A3 - Audit Risk, Evidence, and Sampling

Question 1

What are 6 risk assessment procedures?

Answer 1

Risk Assessment Procedures
1. Obtain an Understanding of the Entity and its Environment
2. Obtain an Understanding of Internal Controls over Financial Reporting
3. Inquire of the AC, management, and others about the RMM
4. Perform analytical procedures
5. Discuss RMM with engagement team
6. Other procedures

Question 2

What are analytical procedures? What is the point of performing these during the planning stage? What account do we specifically need to perform analytical procedures over during planning?

Answer 2

• Looking at relationships between data over time
  ○ Analytical procedures often look at CY and compare to PY
  ○ Or compare CY to budget
  ○ Often compare ratios to industry
  • If we’re performing these during the planning stage, it’s because we’re trying to:
    ○ Enhance our understanding of the entity
    ○ Identify risky areas

Need to perform over revenue

Question 3

What is the risk assessment discussion?

Answer 3

• This is different than the fraud risk discussion!
  
  • The risk assessment discussion focuses on the susceptibility of the FS to material misstatements
  • Will discuss:
    ○ Risky areas of the audit and procedures to address those
    ○ Company’s selection and application of accounting principles, including disclosure requirements
    ○ Areas with unusual accounting practices (procedures, principles, etc.)
    ○ Important control systems
    ○ Materiality levels
  • There is some overlap between the risk assessment discussion and the fraud planning discussion such as:
    ○ Key members of the engagement team will be there
    ○ Discuss important matters
    ○ Emphasize need to have professional skepticism
    ○ Allow experienced team members to share insights with less experienced team members
  • Discussions will often be held at the same time since they are with the same people

Question 4

What are the scalability considerations in regards to how ICs are implemented at a company?

Answer 4

The size and complexity of a company will determine how ICs are designed, implemented, and maintained.

Question 5

What are the PCAOB standards for obtaining and understanding of the entity and its environment?

Answer 5

• PCAOB Standards for Issuers:
  ○ Read public information
  ○ Observe or read transcripts of earnings calls and other public meetings of the client
  § Either need to be on the call or read the transcript
  ○ Obtain information from SEC filing
  ○ Understand compensation agreements with management
  ○ Inquire with chair of compensation committee
  ○ Obtain understanding around policies and procedures around executive reimbursement

Question 6

Do audit objectives differ between manual and automated controls?

Answer 6

No

Question 7

What are factors that shift supply?
Hint: ECOST

Answer 7

• Expectations
  
  • Costs
  • Other goods
  • Subsidies
  • Technology

Question 8

What are factors that shift demand?
Hint: SPINE

Answer 8

• Substitutes/compliments
  
  • Popularity
  • Income
  • Number of buyers
  • Expectations

Question 9

What are elasticity, cross price elasticity, income elasticity, normal goods, and inferior goods? When is profit maximized?

Answer 9

Elasticity - how much the demand for a good changes in response to a change in price
Cross price elasticity - how much the demand for good X changes in response to a change in the price of good Y
Income elasticity - how much the demand for a good changes in response to a change in average income
Normal goods - demand increases as income increases
Inferior goods - demand decreases as income increases
Profit maximization - MC = MR

Question 10

What are the different business phases?

Answer 10

1. Expansionary Phase
   ○ Rising economic activity resulting in higher profits, growth, prices
   ○ Low unemployment
   
   2. Peak
      ○ Profits at highest level
      ○ Firms can’t produce enough
   3. Contractionary Phase
      ○ Economic activity decreases, reduced demand, lower profit, higher unemployment
   4. Trough
      ○ Firms have lots of excess, prices fall, unemployment very high
   5. Expansionary Phase (Again)
   • What is asked about this?
     ○ Order
     ○ What happens in each phase

Question 11

What is a recession vs a depression?

Answer 11

• Recession - two consecutive quarters of falling GDP
  
  • Depression - very severe recession, lasts for years

Question 12

What are leading, coincident, and lagging economic indicators?

