Audit Exam #2

Nonstatistical selection (if any of the following occurs)

- Judgement used to determine sample size - Haphazard sample selection is used - Sample results are evaluated judgmentally

10% 5%

90% confidence = _____ sampling risk 95% confidence = _____ sampling risk

Risk of Incorrect Acceptance (Type 2)

Accept the population when its inaccurate - effectiveness problem - accepting controls that are ineffective - main concern when determining sample size

Receivables Turnover = Net Annual Credit Sales / (Beginning AR + Ending AR/ 2) Inventory Turnover = COGS / Average Inventory Days Sales on Hand = 365 / Inventory Turnover

Activity Ratios

1. Smaller sample sizes 2. Automatically results in a stratified sample 3. Sample can be designed and begin prior to availability of entire population 4. Auditors find easier to apply

Advantages of Monetary Unit Sampling (MUS)

1. Allows design of efficient sample 2. Allows measurement of evidence sufficiency 3. Quantify sampling risk

Advantages of Statistical Sampling Method

1. Risk Assessment Procedures 2. Substantive Analytical Procedures 3. Final Analytical Procedures

Analytical procedures can be used to accomplish 3 purposes

1. GAAS Standard of Fieldwork - Auditing standards require that auditors obtain a sufficient understanding of a company's internal control so that they can properly assess ROMM and plan the audit accordingly - understand and design implementation - effectively plan the audit - to lower CR below max level, must test controls 2. Procedures used to obtain an understanding - walkthrough (inquire, observe, inspect) 3. Documenting the understanding of I/C - flowcharts, walkthrough, procedural manuals, questionnaires (least effective), narratives (who, what, when, where)

Auditor I/C Responsibilities: Obtain an understanding of internal controls

1. Design Effectiveness: whether the control is suitably designed to prevent, or detect and correct, material misstatements 2. Operating Effectiveness: how well the control is applied, the consistency in which it was applied and who applied it Common Types of I/C Tests of Operating Effectiveness: - Inquiry - Inspection - Observation - Reperformance

Auditor I/C Responsibilities: Performing Tests of Controls

1. Substantive Strategy 2. Reliance Strategy

Auditor I/C Responsibilities: Planning an Audit Strategy

1. Obtain an understanding of internal controls 2. Planning an audit strategy 3. Performing tests of controls 4. Timing of Audit Procedures

Auditor Responsibilities Concerning Internal Control

For public company audits, auditors must perform integrated audits of ICFR and the financial statements

Auditor's Responsibilities of ICFR for Public Companies

Standardization and simplicity - Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling - Nonstatistical sampling allows CPA firms to standardize sampling applications, thereby promoting consistency across their many audit engagements

Benefits of Nonstatistical Sampling for Tests of Controls

Control environment

COSO Component: Actions, policies, and procedures that reflect the overall attitude of top management, directors, and owners of an entity about internal control ad its importance Principles: - Integrity and ethical values - Board of director and audit committee participation - Organizational structure - Commitment to competence - Accountability

Risk Assessment

COSO Component: Management's identification and analysis of risks relevant to the preparation of financial statements in accordance with appropriate accounting frameworks such as GAAP or IFRS Principles: - Have clear objectives in order to identify risks related to those objectives - Determine how risks should be managed - Consider the potential for fraud - Monitor changes

Monitoring

COSO Component: Management's ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and are modified when needed Principles: - Perform periodic evaluations - Communicate identified deficiencies to those who can remediate

Information and Communication

COSO Component: Methods used to initiate, record, process, and report an entity's transactions and to maintain accountability for related assets Principles: - Use relevant, quality information to support the functioning of internal controls - Communicate information internally, including objectives and responsibilities for internal control - Communicate with external parties for relevant information related to internal controls

Control Activities

COSO Component: Policies and procedures that management has established to meet its objectives for financial reporting Principles: - Develop control activities that mitigate risks to an acceptable level - Develop general controls over technology - Establish appropriate policies, procedures, and expectations

Yes No

Can you have a clean audit opinion of F/S and an adverse opinion on ICFR? Can you have an adverse opinion of F/S and a clean opinion on ICFR?

