Audit Chapter 5
Audit sampling is the testing of less than 100% of the items within an account balance or class of transactions in order to evaluate some characteristic of the balance or class. Audit sampling is especially useful in cases where an auditor has no specific knowledge about the likely misstatements contained in account balances and transactions.
objective: obtain sufficient and appropriate audit evidence
Pass key: Rule 1
Always assume that the population being sampled is normally distributed, that is, it can be described by a normal, or bell shaped, curve
Pass Key: Rule 2
For estimates that the CPA makes about the population to have mathematical validity, the samples have to be unrestricted and randomly selected, which means that:
1. every item in a population must have an absolutely equal chance of being selected.
2. The CPA cannot use "bias" in deciding which items will be selected. No substitute items may be used.
only time that the auditor does not use professional judgement.
Pass Key: Rule 3
If the sample is large enough and is randomly selected, the sample will likely have the same statistical characteristics (mean and standard deviation) as the underlying population, i.e., it will be representative of the population
Pass Key: Rule 4
Standard deviation is the measure of "variability," which refers to the range of values within the population.
more variable = more uncertainty = larger sample
if we are not looking at 100% of the sample there will be risk
- Inherent in audit sampling is the concept of
. This is the risk that the sample is not representative of the population and that the auditor's conclusion will be different from the conclusion had the auditor examined 100% of the population
Audit sampling methods can be either
. Both approaches require the use of professional judgement.
In statistical sampling, auditors specify the sampling risk they are willing to accept and then calculate the sample size that provides that degree of reliability. Results are evaluated quantitatively. (number crunching)
sampling, the sample size is not determined mathematically. Auditors use their judgement in determining sample size, and sample results are evaluated judgmentally.
Sufficient Audit Evidence
Either statistical or non statistical approach is acceptable under GAAS. When properly applied, either method should result in a sample size that provides sufficient audit evidence.
a. the sufficiency of audit evidence is related to the design and size of the sample
b. The size of the sample depends on both the objective and the design of the sample. Careful design generally produces a more efficient sample.
Pass Key: Professional Judgement
Many questions try to trick the candidate into thinking that statistical sampling eliminates the need for auditing judgement. This is completely false. While statistical sampling is a quantitative approach, judgement is still required to set many of the parameters and to evaluate the
Advantages of Statistical Sampling
Statistical sampling enables the auditor to:
a. Measure the sufficiency of the audit evidence obtained.
b. Provide an objective basis for quantitatively evaluating sample results.
c. Design an efficient sample
d. Quantify sampling risk so as to limit risk to an acceptable level.
Random Sample Selection
Random sample selection methods should be used in statistical sampling. Such methods give all items in the population an equal chance to be included in the sample to be audited.
Types of Sampling
Auditors may use sampling procedures to estimate many different characteristics of populations, but generally estimates are either of rate of occurrence (attribute sampling) or of a numerical quantity (variables sampling or probability-proportional-to-size sampling (PPS))
is primarily used for testing
sampling are typically used in
of account balances.
Pass Key: Attribute or Variable
Many exam questions can be answered by being able to distinguish between attribute sampling and variables sampling applications. Remember that attribute sampling is more likely to deal with tests of controls, while variables sampling generally deals with dollar values. Often the attribute sampling application can be identified by finding the option that deals with yes-no questions (e.g., is the invoice properly approved).
Situations where sampling may
1. Risk assessment procedures performed to obtain an understanding of internal control.
2. Tests of automated application controls when effective general controls are present
3. Analysis of security and access controls, or other controls that do not provide documentary evidence of performance.
4. Some tests related to the operation of the control environment or the accounting system.
Audit risk is the uncertainty inherent in applying audit procedures. Audit risk includes both:
1. uncertainties due to sampling; and
2. uncertainties due to factors other than sampling
arise from the possibility that, when a test of controls or a substantive test is restricted to a sample, the auditor's conclusion may be different from the conclusions which would have been reached had the tests been applied to all items in the account balance or class of transactions.
Sampling Risk in Substantive Testing
a. Risk of incorrect acceptance: the risk of incorrect acceptance is the risk that the sample supports the conclusion that the recorded account balance is not materially misstated when in fact it is materially misstated. (Ineffective) (sample results
to identify an existing material misstatement) (Beta risk)
b. Risk of incorrect rejection: the risk of incorrect rejection is the risk that the sample supports the conclusion that the recorded account balance is materially misstated when in fact it is
. (sample results
indicate a material misstatement)(Alpha Risk) (inefficient)
Sampling Risk in tests of Controls
a. Risk of assessing control risk too low (overreliance) is the risk that the assessed level of control risk based on the sample is
than the true risk based on the actual operating effectiveness of the control. (Beta) (ineffective)
b. The risk of assessing control risk too high is the risk that the assessed level of control risk based on the sample is
than the true risk based on the actual operating effectiveness of the control. (Alpha) (inefficient)
Pass Key: Sampling Risk
Sampling risk can be thought of as the chance that, based on the results of a sample, the auditor will make a mistake. There are two primary mistakes the auditor can make: the auditor may fail to identify an existing problem (incorrect acceptance and assessing control risk too low) or the auditor may falsely identify a problem where none actually exists (incorrect rejection or assessing control risk too high).
lost with alpha risk
- The risk of incorrect rejection and the risk of assessing control risk too high relate to the
of the audit (the auditor does more work than is necessary). When the auditor's evaluation of an audit sample leads the auditor to this erroneous conclusion, the application of additional audit procedures and consideration of other audit evidence ordinarily leads the auditor to the correct conclusion.
Lost with beta risk
Danger: could lead to an inappropriate opinion
- The risk of incorrect acceptance and the risk of assessing control risk too low relate to the effectiveness of an audit in (possibly not) detecting an existing material misstatement. Auditors usually accept a risk of 5% or 10%. A related concept is that of confidence level (also called reliability). The auditor is 95% (or 90%) confident that the sample is representative of the population.
