END OF CHAPTER MATERIAL

CONCEPT CHECK

1. 1. Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings?
   1. Financial statement audits
   2. Operational audits
   3. Regulatory audits
   4. Compliance audits
2. 2. Financial statement audits are required to be performed by
   1. government auditors
   2. CPAs
   3. internal auditors
   4. IT auditors
3. 3. Which of the following is not considered a cause of information risk?
   1. Management's geographic location is far from the source of the information needed to make effective decisions.
   2. The information is collected and prepared by persons who use the information for very different purposes.
   3. The information relates to business activities that are not well understood by those who collect and summarize the information for decision makers.
   4. The information has been tested by internal auditors and a CPA firm.
4. 4. Which of the following is not a part of generally accepted auditing standards?
   1. General standards
   2. Standards of fieldwork
   3. Standards of information systems
   4. Standards of reporting
5. 5. Which of the following best describes what is meant by the term “generally accepted auditing standards”?
   1. Procedures used to gather evidence to support the accuracy of a client's financial statements
   2. Measures of the quality of an auditor's conduct in carrying out professional responsibilities
   3. Professional pronouncements issued by the Auditing Standards Board
   4. Rules acknowledged by the accounting profession because of their widespread application
6. 6. In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to
   1. document the auditor's understanding of the client company's internal controls
   2. search for weaknesses in the operation of the client company's internal controls
   3. perform tests of controls to evaluate the effectiveness of the client company's internal controls
   4. determine whether controls are appropriately operating to prevent or detect material misstatements
7. 7. Auditors should develop a written audit program so that
   1. all material transactions will be included in substantive testing
   2. substantive testing performed prior to year end will be minimized
   3. the procedures will achieve specific audit objectives related to specific management assertions
   4. each account balance will be tested under either a substantive test or a test of controls
8. 8. Which of the following audit objectives relates to the management assertion of existence?
   1. A transaction is recorded in the proper period.
   2. A transaction actually occurred (i.e., it is real).
   3. A transaction is properly presented in the financial statements.
   4. A transaction is supported by detailed evidence.
9. 9. Which of the following statements regarding an audit program is true?
   1. An audit program should be standardized so it may be use on any client engagement.
   2. The audit program should be completed by the client company before the audit planning stage begins.
   3. An audit program should be developed by the internal auditor during the audit's completion/reporting phase.
   4. An audit program establishes responsibility for each audit test by requiring the signature or initials of the auditor who performed the test.
10. 10. Risk assessment is a process designed to
    1. identify possible circumstances and events that may effect the business
    2. establish policies and procedures to carry out internal controls
    3. identify and capture information in a timely manner
    4. test the internal controls throughout the year
11. 11. Which of the following audit procedures is most likely to be performed during the planning phase of the audit?
    1. Obtain an understanding of the client's risk assessment process.
    2. Identify specific internal control activities that are designed to prevent fraud.
    3. Evaluate the reasonableness of the client's accounting estimates.
    4. Test the timely cutoff of cash payments and collections.
12. 12. Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer?
    1. The time involved in testing processing controls is significant.
    2. The cost involved in testing processing controls is significant.
    3. A portion of the audit trail is not tested.
    4. The technical expertise required to test processing controls is extensive.
13. 13. The primary objective of compliance testing in a financial statement audit is to determine whether
    1. procedures have been updated regularly
    2. financial statement amounts are accurately stated
    3. internal controls are functioning as designed
    4. collusion is taking place
14. 14. Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor's control to periodically test controls in the client's computer system?
    1. Test data method
    2. Embedded audit module
    3. Integrated test facility
    4. Parallel simulation
15. 15. Which of the following computer assisted auditing techniques allows fictitious and real transactions to be processed together without client personnel being aware of the testing process?
    1. Test data method
    2. Embedded audit module
    3. Integrated test facility
    4. Parallel simulation
16. 16. Which of the following is a general control to test for external access to a client's computerized systems?
    1. Penetration tests
    2. Hash totals
    3. Field checks
    4. Program tracing
17. 17. Suppose that during the planning phase of an audit, the auditor determines that weaknesses exist in the client's computerized systems. These weaknesses make the client company susceptible to the risk of an unauthorized break-in. Which type of audit procedures should be emphasized in the remaining phases of this audit?
    1. Tests of controls
    2. Penetration tests
    3. Substantive tests
    4. Rounding errors tests
18. 18. Generalized audit software can be used to
    1. examine the consistency of data maintained on computer files
    2. perform audit tests of multiple computer files concurrently
    3. verify the processing logic of operating system software
    4. process test data against master files that contain both real and fictitious data
19. 19. Independent auditors are generally actively involved in each of the following tasks except
    1. preparation of a client's financial statements and accompanying notes
    2. advising client management as to the applicability of a new accounting standard
    3. proposing adjustments to a client's financial statements
    4. advising client management about the presentation of the financial statements
20. 20. Which of the following is most likely to be an attribute unique to the financial statement audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions?
    1. Due professional care
    2. Competence
    3. Independence
    4. A complex underlying body of professional knowledge
21. 21. Which of the following terms is not associated with a financial statement auditor's requirement to maintain independence?
    1. Objectivity
    2. Neutrality
    3. Professional skepticism
    4. Competence

