Exam 2 Flashcards
Internal controls
• The auditor’s understanding of internal control is a major factor in determining the overall audit strategy.
• The controls that are of the most relevance to auditors are those that contribute to the reliability, timeliness, and transparency of financial reporting.
Internal control as defined by COSO consists of 5 components:
• The control environment
• The entity’s risk assessment process
• The information system and processes relevant to financial reporting
• Control activities
• Monitoring of controls
Control Environment
Sets the tone of an organization and is the foundation for all other components of IC
How is a strong control environment facilitated
INTEGRITY: • COMPETENCE: • GOVERNANCE: • ACCOUNTABILITY:
Entity’s RA Process
• Identifying business risks related to the entity’s business objectives
• The aspect that is most significant to the auditor is how management identifies risks relevant to the preparation of the financial statements, and then estimates their impact.
Control Activities
Policies and procedures used to address risks identified in the risk assessment process.
• Performance reviews
• Information processing controls
• Physical controls
• Segregation of duties
Monitoring of Controls
Management should assess their controls over time
2 examples of audit testing strategies
(1) Reliance strategy: plan and perform IC tests
(2) Substantive strategy: no reliance on ICs
Reliance strategy
plan and perform IC tests
Substantive strategy
no reliance on ICs
Auditors must gain an _______________ of internal controls
Understanding
Auditors ______ this understanding
utilize
There is generally an inverse relation between the _____________________ and ______________
reliability of internal controls
substantive procedures
The following slides focus on situations where the auditor plans to set control risk
below the maximum (i.e. < high)
In order to properly evaluate control risk, the auditor must
• Identify specific controls
• Perform tests of control
• Conclude
ICFR Definition
This is the PCAOB’s definition; pay attention to the underlined portions and try to understand what the PCAOB is trying to enforce.
A process designed by, or under the supervision of, the company’s principal executive and principal financial officers
and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP, and includes policies and procedures that:
Pertain to the maintenance of records
that accurately and fairly reflect transactions and disposition of assets of the company
Provide reasonable assurance that transactions are
recorded as necessary…and that receipts and expenditures are being made only in accordance with management’s authorization; and
Provide reasonable assurance regarding
prevention or detection of unauthorized material transactions.
Management’s responsibility
Section 404 of SOX requires that management of publicly traded companies issue a report that accepts responsibility for establishing and maintaining adequate ICFR and asserts whether ICFR is effective as of the end of the year.
Management must comply with the following
• Accept responsibility for the effectiveness of ICFR
• Evaluate the effectiveness of ICFR using suitable criteria
• Support the evaluation with appropriate evidence
• Present a written assessment regarding the effectiveness of ICFR, as of the end of the year
Auditor’s responsibility
• Auditor’s objective is “to express an opinion on the effectiveness of the company’s internal control over financial reporting” (AS5).
• Still need reasonable assurance
There are three types of deficiencies
• Control deficiency
• Significant deficiency
• Material Weakness
The auditor must consider two dimensions of identified deficiencies
• Likelihood of misstatement that could result from the deficiency
• Magnitude of misstatement that could result from the deficiency
Likelihood
of misstatement that could result from the deficiency
Magnitude
of misstatement that could result from the deficiency
Management’s Remediation
• Management must correct any identified Material Weaknesses before the “as of” date, and must do so far enough in advance of this date that management and the auditor have time to appropriately reassess the remediated control.
• If not, an adverse opinion is necessary
material weaknesses
(not remediated) must be reported in the financial statements
significant deficiencies and material weaknesses
must be communicated to those charged with governance and management.
control deficiencies
must be communicated to management
Two overall objectives
1. Provide an introduction and overview of audit sampling
2. Apply sampling techniques to tests of internal controls
Audit Sampling
The selection and evaluation of less than 100 percent of the items in a population of audit relevance, selected in such a way that the auditor expects the sample to be representative of the population and thus likely to provide a reasonable basis for conclusions about the population
Why is audit sampling necessary
Sampling is necessary because auditors must balance the cost of the audit with the need for precision
Sampling Risk
• When sampling is used, an element of uncertainty exists – we’ll call it sampling risk.
• The possibility that the sample drawn is not representative of the population, and as a result, the auditor will reach inappropriate conclusions
Formally, there are two types of potential errors
• Type I error: deciding a population is not acceptable, when in actuality it is (e.g., risk of incorrect rejection)
• Type II error: deciding a population is acceptable when it is not (e.g., risk of incorrect acceptance).
Distinctions with Nonsampling risk
the risk that the auditor reaches the wrong conclusion for any other reason.
Confidence level
• Also known as the desired level of assurance
• The complement of sampling risk
How confident do you need to be?
• Depends on the amount of reliance to be placed on your tests and the cost of a Type II error
• Larger sample = higher confidence & lower sampling risk
Tolerable error
The acceptable defect rate
Expected error
Generally based on historical rates or changing current environment
Types of Audit Sampling
• Statistical sampling
• Non-statistical sampling
Statistical Sampling
• Statistical sampling uses the laws of probability in determining the sample size, selecting the sample, or evaluating results
• Allows for the most efficient sample sizes and quantifies sampling risk
Types of Statistical Sampling
Attribute Sampling
Monetary-Unit Sampling
Attribute Sampling
• Used to estimate the proportion of a population that exhibits a certain characteristic.
