrated Audit
A1 What is the term for an engagement to audit both the financial statements and
A2 What entity sets standards for audits of U.S. public companies? Nonpublic
A3 What is the difference between audits performed under PCAOB and AICPA
Audits performed for public companies (SEC registrants) are performed under
SEC registrants and include an audit of ICFR and an audit of financial statements that
must be performed as a single engagement. Audits of nonpublic companies under AICPA
standards address only the financial statements.
B1 What is the set of standards for internal control most frequently used in the
COSO Internal Control Framework
B2 What is the set of standards against which U.S. financial statements are usually
analyzed in an audit?
Generally Accepted Accounting Principles (GAAP)
B3 What are the client prerequisites in order for an audit to be performed?
Auditor confidence in management integrity
C1 What are preliminary engagement procedures?
Client acceptance or continuance
Establishing an understanding about the terms of the engagement with the client
Confirming the auditors independence, and in the first year of an audit of a public
company communicating that independence in writing to the audit committee
C2 What is the client acceptance and continuance process?
An active decision process regarding whether to perform the audit for the
company. It involves determining whether the auditor wants to be associated with the
client, is capable of providing the services required and the proposal process.
C3 What is ICFR?
Internal control over financial reporting (ICFR) is a process designed by, or under
the supervision of, the company’s principal executive and principal financial officers, or
persons performing similar functions, and effected by the company’s board of directors,
management, and other personnel, to provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financial statements for external
purposes in accordance with GAAP.
C4 In general, how does the auditor obtain information about the client company
for planning and risk assessment?
The auditor obtains this information through
a. Information gathered in the client acceptance or continuance process
b. Understanding the management information system
c. Understanding the accounting information system and ICFR
d. Information obtained while reviewing interim reports filed with the SEC in
the case of public companies
e. Documentation created by management for its assessment of the effectiveness
C5 What are audit planning and risk assessment considered together, early in the
The initial audit planning process is grouped with risk assessment because as the
audit team obtains information about the nature of a client’s business, important
transactions and accounting information system, including internal control over financial
reporting, it can make preliminary decisions about the audit procedures necessary. The
procedures are planned to target the “risks” of the client, which can be important
accounts, characteristics and weaknesses. Once the auditor understands and assesses the
important characteristics or risks of the company, the preliminary audit plan can be
designed with audit procedures to collect evidence on those important areas.
C6 What does it mean when we say that an auditor assesses the design effectiveness
of the system?
The auditor considers the controls built into the system and decides whether those
controls are appropriate for the risks that are important to the company’s business and its
ability to prepare fair financial statements for external use. The assessment of design
effectiveness addresses only the controls that are described to the auditor as being in
place, and extends to investigating whether it seems that the controls actually exist.
Assessing design effectiveness does not gather evidence on whether the controls actually
C7 Why does audit planning continue throughout the audit? Give an example of
why the auditor might revise planning after testing the operating effectiveness of a
Audit planning is a continuous activity that is performed over the duration of the
audit because information collected during the audit can cause the audit team to revisit
and revise the audit plan.
The auditor might revise planning after testing the operating effectiveness of a
company’s controls if it is determined that the controls were not operating effectively.
This would require the auditor to modify the planned procedures, first to be sure that the
audit evidence collected is correct, and if so, then to obtain evidence needed to express an
opinion on the fairness of the financial statements. More evidence would be needed for
the financial statement audit than originally expected if, when planning the financial
statement audit, the auditor assumed the ICFR was effective.
C8 What audit results cause a preliminary conclusion that internal control over
financial reporting is effective?
Results indicating that controls are properly designed, implemented, and are
operating as described.
C9 What are substantive audit procedures?
Procedures that collect evidence on the company’s financial accounts and
C10 What are the final steps of an integrated audit?
Numerous steps include: reviews, obtaining specific communications from the
company’s management and lawyers, making a final conclusion on the appropriate audit
opinions, making specific communications from the auditor to management and the audit
committee, issuing the audit opinions.
D1 What is the relationship between management’s financial statement assertions
and audit evidence?
In preparing the company’s financial statements management makes
representations about the information that are called assertions. The assertions indicate
what management is communicating about information included in the financial
statements. In its report filed with the SEC, management also asserts whether the system
of internal control over financial reporting operates effectively at the report date. In order
to express an opinion on the fairness of the financial statements and effectiveness of
ICFR, the auditor is required to collect evidence supporting the audit conclusion. This is
accomplished by examining audit evidence about the correspondence between the
assertions and the actual events, activities and conditions of the company.
