MODF

Module F - Attribute Sampling
MODULE F Attribute Sampling LEARNING OBJECTIVES

Review Checkpoints 1. Identify the objectives of attribute sampling, define deviation conditions, and define the population for an attribute sampling application. Understand how various factors influence the size of an attribute sample. 1, 2, 3, 4 Exercises, Problems, and Simulations 51, 53, 54, 55, 71 (partial), 73 (parts a b), 74 (parts a b), 75 (part a), 76 (partial), 77 (partial), 79 52 (partial), 71 (partial), 72 (parts a b), 75 (parts b c), 76 (partial), 77 (partial), 78, 79 52 (partial), 60, 61, 62, 63, 64, 71 (partial), 72 (part c), 74 (part c), 75 (parts d e), 80 (partial) 56 (partial), 57, 58, 59, 71 (partial), 73 (parts c-d), 74 (part d) 52 (partial), 56 (partial), 65, 66, 67, 68, 69, 70, 71 (partial), 72 (parts d f), 73 (part d), 74 (parts e g), 75 (parts f h), 77 (parts g-h), 80 (partial)
2.
5, 6, 7
3.
Determine the sample size for an attribute sampling application.
8, 9
4.
Identify various methods of selecting an attribute sample.
10, 11, 12
5.
Evaluate the results of an attribute sampling application by determining the upper limit deviation rate (ULDR).
13, 14, 15, 16, 17, 18, 19, 20, 21, 22
6.
Define sequential sampling and discovery sampling and identify when these types of sampling applications would be used. Understand how to apply nonstatistical sampling to attribute testing.
23, 24
7.
24, 25
74
MODF-1
SOLUTIONS FOR REVIEW CHECKPOINTS

F.1 Attribute sampling is a method of sampling used to determine the extent to which some characteristic (or attribute) exists within a population of interest. Attribute sampling is used by the auditor in performing tests of controls to determine the operating effectiveness of internal control policies and procedures. The auditors objective in attribute sampling is to determine the operating effectiveness of key controls that influence the financial statement assertions of interest. As a result, the financial statement assertions ultimately determine which control(s) are tested and are the subject of the auditors attribute sampling application. Deviation conditions represent situations in which key controls are not functioning as intended. Deviation conditions are important in an attribute sampling application because they provide the auditor with evidence regarding the operating effectiveness of the clients internal control. An appropriate definition of the population is important because auditor conclusions can only be extended to the population from which the sample is selected. a. Sampling risk is the risk that the decision made by the auditor based on the sample is different from the decision that would have been made if the entire population were examined. The tolerable deviation rate is the maximum rate of deviations permissible by the auditor without modifying the reliance on an internal control policy or procedure. The expected deviation rate is the anticipated rate of deviations in the clients internal control policies or procedures.
F.2
F.3
F.4 F.5
b. c.
The sampling risk and tolerable deviation rate are determined judgmentally by the auditor based on the planned level of control risk (as the planned level of control risk is lower, the sampling risk and tolerable deviation rate should be lower) and the desired level of assurance. The expected deviation rate is assessed by the auditor based on either prior experience with the client (for recurring engagements) or a small pilot sample of controls (for first-year engagements). F.6 The risk of assessing control risk too high (risk of underreliance) occurs when the auditors sample indicates that the control is not functioning effectively when, in fact, it is functioning effectively. When this risk occurs, the auditors adjusted sample deviation rate exceeds the tolerable deviation rate. However, unknown to the auditor, the true population deviation rate is less than the tolerable deviation rate. The risk of assessing control risk too low (risk of overreliance) occurs when the auditors sample indicates that the control is functioning effectively when, in fact, it is not functioning effectively. When this risk occurs, the auditors adjusted sample deviation rate is less than the tolerable deviation rate. However, unknown to the auditor, the true population deviation rate exceeds the tolerable deviation rate.
MODF-2
F.7
The risk of assessing control risk too low is more important because this risk may result in a less effective audit being performed. That is, the auditor may not perform a sufficient level of substantive procedures upon which to base the opinion on the financial statements. F.8 a. Sample size has an inverse relationship with sampling risk; that is, as the acceptable sampling risk decreases, sample size increases. b. c. F.9 Sample size has an inverse relationship with the tolerable deviation rate; that is, as the tolerable deviation rate decreases, sample size increases. Sample size has a direct relationship with the expected deviation rate; that is, as the expected deviation rate increases, sample size increases.
In an attribute sampling application, the sample size is determined as follows: 1. Based on the acceptable level of the risk of assessing control risk too low, select the appropriate sample size table. 2. Identify the row of the table corresponding to the expected deviation rate for the control being examined. 3. Identify the column of the table representing the assessed tolerable deviation rate for the control being examined. 4. Determine the sample size by identifying the junction of the row from step (2) and the column from step (3).
F.10
When selecting sample items, the auditor should take steps to ensure that the sample is representative of the population from which it is drawn. For example, the auditor should select potential applications of control procedures performed throughout the year, performed for larger and smaller dollar amounts, performed by different individuals, and related to transactions with different parties or individuals in different geographic areas. Tests of controls are procedures performed by the auditor to determine the operating effectiveness of the clients key internal controls. The auditors goal in performing tests of controls is to determine the rate at which the clients controls are not functioning as intended, or the sample deviation rate. If the auditor is unable to find an item that provides evidence of the clients performance of a control, that item is classified as a deviation. The sample deviation rate is the rate of deviations from key controls noted by the auditor in the sample. It can be calculated by dividing the number of deviations by the sample size. The upper limit deviation rate is an adjusted rate of deviations that provides a conservative measure of the population deviation rate. This measure allows the auditor to control the exposure to sampling risk to acceptable levels. The upper limit deviation rate is the rate of deviation that has a (1 minus the risk of assessing control risk too low) probability of equaling or exceeding the true population deviation rate. Conversely, there is a (risk of assessing control risk too low) probability that the true population deviation rate exceeds the upper limit deviation rate.
F.11
F.12 F.13 F.14
MODF-3
F.15
F.16
The upper limit deviation rate is determined based on the risk of assessing control risk too low, sample size, and number of deviations. Since the sample size and number of deviations determine the sample deviation rate, the upper limit deviation rate is essentially based on the sample deviation rate and the risk of assessing control risk too low. The upper limit deviation rate is determined as follows: 1. 2. 3. 4. Based on the acceptable risk of assessing control risk too low, select the appropriate evaluation table. Read down the sample size column to find the row representing the appropriate sample size. Identify the column corresponding to the number of deviations found by the auditor. The upper limit deviation rate is the value found at the intersection of the row in step (2) and the column in step (3).
F.17
If the sample size examined by the auditor is not included in the AICPA sample evaluation tables, the auditor could (1) select additional items for examination to provide the auditor with the next highest sample size included on the tables, (2) evaluate the results of the sample using a smaller (more conservative) sample size, or (3) interpolate the table values and estimate a upper limit deviation rate for the number of items examined. Since the sample deviation rate is 6 percent (6 deviations 100 items = 6 percent) and the upper limit deviation rate is 8.3 percent, the allowance for sampling risk is 2.3 percent (8.3 percent - 6.0 percent = 2.3 percent). If the upper limit deviation rate is less than the tolerable deviation rate, the auditor would conclude that the control is functioning effectively. If the upper limit deviation rate is greater than or equal to the tolerable deviation rate, the auditor would conclude that the control is not functioning effectively. If the upper limit deviation rate is less than the tolerable deviation rate, the auditor can choose to rely on internal control at planned levels. If the upper limit deviation rate is greater than or equal to the tolerable deviation rate, the auditor can reduce the reliance on internal control and increase control risk or expand the sample to achieve an observed upper limit deviation rate less than the tolerable deviation rate. However, expanding the sample is generally not an effective response.
F.18
F.19
F.20 F.21
MODF-4
F.22
Information that is typically documented in an attribute sampling application includes: Information on the objective of sampling, definition of deviation conditions, and definition of the population from which the sample was selected. The levels of the risk of assessing control risk too low, tolerable deviation rate, and expected deviation rate, along with the rationale for these assessments. The sample size determined based on the factors discussed above. Information on the selection of sample items and a listing of items selected and examined by the auditor. Results of the tests of controls performed on each item selected. Information regarding the number of deviations and the upper limit deviation rate.
The auditors conclusion with respect to the operating effectiveness of the control and implications of this operating effectiveness on the auditors reliance on internal control and substantive procedures F.23 Sequential sampling is a sampling plan in which an initial sample is selected and the auditor (1) draws a final conclusion regarding the effectiveness of the control policy or procedure or (2) selects additional items before drawing a final conclusion regarding the effectiveness of the control policy or procedure. The primary advantage of sequential sampling is that these types of plans may allow the auditor to form a conclusion on internal control with a relatively small sample size. The primary disadvantage of sequential sampling is that the allowable rate of deviations in the sample is lower than that in a fixed sampling plan (i.e., sequential sampling is more conservative). In addition, sequential sampling may ultimately result in auditors examining an extremely large number of items if they decide to expand the sample. F.24 Discovery sampling is a form of attribute sampling that is used when deviations from controls are very critical, yet are expected to occur at a relatively low rate. Discovery sampling should be used when a control is extremely important for the auditors examination or when the auditor is suspicious of the existence of fraud. Step five, selecting the sample, may be performed differently for nonstatistical sampling than for statistical sampling. As nonstatistical sampling does not make use of tables based on probabilities, the sample is not required to be selected randomly. Haphazard or block selection may be used as well as random or sequential selection. However, it is step seven, evaluating sample results where the primary difference between the two methods arises. Auditors first calculate the sample deviation rate. If the sample deviation rate is greater than the tolerable deviation rate, the auditor can conclude that the control is not working effectively and revised planned detection risk. However, if the sample deviation rate is less than tolerable deviation rate, auditors cannot conclude that the control is operating effectively. They must use professional judgment to estimate the allowance for sampling risk to determine the likely deviation rate in the population.
F. 25
F. 26
MODF-5
SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS

F.27 a. b. c. d. F.28 a. Incorrect Correct Incorrect Incorrect Correct Incorrect Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Correct Incorrect Determining preliminary levels of materiality is related to variables sampling. Attribute sampling selects occurrences of key controls for the auditor to examine using tests of controls. Substantive procedures are related to variables sampling. Searching for the possible occurrence of subsequent events is not an example of sampling. Identifying key controls is necessary when determining the objective of sampling. Prior to defining a deviation condition, the key controls must be Prior to defining the population, the key controls must be identified. Prior to determining the sample size, the key controls must be The tolerable deviation rate has an inverse relationship with sample size. The expected deviation rate has a direct relationship with sample size; the tolerable deviation rate has an inverse relationship with sample size. The expected deviation rate has a direct relationship with sample size; the tolerable deviation rate has an inverse relationship with sample size. The expected deviation rate has a direct relationship with sample size. The auditor does not control the RACTH in an attribute sampling application. The auditor does not control the RACTH in an attribute sampling application; however, the auditor does control the RACTL. The auditor does not control the RACTH in an attribute sampling application; however, the auditor does control the RACTL. The auditor controls the RACTL in an attribute sampling application. Both sampling risks result in incorrect decisions by the auditor. The risk of assessing control risk too high is related to the study and evaluation of internal control The risk of assessing control risk too low may result in the failure to control audit risk to acceptable levels. Performing tests during an interim period does not influence the risk of assessing control risk too high.
b. identified. c. d. identified. F.29 a. b. c. d. F.30 a. b. c. d. F.31 a. b. c. d. F.32
Note to instructor: Since this question asks students to identify the statement that will not result in an increased sample size, the response labeled correct will not result in an increased sample size and those labeled incorrect will result in an increased sample size. a. b. c. d. Incorrect Correct Incorrect Incorrect Reducing the risk of assessing control risk too low will result in a larger sample size. Increasing the tolerable deviation rate will reduce (not increase) the sample size. Increasing the expected deviation rate will result in a larger sample size Choice (b) above will not result in a larger sample size.
MODF-6
F.33
a. b. c. d. a. b. c. d.
Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Correct Correct Incorrect Incorrect
From the AICPA sampling tables, the sample size is 195. From the AICPA sampling tables, the sample size is 195. From the AICPA sampling tables, the sample size is 195. From the AICPA sampling tables, the sample size is 195. RACTL increases as control risk increases; as a result, a 1% RACTL cannot logically be associated with a control risk of 0.80. RACTL increases as a function of control risk; as a result, a 10% RACTL cannot logically be associated with a control risk of 0.20 if a 1% control risk is assigned to a control risk of 0.50. RACTL increases as a function of control risk; as a result, a 10% RACTL cannot logically be associated with a control risk of 0.50 if a 5% RACTL is assigned to a control risk of 0.80. RACTL increases as control risk increases; this series is consistent with this relationship. From the AICPA sample evaluation tables, the upper limit deviation rate is 6.9 percent. From the AICPA sample evaluation tables, the upper limit deviation rate is 6.9 percent. From the AICPA sample evaluation tables, the upper limit deviation rate is 6.9 percent. From the AICPA sample evaluation tables, the upper limit deviation rate is 6.9 percent. This is the correct interpretation of the upper limit deviation rate. The probability that the actual deviation rate in the population is lower than the upper limit deviation rate is (1 minus the risk of assessing control risk too low). The upper limit deviation rate does not provide an estimate with certainty; in addition, the probability that the actual deviation rate in the population is lower than the upper limit deviation rate is (1 minus the risk of assessing control risk too low). The upper limit deviation rate does not provide an estimate with certainty. See (d) below. See (d) below. See (d) below. Without knowledge of the risk of assessing control risk too low, it is impossible to calculate the upper limit deviation rate for a sample of 100 transactions with one deviation. For example, with a risk of assessing control risk too low of 5 percent, the upper limit deviation rate is 4.7 and options (a), (b), and (c) would not allow the auditor to assess control risk at the appropriate level. However, if the risk of assessing control risk too low is 10 percent, the upper limit deviation rate would be 3.9 and choice (c) would allow the auditor to assess control risk at the appropriate level.
F.34
F.35
a. b. c. d.
F.36
a. b. c.
d. F.37 a. b. c. d.
Incorrect Incorrect Incorrect Incorrect Correct
MODF-7
F.38
a. b. c. d.
Incorrect Correct Incorrect Incorrect Incorrect Incorrect Correct Incorrect Incorrect Correct
Because the upper limit deviation rate exceeds the tolerable deviation rate, the auditor cannot support a control risk assessment based on the tolerable deviation rate. The auditor should increase control risk because the upper limit deviation rate exceeds the tolerable deviation rate. Despite the fact that the upper limit deviation rate exceeds the tolerable deviation rate, the auditor can support a control risk assessment at less than the maximum level. Control risk should be increased not decreased. Selecting customer accounts for confirmation as a part of the audit of accounts receivable would use variables sampling. Selecting inventory items for verification as a part of the audit of inventory would use variables sampling. Selecting purchase orders for indication of authorization is a test of controls that would use attribute sampling. Selecting additions to property, plant and equipment for verification would use variables sampling. The auditor would compare the tolerable deviation rate to the sum of the allowance for sampling risk and sample deviation rate (not expected deviation rate). In this example, the sample deviation rate of 4 percent (5 125 = 4 percent) plus the allowance for sampling risk of 3 percent equals the upper limit deviation rate (7 percent). Since the upper limit deviation rate exceeds the tolerable deviation rate of 5 percent, the auditor should assess a higher control risk. The expected deviation rate is not considered in evaluating the results of the sample. The sample results would support a low control risk assessment if the sample deviation rate plus the allowance for sampling risk is less than (not greater than) the tolerable deviation rate. From the AICPA sample evaluation tables, the upper limit deviation rate is 12.8 percent. From the AICPA sample evaluation tables, the upper limit deviation rate is 12.8 percent. From the AICPA sample evaluation tables, the upper limit deviation rate is 12.8 percent. From the AICPA sample evaluation tables, the upper limit deviation rate is 12.8 percent. See the response to choice (b). The auditor noted 7 deviations in the 90 items examined; therefore, the sample deviation rate is 7.8 percent (7 90 = 7.8 percent). If the ULDR is 12.8 percent (see the answer to F.38), the allowance for sampling risk would be 5.0 percent (12.8 percent 7.8 percent = 5.0 percent). See the response to choice (b). See the response to choice (b).
F.39
a. b. c. d.
F.40
a. b.
c. d.
Incorrect Incorrect
F.41
a. b. c. d.
Incorrect Incorrect Incorrect Correct Incorrect Correct
F.42
a. b.
c. d.
Incorrect Incorrect
MODF-8
F.43
a. b. c. d.
Incorrect Correct Incorrect Incorrect Incorrect Incorrect Incorrect Correct Incorrect Incorrect Correct Incorrect
The tolerable deviation rate must exceed the upper limit deviation rate in order for the auditor to rely on internal control as planned. The tolerable deviation rate must exceed the upper limit deviation rate in order for the auditor to rely on internal control as planned. The expected deviation rate is not used in evaluating sample results. The expected deviation rate is not used in evaluating sample results. See the response to choice (d). See the response to choice (d). See the response to choice (d). While (a), (b), and (c) are correct responses, (d) is a more appropriate response because it includes all possible alternatives for the auditor. The upper limit deviation rate is the sum of the sample deviation rate (and not the expected deviation rate) and the allowance for sampling risk. The upper limit deviation rate is the sum of the sample deviation rate (and not the risk to assessing control risk too high) and allowance for sampling risk. The upper limit deviation rate is the sum of the sample deviation rate and the allowance for sampling risk. The upper limit deviation rate is the sum of the sample deviation rate (and not the tolerable deviation rate) and the allowance for sampling risk. The allowance for sampling risk is based on the allowable risk of assessing control risk too low. The expected deviation rate is based on the auditors experience in prior audits or a pilot sample of controls. The sample deviation rate is based on the number of deviations and the sample size. The tolerable deviation rate is based on the auditors reliance on internal control. When using attribute sampling, the auditor determines a single sample size. When using discovery sampling, the auditor determines a single sample size. When using sequential sampling, an initial sample is selected and decisions related to expanding that sample are based on the results of the initial sample. When using statistical sampling, the auditor determines a single sample size.
F.44
a. b. c. d. a. b. c. d.
F.45
F.46
a. b. c. d.
Incorrect Incorrect Incorrect Correct Incorrect Incorrect Correct Incorrect
F.47
a. b. c. d.
MODF-9
F.48
a.
Incorrect
b. c. d.
Correct Incorrect Incorrect
While a form of attribute sampling would be appropriate, the low level of deviations and importance of ensuring that deviations occur at extremely low levels would make the use of discovery sampling more appropriate. Discovery sampling is used when the rate of deviations is anticipated to be low and the auditor desires a high level of assurance that deviations occur at a low rate. Sequential sampling would not be used in this situation. While a form of attribute sampling would be appropriate, the low level of deviations and importance of ensuring that deviations occur at extremely low levels would make the use of discovery sampling more appropriate. In deciding whether to rely on internal control as planned, the upper limit deviation rate is compared to the tolerable deviation rate, not the risk of assessing control risk too low. While the upper limit deviation rate (6.5 percent) does exceed the tolerable deviation rate (6 percent), you would reduce reliance on internal control, not rely on internal control as planned. In deciding whether to rely on internal control as planned, the upper limit deviation rate is compared to the tolerable deviation rate, not the risk of assessing control risk too low. Because the upper limit deviation rate (6.5 percent) exceeds the tolerable deviation rate (6 percent), you would reduce reliance on the internal control from planned levels. Auditing standards clearly state the sample sizes using nonstatistical sampling should be comparable to sample sizes from statistical sampling Auditors must consider an allowance for sampling risk when using nonstatistical sampling. Using nonstatistical sampling is generally less complicated than statistical sampling. Only answer c. is true.
F.49
a. b. c. d.
Incorrect Incorrect Incorrect Correct
F.50
a. b. c. d.
Incorrect Incorrect Correct Incorrect
SOLUTIONS FOR EXERCISES, PROBLEMS, AND SIMULATIONS

