AUDIT 5.txt

• 1) Central limit theorem (population is normally distributed into normal/bell-shaped curve)
• 2) Samples must be unrestricted (equally chance of being selected) and randomly selected (no bias)
• 3) If sample is large enough and randomly selected, sample will be representative of the population
• 4) Standard deviation is a sample risk, the measure of variability

• - Both are GAAS
• - Statistical sampling specifies risk willing to accept, calculate sample size, and results are evaluated quantitatively
• - Nonstatistical sampling means auditor uses judgment to determine sample size and results are evaluated judgementally

• - Measure sufficiency of the audit evidence obtained
• - Provide an objective basis for quantitatively evaluating sample results
• - Design an efficient sample
• - Quantify sampling risk so as to limit risk to an acceptable level

• - Risk assessment procedures performed to obtain an understanding of internal controls
• - Tests of automated application controls when effective general controls are present
• - Analyses of security and access controls
• - Some tests related to the operation of the control environment

• - Risk of incorrect acceptance (beta risk) = saying it's not materially misstated when it is
• - Risk of incorrect rejection (alpha risk) = saying it's wrong when it's right (lack of efficiency since we do more work)

• - Risk of assessing control risk too low (beta risk) = level of risk is not low but it really is (risk of over-reliance)
• - Risk of assessing control risk too high (alpha risk) = level of risk is higher than it is (risk of under-reliance, lack of efficiency)

• - Estimating rate of occurrence of an attirubte, to test operating effectiveness of control
• - Tolerable deviation rate is maximum rate of deviation (risk of misstatement)
• - Deviation rate is auditor's best estimate of deviation rate in population from what was tested (upper deviation rate in range)

• - Define the objective of the test
• - Define the population
• - Define the sampling unit
• - Define the attributes of interest (unique to attribute sampling)
• - Determine the sample size
• - Select the sample (random selection, systematic selection, block sampling NOT acceptable)
• - Evaluate the sample results
• - Form conclusions about the internal control tested
• - Document the sampling procedure

• - Risk of assessing control risk too low (inverse relationship to sample size)
• - Tolerable deviation rate (max rate of error acceptable; inverse relationship to sample size)
• - Expected deviation rate (best estimate, direct relationship to sample size)
• - Population size isn't an issue

• - If upper deviation rate (sample deviation + allowance) is less than or equal to auditor's tolerable deviation rate, auditor may rely on control
• - If not, then auditor should modify NET of substantive testing or test compliance with other internal accounting control

Special type of attribute sampling appropriate when auditor believes population deviation rate is zero or near zero, and when no deviations are found in sample size then auditor can be 95% confident that rate of deviation doesn't exceed 1%

• - Obtain evidence about reasonableness of monetary values
• - Tolerable misstatement is maximum monetary misstatement auditor is willing to accept
• - Use stratification to separate groups and increase efficiencies (when lots of variability)

• - Mean-per-unit estimation (use average value of items in sample to estimate true population value), don't need to use BV of population
• - Ratio estimation (audit items true value/audited items BV x total book value is point estimate), efficient when calculated audit amounts and approximately proportional to the client's book amounts
• - Difference estimation (average difference between audited value and book value to project actual population value (divide by items tested and multiple by population to get adjustment rate), efficient when differences aren't as proportional to BV( instead of ratio estimation)

• - Define objective of test
• - Define the population
• - Define the sampling unit
• - Determine the sample size
• - Select the sample (random sampling)
• - Evaluate the sample results
• - Form conclusions about the balances/transactions tested
• - Document the sampling procedure

• - Tolerable misstatement = inverse
• - Expected misstatement (size/frequency/etc) = direct
• - Acceptable level of risk (audit risk/risk of incorrect acceptance/risk of incorrect rejection) = inverse
• - Characteristics of the population = standard deviation = direct
• - Assessed risk of matterial misstatment (IR x CR) = direct

Project misstatements onto population, and obtain a "point estimate". Then add allowance for sampling risk and determine if record book value follows within acceptable range. If so, BV is fairly state (if sample is representative of population)

• - Individual dollar in population selected and that account is audited (hybrid method), designed to detect overstatement errors
• - Sampling interval = tolerable misstatement / reliability factor
• - Sample size = recorded amount of population / sampling interval
• - Start with random start and go with that
• - Projected error is difference between recorded amount and audit amount (divided by recorded amount) and that percentage put on the sample interval

• - Financial statement audit (non-issuers)
• - Examination of internal control (non-issuers), integrated with audit of F/S
• - Audit of internal controls (issuers), integrated with audit of F/S

Exists when design or operation of a control doesn't allow management or employees in the normal course of performing their assigned functions to prevent, detect and correct (or prevent and detect for issuers) misstatements on a timely basis, usually based on design or operation

Deficiency or a combination of deficiencies in internal control over financial reporting so that there's a reasonable possibility that a material misstatement of the entity's F/S will not be prevented, detected or corrected (prevented or detected) on a timely basis

A deficiency, or a combination of deficiencies, in internal control that is less severe than material weakness, yet important enough to merit attention by those charged with governance

