Final Exam (8-10, 17) Flashcards
audit report
Providing an independent and expert opinion on the fairness of financial statements through an audit is the most frequent attestation service
When performing an audit under GAAS, the auditors obtain __________ that the statements are in conformity with GAAP
reasonable assurance
Reports on the financial statements ordinarily include an opinion that is on both the
financial statements themselves (BICs) and financial statement disclosures
what is considered an integral part of the financial statements
notes to the financial statements
auditors’ standard report - public clients must
1) Includes the words “Registered” and “Independent” in the title “Report of….”.
2) Must be addressed to shareholders and board of directors (additional parties are allowable).
3) References auditing standards of the PCAOB.
4) Provides a discussion of auditor and management responsibilities.
5) Includes a paragraph indicating that the auditors have also issued a report on the client’s internal control over financial reporting, or is a combined report on both the financial statements and internal control
6) Includes a Critical Audit Matters Section. (NEW requirement starting in 2019)
7) Includes statement on year audit firm began serving the client.
8) Signed with name of CPA firm not individual partner (but movement to have the partner’s name on the letter)
9) Includes the City of the office with responsibility for the audit
10) Dated no earlier than the date on which the auditors obtained sufficient appropriate audit evidence to support their opinion (typically the date used is the filing date of the 10K with the SEC)
auditors’ standard report - nonpublic clients
1) Title that includes the word independent
2) Ordinarily addressed to the company itself, the shareholders, the audit committee, and/or the board of directors
3) Signed with name of CPA firm not individual partner unless the firm is a sole practitioner
4) Dated no earlier than the date on which the auditors obtained sufficient appropriate audit evidence to support their opinion
PCAOB Critical Audit Matter includes
1) Identification of the CAM
2) Description of the principal considerations that led the auditor to determine that the matter was a CAM
3) Description of how the CAM was addressed in the audit
4) Reference to the relevant financial statement accounts or disclosures
condition required for issuance of unmodified opinion
The auditors are able to obtain sufficient appropriate audit evidence to obtain reasonable assurance so as to be able to conclude that the financial statements as a whole are free from material misstatements
Unmodified opinion - standard report
This report may be issued only when the auditors have obtained sufficient appropriate audit evidence to conclude the financial statements are not misstated and there is no need to alter the report for other situations
Unmodified opinion - with an emphasis of matter paragraph
To emphasize a matter appropriately presented in the financial statements (e.g., a change in accounting principle)
Unmodified opinion - with an other matter paragraph
To emphasize a matter other than those presented or disclosed in the financial statements (e.g., other information in documents containing audited financial statements) – special purpose example
Unmodified opinion on group financial statements
When two or more CPA firms are involved in an audit and the group auditor (firm that does most of the work) does not wish to take responsibility for the work of the component auditors
Qualified opinion
states that the financial statements are presented fairly in conformity with generally accepted accounting principles “except for” the effects of some matter
Adverse opinion
states that the financial statements are not presented fairly in conformity with generally accepted accounting principles
Disclaimer of opinion
means that due to a significant scope limitation, the auditors were unable to form an opinion or did not form an opinion on the financial statements
Going concern effect on audit report if the matter is properly presented
unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph (may also lead to disclaimer of opinion)
Consistency effect on audit report if the matter is properly presented
unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph
Auditor discretionary effect on audit report if the matter is properly presented
unmodified opinion with an emphasis of matter paragraph added after the opinion paragraph
Going concern effect on audit report if the matter is improperly presented in financial statements
a departure from GAAP is involved and the auditors modify the opinion paragraph to either a qualified or adverse opinion and add a basis for modification paragraph preceding the opinion paragraph
Group audits effect on audit report if the matter is properly presented
Unmodified opinion. The component auditors are referred to when they do not take the responsibility for the component auditors’ work. If they take responsibility, no modification of the audit report is necessary
