A3 - Risk, Evidence, and Sampling Flashcards
During an audit, the auditor should maintain an attitude of:
- Professional skepticism
- Which includes a questioning mind and a critical assessment of audit evidence
The auditor’s responsibility is to plan and perform the audit to obtain:
- Reasonable assurance about whether the FS are free of material misstatement, whether caused by error or fraud
- This includes a specific assessment of the RMM due to fraud
The disclosure of fraudulent activities to parties other than the client’s senior management and those charged with governance is:
- NOT ordinarily part of the auditor’s responsibility
Inquiries the auditor should make to identify the RMM due to fraud:
- How management has communicated to those charged with governance regarding IC and how it functions to prevent, deter or detect MM due to fraud
- How management communicates to employees its views on acceptable business practices
- Whether there are any particular business segments for which a risk of fraud may exist
- Whether management is aware of any allegations of fraud
The auditor should consider implications of an act of noncompliance with laws and regulations in relation to other aspects of the audit, particularly:
- The reliability of the management representation letter (representations of management)
Lack of ownership identification on the entity’s fixed assets would heighten:
- An auditor’s concern about the RMM arising from the misappropriation of assets
If evidence is not reliable, the auditor should:
- Reevaluate the risk of fraud and design alternate tests
What attributes should be considered in the process of identifying client risks that may result in a MM due to fraud?
- Type of risk
- Significance of the risk
- Likelihood of the risk
- Pervasiveness of the risk
How does inherent risk and control risk differ from detection risk?
- They exist independently of the audit
Judgmental misstatement:
- Differences arising from judgments of management and the auditor
Factual misstatement:
- Misstatements about which there is no doubt
Projected Misstatement:
- The auditor’s best estimate of misstatements in populations, involving the projection of misstatements identified in audit samples to the entire population
Control risk:
- Risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected (and corrected) on a timely basis by the entity’s internal control
The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the:
- Risk that material misstatements exist in the financial statements
The auditor assesses control risk because it:
- Affects the level of detection risk that the auditor may accept
- To obtain an understanding of internal control
To determine the assessed RMM, the auditor:
- Uses the assessed level of control risk along with the assessed level of inherent risk
- This affects the acceptable level of detection risk for FS asserstions
If the assessed level of fraud risk is high, the auditor should attempt to reduce:
- Detection risk
- This helps ensure that the auditor will obtain reasonable assurance about whether the FS are free of material misstatement caused by fraud
Audit risk is comprised of:
- The risk of material misstatement and detection risk
Audit risk:
The risk that the auditor may unknowingly fail to modify appropriately the opinion of the FS that are materially misstated
Fraud risk:
- The risk that misstatements will arise from fraudulent financial reporting or misappropriation of assets
Detection risk:
- The risk that the audit procedures implemented will not detect a misstatement that exists in a relevant assertion
- This is not assessed, but rather controlled by the auditor through the level of testing performed
Inherent Risk:
- The susceptibility of a FS assertion to a material misstatement assuming there are no related controls
Regardless of the assessed level of control risk, an auditor would perform some:
- Substantive tests to restrict detection risk for significant transaction classes
In an audit of FS, substantive procedures:
- Will always be necessary for all relevant assertions related to material transaction classes
If an auditor assesses control risk at the maximum level:
- Document the assessment and make decisions to potentially perform more substantive procedures
The acceptable level of detection risk is INVERSELY related to the:
- Assurance provided by substantive tests (perform more tests/change extent of tests)
- Risk of material misstatements (IR x CR)
- Increasing the assessed level of control risk would increase the:
- Extent of test of details
What is always necessary in a FS audit:
- Analytical procedures
- Risk assessment procedures
When are tests of operating effectiveness in controls performed?
