|
|
|
 |
|
1.5. Auditing & Attestation - Lecture |
|
|
|
|
|
|
|
|
|
|
|
Auditing & Attestation 5
Auditing & Attestation 5
1. Audit sampling ..............................................................................................................
3
2. The effect of information technology on the audit .............................................................
22
3. Internal control communications ....................................................................................
27
4. Government auditing ...................................................................................................
45
5. Communication with those charged with governance ........................................................
54
6. Management representations ........................................................................................
59
7. Appendix 1: Reports on internal control required by the PCAOB..........................................
63
8. Appendix 2: Government auditing standards ...................................................................
65
8. Appendix 3: Contents of auditor's reports in government auditing.......................................
66
9. Class questions ...........................................................................................................
71
A5-
2
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-3
AUDIT SAMPLING
I. INTRODUCTION
A. AUDIT SAMPLING
Audit sampling is the testing of less than 100% of the items within an account balance or
class of transactions in order to evaluate some characteristic of the balance or class. Audit
sampling is especially useful in cases where an auditor has no special knowledge about likely
misstatements contained in account balances and transactions.
PASS KEY
RULE 1:
Always assume that the population being sampled is normally distributed, that is, it can be described by a "normal,"
or "bell-shaped," curve.
RULE 2:
For the estimates that the CPA makes about the population to have mathematical validity, the samples have to be
unrestricted and randomly selected, which means that:
1. Every item in a population must have an absolutely equal chance of being selected.
2. The CPA cannot use "bias" in deciding which items will be selected. No substitute items may be used.
RULE 3:
If the sample is large enough and is randomly selected, the sample will likely have the same statistical
characteristics (mean and standard deviation) as the underlying population, i.e., it will be representative of the
population.
RULE 4:
Standard deviation is a measure of "variability," which refers to the range of values within the population.
B. REPRESENTATIVE OF THE POPULATION
When auditors sample from a population (universe), the assumption is that the sample is
representative of the population (i.e., the characteristics of the sample are comparable to the
characteristics of the population).
S
TATISTICAL
S
AMPLING
Auditing & Attestation 5 Becker CPA Review
A5-
4 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
C. SAMPLING RISK
Inherent in audit sampling is the concept of sampling risk. This is the risk that the sample is
not representative and that the auditor's conclusion will be different from the conclusion had
the auditor examined 100% of the population.
D. SAMPLING
Audit sampling methods can be either statistical or nonstatistical. Both approaches require
the use of professional judgment.
1. Statistical Sampling
In statistical sampling, auditors specify the sampling risk they are willing to accept and
then calculate the sample size that provides that degree of reliability. Results are
evaluated quantitatively.
2. Nonstatistical Sampling
In nonstatistical sampling, the sample size is not determined mathematically. Auditors
use their judgment in determining sample size, and sample results are evaluated
judgmentally.
3. Sufficient Audit Evidence
Either a statistical or a nonstatistical approach is acceptable under Generally Accepted
Auditing Standards. When properly applied, either method should result in a sample
size that provides sufficient audit evidence.
a. The sufficiency of audit evidence is related to the design and size of the sample.
b. The size of a sample depends on both the objectives and the design of the
sample. Careful design generally produces a more efficient sample (i.e., one
that achieves its objectives with a smaller sample size).
4. Professional Judgment
Although statistical sampling aids the auditor in quantitative ways, it is not a substitute
for professional judgment. The auditor must exercise professional judgment in both
statistical and nonstatistical sampling to:
(i) Define the population and the sampling unit;
(ii) Select the appropriate sampling method;
(iii) Evaluate the appropriateness of audit evidence;
(iv) Evaluate the nature of deviations or errors;
(v) Consider sampling risk; and
(vi) Evaluate the results obtained from the sample and project those results to the
population.
PASS KEY
Many questions try to trick the candidate into thinking that statistical sampling eliminates the need for auditing judgment.
This is completely false. While statistical sampling is a quantitative approach, judgment is still required to set many of the
parameters and to evaluate the overall results.
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-5
E. STATISTICAL SAMPLING
1. Advantages of Statistical Sampling
Statistical sampling enables the auditor to:
a. Measure the sufficiency of the audit evidence obtained.
b. Provide an objective basis for quantitatively evaluating sample results.
c. Design an efficient sample.
d. Quantify sampling risk so as to limit risk to an acceptable level.
2. Random Sample Selection
Random sample selection methods should be used in statistical sampling. Such
methods give all items in the population an equal chance to be included in the sample
to be audited.
F. USE OF SAMPLING
1. Types of Sampling
Auditors may use sampling procedures to estimate many different characteristics of
populations, but generally estimates are either of a rate of occurrence (attribute
sampling) or of a numerical quantity (variables sampling or probability-proportional-tosize
[PPS] sampling).
a. Attribute sampling is primarily used for testing internal controls.
b. Variables sampling and PPS sampling are typically used in substantive testing of
account balances.
PASS KEY
Many exam questions can be answered by being able to distinguish between attribute sampling and variables sampling
applications. Remember that attribute sampling is more likely to deal with tests of controls, while variables sampling
generally deals with dollar values. Often the attribute sampling application can be identified by finding the option that deals
with yes-no questions (e.g., Is the invoice properly approved?).
2. Situations Where Sampling May Not Apply
Sampling concepts generally do not apply to:
a. Risk assessment procedures performed to obtain an understanding of internal
control.
b. Tests of automated application controls when effective general controls are
present. (Generally, such controls would only be tested once or a few times.)
c. Analyses of security and access controls, or other controls that do not provide
documentary evidence of performance (e.g., controls related to segregation of
duties).
d. Some tests related to the operation of the control environment or the accounting
system (e.g., examination of the effectiveness of activities performed by those
charged with governance).
Auditing & Attestation 5 Becker CPA Review
A5-
6 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
II. UNCERTAINTY AND AUDIT SAMPLING
A. AUDIT RISK
Audit risk is the uncertainty inherent in applying audit procedures. Audit risk includes both:
1. Uncertainties due to sampling, and
2. Uncertainties due to factors other than sampling.
B. SAMPLING RISK
Sampling risk arises from the possibility that, when a test of controls or a substantive test is
restricted to a sample, the auditor's conclusions may be different from the conclusions which
would have been reached had the tests been applied to all items in the account balance or
class of transactions.
1. Sampling Risks in Substantive Testing
In performing substantive tests of details, the auditor is concerned with two aspects of
sampling risk.
a. Risk of Incorrect Acceptance
The "risk of incorrect acceptance" is the risk that the sample supports the
conclusion that the recorded account balance is not materially misstated when in
fact it is materially misstated (i.e., sample results fail to identify an existing
material misstatement).
b. Risk of Incorrect Rejection
The "risk of incorrect rejection" is the risk that the sample supports the
conclusion that the recorded account balance is materially misstated when in fact
it is not materially misstated (i.e., sample results
misstatement).
mistakenly indicate a material
2. Sampling Risks in Tests of Controls
In performing tests of controls, the auditor is also concerned with two aspects of
sampling risk:
a. Risk of Assessing Control Risk Too Low
The "risk of assessing control risk too low" is the risk that the assessed level of
control risk based on the sample is less than the true risk based on the actual
operating effectiveness of the control (i.e., sample results indicate a lower
deviation rate than actually exists in the population).
b. Risk of Assessing Control Risk Too High
The "risk of assessing control risk too high" is the risk that the assessed level of
control risk based on the sample is greater than the true risk based on the actual
operating effectiveness of the control (i.e., sample results indicate a greater
deviation rate than actually exists in the population).
PASS KEY
Sampling risk can be thought of as the chance that, based on the results of a sample, the auditor will make a mistake. There
are two sorts of mistakes the auditor can make: the auditor may fail to identify an existing problem, (incorrect acceptance
and assessing control risk too low) or the auditor may falsely identify a problem where none actually exists (incorrect
rejection or assessing control risk too high).
S
AMPLING
R
ISK
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-7
3. Efficiency
The risk of incorrect rejection and the risk of assessing control risk too high relate to the
efficiency of the audit (the auditor does more audit work than is necessary). When the
auditor's evaluation of an audit sample leads the auditor to this erroneous conclusion,
the application of additional audit procedures and consideration of other audit evidence
ordinarily leads the auditor to the correct conclusion.
4. Effectiveness
The risk of incorrect acceptance and the risk of assessing control risk too low relate to
the effectiveness of an audit in (possibly not) detecting an existing material
misstatement. Auditors usually accept a risk of 5% or 10%. A related concept is that
of confidence level (also called reliability). The auditor is 95% (or 90%) confident that
the sample is representative of the population. (
Note: risk (of being ineffective) +
confidence level
= 100%.)