S - separation of duties C - cross checks/ comparisons A - adequate recordkeeping L - limited access P - proper approvals/ authorization

Control Activities (SCALP)

Unqualified opinion Adverse opinion

Control deficiency or significant deficiency -> ___________ Material weakness -> __________

Debt to Equity = (Short term debt + Long term debt) / Stockholders' equity Times interest earned = (Net income + Interest expense) / Interest expense

Coverage Ratio

1. Accounts with zero balance not selected 2. Accounts with negative balance 3. Accounts that are understated

Disadvantages of Monetary Unit Sampling (MUS)

1. Trains auditors in proper use 2. Designing and conducting the sampling application 3. Lacking consistent application across audit teams due to complexity

Disadvantages of Statistical Sampling Method

Tolerable Rate > Upper deviation rate = Controls are effective Tolerable Rate < Upper-deviation rate = Controls are not effective

Draw Final Conclusions for Attribute (Statistical) Sampling

1. If the Upper Misstatement Limit (UML) < Tolerable Misstatement then accept the population book value (no material misstatement) 2. If the Upper Misstatement Limit (UML) > Tolerable Misstatement then reject the population book value (material misstatement)

Drawing the Final Conclusion for Monetary Unit Sampling (MUS)

1. Calculate sample deviation rate # deviations / # of items in sample 2. Determine upper-deviation rate sample deviation rate + allowance for sampling risk

Evaluate Results of Control Tests for Attribute (Statistical) Sampling

1. Calculate sample deviation rate (# of deviations / # of items in sample) 2. No statistical upper deviation rate is computed * cannot quantify sampling risk 3. Judgmentally draw final conclusion about the effectiveness of internal control

Evaluate results of control tests for nonstatistical sampling

1. Calculate the Projected Misstatement for all "small" sampling units that are less than the amount of the sampling interval Projected Misstatement = $ Sampling Interval x % Overstatement % Overstatement = (Book Value - Audit Value) / Book Value 2. Calculate the Upper Misstatement Limit (UML) for all "small" sampling units to allow for sampling risk UML = Projected Misstatement x Misstatement Factor 3. Add misstatements that are equal to or greater than the sampling interval - These misstatements require no additional projection or adjustments for sampling risk because they had a 100% chance of being selected

Evaluating Results: Projecting Misstatements + Allowance for Sampling Risk for Monetary Unit Sampling (MUS)

1. Control Environment - corporate culture - management integrity - independent audit committee 2. Entity's Risk Assessment Process - identify relevant business risks that may impact financial reporting 3. Control Activities - mitigate risks and achieve objectives 4. Information and Communication - generate and maintain relevant, quality information - reliable, trustworthy AIS - supports the other 4 COSO frameworks 5. Monitoring Activities - Assess the quality of internal control performance over time - internal audit function - communicate identified deficiencies (to audit committee/ management)

Five Components of Internal Control

1. Accounting change (reasonable: LIFO to FIFO, change depreciable life) 2. General Economic/ Business event (reasonable/ explainable) 3. Error in financial statements 4. Fraud (Most concerned about 3 and 4)

Four possible causes for significant fluctuations and/or differences (during substantive analytical procedures)

1. Increase 2. Decrease 3. Decrease 4. Increase 5. Has no significant effect on sample size unless the population size is small

General affect on sample size: 1. Increase desired confidence level 2. Increase sampling risk 3. Increase tolerable deviation rate 4. Increase expected population deviation rate 5. Increase population rate

1. Increase sample size for substantive testing 2. Test same assertions and accounts using substantive tests 3 (a). Ask management to adjust and accept (unqualified) 3 (b). Management doesn't adjust (qualified/ adverse depending on materiality)

