AUDIT V

AUDIT SAMPLING

Definition: testing of less than 100% o the items within an account balance or class of transactions in
order to evaluate some characteristics of the balance or class when an auditor has no special knowledge
about likely misstatements.

 Every item in the population must have equal chances of being selected
 CPA cannot use bias deciding. No substitutes may be used.
 If the sample is large enough and is randomly selected, the sample will be representative of the
population.
 Sufficiency of audit evidence is related to the design and size of the sample.
 Professional judgment MUST be used when sampling despite of the method of sampling used.
 STATISTICAL SAMPLING: auditors specify the sampling risk they are willing to accept and then
calculate sampling size that provide that degree of reliability.
 NON-STATISTICAL SAMPLING: sample size is not determined mathematically. Auditors use
judgment in determining sample size, and sample results are evaluated judgmentally.
 PROFESSIONAL JUDGMENT includes: defining the population, selecting appropriate method,
evaluating appropriateness of evidence, errors and deviations, sampling risks, and evaluation of
results against population.

Use of Sampling
1. Types of Sampling
a. Attribute sampling: rate of occurrence; primarily used for testing of INTERNAL CONTROLS. It
also often deals with yes or no questions (i.e. is the invoice properly approved?)
b. Variable sampling and PPS: deals with DOLLAR VALUES.

2. Situations where sampling may not apply;

a. To obtain understanding of internal control
b. Test of automated application controls when effective general controls are present
c. Analysis of security and access controls (controls related to segregation of duties).
d. Tests related to the operation of control environment or the accounting system.

Audit Risk

 Sampling risk in Substantive testing: (i) risk of incorrect acceptance; (ii) risk of incorrect
rejection.
 Sampling risk in test of controls: (i) risk of assessing control risk too low – sample risk indicate a
lower deviation risk than it exists; (ii) risk of assessing control risk too high.
 Incorrect acceptance: auditor may fail to identify existing problem.
  Incorrect rejection: auditor may falsely identify a problem.
 Efficiency: the risk of incorrect rejection and the risk of assessing the risk too high relate to the
efficiency of the audit (auditor does more audit work than is necessary).
 Effectiveness: risk of incorrect acceptance and the risk of assessing control risk too low relate to
the effectiveness of the audit. Auditors usually accept a risk of 5% or 10%.

ATTRIBUTE SAMPLING

 Statistical sampling method used to estimate the rate (%) of occurrence (exception) of a specific
characteristic (attribute).
 Concludes whether controls are being applied as prescribed; YES or NO test; “are time cards
properly authorized, are invoices properly voided?”

A. Deviation Rate vs. Tolerable Rate

 Deviation rate: the auditor’s best estimate of the deviation rate in the population from which it
was selected. As the auditor expects fewer deviations, a smaller sample size would be needed.
 Tolerable deviation: the maximum rate of deviation from a prescribed procedure the auditor
will tolerate without modifying planned reliance on internal control. As the auditor is willing to
accept a greater deviation rate, a smaller sample size can be used.
 Expected failure rate: this is what we expect to have. The auditor’s best estimate of control
failure (before sampling).
 Allowance for sampling error/Precision: the difference between tolerable and expected.

Formula: Deviation rate + allowance for sampling error = Upper deviation rate (after sampling)

Upper deviation < or = Tolerable rate: rely on control

Upper deviation > Tolerable rate: do NOT reply on control

a. Risk of assessing risk too low – inverse relationship

b. Tolerable deviation rate – inverse relationship
c. Expected deviation rate – direct relationship
d. Variability – direct relationship

SUBSTANTIVE TESTS: VARIABLE SAMPLING

Projected Misstatement: these are misstatements that the auditor projects before collecting the
sample. This is compared against tolerable misstatements. If projected misstatements are low in
relation to tolerable misstatements it means there is a LOW sampling risk.

