Notes Chapter 5 AUD
http://www.cpa-cfa.org
Audit Sampling (statistical sampling)
Sampling risk – reach the wrong conclusion based on the sample
Although statistical sampling aids the auditor in quantitative ways, it is not a substitute for professional
judgement. Professional judgement is still needed/required to set parameters and evaluate the results.
Audit risk – risk of getting the opinion wrong due to uncertainty in applying audit procedures (sampling and
other)
Risk of assessing control risk too low – risk that the assessed level of control risk based on the sample is less
than the true risk based on the actual operating effectiveness of the control (i.e. sample results indicate a lower
deviation rate than actually exists in the population)
Risk of assessing control risk too high – risk that the assessed level of control risk based on the sample is
greater than the true risk based on the actual operating effectiveness of the control (i.e. sample results indicate a
greater deviation rate than actually exists in the population)
There are two sorts of mistakes an auditor can make with sampling:
1. The auditor may fail to identify an existing problem (incorrect acceptance and assessing control risk too low)
2. The auditor may falsely identify a problem where none exists (incorrect rejection and assessing control risk
too high)
The risk of incorrect acceptance and the risk of assessing control risk too low relate to the effectiveness of an
audit in (possibly not) detecting an existing material misstatement. Auditors usually accept a risk of 5% (or
10%). Inverse to the risk is the confidence level (also called reliability). The auditor is 95% confident that the
sample is representative of the population.
The risk of incorrect rejection and the risk of assessing control risk too high relate to the efficiency of the audit
(the auditor does more audit work than is necessary)
Attribute Sampling
Planning considerations
• Relationship of the sample to the objective of the test of controls
• Tolerable deviation rate – maximum rate of deviation from a prescribed procedure the auditor will tolerate
without modifying planned reliance (or changing control risk assessment) on internal control. Rate set by
the auditor
• Auditor’s allowable risk of assessing control risk too low
• Characteristics of the population
Deviation rate – auditor’s best estimate of the deviation rate in the population from which the sample was
selected. There is a direct relationship to sample size: the fewer the deviations expected, the smaller the sample
size needed.
Population of 1000 and sample 100 items and 7 deviations identified within the sample
7% sample deviation rate
Estimate 70 deviations in the population (7% sample deviation rate)
If the estimated deviation rate for the entire population is less than the tolerable rate for the population, the
auditor should consider the risk that such a result might be obtained even though the true deviation rate for the
population exceeds the tolerable rate for the population. For example assume the tolerable rate for a population
is 5% and the sample consists of 60 items:
• If no deviations are found in the sample of 60, the auditor may conclude that there is an acceptably low
sampling risk that the true deviation rate in the population exceeds the tolerable rate of 5% (this is because
the sample deviation rate is much less than the tolerable rate)
• If the sample includes two or more deviations (2 in 60 = 3.33%), the auditor may conclude that there is an
unacceptably high sampling risk that the rate of deviations in the population exceeds the tolerable rate of
5% (this is because the sample deviation rate is close to the tolerable rate)
• The auditor applies professional judgement in making such evaluations
Sample deviation rate + allowance for sampling risk = Upper deviation rate
Allowance for sampling risk = margin for the possibility that what we found in the sample isn’t representative of the population
If the upper deviation rate is less than or equal to the auditor’s tolerable deviation rate, the auditor may rely on
the control (assuming results of other audit tests do not contradict such results)
If the upper deviation rate exceeds the auditor’s tolerable deviation rate, the auditor would not rely on the
control. Instead the auditor would either:
• Select and test compliance with some other internal accounting control, or
• Modify the nature, extent, or timing of related substantive tests to reflect the reduced reliance
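The evaluation rule above, applied to the 60-item sample with a 5% tolerable rate, as an added example that is not part of the original notes. The allowance for sampling risk is derived here from an exact one-sided binomial upper bound at a 5% risk of assessing control risk too low; that method is an assumption of this example (the notes do not say how the allowance is obtained), and the function names are hypothetical.

```python
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(deviations, sample_size, risk=0.05):
    """Largest population deviation rate still consistent with the sample.

    Finds the rate p at which observing `deviations` or fewer in the sample
    has probability equal to `risk` (risk of assessing control risk too low).
    """
    if deviations >= sample_size:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the CDF decreases as p increases
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_control(deviations, sample_size, tolerable_rate, risk=0.05):
    """Apply: sample deviation rate + allowance = upper deviation rate."""
    sample_rate = deviations / sample_size
    upper = upper_deviation_rate(deviations, sample_size, risk)
    return {
        "sample_rate": sample_rate,
        "allowance": upper - sample_rate,
        "upper_rate": upper,
        "rely": upper <= tolerable_rate,  # rely only if upper <= tolerable
    }


if __name__ == "__main__":
    # The two cases from the notes: 0 and 2 deviations in a sample of 60.
    for found in (0, 2):
        r = evaluate_control(found, 60, tolerable_rate=0.05)
        print(f"{found} deviations: sample {r['sample_rate']:.2%}, "
              f"allowance {r['allowance']:.2%}, upper {r['upper_rate']:.2%}, "
              f"rely on control: {r['rely']}")
```
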
The auditor projects the misstatements found in the sample to the population using one of several methods
(MPU, ratio, difference, etc). The projected misstatement is applied to the recorded balance to obtain a “point
estimate” of the true balance.
The auditor must then add an allowance for the sampling risk (sometimes called a precision interval) to this
estimate
In deciding whether to accept the client’s book value, the auditor determines whether the recorded book value
falls within the acceptable range (i.e. point estimate +/- the allowance for sampling risk). If so, the book value
is fairly stated
Advantages
• Emphasizes larger items by stratifying the sample. The chance of an item being selected is proportionate to
its dollar amount
• If no errors are expected, PPS sampling generally requires a smaller sample than other methods
Disadvantages
• Items with zero, negative or understated balances require special design considerations
Tolerable misstatement - the maximum dollar error that may exist in the account without causing the F/S to be
materially misstated
Reliability factors correspond to the risk of incorrect acceptance and are generally obtained from a table
Integrated test facility (ITF) – similar to test data approach except that the test data is commingled with live
data (the client’s system is used to process the auditor’s data, on-line)
• Test data must be separated from the live data before the reports are created. This is usually accomplished
by processing the test data to dummy accounts (fictitious customer, branch, vendor)
• Client personnel are not informed that the test is being run
Parallel simulation (reperformance test) – auditor re-processes some or all of the client’s live data (using auditor
software) and then compares the results with the client’s files (the auditor’s system is used to process client data)
Generalized audit software packages (GASPs) – allow the auditor to have little technical knowledge of the
client’s system (computerized environment)
Previously communicated significant deficiencies and material weaknesses that have not been corrected should
be communicated again
The CPA may report on mgmt’s assertion or may report directly on the effectiveness of the entity’s internal
control
Obtain from mgmt a written assertion about the effectiveness of the entity’s internal control. The assertion may
be presented in two ways:
1. a separate report that will accompany the accountant’s report
2. a representation letter to the accountant
When a material weakness exists, the CPA should express an opinion directly on the effectiveness of internal
control, and not on mgmt’s assertion
In a F/S audit, use of the report on the internal control is restricted, while
In a separate examination of internal control, use of the report is generally not restricted
The auditor’s report must disclose material weaknesses in internal control, but is not required to disclose
significant deficiencies that are not material weaknesses (different than the attestation standards)
If an auditor conducts the audit (of a nonissuer) in accordance with both GAAS and PCAOB, the auditor may
indicate in the auditor’s report that the audit was conducted in accordance with both standards
Government Auditing
Auditor’s responsibilities
• Obtaining reasonable assurance that the F/S are free of material misstatements resulting from violations of
laws and regulations that have direct and material effect on the F/S
• Obtaining an understanding of the possible effects on F/S of laws and regulations
• Assessing whether mgmt has identified laws and regulations that have direct and material effect
• Communicating to mgmt and the audit committee that an audit in accordance with GAAP may not be
sufficient if, during the audit, the auditor becomes aware that the entity is subject to additional audit
requirements that may not be encompassed in the terms of the engagement
Attestation engagements performed in conformity with Generally Accepted Government Auditing Standards
(GAGAS) (the yellow book) incorporate the AICPA’s standards for examinations, reviews, and agreed upon
procedures by reference and include expanded requirements
Mgmt is responsible for the entity’s compliance with laws and regulations
Mgmt has identified and disclosed in writing to the auditor all the laws and regulations that have a direct and
material effect on its F/S
Audit reports should be distributed to the appropriate officials of the entity requiring or arranging for the audit
(including external funding sources)
GAGAS requires a written report on the auditor’s understanding of internal control and the assessment of
control risk in all audits. This is different from GAAS, which requires written communication only when
significant deficiencies are noted
Auditor communication requirements increase in government settings. Auditors often have the responsibility of
reporting significant deficiencies to specific regulatory bodies or grantor agencies
Management Representations
Obtained from mgmt at the conclusion of fieldwork and should address all F/S covered by the report even if
current mgmt was not present during all such periods
Purpose:
1. To confirm representations explicitly or implicitly given to auditor
2. To indicate and document the continuing appropriateness of such representations
3. To reduce the possibility of misunderstanding concerning matters that are the subject of the
representations