F.51 Test of Controls Objectives and Deviations 1. Credit Approval a. b. Objective: Determine whether credit is approved in accordance with company policy. Deviation: Absence of notation of approval or disapproval on customers orders.
MODF-10
2.
Validity of Sales and Proper Period Recording a. Objective: Determine whether (i) recorded sales invoices are supported by written notices of shipment, (ii) the sales record date is the same as the shipment date. Deviation: (i) Absence of written shipment notice, (ii) Sales record date and shipment date are not the same.
b. 3.
Accuracy of Sales Invoices a. Objective: Determine whether (i) quantities on shipping notices and invoices are the same, (ii) unit prices on the invoices are correct and agree with catalog prices, and (iii) invoices are arithmetically correct Deviation: (i) Quantities on shipping notices and invoices do not match; (ii) Unit prices do not agree with catalog prices, (iii) Invoices include mathematical mistakes.
b.
4.
Classification of Sales a. b. Objective: Determine whether invoices are properly coded for intercompany sales. Deviation: (i) Invoice to an affiliated company not marked 9 and (ii) Invoice to an outside customer marked 9.
F.52
General Attribute Sampling 1. Holyfield has incorrectly identified the population. By identifying the population as all invoiced sales and selecting sales invoices for examination, Holyfield will begin with a transaction that has been billed. The correct definition of the population if Holyfield wishes to verify that all shipments have been billed would be the population of shipping documents. Holyfields action in this situation is correct The risk of assessing control risk too low should be established at lower levels when a higher degree of reliance on Top Ranks internal control is planned. Holyfields action in this situation is correct While prior audits provide a guideline for establishing the expected deviation rate, Holyfield should consider any changes occurring since that time. While it is impossible to determine whether a 1 percent expected deviation rate is appropriate, it is certainly reasonable to reduce the expected deviation rate from that used in prior years if improvements in the processing of transactions have occurred.
2.
3.
MODF-11
F.52
General Attribute Sampling (Continued) 4. Holyfields action in this situation is partially correct While the initial sample size of 156 is appropriate for the parameters specified in the Top Rank engagement, it is not appropriate to adjust this sample size for the size of the population. AICPA sample size tables assume a large population in determining sample size. In addition, based on statistical theory, once a population reaches a certain size, increases in the size of the population have a minimal effect on sample size. Holyfields action in this situation is incorrect The sum of the sample deviation rate and allowance for sampling risk (the upper limit deviation rate) should be compared to the tolerable deviation rate, and not the risk of assessing control risk too low.
5.
F.53
Examples of Deviations a. 1. While not technically conforming to the control policy, the fact that some indication was placed next to the quantities suggests that this would not be classified as a deviation. Professional standards are explicit in noting that a missing document should be classified as a deviation. The fact that the invoice is marked as VOID provides some evidence that the shipment was not made; accordingly, it does not appear that this would be classified as a deviation. However, the invoice should be replaced with another randomly selected invoice. While the quantities may have been properly checked, the fact that this is not noted on an item-by-item basis may indicate that the employee hurriedly reviewed the invoice and did not perform the work. This would likely be classified as a deviation. The fact that check marks were only placed adjacent to items located in the same location of the warehouse indicates that only these quantities were verified. Accordingly, this invoice would be classified as a deviation.
2. 3.
4.
5.
b.
The fallacy in assuming that the controls relating to the remaining 95 invoices were being performed properly is that an employee could merely place a check mark on the invoice without reviewing the quantities (because of time pressure, lack of care, etc.).
F.54
Examples of Deviations a. Shown below are the most common tests of controls that could be used for the particular control described. Other possible tests of controls are acceptable, but would typically provide weaker evidence (for example, an auditor could observe various controls related to documentary evidence, but inspecting the documentary evidence generally provides stronger evidence as to the operating effectiveness of the control). 1. Observe the segregation of duties or inquire of appropriate individuals as to the segregation of duties.
MODF-12
2. 3.
Inspect documentary evidence of approval of purchase orders by appropriate personnel.
F.54
Inspect documentary evidence of matching vendor invoices to purchase orders by appropriate personnel. Examples of Deviations (part a, Continued) 4. 5. b. 1. 2. 3. 4. 5. c. 1. Inspect documentary evidence of mathematical verification of vendor invoices by appropriate personnel. For a sample of cash disbursements, identify an appropriately approved and mathematically verified vendor invoice. Individual(s) performing incompatible duties of authorizing the purchase, preparing the purchase order, and receiving goods and services being purchased. Failure of individuals verifying approval of purchases to include their initials on the purchase order. Failure of individuals matching vendor invoices to purchase orders to include notation of the purchase order number on the vendor invoice. Failure of individuals mathematically verifying vendor invoices to include their initials on the invoice. Existence of a payment for an unapproved vendor invoice. This should be classified as a deviation. The fact that this was a one time occurrence does not compensate for the potential problems that arise when the individual who authorizes a transaction also receives custody of the goods and services related to the transaction. While it may have been necessitated because of urgency, the goods and services could have been received by another party.
2.
This would likely not be classified as a deviation. In this particular instance, while the individual did not strictly comply with the control policy, her signature suggests that the purchase order was reviewed and appropriate verified. The classification of this item is debatable. On one hand, the fact that the words OK, approved were written suggests that client personnel reviewed the purchase order related to the vendor invoice. However, the fact that the specific purchase order number was not noted may indicate that the purchase order was not examined or was examined in a hurried manner. This would likely be classified as a deviation, primarily because the purchase order number was not included.
3.
MODF-13
4.
Professional standards are explicit in stating that a missing document should be classified as a deviation. Therefore, the failure to locate the vendor invoice should be classified as a deviation. This would not be classified as a deviation, since each of the invoices included in the payment were properly authorized by Parkers personnel. Once identified by Perry, the number of deviations (along with the acceptable level of the risk of assessing control risk too low and the sample size) are used to calculate the upper limit deviation rate. The upper limit deviation rate is then compared to the tolerable deviation rate. If the upper limit deviation rate exceeds the tolerable deviation rate, Perry would conclude that the control is not functioning effectively; in response, Perry would reduce the planned level of reliance on internal control and increase control risk. If the upper limit deviation rate is less than the tolerable deviation rate, Perry would conclude that the control is functioning effectively, rely on internal control as planned, and maintain control risk at planned levels. F.55 Examples of Deviations a. A deviation is an instance in which the client and/or its personnel do not follow prescribed controls. An example of a deviation from this control would be a sale processed to a customer without an approved credit authorization. The audit team considers deviations in (1) determining the necessary sample size and (2) evaluating the sample results. In determining the necessary sample size, the audit team considers both the extent of deviations that are likely to be present in the population (expected deviation rate) as well as the maximum rate of deviations permissible without modifying the planned reliance on internal controls(tolerable deviation rate). In evaluating sample results, the audit team considers the number of deviations actually identified during the tests of controls as well as the tolerable deviation rate. c. The audit team would select a sample of sales made to customers and verify the existence of a credit authorization.
5. d.
b.
d.
1. Because these deviations were inadvertent mistakes and omissions, Jones would not have increased concern about these deviations beyond their impact on the ability to rely on the internal control policy. The fact that they were made by a number of different employees and occurred throughout the period indicates that they may be the result of careless behavior on the part of Hicks employees and may suggest the need for a greater level of emphasis on important control policies by management. 2. Like (1), the inadvertent nature of these deviations does not increase Jones concern about the deviations beyond their impact on his ability to rely on the internal control policy. In this case, the fact that they were made by one individual during his first month with Hicks Company suggests that they were a result of his inexperience and not carelessness.