5. Summary Charts
The following two charts summarize the possible outcomes.
a. Substantive Tests of Details
The recorded value of the population is:
OK Not OK
OK Correct
Decision
Incorrect Decision
Risk of Incorrect
Acceptance
The sample
Not effective
indicates that the
population is:
Not OK
Incorrect Decision
Risk of Incorrect
Rejection
Not efficient
Correct
Decision
b. Tests of Controls
The true operation of the control is:
OK Not OK
OK Correct
Decision
Incorrect Decision
Risk of Assessing
Control Risk
Too Low
Not effective
The sample
indicates that
the control's
operation is:
Not OK
Incorrect Decision
Risk of Assessing
Control Risk
Too High
Not efficient
Correct
Decision
Auditing & Attestation 5 Becker CPA Review
A5-
8 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
C. NONSAMPLING RISK
Nonsampling risk includes all aspects of audit risk that are not due to sampling. Nonsampling
risk is always present and cannot be measured; the auditor can only attempt to reduce this
risk to a very low level through adequate planning and supervision of the audit engagement
and quality control of all firm practices. Examples of nonsampling risk are selecting audit
procedures that are not appropriate to achieve a specific objective, or failure by the auditor to
recognize misstatements in documents examined.
III. SAMPLING IN TESTS OF CONTROLS: ATTRIBUTE SAMPLING
A. PURPOSE
Attribute sampling is a statistical sampling method used to estimate the rate (%) of
occurrence (exception) of a specific characteristic (attribute). Samples taken to test the
operating effectiveness of controls are intended to provide a basis for the auditor to conclude
whether the controls are being applied as prescribed. Attribute sampling generally deals with
yes/no questions. For example, "Are time cards properly authorized (i.e., to assure recorded
hours were worked)?", or "Are invoices properly voided (e.g., stamped "paid") to prevent
duplicate payments?"
B. PLANNING CONSIDERATIONS
When planning a particular audit sample for tests of controls, the auditor applies professional
judgment in considering:
1. The relationship of the sample to the objective of the test of controls.
2. The Tolerable Deviation Rate
The tolerable deviation rate is the maximum rate of deviation from a prescribed
procedure the auditor will tolerate without modifying planned reliance on internal
control.
a. In assessing the tolerable rate of deviation, the auditor should consider that,
while deviations from pertinent controls increase the risk of material
misstatements in the accounting records, such deviations do not necessarily
result in misstatements.
3. The auditor's allowable risk of assessing control risk too low.
4. Characteristics of the population (i.e., the expected or likely rate of deviation).
C. DEVIATION RATE VERSUS TOLERABLE RATE
1. Deviation Rate
The deviation rate in the sample is the auditor's best estimate of the deviation rate in
the population from which it was selected.
PASS KEY
Students often mistakenly assume that the sample deviation rate also should be used as the estimated error rate in the total
population. Consider the following example: Assume a population of 1000 items, a sample of 100 items, and 7 deviations
identified within the sample of 100 (a 7% sample deviation rate). While our best guess would be that there are 70 deviations
in the entire population (also a 7% rate), it is unlikely that, if we were to individually examine each of those 1000 items, we
would find exactly 70 deviations. More likely, we might find 68, 69, 71, or 72 deviations. There are statistical formulae that
determine whether the actual range is 68 to 72, 60 to 80, or something different, and there are tables available that provide
the top end of the range. (As conservative auditors, we are concerned with the worst case scenario, so we generally don't
bother with the low end of the range.) The top end of the range is formally known as the "upper deviation rate."
A
TTRIBUTE
S
AMPLING
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-9
2. Evaluation
If the estimated deviation rate is less than the tolerable rate for the population, the
auditor should consider the risk that such a result might be obtained even though the
true deviation rate for the population exceeds the tolerable rate for the population. For
example, assume the tolerable rate for a population is 5% and the sample consists of
60 items:
a. If no deviations are found in the sample of 60 items, the auditor may conclude
that there is an acceptably low sampling risk that the true deviation rate in the
population exceeds the tolerable rate of 5%. (This is because the sample
deviation rate is much less than the tolerable rate.)
b. If the sample includes two or more deviations (2 in 60
conclude that there is an unacceptably high sampling risk that the rate of
deviations in the population exceeds the tolerable rate of 5%. (This is because
the sample deviation rate is close to the tolerable rate.)
c. The auditor applies professional judgment in making such evaluations.
= 3.33%), the auditor may
3. Conclusion
If the auditor concludes that the sample results do not support the planned assessed
level of control risk for an assertion, the nature, extent, and timing of substantive
procedures should be reevaluated based on a revised consideration of the assessed
level of control risk for the relevant financial statement assertions.
D. EXAMPLE
The auditor performs the following steps when conducting an attribute sampling application.
1. Define the Objective of the Test
a. Assume the auditor wants to determine the percentage of sales orders that are
missing credit approval.
2. Define the Population
It must be appropriate for the objective. The period covered by the test should also be
defined.
a. In this example, the population would consist of all sales orders used during the
year.
b. If tests of controls are performed at an interim date, the auditor must perform
such additional procedures as are necessary to obtain reasonable assurance
regarding the remaining period.
3. Define the Sampling Unit
Consider the completeness of the population in defining the sampling unit.
a. Each sales order is a sampling unit.
b. The "population" must agree with the "physical representation." Completeness
would be more assured by a register of prenumbered sales orders than by the
physical file. For example, sales orders may be removed from the file, but the
sales order number will be in the register. Note that the size of a population of
consecutively numbered documents is the difference between the beginning and
ending numbers plus one.
Auditing & Attestation 5 Becker CPA Review
A5-
10 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
4. Define the Attributes of Interest
Deviations are situations where the control was not properly applied, such as:
a. Missing credit approval.
b. Missing sales order (items that cannot be located are generally considered
deviations).
5. Determine the Sample Size
The auditor must specify the following factors.
a. Risk of Assessing Control Risk Too Low
This is the risk that the assessed level of control risk based on the sample is less
than the true level of control risk based on the actual operating effectiveness of
the control. There is an inverse relationship to sample size: as the auditor is
willing to accept greater risk, a smaller sample size can be used.
b. Tolerable Deviation Rate
This is the maximum rate of error the auditor is willing to accept without changing
control risk assessment or planned reliance on internal control. There is an
inverse relationship to sample size: as the auditor is willing to accept a greater
deviation rate, a smaller sample size can be used.
c. Expected Deviation Rate
This is the auditor's best estimate of the rate of deviation from a prescribed
control procedure. There is a direct relationship to sample size: as the auditor
expects fewer deviations, a smaller sample size would be needed.
d. Population Size
Population size is not an issue provided the population is large (i.e., greater than
5,000 items).
e. Sample Size Example
Assume an auditor is testing the sales orders for credit approval deviations. Also
assume the auditor is willing to accept a 5% risk of assessing control risk too low.
The auditor expects a deviation rate of 1%, and the tolerable deviation rate is
6%.
Required:
(1) Determine the sample size using Table 1.
(2) Would the sample size increase or decrease if the expected deviation rate
decreased to 0%?
(3) Would the sample size increase or decrease if the tolerable deviation rate
increased to 7%?
(4) Would the sample size increase or decrease if the risk of assessing control
risk too low increased to 10%?
T
OLERABLE
D
EVIATION
R
ATE
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-11
Table 1 – Attribute Sample Size Table –
5% Risk of Assessing Control Risk Too Low
Expected Tolerable Rate
Deviation
Rate 2% 3% 4% 5% 6% 7% 8% 9% 10% 15% 20%
0.00% 149 99 74 59 49 42 36 32 29 19 14
0.50 * 157 117 93 78 66 58 51 46 30 22
1.00 * * 156 93 78 66 58 51 46 30 22
1.50 * * 192 124 103 66 58 51 46 30 22
2.00 * * * 181 127 88 77 68 46 30 22
3.00 * * * * 195 129 95 84 61 30 22
4.00 * * * * * * 146 100 89 40 22
6. Select the Sample
a. The most common technique is random selection, whereby each item in the
population has an equal opportunity to be included in the sample.
b. Systematic selection (i.e., every nth item) is also acceptable, but a disadvantage
is that results may be skewed if errors occur in a systematic pattern.
c. Block (cluster) sampling, where groups of adjacent items are selected, is not
acceptable.