If sample results indicate that a material misstatement likely exists in the population, the auditor has 3 options:

accept at the planned assessed level of control risk low = low, moderate = moderate can't go lower than planned

If sample results of internal controls indicate that controls are effective:

1. Increase the sample size for control OR 2. increase CR, decrease DR, and do more substantive audit procedures OR 3. Test other controls for the same account and same assertion (need to show effective to have CR at planned level)

If sample results of internal controls indicate that controls might not be effective:

the individual dollars of the population book value

In MUS and PPS (probability-proportional-to-size) the population is _________

judgmentally Table: Low level of control reliance = 10-15 Sample size Moderate = 20-30 High = 40-60+

In nonstatistical sampling, determining the appropriate sample size is made __________ by the auditor but must be comparable to statistical sampling tables

- identification of fraud, whether or not material, committed by senior management (management override) - restatement of previously issued financial statements to reflect the correction of a material misstatement - identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the entity's ICFR - ineffective oversight of the entity's external financial reporting and ICFE by the entity's audit committee

Indicators of material weakness

- Desired confidence level (sampling risk) - Tolerable deviation rate How many deviations willing to tolerate in the sample - Expected deviation rate Historical rate if adjustment *all before testing

Key inputs affecting sample size for tests of controls

1. Cost/ benefit 2. Management override (require inconsistent transaction) 3. Personnel errors (errors in maintaining/ monitoring) 4. Collusion (fraud) *only reasonable assurance

Limitations of an entity's internal control

stratification (larger balance have a larger chance of being selected)

MUS by nature utilizes a _______ approach

overstatement mistakes (because larger balances have a greater probability of being selected for testing)

MUS sampling and nonstatistical sampling techniques are best suited for detecting ________

1. CEO and CFO accept responsibility for ICFR 2. Evaluate (test) ICFR operating effectiveness 3. Document results from ICFR testing 4. Provide a written report of its ICFR evaluation

Management's Responsibilities of ICFR for Public Companies

Material weakness

Material and Reasonably possible or probable - report externally to audit committee and to management - adverse audit opinion

Significant deficiency

Not material but significant and reasonable possible or probable - report to audit committee and to management - clean audit opinion

Control deficiency

Not material or significant and reasonably possible or probable - report to management - clean audit opinion

1. Select sample items: all items have an equal chance of selection - Random number selection (use of spreadsheet or audit software) - Systematic selection compute sampling interval = sampling population/sample size 2. Perform control test procedure (e.g., inspection, reperformance)

Performance for Attribute (statistical) sampling

1. Select sample items: probability-proportional-to-size - "every 'nth' dollar will be selected for testing" - All accounts/ transactions greater than the interval will always be selected 2. Perform the substantive test procedure (e.g., inspection, recalculation, confirmation, etc.)

Performance for Monetary Unit Sampling (MUS)

1. Select sample items: can include random number selection, systematic selection, OR haphazard selection 2. Perform control test procedure (e.g., inspection, reperformance, etc)

Performance for Nonstatistical Sampling

Plan: Plan the audit Identify: Identify controls to test Scope: Evaluate the design and test the operating effectiveness of selected controls Evaluate: Evaluate identified control deficiencies Report: Form an opinion on the effectiveness of ICFR

Performing an audit of ICFR

1. Identify entry-level controls - control environment 2. Identify significant accounts and disclosures and their relevant assertions 3. Understand likely sources of misstatement - flow of transactions 4. Select controls to test - key controls (important for assertion and account) - only test what's important to CR conclusion

Performing an audit of ICFR: Identify Controls to Test

1. The role of risk assessment - auditors should devote more attention to areas that have a higher risk of a material misstatement 2. Using the work of others - auditors are permitted to use the work performed by, or receive direct assistance from, internal auditors and entity personnel - only use IAF for lower risk (assess competence and objectivity)

