You are on page 1of 6

AUD - Notes Chapter 5


Audit Sampling (statistic sampling)
Sampling risk – reach the wrong conclusion based on the sample Although statistical sampling aids the auditor in quantitative ways, it is not a substitute for professional judgement. Professional judgement is still needed/required to set parameters and evaluate the results. 2 main types of sampling 1. Attribute sampling (rate of occurrence) – used for testing internal controls (yes/no questions) 2. Variable sampling (probability-proportional to size PPS or estimation sampling or numerical quantity) – used in substantive testing of account balances ($ values) Audit risk – risk of getting the opinion wrong due to uncertainty in applying audit procedures (sampling and other) Risk of assessing control risk too low – risk that the assessed level of control risk based on the sample is less than the true risk based on the actual operating effectiveness of the control (i.e. sample results indicate a lower deviation rate than actually exists in the population) Risk of assessing control risk too high – risk that the assessed level of control risk based on the sample is greater than the true risk based on the actual operating effectiveness of the control. sample results indicate a greater deviation rate than actually exists in the population There are two sorts of mistakes an auditor can make with sampling: 1. The auditor may fail to identify an existing problem (incorrect acceptance and assessing control risk too low) 2. The auditor may falsely identify a problem where none exist (incorrect rejection and assessing control risk too high) The risk of incorrect acceptance and the risk of assessing control risk too low relate to the effectiveness of an audit in (possibly not) detecting an existing material misstatement. Auditors usually accept a risk of 5% (or 10%). Inverse to the risk is the confidence level (also called reliability). The auditor is 95% confident that the sample is representative of the population. The risk of incorrect rejection and the risk of assessing control risk too high relate to the efficiency of the audit (the auditor does more audit work than is necessary) Attribute Sampling Planning considerations • Relationship between the sample to the objective of the test of controls • Tolerable deviation rate – maximum rate of deviation from a prescribed procedure the auditor will tolerate without modifying planned reliance (or changing control risk assessment) on internal control. Rate set by the auditor • Auditors allowable risk of assessing control risk too low • Characteristics of the population Deviation rate – auditors best estimate of the deviation rate in the population from which the sample was selected. There is a direct relationship to sample size: the fewer the deviations expected, the smaller the sample size would be needed. Population of 1000 and sample 100 items and 7 deviations identified within the sample 7% sample deviation rate Estimate 70 deviations in the population (7% sample deviation rate) 1

AUD - Notes Chapter 5

If the estimated deviation rate for the entire population is less than the tolerable rate for the population, the auditor should consider the risk that such a result might be obtained even though the true deviation rate for the population exceeds the tolerable rate for the population. For example assume the tolerable rate for a population is 5% and the sample consists of 60 items: • If no deviations are found in the sample of 60, the auditor may conclude that there is an acceptably low sampling risk that the true deviation rate in the population exceeds the tolerable rate of 5% (this is because the sample deviation rate is much less than the tolerable rate) • If the sample includes two or more deviations (2 in 60 = 3.33%), the auditor may conclude that there is an unacceptably high sampling risk that the rate of deviations in the population exceeds the tolerable rate of 5% (this is because the sample deviation rate is close to the tolerable rate) • The auditor applies professional judgement in making such evaluations Perform the following steps when conducting attribute sampling • Define the objective of the test • Define the population • Define the sampling unit • Define the attributes of interest • Determine the sample size including risk of assessing control risk, tolerable deviation rate, expected deviation rate Sample deviation rate + allowance for sampling risk = Upper deviation rate Allowance for sampling risk = what we found in the sample isn’t representative of the population If the upper deviation rate is less than or equal to the auditors tolerable deviation rate, the auditor may rely on the control (assuming results of other audit tests do not contradict such results) If the upper deviation rate exceeds the auditors tolerable deviation rate, the auditor would not rely on the control. Instead the auditor would either: • Select and test compliance with some other internal accounting control, or • Modify the nature, extent, or timing of related substantive tests to reflect the reduced reliance Discovery sampling – used for detecting fraud Stop-or-go sampling – allows auditor to stop and audit test before completing all the steps (to avoid over sampling) used when few error are expected in the population Variable sampling (estimation sampling) Stratification – items subject to sampling are separated into relatively homogenous groups and treated as a separate population, which usually results in a reduced sample size. Commonly used when a population has highly variable recorded amounts Higher the tolerable misstatement the lower the sample size The auditor projects the misstatements found in the sample to the population using one of several methods (MPU, ratio, difference, etc). The projected misstatement is applied to the recorded balance to obtain a “point estimate” of the true balance. The auditor must then add an allowance for the sampling risk (sometimes called a precision interval) to this estimate 2

AUD - Notes Chapter 5

In deciding whether to accept the clients book value, the auditor determines whether the recorded book value falls within the acceptable range (i.e. point estimate +/- the allowance for sampling risk). If so, the book value is fairly stated Probability-Proportional to size (PPS) PPS – sampling unit is defined as an individual dollar in a population Advantages • Emphasizes larger items by stratifying the sample. The chance of an item being selected is proportionate to its dollar amount • If no errors are expected, PPS sampling generally requires a smaller sample than other methods Disadvantages • Items with zero, negative or understated balances require special design considerations Sampling interval = tolerable misstatement ÷ reliability factor Sample size = recorded amount of the population ÷ sampling interval Tolerable misstatement - the maximum dollar error that may exist in the account without causing the F/S to be materially misstated Reliability factors correspond to the risk of incorrect acceptance and are generally obtained from a table

