AUDIT 5.txt

  1. Four rules to audit sampling
    • 1) Central limit theorem (population is normally distributed into normal/bell-shaped curve)
    • 2) Samples must be unrestricted (equally chance of being selected) and randomly selected (no bias)
    • 3) If sample is large enough and randomly selected, sample will be representative of the population
    • 4) Standard deviation is a sample risk, the measure of variability
  2. Statistical sampling vs. nonstatistical sampling
    • - Both are GAAS
    • - Statistical sampling specifies risk willing to accept, calculate sample size, and results are evaluated quantitatively
    • - Nonstatistical sampling means auditor uses judgment to determine sample size and results are evaluated judgementally
  3. Advantages to statistical sampling
    • - Measure sufficiency of the audit evidence obtained
    • - Provide an objective basis for quantitatively evaluating sample results
    • - Design an efficient sample
    • - Quantify sampling risk so as to limit risk to an acceptable level
  4. Sampling concepts do not generally apply to
    • - Risk assessment procedures performed to obtain an understanding of internal controls
    • - Tests of automated application controls when effective general controls are present
    • - Analyses of security and access controls
    • - Some tests related to the operation of the control environment
  5. Sampling risks in substantive testing (variable sampling)
    • - Risk of incorrect acceptance (beta risk) = saying it's not materially misstated when it is
    • - Risk of incorrect rejection (alpha risk) = saying it's wrong when it's right (lack of efficiency since we do more work)
  6. Sampling risks in tests of controls (attribute sampling)
    • - Risk of assessing control risk too low (beta risk) = level of risk is not low but it really is (risk of over-reliance)
    • - Risk of assessing control risk too high (alpha risk) = level of risk is higher than it is (risk of under-reliance, lack of efficiency)
  7. Attribute sampling
    • - Estimating rate of occurrence of an attirubte, to test operating effectiveness of control
    • - Tolerable deviation rate is maximum rate of deviation (risk of misstatement)
    • - Deviation rate is auditor's best estimate of deviation rate in population from what was tested (upper deviation rate in range)
  8. Steps performed in attribute sampling
    • - Define the objective of the test
    • - Define the population
    • - Define the sampling unit
    • - Define the attributes of interest (unique to attribute sampling)
    • - Determine the sample size
    • - Select the sample (random selection, systematic selection, block sampling NOT acceptable)
    • - Evaluate the sample results
    • - Form conclusions about the internal control tested
    • - Document the sampling procedure
  9. Factors in determining the sample size of attribute sampling
    • - Risk of assessing control risk too low (inverse relationship to sample size)
    • - Tolerable deviation rate (max rate of error acceptable; inverse relationship to sample size)
    • - Expected deviation rate (best estimate, direct relationship to sample size)
    • - Population size isn't an issue
  10. Forming conclusions about internal control tests from attribute sampling
    • - If upper deviation rate (sample deviation + allowance) is less than or equal to auditor's tolerable deviation rate, auditor may rely on control
    • - If not, then auditor should modify NET of substantive testing or test compliance with other internal accounting control
  11. Discovery sampling
    Special type of attribute sampling appropriate when auditor believes population deviation rate is zero or near zero, and when no deviations are found in sample size then auditor can be 95% confident that rate of deviation doesn't exceed 1%
  12. Variable sampling
    • - Obtain evidence about reasonableness of monetary values
    • - Tolerable misstatement is maximum monetary misstatement auditor is willing to accept
    • - Use stratification to separate groups and increase efficiencies (when lots of variability)
  13. Types of variable sampling plans
    • - Mean-per-unit estimation (use average value of items in sample to estimate true population value), don't need to use BV of population
    • - Ratio estimation (audit items true value/audited items BV x total book value is point estimate), efficient when calculated audit amounts and approximately proportional to the client's book amounts
    • - Difference estimation (average difference between audited value and book value to project actual population value (divide by items tested and multiple by population to get adjustment rate), efficient when differences aren't as proportional to BV( instead of ratio estimation)
  14. Steps performed in variable sampling
    • - Define objective of test
    • - Define the population
    • - Define the sampling unit
    • - Determine the sample size
    • - Select the sample (random sampling)
    • - Evaluate the sample results
    • - Form conclusions about the balances/transactions tested
    • - Document the sampling procedure
  15. Factors in determining the sample size in variable sampling
    • - Tolerable misstatement = inverse
    • - Expected misstatement (size/frequency/etc) = direct
    • - Acceptable level of risk (audit risk/risk of incorrect acceptance/risk of incorrect rejection) = inverse
    • - Characteristics of the population = standard deviation = direct
    • - Assessed risk of matterial misstatment (IR x CR) = direct
  16. Evaluating sample results of variable sampling
    Project misstatements onto population, and obtain a "point estimate". Then add allowance for sampling risk and determine if record book value follows within acceptable range. If so, BV is fairly state (if sample is representative of population)
