Internal Factors And Governance Structure

Questions 1 - 10
1

You are conducting a review engagement for a nonissuer not-for-profit organization. The organization’s governance structure includes a volunteer board that approves the budget, but there is no documented conflict-of-interest policy and no record of annual disclosures by board members. Management informs you that a board member’s company provides significant services to the entity. Which factor would most likely affect the auditor's governance assessment?

Whether the entity is required to obtain an audit under Public Company Accounting Oversight Board standards because it receives donations.

Whether the auditor can design and implement the entity’s conflict-of-interest policy to improve governance before issuing the review report.

Whether the existence of a related-party transaction eliminates the need for the practitioner to perform inquiries in a review engagement.

Whether the board has documented conflict-of-interest policies and performs periodic related-party disclosures and approvals.

Explanation

This question tests governance considerations in a review engagement under AR-C 90. The key facts are a nonissuer not-for-profit review engagement with no documented conflict-of-interest policy, no annual board disclosures, and a board member's company providing significant services. The correct answer (A) focuses on whether proper policies and procedures exist for identifying and managing conflicts, which affects the practitioner's understanding of the entity under AR-C 90.28. Answer B is incorrect because the practitioner cannot design or implement entity policies, which would impair independence (ET 1.295). Answer C is incorrect because receiving donations does not trigger PCAOB audit requirements; only being an issuer does. Answer D is incorrect because related-party transactions require additional inquiries in reviews, not fewer (AR-C 90.A58). The professional framework is: in review engagements, assess whether governance structures adequately identify and manage conflicts of interest that could affect financial reporting.

2

You are auditing an issuer pharmaceutical distributor. The audit committee is independent, but management has not implemented a formal process to evaluate compliance risks related to new regulations, and internal audit reports are not shared with the audit committee. As part of understanding the control environment and governance oversight, you must determine how these conditions affect the audit approach. Based on the entity's control environment, which response is most appropriate?

Rely on the independence of the audit committee to conclude controls over compliance are effective without further work.

Increase the assessed risks of material misstatement related to compliance-sensitive accounts and disclosures, expand inquiries of the audit committee, and design procedures responsive to the heightened risk.

Delegate the auditor’s responsibility for risk assessment to internal audit because internal audit identified issues previously.

Assume compliance risks are outside the scope of financial reporting and therefore do not affect the audit plan.

Explanation

This question tests the impact of compliance risk management weaknesses on audit planning under AS 2110. The key facts are an issuer pharmaceutical distributor without formal compliance risk evaluation processes and internal audit reports not shared with the audit committee. The correct answer (A) properly requires increasing assessed risks for compliance-sensitive areas and designing responsive procedures, consistent with AS 2110.71 regarding fraud and compliance risks. Answer B is incorrect because compliance risks that could result in material misstatements are within the audit scope (AS 2110.12). Answer C is incorrect because audit committee independence alone doesn't ensure effective controls without proper information flow (AS 2110.25). Answer D is incorrect because the auditor must perform their own risk assessment and cannot delegate this responsibility (AS 2110.59). The professional framework is: when compliance risk management is weak in regulated industries, increase assessed risks and expand procedures for accounts and disclosures sensitive to noncompliance.

3

You are the auditor of a nonissuer manufacturing company in a financial statement audit. The entity has an owner-managed governance structure with a three-member board that meets quarterly, but minutes are not retained and the board does not review whistleblower complaints or related-party transactions. During planning, you note management override risk is elevated because the controller can post journal entries and approve vendor setup without independent review. Which action should the auditor take regarding governance weaknesses?

Rely on management representations about governance oversight because governance matters are outside the scope of a financial statement audit.

Issue an adverse opinion on internal control over financial reporting because board minutes are not retained.

Communicate the governance deficiencies and related control implications to those charged with governance in writing and adjust the risk assessment and planned procedures accordingly.

Perform an integrated audit under Public Company Accounting Oversight Board standards to address the governance weaknesses.