MODF-14
3.
Because these deviations were the result of intentional actions on the part of Hicks Companys employees, they should be discussed with the client and its audit committee. The audit team should consider why employees committed these actions, and the effect on the financial statements of their actions. This would certainly increase the auditor's assessment of risk of material misstatement.
F.56 Timing of Test of Controls and Sample Selection TO: FROM: DATE: SUBJECT: Audit Manager Auditor Hill October 1 Interim evaluation of control over cash disbursement authorization
I audited 80 cash disbursements as of September 30 for compliance with the company control procedure requiring authorization of cash disbursements. I found no deviations. Had this audit sampling been performed at December 31 for the entire years disbursements, I would be prepared to assign a low control risk (20 percent). This favorable evaluation would enable us to perform the planned analytical procedures to expenses and perform the level of inventory observation work specified in the preliminary audit program. With a higher control risk, the audit team would need to do more work in both areas. Requirements According to auditing standards, the audit team needs to determine whether the authorization control procedure worked as well during October-December period as it did for the period January-September. I think the audit team should audit the other 20 disbursements to make this determination. Options 1. 2. The audit team cannot elect to forgo all further work on the control for the October-December remaining period. The audit team can complete the sampling application by examining 20 additional sampling units selected at random. This approach will probably be the least costly because it will be relatively easy to evaluate the additional 20 sampling units to determine whether the control is functioning effectively. The audit team could make inquiries about the operating effectiveness of the authorization control during the time period from October-December. However, declarations from client personnel that the control was functioning just fine would not be good evidence of continued operating effectiveness. Unless this inquiry reveals that the control is no longer performed, inquiry would not provide much information. The three-month length of the remaining period is enough for concern. The audit team should not merely presume the control continued to operate effectively during this period.
3.
4.
MODF-15
5.
If the dollar amount of transactions affected by the operating effectiveness of the authorization control were substantially reduced, the audit team would not need to be as concerned about the control. However, cash disbursements are not likely to become unimportant under these circumstances. The audit team could forgo examining an additional 20 items and take its chances that the planned amount of analytical procedures for expenses and work on inventory observation would also reveal any control breakdown in October-December. I do not recommend such action in the circumstances because (a) we should evaluate control risk in order to plan the extent of the other work, (b) the cost of examining an additional 20 items is not high, (c) audit completion might be delayed if we detect a control breakdown later in the audit, and (d) in these circumstances the dual-purpose nature of the other work may turn out to be circular and inefficient.
6.
F.57
I trust I have made my preference for completing the test of controls for the authorization control related to cash disbursements clear. I think this work should be done no earlier than December 20. Sample Selection a. In this case, the challenge is the fact that the checking accounts have overlapping check numbers. Checks written on Account 2 could be considered as numbers 0001 through 6,000 and checks written on Account 1 could be considered as 6001 through 9000 (simply add 2,368 to each check number). For unrestricted random selection, you could identify random numbers between 1 and 9,000 and select the associated check. For systematic random selection, you would choose a random starting point, calculate the sampling interval, and proceed through the population of checks. b. In this case, the challenge is that random numbers 1 through 8,999 would be discarded in an unrestricted random selection method. You could convert the five-digit sequence (9,000 13,999) to a four-digit sequence by subtracting the constant 8,999 from each purchase order number. This would yield purchase orders numbered 0001 through 5,000. If the above adjustments are made, when using unrestricted random selection, identifying random numbers between 0001 and 5,000 would provide you with the item selected. If you are concerned about discarding random numbers 5,001 through 9,999, you could create a duplicate set of purchase order numbers by adding the constant 5,000 to each number. As a result, item 1 would have two random numbers: 0001 and 5,001. However, you should be certain not to select the same item using two different random numbers. With respect to systematic random selection, you would choose a random starting point, calculate the sampling interval, and proceed through the population of purchase orders. However, you would not create a duplicate set of purchase orders; when you reached the end of the population; you merely begin applying the sampling interval to the beginning of the population until the appropriate number of items is selected. c. In this case, the challenge is the sheer magnitude of the listing and the time it would take to select the sample. You can think of this listing as containing a total of 3,750 records [(74 pages x 50 items = 3,700) + 40 items on last page = 3,740 items].
MODF-16
If unrestricted random selection is used, you would identify random numbers corresponding to items 0001 through 3,740. While this is relatively straightforward, the physical act of moving through the population is quite time consuming. If you are concerned about discarding random numbers 3,741 through 9,999, you could create a duplicate set of inventory line numbers by adding the constant 3,741 to each number. As a result, item 1 would have two random numbers: 0001 and 3,742. However, you should be certain not to select the same item using two different random numbers. If systematic random selection is used, you would choose a random starting point, calculate the sampling interval, and proceed through the perpetual inventory records. Depending upon the sample size, you may be able to bypass entire pages of the perpetual inventory records. F.58 Sample Selection
Based on the document numbers on the receiving reports, a total of 25,327 receiving reports (#38121 #12794 = 25327) were issued during the year.
1. Janice would select 50, 100, or 500 random numbers from a random number table or computer program and match those numbers to items in the population. For ease of selection, a computer program could be requested to generate the appropriate number of random numbers between 12,794 and 38,121. Janice would select a random starting point (a number somewhere between 12,794 and 38,121) and bypass a fixed number of items based on the sampling interval, as follows: Sample size of 50: Sample size of 100: Sample size of 500: F.59 Sample Selection a. For McNeals sample of invoices to be representative of the population of sales invoices, the sales invoices should (1) have been prepared throughout the year, (2) represent transactions of larger and smaller dollar amounts, (3) have been prepared by different individuals, and (4) represent sales made to different types of customers and/or customers in different geographic areas. Because systematic selection bypasses a fixed number of items within the population, it is important that the population be arranged in random order. If the population is not arranged in random order, a large number of items possessing similar characteristics may be bypassed for selection. 25,327 50 items = 507 items 25,327 100 items = 254 items 25,327 500 items = 51 items
2.
b.
c.
1. Because invoices are filed manually by date, this population cannot easily be rearranged in random order. However, since the invoices are arranged by date, the population is likely to be in random order. Unless the sales made by Branyon differ systematically across dates (for example, all of the large dollar sales are made in one relatively short period of time), this would not introduce any additional issues with respect to the use of systematic selection. However, McNeal must satisfy himself that the invoices in the files represent the complete population of sales.
MODF-17
2.
Because invoices are filed manually by customer classification, this population cannot be easily rearranged in random order. An additional concern is the fact that the invoices are not arranged in a random order with respect to sales volume. In this situation, if the proportion of high volume customers is relatively small, the use of systematic selection may result in this entire classification being bypassed by McNeal. This situation is similar to (1), with the exception that McNeal will not have direct access to the sales invoices. This introduces the concern that Branyons personnel will not provide invoices to McNeal that reflect deviations from internal control policies and procedures. McNeal should insist on visiting the off-site location and personally select the invoices for examination.
3.
F.59
Sample Selection (part c, Continued) Because invoices are maintained electronically, McNeal can arrange the population in whatever order he wishes. Since the electronic file of invoices is currently arranged by customer name (which would ordinarily be random), it appears that McNeal may proceed using systematic selection without considering any further matters. McNeal can satisfy himself that the population is complete by using a CAATT to total the invoices in the file and compare the total to the general ledger balance.