Group audits effect on audit report if the matter is improperly presented in financial statements
Not applicable because it is an auditor reporting concern
Before opinion paragraph
basis for modification (qualified, adverse, disclaimer) paragraphs. For a modified opinion, such as a qualified or disclaimer, we want to prepare the reader for what is coming and provide context for our opinion, so the emphasis of matter is BEFORE the opinion paragraph
After opinion paragraph - unqualified / unmodified
emphasis of matter and other matter paragraphs. For an unmodified or unqualified opinion, the emphasis of matter is typically AFTER the opinion paragraph: as auditors we want to FIRST tell the reader what our conclusion is and THEN tell them some extra information that entered into our decision-making process
Disclaimer of opinion
1) Auditor has no opinion
2) Issued whenever unable to form an opinion as to fairness of financial statements
3) Circumstances resulting in a disclaimer are those in which the possible misstatements are material and pervasive
4) Multiple uncertainties may also lead to a disclaimer
5) Not an alternative to adverse opinion
Requirement for going concern
must evaluate
5 conditions indicating a going concern
1) Negative cash flows from operations
2) Defaults on loan agreements
3) Adverse financial ratios
4) Work stoppages
5) Legal proceedings
substantial doubt as to going concern status
Ordinarily an unmodified opinion with an emphasis of matter paragraph issued. Alternatively, a disclaimer of opinion may be issued
pervasive misstatements
1) Not confined to specific accounts
2) If confined, they represent a substantial proportion of the financial statements
3) In relation to disclosures, they are fundamental to users’ understanding of the financial statements
adverse opinion
1) Financial statements do not present fairly the financial position, results of operations, and cash flows of client in conformity with GAAP
2) Material and pervasive departures from GAAP
3) Auditor believes departure causes financial statements taken as a whole to be misleading
reporting on comparative financial statements
1) Report should cover current year as well as prior period audited by their firm
2) Can express different opinions on different years
different opinions on different statements
It is acceptable to express an unqualified opinion on one statement while expressing a qualified or adverse on the others
8-K report
major developments that investors should know about are described in the 10-K or 10-Q, but if those developments don’t make the two filings in time, they are presented here. Addresses specific events and provides further detail and exhibits
events that lead to the filing of the 8-K
bankruptcy or receivership, material impairments, completion of acquisition or disposition of assets, departures or appointments of executives
10-Q report
a truncated version of the 10-K, provided within 45 days of the end of the first three quarters of the company’s fiscal year, details company’s latest developments and provides a preview of the direction it plans to take
major differences between 10-K and 10-Q
10-Q has unaudited financial statements and less detailed reports
10-K
provides investors with a comprehensive analysis of the company; contains more information than an annual report and more detailed financial statements; submitted within 90 days of the end of the fiscal year
Sections of the 10-K
1) Business summary that describes the company’s operations, business segments, history, real estate, marketing, research and development, competition and employees
2) The management discussion and analysis that provides a good explanation of the company’s operations and financial outlook
3) Financial statements
4) Management team and legal proceedings
What does the filing time of the 10-Q and 10-K depend on?
market cap
What is the primary resource for investors to determine if they want to invest in that business?
reports to the SEC
less expensive software
Electronic checkbooks (e.g., Quicken: checkbook only)
moderate system
Basic general ledger system (e.g., QuickBooks or Peachtree)
large and expensive
ERP systems (e.g., SAP, Oracle, JD Edwards)
National Institute of Standards and Technology (NIST)
1) Federal agency within the US Department of Commerce
2) Published a comprehensive cybersecurity framework (CSF) in response to President Obama’s executive order
3) Adoption is voluntary
4) HOWEVER, many companies have adopted this standard to govern their IT security AND most audit firms have adopted this as the standard by which they will measure their clients’ IT security efforts
5) Designed not only to keep the cyber criminals out of your data, but to assure nothing happens internally to make your computing environment unavailable or subject to processing errors
What are the 5 governing controls of the NIST Cyber Security Framework?