DISCUSSION QUESTIONS

1. 22. (SO 1) What are assurance services? What value do assurance services provide?
2. 23. (SO 2) Differentiate between a compliance audit and an operational audit.
3. 24. (SO 2) Which type of audit is most likely to be performed by government auditors? Which type of audit is most likely to be performed by internal auditors?
4. 25. (SO 2) Identify the three areas of an auditor's work that are significantly impacted by the presence of IT accounting systems.
5. 26. (SO 3) Describe the three causes of information risk.
6. 27. (SO 3) Explain how an audit trail might get “lost” within a computerized system.
7. 28. (SO 3) Explain how the presence of IT processes can improve the quality of information that management uses for decision making.
8. 29. (SO 4) Distinguish among the focuses of the GAAS standards of fieldwork and standards of reporting.
9. 30. (SP 4) Which professional standard-setting organization provides guidance on the conduct of an IT audit?
10. 31. (SO 5) If management is responsible for its own financial statements, why are auditors important?
11. 32. (SO 6) List the techniques used for gathering evidence.
12. 33. (SO 6) During which phase of an audit would an auditor consider risk assessment and materiality?
13. 34. (SO 7) Distinguish between auditing through the computer and auditing with the computer. When are auditors required to audit through the computer as opposed to auditing around the computer?
14. 35. (SO 8) Explain why it is customary to complete the testing of general controls before testing applications controls.
15. 36. (SO 8) Identify four important aspects of administrative control in an IT environment.
16. 37. (SO 8) Explain why Benford's Law is useful to auditors in the detection of fraud.
17. 38. (SO 8) Think about a place you have worked where computers were present. What are some physical and environmental controls that you have observed in the workplace? Provide at least two examples of each from your personal experience.
18. 39. (SO 8) Batch totals and hash totals are common input controls. Considering the fact that hash totals can be used with batch processing, differentiate between these two types of controls.
19. 40. (SO 8) The test data method and an integrated test facility are similar in that they are both tests of applications controls and they both rely on the use of test data. Explain the difference between these two audit techniques.
20. 41. (SO 9) Explain the necessity for performing substantive testing even for audit clients with strong internal controls and sophisticated IT systems.
21. 42. (SO 9) What kinds of audit tools are used to perform routine tests on electronic data files taken from databases? List the types of tests that can be performed with these tools.
22. 43. (SO 10) Which of the four types of audit reports is the most favorable for an audit client? Which is the least favorable?
23. 44. (SO 10) Why is it so important to obtain a letter of representation from an audit client?
24. 45. (SO 11) How can auditors evaluate internal controls when their clients use IT outsourcing?
25. 46. (SO 12) An auditor's characteristic of professional skepticism is most closely associated with which ethical principle of the AICPA Code of Professional Conduct?