F.60
Sample Size Determination a. Using the sample size tables for a 5 percent risk of assessing control risk too low, 3 percent expected deviation rate, and 9 percent tolerable deviation rate results in a sample size of 84 items. The risk of assessing control risk too low would be determined judgmentally by Landry based on the level of control risk (as the level of control risk is lower, the risk of assessing control risk too low should be established at lower levels). The expected deviation rate is established based on prior audits (for recurring engagements) or a pilot sample of controls (for first-year engagements). The tolerable deviation rate is established based on the level of control risk (as the level of control risk is lower, the tolerable deviation rate should be established at lower levels). c. d. The revised sample size is 58 items. Because the acceptable risk of assessing control risk too low has increased, Landrys sample does not need to be as effective as when acceptable risk of assessing control risk too low is lower (the original level of 5 percent). As a result, Landry can examine a smaller sample.
b.
MODF-18
F.61
Sample Size Determination a. b. c. d. Sample size = 42 Sample size = 129 Sample size = 195 Sample size = 32
Comparing the appropriate sample sizes in (a) and (b), the only difference in sample size is related to an increase in the expected deviation rate from 0 percent in (a) to 3 percent in (b). As a result, the increase in sample size from 42 to 129 indicates that the expected deviation rate has a direct relationship with sample size. Comparing the appropriate sample sizes in (b) and (c), the only difference in sample size is related to a decrease in the tolerable deviation rate from 7 percent in (b) to 6 percent in (c). As a result, the increase in sample size from 129 to 195 indicates that the tolerable deviation rate has an inverse relationship with sample size. Comparing the appropriate sample sizes in (a) and (d), the only difference in sample size is related to an increase in the risk of assessing control risk too low from 5 percent in (a) to 10 percent in (d). As a result, the decrease in sample size from 42 to 32 indicates that the risk of assessing control risk too low has an inverse relationship with sample size. F.62 Sample Size Determination a. b. c. d. Sample size = 156 Sample size = 192 Sample size = 103 Sample size = 132
Comparing the appropriate sample sizes in (a) and (b), the only difference in sample size is related to an increase in the expected deviation rate from 1 percent in (a) to 1.5 percent in (b). As a result, the increase in sample size from 156 to 192 indicates that the expected deviation rate has a direct relationship with sample size. Comparing the appropriate sample sizes in (b) and (c), the only difference in sample size is related to an increase in the tolerable deviation rate from 4 percent in (b) to 6 percent in (c). As a result, the decrease in sample size from 192 to 103 indicates that the tolerable deviation rate has an inverse relationship with sample size. Comparing the appropriate sample sizes in (b) and (d), the only difference in sample size is related to an increase in the risk of assessing control risk too low from 5 percent in (b) to 10 percent in (d). As a result, the decrease in sample size from 192 to 132 indicates that the risk of assessing control risk too low has an inverse relationship with sample size. F.63 Sample Size Determination a. b. c. d. 66 9 percent 3.25 percent 5 percent
MODF-19
F.64
Sample Size Determination a. Cambridge should consider the expected deviation rate, risk of assessing control risk too low, and tolerable deviation rate in determining the necessary sample size. These factors are determined as follows: Expected deviation rate: Determined based on prior audits (for recurring engagements) or a pilot sample of controls (for first-year engagements). Risk of assessing control risk too low: Determined based on the level of control risk. Tolerable deviation rate: Determined based on the level of control risk and desired degree of assurance. b. Cambridge would determine sample size as follows: (1) select appropriate sample size table based on risk of assessing control risk too low; (2) identify the row of the table corresponding to the expected deviation rate; (3) identify the column of the table corresponding to the assessed tolerable deviation rate; and, (4) determine the sample size by identifying the junction of the row from step 2 and the column from step 3. Based on an expected deviation rate of 1 percent, a risk of assessing control risk too low of 10 percent, and a tolerable deviation rate of 6 percent, the appropriate sample size is 64.
c.
F.64
Sample Size Determination (Continued) d. 1. 2. 3. 4. Changes in the size of the population do not affect any of the factors used to determine sample size or sample size itself. Remediation of control deficiencies would reduce the expected deviation rate, which would result in a smaller sample size. Turnover of personnel in the purchasing function would increase the expected deviation rate, which would result in a larger sample size. The reduction in control risk would influence both the risk of assessing control risk too low (decrease) and the tolerable deviation rate (decrease). Both of these factors would result in a larger sample size. Increases in control risk would influence both the risk of assessing control risk too low (increase) and the tolerable deviation rate (increase). Both of these factors would result in a smaller sample size. In most cases, the addition of new vendors should not influence any of the factors affecting sample size or sample size itself. A case could be made that some additional deviations would occur as the vendor listing is being modified, which would increase the expected deviation rate and result in a larger sample size.
5.
6.
MODF-20
e.
If Cambridge increases her reliance on internal control, she will reduce the necessary level of control risk, which will ultimately decrease the acceptable risk of assessing control risk too low and tolerable deviation rate. Both of these factors will result in a larger sample size. Therefore, one impact of increasing the reliance on internal control is that Cambridge will incur additional costs in the form of tests of controls. In addition, the lower tolerable deviation rate that would be required in this situation increases the likelihood that her tests of controls will not support the planned level of control risk. However, the advantage to Cambridge of increasing her reliance on internal control is cost savings in the form of less extensive substantive procedures. If Cambridge maintains her reliance on internal control at planned levels, the extent of her tests of controls will not be affected and will be lower than the necessary level if she increased her reliance on internal control. However, she will need to perform more extensive substantive procedures.
f.
When deciding whether to increase her reliance on internal control, Cambridge should consider the likelihood that her tests of controls would support an increased level of reliance on internal control as well as the relative cost savings (in the form of less extensive substantive procedures) that this increased reliance on internal control would provide.
F.65
Sample Results Evaluation
a. b.
Sample Deviation Rate = No. of Deviations Sample Size Sample Deviation Rate = 3 60 = 0.05 or 5 percent Using the sample evaluation table, the upper limit deviation rate is 12.5 percent Allowance for Sampling Risk = Upper limit deviation rate - Sample Deviation Rate Allowance for Sampling Risk = 12.5 percent - 5 percent = 7.5 percent
c.
The upper limit deviation rate considers the likelihood that the sample selected by the auditor may under represent the deviation rate in the population. The upper limit deviation rate provides a conservative measure of the population deviation rate to control the auditors exposure to sampling risk to acceptable levels. Because the upper limit deviation rate (12.5 percent) exceeds the tolerable deviation rate (6 percent), Joan would conclude that the control is not functioning effectively. At this point, she could either reduce her planned level of reliance on internal control or expand the sample to examine a larger number of controls. Using the sample evaluation table for a 10 percent risk of assessing control risk too low yields a upper limit deviation rate of 10.8 percent; while lower than the upper limit deviation rate determined for a 5 percent risk of assessing control risk too low (12.5 percent), this upper limit deviation rate still exceeds the tolerable deviation rate of 6 percent. As a result, Joan would still conclude that the control is not functioning effectively.
d.
e.
F.66
Sample Results Evaluation a. (1) (2) (3) Sample deviation rate = 4 60 = 6.7 percent ULDR = 14.7 percent Allowance for sampling risk = 14.7 percent 6.7 percent = 8.0 percent
MODF-21
b.
(1) (2) (3)
Sample deviation rate = 6 60 = 10 percent ULDR = 18.8 percent Allowance for sampling risk = 18.8 percent 10 percent = 8.8 percent
(3)
(1) Sample deviation rate = 6 60 = 10 percent (2) ULDR = 16.9 percent Allowance for sampling risk = 16.9 percent 10 percent = 6.9 percent
c.
Comparing the ULDR in (a) and (b), the only difference in the ULDR is related to an increase in the number of deviations from 4 in (a) to 6 in (b). As a result, the increase in ULDR from 14.7 percent to 18.8 percent indicates that the number of deviations (and sample deviation rate) has a direct relationship with the ULDR. Comparing the ULDR in (b) and (c), the only difference in the ULDR is related to an increase in the risk of assessing control risk too low from 5 percent in (b) to 10 percent in (c). As a result, the decrease in the ULDR from 18.8 percent to 16.9 percent indicates that the risk of assessing control risk too low has an inverse relationship with the ULDR. F.67 Sample Results Evaluation a. (1) (2) (3) (1) (2) (3) (1) (2) (3) Sample deviation rate = 8 100 = 8.0 percent ULDR = 14.0 percent Allowance for sampling risk = 14.0 percent 8.0 percent = 6.0 percent Sample deviation rate = 4 100 = 4.0 percent ULDR = 9.0 percent Allowance for sampling risk = 9.0 percent 4.0 percent = 5.0 percent Sample deviation rate = 8 100 = 8.0 percent ULDR = 12.7 percent Allowance for sampling risk = 12.7 percent 8.0 percent = 4.7 percent