Answer 12

1. Leading - help predict economy
   
   • Unemployment - average weekly unemployment insurance claims
     ○ Indicates economy is not heading in a good direction
   • Bond Yield Curve - if we see an increase in yield, good
   • Interest Rate Spreads - 10 year treasury vs federal funds rate
     ○ Federal funds rate used to speed up or slow down economy
     ○ If interest rate increases, means economy will probably slow soon
   • Producer Price Index (PPI) - cost increases for suppliers
     ○ Want to see a slight increase
2. Coincident Indicators - indicate what’s happening right now
   
   • Industrial production
   • Sales
   • GDP
3. Lagging indicators - follow economic activity (confirm prior thoughts)
   
   • Average duration of unemployment
     ○ Long means bad economy
     ○ Short means good economy
   • Consumer price index (CPI)
     ○ Change in prices over time
     ○ Small increase is okay, too much/little is bad

Question 13

What are the criteria in which you are required to test a control?

Answer 13

a) Addresses a sig risk
b) The control is over JEs or adjustments
c) We are relying on the control to test operating effectiveness in order to change/reduce substantive procedures

Question 14

What are GITCs? What is the auditor’s role related to GITCs?

Answer 14

General IT Controls - support effective and reliable operation of IT at a company

- Auditor's role
	○ Obtain understanding of risks related to IT
	○ Then evaluate GITCs

Question 15

What should an auditor be documenting about ICs?

Answer 15

• Key elements of understanding of each control component (CRIME)
• How did you obtain understanding (e.g. inquiry, inspection, etc.)
• Documentation can include one or more of the following (FIND)
  a. Flow charts
  § More appropriate than narratives for complex controls
  b. Internal control questionnaire or checklists
  c. Narratives
  § More appropriate for simple controls
  d. Document from client
  § If the client has documented their controls already, sometimes we can just use their work

Question 16

What are limitations of ICs?

Answer 16

• Internal controls can only provide reasonable assurance, not absolute assurance because:
  ○ Management override
  ○ Human error
  ○ Deliberate circumvention
  ○ Collusion by two or more people
  ○ External events
  ○ Issues related to suitability of entity’s objective - effectiveness of control depends on what the entity is trying to achieve

Question 17

What are the two levels where an auditor should assess RMM?

Answer 17

1. Financial Statement Level
2. Assertion Level

Question 18

What are FS level risks?

Answer 18

• Risks that could affect several different parts of the FS
  ○ Pervasive & far-reaching
  
  • Examples to be familiar with:
    a. Process to prepare the FS
    b. Overall system of internal controls
    c. Lack of qualified personnel in financial reporting roles
    d. Selection and application of significant accounting policies

Question 19

What are assertion level risks?

Answer 19

• RMMs that are not pervasive, they are specific to:
  ○ Transactions
  ○ Account balances
  ○ Disclosures
  
  • For assertion level risks, have to assess inherent risk and control risk separately
  • Auditor will also identify significant risks
    ○ Risks where IR is high magnitude and high likelihood
  • Significant risks to be familiar with:
    a. Risk of fraud
    b. Significant emerging economic or accounting developments
    c. Related party transactions
    d. Improper revenue recognition
    e. Nonroutine, unusual, or complex transactions
    f. Subjective measurements
    g. Accounting principles open to interpretation

Question 20

How do we alter the NET of procedures based on the assessed level of risk?

Answer 20

• Nature of procedures
  ○ Purpose - test of controls vs substantive
  ○ Type - inspection, observation, inquiry, etc.
  
  • Extent of procedures
    ○ Quantity
  • Timing of procedures
    ○ Year-end vs interim

Question 21

What is a dual-purpose test?

Answer 21

• Test of controls performed concurrently with test of details
  ○ E.g. test approval and that a transaction was recorded at the correct amount for the same invoice instead of two separate invoices

Question 22

When would we need to perform a test of controls?