Identify
Protect
Detect
Respond
Recover
Identify
Understanding by management on how to manage cybersecurity risk to systems, assets, data, and capabilities
1) Asset Management
2) Business Environment
3) Governance
4) Risk Assessment
5) Risk Management Strategy
Protect
Standards to ensure delivery of critical infrastructure services
1) Access Control
2) Awareness and Training
3) Data Security
4) Info Protection Processes and Procedures
5) Maintenance
6) Protective Technology
Detect
Identify the occurrence of a cybersecurity event
1) Anomalies and Events
2) Security Continuous Monitoring
3) Detection Processes
Respond
Action regarding a detected cybersecurity event
1) Response Planning
2) Communications
3) Analysis
4) Mitigation
5) Improvements
Recover
Maintain plans for resilience and restore any capabilities or services
1) Recovery Planning
2) Improvements
3) Communications
Top 20 IT Security Controls
1) Inventory of Authorized Devices
2) Inventory of Authorized Software
3) Secure Configurations for mobile devices, servers, laptops, etc
4) Continuous Vulnerability Assessments
5) Controlled Use of Administrator Privileges
6) Monitoring of Server Audit Logs
7) Email Protection (Phishing) and web site restrictions
8) Control the Spread of Malware
9) Management of Network Ports
10) Effective Backup and Recovery Processes
11) Configure Routers and Firewalls
12) Keep Bad Guys Out of your Network and Alert for Intrusions (IDS, SIEM)
13) Use Data Loss Prevention Tools
14) “Need-to-Know” Only Access
15) Secure Wireless Access Points
16) Actively Manage User Accounts
17) Develop Plan to Assess/Remediate Gaps in IT Security
18) Application Software Security
19) Cyber Incident Response & Management
20) Penetration Tests & Simulations
IT systems usually consist of (2)
hardware and software
hardware
Digital computer and peripheral equipment
software
Various programs and routines for operating the system
two types of software
systems and application
systems software
Programs that control and coordinate hardware components and provide support to application software
Operating system (Examples: Unix, Windows)
application software
Programs designed to perform a specific data processing task
Written in programming language (Example: Java)
input/output devices
1) card readers
2) terminals
3) electronic cash registers
4) optical scanners
5) magnetic tape drives
6) magnetic disk drives
7) optical compact disks
central processing unit (CPU)
1) Arithmetic unit
2) Control unit
3) Primary storage
auxiliary storage
1) magnetic disks
2) magnetic drums
3) magnetic tapes
4) optical compact disks
5) flash drives
6) cloud storage
system characteristics
Batch processing
Online capabilities
Database storage
IT networks
End user computing
batch processing
Input data gathered and processed periodically in groups
Often more efficient than other types of systems but does not provide up-to-minute information
example of batch processing
Accumulate all of a day’s sales transactions and process them as a batch at end of day
Weekly moving students in or out of canvas sections
two types of online capabilities
online transaction processing (OLTP) and online analytical processing (OLAP)
online transaction processing (OLTP)
Individual transactions entered from remote locations
Online real time (Example: Bank balance at ATM)
online analytical processing (OLAP)
Enables user to query a system for analysis
Example: Data warehouse, decision support systems, expert systems (SW: Expert Choice)
database system
allows users to access same integrated database file
Eliminates data redundancy
Creates need for data administrator for security against improper access
Commonly used term “Data Warehouse”
networks
Computers linked together through telecommunication links that enable computers to communicate information back and forth
WAN, LAN
Internet, intranet, extranet, VPN, Cloud computing, …
electronic commerce
Involves electronic processing and transmission of data between customer and client
Electronic Data Interchange (EDI)
Soon arriving on the scene – Block Chain Technology
end user computing
1) User departments (such as the Accounting Department) are responsible for the development and execution of certain IT applications (mostly on PCs)
Involves a decentralized processing system
2) IT department generally not involved
3) Controls needed to prevent unauthorized access and unauthorized modifications
4) Examples: Excel – the “IT solution” of choice for many businesses (large and small). Cloud-based solutions that allow company data to be easily processed with just the use of a provided credit card. Various “off-the-shelf” systems such as Access, Tableau, and UiPath (Robotic Process Automation) that allow the user to create their own “system” for analyzing data and potentially using that data to book accounting entries. HIGH FOCUS AREA for auditors due to risk
internal control in IT
Separation of duties
Clearly defined responsibilities
Augmented by controls written into computer programs
*** Key is preserving data integrity
audit trail impact
Can affect audit procedures
Consulting auditors during design stage of IT-based system helps ultimate auditability
computer-based fraud
History shows the person responsible for frauds in many situations set up the system and controlled its modifications
Segregation of duties – KEY!