Nonsampling risk includes all aspects of audit risk that are not due to sampling risk. Nonsampling risk is always present and cannot be measured; the auditor can only attempt to reduce this risk to a very low level through adequate planning and supervision of the audit engagement and quality control of all firm practices. Examples of nonsampling risk are selecting audit procedures that are not appropriate to achieve a specific objective, or failure by the auditor to recognize misstatements in documents examined.
Sampling in Test of Controls
Attribute sampling is a statistical sampling method used to estimate the rate (%) of occurrence (exception) of a specific characteristic (attribute). Samples taken to test the operating effectiveness of controls are intended to provide a basis for the auditor to conclude whether controls are being applied as prescribed. Attribute sampling generally deals with yes/no questions. For example, "Are time cards properly authorized (to assure recorded hours were worked)?" or "Are invoices properly voided (stamped "paid") to prevent duplicate payments?"
When planning a particular audit sample for test of controls, the auditor applies professional judgement in considering:
1. the relationship of the sample to the
of the test of controls
2. Tolerable Deviation Rate
3. The auditor's allowable risk of assessing control risk too low. (Beta)
of the population
Tolerable Deviation Rate
The tolerable deviation rate is the maximum rate of deviation from a prescribed procedure the auditor will tolerate without modifying planned reliance on internal control:
a. in assessing the tolerable rate of deviation, the auditor should consider that, while deviations from pertinent controls increase the risk of material misstatement, such deviations do not necessarily result in misstatements.
in the sample is the auditor's
of the deviation rate in the population from which it was selected. (As conservative auditors, we are concerned with the worst case scenario, so we generally don't bother with the low end of the range.) The top end of the range is formally known as the "upper deviation rate."
If the auditor concludes that the sample results do not support the planned assessed level of control risk for an assertion, the nature, extent, and timing of substantive procedures should be reevaluated based on a revised consideration of the assessed level of control risk for the relevant financial statement assertions.
The auditor performs the following steps when conducting an attribute sampling application:
1. Define the objective of the test
Assume the auditor wants to determine the percentage of sales orders that are missing credit approval
2. Define the population
It must be appropriate for the objective. The period covered by the test should also be defined.
a. In this example, the population would consist of all sales orders used during the year.
b. If tests of controls are performed at an interim date, the auditor must perform such additional procedures as are necessary to obtain reasonable assurance regarding the remaining period.
3. Define the Sampling Unit
Consider the completeness of the population in defining the sampling unit.
a. each sales order is a sample unit.
b. The population must agree with the "physical representation"
4. Define the attributes of interest
only found in attribute testing
a variety of characteristics
- Deviations are situations where the control was not properly applied, such as:
a. missing credit approval
b. missing sales orders
Determine the Sample Size
The auditor must specify the following factors:
a. risk of assessing control risk too low
b. Tolerable deviation rate
c. Expected deviation rate
d. Population size
a. Risk of Assessing Control Risk Too Low
This is the risk that the assessed level of control risk based on the sample is
than the true level of control risk based on the actual operating effectiveness of the control. There is an
relationship to sample size: as the auditor is willing to accept greater risk, a smaller sample size can be used.
b. Tolerable Deviation Rate
This is the maximum rate of error the auditor is willing to accept without changing control risk assessment or planned reliance on internal control. There is an inverse relationship to sample size: as the auditor is willing to accept a greater deviation rate, a smaller sample size can be used.
c. Expected Deviation Rate
This is the auditor's best estimate of the rate of deviation from prescribed control procedure. There is a direct relationship to sample size: as the auditor expects fewer deviations, a smaller sample size would be needed.
Population size is not an issue provided the population is large (greater than 5,000).
6. Select the Sample
a. The most common technique is random selection, whereby each item in the population has an equal opportunity to be included in the sample.
b. Systematic selection (every nth) is also acceptable, but a disadvantage is that results may be skewed if errors occur in a systematic pattern.
c. Block (cluster) sampling, where groups of adjacent items are selected, is not acceptable.
Evaluate the Sample Rate
- Apply "rate"
- the auditor calculates the sample deviation rate and projects the results to the population.
- the upper (maximum) deviation rate is the sum of the sample deviation rate and the allowance for sampling risk. The allowance is a "cushion" for protection against undetected deviations.
Sample deviation rate + Allowance for Sampling risk = Upper deviation rate
Pass Key: Upper deviation rate
Students often have trouble with the concepts of upper deviation rate and allowance for sampling risk, both of which have been tested on the exam. The allowance for sampling risk simply recognizes that it is likely that what we found in the sample isn't exactly what we would find in the population. Assume a population of 1000 items, a sample of 100, and a sample deviation rate of 7% (7 deviations out of 100). If the upper deviation rate (from a table) is 8.5%, this implies a 1.5% allowance for sampling risk. Conversely, should the examiners provide the allowance for sampling risk (say, 2%), it would be added to the sample deviation rate (7%) to find an upper deviation rate of 9%.
8. Form Conclusions about the Internal Controls tested
a. If the upper deviation rate is
to the auditor's tolerable deviation rate, the auditor may
on the control.
b. If the upper deviation rate
the auditor's tolerable deviation rate, the auditor would not rely on the control. Instead, the auditor would either:
1. select and test compliance with some other internal accounting control, or
2. modify the NET of related substantive tests to reflect the reduced reliance.
Assume the Upper deviation rate has been determined to be 4.7%
(1) if the tolerable rate is 3%, would the auditor rely on the control?
(2) if the tolerable rate is 6%, would the auditor rely on the control?
Pass Key: Trick
The examiners try to trick candidates into using the sampling deviation rate (instead of the upper deviation rate) in drawing conclusions about a population. In keeping with the concept of conservatism, auditors must consider the worst case scenario, or the high end of the range, in evaluating a population. It is therefore the upper deviation rate (and not the rate found in the sample) that is compared to the tolerable rate in developing conclusions.