b.
c.
Comparing the ULDR in (a) and (b), the only difference in the ULDR is related to a decrease in the number of deviations from 8 in (a) to 4 in (b). As a result, the decrease in ULDR from 14.0 percent to 9.0 percent indicates that the number of deviations (and sample deviation rate) has a direct relationship with the ULDR. Comparing the ULDR in (a) and (c), the only difference in the ULDR is related to an increase in the risk of assessing control risk too low from 5 percent in (a) to 10 percent in (c). As a result, the decrease in the ULDR from 14.0 percent to 12.7 percent indicates that the risk of assessing control risk too low has an inverse relationship with the ULDR.
MODF-22
F.68
Sample Results Evaluation
a.
b. c. d.
Sample deviation rate = 2 30 = 0.0667 or 6.7 percent Upper limit deviation rate = 19.6 percent Allowance for sampling risk = 19.6 percent 6.7 percent = 12.9 percent Using 4 deviations, a risk of assessing control risk too low of 5 percent, and an upper limit deviation rate of 12.6 percent yields a sample size of 70. Sample deviation rate = 4 70 (see (d) above) = 0.057 or 5.7 percent Allowance for sampling risk = 12.6 percent 5.7 percent = 6.9 percent No. of deviations = 200 x 0.025 = 5 Upper limit deviation rate = 4.6 percent Sample deviation rate = 2 50 = 4 percent [Note: The student must complete (k) prior to completing (j)] Reviewing the sample evaluation tables for 2 deviations, a sample size of 50, and an upper limit deviation rate of 12.1% reveals a risk of assessing control risk too low of 5 percent. Upper limit deviation rate = 8.1 percent + 4 percent = 12.1 percent
e.
f. g. h.
i. j.
k. F.69
Sample Results Evaluation This case is one of Robert Ashtons behavioral decision cases (Accounting Review, January, 1984, pp. 78-97). He gives credit to W. Uecker and W. Kinney, Judgment Evaluation of Sample Results: A Study of the Type and Severity of Errors Made by Practicing CPAs, Accounting, Organizations and Society, Vol. 2, No. 3 (1977), pp. 269-75. The answer below is taken from Ashtons study (with modifications). NOTE TO INSTRUCTOR: Take a look at this answer. You may want to get the students to discuss Cases 1, 2, and 3 first, then give them a chance to think about Cases 4 and 5. See if they can be fooled to change their minds to choose the larger samples for Cases 4 and 5, and then discuss them. In this exercise, information about the sample size and sample deviation rates is available for each pair of outcomes. While sample size is independent of population parameters, sample deviation rate is representative of the population characteristic of interest (i.e., the population deviation rate). Use of the representativeness heuristic could cause one to ignore the size of the sample, and to base choices solely on the sample deviation rate. Thus one might choose Sample A in Case 1 and Sample B in Case 2 and 3, because their sample deviation rates are lower.
MODF-23
The AICPA sample evaluation tables show, however, that none of these three sample outcomes provides adequate assurance that the population deviation rate is below 5 percent. The other sample outcome (Sample B in Case 1 and Sample A in Case 2 and 3) does provide the desired assurance at a 95 percent confidence level (5 percent risk of assessing control risk too low). Thus reliance on the representativeness of the sample outcomes could lead one to choose the weaker evidence in these cases. Notice that the correct choice in Cases 1, 2, and 3 is the larger sample. It might be tempting to conclude that this will always be true (that is, larger samples are always superior to smaller samples). But this simplification will not always work either. Consider Cases 4 and 5. The correct answers are the smaller samples (although neither sample provides desired assurance in Case 5). Interestingly, use of the representativeness heuristic (i.e., focusing on the lower deviation rates) would lead to the correct choices in these two instances, but would result in incorrect choices in the first three pairs of sample outcomes. This illustrates that while use of simplifying heuristics can lead to good decisions, it can also lead the decision maker into making sub optimal decisions. F.70 Sample Results Evaluation a. Based on a sample size of 90 (rounded down from 93), a risk of assessing control risk too low of 5 percent, and zero deviations, the sample deviation rate is 0 percent (0 93 = 0 percent) and the upper limit deviation rate (using the AICPA sample evaluation tables) is 3.3 percent. The difference between the sample deviation rate and upper limit deviation rate is the allowance for sampling risk. The allowance for sampling risk controls the risk of assessing control risk too low to acceptable levels and reflects the possibility that Jackson has selected a nonrepresentative sample. Because the upper limit deviation rate (3.3 percent) is less than the tolerable deviation rate (5 percent), Jackson would conclude that the control is operating effectively and choose to rely on the internal control as planned. If 3 deviations were identified, the sample deviation rate is 3.2 percent (3 93 = 3.2 percent) and the upper limit deviation rate (using the AICPA sampling tables) is 8.4 percent. Because the upper limit deviation rate of 8.4 percent exceeds the tolerable deviation rate of 5 percent, Jackson would conclude that the control is not operating effectively and choose to reduce reliance on the internal control from planned levels. For a risk of assessing control risk too low of 5 percent and a sample size of 90, the upper limit deviation rate is 3.3 percent if zero deviations are found and 5.2 percent if one deviation is found. As a result, the maximum number of deviations that Jackson could permit without reducing his reliance on internal control is zero, since the upper limit deviation rate for one deviation (5.2 percent) exceeds the tolerable deviation rate. For a risk of assessing control risk too low of 10 percent and a sample size of 90, the upper limit deviation rate is 2.6 percent if zero deviations are found, 4.3 percent if one deviation is found, and 5.9 percent if two deviations are found. As a result, the maximum number of deviations that Jackson could permit without reducing his reliance on internal control is one, since the upper limit deviation rate for two deviations (5.9 percent) exceeds the tolerable deviation rate.
b.
c.
d.
e.
f.
MODF-24
This analysis reveals lower upper limit deviation rates compared to those for a 5 percent risk of assessing control risk too low. This difference results from the fact that Jackson is accepting a higher level of sampling risk, which reduces the allowance for sampling risk. Simply stated, a lower risk of assessing control risk too low provides Jackson with a more conservative (higher) upper limit deviation rate. F.71 Evaluating a Sampling Application
Mistake 1. The statistical criteria call for a sample of 181, not 100. Tom Barton used two test months for his selection of sample items.
Explanation 1. Tom Barton apparently did not use AICPA sampling tables in determining sample size or misread the AICPA sampling tables. A selection of two months does not make the sample representative of the years population; checks should be examined for selections from months throughout the year. Tom subsequently decided that the two deviations he found were not control deviations. The pay rate mistake has dollar-value impact that Tom made no effort to recognize (i.e., liability for underpayment of wages). When stratification is done properly, the two samples should be evaluated independently.
2.
2.
3.
Tom Barton did not define the deviation conditions carefully before beginning his sampling application. Tom Barton did not follow up sufficiently on the deviations he found. Tom Barton improperly combined a stratified sample into a single evaluation.
3.
4.
4.
5.
5.
6.
The reviewers (senior and partner) were not competent to review the statistical application.
6.
This is not Toms mistake, but it is worthwhile to point out that competence is as necessary at the review level as it is at the performance level.
MODF-25
F.72
Comprehensive Attribute Sampling a. The risk of assessing control risk too low would be determined judgmentally by Dodge based on the level of control risk (as the level of control risk is lower, the risk of assessing control risk too low should be established at lower levels). The expected deviation rate is established by Dodge based on prior audits (for recurring engagements) or a pilot sample of controls (for first-year engagements). The tolerable deviation rate is established by Dodge based on the level of control risk (as the level of control risk is lower, the tolerable deviation rate should be established at lower levels) and the desired degree of assurance. b. If Dodge wishes to place additional reliance on this control, she would reduce the risk of assessing control risk too low and the tolerable deviation rate. Dodges decision to place additional reliance on the control would not influence the level of the expected deviation rate. Using the AICPA sample size tables, the appropriate sample size corresponding to a risk of assessing control risk too low of 5 percent, an expected deviation rate of 2.75 percent, and a tolerable deviation rate of 7 percent would be 109 items. Sample deviation rate = 4 109 = 0.037 or 3.7 percent (rounded)
c.
d. Sample deviation rate = No. of deviations Sample size