Programming separate from controlling data entry
Programming separate from the “move to production” of software changes
Business unit sign-off/approval of all changes/updates
Computer operator from custody or detailed knowledge of programs
If segregation not possible need:
Compensating controls like batch totals
Organizational controls not effective in mitigating collusion
if segregation is not possible what is needed
Compensating controls like batch totals
general control activities
Access to programs and data
Developing new programs and systems
Changing existing programs and systems
IT operations controls
application control activities
programmed (automated) control activities, manual follow-up activities
programmed (automated) control activities
input validation checks, batch controls, processing controls
input validation checks
Limit test (predefined upper and lower limit)
Validity test (data entered compared to master data)
Allowed character test (numeric or alpha or combo)
Missing data test (are all required fields entered)
Self-checking number (last digit in account # is mathematical calc of preceding numbers)
batch controls
Item count (record count)
Control total (total sales processed)
Hash total (similar to control total, but has no intrinsic meaning – ex: sum of social security numbers)
processing controls
Input controls noted above to assure data is processed accurately by the IT application
manual follow-up activities
Exception reports follow-up
user control activities
Designed to test the completeness and accuracy of IT-processed transactions
Designed to ensure reliability
Reconciliation of control totals generated by system to totals developed at input phase
Example: Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk
Important for auditors to determine how the user gains comfort that key reports that are computer generated contain accurate data
example of Reconciliation of control totals generated by system to totals developed at input phase
Sales invoices generated by IT-based system tested for clerical accuracy and pricing by the accounting clerk
control in decentralized and single workstation systems
Involves use of one or more user operated workstations to process data
needed controls for decentralized and single workstation systems
Train users
Document computer processing procedures
Backup files stored away from originals
Authorization controls (i.e. passwords)
Prohibit use of unauthorized programs
Use antivirus software
Lockdown workstations from installation of unauthorized software or for the user’s ability to turn off anti-virus programs
techniques for testing application controls
Auditing Around the Computer–Manually processing selected transactions and comparing results to computer output
Manual Tests of Computer Controls–Inspection of computer control reports and evidence of manual follow-up on exceptions
Auditing Through the Computer–Computer assisted techniques
auditing through the computer - computer assisted techniques
Test Data
Integrated Test Facility
Controlled Programs (or testing controls w/in program)
Program Analysis Techniques
Tagging and Tracing Transactions
Generalized audit software – parallel simulation
using generalized audit software to perform substantive procedures
Examine client’s records for overall quality, completeness and valid conditions
Rearrange data and perform analyses
Select audit samples
Compare data on separate files
Compare results of audit procedures with client’s records
typical inventory audit procedures using generalized audit software
1) observe the physical count, making appropriate test counts
2) test the mathematical accuracy of the inventory extensions and footings
3) compare the auditors’ test counts to the inventory records, book to floor
4) compare the client’s physical count data to the inventory records, floor to book
5) perform a lower of cost or market test by obtaining a list of current costs per item from vendors
6) test purchase and sales cutoff
7) confirm the existence of items located in public warehouses
8) analyze inventory for evidence of obsolescence or slow moving items. Companies are generally reluctant to write off such items due to income statement impact
observe the physical count, making appropriate test counts
determine which items are to be test counted by selecting from the inventory file a sample of items that provides the desired dollar coverage
test the mathematical accuracy of the inventory extensions and footings
for each item in the inventory file, multiply the quantity on hand by the cost per unit and add the extended amounts
compare the auditors’ test counts to the inventory records, book to floor
organize the auditors’ test counts and compare them to inventory records
compare the client’s physical count data to the inventory records, floor to book
compare the quantity of each item counted to the quantity on hand in the inventory file
perform a lower of cost or market test by obtaining a list of current costs per item from vendors
compare the current costs per unit to the cost per unit in the inventory file; print out the extended value for each item, using the lower of the two unit costs, and add extended amounts
test purchase and sales cutoff
list a sample of items on the inventory file for which the date of last purchase or last sale is on, or immediately before, the date of the physical count
confirm the existence of items located in public warehouses
list items located in local warehouses and print confirmations
analyze inventory for evidence of obsolescence or slow moving items. Companies are generally reluctant to write off such items due to income statement impact
list items from the inventory file for which the turnover ratio (quantity sold divided by quantity on hand) is low or for which the date of last sale indicates a lack of recent transactions
controls when using cloud computing
management must take responsibility for controls
must be coordinated and integrated with provider
computer service centers
provide outsourced processing/computer infrastructure services to customers who decide not to invest in their own processing of particular data. Such providers are referred to as Infrastructure as a Service
examples of computer service centers
Microsoft Azure; Amazon Web Services; Google
outsourced service provider
also offer a Software as a Service (SaaS) solution. Rather than having the software installed locally, the software is owned and housed by the 3rd party in their own IT environment
outsourced service provider examples
QuickBooks on-line; Microsoft 360; Drips
what are computer service centers and outsourced service providers?
cloud service providers, which open up significant risk for the auditor to evaluate
cloud computing key concerns
How do the cloud provider and the client assure the completeness, accuracy and validity of the processed data?
What controls are in place on the client’s side concerning the above? (Some cloud providers actually specify these in their contracts)
How is data returned back to the client for inclusion in their financial system?