7. Evaluate the Sample Results
The auditor calculates the sample deviation rate and projects the results to the
population. Table 2 is used to determine the upper deviation rate, which is based on
the deviation rate in the sample plus an allowance for sampling risk.
a. Be sure to use a table that corresponds to the appropriate risk of assessing
control risk too low (in this case, 5%).
b. Locate the sample size and the number of deviations found in the sample. The
number at this intersection is the auditor's estimate of the maximum deviation
rate in the population, or the upper deviation rate.
c. The upper (maximum) deviation rate is the sum of the sample deviation rate and
the allowance for sampling risk. This allowance is a "cushion" for protection
against undetected deviations.
Sample
deviation
rate
+
Allowance
for sampling
risk
=
Upper
deviation
rate
Auditing & Attestation 5 Becker CPA Review
A5-
12 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
PASS KEY
Students often have trouble with the concepts of upper deviation rate and allowance for sampling risk, both of which have
been tested on the exam. The allowance for sampling risk simply recognizes that it is likely that what we found in the sample
isn't exactly what we would find in the population. Assume a population of 1000 items, a sample of 100 items, and a sample
deviation rate of 7% (7 deviations out of 100). If the upper deviation rate (from a table) is 8.5%, this implies a 1.5%
allowance for sampling risk. Conversely, should the examiners provide the allowance for sampling risk (say, 2%), it would be
added to the sample deviation rate (7%) to find an upper deviation rate of 9%.
d. Evaluation Example
Assume the auditor finds one sales order that is missing the proper credit
approval in a sample of 100 sales orders (i.e., one deviation).
Required:
(1) Calculate the sample deviation rate.
(2) Determine (from the table) the upper deviation rate.
(3) What is the allowance for sampling risk?
(4) Conclusion: The auditor is _____% sure the deviation rate does not
exceed _____%.
Table 2 – Attribute Sample Evaluation Table – Upper Deviation Rate
5% Risk of Assessing Control Risk Too Low
Sample Actual Number of Deviations Found
Size 0 1 2 3 4 5 6 7 8 9 10
25 11.3 17.6 * * * * * * * * *
50 5.9 9.2 12.1 14.8 17.4 19.9 * * * * *
60 4.9 7.7 10.2 12.5 14.7 16.8 18.8 * * * *
70 4.2 6.6 8.8 10.8 12.6 14.5 16.3 18.0 19.7 * *
75 3.9 6.2 8.2 10.1 11.8 13.6 15.2 16.9 18.5 20.0 *
100 3.0 4.7 6.2 7.6 9.0 10.3 11.5 12.8 14.0 15.2 16.4
125 2.4 3.8 5.0 6.1 7.2 8.3 9.3 10.3 11.3 12.3 13.2
150 2.0 3.2 4.2 5.1 6.0 6.9 7.8 8.6 9.5 10.3 11.1
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-13
8. Form Conclusions about the Internal Control Tested
a. If the upper deviation rate is less than or equal to the auditor's tolerable deviation
rate, the auditor may rely on the control (assuming the results of other audit tests
do not contradict such results).
b. If the upper deviation rate exceeds the auditor's tolerable deviation rate, the
auditor would not rely on the control. Instead, the auditor would either:
(1) Select and test compliance with some other internal accounting control, or
(2) Modify the nature, extent, or timing of related substantive tests to reflect
the reduced reliance.
c. Conclusion example—assume the upper deviation rate has been determined to
be 4.7%.
(1) If the tolerable rate is 3%, would the auditor rely on the control?
(2) If the tolerable rate is 6%, would the auditor rely on the control?
d. If the sample is representative of the population, the auditor will generally make a
correct decision regarding whether or not the control is operating effectively.
e. If the sample is not representative of the population, the auditor will make an
incorrect decision, either relying on a control that is not reliable, or not relying on
a control that is reliable.
PASS KEY
The examiners sometimes try to trick candidates into using the sample deviation rate (instead of the upper deviation rate) in
drawing conclusions about a population. In keeping with the concept of conservatism, auditors must consider the worst case
scenario, or the high end of the range, in evaluating a population. It is therefore the upper deviation rate (and not the rate
found in the sample) that is compared to the tolerable rate in developing conclusions.
9. Document the Sampling Procedure
Remember that as with all audit procedures, the auditor must document each step in
audit sampling, starting with planning and including the rationale for the auditor's
parameters, the performance of procedures, the observed results, and the evaluation
and interpretation of those results.
IV. OTHER ATTRIBUTE SAMPLING MODELS
A. DISCOVERY SAMPLING
Discovery sampling is a special type of attribute sampling appropriate when the auditor
believes the population deviation rate is zero or near zero. It is used when the auditor is
looking for a very critical characteristic (e.g., fraud). The auditor predetermines the desired
reliability (confidence) level (e.g., 95%) and the maximum acceptable tolerable rate (e.g.,
1%), and a table is then used to determine sample size.
If no deviations are found in the sample, the auditor can be 95% certain that the rate of
deviation in the population does not exceed 1%. If deviations are found, a regular attribute
sampling table may be used to estimate the deviation rate in the population, and audit
procedures may need to be expanded.
B. STOP-OR-GO SAMPLING
Stop-or-go sampling (sequential sampling) is designed to avoid oversampling for attributes by
allowing the auditor to stop an audit test before completing all steps. It is used when few
errors are expected in the population.
Auditing & Attestation 5 Becker CPA Review
A5-
14 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
V. SAMPLING IN SUBSTANTIVE TESTS: VARIABLES SAMPLING
A. PURPOSE
Variables sampling is a statistical sampling method used to estimate the numerical
measurement of a population, such as a dollar value (e.g., accounts receivable balance).
This sampling method is used primarily in substantive testing. The objective of variables
sampling is to obtain evidence about the reasonableness of monetary amounts. The auditor
estimates the true value of the population by computing a point estimate of the population
and computing a precision interval around this point estimate.
B. PLANNING CONSIDERATIONS
When planning a particular sample for a substantive test of details, the auditor should
consider:
1. The relationship of the sample to the relevant audit objective.
2. Preliminary estimates of materiality levels.
a. Tolerable Misstatement
Tolerable misstatement is the maximum monetary misstatement in the related
account balance or class of transactions that the auditor is willing to accept.
b. Tolerable misstatement, a planning concept, is related to the auditor's
preliminary judgments about materiality levels in such a way that tolerable
misstatement for one test, when combined with misstatements that may be found
in other tests, does not exceed materiality for the financial statements.
3. The auditor's allowable risk of incorrect acceptance.
a. The audit risk model (discussed in a previous class) may be useful in planning
the allowable risk of incorrect acceptance.
4. Characteristics of the population.
C. SAMPLE SELECTION CONSIDERATIONS
The auditor uses professional judgment to determine which items should be subject to
sampling. Certain items may be individually examined, such as those for which potential
misstatements could individually exceed tolerable misstatement. 100% of such items are
examined and they are not considered to be part of the sample.
Items subject to sampling may also be separated into relatively homogeneous groups. Each
group is treated as a separate population. This technique, known as stratification, generally
results in a reduced sample size. Stratification is commonly used when a population has
highly variable recorded amounts.
PASS KEY
When stratification is used, each group is treated as a separate population. For example, assume 1,000 items are stratified
into two groups: the 100 largest items will all be examined individually, but sampling techniques will be applied to the
remaining 900 items. In this case, the population size for the sampling application would be 900, not 1,000.
V
ARIABLES
S
AMPLING
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-15
D. PROJECTED MISSTATEMENT VS. TOLERABLE MISSTATEMENT
1. Projected Misstatement
Upon completion of the sampling procedures, the auditor projects the misstatement
results of the sample to the items in the population.
2. Evaluation
If the total projected misstatement is less than the tolerable misstatement for the
account balance or class of transactions, the auditor should consider the risk that such
a result might be obtained even though the true monetary misstatement for the
population exceeds tolerable misstatement. For example, assume the tolerable
misstatement in an account balance of $1 million is $50,000:
a. If the total projected misstatement (based on the sample) is $10,000, the auditor
may be reasonably assured that there is an acceptably low sampling risk that the
true monetary misstatement for the population exceeds the tolerable
misstatement of $50,000. (This is because $10,000 is significantly less than
$50,000.)
b. If the total projected misstatement is close to the tolerable misstatement, the
auditor may conclude that there is an unacceptably high risk that the actual error
in the population exceeds the tolerable misstatement.
c. The auditor uses professional judgment in making such evaluations.