I. Variable Sampling Plan

a. Mean-Per-Unit Estimation: uses the average value of the items in the sample. This method
is sensitive to the variability of the population – auditors usually stratify to reduce sample
size.
 Estimate= average sample value x number of items in population
b. Ratio Estimation: uses ratio of the audited (correct) values of items to their book values to
project the true population value. Effective when the calculated audit amounts are
approximately proportional to the client’s book amount. Require smaller sample size then
MPU; although not as effective when expect large numbers of over-and understatements.
c. Difference Estimation: uses the average difference between the audited (corrected) values
of items and their book values to project the actual population value. Difference estimation
is used instead of ratio estimation when the differences are not nearly proportional to BV.
Require smaller sample size then MPU; although not as effective when expect large
numbers of over-and understatements.
(1) Sample size will Increase if the following increase (direct relationship)
a. Expected misstatements
b. Standard deviation (population variability)
c. Assessed level of risk
(2) Sample size will decrease as the following increase (inverse relationship)
a. Tolerable misstatement
b. Acceptable level of risk

SUBSTANTIVE TESTS: Probability –Proportional-To-Size (PPS)

In a probability-proportional-to-size sample with a sampling interval of $10,000, an auditor discovered

that a selected account receivable with a recorded amount of $5,000 had an audited amount of
$4,000. If this were the only misstatement discovered by the auditor, the projected misstatement of
this sample would be:

Answer: The sample error of $1,000 ($5,000  $4,000) is projected to the entire interval through use
of a "tainting factor" of 20% ($1,000/$5,000). If this were the only misstatement discovered by the
auditor, the projected misstatement of this sample would be 20% of $10,000, or $2,000

Formula: (a) Actual – (b) Audited = (c) / (a) x sampling interval = projected misstatement

 An auditor established a $60,000 tolerable misstatement for an asset with an account balance of
$1,000,000. The auditor selected a sample of every twentieth item from the population that
represented the asset account balance and discovered overstatements of $3,700 and
understatements of $200. Under these circumstances, the auditor most likely would conclude
that:

Answer: Selection of every twentieth item results in a sample that is 5% (1/20  .05) of the
population. The sample results indicate a net overstatement of $3,500 ( $3,700  $200), which is
then projected to the total population as $70,000 ( $3,500 / .05).
(Alternatively, 3,500  20  70,000). Since the projected misstatement of $70,000 exceeds the
tolerable misstatement of $60,000, there is an unacceptably high risk that the actual
misstatement in the population will exceed the tolerable misstatement
 EFFECTS OF INFORMATION TECHNOLOGY ON THE AUDIT

 If a client processes most of its financial data in electronic form, without any paper
documentation, audit tests should be performed on a continuous basis.
 Computer systems should be designed to supply electronic audit trails.
 Computer systems provide more opportunities for data analysis and review.
A. Auditing around the computer
(i) Auditor tests the input data, processes the data independently, and then compares the
independently determined results to the program results. Emphasis is on the input and
output stages of transaction processing.
B. Computer assisted audit techniques (CAAT) – input and processing
(i) Transaction tagging: electronic tag specific transactions and follow them through the
client’s system. Tagging allows the auditor to test the computerized processing and the
manual handling of transactions.
(ii) Embedded audit modules: sections of the application that collect transaction data for
the auditor (i.e. collect all transactions affecting a specific code greater than $500) -
Embedded audit modules are usually built into the application program when the program
is developed. This would require that the auditors be involved in the system design of the
application to be monitored.
(iii) Test data: uses the application program to process a set of test data for results which
are already known. (test auditor’s data off-line) The test data approach refers to a
technique in which the client's application program is used to process a set of test data,
the results of which are already known by the auditor. If the client's program is operating
effectively, it should generate the same results determined by the auditor.
(iv) Integrated Test Facility: similar to the test data approach except that the test data is
commingled with live data. (test auditor’s data on-line) – Use of fake customers,
vendors – client personnel are not informed that the test is being run.
(v) Parallel Simulation (re-performance test): auditor re-processes some or all of the client’s
live data using software provided by the auditor, then compares to actual results from
the software provided by the client.
C. Generalized Audit Software Package (GASPs)
(i) Allow the auditor to perform test of controls and substantive tests directly on client’s
system. Tasks performed by GASPs include:
a. Examining transactions for control compliance
b. Selecting items meeting specified criteria
c. Recalculating amounts and totals
d. Reconciling amounts and totals
e. Performing statistical analysis of transactions
(ii) Advantages:
a. Sample and test a much higher % of transactions; more reliable audit.
b. Require little technical knowledge
c. Can significantly reduce audit time without sacrificing quality.
D. Auditing with a Computer
(i) Advantages of using a computer
a. Reduce mathematical errors
b. Automatic cross reference
c. Automatic preparation of FS, tax return schedules, and consolidation.
d. Reduction in required supervisory review time
e. Automatic performance of certain analytical review procedures
f. Enhanced client service
g. Improved moral of audit team; less time spent on tedious tasks.
(ii) Disadvantages
a. Audit documentation may not contain readily observable details of calculations.