What ITGCs are in place to protect data while in transit and at rest from unauthorized viewing or manipulation while in the possession of the cloud provider?
what reports are the auditor’s best friend
SOC 1 and/or SOC 2
what makes the cloud a very attractive option
its ease of setup for new applications and cost effectiveness
SSAE #18 report
For Service Providers that impact a company’s internal control environment
examples of service providers
Payroll Service
Bank Trust Departments
Claims Processing Centers
Data Centers
Third Party Administrators, etc.
In general, any provider that’s in the cloud
SOC 1 Report
For providers that “crunch the numbers” and provide the results back to the company for inclusion in their financials
SOC 2 Report
Mainly for companies that provide server hosting, such as Amazon Web Services, Microsoft Azure, & Google where you are mainly concerned with availability and security of your data
Type 1 and Type 2 Reports
Type 1 reports are basically worthless in that they only cover a point in time and only look at control design; Type 2 looks at the functioning of controls over a period of time, much like a traditional audit, AND offers an opinion by the auditor on the effectiveness of those controls
IT Auditor certification
110 Question Exam – Not just for folks with IT background
Distinguish yourself from your colleagues with specific knowledge in applying a risk based approach to plan, execute, and report on engagements involving IT technology
sources of cash
General checking account
Payroll checking accounts
Petty cash
Savings accounts
cash equivalents
Money market funds
Certificates of deposit
Savings certificates
objectives for the audit of cash
Consider inherent risk, including fraud risks, related to cash
Obtain understanding of internal control over cash
Assess the risks of material misstatement of cash and design compliance & substantive procedures that:
Substantiate the existence of recorded cash and occurrence of the related transactions
Establish the completeness of recorded cash
Verify the cutoff and accuracy of cash transactions
Determine that the client has rights to recorded cash
Determine that the presentation and disclosure of cash, including restricted funds, are appropriate
why do we devote a large number of audit hours to cash
It is often the “heart of the organization”: liabilities, revenues, expenses and most other assets flow through cash
Our client’s most liquid asset so greater temptation for misappropriation
High risk account – cash gets “legs”
finance and accounting departments work together to provide assurance that
All cash that should have been received was in fact received, recorded accurately and deposited promptly
Cash disbursements have been made for authorized purposes only and have been properly recorded
Cash balances are maintained at adequate, but not excessive, levels by forecasting
9 guidelines for internal control over cash
Do not permit any one employee to handle a transaction from beginning to end.
Separate cash handling from recordkeeping.
Centralize receiving of cash to the extent practical.
Record cash receipts on a timely basis.
Encourage customers to obtain receipts and observe cash register totals.
Deposit cash receipts daily
Make all disbursements by check or electronic funds transfer, with the exception of small expenditures from petty cash.
Have monthly bank reconciliations prepared by employees not responsible for the issuance of checks or custody of cash. The completed reconciliation should be reviewed promptly by an appropriate official.
Monitor cash receipts and disbursements by comparing recorded amounts to forecasted amounts
Bank rec add what to per bank statement
deposit in transit, bank errors
Bank rec subtract what to per bank statement
outstanding checks, bank errors
bank rec add what to per books
notes collected by bank, book errors
bank rec subtract what to per books
NSF (bounced) checks, check printing or other service charges, book errors
bank account reconciliation procedures
Is it being done timely and consistently (for a monthly control, pull a random sample of 3 months – may want to stratify the sample for entities with large number of bank accounts – not all bank accounts carry the same value)
Typically, you would like to see it being done prior to the final closing of the books
This will allow for major issues to be reached prior to issuing the 10K/10Q
Is it being done for ALL bank accounts
Is there a “preparer” and a “reviewer” for it, in other words, is there another set of eyes on it
SOD issue: it must be performed by someone who has no responsibility or authority over the cash collection and disbursement process. This is KEY to assure validity of the recon
Is supporting documentation attached to it?
Copy of Bank Statement (Auditor should ask employee to log into bank’s web site and observe the on-line version of the bank statement to assure it matches what’s attached to it)
Copy of G/L showing cash per books
What follow-up action is taken for outstanding checks or for NSF checks?