  17. Probability-proportional-to-size sampling
    • - Individual dollar in population selected and that account is audited (hybrid method), designed to detect overstatement errors
    • - Sampling interval = tolerable misstatement / reliability factor
    • - Sample size = recorded amount of population / sampling interval
    • - Start with random start and go with that
    • - Projected error is difference between recorded amount and audit amount (divided by recorded amount) and that percentage put on the sample interval
  18. Situations when internal-control matters are communicated
    • - Financial statement audit (non-issuers)
    • - Examination of internal control (non-issuers), integrated with audit of F/S
    • - Audit of internal controls (issuers), integrated with audit of F/S
  19. Definition of control deficiency
    Exists when design or operation of a control doesn't allow management or employees in the normal course of performing their assigned functions to prevent, detect and correct (or prevent and detect for issuers) misstatements on a timely basis, usually based on design or operation
  20. Definition of material weakness
    Deficiency or a combination of deficiencies in internal control over financial reporting so that there's a reasonable possibility that a material misstatement of the entity's F/S will not be prevented, detected or corrected (prevented or detected) on a timely basis
  21. Definition of significant deficiency
    A deficiency, or a combination of deficiencies, in internal control that is less severe than material weakness, yet important enough to merit attention by those charged with governance
  22. Indicators of material weakness
    • - Identification of any level of fraud (even immaterial fraud) perpetrated by senior management
    • - Restatement of previously issued F/S to correct a material misstatement
    • - Identification by the auditor of a material misstatement that wouldn't have been detected by entity's internal control
    • - Ineffective oversight by those charged with governance
  23. Required communication of control deficiencies in internal control matters noted during an audit (non-issuers)
    • - Previously existing deficiencies should be communication again that haven't been corrected
    • - Within 60 days, should communicate significant deficiencies and material weaknesses
    • - Report may not say "no significant deficiencies" (possible misinterpretation) but may say "no material weaknesses identified"
  24. Management requirements for an integrated audit
    • For issuers:
    • - State management responsibility for internal control
    • - Contains assessment of effectiveness
    • For non-issuers:
    • - Accepts responsibility, evaluated effectiveness and support the assertion with evidence
    • - Written assertion about effectiveness of internal control (if not given, auditor should withdraw)
  25. Written representation from management for integrated audit should contain:
    • - Acknowledgement of responsibility of internal control
    • - Assertion and criteria for assertion
    • - Affirms management didn't rely on auditor's procedures as basis for assertion
    • - Confirms all significant deficiencies and material weaknesses have been disclosed
    • - Describes any fraud
  26. - Any significant changes to internal control
    • Top-down approach in selecting controls to test for integrated audit
    • - Entity level controls ("CRIME")
    • - Identifying accounts, disclosures and assertions (qualitative and quantitative, and risk of material weakness in that are)
    • - Select controls to test
  27. Testing of controls in integrated audit
    • - Evaluate design and operating effectiveness
    • - Obtain sufficient appropriate evidence to support opinion of overall effectiveness
    • - Determine effect of any identified control deviations on assessment of risk associated with the control, amount of evidence to be obtained, and operating effectiveness of control
    • - Determine appropriate timing for tests of controls and knowledge obtained during past examinations
    • - Benchmark automated controls (make sure they haven't changed)
  28. Communications with management and those charged with governance (non-issuers)
    • - Communication to management and governance all significant deficiencies and material weaknesses found during examination (previously communicated but uncorrected ones should be communicated again) and done by report release date
    • - Communicate to management ALL deficiencies arise no longer than 60 days after report release, and tell governance communication has been made
  29. Communications with management and those charged with governance (issuers)
    • - Communicating to management and audit committee all material weaknesses identified, prior to issuance of report
    • - Communicate to management and audit committee any identified significant deficiencies
    • - Communicate to management ALL deficiencies in internal control, and inform audit committee of communication
  30. Reporting on internal control (non-issuers)
    • - Opinion directly on internal control should have inherent limitations paragraph
    • - Opinion on management's assertions should be similar to above
    • - Separate or combined reports (separate should make reference to each other)
  31. Material weakness in internal control of non-issuer combined audit
    • - Results in an adverse opinion
    • - Auditor should express opinion directly on effectiveness of internal control, and not on management's assertion
  32. Reporting on internal control (issuers)
    • - Report on both F/S and internal control over financial reporting through separate reports or one combined report
    • - Should have inherent limitations paragraph
    • - If separate, should make reference to each other
