Audit 3 Flashcards
Define audit sample
The selection and evaluation of less than 100 percent of the items in a population of relevant audit evidence selected in such a way that the auditor expects the sample to be representative of the population and thus likely to provide a reasonable basis for conclusions about the population.
How has technology changed audit samples?
Technological advances have reduced the number of times auditors need to apply sampling techniques to gather audit evidence:
1) Development of well-controlled, automated accounting systems.
2) Advent of powerful audit and business analytics software to download and examine data.
Define Sampling Risk
Sampling risk is the element of uncertainty that enters into the auditor’s conclusions anytime sampling is used. There are two types of sampling risk:
Define Nonsampling Risk
Nonsampling risk is the risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk:
- Judgment error
- Selecting inappropriate procedures
- Failing to detect a misstatement when applying an audit procedure
Why do auditors often use nonstatistical sampling?
Define Statistical vs. Nonstatistical Sampling
Nonstatistical sampling: Audit sampling that relies on the auditor’s judgment to determine sample size, select the sample, and/or evaluate the results for the purpose of reaching a conclusion about the population.
There are two types of sampling risk:
Risk of incorrect rejection (Type I)
Risk of incorrect acceptance (Type II)
Confidence Level
is the complement of sampling risk, i.e. 100% - sampling risk (as a %) = confidence level (as a %)
The auditor may set sampling risk for a particular sampling application at 5 percent.
This results in a confidence level of 95 percent for the sampling application.
Tolerable and Expected Error:
Once the desired confidence level is established, the appropriate sample size is determined largely by how much the tolerable error exceeds the expected error. The smaller the difference between these two variables, the more precise the sample must be, and therefore the larger the sample size required.
Example:
Tolerable error (or deviation) rate: 5%
Expected error (or deviation) rate: 2%
What happens if the tolerable error rate declines to 2.5%?
Procedures performed that commonly involve sampling include…
inspection of tangible assets, inspection of records and documents, reperformance, recalculation and confirmation.
Procedures performed that do NOT commonly involve sampling include…
analytical procedures, scanning, inquiry and observation.
Controls Tests:
Determine from a sample whether a control is operating effectively for the entire population.
Tests of details:
Determine from a sample if an account balance or class of transactions is recorded accurately for the entire population.
the types of audit sampling:
Sampling in tests of controls
Sampling in tests of details of transactions
Tests of Controls:
Table 8-2 on page 279.
Tests of Details:
Table 9-1 on page 315.
COSO’s definition of internal controls
Policies, processes and procedures, which are designed and effected by an entity’s board of directors, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives in the following categories:
(1) reliability of financial reporting;
(2) effectiveness and efficiency of operations; and
(3) compliance with applicable laws and regulations.
COSO’s 5 internal control components
the control environment, risk assessment, the AI and communication systems, control activities, monitoring
the control environment
Sets the tone of an organization, influencing the control consciousness of its people. The foundation for effective internal control, providing discipline and structure. “Tone at the Top”
elements of the control environment
Elements: (1) Communication and enforcement of integrity and ethical values; (2) commitment to competence; (3) participation of those charged with governance; management’s philosophy and operating style; (4) organizational structure; (5) assignment of authority and responsibility; (6) H/R policies and procedures
risk assessment
The process for identifying and responding to business risks and the results thereof. Given that an entity’s objectives are broader than those of the auditor, this risk assessment will include risks not relevant to the audit.
three examples of risk assessment
(1) New technology; (2) New or revamped information systems; (3) New accounting pronouncements
Accounting information and communication systems
The information system relevant to financial reporting objectives, which includes the accounting system, consists of procedures (automated or manual) and records established to (1) initiate, (2) record, (3) process, and (4) report entity transactions and to maintain accountability for related assets, liabilities, and equity.
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
Accounting Information and Communication Systems Elements:
- Identify and record all valid transactions
- Describe on a timely basis, the transactions in sufficient detail to permit proper classification of transactions for financial reporting
- Measure the value of transactions in a manner that permits recording their proper monetary value
- Determine the time period in which transactions occurred to permit recording transactions in the appropriate period
- Properly present the transactions and related disclosures in the financial statements
control activities
The policies, processes and procedures that help ensure that management directives are carried out. In particular, these control activities are implemented to address the risks to achieving any of the entity’s objectives.