- Only when the auditor’s risk assessment is based on the assumption that controls are operating effectively
When substantive procedures alone are insufficient
An auditor may decide not to perform tests of controls after performing risk assessment procedures because:
- The time required to perform tests of controls would be greater than the reduction in time spent on substantive testing
In assessing control risk, an auditor would perform:
- Inquiry
- Inspection
- Observation
- Reperformance
When risk assessment is based on the effective operations of controls, an audit will involve:
- Identifying specific internal controls relevant to specific assertions
An auditor should design tests of details to ensure that evidence supports:
- the planned level of assurance at the relevant assertion level
Auditor should consider when determining the appropriate extent of testing controls:
- Frequency of performance of control during the period
- Length of time auditor wishes to rely on control
- Relevance and reliability of evidence obtained
- Extent to which other tests provide evidence about the same assertion
- Extent auditor wishes to rely on operating effectiveness on the control to reduce substantive procedures
- Expected deviation rate from the control
What level would address the RMM by the auditor’s consideration of an entity’s control environment?
- Financial statement
If substantive tests solely do not reduce detection risk, an auditor would:
- Perform tests of controls to support a lower level of assessed control risk
During the planning phase of the audit, an auditor obtains an understanding of IC system by considering:
- Type of misstatements that may occur
- Risks that misstatements may occur
- Factors that influence the deign of tests of controls and substantive tests
- Assessment of inherent risk
- Judgements about materiality
- Complexity and sophistication of the entity’s operations and systems
- Use of manual vs. computerized control procedures
AN auditor determines whether a risk is significant by:
- Its inherent risk alone
What procedure would assist an auditor in identifying related party transactions?
- Reviewing confirmations of loans receivable and payable for indications of guarantees
What procedure would assist an auditor in determining whether management has identified all accounting estimates that could be material to FS?
- Review the lawyer’s letters for information about litigation
Reliability of audit evidence:
- Auditor’s direct personal knowledge (and observation)
- External
- Internal
- Orally
PCAOB standards state that RELEVANCE of audit evidence depends on:
- Timing of the audit procedure
- Whether audit procedure is designed to tests for an understatement or overstatement
- Whether the audit procedure is designed to directly test an assertion
Corroborating evidence:
- Includes minutes of meetings, confirmations industry analysts’ report, data about competitors, evidence obtained from management specialists, and information obtained through OBSERVATION, INQUIRT, and INSPECTION
Risk of incorrect rejection:
- Risk that the sample supports the conclusion that the recorded account balance is materially misstated when it is not materially misstated
Risk of incorrect acceptance:
- Risk that the sample supports the conclusion that the recorded account balance is NOT materially misstated when it is
Deviation rate:
- The auditor’s best estimate of the deviation rate in the population from which it was selected
Tolerable deviation rate:
- The maximum rate of deviation from the prescribed procedure the auditor will tolerate without modifying planned reliance on internal control
- INVERSE relationship with the sample size
Attribute sampling (used to determine the NET of the substantive testing):
- Define objective of the test
- Define the population
- Define the sampling unit
- Define attributes of interest
- Determine the sample size
- Select the sample
- Evaluate the results
- Form conclusions
- Document the procedure
Upper deviation rate =
Sample deviation rate + Allowance for sampling risk
In determining the sample size, the auditor must determine the following factors:
- Risk of assessing control risk too low
- Tolerable deviation rate
- Expected deviation rate
Risk of assessing control risk too low:
- Risk that the assessed level of control risk based on the sample is less than the true level of control risk based on the actual operating effectiveness of the control
- Inverse relationship to sample size
What effect does the population size have on the sample size?
