
Lesson 1: what is audit?

Auditing lends credibility to the financial statements; the end result is an
opinion.
Lesson 3: auditing, attestation and assurance
Attestation is specific to assertions made by management.
Those assertions can be:
 Pro forma
 Future projection
 Management discussion and analysis (MDA)
Assurance services lend credibility to any information (financial and
non-financial).
Lesson 4: types of audit opinion
4 types of audit opinion are:
 Unqualified opinion
The financial statements are presented fairly. This is clean opinion.
 Qualified opinion
The financial statements are presented fairly except for a single:
 Departure from GAAP
 Scope limitation.
 Adverse opinion
The financial statements are not presented fairly.
 Disclaimer of opinion
We do not express an opinion due to:
 The auditor lacks independence.
 There was an extensive scope limitation.
 There is substantial uncertainty or doubt about the company’s ability
to continue as a going concern.
Lesson 5: going concern
Going concern is the assumption that the entity is going to continue into
the future.
A going concern explanatory paragraph raises substantial doubt about the
entity’s ability to continue as a going concern.
Lesson 6: internal audit vs external audit
| Internal audit | External audit |
|---|---|
| Generally an employee of the company being audited, and performs a consulting role | Not an employee of the company |
| Assesses risks, identifies areas for improvement | Provides an opinion as to whether the financial statements are misstated |
| Examines and recommends internal controls | Reports on the effectiveness of the company’s internal controls |
| Ensures compliance with laws and regulations | |
| Verifies that processes are cost effective | |
| Checks that financial reporting is reliable | |
| Identifies fraud | |

Lesson 7: Sarbanes Oxley


The Sarbanes-Oxley Act was passed by the U.S. Congress, and it has:
1) New rules for the publicly traded companies.
Rules for companies:
a) CEO and CFO must certify the financial statements.
b) Enhanced criminal penalties.
c) Company must assess the effectiveness of its internal controls and
issue a report.
2) New rules for audit firms.
a) Must implement quality control if you have a publicly traded client.
b) A second partner must review and approve audit reports.
c) Lead partner and reviewing partner must rotate out every 5 years.
d) Must audit the client’s internal control and issue a report.
e) Prohibited from providing many non-audit services to audit clients.
3) Created the Public Company Accounting Oversight Board (PCAOB)
PCAOB handles:
a) Registration
b) Monitoring
c) Standard setting
d) Enforcement
Lesson 8: Audit committee
The audit committee is a subset of the board of directors.
The board of directors oversees company executives, forms the audit committee,
and hires the external auditor.
Audit committee members are all independent, and at least one of them should be
a financial expert.
Lesson 9: auditing standards
Auditing standards exist to improve the quality of audits, and serve as a guide
to conducting an audit.
There are multiple sets of standards:
 The Auditing Standards Board (AICPA) issues Statements on Auditing Standards
for private companies in the U.S. (non-issuers).
 The Public Company Accounting Oversight Board (PCAOB) issues auditing
standards for public companies in the U.S. (issuers).
 The International Auditing and Assurance Standards Board (IAASB) issues
International Standards on Auditing for companies outside the U.S.
 The Government Accountability Office (GAO) issues generally accepted
government auditing standards (GAGAS), known as the yellow book
rules, for governmental entities in the U.S.
Lesson 10: PCAOB VS AICPA standards
AICPA:
 1939-1972 issue statements on auditing procedures.
 1972- Present issue statements on auditing.
 Post 2003- applicable for private companies.
PCAOB:
 Adopted AICPA standards as interim standards in 2003
 And has issued additional standards since that time.
 Post 2003- applicable for public companies.
Lesson 11: the audit process
The steps of the audit process are:
 Client acceptance or continuance
 Planning
 Risk assessment
 Substantive procedures
 Report
Lesson 12: client acceptance or continuance
You need to do the following steps:
 Avoid clients that would be troublesome for you.
 Ask the predecessor auditor about the integrity of the management of the
company.
 Read the annual report.
 Identify whether you need special expertise or a specialist.
 Make sure you are independent.
Lesson 13: independence in facts vs independence in appearance
There are two types of independence:
 Independence in facts
Refers to the auditor’s state of mind: the auditor is unbiased.
 Independence in appearance
Other people would think you are biased.
Lesson 14: The engagement letter
Engagement letter is a written contract that spells out:
 Engagement objectives.
 Management’s responsibilities
 Auditor’s responsibilities.
 Limitations (no absolute assurance)
 Additional services to be provided (e.g. tax services)
Lesson 15: types of audit tests
Types of audit tests:
 Risk assessment
 Inquiries of management, e.g. has any fraud been detected among
employees in the past?
 Observation
 Inspection
 Conduct analytical procedures
 Test of controls
Tests to determine the effectiveness of internal controls in preventing or
correcting material misstatements.
Examples:
 The auditor re-performs the control.
 The auditor observes the control being applied.
 Substantive analytical procedures
Tests to determine material misstatements in transactions or ending balances.
There are two types of tests:
 Tests of details
o Tests of transactions
o Tests of ending balances
 Substantive analytical procedures
Analyzing trends and relationships for financial and non-financial data.
Lesson 16: audit triangle
The audit triangle:
 Incentive
The person who commits fraud has a high perceived financial need that is
not shareable with others.
 Opportunity
Ineffective or non-existent internal controls to prevent committing
fraud.
 Rationalization
An attitude that it is OK to commit fraud.
Lesson 17: the audit risk model
The audit risk model is:
Audit risk = inherent risk * control risk * detection risk.
Audit risk is the risk that the auditor issues an incorrect opinion when a
material misstatement exists.
Inherent risk is the susceptibility of an assertion to material misstatement
before considering controls.
Control risk is the likelihood a material misstatement will not be caught by the
client’s control.
Detection risk is the likelihood a material misstatement will not be caught by
the auditor.
Inherent risk and control risk together are called the risk of material
misstatement (RMM), the risk that a material misstatement occurs prior to the
auditor’s involvement.
The auditor assesses RMM and sets the detection risk accordingly.
There is an inverse relationship between RMM and detection risk.
Examples:
Audit risk = inherent risk * control risk * detection risk.
0.02 = 0.8 * 0.5 * 0.05
Some auditors prefer qualitative assessments.
Low = high * high * low
Lesson 18: types of audit procedures and evidences
Types of audit procedures and evidence are as follows:
1) Inquiry
 Interview the client.
 Obtain written representations.
2) Confirmation
Obtain representations from a 3rd party:
Bank: cash balance
Customer: receivable balance
Lessor: lease terms
3) Inspection of records or documents
Two types of inspection:
 Tracing
 Vouching
4) Inspection of tangible assets
Verify the existence of property, plant and equipment, inventory,
livestock
5) Observation
 Watch the client count inventory
 Watch the client apply an internal control.
6) Recalculation
Check the mathematical accuracy of depreciation, bad debt, interest.
7) Re-performance
 Broader than recalculation
 Re-perform any client procedure
8) Analytical procedures
Evaluate the plausibility of financial information
Example: compare gross profit percentage (GPP) to last year’s GPP of
competing firms.

9) Scanning
Search for unusual items to investigate.
Lesson 19: vouching vs tracing
Both pertain to the examination of documents.
The difference is the direction of testing.
Tracing starts with the source documents and follows them forward to see
whether they were recorded in the journal or ledger. Tracing tests completeness.
Example: was a sale recorded?
Customer purchase order -> shipping -> sales invoice -> journal entry
Vouching starts with the journal and goes backward to the source
documents. Vouching tests existence or occurrence.
Lesson 20: management assertions
Management assertions are claims or confirmations made by members of
management regarding certain aspects of a business. Those assertions can be
explicit or implicit:
 Financial statements
 Management assertions
 Audit procedures
 Evidence and conclusion
 Report.
The 2 categories of assertions:
 Assertions about classes of transactions and events (and related
disclosure) for the period being audited.
Example: were all the expenses recorded?
 Assertions about account balances (and related disclosures) at period
end.
Example: is the ending balance of inventory accurate?
Lesson 21: assertions about classes of transactions and events
The transactions should have the following features:
 Occurrence: the concern is that profit is overstated.
 Completeness: the concern is that liabilities are understated.
 Authorization
 Accuracy
 Cutoff
 Classification
 Presentation
Lesson 22: assertions about account balances
Assertions made by management about account balances at the end of the period
are as follows:
 Existence: do the assets, liabilities, and equity interests actually exist?
 Rights and obligations: does the company hold the rights to these
assets? Or are these the obligations of this entity?
 Accuracy, valuation, and allocation: are assets, liabilities, and equity
interests at the appropriate amounts? Or have valuation adjustments
been made?
 Classification: are assets, liabilities, and equity interests in the correct
accounts?
 Presentation: have assets, liabilities, and equity interests been
appropriately aggregated or disaggregated and clearly described? And are
disclosures relevant and understandable?

Lesson 23: components of the internal controls


1) The control environment:
The standards, processes, and structures that provide the foundation for
internal control throughout the organization.
2) The organization’s risk assessment process
How well the organization sets objectives to identify and manage risks.
E.g. does the company assess the risk of financial statement fraud?
3) The control activities
The policies and procedures used to address risks.
E.g. segregation of duties, authorization, reconciliation.
4) Information and communication
Effective internal control depends on high quality information.
E.g. the accounting system should accurately record and present financial
data.
E.g. internal control responsibilities are communicated to employees through
policy manuals and by top management.
5) Monitoring activities
The organization should evaluate the performance of its internal controls
Lesson 24: the auditor’s consideration of internal control
The steps in the auditor’s consideration of internal control are:
 Understanding
Learn how the controls are designed.
Learn whether the controls are being implemented.
Then document your understanding.
Then ask: will the auditor rely on the internal controls?
If the answer is no, then assess control risk at the highest level.
If the answer is yes, then test the controls.
The result of the test can be:
Ineffective -> high control risk -> more substantive testing
Effective -> low control risk -> less substantive testing
 Assessment
 Tests of controls

Lesson 25: types of tests of controls


The whole purpose of tests of controls is to assess control risk.
When testing the controls, you can look at:
 Tests of control design.
 Tests of control effectiveness.
 How was the control applied?
 By whom was the control applied?
 Was the control applied consistently?
Types of tests of internal controls:
 Inquiry
 Inspection of documents to verify the control was applied
 Observation of the control being applied.
 Re-performance of the application of the control by the auditor
Lesson 26: segregation of duties
Benefits of segregation of duties are:
 Reduces errors.
 Reduces fraud.
No employee should have 2 or more of the following duties:
 Custody of assets
 Authorization of transactions
 Recording of transactions
 Reconciling existing assets to recorded amounts.
Lesson 27: types of internal deficiencies
A control deficiency is when the operation or design of a control does not
prevent misstatement.
A control deficiency can take the following forms:
 Deficiency in design
 The control is missing
 The control is not properly designed.
 Deficiency in operation
 The control exists and is properly designed but is not being applied
effectively.
Once you have identified a control deficiency, you must assess its severity.
More serious internal control deficiencies are significant deficiencies and
material weaknesses.
Lesson 28: material weakness vs significant deficiency
Assess the magnitude and the likelihood of a misstatement occurring as a
result of the control deficiency.
| Magnitude | Categorization | Report |
|---|---|---|
| Material | Material weakness | In financial statements, to the audit committee, and to the management |
| Not material, but significant | Significant deficiency | To audit committee and to the management |
| Not material, not significant | Control deficiency | To management |

Lesson 29: 4 indicators of a material weakness


 The auditor finds a material misstatement that the client’s internal
controls did not catch.
 The auditor finds that the audit committee is doing its job.
 The company restates its financial statements to correct a previous
material misstatement.
 The auditor learns that a member of senior management committed
fraud.
Lesson 30: reporting a material misstatement
Material weakness is a deficiency that could result in a material misstatement
not being prevented or detected by the internal controls.
The auditor must issue an adverse opinion on the effectiveness of internal
controls.
The auditor’s report must:
Define a material weakness.
Describe the material weakness
Note: the auditor can still issue an unqualified opinion on the financial
statements.
Note: if the management later remediates the material weakness, the auditor
can issue an unqualified opinion on the internal control at an interim date.

Lesson 31: check kiting


Check kiting involves floating funds between bank accounts to inflate your
cash balance.
A company might do this to:
 Gain access to short term credit.
 Overstate its cash balance to an auditor.

Lesson 32: lapping (fraud scheme)


Lapping is a type of skimming in which the perpetrator steals money from one
account and uses money from a different account to cover it up.
Skimming is someone removing cash from the company before it is recorded
in the accounting system.
Lapping can be prevented by the segregation of duties.
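The rule from Lesson 26 (no employee holds two or more of custody, authorization, recording and reconciliation) is the control that prevents lapping, and it can be checked against a system's access list. The following is an added example, not part of the original notes; the permission names, the permission-to-duty mapping and the employee data are all constructed for illustration.

```python
from collections import defaultdict

# Hypothetical mapping from system permissions to the four duties of
# Lesson 26 (constructed). None marks a permission that carries no duty.
PERMISSION_DUTY = {
    "vault.access": "custody",
    "bank.sign_checks": "custody",
    "po.approve": "authorization",
    "payment.release": "authorization",
    "gl.post_journal": "recording",
    "ar.post_receipt": "recording",
    "bank.reconcile": "reconciliation",
    "report.view": None,
}

# Constructed entitlement extract: (employee, permission).
ENTITLEMENTS = [
    ("alice", "po.approve"), ("alice", "payment.release"),
    ("alice", "report.view"),
    ("bob", "ar.post_receipt"), ("bob", "bank.sign_checks"),
    ("carol", "bank.reconcile"), ("carol", "report.view"),
    ("dave", "gl.post_journal"), ("dave", "bank.reconcile"),
    ("dave", "vault.access"),
    ("erin", "hr.edit_profile"),
]

def sod_conflicts(entitlements, permission_duty):
    """Return (conflicts, unmapped).

    conflicts maps each employee holding 2 or more distinct duties to the
    sorted list of those duties. unmapped lists permissions missing from
    the mapping, so they are reviewed instead of silently ignored.
    """
    duties = defaultdict(set)
    unmapped = set()
    for employee, permission in entitlements:
        if permission not in permission_duty:
            unmapped.add(permission)
            continue
        duty = permission_duty[permission]
        if duty is not None:
            duties[employee].add(duty)
    # Several permissions within one duty (alice) are not a conflict;
    # only distinct duties count.
    conflicts = {e: sorted(d) for e, d in duties.items() if len(d) >= 2}
    return conflicts, sorted(unmapped)

if __name__ == "__main__":
    found, unknown = sod_conflicts(ENTITLEMENTS, PERMISSION_DUTY)
    for employee, held in found.items():
        print(f"{employee}: holds {', '.join(held)}")
    print("unmapped permissions:", unknown)
```

In the constructed data, bob both records customer receipts and has custody of cash, which is the combination lapping depends on.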

Lesson 33: audit sampling


Audit sampling is application of an audit procedure to less than 100% of the
items within an account balance or class of transactions for the purpose of
evaluating some characteristic of the balance or class.
Sampling is used to test internal controls and to perform substantive
procedures.
Types of sampling:
 Internal control
The auditor wants to know whether the rate at which the controls are
ineffective exceeds the auditor’s tolerable rate of deviation.
This is known as attributes sampling.
 Substantive procedures
The auditor wants to know whether an account balance or class of transactions
follows GAAP. The auditor compares the dollar misstatement to the auditor’s
permissible amount.
This is known as variable sampling.
With any type of sampling, there is a tradeoff between efficiency and
effectiveness.
Lesson 34: statistical vs non statistical sampling
Approaches of audit sampling:
 Statistical sampling
 Tends to be objective.
 Uses probability to choose the most efficient sample size
 Measures the sufficiency of evidence obtained
 Quantifies sampling risk.
 Non statistical sampling
 Does not employ probability
 Relies more on the auditor’s judgement.
Both involve sampling risk.
Statistical sampling, however, allows sampling risk to be quantified and
controlled.

Lesson 35: sampling risk vs non sampling risk


Both have to do with an auditor making an incorrect decision.
 Sampling risk
 The risk that the sample will not be truly representative of the population
and that the auditor will draw an incorrect conclusion as a result
 Type 1 error (risk of incorrect rejection)
The auditor concludes a control is not effective, when in fact it is.
The auditor concludes a balance is materially misstated, when it is not.
 Type 2 error ( risk of incorrect acceptance)
 Non-sampling risk
 Auditor error (unrelated to sampling)
 The auditor draws the wrong conclusion due to a mistake made by the
auditor.
 Example:
 Using the wrong audit procedure
 Making a calculation error
 Failing to interpret evidence correctly.
Note: sampling risk can be quantified, but non-sampling risk cannot.
Sampling risk can be controlled by ensuring you have the appropriate sample
size.

Lesson 36: attributes sampling


Attribute sampling is used to estimate the percentage of a population that
possesses a specific attribute, and is used when assessing the effectiveness of
internal controls.
Example:
What percent of the time do employees sign in when entering the warehouse?
Steps:
 Identify the goal
 Define what constitutes an occurrence
 Identify the population
 Choose a sampling method (statistical or non-statistical)
 Determine the appropriate sample size
 Choose the sample
 Evaluate the sample results (compare deviation rate to tolerable rate)
 Note your findings in your working papers.

Lesson 37: sampling approaches


4 sampling approaches:
 Random: each item in the population has an equal chance of being
selected.
 Systematic: every nth item is selected.
Example: 100 transactions, sample size of 20: 100 divided by 20 = an interval
of 5, so every 5th item is selected.
 Block: a group of adjacent items is selected.
 Haphazard: items are arbitrarily selected.

Lesson 38: Variables sampling


Variables sampling is used to estimate the amount or value of a characteristic
in the population.
Two approaches of variables sampling:
 Classical variables sampling uses the normal distribution.
 Monetary unit sampling tends to choose larger monetary units, and is
more concerned with overstatement.
Lesson 39: Monetary unit sampling
It is a type of variables sampling.
It is used to determine whether account balances contain misstatements.
It tends to select larger balances or transactions.
This is because it treats each individual dollar as a sampling unit.
It is typically used to detect overstatements.
It is more frequently used than classical variables sampling.
It’s easier to use (you don’t need to know anything about the distribution).
It’s better when there are small (or no) misstatements.
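Why treating each dollar as a sampling unit favors large balances can be seen by combining it with the systematic interval from Lesson 37. The following is an added example, not part of the original notes; the ledger, the sample size, the start point and the function names are constructed for illustration.

```python
from bisect import bisect_left
from itertools import accumulate

# Constructed ledger: (account id, book value in whole dollars).
LEDGER = [
    ("AR-001", 500), ("AR-002", 12000), ("AR-003", 1500),
    ("AR-004", 300), ("AR-005", 7000), ("AR-006", 200),
    ("AR-007", 2500), ("AR-008", 6000), ("AR-009", 0),
]

def mus_select(ledger, sample_size, start):
    """Systematic monetary unit selection.

    Every dollar of book value is one sampling unit. Beginning at dollar
    `start` (1 <= start <= interval), every interval-th dollar is a hit
    and the account containing that dollar is selected.
    Returns (interval, hits, selected, excluded).
    """
    # Zero and negative balances contain no dollars to hit, so this
    # method can never pick them; they must be tested another way.
    eligible = [(a, v) for a, v in ledger if v > 0]
    excluded = [a for a, v in ledger if v <= 0]
    total = sum(v for _, v in eligible)
    interval = total // sample_size
    if not 1 <= start <= interval:
        raise ValueError("start must fall inside the first interval")
    # upper[i] is the last cumulative dollar belonging to account i.
    upper = list(accumulate(v for _, v in eligible))
    hits = []
    dollar = start
    while dollar <= total:
        index = bisect_left(upper, dollar)
        hits.append((dollar, eligible[index][0]))
        dollar += interval
    # One account can be hit more than once; keep it once, in order.
    selected = list(dict.fromkeys(account for _, account in hits))
    return interval, hits, selected, excluded

def selection_probability(book_value, interval):
    """Chance an account is hit when the start point is chosen at random."""
    return min(1.0, max(book_value, 0) / interval)

if __name__ == "__main__":
    interval, hits, selected, excluded = mus_select(LEDGER, 5, start=2500)
    print("interval:", interval)
    for dollar, account in hits:
        print(f"dollar {dollar:>6} -> {account}")
    print("selected:", selected, "never selectable:", excluded)
```

With a sampling interval of $6,000, every account of $6,000 or more is certain to be selected, while the $300 account has a 5% chance.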

Lesson 40: classical variables sampling


Uses probability and the normal distribution to provide a range of estimates
that has a certain probability of including the true audited value or
misstatement.
Not as helpful when the population has small or no misstatements.
Is most helpful when understatements are a concern, or if there are many
balances with a value of zero.
3 estimators:
 Difference estimation
 Ratio estimation
 Mean per unit estimation.
Lesson 41: factors that affects sample size
| # | Factor | Relationship to the sample size | Explanation |
|---|---|---|---|
| 1 | Sampling risk | Inverse | The lower the sampling risk you are willing to accept, the larger the sample size that you have to draw |
| 2 | Tolerable rate of deviation | Inverse | The lower the tolerable rate of deviation you are willing to accept, the larger the sample size that you have to draw |
| 3 | Expected population deviation rate | Direct | The higher the expected population deviation rate, the larger the sample size that you have to draw |
| 4 | Population size | Direct | The larger the population, the larger the sample size that you have to draw |

Lesson 42: how to calculate sample size for the classical variable sampling
Sample size = [(population size * confidence coefficient * standard deviation) /
(tolerable misstatement - estimated misstatement)]^2
Example:
You have a population of 10,000 accounts receivable balances.
Your desired confidence level is 1.64.
The estimated standard deviation is $20.
The tolerable misstatement is $40,000.
The estimated misstatement is $15,000.
Solution:
Sample size = [(10,000 * 1.64 * 20) / (40,000 - 15,000)]^2
Sample size = 173
Lesson 43: difference estimation (variable sampling)
Let’s say we are auditing accounts payable. You draw a sample of 500 accounts
and find the following:

| | # of accounts | Book value | Audit value |
|---|---|---|---|
| Sample | 500 | $450,000 | $462,000 |
| Population | 6,500 | $6,025,500 | ? |

Step 1: calculate the difference between the audit value and book value for the
sample.
462,000 - 450,000 = 12,000
Step 2: divide the difference (from step 1) by the number of accounts in the
sample to get the average difference.
12,000 / 500 = 24
Step 3: multiply the average difference (from step 2) by the number of accounts
in the population.
24 * 6,500 = 156,000
Step 4: add the number calculated in step 3 to the book value of the population.
156,000 + 6,025,500 = 6,181,500
The result is the implied audit value for the population.
Lesson 44: ratio estimation
Goal: calculate the implied audit value for a population.
Let’s say we are auditing accounts payable.
You draw a sample of 500 accounts and find the following:

| | # of accounts | Book value | Audit value |
|---|---|---|---|
| Sample | 500 | $450,000 | $462,000 |
| Population | 6,500 | $6,025,500 | ? |

Step 1: divide the sample’s audit value by the sample’s book value.
462,000 / 450,000 = 1.026667
Step 2: multiply the ratio (from step 1) by the book value of the population.
1.026667 * 6,025,500 = $6,186,200

Lesson 45: mean per unit estimation


Goal: calculate the implied audit value for a population
Let’s say we are auditing accounts payable.
You draw a sample of 500 accounts and find the following:

| | # of accounts | Book value | Audit value |
|---|---|---|---|
| Sample | 500 | $450,000 | $462,000 |
| Population | 6,500 | $6,025,500 | ? |

Solution:
Step 1: divide the sample’s audit value by the number of accounts in the sample.
MPU = 462,000 / 500 = 924
Step 2: multiply the mean per unit (from step 1) by the number of accounts in
the population.
924 * 6,500 = 6,006,000
