76 terms

Auditing Exam 2

Internal control and sampling

Terms in this set (...)

Basic steps of the audit process
1. Plan the audit. 2. Obtain an understanding of the client and its environment, including internal control. 3. Assess the risks of misstatement and design further audit procedures. 4. Perform further audit procedures. 5. Complete the audit. 6. Form an opinion and issue the audit report (183).
Accepting a prospective client actions
Some of the actions a CPA firm may take include thoroughly investigating prospective clients in order to determine the amount of engagement risk. Also, the CPA firm needs to determine if they are independent and have adequate competency in the client's industry (187). CPA firms do not want to audit companies that have a large amount of risk. Companies do not have a right to be audited.
Questions for successor auditors
The new auditor has to get consent from the client to discuss with the predecessor auditor. The successor auditor should ask about disagreements with management over accounting principles, the predecessor's understanding of the reason for the change in auditors, about instances of fraud, and other matters that will assist the successor auditor in deciding whether to accept the engagement (189).
Engagement letter
An engagement letter outlines an understanding with the client regarding the services to be performed, including the objectives of the engagement, management's responsibilities, the auditor's responsibilities, and limitations of the engagement (190). This is significant because it reduces misunderstandings between the auditor and the client and represents an executory contract between the auditor and the client (190).
Audit program
An audit program is a detailed list of the audit procedures to be performed in the course of the audit. This differs from client to client because it is based on the auditor's risk assessments and test of controls which vary between clients (191). Auditing standards are almost silent on procedures, except for observing inventory.
Risk assessment procedures
Inquiries of management and others within the entity; analytical procedures; observation and inspection relating to client activities, operations, documents, reports, and premises; other procedures, such as inquiries of others outside the company and reviewing information from external sources (193). Basically the risk assessment procedures determine the further audit procedures required.
Five dimensions of understanding client
Nature of the client; industry, regulatory, and other external factors; objectives and strategies and related business risks; methods of measuring and reviewing performance; internal control
Nature of the client
This helps the auditor determine the client's critical business processes and therefore have a basis for developing expectations of the client's financial position.
Industry, regulatory, and other external factors
Helps the auditor determine if the client may be subject to specialized risks that will affect the audit.
Objectives, strategies, and related business risks
Based on the overall objectives of the client's management, the auditor may discover significant business risks and so the auditors will want to pay particular attention to management's risk assessment process to determine the risk of material misstatements.
Methods of measuring and reviewing performance
These standards may create pressure on management or employees to meet certain expectations and misstate the financials.
Internal Control
This helps the auditor determine the nature and extent of the audit work to be performed
Concept of materiality
The concept of materiality recognizes that some matters are important to the fair presentation of financial statements, while others are not (197). This is significant to audits because it allows the "pass over" certain conceptual accounting errors while planning the audit and determine the likelihood of material misstatements in evaluating audit findings (198).
Common material items
Anything illegal is material. Related party transactions are often material unless proven otherwise. Qualitative materiality includes an adjusting entry that makes net income into a net loss or vice versa.
Concept of allocating materiality
The concept of allocating materiality is meant to establish the scope of substantive procedures when audit sampling is used for one or more accounts. This is essentially done by determining the tolerable misstatement of an account (199). For example, cash should not be allocated anything, but inventory and A/R should be allocated more because of obsolescence and allowance for bad debts.
General approach to risk assessment
The general approach to risk assessment is to identify and assess risks of material misstatements for account balances, classes of transactions, and disclosures (202).
Significant risks
Significant risks are extra bad possibilities which require special audit consideration because they often relate to nonroutine transactions and estimation transactions (203). These are important in auditing because operating effectiveness of controls in prior periods and analytical procedures may not be as heavily relied on and design and implementation of related controls must be carefully considered (203).
Audit trail
The audit trail is the trail of evidence which links the thousands of individual transactions composing a year's business activity with the summary figures in the financial statements. This includes source documents, journal entries, and ledger entries (209).
Transaction cycles
The significance is that the transactions cycles often drive the auditor's consideration of internal control and determining the amount of risk assessed to the various accounts (209). This is because the client's build internal controls around transactions cycles.
Two sections of the audit program
The two major sections are the systems portion which may not be done a 100% of the time because they cannot be tested for some companies (deals with the procedures to assess the effectiveness of the client's internal control) and the substantive test portion which will always be done (deals with the financial statement account balances (210).
Application of substantive tests
Much of the substantive tests deal with balance sheet accounts because of the ease of verification. Income statement accounts are harder to verify because they have no tangible form. Many income statement accounts are verified indirectly from the verification of balance sheet accounts (211). Some income statement accounts are verified directly with substantive tests, such as interest expense. On first audits of a company, income statements may be disclaimed.
Tests of controls evidence
Tests of controls provide evidence as to the likelihood that material misstatements have occurred.
Substantive tests evidence
Substantive tests provide evidence that material misstatements actually exist and size.
Interim work
Test of controls is more likely to be performed at interim because these provide the basis for the amount of substantive testing required (213). You can always audit an income statement account to date during the interim period. Also, you can audit balance sheet accounts which will not have any further activity during the interim period.