• Such as the operating effectiveness of a control
Monetary-Unit Sampling
Used to estimate the monetary amount of misstatement for a population (e.g., account balance or class of transactions)
Non-statistical sampling
does not strictly follow statistical techniques in determining the sample size, selecting the sample, or evaluating results (does not consider sampling risk)
Firms typically establish a non-statistical sampling policy
Such a policy helps promote consistency in application and is normally grounded in statistical reasoning.
Desired level of controls reliance    Sample size
Low                                   15-20
Moderate                              25-35
High                                  40-60
Random selection
Sampling units are identified using a random number generator
Systematic selection
Sampling units are identified systematically (i.e., every 50th item in the population)
Haphazard selection (only non-statistical)
Sampling units are manually selected by the auditor without any special reason for including or omitting the item in the sample. This is the most common non-statistical sampling method in audit practice (Hall 2001)
An approach is non-statistical if
(1) judgment is used to determine the sample size; (2) a haphazard selection method is used; and/or (3) the sample results are evaluated judgmentally
Individually Significant Items
Auditors may segregate a population of transactions into two groups: (1) those that are individually significant and thus necessitate 100% inspection, and (2) the remainder of the population which is subject to sampling
Auditors commonly examine controls which are not performed frequently throughout a year. An example of such sample sizes follows
Control Frequency and Population Size    Sample Size
Quarterly (4)                            1-2
Monthly (12)                             2-4
Semimonthly (24)                         3-8
Weekly (52)                              5-10
Attribute Sampling: Planning
Planning
1. Determine the test objectives.
2. Define the population characteristics:
   • Define the sampling population.
   • Define the sampling unit.
   • Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
   • The desired confidence level or risk of incorrect acceptance.
   • The tolerable deviation rate.
   • The expected population deviation rate.
The objective of attribute sampling when used for tests of controls is to evaluate the operating effectiveness of the internal control.
Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
All of the items that constitute the class of transactions make up the sampling population
Define the sampling unit
Each sampling unit makes up one item in the population. The sampling unit should be defined in relation to the specific control being tested
Define the control deviation conditions.
A deviation is a departure from adequate performance of the internal control
The desired confidence level or risk of incorrect acceptance
Generally, when the auditor has decided to rely on controls, the confidence level is set at 90% or 95%. This means the auditor is willing to accept a 10% or 5% risk of accepting the control as effective when it is not.
The tolerable deviation rate
The maximum deviation rate from a prescribed control that the auditor is willing to accept and still consider the control effective:
Assessed Importance of Control    Tolerable Deviation Rate
Highly important                  3-5%
Moderately important              6-10%
The expected population deviation rate
The rate the auditor expects to exist in the population. The larger the expected population deviation rate, the larger the sample size must be, all else equal. This may be based on historical rates or current conditions that help develop an auditor’s expectations.
Population size
Population size is not an important factor in determining sample size for attribute sampling. The population size has little or no effect on the sample size, unless the population is relatively small, say fewer than 500 items.
Select sample items:
• Audit software such as ACL
• Random-Number Selection.
• Systematic Selection.
The auditor may select sample items using audit software, or may use a manual selection method.
Perform the Audit Procedures:
• Voided documents.
• Unused or inapplicable documents.
• Inability to examine a sample item.
• Stopping the test before completion.
For attribute sampling of internal controls, this is where you test the operating effectiveness of a control. These four bullets represent typical issues that may come up during testing
Calculate the Sample Deviation and Upper Deviation Rates
After completing the audit procedures, the auditor summarizes the deviations for each control tested and evaluates the results. For example, if the auditor discovered two deviations in a sample of 50, the deviation rate in the sample would be 4% (2 ÷ 50). The upper deviation rate is the sum of the sample deviation rate and an appropriate allowance for sampling risk.
Draw Final Conclusions
The auditor compares the tolerable deviation rate to the computed upper deviation rate.
Sampling Internal Controls
• Purpose: to determine the reliability of internal controls
• Techniques:
  • Attribute (Statistical)
  • Non-statistical
• Population: number of times a control was performed
• Conclusion: reliability of the internal control
Sampling Substantive Evidence
• Purpose: to determine if an account is fairly stated
• Techniques:
  • Monetary-Unit (Statistical)
  • Non-statistical
• Population: all transactions that make up an account balance
• Conclusion: the magnitude of a misstatement
The sampling unit for nonstatistical sampling of substantive evidence is normally
a customer account, an individual transaction, or a line item on a transaction.
When using nonstatistical sampling, the following items must be considered:
- Identifying individually significant items
- Determining the sample size
- Selecting sample items
- Calculating the sample results
• The items to be tested individually are items that may contain misstatements that individually exceed tolerable misstatement. These items are tested 100% because the auditor is not willing to accept any sampling risk.
• Accordingly, results from testing ISI items are not projected to the population.
Sample size = Sampling population book value ÷ (Tolerable misstatement – Expected misstatement)
In certain instances, the auditor may also apply a confidence factor that is multiplied by the sample size (not common)
• Auditing standards require that the sample items be selected in such a way that the sample is representative of the population
Sample selection for substantive testing is performed in much the same manner as sampling for internal controls testing
• Random selection
• Systematic selection (based on dollar values)
• Haphazard selection
One way of projecting the sampling results to the population is to apply the misstatement ratio in the sample to the population. This approach is known as
ratio projection
difference projection
This method projects the average misstatement of each item in the sample to all items in the population