Answer 22

• Performed when:
  ○ Auditor’s risk assessment assumes the controls are operating effectively
  ○ When substantive procedures alone are insufficient (e.g. tech used extensively)

Question 23

What is the difference between testing design and operating effectiveness of controls?

Answer 23

Design effectiveness focuses on the concept of the control—whether it could work if implemented as intended.
- Inquiry
- Observation
- inspection

Operating effectiveness focuses on the execution of the control—whether it works in practice.
- Inquiry
- Observation
- inspection
- reperformance

Question 24

What does an auditor do in the case of a control deficiency?

Answer 24

• Consider compensating controls
• Significant deficiency or material weakness
• Could this result in a big misstatement
• Design substantive controls to work around the deficiency

Question 25

What audit procedures would be conducted to try and detect noncompliance by management or TCWG?

Answer 25

• Auditor should obtain an understanding of:
  ○ Legal and regulatory framework applicable to a client
  ○ How entity is complying with that framework
  
  • Then determine whether the laws and regs have a:
    a) Direct Impact
    § Material amount or disclosure on FS impacted by laws and regs (e.g. tax provisions)
    § Audit procedure it to obtain sufficient appropriate audit evidence
    b) Indirect Impact
    § Might not actually be on FS but could have an affect on the entity’s operations
    § E.g. HIPPA confidentiality
    § Auditor needs to inquire of management about their compliance
  • If you suspect that noncompliance is occurring:
    ○ Discuss with management one level above the committee

Question 26

What is estimation uncertainty and what is the auditor’s responsibility in relation to it?

Answer 26

Estimation Uncertainty - the susceptibility of an accounting estimate to error due to inherent variability or lack of precision in the underlying data, assumptions, or measurement techniques

Auditor’s responsibility:
- consider if estimates need to be changed or if specialists should be involved
- evaluate if it gives rise to a sig risk
- if it’s a very uncertain estimate, gain more assurance over it

Question 27

What audit procedures would be conducted to gain assurance over accounting estimates?

Answer 27

1. Obtain evidence up to the date of the auditor’s report and compare to estimate
   
   • Can use subsequent events to help provide better value of things on the FS
   • E.g. litigation resolved in Jan can be revalued on Dec 31 FS
2. Test how management made the estimate
   
   • Methods - ask what methods or tools they used and make sure they seem reasonable
   • Significant Assumptions - see if it’s consistent with other areas in the entity’s business
   • Data Used - any information put through the estimate should be tested for reliability and relevance
3. Develop auditor’s own estimate
   
   • Point Estimate - “I think the estimate is this”
   • Range Estimate - “the estimate should be between X and Y”

Question 28

What are an auditor’s responsibilities of related party transactions?

Answer 28

• Obtain understanding of related parties
  
  • Obtain conflict of interest statement from company
  • Know if there were any unapproved related party transactions
  • Ask TCWG about these
  • Review SEC filings to see affiliates of the company
  • Look at legal confirms, minutes, etc.
  • Look at PY audit documentation

Question 29

What if we do find unidentified/undisclosed related parties or transactions with related parties?

Answer 29

1. Communicate to ET
2. Request again that management identify all related party transactions (e.g. give them another chance)
3. If they don’t, figure out why they didn’t identify this one
4. Perform additional substantive procedures
5. Reconsider risk
6. Evaluate broader considerations (e.g. management is hiding something) or if it was just a control error

Question 30

How do we identify litigation, claims, or assessments?

Answer 30

• Management inquiry
  
  • Review of IRS report
  • Review minutes of board or stockholder meetings
  • Obtain letter from client’s attorney

Question 31

What happens if we ask management to send a legal confirm and they refuse? What if we send the legal confirm and the lawyer refuses to answer?

Answer 31

• If we ask management to send a letter to their attorney and they refuse:
  ○ Big issue
  ○ Results in a disclaimer (b/c of scope limitation) or withdrawal from the audit
  
  • If we send out the letters and the attorney refuses to answer:
    ○ Will result in a disclaimer or qualification

Question 32

What is the process for sending a legal confirm?