e. f.
Using a 5 percent risk of assessing control risk too low, 4 deviations, and a sample size of 100 (the next highest sample size on the table), the upper limit deviation rate is 9.0 percent. Because the upper limit deviation rate (9.0 percent) exceeds the tolerable deviation rate (7.0 percent), Dodge would not be able to conclude that the control is functioning effectively. She would either reduce her reliance on internal control (increase the assessed level of control risk) or select additional items and reevaluate the results of her tests of controls.
F.73
Comprehensive Attribute Sampling a. A deviation would be defined as a situation in which the receiving reports do not have an indication that they have been verified by Rocks receiving personnel (this indication is in the form of marks adjacent to the quantities verified and a signature on the receiving report). The population would be defined as all receiving reports prepared during the year (or period) under audit. The completeness of the population would be verified by identifying the document numbers corresponding to the first and last receiving reports prepared by Rocks personnel during the year (or period) under audit. Rocks electronic listing can be used to select items for examination using the following selection methods:
b.
c.
MODF-26
1.
Unrestricted random selection: Alicia could use computer programs to identify 192 random numbers that correspond to receiving reports and select the related reports.
F.73
Systematic random selection: Alicia could use computer programs to randomly select a starting point in the population and select every nth (corresponding to the sampling interval) receiving report in the population. Comprehensive Attribute Sampling (part c, Continued) 3. Haphazard selection: Alicia could nonsystematically select receiving reports from the electronic listing without any rationale for including or excluding various receiving reports. Block selection: Alicia could use computer programs to reorganize the electronic listing to select receiving reports prepared by certain individuals, for certain types of vendors, or during certain dates.
2.
4.
The primary precaution that should be taken by Alicia is to be sure that the electronic listing is randomly arranged, particularly if systematic random selection is used.
d.
1.
Sample deviation rate = 2 100 = 2.0 percent Because the sample deviation rate is lower than the tolerable deviation rate (4 percent), Alicia might rely on the internal control as planned. However, since the sample deviation rate is higher than the expected deviation rate (1.5 percent), she might decide to increase her sample size
2.
Sample deviation rate = 4 100 = 4.0 percent Upper limit deviation rate = 9.0 percent Allowance for sampling risk = 9.0 percent 4.0 percent = 5.0 percent Because the sample deviation rate equals the tolerable deviation rate (4 percent), Alicia could not rely on the internal control as planned. There has to be some allowance for sampling risk, which would place the upper limit deviation rate over the tolerable deviation rate. Alicia would need to reduce her reliance on internal control or expand her sample to examine additional items.
3.
Sample deviation rate = 10 100 = 10.0 percent Upper limit deviation rate = 16.4 percent Allowance for sampling risk = 16.4 percent 10.0 percent = 6.4 percent Because the sample deviation rate exceeds the tolerable deviation rate (4 percent), Alicia could not rely on the internal control as planned and would need to reduce her reliance on internal control or expand her sample to examine additional items.
MODF-27
e.
Increasing the risk of assessing control risk too low from 5 percent to 10 percent would affect both the sample size selected for examination (by decreasing the sample size) and the calculation of the upper limit deviation rate used to evaluate the sample (by decreasing the upper limit deviation rate). The advantages of increasing the risk of assessing control risk too low is that Alicia would examine a smaller sample and would have a higher likelihood (all other factors held constant) of obtaining results that would allow her to rely on Rocks internal control. The primary disadvantage is that Alicia would increase the likelihood that she is inappropriately relying on Rocks internal control and, ultimately, failing to control audit risk at the acceptable level.
F.74
Nonstatistical Attribute Sampling a. Nonstatiscal sampling differs from statistical sampling in that it does not allow measurement of sampling risk. Therefore, samples may be selected using nonrandom techniques such as haphazard or block sampling. b. Because nonrandom techniques can be used, nonstatistical sampling is often faster and easier to perform. c. Curtis can select her sample by any method since she is not using statistical sampling. Thus, she can select a block of invoices or she can choose 50 invoices haphazardly, She can also use random or systematic selection. She must, however, be careful to try to obtain a representative sample.
d.
Because Curtis's expected deviation rate is zero and her sample deviation rate is 2% (1 50), Curtis must either expand her sample size or increase control risk. Increasing control risk will lead to decreased detection risk and expanded substantive procedures. F.75 Audit Simulation: Comprehensive Attribute Sampling a. Based on the parameters identified by the staff accountant, it appears that a sample size of 55 invoices was appropriate. In addition, the calculation of the upper limit deviation rate and decision to reduce reliance on the control policy was also appropriate. b. In the prior audit, your firm was unable to conclude that the control was operating effectively with a 10 percent risk of assessing control risk too low. Given this finding, as well as the fact that you did not observe any major changes or remediation with respect to these controls in the current year, it seems unlikely that an increased reliance on the control policy is viable. c. To increase the reliance on this control policy in the current audit, you will need to reduce both the risk of assessing control risk too low and the tolerable deviation rate. The result of these actions will be a larger sample size.
MODF-28
d. Using a risk of assessing control risk too low of 5 percent, a tolerable deviation rate of 6 percent, and an expected deviation rate of 1 percent, the sample size in the current audit is 78 items. As anticipated, this is a larger sample size than that used in the prior audit (55 items). e. While it is impossible to determine the exact increase resulting from changes in these individual factors, the sample size for the prior audit and changes in the parameters in the current audit are as follows (RACTL = risk of assessing control risk too low, EDR = expected deviation rate, TDR = tolerable deviation rate): (1) RACTL = 10 percent, EDR = 1 percent, TDR = 7 percent: (2) RACTL = 5 percent, EDR = 1 percent, TDR = 7 percent: (3) RACTL = 10 percent, EDR = 1 percent, TDR = 6 percent: 55 items 66 items 64 items
F.75
The parameters in set 1 represents those used in last years audit. Note that reducing the risk of assessing control risk too low from 10 percent to 5 percent (set 2) results in an increase in the sample size of 11 items (66 items 55 items = 11 items). Reducing the tolerable deviation rate from 7 percent to 6 percent (comparing sets (1) and (3) above) results in an increase in the sample size of 9 items (64 items 55 items = 9 items). As a result, changes in both factors do independently result in an increase in the sample size. Audit Simulation: Comprehensive Attribute Sampling (part e, Continued) You should note that the final sample size for the current set of parameters (noted in (d)) is 78 items. This sample size is larger than the sample size obtained by adding the individual effect(s) of decreasing the risk of assessing control risk too low and decreasing the tolerable deviation rate, indicating that the interactive effects of these changes are greater than the individual effects. f. Based on a sample size of 100 items and a risk of assessing control risk too low of 5 percent, the upper limit deviation rate for zero deviations is 3 percent, the upper limit deviation rate for one deviation is 4.7 percent, and the upper limit deviation rate for two deviations is 6.2 percent. Because the tolerable deviation rate is 6 percent, you would need to find one or fewer deviations to rely on the control policy at the planned level. Given the rate of deviations noted in last years audit, as well as the lack of changes in internal control or remediation with respect to these controls during the current year, increasing your reliance on internal control does not appear to be feasible. g. Based on a sample size of 100 items and a risk of assessing control risk too low of 10 percent, the upper limit deviation rate for zero deviations is 2.3 percent, the upper limit deviation rate for one deviation is 3.9 percent, the upper limit deviation rate for two deviations is 5.3 percent, and the upper limit deviation rate for three deviations is 6.6 percent. For a tolerable deviation rate of 6 percent, you could allow up to two deviations and choose to rely on the control at the planned level. h. The upper limit deviation rate is inversely related to the risk of assessing control risk too low; that is, as the risk of assessing control risk too low decreases, the upper limit deviation rate increases (and vice versa). From a practical standpoint, this means that, for higher levels of the risk of assessing control risk too low, the auditor can observe a higher number of deviations and still rely on internal control at the planned level.
MODF-29
F.76
Audit Simulation: General Attribute Sampling a. b. Joes statement is not correct Generally accepted auditing standards permit the use of either statistical sampling or nonstatistical sampling (AU 350.04). Joes statement is not correct Control risk should be determined prior to the determination of detection risk. In fact, the level of detection risk will be dependent upon the assessed level of control risk (AU 312.32, AU 319.03, and AU 319.05). Joes statement is correct The risk of assessing control risk too low relates to the effectiveness of an audit. If control risk is assessed at inappropriately low levels, the extent of substantive procedures will not be sufficient to control audit risk to acceptable levels (AU 350.14). Joes statement is not correct While segregation of duties is an important control, sampling is generally not appropriate for controls that do not provide documentary evidence (such as segregation of duties) (AU 350.32). Joes statement is correct As the degree of assurance required by a control increases, the necessary tolerable deviation rate decreases (AU 350.34). Joes statement is not correct Joe needs to consider the sampling risk that may be present in this situation (AU 350.41).
c.
d.
e. f. F.76
Audit Simulation: General Attribute Sampling (Continued) g. Joes statement is not correct While all deviations do have the same effect on the upper limit deviation rate, it is important for auditors to consider qualitative aspects of deviations, such as (1) whether deviations are intentional or unintentional and (2) the possible relationship of the deviation to other phases of the audit (AU 350.42). Joe's statement is not correct. Even when the upper limit deviation rate is lower than the tolerable deviation rate, auditors must be careful to follow up on all deviations to understand their cause.
h.
F.77
Audit Simulation: Comprehensive Attribute Sampling a. Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entitys internal control (AU 312.21). John would assess control risk at the maximum level because his risk assessment procedures have not identified any effective controls relevant to the assertion or because testing the operating effectiveness of controls would be inefficient. However, he needs to be satisfied that performing only substantive procedures for the relevant assertions would be effective in reducing detection risk to an acceptably low level. (AU 318.08) John would assess control risk at less than the maximum level when controls pertain to an assertion, controls are likely to be effective, and doing so would be more efficient than performing only substantive procedures (AU 318).
MODF-30
b.
The three objectives of internal control are financial reporting, operations, and compliance. The five components of internal control are the control environment, risk assessment, control activities, information and communications, and monitoring (AU 314.41). The combination of objectives and components that is most closely related to attribute sampling is the control activities related to the financial reporting objective, since this objective relates to the fairness of the companys financial statements (AU314.48).
c.
The two broad types of sampling risk related to attribute sampling are (AU 350.12): The risk of assessing control risk too low is the likelihood that the auditors sample provides evidence that the clients controls are functioning effectively when the population would indicate they are not functioning effectively. The risk of assessing control risk too high is the risk that the auditors sample provides evidence that the clients controls are not functioning effectively when the population would indicate that they are functioning effectively. The risk of assessing control risk too low exposes John to effectiveness losses, in terms of impacting his ability to detect material misstatements. The risk of assessing control risk too high exposes John to efficiency losses, through performing additional substantive procedures (AU 350.13 AU 350.14).
d.
F.77
John should consider (1) the relationship of the sample to the objective of the tests of controls, (2) the maximum rate of deviations from prescribed controls that would support his planned assessed level of control risk (tolerable deviation rate), (3) the allowable risk of assessing control risk too low, and (4) characteristics of the population (AU 350.31). Audit Simulation: Comprehensive Attribute Sampling (Continued) e. The tolerable deviation rate is the maximum rate of deviations from the prescribed control that the auditor would be willing to accept without altering his planned assessed level of control risk (AU 350.34). In assessing the appropriate level of the tolerable deviation rate, John should consider the level of control risk and the degree of assurance desired by the audit evidence in the sample (AU 350.34). f. In establishing the acceptable level of sampling risk, John should consider the degree of assurance desired from his tests of controls. As the degree of assurance desired from his tests of controls is higher, John would assess sampling risk at lower levels (AU 350.37). If John cannot locate an item for examination, he should consider the reasons for this limitation and ordinarily consider these items to be deviations (AU 350.40). John should consider whether additional evidence to support a further reduction in control risk is likely to be available and whether it would be efficient to perform tests of controls to obtain that evidence (AU 319.87).
g. h.
MODF-31
F.78
Kaplan CPA Exam Simulation: Factors Affecting Sample Size The audit team initially had anticipated an error rate for this particular procedure of 3 percent but, upon further review, decided that the anticipated error rate should be only 2 percent. The audit team initially had believed that an upper deviation rate of up to 6 percent could be tolerated. Upon further review, the tolerable deviation rate has been increased by the team to 7 percent. The audit team had originally anticipated that misstatement in the reported balance of accounts receivable of up to $26,000 could be tolerated. However, upon further review, that amount has been increase to $31,000. Initially, the audit team felt that it needed for the allowable risk of over relying on this particular control procedure to be relatively low. Later, though, upon further review of other available controls, the team decided that the allowable risk could be a bit higher. Sample size should be decreased
Sample size should be decreased
No impact on this sample size
Sample size should be decreased
F.79
Kaplan CPA Exam Simulation: Communications Regarding Sampling Terminology To: From: The President of the Hardi Company Partner, Lee & Associates CPAs
Sampling refers to making a decision about a whole (a population) by testing only a part of that group (called a sample). In practice and from a cost-benefit point of view, it is usually not beneficial for auditors to audit every single transaction or piece of evidence in order to provide reasonable assurance. Sampling risk is the chance that an auditor's conclusion will be wrong because only a portion of the population was examined. Sampling risk is the chance that a sample may not be representative of the population. An attributes sampling plan requires the auditor to formulate an expected deviation rate for the control activity being tested. The expected deviation rate is based on many factors, including the complexity of the activity, the results found in previous audits and any changes in circumstances which would reasonably increase the deviation (i.e. errors or defects) rate. The more deviations that are anticipated, the larger the sample must be.
F.80
ACL Assignment Go to the ACL Web site at www.mhhe.com/louwers3e, click on ACL Assignments and review the solution for Module F.
MODF-32