Developing technology – Robotic Process Automation (RPA) – can automate this relatively mundane but very important task
If your client is using RPA, also make contact with your IT audit group to review the integrity of the automated process
The same processes as noted above should still be observed
examples of cash audit procedures
Audit of Bank Reconciliation
Audit of Check Disbursements: 3-way match
Purchase Order
Receiving Report
Invoice
cash disbursement process
purchase requisition
purchase order
notify vendor
vendor shipment
goods receipt (no access to other role)
invoice receipt
payment to vendor
receiving document
The item quantity is confirmed by the company’s Receiving Department and manually entered line-by-line into the company’s ERP system under that PO number. In addition, once all items are received, the PO is closed in the system to prevent incidents of fraud such as re-ordering of the same materials without going through the proper approval process
invoice
3 Way Match Documents
PO
Receiving Report
Invoice
2 way match process
Similar in concept to a 3-way match process in that there needs to be a valid PO for the purchase. However, two major differences:
Used for SERVICES vs materials
NO receiving report
invoices are usually automatically routed to a designated individual to confirm the services were rendered. Once confirmation is received, and the PO is not over-spent, the invoice is paid.
cash disbursement
is only initiated via ACH, wire transfer or paper check after the 3-way match has been successfully completed and the invoice presented for payment. This is typically an automated process in an ERP system (SAP, Oracle, etc)
canceling a document
Once paid, the invoice is this. In addition, once the check is processed, it also is this (by the bank). Most companies use Positive Pay (verification of $ amount) and Positive Payee (verification of payee’s name) to prevent fraudulent cashing of the check
proof of cash
sometimes referred to as a 4 Column Reconciliation is essentially a roll forward of each line item in a bank reconciliation from one accounting period to the next, incorporating separate columns for cash receipts and cash disbursements
Highly recommended where volume of transactions and amount of cash is very large or where fraud is suspected
proof of cash equation
Beginning balance + Cash receipts in the period - Cash disbursements in the period = Ending balance
what is proof of cash used to identify
Cash receipts and disbursements recorded in the accounting records, but not on the bank statement.
Cash deposits and disbursements recorded on the bank statement, but not on the accounting records.
Cash receipts and disbursements recorded at different amounts by the bank than in the accounting records
internal controls over cash receipts
cash sales, collections of receivables
internal controls over cash sales
Involvement of two or more employees
Cash Registers
Electronic point of sale systems
internal controls over collection of receivables
Initial listing of cash receipts
Custody and depositing of cash receipts
Maintenance of customer account records
Reconciliation of customers’ ledgers with control accounts
Mailing monthly statements to customers
Collection activity and past-due accounts
Direct receipt of funds by financial institution
internal control over cash disbursements
Segregation of duties most critical
Payment of obligations by check, credit card, or electronic funds transfer vs paper cash
Use of pre-numbered checks
Match of purchase order and receiving document with vendor’s invoice (3 way match – automated process)
Review of supporting documents by authorized check signer or other designated invoice approver (for non-3 way match invoices)
Cancel of supporting documents (PO and Invoice)
Authorized check signer should mail checks
Not always feasible in large corporations where checks are printed off-site using an “electronic signature”
Monthly bank reconciliation
tests of controls over cash
Test the accounting records and reconciliations by reperformance.
Compare the details of a sample of cash receipts listings to the cash receipts journal, accounts receivable postings, and authenticated deposit slips.
Compare the details of a sample of recorded cash disbursements in the cash payments journal to accounts payable postings, purchase orders, receiving reports, invoices, and paid checks.
tests of balances
1. Reconcile cash balances to the general ledger.
2. Confirm cash balances with financial institutions.
3. Obtain or prepare bank reconciliations as of the balance sheet date and consider the need to reconcile for additional months.
4. Obtain a cutoff bank statement containing transactions of at least seven business days subsequent to balance sheet date.