Explanation

This question tests the auditor's required response to governance deficiencies under AU-C 265, Communicating Internal Control Related Matters. The key facts are that this is a nonissuer financial statement audit with weak board oversight (no retained minutes, no review of whistleblower complaints or related-party transactions) and elevated management override risk due to lack of segregation of duties. The correct answer (B) aligns with AU-C 265.09, which requires written communication of significant deficiencies and material weaknesses to those charged with governance, and AU-C 315.A88, which requires adjusting the risk assessment when governance is weak. Answer A is incorrect because governance matters directly affect the auditor's risk assessment and are within the audit scope (AU-C 260). Answer C is incorrect because this is a financial statement audit, not an integrated audit, and the auditor does not issue an opinion on internal control for nonissuers. Answer D is incorrect because PCAOB standards apply only to issuers, not nonissuers. The professional judgment framework is: when governance weaknesses create or exacerbate risks of material misstatement, communicate in writing and modify the audit approach accordingly.

4

You are auditing a nonissuer retail chain. The governance structure includes a board with an independent chair, but day-to-day control is centralized with the chief executive officer, who also approves manual price overrides and has authority to modify user access. Your walkthroughs show that store managers can both receive inventory and approve vendor invoices when staffing is tight, and compensating controls are informal. Based on the entity's control environment, which response is most appropriate?

Reduce substantive testing because centralized oversight by the chief executive officer compensates for the lack of segregation of duties.

Rely on the board chair’s independence as sufficient evidence that control activities are operating effectively.

Treat the segregation of duties weakness as immaterial by default because it occurs only during staffing shortages.

Assess control risk at the maximum for affected assertions and design more substantive procedures because segregation of duties weaknesses increase the risk of material misstatement.

Explanation

This question tests the auditor's response to segregation of duties weaknesses under AU-C 315 and AU-C 330. The key facts are significant segregation of duties issues (CEO can approve overrides and modify access; store managers can receive inventory and approve invoices) with only informal compensating controls. The correct answer (A) properly requires assessing control risk at maximum for affected assertions and designing more substantive procedures, consistent with AU-C 330.08 when controls are not expected to be effective. Answer B is incorrect because centralized oversight by someone with override capabilities increases rather than decreases risk (AU-C 240.A28). Answer C is incorrect because segregation of duties weaknesses affecting significant processes are not immaterial by default, regardless of frequency (AU-C 265.A7). Answer D is incorrect because board independence alone cannot compensate for operational control deficiencies (AU-C 315.A79). The professional framework is: when segregation of duties is compromised and compensating controls are weak or informal, assess control risk at maximum and increase substantive testing accordingly.

5

You are auditing a nonissuer healthcare clinic. Governance consists of a physician-owner and an advisory board that meets semiannually; there are no retained minutes, no documented approval of significant accounting policies, and no formal process for reviewing related-party arrangements with physician-owned labs. During the audit, you identify several late journal entries posted by the owner after the trial balance was provided. Which action should the auditor take regarding governance weaknesses?

Perform only analytical procedures because governance weaknesses reduce the need for detailed tests of transactions.

Accept the late journal entries as routine because owner-managed entities typically do not maintain formal governance documentation.

Issue an adverse opinion on the financial statements because the advisory board does not retain minutes.

Expand procedures addressing management override (including testing journal entries and reviewing related-party transactions) and communicate governance and control deficiencies to those charged with governance.

Explanation

This question tests the auditor's response to management override risks in owner-managed entities under AU-C 240. The key facts are a physician-owned clinic with minimal governance documentation, no formal related-party review process, and late journal entries posted by the owner after providing the trial balance. The correct answer (A) requires expanding management override procedures including journal entry testing and related-party review, plus communicating deficiencies, consistent with AU-C 240.32 and AU-C 265. Answer B is incorrect because late post-closing entries by owners require investigation regardless of entity size (AU-C 240.A42). Answer C is incorrect because lack of board minutes doesn't automatically require an adverse opinion on financial statements (AU-C 705). Answer D is incorrect because governance weaknesses and override indicators require more detailed testing, not less (AU-C 240.33). The professional framework is: in owner-managed entities with weak governance, presume elevated override risk and expand procedures specifically addressing journal entries, estimates, and related-party transactions.