Other attribute sampling models
a. Discovery Sampling - it is used when the auditor is looking for a critical characteristic (fraud) - one exception is bad enough
b. Stop-or-go sampling (sequential sampling) - avoids oversampling for attributes by allowing the auditor to stop an audit test before completing all steps.
Sampling in Substantive tests
Test of details / balances
Purpose of Variable sampling
Variables sampling is a
method used to estimate the numerical measurement of a population, such as a dollar value. This sampling method is used primarily in
objective of variables sampling is to obtain evidence about the reasonableness of monetary amounts. The auditor estimates the true value of the population by computing a point estimate of the population and computing a precision interval around this point estimate.
Planning Considerations -
When planning a particular sample for substantive test of details, the auditor should consider:
1. the relationship of the sample to the relevant audit objective.
2. Preliminary estimates of materiality levels
3. the auditor's allowable risk of incorrect acceptance
4. Characteristics of the population
Tolerable misstatement is the maximum monetary misstatement in the related account balance or class of transactions that the auditor is willing to accept.
Pass Key: Tolerable Misstatement
Tolerable misstatement is the application of performance materiality to a particular sampling procedure. Tolerable misstatement may be the same as performance materiality, or it may be an amount smaller than performance materiality if, for example, the population from which the sample is selected is smaller than the total account balance.
Sample Selection Considerations
The auditor uses professional judgement to determine which items should be subject to sampling. Certain items may be individually examined, such as those for which potential misstatements could individually exceed tolerable misstatement. 100% of such items are examined and they are not considered to be part of the sample.
Items subject to sampling may also be separated into relatively homogeneous groups. Each group is treated as a different population. This technique, known as stratification, generally results in a reduced sample size. Stratification is commonly used when a population has highly variable recorded amounts.
Pass Key: Stratification
When stratification is used, each group is treated as a separate population. For example, assume 1,000 items are stratified into two groups: the 100 largest items will all be examined individually, but sampling techniques will be applied to the remaining 900 items. In this case, the population size for the sampling application is 900.
Projected Misstatement v tolerable misstatement
1. Projected misstatement
- Upon completion of the sampling procedures, the auditor projects the misstatement results of the sample to the items in the population.
2. Evaluation: Projected misstatement compared to the tolerable misstatement
- if the total projected misstatement is less than the tolerable misstatement for the account balance or class of transactions, the auditor should consider the risk that such a result might be obtained even though true monetary misstatement for the population exceeds tolerable misstatements (professional judgement)
Projected misstatement results for all auditing sampling applications and all known misstatements from non-sampling applications should be considered in the aggregate along with other relevant audit evidence when the auditor evaluates whether the financial statements taken as a whole may be materially misstated.
Variables Sampling Plans
1. mean-per-unit estimation
2. ratio estimation
3. difference estimation
Mean-per-unit estimation is a sampling plan that uses the average value of the items in the sample to estimate the true population value (estimate = average sample value x number of items in population). MPU does not require the book amount of the population to estimate the true population value.
Ratio estimation is a sampling plan that uses the ratio of audited (correct) values of items to their book values to project the true population value. Ratio estimation is a highly efficient technique when the calculated audit amounts are approximately proportional to the client's amounts.
Difference estimation is a sampling plan that uses the average difference between the audited (correct) values of items and their book values to project the actual population value. Difference estimation is used instead of ratio estimation when the differences are not nearly proportional to book values.
Steps for Substantive (variable) testing
1. Define the objective of the test
Assume the auditor wishes to estimate the value of an account balance (the client's accts rec balance).
2. Define the population
It must be appropriate to the objective. Individually significant items should be identified for possible stratification.
The auditor would examine 100% of accounts for which potential errors could equal or exceed the tolerable error and would exclude those accounts from the population being tested
3. Define the sampling unit
Consider the completeness of the population in defining the sampling unit.
4. Determine the Sample Size
The auditor uses the following parameters, in conjunction with tables or formulas to determine the sample size:
(1) Tolerable misstatement
(2) Expected misstatement
(3) Acceptable level of risk (audit risk)
(4) Characteristics of the population
(5) Assessed Risk: assess RoMM and risk for other substantive procedures related to the same assertion
1. Sample size will increase as the following increases (
a. Expected misstatement
b. Standard deviation (population variability)
c. Assessed level of risk
2. Sample size will decrease as the following increase (
a. Tolerable misstatement
b. Acceptable level of risk
5. Select the sample
Sample items should be selected in such a way that the sample can be expected to be representative of the population: Random Sampling.
Evaluate the Sample Results
The auditor projects the misstatements found in the sample to the population using one of several methods (MPU, ratio, difference). The projected misstatement is applied to the recorded balance to obtain a "point estimate" of the true balance. The auditor must then add an allowance for sampling risk (sometimes called a precision interval) to the point estimate.
Form Conclusions about the balances tested
In deciding whether to accept the client book value, the auditor determines whether the recorded book value falls within the acceptable range (i.e., the point estimate +/- the allowance for sampling risk). If so, the book value is fairly stated.
Sampling in Substantive Tests: Probability-Proportional-to-Size Sampling
$ unit sampling
- PPS sampling is a technique where the sampling unit is defined as an individual dollar in a population. Once a dollar is selected, the entire account (containing that dollar) is audited. PPS sampling is considered to be a hybrid method, because it uses attribute sampling theory to express a conclusion in dollar amounts rather than as a rate of occurrence.
Advantages of PPS Sampling
1. PPS automatically emphasizes larger items by (automatically) stratifying the sample. The chance of an item being selected is proportionate to its dollar amount.
2. If no errors are expected, PPS sampling generally requires a smaller sample than other methods.
Disadvantages of PPS
A disadvantage of PPS sampling is that zero balances, negative balances, and understated balances generally require special design considerations.