5. Count and list cash on hand.
6. Verify the client’s cutoff of cash receipts and cash disbursements.
7. Analyze bank transfers for the weeks around year end.
8. Investigate any checks to/from related parties.
9. Evaluate proper financial statement presentation and disclosure of cash.
obtain analyses of cash balances and reconcile them to general ledger
existence and accuracy
send standard confirmation forms to financial institutions. obtain reconciliations of bank balances and consider reconciling bank activity. obtain bank cutoff statement. count cash on hand
existence, occurrence, accuracy, cutoff, and rights
verify the client’s cutoff of cash transactions. analyze bank transfers occurring around year end
cutoff, existence, occurrence, rights and completeness
investigate payments to related parties. evaluate financial statement presentation and disclosure
presentation and disclosure
bank cutoff statement
a bank statement subsequent to the date of the balance sheet
Check 21 Act
Checks may be processed electronically vs physically moving a paper check from bank to bank which is costly and time consuming
Electronic processing creates a substitute check which is an electronic image of the original check
You no longer receive your original cancelled check from the bank
Legal equivalent of original check for all purposes
Audit implications
Need to rely on substitute check for evidence of check
Almost impossible for clients to kite checks (manipulate bank balances to conceal cash shortage) due to the enhanced speed with which checks are now cleared
Kiting
Manipulations that utilize temporarily overstated bank balances to conceal cash shortage or meet short-term cash needs
these schemes rely upon the existence of a “float period” in which transactions are not processed in real time
Increased electronic processing has made this more difficult through reducing (or eliminating) the float period
Auditors can detect this by preparing a schedule of bank transfers for a few days before and after balance sheet date
what is the first indication that fraud is being committed
the observation that someone is living beyond their means
one standard deviation from the mean
accounts for 68% of the set
two standard deviations from the mean
accounts for 95% of the set
three standard deviations from the mean
accounts for 99.7% of the set
audit sampling
Applying a procedure to less than 100% of a population for the purpose of drawing a general conclusion about the account balance, or the entire group of transactions, based on the characteristics detected in this
allows an auditor to draw conclusions about transactions or balances without incurring the time and cost of examining every transaction
when is sampling used in field audits
when it is not efficient to review 100% of the record
audit sampling
Used to estimate some characteristic of the population, either:
Qualitative: attribute sampling
Compliance Test: Tests of Controls
Quantitative: variables sampling
Substantive Test: Tests of Account Balances
representative sample
one in which the characteristics in the sample of audit interest are approximately the same as those of the entire population
what is the auditor’s primary objective when selecting a sample to review
making sure it is representative of the entire population
two risks cause a sample to be non-representative
Sampling risk
Non-sampling risk
sampling risk
Risk that an auditor reaches an incorrect conclusion because the sample is not representative of the population
Risk that the auditors’ conclusions based on a sample may be different from the conclusion they would reach IF they examined every item in the population
two types of sampling risk
assessing risk too high and assessing risk too low
assessing risk too high
Relates to the efficiency of the audit. Results in the auditors performing more substantive testing than necessary. Does not impact audit effectiveness
assessing risk too low
Relates to the auditors assessing the control risk lower than it actually is, which lessens the probability of detecting material financial misstatements. Has huge implications for the effectiveness of the audit
non-sampling risk
Risk that the audit tests do not uncover existing exceptions in the sample, caused by:
Auditor failure to recognize errors or exceptions
Inappropriate or ineffective audit procedures
Basically, the auditor messed up the testing
statistical sampling
Applies the laws of probability theory to assist the auditor in designing a sampling plan and subsequently evaluating the results of the sample
non-statistical sampling
Solely based on the auditor’s judgment
judgmental sampling
The auditor estimates sampling risk by using professional judgment rather than statistical techniques
Provides no means of quantifying sampling risk
Best practice: After you select the statistical sample, review all data from the entire population and find the “outliers”
Example: Look for data points that are in the far right side of the bell curve (3 standard deviations off the mean)
advantages of statistical sampling
Allows auditors to measure and control sampling risk which helps:
Design efficient samples (i.e., you don’t have an unlimited amount of time to do your work)
Measure sufficient amount of evidence
Objectively evaluate sample results
selection of random sample
results in a statistically unbiased sample that may or may not be a representative sample
KEY: You have to make sure you have the entire population of the data you are trying to audit prior to using any methodology to select your sample. In other words, “garbage-in; garbage-out”
Not always as easy as it looks
Data in ERP system may be segregated by cost center, geographic area, company code, business segment, etc.
Random sample techniques
Random number tables – i.e., the “stone tablet” approach.
Although in your book, we will not cover it since there are much better tools readily available
Random number generators – See Excel illustration
Systematic selection
two types of statistical sampling plans
attributes sampling and discovery sampling
attributes sampling (control testing)
“On” or “Off” – Look for the presence or the absence of some attribute (EX: Signature, Bill of Lading, etc)
discovery sampling (special purpose testing)
Designed to detect at least one error in population or for critical deviations that are not expected to be frequent in number
Mainly used for fraud/forensics testing
classical variables testing (substantive testing) mean per unit estimation
Helpful to estimate the appropriate account balance when the underlying documentation is not available.
Total population of 3,000 items in accounts receivable
Sample size is 50.