  33. Reporting on whether a previously reported internal control weakness continues to exist (issuers)
    • - Voluntary engagement letting public know that they fixed it
    • - Auditor's objective is to express an opinion on if material weakness has been eliminated (to obtain that evidence)
    • - Must perform only if auditor has sufficient overall knowledge and management accepts responsbility for internal control
    • - Testing is limited to controls specifically identified
  34. Required communications about auditor's responsibilties
    • - Responsibilities under GAAS (following GAAS, expressing opinion on F/S, etc)...can be done through engagement letter
    • - Internal control is part of designing audit, but not purpose of expressing opinion on effectiveness (non-issuers only)
    • - Audit doesn't relieve mgmt of their responsibiltiies
    • - Auditor should communicate audit'rs designed to provide reasonable but no absolute assurance
  35. Required communications about planned scope and timing of audit
    • - Provide insight into auditor's activities
    • - Communicate how significant risks of material misstatement will be addressed, planned approach toward internal control, factors affecting materiality, and and any potential use of internal audit staff
    • - Shouldn't reveal too much info, and may inquire information
    • - Include discussion of attitudes, awareness and actions of those charged with governance with respect to internal control, fraud, relevant changes and matters previously communicated by the auditor
  36. Required communications about significant audit findings
    • - View about qualitative aspects of practices (significant accounting policies, estimates, judgments and adequacy of F/S disclosures)
    • - Significant difficulties in performing the audit
    • - Uncorrected, nontrivial misstatements and possible effect on audit opinion
    • - Any circumstances that may appear to impair independence
    • - If governance != management, should discuss material, corrected misstatements brought to mgmt's attention as a result of the audit and other discussions with management
  37. SOX requirements of required communications
    • To audit committee:
    • - All critical accounting policies
    • - All material alternative GAAP accounting treatments
    • - Other material communications between auditor and management
  38. Form and timing of communication
    • - Oral or writing, while written communications should be about significant audit findings (and include limitation on use)
    • - Oral communications should be documented
    • Timing should be done in manner that allows appropriate action to be taken
    • - For issuers, communications are required to be made before the auditor's report on F/S is filed with the SEC
  39. Primary purposes of management representation letter
    • - Confirm representations explicitly or implicitly given to the auditor
    • - Indicate and document continuing appropriateness of such representations
    • - Reduce the possibility of misunderstanding concerning matters that are subject of the representations
  40. Requirements of management representation letter
    • - Assertion that all material matters have been adequately disclosed to independent auditor
    • - Final piece of evidential matter Oup to date of auditor's report)
    • - Letter is mandatory (refusal results in disclaimer or withdrawal)
    • - Dates same date as audit report and signed by CEO and CFO
    • Provides information on F/S, completeness of info, recognition, measurement and disclosure and subsequent events
    • - Limited to items that management and auditor agree are material
  41. Contents of management representation letter
    • - Acknowledgement of responsibility and belief of fair presentation of F/S and in conformity with GAAP
    • - Completeness of information (availability of records, minutes, communications) and absence of unrecorded transactions
    • - Recognition, measurement and disclosure (a lot of these)
    • - Subsequent events
    • - Additional representations regarding specific issues (new accounting principle, impairment of assets, intent to hold debt securities, restrictions on cash, plans to discontinue a line of business, etc)
  42. Recognition, measurement and disclosure in management representation letter
    • - Uncorrected misstatements are immaterial
    • - Acknowledgement to prevent and detect fraud through programs/controls
    • - Knowledge of fraud or suspected fraud involving management, employees in internal control, or others when has material affect
    • - Knowledge of allegations of fraud or suspected fraud from communications received
    • - Plans or intentions to affect carrying value/classification of assets/liabilities
    • - Related party transactions
    • - Guarantees cnotingently liable
    • - Significant estimates and material concentrations
    • - Violations or possible violations of laws
    • - Unasserted claims or assertions
    • - Gain/loss contingencies required to be accrued/disclosed
    • - Satisfactory title to assets, liens, etc
    • - Compliance with aspects to contractual agreements
  43. Four categories of things in management representation letter
    • - Financial statements
    • - Completeness
    • - Recognition, measurement and disclosure
    • - Subsequent events
  44. Audit requirements for federal financial assistance
    • - Expanded internal control documentation and testing requirements
    • - Expanded reporting to include formal written reports on the consideration of internal control and the assessment of control risk
    • - Expanded reporting to include whether the federal financial assistance has been administered in accordance with applicable laws and regulations
    • - Application of single audit standards to federal financial assistance