3. Conclusion
Projected misstatement results for all audit sampling applications and all known
misstatements from nonsampling applications should be considered in the aggregate
along with other relevant audit evidence when the auditor evaluates whether the
financial statements taken as a whole may be materially misstated.
E. VARIABLES SAMPLING PLANS
Classical variables sampling measures sampling risk by using the variation of the underlying
characteristic of interest. There are three commonly used classical variables sampling plans.
1. Mean-Per-Unit Estimation
Mean-Per-Unit (MPU) estimation is a sampling plan that uses the average value of the
items in the sample to estimate the true population value (i.e., estimate
sample value
of the population to estimate true population value.
= average× number of items in population). MPU does not require the book value
2. Ratio Estimation
Ratio estimation is a sampling plan that uses the ratio of the audited (correct) values of
items to their book values to project the true population value. Ratio estimation is a
highly efficient technique when the calculated audit amounts are approximately
proportional to the client's book amounts.
3. Difference Estimation
Difference estimation is a sampling plan that uses the average difference between the
audited (correct) values of items and their book values to project the actual population
value. Difference estimation is used instead of ratio estimation when the differences
are not nearly proportional to book values.
Auditing & Attestation 5 Becker CPA Review
A5-
16 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
4. Comparison of Methods
a. MPU is very sensitive to the variability of the population. For that reason, when
using MPU, auditors normally stratify (or divide) the population into relatively
similar groups. The purpose of such stratification is to reduce sample size.
b. The ratio and difference methods usually require smaller sample sizes than the
MPU method; however, they are only effective when the auditor expects large
numbers of over- and understatements.
c. All three methods use the same sample size formulas and evaluation formulas.
The sample size for the three methods varies because the standard deviations of
the populations are calculated differently for each of the three methods.
F. EXAMPLE
The auditor must perform the following steps when conducting a variables sampling
application.
1. Define the Objective of the Test
a. Assume the auditor wishes to estimate the value of an account balance (e.g., the
client's accounts receivable balance).
2. Define the Population
It must be appropriate for the objective. Individually significant items should be
identified for possible stratification.
a. In this example, the population might consist of 5,000 accounts with a recorded
book value of $4,500,000.
b. The auditor would examine 100% of accounts for which potential errors could
equal or exceed the tolerable error and would exclude those accounts from the
population to be sampled.
3. Define the Sampling Unit
Consider the completeness of the population in defining the sampling unit.
a. In this case, each of the 5,000 accounts is a sampling unit
4. Determine the Sample Size
.
a. The auditor uses the following parameters, in conjunction with tables or formulas,
to determine sample size.
(1) Tolerable misstatement
(2) Expected misstatement (size, frequency, etc.)
(3) Acceptable level of risk: audit risk, risk of incorrect acceptance, and risk of
incorrect rejection
(4) Characteristics of the population (e.g., an estimate of the standard
deviation, or variability, of the population)
(5) Assessed risk: assessed risk of material misstatement (inherent risk and
control risk) and assessed risk for other substantive procedures related to
the same assertion
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-17
b. Sample size will increase/decrease by changing any of the items in the formula.
(1) Sample size will increase as the following increase (direct relationship):
(a) Expected misstatement
(b) Standard deviation (population variability)
(c) Assessed level of risk
(2) Sample size will decrease as the following increase (inverse relationship):
(a) Tolerable misstatement
(b) Acceptable level of risk
Factors Influencing Sample Sizes for a Test of Details in Sample Planning
Conditions leading to
Factor
Smaller sample size Larger sample size
Related factor for
substantive sample
planning
a. Assessment of inherent
risk.
Low assessed level of
inherent risk.
High assessed level of
inherent risk.
Allowable risk of
incorrect acceptance.
b. Assessment of control
risk.
Low assessed level of
control risk.
High assessed level of
control risk.
Allowable risk of
incorrect acceptance.
c. Assessment of risk for
other substantive
procedures related to the
same assertion (including
substantive analytical
procedures and other
relevant substantive
procedures).
Low assessment of risk
associated with other
relevant substantive
procedures.
High assessment of risk
associated with other
relevant substantive
procedures.
Allowable risk of
incorrect acceptance.
d. Measure of tolerable
misstatement for a
specific account.
Larger measure of
tolerable misstatement.
Smaller measure of
tolerable misstatement.
Tolerable misstatement.
e. Expected size and
frequency of
misstatements.
Smaller misstatements
or lower frequency.
Larger misstatements
or higher frequency.
Assessment of
population
characteristics.
f. Number of items in the
population. Virtually no effect on sample size unless the population is very small.
g. Choice between
statistical and
nonstatistical sampling.
Ordinarily, sample sizes are comparable.
Auditing & Attestation 5 Becker CPA Review
A5-
18 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
5. Select the Sample
a. Sample items should be selected in such a way that the sample can be expected
to be representative of the population (e.g., random sampling).
b. In this example, an appropriate sample would consist of individual account
balances. Confirmations could then be used to determine the audited values for
sample items.
6. Evaluate the Sample Results
a. The auditor projects the misstatements found in the sample to the population
using one of several methods (e.g., MPU, ratio, difference, etc.). The projected
misstatement is applied to the recorded balance to obtain a "point estimate" of
the true balance.
b. The auditor must then add an allowance for sampling risk (sometimes called a
"precision interval") to this estimate.
7. Form Conclusions About the Balances (or Transactions) Tested
a. In deciding whether to accept the client's book value, the auditor determines
whether the recorded book value falls within the acceptable range (i.e., the point
estimate +/- the allowance for sampling risk). If so, the book value is fairly
stated.
b. The auditor's treatment of items selected for sampling that cannot be located
(e.g., are "lost") will depend on their effect on the auditor's evaluation of the
sample.
(1) If considering the missing items to be misstated would not alter the
auditor's evaluation of the sample results, it is not necessary to examine
the items.
(2) If considering the missing items to be misstated would lead to the
conclusion that the balance or class contains a material misstatement, the
auditor should consider alternative procedures.
c. If the sample is representative of the population, the auditor generally will make a
correct decision regarding whether the account balance is fairly stated.
d. If the sample is not representative of the population, the auditor will make an
incorrect decision, either accepting a materially misstated balance, or rejecting a
fairly stated balance.
8. Document the Sampling Procedure
Remember that as with all audit procedures, the auditor must document each step in
audit sampling, starting with planning and including the rationale for the auditor's
parameters, the performance of procedures, the observed results, and the evaluation
and interpretation of those results.
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-19
PPS
S
AMPLING
VI. SAMPLING IN SUBSTANTIVE TESTS: PROBABILITY-PROPORTIONAL-TO-SIZE (PPS)
SAMPLING
A. PPS SAMPLING
PPS is a sampling technique where the sampling unit is defined as an individual
dollar in a population. Once a dollar is selected, the entire account (containing that dollar) is
audited. PPS sampling is considered to be a hybrid method, because it uses attribute
sampling theory to express a conclusion in dollar amounts rather than as a rate of
occurrence.
B. ADVANTAGES OF PPS SAMPLING
1. PPS automatically emphasizes larger items by stratifying the sample. The chance of
an item being selected is proportionate to its dollar amount.
2. If no errors are expected, PPS sampling generally requires a smaller sample than other
methods.
C. DISADVANTAGES OF PPS SAMPLING
A disadvantage of PPS sampling is that zero balances, negative balances, and understated
balances generally require special design considerations.
D. PPS SAMPLE SIZE DETERMINATION
The auditor selects a PPS sample by dividing the total number of dollars in the population
(book value) into uniform groups of dollars or intervals. The auditor then selects a logical unit
(the balance that includes the selected dollar) from each sampling interval.
The sampling interval is determined as follows:
Sampling interval
= Tolerable misstatement Reliability factor
The sample size is determined as follows:
Recorded amount of the population
Sample size
= Sampling interval
1. Tolerable misstatement is the maximum dollar error that may exist in the account
without causing the financial statements to be materially misstated.
2. Reliability factors correspond to the risk of incorrect acceptance and are generally
obtained from a table.
3. The above formula assumes that the auditor's expected misstatement is zero.
Otherwise, a more complex version of the formula is required.
Auditing & Attestation 5 Becker CPA Review
A5-
20 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
E. EXAMPLE
With zero expected errors, the reliability factors are as follows:
Risk of
Incorrect
Acceptance
Reliability
Factor
1% 4.6
5% 3.0
10% 2.3
1. Assume the auditor assesses tolerable misstatement at $15,000 and the risk of
incorrect acceptance at 5%. The recorded amount (book value) of the population is
$500,000.
a. Sampling interval
b. Sample size
= $15,000/3 = $5,000= $500,000/$5,000 = 100
F. SAMPLE SELECTION
A random number between 1 and the sampling interval (inclusive) is selected. This number
is the random start, and it will also determine the first item selected. Systematic selection is
then used to select the remainder of the sample. The recorded amounts of the logical units
(e.g., account balances) throughout the population are added and individual dollars are
selected based on the interval. Once a dollar in an account is selected, that entire account
will be audited.