BRIEF EXERCISES

1. 47. (SO 2) Why is it necessary for a CPA to be prohibited from having financial or personal connections with a client? Provide an example of how a financial connection to a company would impair an auditor's objectivity. Provide an example of how a personal relationship might impair an auditor's objectivity.
2. 48. (SO 3) From an internal control perspective, discuss the advantages and disadvantages of using IT-based accounting systems.
3. 49. (SO 4) Explain why standards of fieldwork for GAAS are not particularly helpful to an auditor who is trying to determine the types of testing to be used on an audit engagement.
4. 50. (SO 5) Ping and Pong are assigned to perform the audit of Paddle Company. During the audit, it was discovered that the amount of sales reported on Paddle's income statement was understated because one week's purchasing transactions were not recorded due to a computer glitch. Ping claims that this problem represents a violation of the management assertion regarding existence, because the reported account balance was not real. Pong argues that the completeness assertion was violated, because relevant data was omitted from the records. Which auditor is correct? Explain your answer.
5. 51. (SO 6) One of the most important tasks of the planning phase is for the auditor to gain an understanding of internal controls. How does this differ from the tasks performed during the tests of controls phase?
6. 52. (SO 8) How is it possible that a review of computer logs can be used to test for both internal access controls and external access controls? Other than reviewing the computer logs, identify and describe two types of audit procedures performed to test internal access controls, and two types of audit procedures performed to test external access controls.
7. 53. (SO 9) Explain why continuous auditing is growing in popularity. Identify and describe a computer-assisted audit technique useful for continuous auditing.
8. 54. (SO 11) Distinguish between the various service organization controls (SOC) reporting options available to auditors who evaluate cloud computing service providers.

PROBLEMS

1. 55. (SO 4) Given is a list of audit standard-setting bodies (shown on the left) and a description of their purpose (shown on the right). Match each standard-setting body with its purpose.

   

2. 56. (SO 8) Identify whether each of the following audit tests is used evaluate internal access controls (I), external access controls (E), or both (B):
   • Authenticity tests
   • Penetration tests
   • Vulnerability assessments
   • Review of access logs
   • Review of policies concerning the issuance of passwords and security tokens
3. 57. (SO 9) Refer to the notes payable audit program excerpt presented in Exhibit 7-3. If an auditor had a copy of this client's data file for its notes receivable, how could a general audit software or data analysis software package be used to assist with these audit tests?
4. 58. (SO 11) In order to preserve auditor independence, the Sarbanes–Oxley Act of 2002 restricts the types of nonaudit services that auditors can perform for their public-company audit clients. The list includes nine types of services that are prohibited because they are deemed to impair an auditor's independence. Included in the list are the following:
   • Financial information systems design and implementation
   • Internal audit outsourcing

   Describe how an auditor's independence could be impaired if she performed IT design and implementation functions for her audit client. Likewise, how could an auditor's involvement with internal audit outsourcing impair his or her independence with respect to auditing the same company?

5. 59. (SO 2) Visit the AICPA website at www.aicpa.org and select the tab for Career Paths. Click on “This Way to CPA” to locate information on audit careers.
6. 60. (SO 4 and 9) Visit the ISACA website at www.isaca.org and click the Knowledge Center tab, then select ITAF (Information Technology Assurance Framework) and click on the IT Audit Basics tab to find articles covering topics concerning the audit process. Locate an article on each of the following topics and answer the related question:
   1. Identify and briefly describe the four categories of CAATs used to sup port IT auditing.
   2. List three possible procedures to be performed by IT auditors who are evaluating controls pertaining to the backup and recovery of a client's data.
7. 61. (SO 8) Locate the stock tables for the two major stock exchanges in any issue of the Wall Street Journal. Beginning from any point within the table, prepare a list of the first digits of the daily volume for 100 stocks. Determine whether the listed numbers conform to Benford's Law.
8. 62. (SO 12) Perform an Internet search to determine the nature of Xerox Corporation's management fraud scheme and to find out what happened to the company after the problems were discovered.