Adding up the individual values of the 50 items, you get a total of $2,000; therefore, your mean is $40 ($2,000/50). Your mean estimate of the true value of accounts receivable is $120,000 ($40 x 3,000)
application of classical variables testing mean per unit estimation
Confidence level is 95 percent
Error rate is 10 percent
Conclusion: you can say that you’re 95 percent confident that the total value of accounts receivable is $120,000, plus or minus $12,000 ($120,000 times your error rate of 10 percent)
classical variables testing ratio estimation (extrapolation)
Applies the sample ratio to an entire population
If a sample for any of your client’s accounts shows errors of $1,000 in a total sample of $10,000, your misstatement ratio is 10 percent ($1,000/$10,000)
classical variables testing ratio estimation (extrapolation) application
The above ratio is applied to the entire population.
If the entire population totals $50,000, your projected misstatement of the entire population is $5,000 ($50,000 x 10 percent)
If this is lower than your tolerable error rate, you are good to go
classical variables testing difference estimation
Similar to ratio estimation
However, it incorporates the items in the population.
classical variables testing difference estimation
Total population consists of 5,000 items and your sample consists of 1,000 items. Your audit procedures find errors totaling $500. The projected misstatement is $2,500 [($500/1000 items) = $.50/item x 5,000 items].
If this is less than your tolerable error rate, you are good to go
classical variables testing Probability-proportional-to-size (PPS) sampling (Substantive Testing – sometimes called “monetary unit sampling”)
defines the sampling unit as each individual dollar making up the book value of the population
With this method, the bigger the size of the unit, the higher the chance it has of being included in the sample. For this method to bring increased efficiency, the measure of size needs to be accurate.
Contrast to random sampling where each object (invoice, inventory item, etc) has an equal probability of being selected
allowance for sampling risk employed
Amount used to create a range, set by “+ or –” limits from the sample results, within which the true value of the population characteristic being measured is likely to lie (for example, plus or minus 2% error)
The wider the interval, the more confident that the true population falls within that interval; however, the increased interval size also leads to a less precise conclusion:
Sample deviation = 2%
If Allowance for Sampling Risk = +/- 1%; Actual deviation range = 1% to 3%
If Allowance for Sampling Risk = +/- 2%; Actual deviation range = 0% to 4%
Can be used to construct a dollar interval
sample size
Significant effect on Allowance for Sampling Risk and Sampling Risk
As it increases, Sampling Risk and Allowance for Sampling Risk decrease
affected by characteristics of population
General rule: as population increases, it increases
when planning the sample consider
The relationship of the sample to the relevant audit objective
Materiality or the maximum tolerable misstatement or deviation rate
Allowable sampling risk
Characteristics of the population
requirements of audit sampling plans
Select sample items in such a manner that they can be expected to be representative of the population
Sample results should be projected to the population
Items that cannot be audited should be treated as misstatements or deviations in evaluating sample results
Nature and cause of misstatements or deviations should be evaluated
other sample selection methods
haphazard selection, block selection, stratification
haphazard selection
Select items on an arbitrary basis, without any conscious bias
block selection
all items in a selected time period, numerical sequence or alphabetical sequence
Least desirable for use in control/substantive testing; primarily used for fraud/forensic investigations
stratification
Technique of dividing population into relatively homogeneous subgroups
advantages of classical variables sampling
when there are many misstatements in the population, it will result in a small sample size
items with zero and negative balances do not require any special treatment
sample size may be somewhat easier to expand if that becomes necessary
disadvantages of classical variables sampling
to determine the sample size, the standard deviation of the population must be estimated
to evaluate results, the sample’s standard deviation must be calculated
it (especially mean per unit) must be stratified, requiring the use of a computer to perform the computations
advantages of monetary unit sampling (MUS)
the technique is generally easier to use
no estimate of the standard deviation of the population is needed
the technique automatically stratifies the population because items are selected based on their dollar amount
when there are few misstatements, the technique will generally result in a smaller sample size
sample selection can begin before the entire population is available
disadvantages of monetary unit sampling (MUS)
special considerations are required to handle understated accounts and negative balances
each item in the population must have a book value
when misstatements are found, the technique might overstate the allowance for sampling risk
for accounts with a moderate number of misstatements, the sample size may exceed that of classical techniques
audit risk =
inherent risk x control risk x detection risk
audit risk
The allowable audit risk that a material misstatement might remain undetected for the account balance and related assertions
inherent risk
the risk of a material misstatement in an assertion, assuming there were no related controls
control risk
the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by internal control
detection risk
the risk that the auditors’ procedures will fail to detect a material misstatement if it exists