1. Example
Assume the random start is 300 and the sampling interval is 5,000. Every 5,000
th
dollar will be selected, so the auditor will select the accounts that contain dollars 300;
5,300; 10,300; 15,300; 20,300; 25,300 etc.
Customer
Account
Book
Value
Cumulative
Total
1 150 150
2 800 950*
3 1,400 2,350
4 4,350 6,700*
5 2,300 9,000
6 4,900 13,900*
7 8,500 22,400*
8 990 23,390
9 1,000 24,390
10 1,500 25,890*
etc… etc…
900 1,000 500,000
Note:
methodology, all
account balances
greater than the
interval are
automatically
selected.
* Accounts including the selected dollars would be included in the sample.
Using this
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-21
G. EVALUATION OF SAMPLE RESULTS
If no errors are found in the sample, the error projection is zero and the allowance for
sampling risk would not exceed the auditor's tolerable error. As a result, the auditor would
generally conclude that the recorded balance is fairly stated.
If, on the other hand, errors are found in an account, the errors need to be projected to the
interval as illustrated below. If the account selected has a balance greater than the interval,
the actual dollar amount of the error should be used.
1. Example
"A" Tainting
Recorded
Amount
"B"
Audit
Amount
A-B / A = %
Sample
Interval
Projected
Error
$ 800 $ 600 $5,000
$ 4,350 $ 4,350 $5,000
$ 4,900 $ 0 $5,000
$ 8,500 $ 6,900 N/A
$ 1,500 $ 1,200 $5,000
Projected Error
Note that, as with other variables sampling plans, an allowance for sampling risk would be
calculated and added to the projected error, and the result would be compared to the
tolerable misstatement.
VII. QUALITATIVE CONSIDERATIONS
For all types of sampling, the auditor should consider qualitative aspects of deviations. These
include:
A. THE NATURE AND CAUSE OF DEVIATIONS
Deviations may be caused by errors, which are unintentional, or fraud, which is intentional.
B. THE POSSIBLE RELATIONSHIP OF DEVIATIONS TO OTHER PHASES OF THE AUDIT
The discovery of fraud ordinarily requires a broader consideration of possible implications
than does the discovery of an error.
VIII. DUAL-PURPOSE SAMPLES
In some instances, the auditor may use the same sample to perform both tests of controls and tests
of details. Dual-purpose samples are generally used only when the auditor believes that there is an
acceptably low risk that the deviation rate in the population exceeds the tolerable rate. The size of
a sample designed for dual purposes should be the larger of the samples that would otherwise
have been designed for the two separate purposes.
In evaluating dual-purpose samples, deviations from the control and monetary misstatements
should be evaluated separately using the appropriate risk levels. The auditor should consider
whether the existence of misstatements is indicative of a control failure; however, the absence of
monetary misstatements does not necessarily imply that controls are operating effectively.
Auditing & Attestation 5 Becker CPA Review
A5-
22 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
THE EFFECT OF INFORMATION TECHNOLOGY ON THE AUDIT
Information technology (IT) encompasses automated means of originating, processing, storing, and
communicating information. The use of information technology affects the manner in which transactions
are initiated, recorded, processed, and reported. An entity's use of information technology affects both
the evaluation of internal control and the procedures used to gather evidence. Note, however, that the
audit objectives are the same in a computerized environment as they are in a manual environment.
I. DIFFERENCES BETWEEN MANUAL AND COMPUTERIZED (IT) ENVIRONMENTS
A. SEGREGATION OF DUTIES
1. In a computerized environment, transaction processing often results in a combination
of functions that are normally separated in a manual environment.
2. The additional risk associated with this (possibly incompatible) concentration of
functions may be mitigated by the implementation of compensating controls.
B. DISAPPEARING AUDIT TRAIL
1. Paper audit trails are substantially reduced in a computerized environment (particularly
in on-line, real-time systems). If a client processes most of its financial data in
electronic form, without any paper documentation, audit tests should be performed on a
continuous basis.
2. Computer systems should be designed to supply electronic audit trails, which are often
as effective as paper trails.
3. Use of IT may make it more difficult to use physical inspection to identify nonstandard
or unusual transactions or adjustments.
C. UNIFORM TRANSACTION PROCESSING
1. Processing consistency is improved in a computerized environment because clerical
errors (e.g., random arithmetic errors, missed postings, etc.) are virtually eliminated.
2. In a computerized environment, however, there is an increased potential for systematic
errors, such as errors in programming logic (e.g., using the incorrect tax rate).
D. COMPUTER-INITIATED TRANSACTIONS
1. Automated transactions are not subject to the same types of authorization as are used
for manual transactions, and may not be as well-documented.
2. When information is automatically transferred from transaction processing systems to
financial reporting systems, inadvertent errors are reduced, but unauthorized
interventions may not be evident.
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-23
E. POTENTIAL FOR INCREASED ERRORS AND IRREGULARITIES
Several characteristics of computerized processing act to increase the likelihood that fraud
may occur and remain undetected for long periods of time.
1. The opportunity for remote access to data in networked environments increases the
likelihood of unauthorized access. Therefore, specific controls should exist to ensure
that users can only access and update authorized data elements.
2. Concentration of information in computerized systems means that, if system security is
breached, the potential for damage is much greater than in manual systems.
3. Decreased human involvement in transaction processing results in decreased
opportunities for observation.
4. Errors or fraud may occur in the design or maintenance of application programs.
5. Computer disruptions may cause errors or delays in recording transactions.
F. POTENTIAL FOR INCREASED SUPERVISION AND REVIEW
1. Computer systems provide more opportunities for data analysis and review, including
integration of audit procedures in the application programs themselves.
2. Utilization of these opportunities can help mitigate the additional risks associated with a
lack of segregation of duties.
3. In a computerized environment, the increased availability of raw data and management
reports affords greater opportunity for both the client and the auditor to perform
analytical procedures.
G. DEPENDENCE OF OTHER CONTROLS ON CONTROLS OVER COMPUTER
PROCESSING
Controls for specific applications are only as effective as the general controls in place in the
information technology department, which processes the transactions and produces the
reports.
II. THE EFFECT OF INFORMATION TECHNOLOGY ON EVIDENCE GATHERING
An auditor can use manual audit procedures (called "auditing around the computer"), computerassisted
audit techniques (CAAT, commonly called "auditing through the computer"), or a
combination of both. In either event, because the reliability of automated systems is highly
dependent on the adequacy of control design and execution, it is critical that the auditor gain a
thorough understanding of the structure and usage of the control system through inquiry and
observation.
A. FACTORS TO CONSIDER
In selecting the appropriate audit procedures in a computerized environment, the auditor
should consider:
1. The extent of computer utilization in each accounting application,
2. The complexity of the entity's computer operations,
3. The organizational structure of the information technology department,
4. The availability of an audit trail, and
5. The use of computer-assisted audit techniques (covered below).
Auditing & Attestation 5 Becker CPA Review
A5-
24 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
B. USE OF AN IT PROFESSIONAL
Because some systems depend so heavily on computerized processing, it may be difficult or
impossible for the auditor to access certain information without using computer assistance. If
specialized IT skills are needed, the auditor should seek the help of an IT professional from
his or her staff or from the outside.
1. The auditor should have enough IT-related knowledge to:
a. Communicate audit objectives to the IT professional,
b. Evaluate the sufficiency of the procedures performed, and
c. Evaluate the results of the procedures performed.
2. The CPA's responsibility to guide IT professionals is the same as for other accounting
assistants.
3. The auditor need not personally possess the required level of IT skills.
C. AUDITING AROUND THE COMPUTER
1. When auditing around the computer, the auditor does not directly test the application
program. The auditor tests the input data, processes the data independently, and then
compares the independently determined results to the program results. Emphasis is
on the input and output stages of transaction processing.
2. Auditing around the computer is often appropriate for simple batch systems with a good
audit trail, and it will result in the same level of confidence as would auditing through
the computer.
3. Risks of auditing around the computer include insufficient, paper-based evidence and
insufficient audit procedures.