INTERNAL CONTROL COMMUNICATION

1. Control Deficiency: exists when the design or operation of a control does not allow
management or employees while performing their functions, to prevent or detect
misstatements on a timely basis.
2. Significant Deficiency: combination of control deficiencies, that affects the entity’s ability to
initiate, authorize, record, process, or report financial data reliably in accordance with GAAP
such that there is more than a remote change that a misstatement of the FS that is more than
inconsequential will not be prevented or detected. (i.e. selection and application of accounting
principles, antifraud programs, non-routine transactions, period-end financial reporting).
3. Material Weakness: a combination of significant deficiencies, that a material misstatement will
not be detected or prevented.

A. Responsibility of the Audit

(i) Detection of control deficiencies: auditor is NOT required to search for control
deficiencies or to express an opinion, but the auditor may become aware of deficiencies
when performing the audit.
(ii) Evaluation of Control deficiencies: auditor MUST evaluate deficiencies to determine
whether they represent significant deficiencies or material weaknesses.

 Current and Previous deficiencies and material weaknesses must be communicated to those
charged with governance in writing.
 It is recommended that a written communication to management regarding any deficiencies be
made by the report date, although a window extending to 60 days beyond this date is
acceptable.
 For issuers, the communication should occur before issuance of the auditor’s report.
B. The written report should include: Report should be in writing and addressed to management;
restricted in use; and issued no later than 60 days after the report release date.
a. Indication that the purpose of the audit is to express an opinion on the FS, not on the
effectiveness of the internal control
b. Statement that the auditor is not expressing an opinion on internal control
c. Definition of the significant deficiency and, if applicable, material weakness
d. Identification of those deficiencies
e. Statement that the communication is intended solely for the information use of
management (restricted use).

 If management provides the auditor with a written response, the auditor MUST add a paragraph
disclaiming an opinion on management’s response.

REPORTING ON INTERNAL CONTROL

 This is a type of attestation engagement according to the Statements on Standards for
Attestation Engagements. (SSAE)
 Auditor may report on management’s assertions regarding internal control, or directly on the
operating effectiveness of it.
 Management must accept responsibility for the effectiveness of internal control.
 Management must provide a (1) written representation letter acknowledging responsibility and
(2) a written assertion on the effectiveness of internal control. Failure to provide this letter will
result in a SCOPE limitation.
 A written communication should be made to management regarding any deficiencies or
material weakness.
 A statement that errors or irregularities may occur and not be detected due to inherent limitations
in internal control is included in the report when an auditor is engaged to express an opinion on
internal control, not when the auditor is reporting as part of an audit.

Performing the Engagement

1. Obtain management’s written assertion about the effectiveness of the internal controls.
2. Obtain an understanding of internal control through INQUIRY, OBSERVATION, AND
INSPECTION.
3. Evaluate the design effectiveness of the controls
4. Test and evaluate the operating effectiveness of the controls: inquiry, inspection, inspection
of documentation, observation, and re-performance.
5. Form an opinion.
 GOVERNMENT AUDIT
Audit of government entities often focuses on compliance with laws, rules, and regulations that
have a direct material effect on financial statement presentation.

Government engagements may be financial audit, attestation (compliance with specific laws), or
performance audits (evaluation of effectiveness, economy, and efficiency).