6

You are performing a financial statement audit of an issuer technology company. The audit committee is newly formed and receives management-prepared risk reports, but there is no documented process for identifying emerging cybersecurity and revenue-recognition risks, and the committee rarely challenges management assumptions. You need to understand whether the entity’s risk assessment process is adequate for identifying risks of material misstatement. What is the most appropriate procedure for assessing risk management frameworks?

Assume the risk assessment process is effective because an audit committee exists and meets periodically.

Replace the auditor’s risk assessment with management’s enterprise risk management conclusions without performing corroborating procedures.

Limit procedures to inquiries of management because risk management is not relevant to the auditor’s risk assessment.

Obtain an understanding of how management identifies and analyzes business risks, corroborate through inquiries of the audit committee and inspection of risk reports, and evaluate whether the process is implemented and monitored.

Explanation

This question tests understanding of risk assessment procedures for an issuer's risk management framework under AS 2110 (formerly AS 12). The key facts are that this is an issuer with a newly formed audit committee receiving management-prepared reports but lacking a documented risk identification process and rarely challenging management. The correct answer (A) requires obtaining an understanding through multiple sources (management and audit committee inquiries plus inspection of risk reports) and evaluating implementation, consistent with AS 2110.28-.30. Answer B is incorrect because AS 2110.11 explicitly requires understanding the entity's risk assessment process as it directly affects the auditor's risk assessment. Answer C is incorrect because the mere existence of an audit committee does not guarantee an effective risk assessment process (AS 2110.A5). Answer D is incorrect because AS 2110.28 requires the auditor to perform their own risk assessment and cannot simply adopt management's conclusions. The professional framework is: always corroborate management's risk assessment process through multiple procedures and evaluate whether it adequately identifies risks relevant to financial reporting.

7

You are performing an attestation engagement (examination) for a nonissuer on compliance with a loan covenant requiring quarterly board review of liquidity metrics. Board minutes show the review occurred only once during the year, and management prepared the covenant calculations without independent review. What type of report should be issued for these governance deficiencies?

An integrated-audit ICFR opinion describing the governance deficiency as a material weakness.

An unmodified examination report because governance deficiencies do not affect compliance with covenants.

A disclaimer of conclusion automatically because any missing board minutes constitute a pervasive scope limitation.

An examination report with a qualified or adverse conclusion (as appropriate) because the entity did not comply with the specified covenant requirement for board review.

Explanation

This question addresses reporting in a nonissuer attestation on compliance under AT-C Section 205. Key facts include covenant non-compliance with infrequent reviews and no independent review of the covenant calculations. Choice A is correct because AT-C 205 requires a modified conclusion when the entity has not complied with the specified requirement. Choice B is incorrect because the governance deficiencies do affect compliance with the covenant; Choice C is wrong because a missing record is not automatically a pervasive scope limitation requiring a disclaimer; Choice D is inappropriate because ICFR opinions are issued only in integrated audits. Practitioners issue modified reports for material noncompliance. The rule is to base the conclusion on evidence evaluated against the specified criteria and to qualify (or, if pervasive, issue an adverse conclusion) for deviations from those criteria.

8

You are performing an attestation engagement for a nonissuer service organization’s management assertion about the effectiveness of its controls over customer billing (a SOC 1-type engagement). The entity has a risk management process that identifies billing risks, but it is informal and not consistently updated for new customer contract terms. You need to assess whether the risk assessment process supports the control design described in management’s assertion. What is the most appropriate procedure for assessing risk management frameworks?

Inspect documentation of risk identification and assessment, inquire of process owners about how changes in contracts are evaluated, and trace selected recent contract changes to updates in identified risks and control activities.

Evaluate risk management only by recalculating billed amounts for a sample of invoices, without considering how risks are identified or updated.

Accept management’s assertion without further procedures because the engagement is attestation and not an audit.

Apply issuer internal control reporting requirements and require management to provide an annual internal control report under securities regulations.