D. COMPUTER ASSISTED AUDIT TECHNIQUES (CAAT)
When using CAATs, emphasis is on the input and processing stages of transaction
processing. In highly automated systems, complex audit trails and the elimination of physical
source documents may mean that CAATs are the only feasible way to complete the audit in a
timely manner. CAATs include:
1. Transaction Tagging
Transaction tagging is a technique the auditor uses to electronically mark (or "tag")
specific transactions and follow them through the client's system.
a. Tagging allows the auditor to test both the computerized processing and the
manual handling of transactions.
2. Embedded Audit Modules
Embedded audit modules are sections of the application program code that collect
transaction data for the auditor.
a. For example, an auditor might want to examine all transactions affecting a
specific account code that are greater than $500.
b. Embedded audit modules are most often built into the application program when
the program is developed, for use in ensuring that controls are operating
effectively.
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-25
3. Test Data (Test Deck)
Test data refers to a technique that uses the application program to process a set of
test data, the results of which are already known. (The client's system is used to
process the auditor's data, off-line, and while under the auditor's control.)
a. The test data contains the types of invalid conditions in which the auditor is
interested (it is not necessary to test all combinations of invalid conditions).
b. An advantage of the test data technique is that the live computer files are not
affected in any way.
4. Integrated Test Facility (ITF)
An integrated test facility (ITF) is similar to the test data approach except that the test
data is commingled with live data. (The client's system is used to process the auditor's
data, on-line.)
a. The test data must be separated from the live data before the reports are
created. This is usually accomplished by processing the test data to dummy
accounts (e.g., a fictitious customer, branch, vendor, etc.).
b. Client personnel are not informed that the test is being run.
5. Parallel Simulation (Reperformance Test)
Parallel simulation (reperformance test) is a technique where the auditor re-processes
some or all of the client's live data (using software provided by the auditor) and then
compares the results with the client's files. (The auditor's system is used to process
the client's data.)
a. With controlled processing, the auditor observes an actual processing run and
compares the actual results to the expected results (based on the auditor's
program).
b. With controlled re-processing, the auditor uses an archived copy of the program
in question (generally the auditor's control copy) to re-process transactions. The
results are then compared to the results from the normal processing run.
(Differences indicate that there have been changes to the program.)
(1) Source code comparison programs are programs that compare two
versions of software to determine if they match. This type of software can
be used to look for unauthorized program changes.
c. Programs to accomplish parallel processing can be specifically developed for the
application, bought as a packaged program or utility, or produced by a
generalized audit software package.
E. GENERALIZED AUDIT SOFTWARE PACKAGES (GASPs)
Generalized audit software packages (GASPs) allow the auditor to perform tests of controls
and substantive tests directly on the client's system. The auditor first defines the client's
system (to the GASP) and then specifies the tests and selections that should be made. The
GASP generates the programs necessary to interrogate the files and extract and analyze the
data.
1. Tasks typically performed by GASPs include:
a. Examining transactions for control compliance,
b. Selecting items meeting specified criteria,
c. Recalculating amounts and totals,
d. Reconciling data from two separate files, and
e. Performing statistical analysis on transactions.
Auditing & Attestation 5 Becker CPA Review
A5-
26 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
2. Advantages of Using GASPs
a. GASPs allow the auditor to sample and test a much higher percentage of
transactions, which results in a more reliable audit.
b. GASPs require little technical knowledge.
c. After the initial use, GASPs can significantly reduce audit time without sacrificing
quality.
III. AUDITING WITH A COMPUTER
An auditor may achieve audit efficiency by utilizing a computer during the audit. For example,
financial statements (and related trial balances and lead schedules) may be entered into a
spreadsheet (or possibly a database) program. Achieving efficiency requires the selection of both
appropriate audit tasks and appropriate software for the selected tasks.
A. ADVANTAGES OF USING A COMPUTER
1. Automatic performance of math on all documents, which reduces errors.
2. Automatic cross-referencing of amounts by linking each lead schedule to the working
trial balance and to the financial statements. (This saves considerable time in posting
adjusting journal entries.)
3. Automatic preparation of financial statements, tax return schedules, and consolidating
schedules (all of which save time previously spent typing them, and which make late
changes easier to implement).
4. Reduction in required supervisory review time.
a. Computer printout is more legible than most handwriting.
b. Once the reliability of the software has been confirmed, less time is required to
review and prove such things as footings, postings, ratio calculations, and cross
references.
5. Automatic performance of certain analytical review procedures, such as:
a. Computing account differences from one year to the next, and
b. Computing the percentage increase or decrease in each account.
6. Enhanced client service—the client's personnel can benefit from:
a. No longer needing to manually prepare schedules that are now permanently in
the computer,
b. More legible adjusting journal entry listings,
c. Enhanced analytical information, and
d. The ability to review a draft of the financial statements while the auditors are still
in the field.
7. Improved morale and productivity for the audit team, as less time is spent on tedious
clerical tasks (such as preparing lead schedules, endlessly posting columns of
figures, etc.).
B. DISADVANTAGES
The primary disadvantage of auditing with a computer is that audit documentation may not
contain readily observable details of calculations.
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-27
INTERNAL CONTROL COMMUNICATIONS
I. OVERVIEW
Guidelines for communicating matters related to internal control are different for nonissuers and
issuers.
A. NONISSUERS
1. Although the purpose of an audit is to express an opinion on the financial statements
and not to express an opinion on the effectiveness of internal control, certain
deficiencies related to internal control may be noticed by the auditor during the audit.
Such deficiencies create a reporting responsibility for the auditor.
2. An auditor may also be hired to perform an attest engagement (separate from the
audit) with respect to internal control. In such engagements, the auditor will look more
carefully at internal control, and will report on its effectiveness.
3. It is likely that auditing standards for nonissuers will be revised in the near future, to
more closely align the rules for nonissuers with those already in place for issuers. A
new standard would provide for the integration of the two engagements described
above, as well as aligning certain definitions that currently differ between SASs (for
nonissuers) and PCAOB standards (for issuers).
??????
Be sure to visit the Becker website for possible updates to this area.
B. ISSUERS
For issuers, an “integrated audit” is required. This means that auditors of issuers are
required to perform an audit of internal control in conjunction with their audit of the financial
statements.
II. NONISSUERS: INTERNAL CONTROL MATTERS NOTED DURING AN AUDIT
A. DEFICIENCIES IN INTERNAL CONTROL
1. Control Deficiency
A control deficiency exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned
functions, to prevent or detect misstatements on a timely basis.
a. A deficiency in design occurs when a necessary control is missing or when an
existing control does not achieve the desired objective.
b. A deficiency in operation occurs when a properly designed control does not
operate as designed, or is performed by an inappropriate person.
c. Control deficiencies may involve aspects of any or all of the five internal control
components.
2. Significant Deficiency
A significant deficiency is a control deficiency, or combination of control deficiencies,
that adversely affects the entity's ability to initiate, authorize, record, process, or report
financial data reliably in accordance with GAAP such that there is more than a remote
likelihood that a misstatement of the entity's financial statements that is more than
inconsequential will not be prevented or detected.
C
ONTROL
D
EFICIENCY
S
IGNIFICANT
D
EFICIENCY
Auditing & Attestation 5 Becker CPA Review
A5-
28 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
a. "More than remote" means a misstatement is at least reasonably possible.
b. "Inconsequential" means that a reasonable person would conclude that the
misstatement is clearly immaterial. If a reasonable person would not draw such
a conclusion, the misstatement is "more than inconsequential".
c. Both quantitative and qualitative factors should be considered in determining
whether a potential misstatement is "more than inconsequential".
3. Material Weakness
A material weakness is a significant deficiency, or combination of significant
deficiencies, that results in more than a remote likelihood that a material misstatement
of the entity's financial statements will not be prevented or detected.
B. RESPONSIBILITY OF THE AUDITOR
The auditor has a responsibility to evaluate control deficiencies identified during the audit
and, in some cases, to report those deficiencies.
1. Detection of Control Deficiencies
An auditor of financial statements is not required to search for control deficiencies, or to
express an opinion on the effectiveness of internal control. The auditor may, however,
become aware of control deficiencies while performing the audit.
2. Evaluation of Control Deficiencies
The auditor must evaluate control deficiencies to determine whether they represent
significant deficiencies or material weaknesses.
a. The auditor must consider the potential for misstatement, not whether a
misstatement has actually occurred. A significant deficiency or material
weakness may exist even in the absence of an identified misstatement.
b. The auditor should consider both the likelihood and the magnitude of potential
misstatements.
c. If more than one control deficiency affects the same account balance or
disclosure, individually insignificant deficiencies may, in combination, constitute a
significant deficiency or material weakness.
d. The auditor should consider whether any controls tend to compensate for the
identified deficiency. A compensating control is one that limits the severity of a
control deficiency, and may prevent it from being identified as a significant
deficiency or material weakness.
e. Indicators of a Significant Deficiency
A deficiency in controls related to the following areas will generally be considered
at least a significant deficiency.