types of control activities
(1) Performance reviews; (2) Information processing controls, including authorization and document-based controls; (3) Physical controls; and (4) Segregation of duties
Monitoring of controls
A process to assess the quality of internal control performance over time, which involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions, where required
highlights of monitoring controls
(1) Risks change over time, controls should too; (2) Monitoring relates to each of the other four control components; (3) Monitoring can be done through (a) ongoing, or recurring, activities and/or (b) separate evaluations
Consideration of Internal Control includes…
- Develop an understanding of internal control
- Decide whether you (the auditor) intend to rely on the internal controls
Develop an understanding of internal control by…
(a) evaluating their design and (b) determining whether they have been implemented
Decide whether you (the auditor) intend to rely on the internal controls:
if yes…
if no…
If no, set control risk at a maximum, document the level of control risk and perform substantive tests (substantive strategy)
If yes, plan and perform tests of controls to evaluate the operating effectiveness; set control risk based on the tests of controls; compare achieved control risk to preliminary control risk and change audit programs as necessary; perform substantive tests (reliance strategy)
The auditor may elect to pursue a substantive strategy for some or all of the management assertions because of one or more of the following factors:
The implemented controls do not pertain to the assertion the auditor is considering
The implemented controls are assessed as ineffective
Testing the operating effectiveness of the controls would be inefficient
The auditor obtains an understanding of internal control in order to:
Identify the types of potential misstatement
Pinpoint the factors that affect the risk of material misstatement
Design tests of controls and substantive procedures
Factors to consider for an IT specialist include:
The complexity of the entity’s I/T systems and controls and the manner in which they are used to conduct business
The significance of changes made to existing systems, or the implementation of new systems
The extent to which data are shared among systems
The extent of the entity’s participation in e-commerce
The entity’s use of emerging technologies
The significance of audit evidence that is available only in electronic form
Procedure manuals and organizational charts (client-prepared)
Preliminary documents used to obtain an understanding
Flowcharts (client- or auditor-prepared)
Provide a “picture” of the client’s accounting system
Narrative Description (client- or auditor-prepared)
Provides a written summary of controls – more useful when the entity has a simple internal control system
Internal Control Questionnaires (auditor-prepared)
Provide a systematic means for the auditor to investigate a series of areas and topics (“memory jogging tool”) through inquiries; the questionnaire responses should be validated/verified using alternative audit procedures as appropriate
Limitations to Internal Control Include:
Management override of internal control
Human errors or mistakes
Collusion
Scope of Audit Procedures includes…
nature, timing, extent
nature
Primarily impacts the reliability of audit evidence. Bear in mind that more reliable procedures are typically more costly. However, the auditor must also ensure the tests correspond with the relevant assertion.
timing
Tests performed after year-end are deemed more reliable, but an auditor will typically need to perform some tests at an interim period.
extent
The quantity of evidence to be collected (e.g. limited or extensive testing; sample 5% of the population or 50% of the population; etc.)
What is a control deficiency
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
material weakness
A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected.
significant deficiency
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
IT controls 2 parts
general controls
application controls
general controls
Data center and network operations
System software acquisition, change, and maintenance
Access security
Application system acquisition, development, and maintenance
application controls
Data capture controls
Data validation controls
Processing controls
Output controls
Error controls
major sections of SOX
Creation of the PCAOB
Corporate Responsibility (e.g. Section 302)
Enhanced Financial Disclosures (Sections 404a and 404b)
Corporate and Criminal Fraud Accountability
White Collar Crime Penalty Enhancement
SOX MGMT requirements
Certify the integrity of their F/S (Section 302)
Issue a report on internal controls and explicitly take responsibility for maintaining adequate internal control over financial reporting (Section 404a)
SOX auditor requirements
Must perform an audit of an entity’s internal controls for all accelerated filers (Section 404b) – known as the “integrated audit”
Internal Control Over Financial Reporting (“ICOFR”) is defined as …
a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP
ICOFR includes procedures that:
Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company
Provide reasonable assurance that transactions are recorded in accordance with GAAP
Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets
The Integrated Audit topics
2-in-1: Internal Controls & Financial Statement Audit
Top-down Risk-based Approach
Identifying Significant Accounts
Evaluating Control Deficiencies
Opining on Internal Controls and Related Reports
Remediation of Control Weaknesses
An integrated audit definition
is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in the evaluation of internal control.
Identifying significant accounts
Size and composition of the account
Susceptibility to misstatement due to errors or fraud
Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure
Nature of the account or disclosure
Accounting and reporting complexities associated with the account or disclosure
Exposure to losses in the account
Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure
Existence of related-party transactions in the account
Changes from the prior period in account or disclosure characteristics
Evaluating control deficiency
As discussed previously, the auditor must consider the likelihood and magnitude of the control deficiency.
If a deficiency, or combination of deficiencies, prevents the auditor from having reasonable assurance that transactions are recorded properly, then the auditor should treat the deficiency as an indicator of a material weakness.
remediation of control weaknesses
Remediation is the process of correcting a material weakness in the ICFR
If a material weakness is corrected before the “as of” date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control – if not, an adverse opinion is still issued.