Answer 32

1. Letter of inquiry drafted by management
2. Send to legal counsel
3. Attorney responds
4. Response needs to be dated close to audit report date (w/in 2 weeks ish)
5. If dated earlier than 2 weeks, might need an updated response

Question 33

What are two things not to do when making legal inquiries?

Answer 33

• Confirm directly with the lawyer that all litigation in the FS is correct
  ○ Not the lawyer’s job to understand GAAP, that is our job
• Auditor goes to lawyer’s office to examine documents
  ○ Not our job to understand legal language
  ○ We can rely on lawyers

Question 34

What are factors that indicate substantial doubt around going concern?

Answer 34

• Financial difficulties
  
  • Internal matters - work stoppages, labor difficulties, issues with production
  • Negative trends
  • External matters - legal proceedings, bad market conditions

Question 35

Under going concern rules, we need to evaluate that companies can continue for a “reasonable period of time”. What is a reasonable period of time?

Answer 35

For issuers: 1 year after the date the financial statements are issued.
For nonissuers: 1 year after the date the financial statements are available to be issued.

Question 36

How would you amend the audit report for going concern issues that are or are not mitigated (issuers and nonissuers)?

Answer 36

• If auditor identified going concern issues and they ARE mitigated
  ○ May add (optional) emphasis of matter paragraph
  
  • If auditor identified going concern issues and they ARE NOT mitigated
    ○ Include a separate heading “Substantial Doubt of the Entity’s Ability to Continue as a Going Concern”

Question 37

What are two types of audit evidence?

Answer 37

1. Accounting Records
   
   • Don’t alone provide sufficient evidence to support opinion
   • E.g. JEs , ledgers, checks, invoices, worksheets
2. Corroborating/Contradictory Evidence
   
   • Corroborating evidence provides additional support to accounting records
   • Contradictory evidence shows that accounting records are incorrect
   • E.g. minutes, confirms, analyst reports, other things inspected or observed

Question 38

What is the hierarchy of audit evidence?
Hint: AEIO

Answer 38

1. Auditor’s direct personal knowledge and observation
   ○ Things you do yourself
   ○ Observations, inspection, etc.
   
   2. External evidence
      a) Sent directly to the auditor - e.g. confirmations
      b) Evidence received by the client and then sent to the auditor - e.g. bank statement
      ○ Sent directly is more reliable than from the client
   3. Internal evidence
      ○ Information produced by the client
      ○ More reliable if the client has good controls
      ○ If bad controls, then this is not very reliable
   4. Oral evidence
      ○ Inquiry
      ○ Not sufficient or persuasive on its own

Question 39

Define the following types of bias:
a) Availability bias
b) Confirmation bias
c) Overconfidence bias
d) Anchoring bias
e) Automation bias

Answer 39

• Availability Bias - put weight on events that are more recent or readily available
  
  • Confirmation Bias - put weight on things that corroborates rather than contradicts
  • Overconfidence Bias - tendence to overestimate one’s abilities
  • Anchoring Bias - tendency to use initial information as an anchor against subsequent information
  • Automation Bias - tendency to favor information generated from automated systems over something non-automated

Question 40

What are the common audit procedures?
Hint: C the FIVE CARROT WARS

Answer 40

1. Cutoff
2. Footing, cross footing, and recalculation
3. Inquiry
4. Vouching
5. Examination/inspection
6. Confirmation
7. Analytical procedures
8. Reconciliation
9. Reperformance
10. Observation
11. Tracing
12. Walk-throughs
13. Auditing related accounts simultaneously
14. Representation letters
15. Subsequent events review

Question 41

When are analytical procedures required?

Answer 41

• Required during the planning stage
  ○ Goal is to understand entity and environment
  
  • Also required during final review
    ○ Goal is to look at overall balances and ensure sufficient evidence has been obtained

Question 42

What is the process for using SAPs?