(1) Selection and application of accounting principles.
(2) Antifraud programs.
(3) Nonroutine transactions.
(4) Period-end financial reporting.
M
ATERIAL
W
EAKNESS
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-29
f. Indicators of a Material Weakness
A deficiency in controls related to the following areas will generally be considered
at least a significant deficiency, and more likely will be considered a material
weakness.
(1) Ineffective oversight by those charged with governance.
(2) Restatement of previously issued financial statements to correct a material
misstatement.
(3) Identification by the auditor of a material misstatement that was not initially
identified by the entity's internal control, even if management has since
corrected the misstatement.
(4) Ineffective internal audit or risk assessment functions in large or complex
entities.
(5) Ineffective regulatory compliance function in entities operating in highly
regulated industries.
(6) Identification of any level of fraud perpetrated by senior management.
(7) Failure to appropriately address previously communicated significant
deficiencies (appropriate actions may include correction of the deficiency
or a conscious decision not to correct the deficiency).
(8) An ineffective control environment.
3. Communication of Control Deficiencies
Significant deficiencies and material weaknesses must be communicated in writing to
management and those charged with governance.
a. Previously Existing Deficiencies
Previously communicated significant deficiencies and material weaknesses that
have not been corrected should be communicated again, in writing, during the
current audit.
b. Timing
(1) While it is recommended that the written communication be made by the
report release date, a window extending 60 days beyond this date is
acceptable.
(2) Earlier communication (i.e., during the audit) is also acceptable. While
such early communication need not be in writing, it does not negate the
requirement for eventual written communication of all significant
deficiencies and material weaknesses.
c. Management's Evaluation
It is management's responsibility to evaluate and address control deficiencies.
Management may decide to accept certain significant deficiencies or material
weaknesses, based upon the costs that would be incurred to correct them. Even
in such situations, the auditor is still required to communicate such deficiencies in
writing.
Auditing & Attestation 5 Becker CPA Review
A5-
30 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
d. Communication of Other Matters
The auditor may communicate other matters related to internal control, such as
suggested improvements in efficiency or, when requested, control deficiencies
that are not significant deficiencies or material weaknesses. Such
communications need not be in writing, but oral communications should be
documented.
C. REPORTING REQUIREMENTS
1. Report Contents
The report should include the following:
a. An indication that the purpose of the audit was to express an opinion on the
financial statements, not on the effectiveness of internal control;
b. A statement that the auditor is not expressing an opinion on the effectiveness of
internal control;
c. A definition of significant deficiency and, if applicable, material weakness;
d. Identification of significant deficiencies noted and, if applicable, material
weaknesses noted; and
e. A statement that the communication is intended solely for the information and
use of management, those charged with governance, and others within the
organization, and that it is not intended to be and should not be used by anyone
other than these specified parties.
The auditor may also choose to include additional comments regarding internal control.
2. Absence of Significant Deficiencies or Material Weaknesses
a. The auditor may not report the absence of significant deficiencies, since there is
too great a potential for misinterpretation of the very limited degree of assurance
the auditor would be providing in such instances.
b. The auditor may issue a communication indicating that no material weaknesses
were identified during the audit, typically for the client to submit to governmental
authorities.
3. Management's Written Response
Management may prepare a written response to the auditor's report, perhaps
describing corrective actions taken or planned for the future, or indicating that the cost
of correcting the identified deficiencies would exceed the benefits to be derived.
a. If such response is included in a document containing the auditor's written
communication, the auditor must add a paragraph disclaiming an opinion on
management's response.
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-31
D. SAMPLE REPORT
J. Pinkerton Snoopington
Certified Public Accountant
July 19, Year X
To Management and [
In planning and performing our audit of the financial statements of ABC Company as of and for the year ended December 31,
20XX, in accordance with auditing standards generally accepted in the United States of America, we considered ABC
Company's internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the
purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the
effectiveness of the Company's internal control. Accordingly, we do not express an opinion on the effectiveness of the
Company's internal control.
Our consideration of internal control was for the limited purpose described in the preceding paragraph and would not
necessarily identify all deficiencies in internal control that might be significant deficiencies or material weaknesses. However,
as discussed below, we identified certain deficiencies in internal control that we consider to be significant deficiencies
other deficiencies that we consider to be material weaknesses].
those charged with governance—list specific parties]:[and
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency
is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize,
record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there
is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will
not be prevented or detected by the entity's internal control. We consider the following deficiencies to be significant
deficiencies in internal control.
[Describe the significant deficiencies that were identified]
[A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote
likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity's internal
control. We believe that the following deficiencies constitute material weaknesses.]
[Describe the material weaknesses that were identified]
This communication is intended solely for the information and use of management, [
with governance]
be and should not be used by anyone other than these specified parties.
J. Pinkerton Snoopington, CPA
[
identify the body or individuals charged, others within the organization, and [identify any specified governmental authorities] and is not intended toSigned by CPA or Firm]
Auditing & Attestation 5 Becker CPA Review
A5-
32 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
E. EXAMPLES OF CONTROL DEFICIENCIES
Examples of control deficiencies that may be significant deficiencies or material weaknesses
include:
1. Deficiencies in the design of controls, such as:
a. Inadequate design of internal control over the preparation of financial statements
or over a significant account or process.
b. Insufficient control consciousness.
c. Lack of appropriate controls over segregation of duties or safeguarding of assets.
d. Inadequate design of IT controls.
e. Lack of appropriate qualifications or training of client personnel.
f. Inadequate design of monitoring controls or the absence of an appropriate
process to report control deficiencies.
g. Inadequate documentation of the components of internal control.
2. Failure in the operation of controls, such as evidence of:
a. Failure to obtain appropriate authorization for significant disbursements, to
perform reconciliations, to safeguard assets, or to provide complete, accurate,
and timely information.
b. Undue bias or lack of objectivity.
c. Misrepresentation by client personnel to the auditor.
d. Management override of controls.
e. Failure of an application control caused by a deficiency of a general control.
F. REPORTS ON THE FINANCIAL STATEMENTS OF NONISSUERS
1. GAAS Audits
The scope of the auditor's procedures required by the Auditing Standards Board with
respect to internal control is considerably less than that required by the PCAOB. To
clarify that an audit performed in accordance with GAAS does not require the same
level of testing and reporting on internal control, as does an audit of an issuer under
SOX, the auditor may expand his or her audit report. Additional language may be
added to the scope paragraph to describe this situation:
"We conducted our audit in accordance with auditing standards
generally accepted in the United States of America. Those
standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are
free of material misstatement.
internal control over financial reporting as a basis for designing
audit procedures that are appropriate in the circumstances, but
not for the purpose of expressing an opinion on the
effectiveness of the Company's internal control over financial
reporting. Accordingly, we express no such opinion.
also includes examining, on a test basis, evidence supporting the
amounts and disclosures in the financial statements, assessing the
accounting principles used and significant estimates made by
management, as well as evaluating the overall financial statement
presentation. We believe that our audit provides a reasonable basis
for our opinion."
An audit includes consideration ofAn audit
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-33
2. Audits Following Both Sets of Requirements
If an auditor conducts the audit (of a nonissuer) in accordance with GAAS
auditing standards of the PCAOB, the auditor may indicate in the auditor's report that
the audit was conducted in accordance with both sets of standards (covered in Audit &
Attestation 1). Since PCAOB standards do not require expanded testing and reporting
on internal control for nonissuers, additional language may be added to the scope
paragraph to describe this situation:
"…Those standards require that we plan and perform the audit to
obtain reasonable assurance about whether the financial statements
are free of material misstatement.
have, nor were we engaged to perform, an audit of its internal
control over financial reporting. Our audit included
consideration of internal control over financial reporting as a
basis for designing audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an
opinion on the effectiveness of the Company's internal control
over financial reporting. Accordingly we express no such
opinion.
and theThe Company is not required toAn audit also includes examining, on a test basis..."
III. NONISSUERS: REPORTING ON AN ENTITY'S INTERNAL CONTROL OVER FINANCIAL
REPORTING
An accountant may be engaged to examine and report on, that is, express an opinion on, the
written assertion of management concerning the design and/or operating effectiveness of the
entity's internal control over financial reporting at a specific point in time. The CPA may report on
management's assertion or may report directly on the effectiveness of the entity's internal control.