- Little effect
If the upper deviation rate is LESS than or equal to the tolerable deviation rate:
- The auditor MAY rely on the control
If the upper deviation rate EXCEEDS the tolerable deviation rate:
- The auditor would NOT rely on the control
Sample size of a test of controls is INVERSELY related to:
- Tolerable rate
Statistical compared to nonstatistical sampling provides a basis for planning the:
- Sample size
- Provides an objective basis for quantitatively evaluating sample risk
Statistical sampling advantages:
- Provide a scientific basis for planning the sample size
- Provide an objective basis for quantitatively evaluating sample risk
- Measure the sufficiency of the audit evidence obtained
Deviations from specific control activities at a given rate ordinarily result in:
- Misstatements at a lower rate
Nonsampling risk
- Includes all aspects of audit risk that are not due to sampling
- Always present and cannot be measured; can only attempt to REDUCE this risk through planning and supervision
Sampling risk:
- Arises from the possibility that a conclusion may be different from the conclusions that would have been reached had the tests been applied to all items
If deviation rate in the sample is less than the tolerable rate, but the deviation rate in the population exceeds the tolerable rate:
- The control risk was assessed too low
If sample rate of deviation + allowance for sample risk exceeds tolerable rate, the auditor would reduce:
- The planned reliance on the prescribed control
In statistical sampling for substantive tests, and auditor would stratify the population into meaningful groups if:
- The population has highly variable recorded amounts
Tolerable misstatement:
- A planning concept related to the auditor’s preliminary judgment about materiality levels
- The maximum monetary misstatement in an account balance that may exist without causing the FS to be materially misstated
When planning a sample for a test of subsequent cash receipts, the auditor should consider:
- Preliminary judgments about materiality levels
Ratio estimation is most effective if:
- There is a correlation between book values and audit amounts
Which sample method results in a smaller sample if no errors are expected?
-Probability-Proportional-to-size (PPS)
What is an advantage of variable sampling compared to PPS?
- The selection of negative balances requires NO special design considerations
Probability-Proportional-to-Size Sampling:
- The sampling unit is defined as an individual dollar in a population. Once a dollar is selected, the entire account (containing that dollar) is audited
- Advantages:
- Automatically emphasized larger items by stratifying the sample
- In no errors are expected, generally smaller samples - Disadvantages:
- Zero balances, negative balances, and understated balances generally require special design considerations - Recorded amount in the population/the sample size
- Auditor controls the risk of incorrect acceptance by specifying that risk level for the sampling plan
Mean-per-Unit Estimation:
- A sampling plan that uses the average value of the items in the sample to estimate the true population value (i.e. Estimate = Average sample value x Number of items in the population)
Stratified vs. Unstratified MPU:
- Stratified is more efficient produces an estimate having a desired level of precision with a smaller sample size
Projected error:
- The auditor’s best estimate of the error in the total population based upon evaluating the actual error rate in the sample results
Statistical concept of precision:
- The auditor’s evaluation of sampling results by calculating the possible errors in either direction
An auditor may decide to decrease the acceptable level of risk when:
- The cost and effort of selecting additional sample items is low
PPS Sample Size Determination:
Sampling Interval = Tolerable misstatement/Reliability factor
Sample size = Recorded amount of the population/Sampling interval
Projected error = (Recorded amount - Audit amount)/Recorded amount
Smaller tolerable misstatement results in:
- Increase in sample size
Higher risk of incorrect acceptance results in:
- Smaller sample size
Scatter plots:
- Allow for the auditor to graphically show the relationships among variables
- Allow for regression lines to be added to show the direction and strength of correlation
Best type of visualization when performing a trend analysis?
- Line chart
- They appropriately address the forward-moving concept of time
Structured data:
- Organized, has consistent data types and formats, and is easily searchable
- i.e. Information systems, spreadsheets, databases, data warehouses, and data marts
Unstructured data:
- Not structured
- Data is typically in its original unmodified format and remains that way until transformed and modified for analysis
- Not organized and difficult to sort
- i.e. Social media posts, interview or phone transcrips, data sourced from sensors (internet of things), videos or images
Descriptive analytics:
- Explain what happened or what is happening with data
Diagnostic analytics:
- Utilized when an org wants to understand the underlying cause of results, essentially, why something happened with the data
Predictive analytics:
- Use historical data and facts to make predictions, estimates, and assertions about future events
- What will happen in the future
Prescriptive analytics:
- Most advanced and complex type
- Builds on predictive analytics
- How to make something happen
- Prescribes courses of actions to help optimize decisions
Benefits of Audit Data Analytics:
- Better understanding of clients and operations
- Advanced assessment of risk
- Expanded audit coverage
- Increase efficiency of applied procedures
- Enhanced fraud detection
- Improved communication through visualizations