PPS Sample Size Determination
The auditor selects a PPS sample by dividing the total number of dollars in the population (book value) into uniform groups of dollars or intervals. The auditor then selects a logical unit (the balance that includes the selected dollar) from each sampling interval. Tolerable misstatement is the maximum dollar error that may exist in the account without causing the financial statements to be materially misstated.
correspond to the risk of incorrect acceptance and are generally obtained from a table.
(check book Random # start then every 5,000th (sampling interval) dollar after that)
A random number between one and the sampling interval is selected. This number is the random start and it will also determine the first item selected. Systematic selection is then used to select the remainder of the sample. The recorded amounts of the logical units throughout the population are added and individual dollars are selected based on the interval. Once a dollar in an account is selected, that entire account will be audited.
Evaluation of Sample Results
If no errors are found in the sample, the error projection is zero and the allowance risk would not exceed the auditor's tolerable error. As a result, the auditor would generally conclude that the recorded balance is fairly stated.
If, on the other hand, errors are found in an account, the errors need to be projected to the interval as illustrated below. If the account selected has a balance greater than the interval, the actual dollar amount of the error should be used.
For all types of sampling, the auditor should consider qualitative aspects of deviations. These include:
a. The nature and cause of deviations (more consideration of Fraud)
b. the possible relationship of deviations to other phases of the audit.
Dual Purpose Samples
In some instances, the auditor may use the same sample to perform both tests of controls and tests of details. Dual-purpose samples are generally used when the auditor believes that there is an acceptably low risk that the deviation rate in the population exceeds the tolerable rate. The size of a sample designed for dual purposes should be the larger of the samples that would otherwise have been designed for the two separate purposes.
In evaluating dual-purpose samples, deviations from the control and monetary misstatements should be evaluated separately using the appropriate risk levels. The auditor should consider whether the existence of misstatements is indicative of a control failure; however, the absence of monetary misstatement does not necessarily imply that controls are operating effectively.
Internal Control Communications
An accountant communicates internal controls related to matters in the following situations:
1. Financial Statement Audits (non issuers)
2. Integrated Audits (non issuers and issuers)
1. Financial Statement audits (non issuers)
Although the purpose of an audit of a non issuer is to express an opinion on the financial statements and not to express an opinion on the effectiveness of internal control, certain deficiencies related to internal control may be noticed by the auditor during the audit. Such deficiencies create a reporting responsibility for the auditor.
The situation is governed by Statement on Auditing Standards
2. Integrated Audits (non issuer and issuers)
a. Examination of internal controls
- an auditor may be hired to perform an examination of a non issuer's internal control. The examination of internal control should be integrated with an audit of the financial statements.
- This situation is governed by Statement on Standards of Attestation Engagements
Audits of Internal Control (Issuers)
- All issuers are required to have an audit of internal control over financial reporting that is integrated with an audit of the financial statements.
- this situation is governed by the PCAOB
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect and correct [prevent or detect] misstatements on a timely basis.
a. a deficiency in a design occurs when a necessary control is missing or when an existing control does not achieve the desired objective.
b. A deficiency in operation occurs when a properly designed control does not operate as designed, or is performed by an inappropriate person.
A significant deficiency is a deficiency, or a combination of deficiencies, in internal controls [over financial reporting] that is less severe than a material weakness, yet important enough to merit attention by those charged with governance [responsible for oversight of the company's financial report].
A material weakness is a deficiency, or a combination of deficiencies, in internal control [over financial reporting], such that there is a reasonable probability that a material misstatement of the
[company's annual or interim] financial statements will not be prevented, detected or corrected [Prevented or Corrected] on a timely basis.
a. Reasonable Possibility implies that the likelihood of an event is either reasonably possible or probable.
Indicators of Material Weakness
the following situations are considered indicators of a material weakness in internal control.
1. Identification of any level of fraud (even immaterial) perpetrated by senior management
2. Restatement of previously issued financial statements to correct a material misstatement
3. Identification by the auditor of a material misstatement that would not have been detected by the entity's internal control.
4. Ineffective oversight by those charged with governance (the company's audit committee)
Nonissuer: internal control matters noted during an audit
The auditor has a responsibility to evaluate control deficiencies identified during the audit and, in some cases, to report those deficiencies.
1. Detection of Control Deficiencies
An auditor of the financial statements is not required to perform procedures to identify deficiencies in internal control,
to express an opinion on the effectiveness of internal control. The auditor may, however, become aware of control deficiencies while performing the audit.
Pass Key: Communication
The auditor may discuss relevant facts and circumstances with management when determining whether the auditor has identified internal control deficiencies. The level of management with whom it is appropriate to discuss the findings is one that is familiar with the internal control area concerned and that has authority to take remedial action. However, when findings call into question management's integrity or competence, it may not be appropriate to discuss the findings directly with management.
2. Evaluation of Control deficiencies
The auditor must evaluate control deficiencies (both individually and in the aggregate) to determine whether they represent significant deficiencies or material weaknesses.
The severity of a deficiency, or a combination of deficiencies, depends not only on whether a misstatement has actually occurred but also on:
1. the magnitude of the potential misstatement; and
2. whether there is a reasonable possibility that the entity's controls will fail to prevent, or detect and correct, a misstatement of an account balance or disclosure
Significant deficiencies and material weaknesses may exist even though the auditor has not identified any misstatements during the audit.
if more than one control deficiency affects the
account balance or disclosure, individually insignificant deficiencies may, in combination, constitute a significant deficiency or material weakness.
The auditor should consider whether any controls tend to
for the identified deficiency (may prevent it from being identified as a
Communication of Control Deficiencies
- Significant deficiencies and material weaknesses, even those that were corrected during the audit, must be communicated on a timely basis in
to management and those charged with governance.