Sources of government auditing standards:

a. GAAS applicable to all audits

b. GAGAS (yellow book): applicable to most government audits, including attestation and
performance audits.

Rule: Reporting responsibilities under GAGAS are expanded to include:

1. Reports on compliance with laws, rules, and regulations, violations of which may affect
financial statement amounts, and
2. Reports on internal control over financial reporting.

Requirements:

 Government auditors need a quality control review every 3 years.

 Internal control documentation must identify controls applicable to compliance.
 Representation letter should include specific assertions regarding compliance with laws,
rules, and regulations.
 GAGAS ALWAYS require a written report on internal control.
 Reporting of illegal acts is required.
 Audits of recipients of federal financial assistance should be conducted with both GAAS
and GAGAS with:
a. Expanded internal control documentation
b. Expanded reporting on internal control and assessment of control risk
c. Expanded reporting on whether assistance has been properly administered in
accordance with applicable laws and regulations.
d. Application of single audit standards to federal financial assistance.

Reporting Under GAGAS

In addition to GAAS reporting requirements, GAGAS must:

1. Include an affirmative statement of compliance with GAGAS.

2. Describe the scope of testing of regulatory compliance and internal control: present results
of tests, or refer to separate report.
3. Describe omitted information: due to prohibitions on general disclosure.
4. Describe the distribution of the report
 Reporting on Internal Control

Objective: safeguarding of assets and compliance with laws and regulations.

1. Obtain an understanding of the DESIGN of relevant controls and whether they have been
IMPLEMENTED.
2. Communicate all significance deficiencies noted during the audit.
3. GAGAS requires a written report on the auditor understands of internal control and
assessment of control risk in ALL audits. This is different from GAAS, which require written
communication only when deficiencies are noted.

Contents of Report on Internal Control

 Assertion that evaluating compliance with laws, rules, regulations with a direct material
effect on the FS is part of developing an opinion on the FS.
 Assertion that specific controls relating to financial reporting is reported.
 Indication whether significant deficiencies were found and whether they were material.

Single Audit: OMB CIRCULAR A-133 – Single Audit Act

a. Entities that expend a total assistance equal or in excess of $500,000 must have an audit in
accordance with this act.
b. Objective: (i) audit of financial statements, and reporting on a separate schedule of
expenditures of federal awards in relation to those financial statements; (ii) compliance
audits are expended throughout the year for issuing additional reports on compliance
related to major programs and on internal control over compliance.
c. The single act requires that materiality of the transaction be considered separately in
relation to each major program, not simply in relation to the FS.
d. Major transactions: $300,000 or more.
e. Auditors can also use the risk approach to determine major programs.
f. A single audit represents a combined audit of both an entity's financial statements and
federal financial assistance programs. The single audit provides audited organizations with
the opportunity to capitalize on the efficiency of satisfying their audit requirements with a
single audit. Auditors are governed by the Single Audit Act and OMB Circular A-133.
Henderson, CPA has decided to use probability-proportional-to-size (PPS) sampling, sometimes referred
to as dollar-unit or cumulative-dollar-amount sampling, in the audit of a client's accounts receivable.
Henderson will use the following PPS sampling table:

Reliability Factors for Errors of Overstatement

Number of
Overstatement Risk of Incorrect Acceptance
Misstatements 1% 5% 10%
0 4.61 3.00 2.31
1 6.64 4.75 3.89
2 8.41 6.30 5.33
3 10.05 7.76 6.69
4 11.61 9.16 8.00

Additional Information:

Tolerable misstatement
(net of effect of expected misstatement) $126,000
Risk of incorrect acceptance 5%
Number of misstatements allowed 2
Recorded amount of accounts receivable $700,000
Number of accounts 500

The reliability factor, as determined from the table, is 6.3. Sampling interval is then calculated as
tolerable misstatement divided by the reliability factor, or $126,000 / 6.3 = $20,000. In a population of
$700,000 with a sampling interval of $20,000, the sample size will be $700,0000 / $20,000, or 35
accounts.