• - Identification of any level of fraud (even immaterial fraud) perpetrated by senior management
• - Restatement of previously issued F/S to correct a material misstatement
• - Identification by the auditor of a material misstatement that wouldn't have been detected by entity's internal control
• - Ineffective oversight by those charged with governance

• - Previously existing deficiencies should be communication again that haven't been corrected
• - Within 60 days, should communicate significant deficiencies and material weaknesses
• - Report may not say "no significant deficiencies" (possible misinterpretation) but may say "no material weaknesses identified"

• For issuers:
• - State management responsibility for internal control
• - Contains assessment of effectiveness
• For non-issuers:
• - Accepts responsibility, evaluated effectiveness and support the assertion with evidence
• - Written assertion about effectiveness of internal control (if not given, auditor should withdraw)

• - Acknowledgement of responsibility of internal control
• - Assertion and criteria for assertion
• - Affirms management didn't rely on auditor's procedures as basis for assertion
• - Confirms all significant deficiencies and material weaknesses have been disclosed
• - Describes any fraud

• Top-down approach in selecting controls to test for integrated audit
• - Entity level controls ("CRIME")
• - Identifying accounts, disclosures and assertions (qualitative and quantitative, and risk of material weakness in that are)
• - Select controls to test

• - Evaluate design and operating effectiveness
• - Obtain sufficient appropriate evidence to support opinion of overall effectiveness
• - Determine effect of any identified control deviations on assessment of risk associated with the control, amount of evidence to be obtained, and operating effectiveness of control
• - Determine appropriate timing for tests of controls and knowledge obtained during past examinations
• - Benchmark automated controls (make sure they haven't changed)

• - Communication to management and governance all significant deficiencies and material weaknesses found during examination (previously communicated but uncorrected ones should be communicated again) and done by report release date
• - Communicate to management ALL deficiencies arise no longer than 60 days after report release, and tell governance communication has been made

• - Communicating to management and audit committee all material weaknesses identified, prior to issuance of report
• - Communicate to management and audit committee any identified significant deficiencies
• - Communicate to management ALL deficiencies in internal control, and inform audit committee of communication

• - Opinion directly on internal control should have inherent limitations paragraph
• - Opinion on management's assertions should be similar to above
• - Separate or combined reports (separate should make reference to each other)

• - Results in an adverse opinion
• - Auditor should express opinion directly on effectiveness of internal control, and not on management's assertion

• - Report on both F/S and internal control over financial reporting through separate reports or one combined report
• - Should have inherent limitations paragraph
• - If separate, should make reference to each other

• - Voluntary engagement letting public know that they fixed it
• - Auditor's objective is to express an opinion on if material weakness has been eliminated (to obtain that evidence)
• - Must perform only if auditor has sufficient overall knowledge and management accepts responsbility for internal control
• - Testing is limited to controls specifically identified

• - Responsibilities under GAAS (following GAAS, expressing opinion on F/S, etc)...can be done through engagement letter
• - Internal control is part of designing audit, but not purpose of expressing opinion on effectiveness (non-issuers only)
• - Audit doesn't relieve mgmt of their responsibiltiies
• - Auditor should communicate audit'rs designed to provide reasonable but no absolute assurance

• - Provide insight into auditor's activities
• - Communicate how significant risks of material misstatement will be addressed, planned approach toward internal control, factors affecting materiality, and and any potential use of internal audit staff
• - Shouldn't reveal too much info, and may inquire information
• - Include discussion of attitudes, awareness and actions of those charged with governance with respect to internal control, fraud, relevant changes and matters previously communicated by the auditor

• - View about qualitative aspects of practices (significant accounting policies, estimates, judgments and adequacy of F/S disclosures)
• - Significant difficulties in performing the audit
• - Uncorrected, nontrivial misstatements and possible effect on audit opinion
• - Any circumstances that may appear to impair independence
• - If governance != management, should discuss material, corrected misstatements brought to mgmt's attention as a result of the audit and other discussions with management

• To audit committee:
• - All critical accounting policies
• - All material alternative GAAP accounting treatments
• - Other material communications between auditor and management

• - Oral or writing, while written communications should be about significant audit findings (and include limitation on use)
• - Oral communications should be documented
• Timing should be done in manner that allows appropriate action to be taken
• - For issuers, communications are required to be made before the auditor's report on F/S is filed with the SEC

• - Confirm representations explicitly or implicitly given to the auditor
• - Indicate and document continuing appropriateness of such representations
• - Reduce the possibility of misunderstanding concerning matters that are subject of the representations

• - Assertion that all material matters have been adequately disclosed to independent auditor
• - Final piece of evidential matter Oup to date of auditor's report)
• - Letter is mandatory (refusal results in disclaimer or withdrawal)
• - Dates same date as audit report and signed by CEO and CFO
• Provides information on F/S, completeness of info, recognition, measurement and disclosure and subsequent events
• - Limited to items that management and auditor agree are material