Answer 42

1. Figure out if SAPs are suitable
   - don’t provide as persuasive of evidence as TODs
2. Evaluate the reliability of the data you’re using
   - external is better than internal
   - also want controls in place
3. Develop the expectation
   
   • Methods used:
     a. Trend analysis - compare current periods with prior periods
     § Low assurance b/c even if something was $500k last year doesn’t really provide much assurance if it is $500k again this year
     b. Ratio analysis - compare ratios to PY or industry
     § Also not great for same reason as trend analysis
     c. Nonstatistical Predictive Modeling - use variables to come up with a predictive amount
     § Pretty high assurance
     § Don’t use computer or anything too sophisticated (e.g. payroll is 25% of sales or total expenses)
     d. Regression Analysis
     § Highest assurance
     § Use several independent variables
4. Compare to what the client has recorded
5. Investigate differences

Question 43

What assertion does vouching usually test?

Answer 43

Existence –> we’re picking something and moving down to the source document
e.g. pick an invoice from a GL listing and then get the original source document

Question 44

What is tracing and what assertion does it test?

Answer 44

Looking from source document to GL (e.g. floor to sheet count)

Tests completeness

Question 45

What is positive vs negative confirmation? What if management tries to prevent you from sending confirms?

Answer 45

Positive - write us back if X is correct
Negative - if you don’t write us back, we’ll assume X is correct

What if management tries to prevent you from sending confirms?
- If it is reasonable (e.g. you are inquiring of a celebrity), then maybe it’s okay
- If unreasonable, communicate with TCWG

Question 46

What procedures would you perform to test completeness?

Answer 46

1. Tracing - start with source document and go up to where it appears in the FS
2. Analytical Review - consider how items might be omitted from the account balances
3. Observation - of process and procedures to make sure they are recording correctly (e.g. watching them do an inventory count)

Question 47

What procedures would you perform to test cutoff?

Answer 47

Cutoff procedures around anything (e.g. AR, AP, prepaids, etc.)

Question 48

What procedures would you perform to test valuation, allocation, and accuracy?

Answer 48

1. Inspection - of documents supporting transactions
2. Footing and cross-footing
3. Recalculation

Question 49

What procedures would you perform to test existence and occurrence?

Answer 49

1. Confirmation - very important one
2. Observation, inspection, and examination
3. Vouching

Question 50

What procedures would you perform to test rights and obligations?

Answer 50

1. Inspection
2. Confirmation

Question 51

What procedures would you perform to test understandability of presentation and classification?

Answer 51

1. Inspection of documents supporting transactions
2. Review of related disclosures
3. Inquiry of management

Question 52

What are the different types of sampling?

Answer 52

1. Attribute Sampling - for internal controls
   - can be answered by yes/no questions
2. Variable Sampling or PPS (probability proportional to size) Sampling - for substantive testing
   - can’t be answered yes/no

Question 53

What is sampling risk in substantive and control testing?

Answer 53

1. Substantive Testing
   
   • Acceptance - samples and concludes that balance IS NOT misstated when in reality IT IS
     ○ Risk you take whenever you sample
   • Rejection - sample supports the conclusion that the balance IS materially misstated when it reality it ISN’T
2. Control Testing
   
   • Risk of Assessing Control Risk Too Low - sample shows controls ARE operating well, but they AREN’T
     ○ Can lead to ineffective audit b/c you then will gather less persuasive evidence throughout the audit
   • Risk of Assessing Control Risk Too High - sample shows controls ARE NOT operating well, but they ARE
     ○ Leads to inefficient audit b/c you do more work than you need to

Question 54

What are the steps to attribute sampling?