CASES

1. 63. Cam Draker was auditing the financial statements of Palitt Wholesale Industries when she was presented with a curious situation. A member of Palitt's top management team approached her with an anonymous note that had been retrieved from the company's suggestion box. The note accused unnamed employees in Palitt's IT department of altering the accounts payable database by entering bogus transactions involving fictitious vendors. Payments made to this fictitious vendor were being intercepted and cashed by the fraudster.

   Required:

   1. What tests of controls would be effective in helping Draker determine whether Palitt's vendor database was susceptible to fraud?
   2. What computer-assisted audit technique would be effective in helping Draker determine whether Palitt's vendor database had actually been falsified?
2. 63. Cyrus Pannor is an auditor for a large CPA firm. Pannor was recently assigned to perform a financial statement audit of Kupp Die Besonderheit, Inc., a brewery and distributor of German specialty foods. Pannor's firm is auditing Kupp for the first time. The audit is nearly complete, but it has required more time than expected. The auditors who performed the planning and testing phases have now been assigned to another client engagement, so Pannor was called in to carry out the completion/reporting phase.

   In discussing the details of the audit engagement with the original audit team, Pannor learned that the original team expected that an unqualified audit opinion would be issued. This expectation was based on the extent of audit evidence accumulated, which led to the belief that the financial statements were fairly presented in accordance with GAAP.

   Henrik Hofmann, Kupp's CFO, is unhappy about the change in audit personnel. He is threatening to refuse to furnish a letter of representation.

   Required:

   1. Would it be appropriate for Pannor to reopen the audit testing phases in order to expand procedures, in light of the lack of representative evidence from management? Why, or why not?
   2. Will Pannor's firm still be able to issue an unqualified audit report if it does not receive the representation letter? Research the standard wording to be included in an unqualified audit report, as well as the typical wording included in a client representation letter. Base your answer on your findings.

CONTINUING CASE: ROBATELLI'S PIZZERIA

Consider the case of Robatelli's Pizzeria as presented at the end of Chapter 1. Imagine that you have been hired to perform the financial statement audit for Robatelli's Pizzeria. This is the first time the company has had an external audit.

Required:

1. What steps would your firm go through in the planning phase for this initial audit engagement?
2. What computer-assisted audit techniques could you use in conducting this audit? Use details from the case to explain why you believe these techniques would be appropriate for Robatelli's.