  45. Purpose and types of government audits
    • - Financial audit (GAAP basis and OCBOA F/S)
    • - Attestation engagements (compliance, effective of internal control, etc)
    • - Performance audits (effectiveness/economy/efficiency, internal control, compliance)
  46. Effects of laws on financial statements
    • Increased management responsibilities identified by GAGAS
    • - Identification of applicable laws and regulations with compliance requirements
    • - Establishment of internal controls to provide assurance entity complies with these laws/regulations
    • - Preparation of supplementation financial reports (schedule of expenditures of financial awards)
    • - Obtaining an audit that satisfies relevant legal, regulatory or contractual requirements
  47. Increased auditor responsibilities identified by GAGAS
    • - Obtaining reasonable assurance that the F/S are free of material misstatements resulting from violations of laws and regulations that have direct/material effect on determination of F/S amounts (but not abuse)
    • - Obtaining understanding of possible effects on F/S of laws/regulations
    • - Assessing whether management has identified laws/regulations that have direct and material effect on determination of amounts in the entity's F/S, and obtaining and understanding of these
    • - Communicating with management/governance that GAAS audit may not be sufficient in certain cases
  48. Audit risk of Noncompliance model
    • - Audit Risk of Noncompliance = Risk of Material Noncompliance x Detection risk by Auditor
    • - RMN consists of inherent risk of noncompliance and control risk of noncompliance
    • - Detection risk can be changed by varying NET of audit procedures
  49. Conditions of which tests of operating effectiveness of controls may be required for a compliance auditr
    • - The risk assessment includes expectation of operating effectiveness of controls
    • - Substantiev procedures do not provide enough evidence to support a conclusion
    • - Tests of controls are required by the applicable governmental audit requirements
  50. Required documentation of a compliance audit
    • - Assessed risk of material noncompliance (including procedures performed and documentation of internal control)
    • - Responses to the risk assessment (including procedures to test compliance, results, and test of controls)
    • - The basis or rationale of materiality levels
    • - Compliance with supplemental requirements
  51. GAGAS - general consideration
    • - Quality control peer review ever 3 years
    • - Independence is impaired if auditor does his/her own work and performs management functions (personal impairments to independence, external impairments to independence, organizational impairments to independence)
  52. GAGAS - fieldwork
    • - Internal control documentation should be based on GAGAS, which contains additional requirements (must document understanding of internal control established to ensure compliance, and document basis for assessing control risk)
    • - Contain written representation from management (no violations of laws, responsibility for compliance, and identified direct/material effect laws/regulations)
  53. GAGAS - reporting
    • - Include an affirmative statement of compliance with GAGAS
    • - Describe the scope of testing of regulatory compliance and internal control
    • - Describe omitted information
    • - Describe the distribution of the report
    • - Opinion on F/S and supplementary schedule of expenditures of federal awards
  54. GAGAS - internal control reporting requirements
    • - Auditor must obtain understanding of the design of relevant controls and determine whether they have been implemented
    • - Communicate ALL significant deficiencies noted during audit (even not material weaknesses)
    • - Report all fraud and illegal acts
    • - GAGAS requires a written report on the auditor's understanding of internal control and the assessment of control risk in all audits (GAAS only requires when significant deficiencies)
  55. Contents of written report on auditor's understanding of internal control required by GAGAS
    • - Assertion that evaluating compliance with laws, rules and regulations with a direct and material effect on the F/S is part of developing an opinion on F/S
    • - The assertion that specific controls relating to financial reporting are considered
    • - An indication either no weaknesses were found or that significant deficiencies were found, and an indication whether those deficiencies were material
  56. Responsibilities under the Single Audit Act
    • - Entities that expend total federal assistance > or = to $500k have audit performed in accordance with the act
    • - Audit's objectives are to report on separate schedule of expenditures of federal awards, and compliance audit of federal awards expended during year as basis for issuing additional report on compliance related to major programs and on internal control over compliance
    • - Materiality is considered separately related to each major program (major program = $300k or more, or 'high risk')
    • - Program specific audits under certain circumstances by a guide
    • - Obtaining an understanding of internal control pertaining to the compliance requirements to federal programs (test effective controls and report ineffective controls)
    • - Evaluate degree of compliance with federal financial assistance program requirements and reporting noncompliance (modify report and should be qualified/adverse)
  57. Schedule of findings and questioned costs
    • - Included in Single Audit
    • - Summary of auditor's results (financial statement audit results and federal award results)
    • - Financial statement findings
    • - Federal award findings and questioned costs
Card Set
AUDIT 5.txt