Previously existing deficiencies
Previously communicated significant deficiencies and material weaknesses that have not been corrected should be communicated again, in writing, during the current audit by referring to the previously issued written communication and the date of that communication.
1. while it is recommended that the written communication be made by the report release date, a window extending 60 days beyond this date is acceptable.
2. Earlier communication is also acceptable. While such early communication need not be in writing, it does not negate the requirement for eventual written communication of all significant deficiencies and material weaknesses.
It is management's responsibility to evaluate and address control deficiencies. Management may decide to accept certain significant deficiencies or material weaknesses based on the costs that would be incurred to correct them. Even in such situations, the auditor is still required to communicate such deficiencies in writing.
Communication of other deficiencies
The auditor should communicate to management only, in writing or orally, other deficiencies in internal control identified during the audit that are of sufficient importance to merit management's attention but that are not significant deficiencies or material weaknesses. If other deficiencies are communicated should be documented.
- If the auditor has communicated other deficiencies and management decided against correcting them, then there is no need to communicate them again.
- the auditor is not required to repeat information about other deficiencies if the information has already been communicated to management by other parties, such as internal auditors or regulators.
The written communication of significant deficiencies and material weaknesses should include the following:
a. the definition of the term material weakness and, when relevant, the definition of the term significant deficiency.
b. a description of the deficiency or weakness (no need to quantify)
c. Sufficient information to enable those charged with governance and management to understand the context of the communication
regarding the use of the communication to management, those charged with governance, others within the organization, and any governmental authority to which the auditor is required to report.
c. Sufficient information to enable those charged with governance and management to understand the context of the communication
a. the purpose of the audit was for the auditor to express an opinion on the financial statements
b. the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances but
for the purpose of expressing an opinion on the effectiveness of internal controls.
c. the auditor is not expressing an opinion on the effectiveness of internal controls
d. the auditor's consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses and significant deficiencies may exist that were not identified.
Optional Communication Content
The auditor may also include the following statements in the communication when appropriate:
a. a description of the inherent limitations of internal controls.
b. the specific nature and extent of the auditor's consideration of internal control during the audit.
Absences of significant deficiencies or material weaknesses
a. the auditor may not report the absence of significant deficiencies, since there is too great a potential for misinterpretation of the very limited degree of assurance the auditor would be providing in such instances.
b. the auditor may issue communications indicating that no material weaknesses were identified during the audit, typically for the client to submit to governmental authorities
Management's written response
Management may prepare a written response to the auditor's communication regarding significant deficiencies and material weaknesses identified during the audit. Management's response may 1. describe corrective action taken, 2. describe corrective action planned for the future, or 3. indicate that the cost of correcting the identified deficiencies would exceed the benefit to be derived.
Integrated Audits (issuers and nonissuers)
Under PCAOB standards, auditors of issuers are required to perform an integrated audit, auditing both the financial statements and management's assessment of the effectiveness of internal control over financial reporting. The audit of management's assessment is commonly referred to as an "audit of internal control over financial reporting."
The Dodd-Frank Act amended rule 404 of SOX to provide that an audit of an issuer's internal control over financial reporting is only required for issuers that are large accelerated filers or accelerated filers. (exempts small companies)
Objective of the Engagement (issuers and Nonissuers)
The auditor's objective in an audit or examination of internal control is to express an opinion on the effectiveness of the entity's internal control over financial reporting. Because an entity's internal control cannot be considered effective if one or more material weaknesses exist, the auditor should plan and perform the engagement to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assertion.
Auditors' requirements (issuers and nonissuers)
a. The audit or examination of internal control should be integrated (same time) with an audit of the financial statements. The auditor should plan and perform the integrated audit to achieve the objectives of both engagements.
b. The auditor should use the same control criteria to perform the audit or examination of internal control as management uses for its evaluation of the effectiveness of the entity's internal control.
c. Tests of controls should be designed to provide sufficient appropriate evidence to support both the opinion on internal control and the control risk assessment needed for the financial statement audit.
Management Requirements (issuers only)
Section 404 of the Sarbanes Oxley Act of 2002 requires each issuer's annual report to contain an internal control report that:
a. States management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
b. contains an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
Management's Responsibility (NONissuers only)
An SSAE examination of internal control can only be performed if management:
a. accepts responsibility for the effectiveness of internal control
b. evaluates the effectiveness of the entity's internal control using suitable and available criteria, such as criteria issued by the AICPA or by regulatory agencies.
c. Supports its assertion about the effectiveness of internal control with sufficient appropriate evidence.
1. management is responsible for identifying and documenting control objectives and the controls that meet those objectives
2. management's monitoring activities
assertion about the effectiveness of the entity's internal control in a report that accompanies the auditor's report.
- the "as of" date should coincide with the date of the FS
- the auditor should withdraw from the engagement if management refuses to furnish a written assertion.
Written Representation (both)
a. the auditor should obtain a written representation letter from management in which management:
1. acknowledges its responsibilities
2. States the assertion and specifies the criteria used to evaluate the assertion
3. affirms that management did not rely on the auditor's procedures as the basis for the assertion.
4. Confirms that all significant deficiencies and material weaknesses have been disclosed to the auditor and indicates whether any such deficiencies identified in previous engagements remain unresolved
5. describes fraud resulting in material misstatement or fraud involving senior management
6. states whether there were any significant changes to internal control after the "as of" date of the report.
Failure to obtain such written representations is a scope limitation that will generally result in the auditor's withdrawal from the engagement or in a disclaimer of opinion.
Planning the engagement
(should be the same as the planning of an audit in chapter 1)
a. the same level of materiality and the same risk assessment process should be used for both the financial statement audit and the examination of internal control.
b. More attention should be focused on areas of higher risk
c. the results of the fraud risk assessment performed in the financial statement audit should be considered in the examination of internal control, and the auditor should evaluate whether controls sufficiently address fraud risk.