Performing an audit of ICFR: Plan the Audit

1. Nature of testing - inquiry - observation - inspection - reperformance 2. Timing of tests of controls - in many instances the auditor obtains evidence about the operating effectiveness of controls at an interim date 3. Extent of tests of controls - auditors consider the nature of the control (manual vs. automated), the frequency in which the control operates, and the importance of the control when determining the extent (i.e., "how much") of testing to perform

Performing an audit of ICFR: Test Operating Effectiveness of Controls

1. Define the objective - determine whether an account balance or transaction class is fairly stated 2. Define a misstatement 3. Determine the appropriate sample size by setting each of the following: a) Desired confidence level (typically 90% or 95%) b) Tolerable Misstatement rate = $ Tolerable Misstatement / $ Population Book Value c) Expected Misstatement Rate = $ Expected Misstatement / $ Population Book Value

Planning for Monetary Unit Sampling (MUS)

1. Define the objective - Testing operating effectiveness of internal control control and determining level of control risk 2. Determine the sampling population and sampling unit - Sampling population is typically the transactions covered by the control procedures tested - Sampling "frame" 3. Define control deviation conditions 4. Determine the appropriate sample size by setting each of the following: a) Desired confidence level (typically set at 90% or 95%) b) Tolerable deviation rate (typically set between 3-10%) c) Expected population deviation rate (prior history)

Planning for attribute (statistical) sampling

draw inferences about the entire population based on the results of testing only a subset of the population

Primary purpose of audit sampling

Determine whether a financial statement account (e.g. asset accounts) and/or class of transaction (e.g. revenue) is fairly stated

Primary purpose of statistical sampling for substantive tests (DR)

Gross Profit Percentage = Gross Profit / Net Sales Return on Assets = Net income / Total assets

Profitability Ratios

Risk Assessment Procedures

Purpose: Better understand the business and identify unusual or large fluctuations in accounts to assist in determining the nature, timing, and extent (i.e. the scope) of audit procedures Examples: Comparing current-year financial information with comparable prior period(s), comparing financial ratios to prior periods or industry competitors - Required procedure during audit planning - Often performed using data aggregated at a high level and may be based on interim financial statements

Substantive Analytical Procedures

Purpose: Obtain evidential matter about particular assertions related to account balances or classes of transactions to detect material misstatements Examples: Testing the reasonableness of interest expense by computing a model (e.g., using prevailing interest rates and the book value of the debt) and comparing the amount to the company's recorded expense amount - corroborating evidence for management explanations for causes of significant fluctuations is required - Efficient Procedure often performed (but NOT required) when: 1. ROMM in the account is low and/or 2. The level of precision available when forming an expectation is high (e.g., when reliable, disaggregated data is available)

Final Analytical Procedures

Purpose: Overall review of financial information during audit completion Examples: Often include (re)comparing the current year audited balances with the audited balances from the prior year. Any material differences should be explained by audit procedures performed and documented in the working papers - Required procedure during the completion of the audit

do not expect that IC will detect all errors or fraud (inherent limitation)

Reasonable Assurance in an ICFR Context for Public Companies

- less busy for auditors July-November - must know CR to be able to determine DR - more time to reassess CR and correct before the rest of the audit (management can remediate and then auditor's retest) - if control is in non-significant risk area

Reasons to test internal control at an interim date

Risk of Incorrect Rejection (Type 1)

Reject population when its good - efficiency problem - rejecting controls that are, in fact, working properly - over sample control failures

book value / sample size

Sampling interval =

Current Ratio = Current Assets / Current Liabilities Quick Ratio = Liquid Assets / Current Liabilities

Short Term Liquidity Ratios

sampling risk non-sampling risk

Statistical sampling allows auditors to quantify ___________ No audit method allows us to quantify __________

1. Develop an expectation 2. Define a tolerable difference 3. Compare the expectation to recorded amount If the difference is greater than the tolerable difference => 4. Investigate difference. Consider patterns, trends, relationships, and possible causes. Make inquiries of management and obtain corroborative evidence