In a financial statement audit:
No requirement that an auditor confirm the client has effective ICOFR. The auditor may elect to test NO controls and set control risk at the maximum level (substantive approach) or may test controls to assess control risk at less than the maximum level (reliance strategy).
In an integrated audit:
When an entity has effective ICOFR, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
management assertions
Completeness
Existence / Occurrence
Accuracy (Numerical / Classification / Cutoff or Timing)
Valuation / Allocation
Obligations / Rights / Authorization
Presentation
Three important concepts pertaining to audit evidence:
Nature of audit evidence
- Accounting records and other available information
Sufficiency and appropriateness of audit evidence (Objective 5 Reliability)
- Quantity and quality (relevance and reliability)
Evaluation of audit evidence
- “Trust but verify” (professional skepticism)
journal or ledger -> source docs
vouching (occurrence)
source docs -> journal or ledger
tracing (completeness)
Generally, audit evidence is more reliable if it is:
Obtained from knowledgeable sources outside the client company
Generated internally through a system of effective internal controls
Obtained directly by the auditor rather than indirectly or by inference
Documentary in form rather than an oral representation
Provided by original documents rather than photocopies or facsimiles
Specific acts performed by the auditor to gather evidence about whether specific assertions are being met.
(3)
Risk assessment procedures
Test of controls
Substantive procedures
Audit procedures (actions):
Inspection of records or documents
Inspection of physical/tangible assets
Observation
Inquiry
Confirmation
Recalculation
Reperformance
Analytical Procedures (Planning, substantive, and final analytical procedures)
Scanning
Audit documentation has two primary functions:
To provide support for the audit report.
To support the auditor’s compliance with applicable standards.
Audit Documentation (Secondary purposes)
Assist continuing and new audit team members in planning and performing the audit
Serves as a record of matters of continuing audit interest (permanent file)
Assists in supervision and review of the audit
Demonstrates the accountability of audit team members
Assists internal reviewers, external peer/PCAOB reviewers and successor auditors in performing their required duties
Audit documentation should have the following characteristics:
Enable an experienced auditor to understand the work performed and the significant conclusions reached
Identify who performed and reviewed the work
Show that the accounting agrees or reconciles to the financial statements
Audit documentation should include all significant audit findings and the actions taken to address them.
Current Files:
The auditors’ report in a given year is supported by the working papers contained in the current file. It is typical to organize this file based around the accounts in the client’s financial statements, or around the client’s business cycles. (Examples?)
Permanent Files:
Serves three purposes: (1) to refresh the auditors’ memories on items applicable over a period of many years; (2) to provide new staff members with a quick summary of policies and organization of the client; (3) to preserve working papers on items that show relatively few or no changes from year-to-year. (Examples?)
Ownership:
The audit documentation is the property of the auditor, including those files completed by the client at the auditor’s request. SOX requires that audit documentation be retained for seven years from the completion date of the audit.
Format:
topics
heading
Indexing and cross-referencing
Tickmarks
heading
Date, Completed by, Client’s name, Reference number, Title
Indexing and cross-referencing
Notations that provide a trail from the F/S to the supporting workpapers
tickmarks
Notations made next to workpaper items denoting auditor/reviewer actions
Risk Assessment Procedures
Used to assist the auditor to better understand the business and to plan the nature, timing, and extent of audit procedures.
Substantive Analytical Procedures
Used to obtain evidential matter about particular assertions related to account balances or classes of transactions.
Final Analytical Procedures
Used as an overall review of the financial information in the final review stage of the audit.
Steps for Analytical Procedures
Develop expectation of account (or ratio) balance
Determine amount of difference that can be accepted without investigation
Compare the company’s account (ratio) with the expectation
Investigate and evaluate significant differences (must do so for substantive analytical procedures and final analytical procedures)
Expectations may be developed using:
Prior period information (historical)
Anticipated results (forecasts)
Relationships among elements of financial information
Industry information
Relationships between financial information and relevant non-financial data
Type of expectations:
Trend analysis – analyze changes in accounts of a company over time
Ratio analysis – compare relationships between two or more financial statement accounts and/or non-financial data
Short-term Liquidity
Current Ratio, Quick Ratio, Operating Cash Flow Ratio
Activity Ratios:
Receivables turnover, inventory turnover, days inventory on hand
Profitability Ratios:
Gross profit percentage, profit margin, return on assets, return on equity
Coverage Ratios:
Debt to equity, times interest earned
common validation controls
limit test, range test, sequence check, existence validity test, field test, sign test, check digit verification (page 214)