Scaling the audit
Smaller or less complex companies might achieve their control objectives differently than would a more complex company, so the audit should be scaled appropriately. - this is okay
Fraud Risk Assessment
The auditor's fraud risk assessment (required in the financial statement audit) should be integrated into the audit or examination of internal control, and the auditor should consider management fraud and management override of controls as areas of high risk. Controls that might address these risks include controls over:
a. Significant or unusual transactions
b. period-end journal entries and adjustments
c. related party transactions
d. significant management estimates
The auditor should also consider controls that mitigate incentives and pressures that may lead management to falsify or inappropriately manage financial results.
Using the work of others
the auditor may use the work of others (internal auditors, other company personnel, and certain third parties) who are sufficiently competent and objective, in evaluating the effectiveness of internal control.
a. the auditor should consider the risk associated with a particular control, in determining whether and to what extent to use the work of others.
(i) as risk increases, a greater degree of competence and objectivity is required.
(ii) for HIGH risk areas, use of the work of others might be reduced or eliminated.
Top down Approach
a top down approach is used in selecting controls to test. The auditor evaluates overall risk at the financial statement level, considers controls at the entity level and then focuses on accounts, disclosures, and assertions for which there is a reasonable possibility of material misstatement.
Entity Level Controls
Entity level controls include controls related to:
2. management override
3. company's risk assessment process
4. centralized processing
5. monitoring other controls
6. monitoring results of operations
7. Period end financial reporting
8. Policies that address significant business control and risk management practices.
Entity level controls that are working effectively may allow the auditor to reduce the testing of lower level controls, or might affect the NET of the auditor's tests of lower level controls.
Identifying accounts, disclosures and assertions
a. the auditor should evaluate qualitative and quantitative risk factors to identify significant accounts and disclosures, and their relevant assertions.
b. in determining what amount of audit attention should be applied to a particular account, disclosure or assertion, the auditor should assess the risk that a material weakness in that area may exist as well as the risk that such weakness will lead to a material misstatement in the financial statements.
1. a greater risk implies that more audit attention should be applied and more evidence be obtained.
is one of the most effective ways to identify LSPMs.
Selecting Controls to Test
the auditor should test those controls that are important in addressing the risk of material misstatement.
Test of Controls
in testing controls, the auditor should:
a. evaluate the design effectiveness
b. test and evaluate the operating effectiveness of the controls
c. obtain relatively more evidence for controls that are subject to greater risk
d. obtain sufficient appropriate audit evidence to support the opinion about the
e. Determine the effect of any identified control deviations
f. determine the appropriate timing for test of controls
g. consider knowledge obtained during past examinations.
h. Incorporate an element of unpredictability into the testing.
Evaluate the design effectiveness
which include inquiry, observation, and inspection of documentation, are often used to evaluate design effectiveness.
Test and evaluate the operating effectiveness
(1) operating effectiveness is typically tested through inquiry, inspection of documentation, observation, recalculation, and reperformance.
(2) Inquiry alone is not sufficient to support a conclusion about operating effectiveness.
Use of Service Organizations
A service organization may be part of an entity's internal control. In such cases the auditor should:
a. obtain an understanding of relevant controls
b. Obtain evidence that the controls are operating effectively (by performing one or more of the following: obtaining a service auditor's report, testing the entity's controls over the activities of the service organization, and/or performing tests of controls at the service organization).
(i) if the date specified in management's assertion is significantly beyond the time period covered by the service auditor's report, the auditor should perform additional procedures.
Benchmarking of automated controls
Automated application controls are not particularly susceptible to human error. If general controls with respect to program modifications, access, and operations are tested and continue to be effective and if the automated controls have not changed from one year to the next, the auditor may not need to repeat specific testing performed in the previous year (but would need to verify that the control has not changed). The "benchmarking" strategy is most appropriate in low risk situations.
Evaluating control deficiencies
1. the auditor should determine whether identified deficiencies represent significant deficiencies or material weaknesses (either alone or in the aggregate). This determination should be based on the magnitude and likelihood.
2. a control weakness may be a material weakness even if no misstatement has occurred
3. compensating controls, if found to be operating effectively, may limit the severity of an identified deficiency and prevent it from being a material weakness.
Indication of material weakness
1. senior management fraud
2. restatement of previous financial statements to correct a material error
3. identification by the auditor of a material misstatement that the entity's controls would not have detected
4. ineffective oversight by those charged with governance.
Forming an opinion
the auditor should form an opinion about the effectiveness of internal control.
a. the auditor should base this opinion on all evidence, including both evidence obtained from the financial statement audit and evidence obtained during the examination of internal control.
2. after forming an opinion on the effectiveness of the entity's internal control over financial reporting, the auditor should evaluate management's report on internal control
Management's report on internal control includes:
a. indicate that management is responsible for internal control
b. describe the subject matter of the examination
c. identify the criteria used by management to measure the effectiveness of the entity's internal controls
d. include a statement of management's assertion about the effectiveness of internal control, including the "as of" date.
e. describe any material weaknesses identified by management.
Management's report not up to par
a. If management's report is
, the auditor should modify his or her own report to discuss the situation
b. if the auditor determines that the required disclosures for one or more material weaknesses have not been included in management's report, this should be stated in the auditor's report. The auditor's report should include a description of each material weakness not included in management's report.
c. if management refuses to supply a report, the auditor should withdraw from the engagement
d. other information in management's report - if management's report contains additional information beyond that noted above, the auditor should disclaim an opinion on such information (cost benefit statement)
Communication with Management and those charged with governance (non issuers)
1. the auditor should
communicate to management and those charged with governance, in writing, all significant deficiencies and material weaknesses
found during the examination of the internal controls of a non issuer.
2. the auditor should
communicate to management, in writing, all deficiencies
identified during the integrated audit. This written communication should be made
no later than 60 days following the report release date.