Audit objectives
Auditors derive their audit objectives from management's assertions that are contained in the client's financial statements. Generally the objectives do not change from account to account, client to client, or year to year because the assertions stay the same (213). The emphasis on the various assertions may vary from client to client, account to account, or year to year.
Cutoff refers to the process of determining that transactions occurring near year end are assigned to the proper accounting period. An auditor may be concerned with recording purchases, cash disbursements, sales, and cash receipts in the correct period (216).
COSO internal control objectives
COSO objectives cover the internal control over the areas of financial reporting, operations, and compliance. These control objectives are supported by a series of assertions which underlie the financial statements. Also, these objectives exist at various levels.
Foreign Corrupt Practices Act of 1977 internal control objectives
The objectives of the Foreign Corrupt Practices Act of 1977 include ensuring that transactions are executed with the knowledge and authorization of management, transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets, access to assets is limited to authorized individuals, and accounting records of assets are compared to existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
Inherent limitations of internal control
Cost considerations, mistakes in performance of controls, error in design maintenance (especially with computer), management override, and collusion are inherent limitations of internal control (254).
Performance of tests of controls
There cannot be a 100% test of controls audit according to the standards. Test of controls do not have to be performed if risk assessment has not identified any effective controls relevant to assertions or test of controls would be inefficient. Substantive procedures must always be done because of the inherent limitations of internal controls.
Auditor's understanding of internal controls
The auditor's understanding needs to be sufficient in order to identify types of potential misstatements, consider factors that affect the risks (likelihood) of material misstatements, and design tests of controls (when applicable) and substantive procedures (256).
Documentation of understanding of internal controls
Flowcharts, internal control questionnaires, or written narratives
When auditor must use tests of controls
The auditor should perform tests of controls when the risk assessment includes an expectation of the controls operating effectively or when substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level. When a client has a sophisticated information technology system then the auditors may have no other option than using extensive tests of controls.
When auditor does not need to use tests of controls
If the auditor believes the controls are poorly designed (therefore not believed to be operating effectively anyways) or if testing those controls is not cost effective then the auditor need not perform them (265). This may include if the auditors determined that the controls from a prior year have not changed, they may rely on evidence of operating effectiveness from prior years' audits (267).
A walk-through is a test of the accuracy and completeness of the auditors' workpaper description of internal control. This is performed by tracing several transactions through each step of the related transaction cycle, noting whether the sequence of procedures actually performed corresponds to that described in the audit workpapers (279).
Risks of material misstatements at the financial statement level
Some of the risks at the financial statement level include preparing the period end financial statements, including the development of significant accounting estimates and the preparation of the notes; the selection and application of significant accounting policies; IT general controls; the control environment (264).
How an auditor identifies risks of material misstatement
An auditor identifies risks at the relevant assertion level by considering both the design of the control and its implementation (265).
Action after assessing risk of material misstatement
After assessing the risk of material misstatement, the auditor will then need to decide the specific substantive procedures (further audit procedures) to determine whether a material misstatement exists (265).
Tests of controls activities
Inquiries of client personnel, inspection of documents and reports, observation of the application of controls, and re-performance of the controls (266).
Consideration of internal auditor's work
External auditors must obtain an understanding first about the work of the internal auditors in order to determine its relevance to the audit. Then they must consider the competence (education and certifications) and objectivity (internal auditors' reporting requirements to board of directors) of the internal auditors before relying on their help in the planning and conducting of an audit. If the internal auditors are considered competent and objective then they may assist the external auditor in understanding internal controls, assessing risk, preparing workpapers, and performing certain audit procedures (270). Ultimately, however, the internal auditor's judgement should not be relied on in assessing inherent and control risks, materiality, sufficiency of tests performed, accounting estimates and other matters affecting the auditor's opinion (271).
Control deficiencies
Exist when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect material misstatements on a timely basis.
Significant deficiencies
Deficiencies in internal control over financial reporting (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. Must be communicated to management and those charged with governance.
Material weaknesses
A deficiency in internal control over financial reporting (or a combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis (278-279). Must be communicated to management and those charged with governance.
Management letter
A management letter is a report to management containing the auditors' recommendations for correcting any deficiencies disclosed by the auditors' consideration of internal control. The management letter also provides recommendations on where the company can do better (put cash into interest-bearing accounts). The management letter may also help limit the auditors' liability in the event of a control weakness subsequently resulting in a loss to the client (278).
Management's responsibilities under SOX 404a
Under SOX Sec. 404a, management must acknowledge its responsibility for establishing and maintaining adequate internal control over financial reporting and provides an assessment of internal control effectiveness as of the end of the most recent fiscal year (272).
Auditor's responsibilities under SOX 404b
The auditor's responsibilities are to attest to, and report on, internal control over financial reporting (272). Auditor's attestation of internal control may be in a separate report or included in audit report.