• - Acknowledgement of responsibility and belief of fair presentation of F/S and in conformity with GAAP
• - Completeness of information (availability of records, minutes, communications) and absence of unrecorded transactions
• - Recognition, measurement and disclosure (a lot of these)
• - Subsequent events
• - Additional representations regarding specific issues (new accounting principle, impairment of assets, intent to hold debt securities, restrictions on cash, plans to discontinue a line of business, etc)

• - Uncorrected misstatements are immaterial
• - Acknowledgement to prevent and detect fraud through programs/controls
• - Knowledge of fraud or suspected fraud involving management, employees in internal control, or others when has material affect
• - Knowledge of allegations of fraud or suspected fraud from communications received
• - Plans or intentions to affect carrying value/classification of assets/liabilities
• - Related party transactions
• - Guarantees cnotingently liable
• - Significant estimates and material concentrations
• - Violations or possible violations of laws
• - Unasserted claims or assertions
• - Gain/loss contingencies required to be accrued/disclosed
• - Satisfactory title to assets, liens, etc
• - Compliance with aspects to contractual agreements

• - Financial statements
• - Completeness
• - Recognition, measurement and disclosure
• - Subsequent events

• - Expanded internal control documentation and testing requirements
• - Expanded reporting to include formal written reports on the consideration of internal control and the assessment of control risk
• - Expanded reporting to include whether the federal financial assistance has been administered in accordance with applicable laws and regulations
• - Application of single audit standards to federal financial assistance

• - Financial audit (GAAP basis and OCBOA F/S)
• - Attestation engagements (compliance, effective of internal control, etc)
• - Performance audits (effectiveness/economy/efficiency, internal control, compliance)

• Increased management responsibilities identified by GAGAS
• - Identification of applicable laws and regulations with compliance requirements
• - Establishment of internal controls to provide assurance entity complies with these laws/regulations
• - Preparation of supplementation financial reports (schedule of expenditures of financial awards)
• - Obtaining an audit that satisfies relevant legal, regulatory or contractual requirements

• - Obtaining reasonable assurance that the F/S are free of material misstatements resulting from violations of laws and regulations that have direct/material effect on determination of F/S amounts (but not abuse)
• - Obtaining understanding of possible effects on F/S of laws/regulations
• - Assessing whether management has identified laws/regulations that have direct and material effect on determination of amounts in the entity's F/S, and obtaining and understanding of these
• - Communicating with management/governance that GAAS audit may not be sufficient in certain cases

• - Audit Risk of Noncompliance = Risk of Material Noncompliance x Detection risk by Auditor
• - RMN consists of inherent risk of noncompliance and control risk of noncompliance
• - Detection risk can be changed by varying NET of audit procedures

• - The risk assessment includes expectation of operating effectiveness of controls
• - Substantiev procedures do not provide enough evidence to support a conclusion
• - Tests of controls are required by the applicable governmental audit requirements

• - Assessed risk of material noncompliance (including procedures performed and documentation of internal control)
• - Responses to the risk assessment (including procedures to test compliance, results, and test of controls)
• - The basis or rationale of materiality levels
• - Compliance with supplemental requirements

• - Quality control peer review ever 3 years
• - Independence is impaired if auditor does his/her own work and performs management functions (personal impairments to independence, external impairments to independence, organizational impairments to independence)

• - Internal control documentation should be based on GAGAS, which contains additional requirements (must document understanding of internal control established to ensure compliance, and document basis for assessing control risk)
• - Contain written representation from management (no violations of laws, responsibility for compliance, and identified direct/material effect laws/regulations)

• - Include an affirmative statement of compliance with GAGAS
• - Describe the scope of testing of regulatory compliance and internal control
• - Describe omitted information
• - Describe the distribution of the report
• - Opinion on F/S and supplementary schedule of expenditures of federal awards

• - Auditor must obtain understanding of the design of relevant controls and determine whether they have been implemented
• - Communicate ALL significant deficiencies noted during audit (even not material weaknesses)
• - Report all fraud and illegal acts
• - GAGAS requires a written report on the auditor's understanding of internal control and the assessment of control risk in all audits (GAAS only requires when significant deficiencies)

• - Assertion that evaluating compliance with laws, rules and regulations with a direct and material effect on the F/S is part of developing an opinion on F/S
• - The assertion that specific controls relating to financial reporting are considered
• - An indication either no weaknesses were found or that significant deficiencies were found, and an indication whether those deficiencies were material

• - Entities that expend total federal assistance > or = to $500k have audit performed in accordance with the act
• - Audit's objectives are to report on separate schedule of expenditures of federal awards, and compliance audit of federal awards expended during year as basis for issuing additional report on compliance related to major programs and on internal control over compliance
• - Materiality is considered separately related to each major program (major program = $300k or more, or 'high risk')
• - Program specific audits under certain circumstances by a guide
• - Obtaining an understanding of internal control pertaining to the compliance requirements to federal programs (test effective controls and report ineffective controls)
• - Evaluate degree of compliance with federal financial assistance program requirements and reporting noncompliance (modify report and should be qualified/adverse)

• - Included in Single Audit
• - Summary of auditor's results (financial statement audit results and federal award results)
• - Financial statement findings
• - Federal award findings and questioned costs