This is a type of attestation engagement, an engagement separate and different from, but which
does not change, the auditor's consideration of internal control as a part of an audit of the financial
statements. This engagement is performed according to Statements on Standards for Attestation
Engagements, as covered in Auditing & Attestation 2. Note that these guidelines permit neither a
review of nor an expression of negative assurance on internal control. Agreed-upon procedures
engagements related to internal control are acceptable.
A. CONDITIONS FOR ENGAGEMENT PERFORMANCE
1. Management accepts responsibility for the effectiveness of internal control.
a. Generally, management provides a written representation letter acknowledging
this responsibility, stating the assertion, and specifying the criteria used to
evaluate the assertion. The letter would also include discussion of significant
deficiencies in internal control, any subsequent changes in internal control, and
fraud.
b. Failure to provide such written representations is a scope limitation that will
generally result in a disclaimer of opinion or in withdrawal from the engagement.
2. Management evaluates the effectiveness of the entity's internal control using suitable
criteria (also called "control criteria"), such as criteria issued by the AICPA or by
regulatory agencies.
3. Sufficient audit evidence exists or can be developed to support management's
evaluation.
4. Generally, management must provide a written assertion on the effectiveness of the
entity's internal control. (Covered further in item C below.)
Auditing & Attestation 5 Becker CPA Review
A5-
34 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
B. PLANNING THE ENGAGEMENT
Planning is similar to that performed for an audit and involves developing an overall strategy
for the scope and performance of the engagement. The auditor should consider:
1. Matters affecting the industry of the entity—reporting practices, economic conditions,
laws and regulations, and technological change.
2. Prior knowledge of the entity's internal control (obtained during other professional
engagements).
3. Matters concerning the entity and its business—organization, operations, capital
structure, and distribution methods.
4. Extent of any recent changes in the entity, its operations, or its internal control.
5. Management's method of evaluating control effectiveness.
6. Judgments about materiality and risk.
7. The nature and extent of evidence available.
8. The nature and significance of specific controls, and preliminary judgments about their
effectiveness.
C. PERFORMING THE ENGAGEMENT
As part of the engagement, the accountant should perform the following tasks:
1. Obtain from management a written assertion about the effectiveness of the entity's
internal control. The assertion may be presented in one of two ways:
a. A separate report that will accompany the accountant's report.
b. A representation letter to the accountant.
2. If management refuses to provide a written assertion:
a. Generally the auditor should withdraw from the engagement.
b. Exception: if the examination is required by law or regulation, the auditor should
disclaim an opinion or, if the situation warrants, express an adverse opinion.
(1) If an adverse opinion is expressed, the report should be restricted as to
use.
3. Obtain an understanding of internal control through inquiry, inspection, and
observation.
4. Evaluate the
5. Test and evaluate the
whom, and with what consistency the policies and procedures are applied.
Examination procedures primarily include inquiry, inspection of documentation,
observation, and reperformance.
6. Form an opinion on the effectiveness of the entity's internal control, or on
management's assertion thereon, based on the control criteria.
design effectiveness of the controls.operating effectiveness of the controls. Tests address how, by
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-35
D. REPORTING ON THE ENGAGEMENT
As mentioned previously, the accountant may report on management's assertion regarding
internal control, or directly on the operating effectiveness of the entity's internal control.
1. Sample standard report expressing an opinion on management's written assertion
about the effectiveness of internal control:
Independent Accountant's Report
[Introductory Paragraph]
We have examined management's assertion included in the accompanying [title of management report] that W Company
maintained effective internal control over financial reporting as of December 31, 20XX based on
Company's management is responsible for maintaining effective internal control over financial reporting. Our responsibility is
to express an opinion on management's assertion based on our examination.
[identify criteria]. W
(Note: A statement of management's assertion should be included in the introductory paragraph when such assertion does not
accompany this report. The phrase "included in the accompanying [title of management report]" would be omitted in such
cases.)
[Scope Paragraph]
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified
Public Accountants and, accordingly, included obtaining an understanding of internal control over financial reporting, testing,
and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we
considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
[Inherent limitations paragraph]
Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected.
Also, projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that the
internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies
or procedures may deteriorate.
[Opinion Paragraph]
In our opinion, management's assertion that W Company maintained effective internal control over financial reporting as of
December 31, 20XX is fairly stated, in all material respects, based on [
identify criteria].
[Signature]
[Date]
PASS KEY
The examiners have focused many questions in prior exams on the "Inherent Limitations Paragraph."
Auditing & Attestation 5 Becker CPA Review
A5-
36 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
2. When a CPA expresses an opinion directly on the effectiveness of an entity's internal
control:
a. The introductory paragraph is almost the same. The first sentence is revised to
read: "We have examined the effectiveness of W Company's internal control over
financial reporting as of December 31, 20XX, based on [
last sentence, reference is to an opinion on "the effectiveness of internal control"
instead of "management's assertion."
b. The scope paragraph and the inherent limitations paragraph are the same.
c. The opinion paragraph is new. It reads:
identify criteria]." In the
"In our opinion, W company maintained, in all material respects, effective internal control
over financial reporting as of December 31, 20XX, based on
[identify criteria]."
3. If the criteria used to evaluate internal control are only appropriate for or available to
specific parties, the report should also contain a statement restricting its use to those
specified parties.
E. DEFICIENCIES IN INTERNAL CONTROL
1. The presence of a material weakness in internal control generally will result in a
qualified or adverse opinion. The CPA should:
a. Describe the weakness and its effects in an explanatory paragraph preceding the
opinion paragraph. This paragraph should also include the definition of material
weakness and significant deficiency.
b. For qualified opinions, include in the opinion paragraph the conclusion that,
"…except for the effect of the material weakness…W Company maintained, in all
material respects, effective internal control…"
c. For adverse opinions, include in the opinion paragraph the conclusion that, "W
Company has not maintained effective internal control over financial reporting…"
2. When a material weakness exists, the CPA should express an opinion directly on the
effectiveness of internal control, and not on management's assertion.
3. Communication of significant deficiencies and material weaknesses is generally similar
to such communications with respect to an audit.
a. The CPA should communicate significant deficiencies and material weaknesses
to management and those charged with governance. This communication is
required to be in writing.
b. The auditor may communicate significant matters during the examination rather
than after the examination is concluded.
c. The auditor should not issue a report stating, "No significant deficiencies were
noted."
4. If the client is not the responsible party (i.e., the auditor is engaged by a third party), the
auditor has no responsibility to communicate significant deficiencies or material
weaknesses to the responsible party, but is not precluded from doing so.
Becker CPA Review Auditing & Attestation 5
© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A5-37
5. If management's assertion contains a statement that management believes the cost of
correcting the weakness would exceed the benefits to be derived from implementing
new policies and procedures, the practitioner should disclaim an opinion on
management's "cost-benefit statement":
"We do not express an opinion or any other form of assurance on
management's cost-benefit statement."
F. SCOPE LIMITATIONS
1. Restrictions on the scope of the engagement will generally result in withdrawal from the
engagement, expression of a qualified opinion, or a disclaimer of opinion, depending
on the importance of the omitted procedures.
2. When controls are implemented to correct a previously identified material weakness,
but the auditor is unable to appropriately test the new controls, a qualified opinion
should be expressed. The auditor should:
a. Modify the scope paragraph slightly: "Except as described below, our
examination was conducted…"
b. In an explanatory paragraph preceding the inherent limitations paragraph,
describe the material weakness and state that sufficient evidence was not
obtained about the operating effectiveness of the new controls. This paragraph
should also include the definition of material weakness and significant deficiency.
c. Include in the opinion paragraph the conclusion that, "…except for the effect of
matters we may have discovered had we been able to [
procedures
control…"
3. When restrictions significantly limit the scope of the examination, a disclaimer of
opinion should be expressed. The auditor should:
a. Modify the first sentence of the introductory paragraph slightly ("We were
engaged to examine…") and omit the last sentence.
b. Omit the scope paragraph.
c. Include an explanatory paragraph describing the scope restrictions.
d. Omit the inherent limitations paragraph.
e. Revise the opinion paragraph to read, "Since [
scope of our work was not sufficient to enable us to express, and we do not
express, an opinion on the effectiveness of the entity's internal control over
financial reporting."
describe omitted], W Company maintained, in all material respects, effective internal | | | | |