The auditor should also inform those charged with governance when such a communication has been made. Deficiencies previously communicated in writing need not be repeated.
3. if the auditor concludes that the oversight of financial reporting and internal control by the company's audit committee (or similar body) is ineffective, the auditor must communicate that conclusion in writing.
4. the auditor is not required to search for control deficiencies that are less severe than a
, but those that are identified should be reported.
Communications with management and the audit committee (issuers only)
a. the auditor must communicate in writing to management and the audit committee all material weaknesses identified during the audit. Written communication should be made prior to the issuance of the auditor's report on internal control over financial reporting.
b. the auditor is required to communicate any identified significant deficiencies, in writing, to the audit committee.
c. the auditor should communicate to management, in writing, all deficiencies in internal control over financial reporting identified during the audit and inform the audit committee when such a communication has been made.
d. oversight by company's audit committee = communicate that to the BOD
e. the auditor is not required to search for control or significant deficiencies, but those that are identified should be communicated.
f. an audit does not provide assurance that all control deficiencies or significant deficiencies have been identified, so the auditor should not issue a report stating that no such deficiencies were noted.
Reporting on internal control
Under SSAEs, the auditor may report directly on the effectiveness of the entity's internal controls
may report on management's assertion with respect to internal control.
Separate or combined Reports
The auditor is required to report on both the company's financial statements and on its internal control over financial reporting. Two separate reports,
one combined report, may be issued.
if separate reports are issued, each report should contain an explanatory paragraph making reference to the other report and indicating the nature of the opinion expressed.
a. The report should be dated no earlier than the date on which sufficient appropriate evidence has been obtained.
b. the date of the report on internal controls should coincide with the date of the audit report on the financial statements.
Material weakness in internal control
a. The presence of a material weakness in internal control results in an
opinion. The auditor's report should include an explanatory paragraph defining the term material weakness, stating that one or more material weaknesses were noted, and referring to the material weakness described in management's assertion.
b. when a material weakness exists, the auditor should express an opinion directly on the effectiveness of internal control, and not on management's assertion.
c. the auditor should consider the effect of this adverse opinion on the financial statement opinion, and should indicate whether the opinion on the financial statements was affected by the material weakness.
Reporting on internal controls (issuers)
the auditor is required to report on both the company's financial statements and on its internal control over financial reporting. Two separate reports
one combined report may be issued.
if separate reports are issued, each report should contain an explanatory paragraph making reference to the other report and indicating the nature of the opinion expressed.
Material weakness in internal control (issuer)
a. a material weakness requires the auditor to issue an
- no qualified
b. the auditor's report must include the definition of a material weakness, a statement that a material weakness has been identified, and an identification of the material weakness described in management's assessment.
Reporting on whether a previously reported internal control weakness continues to exist
a. The auditor's objective is to express an opinion on whether a previously reported material weakness has been eliminated.
b. the auditor may perform such an engagement only if:
(1) he or she has sufficient overall knowledge of both the company and its internal controls over financial reporting
(2) Management accepts responsibility for the effectiveness of internal control, evaluates its effectiveness, asserts that internal control is effective, provides support for this assertion, and presents a written report that will accompany the auditor's report
d. the auditor's testing is limited to the controls specifically identified by management as eliminating the material weakness.
the auditor should withdraw from the engagement or issue a disclaimer of opinion if the scope of the audit is restricted.
Any material weaknesses identified should be described, and the definition of a material weakness should be included, in the disclaimer.
As is the case with a financial statement audit, another auditor may be involved in the audit of an entity's internal control. The principal auditor decides whether the involvement of the other auditor warrants reference in the auditor's report (private company only)
Financial Statement Audit vs Examination of internal control (non issuer)
Differences between the two
The purpose of an examination of the effectiveness of an entity's internal control is to express an opinion about whether the entity maintained, in all material respects, effective internal control as of a point in time based on the control criteria. The purpose of an auditor's consideration of internal control in an audit of financial statements conducted in accordance with GAAS is to enable the auditor to plan the audit and determine the NET of tests to be performed.
An examination of internal control results in an opinion of internal control as of a
point in time
, while an opinion on the financial statements relates to a longer period of time, such as a year.
Extent of testing
An auditor's consideration of internal control in a financial statement audit is more limited than that of an auditor engaged to examine the effectiveness of the entity's internal control. In order to render an opinion on internal control, the auditor should obtain evidence about the effectiveness of selected controls over ALL relevant assertions. In a financial statement audit, the auditor is not required to test controls over all relevant assertions.
Communication of Control Deficiencies
1. In a financial statement audit, there is no requirement to communicate control deficiencies that are not significant deficiencies or material weaknesses.
2. In a financial statement audit, the communication of significant deficiencies and material weaknesses must be made within 60 days of the report release date.
3. In a financial statement audit, the communication of significant deficiencies and material weaknesses should include restricted use language, but in an audit of internal control, no restriction on the use of the report is required.
Foreign Corrupt Practices Act
The FCPA includes provisions regarding internal accounting control for certain entities. Compliance with the FCPA is a legal determination. An examination of the effectiveness of internal control under Statements on Standards for Attestation Engagements generally would not be sufficient to determine whether an entity is in compliance with this act. (WE ARE NOT LAWYERS)
Those charged with governance
refers to those who bear responsibility to oversee the obligations and strategic direction of an entity, including the financial reporting process. This term is broadly interpreted to encompass the terms BOD and Audit committee.
What is an audit committee
An audit committee is a committee of the BOD, generally made up of three to five members of the board who are "outside directors."
are individuals who are neither employees nor part of management and who do not have a material financial interest in the company.
Purpose of an audit committee
1. The SEC has strongly recommended this action, and the NYSE requires all companies listed on the exchange to have audit committees.
2. Many large accounting firms and leading accountants in the country have strongly supported the formation of audit committees.
3. The use of audit committees tends to strengthen the public's sense of the
of the public accountant.