D2 What is the relationship between due professional and negligence?
If an auditor exercises due professional care he or she is not behaving in a
D3 Do auditors need to find immaterial financial statement misstatements?
No, only those that would make the financial statements materially misleading.
D4 What is sufficient competent (appropriate) evidence? What is the trade-off
between sufficient and appropriate?
The auditor must accumulate enough evidence – in other words, sufficient
evidence. Evidence may vary in its quality (reliability) and relation to the assertion the
auditor is examining (relevance) – thus may vary in its level of appropriateness. When
evidence has a higher degree of appropriateness, it may take less of it to be sufficient.
D5 What is the difference between convincing and persuasive evidence?
Convincing evidence would be the ideal type of audit evidence supporting an
auditor’s conclusion beyond all doubt. Because of the possibility of fraud (and other
limitations) audit evidence is never convincing. Persuasive evidence, while not
convincing, provide strong support for the audit conclusion. Audit evidence is usually
D6 How does the source of evidence affect its reliability?
Evidence obtained from external sources or that comes directly to the auditor
(direct personal knowledge) has higher reliability than evidence generated inside the
company. This is logical since, unless the outsider is in collusion with the audit client,
information coming from the outsider has less of a chance of being manipulated or
changed. Evidence coming directly from the outsider to the auditor has the highest
reliability (like a confirmation); evidence coming from an outsider through the client to
the auditor (like an invoice or statement) has the next level of reliability. Evidence
generated within a client generally is viewed as having the lowest level of reliability.
However, the reliability of internally generated evidence is enhanced when it is produced
by a system with good internal controls.
(As you will learn later, auditors have much more concern over internal
transactions developed outside the controls – like adjusting entries that management
prepares as the financial statements are drafted – than over routine transactions like
typical sales that occur under a tested and strong system of ICFR.)
D7 When is evidence relevant?
Evidence is relevant when it relates to the audit conclusion being addressed.
D8 What is audit risk?
Audit risk is the likelihood that the auditor will issue an opinion stating that the
financial statements are fair or the ICFR is effective when that is not correct.
E1 What might influence an audit firm’s decision about whether it wants a company
as a client?
The company’s reputation
The company’s industry or nature of the company’s business
Financial condition of the company
Size of the company
Audit fee and ability of the audit firm to make a profit on the engagement
E2 What considerations help the audit firm decide whether it can effectively
perform an audit?
Does the firm have expertise in the client’s industry?
Does the firm have the resources needed to successfully complete the engagement
within the timeframe required? Enough people available generally? Enough people at the
right hierarchical levels? Enough people with the needed industry knowledge? Enough
people with any special knowledge required (experience with public companies, IT,
E3 What is engagement risk? How does the auditor reduce this risk during the
client acceptance process?
Engagement risk is the overall risk to the audit firm of being associated with a
client. It includes risks like being involved in litigation, not making a profit on the
engagement, and experiencing damage to the firm’s reputation. Engagement risk is
a. Verifying the firm’s understanding of the client’s situation and needs to be
sure the risk of performing the engagement is within the range it is willing to
b. Conducting comprehensive discussions with the company about its
organization and functioning.
c. Accessing any publicly available information about the company as well as
talking to the company’s prior auditors and when possible resources like the
company’s lawyers and bankers.
d. Conducting media searches and other investigations.
E4 What are other preliminary engagement procedures beyond client acceptance
Prepare an engagement letter and have it signed by the client.
Confirm that the firm is independent of the client. In the first year audit of a
public company, the audit firm must confirm its independence and communicate this in
writing to the audit committee prior to accepting the engagement. In practice, this is
actually more a re-confirming rather than confirming because the audit firm will have
assured that it is independent (or will quickly become independent) of the client company
before going through the process of proposing on the engagement.
F1 How do planning and risk assessment procedures change in subsequent years
after the auditor has already audited the client the first time?
Audit planning and risk assessment is likely easier in subsequent year audits
because the auditor is updating previous knowledge about the client company, and
considering any changes that the company has experienced.
F2 What sources of information about the client company are available early in
planning and risk assessment?
Information from prior audit(s)
Information obtained during the client acceptance and continuance process
The work performed on the quarterly information filed with the SEC.
Any documentation the client has prepared of its ICFR.
F3 What procedure does the auditor use to assess the risk of fraud early in the
Consider information obtained during client acceptance and continuance
Inquiry of management on risk of fraud and the company’s fraud controls
Brainstorming session of the audit team
Professional judgment based on what the auditor knows about the client
F4 What are entity-level controls? Why are they important?