Answer 54

1. Objective - define objective of test
2. Population - define population
3. Sampling Unit
4. Attributes of Interest - what are we looking at to determine deviations
5. Determine Sample Size
   a) Risk of assessing control risk too low - if we want less risk we want a bigger sample size
   b) Tolerable Deviation - if we want a lower deviation, we want a bigger sample
   c) Expected Deviation - if we expect the deviation to be higher, we pick a larger sampe
6. Select the sample (randomly or systematically, not block)
7. Evaluate Results
   
   • Sample deviation rate + allowance for sampling risk = upper deviation rate
     ○ Sample deviation rate - deviation rate in sample
     ○ Allowance for sampling risk - cushion added to sample deviation rate that we expect might reasonably be incorrect
8. Form Conclusions
   
   • If upper deviation rate ≤ tolerable deviation rate = auditor may rely on controls
   • If upper deviation rate ≥ tolerable deviation rate = auditor CANNOT rely on controls
9. Document results

Question 55

What are two other attribute sampling methods?

Answer 55

• Discover Sampling - used when auditor believes population deviation rate is 0 or near 0 (often used when looking for fraud)
  
  • Stop-or-go Sampling - designed to avoid oversampling attributes by allowing auditor to stop midway through (used when errors are expected to be very low)

Question 56

What is the formula for mean per unit estimation, ratio estimation, and differences estimation?

Answer 56

1. Mean-per-Unit (MPU) Estimation - uses the average value of the items in the sample to estimate the true population value
   
   • Mean per unit estimation=(Total audited value)/(Number of samples audited)∗Number of items in population
2. Ratio Estimation - uses ratios to project true value
   
   • Ratio estimation=(Audited value of sample)/(Book value of sample)∗Total book value
3. Differences Estimation - average difference between audited value and book value projected to entire population
   
   • Projected error=(Book value of sample−Audited value of sample)/(Number of items audited)∗Population of items
   • Point estimate=Total book value of population −projected error

Question 57

How does probability proportional to size sampling work?

Answer 57

• Each sampling unit is an individual dollar (e.g. not each customer account)
• Advantages:
  
  • Emphasizes larger amounts –> automatically stratifies population
  • Generally results in a smaller sample
• Disadvantages:
  
  • Zero balances, negative balances, or understated balances require special considerations

Question 58

How do you determine sample size in probability proportional to size sampling?

Answer 58

• Sampling Interval=(Tolerable Misstatement)/(Reliability Factor)
• Sample size=(Recorded amount of population)/(Sampling Interval)

Question 59

What are descriptive, diagnostic, predictive, and prescriptive data analytics?

Answer 59

1. Descriptive Analytics
   
   • Describes what happens
   • E.g. summary statistics, data sorting and filtering, aging data
2. Diagnostic Analytics
   
   • Explains why something happened
   • Tries to find correlations, patters, or relationships in data
   • E.g. clustering, drill down/through, data mining, variance analysis, period over period analysis, data profiling, sequence checks
3. Predictive Analytics
   
   • Try to forecast what will happen in the future
   • E.g. regression analysis, forecasting, time-series modeling, classification, sentiment analysis
4. Prescriptive Analytics
   
   • Recommend what action to take based on predictive future analysis
   • E.g. what-if analysis, decision support and automation, machine learning, natural language processing

Question 60

What is a:
- Data lake
- Data warehouse
- Data mart
- Data cube
- Database
- Table
- Spreadsheet

Answer 60

• Data Lake - all structured and unstructured data (stored in raw form)
• Data Warehouse - structured and organized database tables (easily searchable and accessible, cleaned and organized already)
• Data Mart - smaller, more focused version of data warehouse. Contains data for fewer sources
• Data Cubes - data tables transformed for drilling down (e.g. particular year, area, or product)
• Databases - structured tables for specific analysis
• Table - single sheet of attributes and records
• Spreadsheets - has tables and/or other values

Question 61

Define the following data analytics terms:
a) Normalization
b) Primary key
c) Foreign key
d) Composite Key

Answer 61

a) Normalization - Reduces redundancies by taking larger tables and breaking them into smaller tables
b) Primary key - unique identifier of a table that allows it to be linked to another table
c) Foreign key - Attribute in one table that contains values from a primary key in another table
d) Composite Key - unique key created when a single record can’t identify an entry