Substantive Analytical Procedures

Incorrect Rejection (type 1)

The auditor does not support the fairness of the account balance but the financial statement account is not materially misstated

1. Gain an understanding of the entity's internal control (walkthroughs) 2. Assess ROMM and design appropriate risk-based audit response (detection risk, test internal controls- required for public companies)

The auditor has a responsibility to:

Incorrect Acceptance (type 2)

The auditor supports the fairness of the account balance but the financial statement account is materially misstated

Audit Importance

The auditor's understanding of the internal control is a major factor in determining the overall audit strategy plan

inquiry with management

The effectiveness of the analytical procedure is enhanced when auditors develop potential causes for significant differences before __________

1. Reliability of financial reporting 1. Reliability of financial reporting 2. Effectiveness and efficiency of operations 3. Compliance with laws and regulations

The external auditor tests _______ categories of internal controls The internal auditor tests _______ categories of internal controls

Internal Control

The policies and procedures put in place by management and the board of directors provide reasonable assurance about the achievement of the entity's objectives in the following categories: 1. Reliability of financial reporting 2. Effectiveness and efficiency of operations 3. Compliance with laws and regulations

Inverse Direct

There is an ______ relationship between internal control effectiveness (i.e., control risk) and the amount of substantive evidence (via planned detection risk) required of the auditor and a _______ relationship with the amount of evidence required

- controls can't stop collusion - management override exists - never be set to 0 - always must do substantive audit procedures

Why can only reasonable assurance of internal controls be provided?

- human error - subjectivity involved - based on planned assessed level of control risk

Why tolerate any deviation in control effectiveness?

Management reasonable assurance

___________ has the responsibility to maintain a system of internal controls that provides ____________ that assets and records are properly safeguarded, and that the entity's information system generates information that is reliable for decision making

Deviation

a departure from adequate performance of the internal control (e.g., a transaction lacking proper authorization of approval)

Probability-proportional-to-size

a systematic approach to selecting "dollars" in the population for testing that uses a sampling interval

The COSO Internal Control Framework

a universally adopted framework covering key components of an entity's entire system of internal control 3 Controls: - Operating - Reporting - Compliance Crime Components: - Control environment - Risk Assessment - Control activities - Information and communication - Monitoring activities Where exist: - Entity level - Division - Operating unit - Function

Precision tolerable rate > expected deviation rate

at the planning stages of sampling, the difference between the tolerable and expected deviation rates

Analytical procedures

evaluation of financial information through analysis of plausible relationships among both financial and non-financial data

Non-sampling Risk

human judgment errors cause by: 1. Choosing the wrong audit procedure (ask/see/do) 2. Failing to catch a mistake by misinterpreting evidence

a group of accounts or transactions

in classical variables sampling, the population is __________

more

increase deviation rate, allowed to have _______ differences

increase

increase expected deviation rate, _______ sample size

decrease

increase sampling risk, ________ sample size

Haphazard selection

manually selecting items to sample without conscious bias

Sampling Frame

physical representation of the population (e.g., applicable accounting records that support the transaction)

Reliance strategy

rely on controls, so must test controls in order to reduce control risk below the maximum level Reasons: - controls are implemented and believed to be working properly - makes audit more efficient from a cost perspective Assessment of CR: - set a planned assessed level of control risk (what we think we can lower CR to)

Substantive strategy

relying solely on substantive procedures (DR), control risk will be at the maximum because not testing controls Reasons: - insufficient/ lack of controls implemented - not effective controls or people don't follow - testing controls is not efficient from a cost perspective (won't lower CR)

dual purpose testing

same sample for internal control and substantive procedures

$ Population book value / Sample size

sampling interval =

Misstatement

the difference between an entity's recorded amount and amounts supported by audit evidence (e.g. customer confirmations)

Sampling Risk

the trade-off between the cost of examining all the data and the cost of making an incorrect decision based on a sample of the data (not representative of the population)