The Effect of Information Technology on the Audit
Test data (test deck) – technique that uses the application program to process a set of test data, the results of which are already known. (the clients system is used to process the auditors data, off-line, and while under the auditors control Integrated test facility (ITF) – similar to test data approach except that the test data is commingled with live data (the clients system is used to process the auditors data, on-line) • Test data must be separated from the live data before the reports are created. This is usually accomplished by processing the test data to dummy accounts (fictitious customer, branch, vendor) • Client personnel are not informed that the test is being run Parallel simulation (reperformance test) – auditor re-processes some or all the clients live data (using auditor software) and then compares the results with the clients files (the auditors system is used to process client data) Generalized audit software packages (GASPs) – allows the auditor to have little technical knowledge of the clients system (computerized environment)

Internal Control Communication
2 types of control deficiency – deficiency in design and deficiency in operation Significant deficiency – adversely affects the fairness of the F/S Previously communicated significant deficiencies and material weaknesses that have not been corrected should be communicated again It is mgmt’s responsibility to evaluate and address control deficiencies 3

AUD - Notes Chapter 5

Reporting on an entity’s internal control over financial reporting (not an audit, just hired to review internal controls) The CPA may report on mgmt’s assertion or may report directly on the effectiveness of the entity’s internal control Obtain from mgmt a written assertion about the effectiveness of the entity’s internal control. The assertion may be presented in two ways: 1. a separate report that will accompany the accountants report 2. a representation letter to the accounts When a material weakness exists, the CPA should express an opinion directly on the effectiveness of internal control, and not on mgmt’s assertion In a F/S audit, use of the report on the internal control is restricted, while In a separate examination of internal control, use of the report is generally not restricted SOX requirements related to internal controls PCAOB standards require: • Issuers report (within the annual report) on mgmt’s assessment of the effectiveness of the company’s internal control over financial reporting, and • Auditors attest to (audit) the accuracy of mgmt’s report The auditors report must disclose material weaknesses in internal control, but is not required to disclose significant deficiencies that are not material weakness (different than the attestation standards) If an auditor conducts the audit (of a nonissuer) in accordance with both GAAS and PCAOB, the auditor may indicate in the auditors report that the audit was conducted in accordance with both standards

Government Auditing
Auditors responsibilities • Obtaining reasonable assurance that the F/S are free of material misstatements resulting from violations of laws and regulations that have direct and material effect on the F/S • Obtaining an understanding of the possible effects on F/S of laws and regulations • Assessing whether mgmt has identified laws and regulations that have direct and material effect • Communicating to mgmt and the audit committee that an audit in accordance with GAAP may not be sufficient if, during the audit, the auditor becomes aware that the entity is subject to additional audit requirements that may not be encompassed in the terms of the engagement Attestation engagements performed in conformity with Generally Accepted Government Auditing Standards (GAGAS) (the yellow book) incorporate the AICPA’s standards for examinations, reviews, and agreed upon procedures by reference and include expanded requirements Audit requirements for federal financial assistance 1. Expanded internal control documentation and testing requirements 2. Expanded reporting to include formal written reports on the consideration of internal control and the assessment of control risk 3. Expanded reporting to include whether the federal financial assistance has been administered in accordance with applicable laws and regulations (compliance requirements) 4. Application of single audit standards to federal financial assistance 5. Auditors provide a copy of their peer review to government audit clients 4

AUD - Notes Chapter 5

Mgmt is responsible for the entity’s compliance with laws and regulations Mgmt has identified and disclosed in writing to the auditor all the laws and regulations that have a direct and material effect on its F/S Audit reports should be distributed to the appropriate officials of the entity requiring or arranging for the audit (including external funding sources) GAGAS requires a written report on the auditors understanding of internal control and the assessment of control risk in all audits. This is different from GAAS, which requires written communication only when significant deficiencies are noted Single audits: OMB Circular A-133 The single audit act (OMB Circular A-133) requires entities that expend total federal assistance equal to or in excess of $500,00 in a fiscal year to have an audit performed in accordance with the Act • Programs classified as major are those that expend $300,000 or more in federal financial assistance, but smaller programs may be deemed major is they are classified as high risk • Materiality evaluation in a single audit includes a separate evaluation of materiality for each major program selected • Single audits - audits of an entire organization that include additional audit procedures on specific programs and include a report on the F/S of the whole organization and audit reports on the specific programs • program-specific audits - audits of specific programs and do not include reports on the F/S of the organization taken as a whole Auditor communication requirements increase in government settings. Auditors often have the responsibility of reporting significant deficiencies to specific regulatory bodies or grantor agencies A5-47 chart memorize

Communication with the Audit Committee
Audit committee – committee of the board of directors, composed of 3-5 members of the board who are outside directors. Outside directors are not employees of the firm and do not have a material financial interest in the firm • main purpose is to enhance the internal control by creating a means of direct communication between the committee and the auditors. An audit committee is considered to be part of the internal control structure • SOX requires the audit committee to approve the engagement of an auditor, and oversee the services • All material communications must be made to the audit committee before the auditors report is filed with the SEC • Communication may be oral or written. If its oral the auditor should document the conversation • Do not communicate with the audit committee on how we (the auditor) plan to implement the audit

Management Representations
Obtained from mgmt at the conclusion of fieldwork and should address all F/S covered by the report even if current mgmt was not present during all such periods Purpose: 1. To confirm representations explicitly or implicitly given to auditor 2. To indicate and document the continuing appropriateness of such representations 3. To reduce the possibility of misunderstanding concerning matter that are the subject of the representations 5

AUD - Notes Chapter 5

• • • • •

Letter is mandatory to issue an unqualified opinion, otherwise issue disclaimer or withdraw Dated same as the audit report Signed by the CEO and CFO Representations may be limited to items that mgmt and the auditor agree are material The auditor should obtain additional representations from mgmt for special or specific situations. Changes in the business that may impact the F/S (new acctg principle, impairment of an asset, inventory obsolescence)