Controls that exist throughout the company, for example, policies and procedures
and IT general controls (ITGC). Entity level controls are important because they are the
one of the first considerations in the “top down” approach to a audit.
(As you will learn later, entity level controls can provide various levels of controls
to a company. They may be very general such as the existence, use and enforcement of a
company Code of Ethics. They may be more specific — required in order for other
controls to be effective – such as an overall requirement for security over computer
access that makes other computer controls more reliable. Or, entity level controls can
actually provide control that is sufficiently specific for the auditor to rely on it when
considering the fairness of the financial statements. An example of this is when the
company uses the same IT system throughout its organizational structure, and the system
has very specific and effective controls that prevent entry of non-routine transactions
from any locations or by any person lacking a high level of clearance.)
F5 What is remediation of internal control problems?
This term refers to the process of management correcting ICFR problems.
F6 What is included in audit documentation? What is an audit plan document?
Audit documentation includes a record of the work performed by the auditor and
evidence obtained to enable the auditor to express an opinion on the various management
assertions of the financial statements and ICFR. The auditor begins building
documentation during client acceptance or continuance, an the process of documenting
continues until the audit is completed. The term audit plan typically is used to refer to the
document that specifies what procedures are to be followed, linking them to the accounts,
assertions and risks.
G1 What is a test of controls?
A test of controls is a test to determine whether a control is functioning as
designed. In other words, it targets operating effectiveness of an ICFR.
G2 How does an auditor perform an analytical procedure? What might be an
Analytical procedures primarily address amounts, trends, etc. that have an
expected systematic relationship. These procedures can address amounts within a single
year’s financial statements, trends across years or the relationship of the company’s
situation to events external to the company. An easy to understand example of an
analytical procedure is comparing the principle amount of debt to the interest expense
recorded for that debt. A clear cut relationship is expected between the two amounts.
Before relying on analytical procedures the audit must determine that the
underlying information is complete and has been prepared under a system of effective
G3 How are tests of details of balances different from tests of controls and dual
purpose tests? How are tests of details of balances related to evidence?
Tests of controls examine whether an ICFR is operating as expected. Tests of
details of balances examine audit evidence to determine the level of correspondence
between what a company shows in its accounting records and financial statements and
the underlying evidence. Dual purpose tests is the term used for an audit procedure that
uses the same item of evidence to accomplish the purpose of both a test of controls and a
test of details of a balance. Tests of details of balances usually include some kind of
documentary evidence. Tests of controls may include documentary evidence, but some
controls tests, such as observing an employee performing an activity, do not. If a test of
controls does not utilize documentary evidence it probably cannot be combined with a
test of details of balances to form a dual purposes test.
G4 What is detection risk, and how does the definition relate to inherent risk and
Detection risk is the risk that an audit procedure will fail to detect a financial
statement misstatement or an internal control weakness.
H1 What entity creates the auditing standards that are followed in the audit of a
H2 What is the fundamental difference in the audit purpose and reports for a public
and nonpublic company?
A public company is required to have an integrated audit of the financial
statements and management’s report on ICFR that are included in the 10K and filed with
the SEC. A nonpublic company is not required by law or regulation to have an audit. If it
chooses to have an audit (or is required to by, for example, lenders or minority
shareholders) the audit provides an opinion only on the financial statements.
(As is presented in later chapters, a nonpublic company may hire an auditor to
perform an examination of ICFR, but this type of engagement is covered under the
AICPA attestation standards – not the AICPA audit standards.)
H3 Why might the auditor of a nonpublic company choose to omit testing of
The auditor of a nonpublic company must understand the company’s information
system and must identify and address the company’s significant risks. However, the
auditor is not required by the AICPA auditing standards to test the operating
effectiveness of an audit client’s internal controls. An auditor may choose to test the
operating effectiveness of a company’s ICFR. This is more likely to happen if it is
expected that the results of those tests will permit the auditor to rely to a greater extent on
the client’s system to produce reliable financial information, and as a result reduce the
substantive testing that must be performed in order to accumulate persuasive audit
I1 What are the generally accepted auditing standards, and what do they mean?
The 10 GAAS are the underpinning for all the more detailed auditing standards.
The 10 GAAS (general, field work and report) all apply to financial statement audits.
Only the general standards apply to an audit of ICFR.
I2 What is the source of the field work and reporting standards for an audit of
PCAOB AS 5, An Audit of Internal Control Over Financial Reporting That is
Integrated with an Audit of Financial Statements