Specific Function of the audit committee
The main function of the audit committee is to enhance internal control by creating a means of direct communication between the "outside directors" and the independent auditor. An audit committee is considered to be part of the internal control structure. The audit committee typically:
a. Selects and appoints the independent auditor and sets the audit fee.
b. Assures the auditor is independent
c. reviews the nature and details of the audit engagement
d. reviews the quality of the auditor's work
e. reviews the scope of the audit
f. ensures that any recommendations made by the auditor are given the proper attention
g. maintains lines of communication between the auditor and BOD
h. helps solve any disagreements related to the accounting treatment of any material items in the financial statements.
i. evaluates the internal control of the company with the help of the independent auditor.
Communication with the audit team
Communication with the audit committee is a key element in the auditor's communication with those charged with governance. The auditor should:
a. have appropriate access to the audit committee
b. meet with the audit committee without management present at least once each year.
c. consider whether communication with the audit committee is sufficient or whether there is also a need to communicate with others charged with governance.
- requires the audit committee to:
i. approve the engagement of the auditor
ii. preapprove the services to be performed
iii. have ongoing communication with the auditor
in effect, auditors of issuers report to and are overseen by the audit committee
, not by management.
Required Communications - Matters related to the Auditors responsibility
a. The auditor is responsible for forming and expressing an opinion about whether the financial statements are prepared, in all material respects, in conformity with the applicable financial reporting framework.
b. the audit is designed to provide reasonable, rather than absolute, assurance about whether the financial statements are free from material misstatement.
c. pg 51 for other things
in engagement letter or contract form.
Required communication - Overview of the planned scope and timing of the audit
a. the auditor may communicate how significant risks of material misstatements will be addressed, the planned approach toward internal control, factors affecting materiality and any potential use of internal audit.
b. the auditor should be careful not to compromise the effectiveness of audit procedures, for example making them too predictable.
c. the communication may also include discussion of the attitudes, awareness, and actions of those charged with governance with respect to internal control, fraud, relevant changes, and matters previously communicated by the auditor.
Significant audit findings
the auditor should communicate:
a. the auditor's views about qualitative aspects of the entity's accounting practices, such as: significant accounting policies, significant accounting estimates, significant management judgement, and adequacy of financial statement disclosures.
b. Significant difficulties encountered during the audit (delays, unreasonable time tables, lack of cooperation)
c. Disagreements with management, whether or not resolved.
d. Uncorrected, nontrivial misstatements and their possible effect on the audit opinion.
e. any circumstances that may appear to impair independence.
If all of those charged with governance are
involved with managing the entity, the auditor should also communicate:
a. significant issues and findings arising from the audit that were discussed with management
b. material, corrected misstatements brought to management's attention as a result of the audit. (the auditor may choose to communicate immaterial corrected misstatements that are frequently recurring)
c. management representations requested by the auditor.
d. management's consultation with other accountants.
Two way communication
1. communication should be two-way. Those charged with governance should also communicate relevant matters to the auditor.
2. The auditor may request additional information from those charged with governance as a means of obtaining further audit evidence.
3. Inadequate two way communication may be indicative of an unsatisfactory control environment, which may affect the auditor's assessment of the risk of material misstatement.
Communication with management
1. Generally, the auditor may discuss matters with management prior to communicating those matters to those charged with governance.
2. Certain matters communicated to those charged with governance, such as those related to the competence and integrity of management, might not be appropriate for discussion with management.
Sarbanes Oxley Act Requirements
Auditors of issuers are required to report (to the audit committee) all critical accounting policies, all material alternative GAAP accounting treatments, and other material communications between the auditor and management. If no formal audit committee exists, communications should be made to the full BOD.
Form of communication
In general, communications may be oral or in writing.
1. Significant audit findings should be communicated in writing when, in the auditor's judgement, oral communication would be insufficient.
2. Written communication should include a limitation on the use of the communication.
3. oral communications should be documented.
Timing of Communication
1. timing of the communications may vary according to circumstance, but should occur on a timely basis in a manner that allows appropriate actions to be taken.
2. for audits of issuers, communications are required to be made before issuance of the auditor's report.
Representation Letter - Overview
At the conclusion of fieldwork, the independent auditor
obtain a management representation letter from the client. The auditor prepares the text for the rep letter, which is then printed on the client letterhead and signed by the client.
Failure to obtain a rep letter = scope limitation
1. Final Piece of Evidential Matter
2. Letter is
3. Dated Same Date as auditors report
4. Signed by CEO
Dated same date as audit report
Occasionally, circumstances may prevent management from signing the rep letter and returning it to the auditor on the date of the auditor's report. When this happens, the auditor may accept management's oral confirmation, on or before the date of the auditor's report, that management has reviewed the final representation letter and will sign the representation letter without exception as of the date of the auditor's report.
In the rep letter, management provides information on the financial statements, the completeness of information, recognition, measurement, and disclosure, and sub events.
Representations may be limited to items that management and the auditor agree are material. Materiality considerations do not apply to items not directly related to financial statement amounts.
Doubt about the reliability of written representations
If the auditor concludes that written representations are not reliable, the auditor should consider the possible effect on the audit opinion. When the auditor concludes that there is sufficient doubt about the integrity of management, the auditor should disclaim an opinion or withdraw from the engagement.
Contents of management rep letter
a. Financial Statement (MR DIM)
b. Completeness of information
c. Fraud (DIM) (disclosure of any possible fraud)
d. Laws and regulations (noncompliance disclosed)
e. Uncorrected Misstatements (management's belief that the uncorrected misstatements are immaterial)
f. Litigation and claims
g. Estimates (are reasonable)
h. Related Parties
i. Subsequent Events
Pass Key: Management Rep
remember that the management representation letter is
. Management's refusal to furnish written representations will generally result in either a disclaimer of opinion or in withdrawal from the engagement.