MODF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

MODF

Hochgeladen von

Copyright:

Verfügbare Formate

Module F - Attribute Sampling

MODULE F Attribute Sampling LEARNING OBJECTIVES

Determine the sample size for an attribute sampling application.

Identify various methods of selecting an attribute sample.

13, 14, 15, 16, 17, 18, 19, 20, 21, 22

Module F - Attribute Sampling

SOLUTIONS FOR REVIEW CHECKPOINTS

Module F - Attribute Sampling

F.12 F.13 F.14

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS

b. identified. c. d. identified. F.29 a. b. c. d. F.30 a. b. c. d. F.31 a. b. c. d. F.32

Module F - Attribute Sampling

Incorrect Incorrect Incorrect Incorrect Correct

Module F - Attribute Sampling

Incorrect Incorrect Incorrect Correct Incorrect Correct

Module F - Attribute Sampling

Incorrect Incorrect Incorrect Correct Incorrect Incorrect Correct Incorrect

Module F - Attribute Sampling

Correct Incorrect Incorrect

Incorrect Incorrect Incorrect Correct

Incorrect Incorrect Correct Incorrect

SOLUTIONS FOR EXERCISES, PROBLEMS, AND SIMULATIONS

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Inspect documentary evidence of approval of purchase orders by appropriate personnel.

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Sample Results Evaluation

Module F - Attribute Sampling

(1) (2) (3)

Module F - Attribute Sampling

Sample Results Evaluation

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

d. Sample deviation rate = No. of deviations Sample size

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Module F - Attribute Sampling

Sample size should be decreased

No impact on this sample size

Sample size should be decreased

Das könnte Ihnen auch gefallen