Top-down approach to tests of controls
The goal of the top-down approach is to focus the auditor's focus on testing those controls that are the most important for the auditor's conclusion on internal controls, while avoiding those that are not (275). PCAOB AS 5 outlines the need to test key controls to make sure that they are effective.
Audit sampling
Audit sampling is the application of an audit procedure to less than 100 percent of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class (AU 350.01). The purpose of audit sampling is to be able to more efficiently make inferences about the characteristics of the entire population of transactions without having to look at all of them individually. You want the smallest sample possible in order to get the job done.
Sampling risk
Sampling risk is the risk that an auditors' conclusions (is wrong because of a non-representative sample) based on a sample may be different from the conclusions they would reach if they examined every item in the population.
Non-sampling risk
Nonsampling risk is all the other aspects of audit risk not due to sampling (applying the wrong procedures, failing to recognize proper results, or misinterpreting the results). Minimized by planning, supervision, and quality control.
Difference between statistical sampling and non-statistical sampling
The essential difference is that non-statistical sampling determines sampling risk by using professional judgment rather than statistical techniques (327). Statistical sampling can measure and control sampling risk, non-statistical cannot.
Random sample
A random sample has the benefit of giving every item in the population an equal chance of being included in the sample. The main limitation is that a random sample may not be a representative sample of the population (328). Another limitation is if the population is not pre-numbered, then it is more difficult to assign numbers to the population in order to sample it.
Stratified sampling
Stratified sampling is beneficial statistically because it places the items into homogeneous groups from which a smaller number of sample items can be taken to determine the characteristics of the entire population. The practical benefit to auditors is that they can relate the sample strata to materiality so that they can reduce the risk of incorrect acceptance of accounts with amounts greater than the tolerable misstatement to a lower level (331).
Attribute sampling
Used with tests of controls
Variables sampling
Used with substantive tests
Sampling error
Sampling error is the difference between the sample mean and the population mean.
Sampling risk
Sampling risk is the chance that the auditors' conclusions may be different if they had examined the entire population.
Allowance for sampling risk
The allowance for sampling risk is the amount used to create a range within which the true value of the population characteristics being measured is likely to lie. The allowance for sampling risk is derived statistically (332).
Risk of assessing control risk too high
The risk of assessing control risk too high is a matter of auditing efficiency in which the auditor determines the control risk is higher, when the controls really where operating effectively.
Risk of assessing control risk too low
The risk of assessing control risk too low is a matter of auditing effectiveness in which the auditor determines that the control risk is lower, when really it should have been increased.
An attribute is a characteristic of a control which shows that the control was actually performed.
Judgmentally determined inputs to sample size for attribute sampling
The judgmentally-determined inputs necessary for determining sample size are the tolerable deviation (strictly judgmental), the expected population deviation rate, and risk of assessing control risk too low (strictly judgmental) (335).
Development of the expected population deviation rate
An auditor develops the expected population deviation rate from the sample results from prior years, based on the auditors' experience with similar tests on other engagements, and a pilot sample (small beginning sample).
Achieved upper deviation rate
Sample deviation rate (# of deviations/ sample size) + Allowance for sampling risk
Risk of incorrect rejection
Effects efficiency of audit
Risk of incorrect acceptance
Effects effectiveness of audit. Failure to detect a material misstatement may lead to accusations of negligence and to extensive legal liability (343).
Ratio estimation
Auditors use a sample to estimate the ratio of the misstatement in a sample to its book value and project it to the entire population. Cancel out book values
Difference estimation
Auditors use a sample to estimate the average difference between the audited value and book value of items in a population. Cancel out items (sample items vs. population items)
Circumstances in which ratio or difference analysis are more beneficial
Ratio or difference estimation are more advantageous because it yields a smaller sample size, but only if misstatements are assumed. Such as when (1) each population item has a book value, (2) an audited value may be determined for each sample item, and (3) differences between audited and book values (misstatements) are relatively frequent.
When difference estimation is preferred
Difference estimation is most appropriate when the size of misstatements does not vary significantly in comparison to book value (such as random errors).
When ratio estimation is preferred
Ratio estimation is most appropriate when the size of misstatements is nearly proportional to the book value of the items (350).
Probability-Proportional-to-Size (PPS) sample size formula
= (Population book value x Reliability factor)/[Tolerable misstatement - (Expected misstatement x Expansion factor)]
Tainting percentage
The tainting percentage is calculated by taking the misstatement dollar amount and dividing it by the book value of the account. It is applied by taking the percentage and multiplying it by the sampling interval in order to come up with the projected misstatement for that interval of the book values of the accounts (368).
PPS Upper limit on misstatement
= Projected misstatement + Basic Precision (Reliability factor x sampling interval) + Incremental allowance
PPS advantages to classical variable sampling
1. No estimate of population standard deviation needed. 2. Automatically stratifies population. 3. Results in smaller sample size when there are few misstatements. 4. Sample selection can begin before entire population is available
PPS disadvantages to classical variable sampling
1. Special consideration required for understated and negative accounts. 2. Each item in population must have a book value. 3. Might overstate allowance for sampling risk when misstatements found. 4. Sample size may be larger for accounts with a moderate number of misstatements.