Explanation

This question tests risk assessment procedures in a SOC 1 attestation engagement under AT-C 320. The key facts are a service organization attestation on billing controls with an informal risk assessment process not consistently updated for contract changes. The correct answer (A) appropriately requires inspecting documentation, making inquiries, and tracing changes through the risk management process, consistent with AT-C 320.28 requirements to evaluate control design. Answer B is incorrect because attestation engagements require obtaining evidence about the subject matter, not just accepting assertions (AT-C 105.A28). Answer C is incorrect because SOC engagements follow AICPA attestation standards, not PCAOB requirements for issuers (AT-C 320.01). Answer D is incorrect because evaluating risk assessment requires understanding how risks are identified and managed, not just testing outputs (AT-C 320.A35). The professional framework is: in SOC engagements, evaluate whether the risk assessment process adequately identifies changes that could affect control objectives and whether controls are updated accordingly.

9

You are the auditor of an issuer in an integrated audit of financial statements and internal control over financial reporting. The company has an audit committee that meets regularly, but internal audit reports repeated failures in the entity-level control for monitoring user access changes, and management has not remediated them. You conclude the monitoring control deficiency is pervasive and affects multiple significant accounts. What type of report should be issued for these governance deficiencies?

An adverse opinion on internal control over financial reporting if the deficiency constitutes a material weakness, while still issuing the appropriate financial statement opinion based on the audit evidence obtained.

A qualified opinion on internal control over financial reporting because material weaknesses are reported as qualifications under issuer standards.

An unmodified opinion on internal control over financial reporting because entity-level controls are not relevant if substantive testing is increased.

A disclaimer of opinion on the financial statements because governance deficiencies automatically create a scope limitation.

Explanation

This question tests integrated audit reporting requirements for issuers under AS 2201. The key facts are an issuer integrated audit with pervasive entity-level monitoring control deficiencies affecting multiple significant accounts that management has not remediated despite internal audit findings. The correct answer (C) correctly identifies that a material weakness in internal control requires an adverse ICFR opinion under AS 2201.90, while the financial statement opinion depends on audit evidence obtained (AS 2201.86). Answer A is incorrect because entity-level control deficiencies cannot be ignored even with increased substantive testing (AS 2201.24). Answer B is incorrect because governance deficiencies do not automatically create a scope limitation for the financial statement audit (AS 3101). Answer D is incorrect because PCAOB standards require adverse opinions, not qualified opinions, for material weaknesses (AS 2201.90). The professional framework is: material weaknesses in ICFR require an adverse ICFR opinion, but the financial statement opinion depends on whether sufficient appropriate audit evidence was obtained through alternative procedures.

10

You are the auditor of an issuer in an integrated audit. Management’s entity-level control over financial reporting includes a quarterly disclosure committee meeting, but attendance is inconsistent and key members do not review draft filings before submission. The audit committee is unaware that the disclosure committee process is not functioning as designed. Which action should the auditor take regarding governance weaknesses?

Treat the issue as a minor documentation matter and avoid communication to the audit committee.

Assume the control is effective because it is documented and therefore no testing is required.

Test the design and operating effectiveness of the disclosure committee control, communicate deficiencies to the audit committee, and assess the impact on ICFR and financial statement audit procedures.

Conclude the deficiency is irrelevant because disclosure committees relate to legal compliance, not financial reporting.

Explanation

This question tests the handling of governance weaknesses in an issuer integrated audit under PCAOB AS 2201 and AS 265. Key facts include inconsistent disclosure committee attendance, key members not reviewing draft filings, and an audit committee that is unaware the control is not operating as designed. Choice A is correct because AS 2201 requires the auditor to test entity-level controls and to communicate identified deficiencies. Choice B is incorrect because documentation of a control does not establish that it is operating effectively; Choice C is wrong because communication of the deficiency to the audit committee is required; Choice D is inappropriate because the disclosure committee process directly affects financial reporting and therefore ICFR. Auditors test and communicate control gaps. The framework is to evaluate operating effectiveness and classify each deficiency based on its potential to result in a misstatement.