SOLUTIONS TO CONCEPT CHECK

1. (CIA Adapted) (SO 2) Of the given types of audits, b. the operational audit is most likely to be conducted for the purpose of identifying areas for cost savings. The primary purpose is to enhance efficiency and effectiveness, which is likely to result in cost savings.
2. (SO 2) Financial statement audits are required to be performed by b. CPAs. CPAs have extensive knowledge of GAAP, which is the required criteria in a financial statement audit. On the other hand, government auditors are specialists in governmental regulations, internal auditors work with gauging compliance with management's directives and operating effectiveness, and IT auditors focus on the effectiveness of computerized processes.
3. (SO 3) That d. the information has been tested by internal auditors and a CPA firm is not considered a cause of information risk. This is a way to reduce information risk, not a cause of information risk. Answer a. relates to the remoteness of information, b. relates to the motive of the preparer, and c. relates to the complexity of the transactions, which are each associated with increased information risk.
4. (SO 4) c. Standards of information systems are not a part of generally accepted auditing standards. The three categories of GAAS are general standards, standards of fieldwork, and standards of reporting.
5. (CPA Adapted) (SO 4) b. “Measures of the quality of an auditor's conduct in carrying out professional responsibilities” best describes what is meant by the term “generally accepted auditing standards.”
6. (CPA Adapted) (SO 4) In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to a. document the auditor's understanding of the client company's internal control. Each of the other responses pertain to testing of controls, which are required only if the auditor plans to rely upon the effectiveness of internal controls.
7. (CPA Adapted) (SO 5) Auditors should design a written audit program so that c. the procedures will achieve specific audit objectives related to specific management assertions.
8. (SO 5) The audit objective which relates to the management assertion of existence is that b. a transaction actually occurred (i.e., it is real). Answer a. relates to cutoff; answer c. relates to presentation and disclosure; answer d. relates to valuation.
9. (SO 6) The statement regarding an audit program which is true is that d. an audit program establishes responsibility for each audit test by requiring the signature or initials of the auditor who performed the test. Answer a. is incorrect because audit programs need to be developed to address the unique nature of each client company. Answers b. and c. are incorrect because the client, including its internal auditors, should not be involved in the development or completion of the audit program; rather, the audit is the independent auditor's responsibility.
10. (CMA Adapted) (SO 6) Risk assessment is a process designed to a. identify possible circumstances and events that may effect the business.
11. (CPA Adapted) (SO 6) The audit procedure most likely to be performed during the planning phase of the audit is to a. obtain an understanding of the client's risk assessment process. Response b. is performed during tests of controls. Responses c. and d. are performed as part of substantive testing.
12. (CIA Adapted) (SO 7) The most significant disadvantage of auditing around the computer rather than through the computer is that c. a portion of the audit trail is not tested. The other three responses would each be considered disadvantages of auditing through the computer.
13. (CMA Adapted) (SO 8) The primary objective of compliance testing in a financial statement audit is to determine whether c. internal controls are functioning as designed. Compliance testing is another term for tests of controls, the purpose of which is to determine whether internal controls are functioning in compliance with management's intentions.
14. (CPA Adapted, CIA Adapted) (SO 8) The computer assisted auditing technique that processes actual client input data (or a copy of the real data) on a controlled program under the auditor's control to periodically test controls in the client's computer system is d. parallel simulation. Each of the other responses involves use of the client company's computer system.
15. (CPA Adapted) (SO 8) The computer assisted auditing technique that allows fictitious and real transactions to be processed together without client personnel being aware of the testing process is the c. integrated test facility.
16. (SO 8) The general control to test for external access to a client's computerized systems is a. penetration tests. Answers b., c., and d. are application controls.
17. (SO 8 and 9) During the planning phase of an audit, the auditor determines that weaknesses exist in the client's computerized systems. These weaknesses make the client company susceptible to the risk of an unauthorized break-in. The type of audit procedures that should be emphasized in the remaining phases of this audit is c. substantive tests. Answers a., b., and d. each relate to tests of controls, which are to be performed only when good controls have been found to be in place. It is not worthwhile to test weak or ineffective controls, since the purpose of tests of controls is to prove the usefulness of controls as a basis for reducing substantive testing.
18. (CIA Adapted) (SO 9) Generalized audit software can be used to a. examine the consistency of data maintained on computer files. This response applies to the use of generalized audit software to perform comparisons. None of the other responses relates to the uses described under Study Objective 9.
19. (CMA Adapted) (SO 12) Independent auditors are generally actively involved in each of the given tasks except a. preparation of a client's financial statements and accompanying notes. Auditors would be placed in a position of auditing their own work if they prepared financial statements for an audit client.
20. (CPA Adapted) (SO 12) The attribute most likely to be unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions, is c. Independence. Most other professionals are advocates for their clients, whereas auditors must be independent with respect to their audit clients.
21. (SO 4 and 12) The term not associated with the auditor's requirement to maintain independence is d. Competence. Competence relates to the first general standard within GAAS; each of the other answers relate to independence (the second general standard).