Audit Sampling and IT Auditing
What planning factors would influence the sample size for a substantive test of details for a specific account?
Expected amount of misstatements, Measure of tolerable misstatement
Define incorrect rejection risk
Deciding that the sample results support the conclusion that the balance is materially misstated when it is not
Define the risk of assessing control risk too high
The risk that the auditor will conclude that the controls cannot be relied upon when, in fact, they can be relied upon.
Define the risk of assessing control risk too low
The risk that the auditor will conclude that the controls can be relied upon when, in fact, they cannot.
Define the risk of incorrect acceptance
The risk that the auditor will accept the balance as fairly stated when it is not
The risk of incorrect acceptance and the likelihood of assessing control risk too low relate to the
Define Nonsampling risk
the possibility of selecting audit procedures that are not appropriate to achieve the specific objective (e.g., an auditor fails to recognize misstatements).
Define sampling risk
the possibility that, when a substantive test is restricted to a sample, conclusions might be different than if the auditor had tested each item in the population.
Statistical sampling allows an auditor to:
1) design an efficient sample;
2) measure the sufficiency of the evidential matter obtained; and
3) evaluate the sample results.
In determining the sample size for a test of controls, an auditor should consider
the likely rate of deviations, the allowable risk of assessing control risk too low, and the tolerable deviation rate.
How does population size affect the sample size?
little or NO effect; In attributes sampling, the sample size is determined using available tables that do not explicitly consider population size. That is because the tables are based on an underlying assumption of very large population sizes.
If the sample deviation rate plus the allowance for sampling risk exceeds the tolerable rate, the auditor should
Modify the planned assessed level of control risk
What must happen for the auditor to assess control risk too low?
the true deviation rate in the population must have been higher than the deviation rate in the auditor's sample.
In sampling, if a voucher is properly voided, it would
be replaced by another voucher so that the internal controls could be tested on a valid sample item.
Why would an increase in the expected population deviation rate result in an increase in the planned sample size?
Because the more errors expected in the population, the bigger the sample has to be to try to detect them.
What does the auditor consider in determining tolerable rate?
the auditor considers the planned assessed level of control risk and the degree of assurance desired by the evidential matter in the sample.
Why do deviations from specific control activities at a given rate ordinarily result in misstatements at a lower rate?
because each failure to apply a control does not necessarily result in a misstatement.
The sample size of a test of controls varies directly/inversely with the tolerable deviation rate. It varies directly/inversely with the expected population rate.
If the auditor has incorrectly assessed control risk lower than appropriate, how can we describe this situation?
The deviation rate in the auditor's sample is less than the tolerable rate, but the deviation rate in the population exceeds the tolerable rate.
Planned reliance on a prescribed control should be reduced when
the sample rate of deviation plus the allowance for sampling risk exceeds the tolerable rate.
Stratified mean per unit (MPU) sampling is a statistical technique that may be more efficient than unstratified MPU because
It produces an estimate that has a desired level of precision with a smaller sample size. Stratification of the population enables the auditor to separate the population into size-related classes.
Increasing tolerable misstatement increases/decreases sample size, while increasing the assessed level of control risk increases/decreases sample size.
PPS sampling enables the auditor to
automatically identify and select individually significant amounts through the use of dollar units.
Ratio estimation sampling technique is most efficient when
the differences are proportional to book values.
When using classical variables sampling for estimation, an auditor normally evaluates the sampling results by calculating the possible error in either direction. What do we call this technique?
In statistical sampling methods used in substantive testing, an auditor most likely would stratify a population into meaningful groups if
The population has highly variable recorded amounts.
Stratification involves separating the population into homogeneous groups based on size or other factors. In this manner, the auditor could select transactions to meet specific audit objectives and perform substantive procedures more efficiently.
In a probability-proportional-to-size application, the projected error of the sample is
the amount of the difference between the book value and the audit value when the amount of the account examined is greater than the sampling interval.
The PPS is most effective when
1. few or no errors are expected; 2. overstatement is the concern
In PPS, when the recorded balance of the account involved is less than the sampling interval, the auditor must
determine the "tainting" percentage and apply that percentage to the sampling interval. Tainting % = amount of misstatement / dollar amount of item. Projected misstatement = tainting % x sampling interval.
A distributed data processing system links minicomputers in remote locations with a centralized computer. Therefore, the greatest control concern is _________ control and why?
Access control, because each minicomputer will be able to access the central computer and it will be more difficult to control access to minicomputers in remote locations.
The essential elements of the audit trail in an electronic data interchange (EDI) system are
Network and sender/recipient acknowledgments.
What is an inherent limitation of any system of internal control?
faulty human judgment
An auditor most likely would test for the presence of unauthorized EDP program changes by running a
Source code comparison program.
Maintaining an audit trail for a computer system provides
a deterrent to irregularities, facilitates monitoring, and enables queries to be answered.
In a well-designed system of internal control, the following duties must be segregated. What are they?
1. systems analysis 2. programming 3. computer operations 4. transaction authorization 5. library functions, and 6. data control.
What controls most likely would assure that an entity can reconstruct its financial records?
storage of backups
Encryption is the process used to encode a message from plain text to a secret code.
Decoding is the process used to translate an encrypted message back into plain text.
Translation is the process by which messages are changed from one form to another form.
Mapping is the process by which the elements in the client's computer system are related to the standard data elements.
When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the
Potential computer disruptions in recording sales
Is computer software used to help auditors assess control risk?
No. Assessments of control risk are a matter of auditor judgment.
Guidelines for choosing a "secure" password include the following:
the password should be at least seven characters in length;
the password should include special characters, such as punctuation marks or symbols;
the password should be a mixture of uppercase and lowercase letters;
the password should be unique.
Test data are used by auditors to
test the controls over data processing.
Define a hash total
A hash total is a meaningless total computed to verify the accuracy and completeness of input.
A meaningful total computed to verify the accuracy and completeness of input is called
Define limit checks
check within predetermined range
Define validity check
A validity check is a check to see if the data carry valid values.
Define missing data check
check for any omission
Define check digits
an arithmetic manipulation
Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
there are time delays in processing transactions in a batch system.
A computer-assisted audit technique that permits an auditor to insert the auditor's version of a client's program to process data and compare the output with the client's output is called
Define test data
Test data are a means of testing a client program using fake (test) data.
Define frame relay
Frame relay is a protocol standard that allows local area networks (LAN) to quickly and efficiently transmit information from a user device to LAN bridges and routers.
Define remote node router
A remote node router enables access to the company local area network (LAN) from computers or terminals located away from the main network, e.g., a branch office or a traveling user with a laptop.
After testing a client's internal control activities, an auditor discovers a number of significant deficiencies in the operation of a client's internal controls. Under these circumstances the auditor most likely would
Increase the assessment of control risk and increase the extent of substantive tests.
sample size =
(reliability factors x book value of accounts)/tolerable misstatement, net of expected misstatements
An increase in the expected population deviation rate would result in an _________ in the planned sample size.
increase; The more errors expected in the population, the bigger the sample has to be to try to detect them.