Auditing II

Applications

1
 CHAPTER 1
CONSIDERING MATERIALITY AND AUDIT RISK

1. Define the meaning of the term materiality as it is used in accounting

and auditing. What is the relationship between materiality and the
phrase obtain reasonable assurance used in the auditor's report?

Answer:

 Materiality defined as: the magnitude of an omission or

misstatement of accounting information that, in light of the
surrounding circumstances, makes it probable that the
judgment of reasonable person relying on the information
would have been changed or influenced by the omission or
misstatement.
 " Obtain reasonable assurance " as used in the audit report,
means that the auditor does not guarantee or insure the fair
presentation of the financial statements. There is some risk that
the financial statements contain a material misstatement.

2. Explain why materiality is important but difficult to apply in

practice.

Answer:

 Materiality is important because if financial statements are

materially misstated, users' decisions may be affected, and
thereby cause financial loss to them.
 It is difficult to apply because there are often many different
users of the financial statements.
 The auditor must therefore make an assessment of the likely
users and the decisions they will make. Materiality is also
difficult to apply because it is a relative concept. The
professional auditing standards offer little specific guidance

2
 regarding the application of materiality. The auditor must,
therefore, exercise considerable professional judgment in
the application of materiality.

3. What is meant by setting a preliminary judgment about materiality?.

Identify the most important factors affecting the preliminary judgment.

Answer:

 The preliminary judgment about materiality is the maximum

amount by which the auditor believes the financial statements
could be misstated and still not affect the decisions of
reasonable users.
 Several factors affect the preliminary judgment about
materiality and are as follows:
a. Materiality is a relative rather than an absolute concept
b. Bases are needed for evaluating materiality
c. Qualitative factors affect materiality decisions
d. Expected distribution of the financial statements will
affect the preliminary judgment of materiality. If the
financial statements are widely distributed to users, the
preliminary judgment of materiality will probably be se
lower than if the financial statements are not expected to
be widely distributed.
e. The level of acceptable audit risk will also affect the
preliminary judgment of materiality.

4. What is meant by using bases for setting a preliminary judgment

about materiality? How would those bases differ for the audit of a
manufacturing company and a government unit such as a school
district?

Answer:

 Because materiality is relative rather than absolute, it is

necessary to have bases for establishing whether misstatements
are material.
 For example, in the audit of a manufacturing company, the
auditor might use as bases: met income before taxes, total
assets, current assets, and working capital.

3
  For a governmental unit, such as a school district, there is no
net income before taxes, and therefore that would be an
unavailable base. Instead, the primary bases could likely be
fund balances, total assets, and perhaps total revenue.

5. Assume that a CPA is using 5% of net income before taxes, current

assets, or current liabilities as her major guidelines for evaluating
materiality. What qualitative factors should she also consider in
deciding whether misstatements may be material?

Answer:

The following qualitative factors are likely to be considered in

evaluating materiality:

a. Amounts involving fraud are usually considered more

important than unintentional errors of equal dollar amount.
b. Misstatements that are otherwise minor may be material if
there are possible consequences arising from contractual
obligations.
c. Misstatements that are otherwise immaterial may be material
if they affect a trend in earnings.

6. Distinguish between the terms tolerable misstatement and

preliminary judgment about materiality.

Answer:

 A preliminary judgment about materiality is set for the

financial statements as a whole.
 Tolerable misstatement is the maximum amount of
misstatement that could be considered material for an
individual account balance. The amount of tolerable
misstatement for any given account is dependent upon the
preliminary judgment about materiality.
 Ordinarily, tolerable misstatement for any given account
would have to be lower than the preliminary judgment about
materiality.

4
  In many cases, it will be considerably lower because of the
possibility of misstatements in different accounts that, in total,
cannot exceed the preliminary judgment about materiality.

7. Explain what is meant by making an estimate of the total

misstatement in a segment and in the overall financial statements. Why
is it important to make these estimates? What is done with them?

Answer:

 An estimate of the total misstatement in a segment is the

estimate of the total misstatements based upon the sample
results.
 If only a sample of the population is selected and audited, the
auditor must project the total sample misstatements to a total
estimate. This is done by audit area. The misstatements in each
audit area must be totaled to make an estimate of the total
misstatements in the overall financial statements. It is
important to make these estimates so that, the auditor can
evaluate whether the financial statements, taken as a whole,
may be materially misstated. The estimate for each segment is
compared to tolerable misstatement for that segment and the
estimate of the overall misstatement on the financial statements
is compared to the preliminary judgment about materiality.

8. Define the audit risk model and explain each term in the model.

 The audit risk model is as follows:

PDR = AAT / ( IR x CR )
Where: PDR = Planned detection risk
AAR= Acceptable audit risk
IR = Inherent risk
CR = Control risk
 Planned detection risk. A measure of the risk that audit
evidence for a segment will fail to detect misstatements
exceeding a tolerable amount, should such misstatements exist.
 Acceptable audit risk. A measure of how willing the auditor is
to accept that the financial statements may be materially

5
 misstated after the audit is completed and an unqualified
opinion has been issued.
 Inherent risk. A measure of the auditor's assessment of the
likelihood that there are material misstatements in a segment
before considering the effectiveness of internal control.
 Control risk. A measure of the auditor's assessment of the
likelihood that misstatements exceeding a tolerable amount in a
segment will not be prevented or detected by the client's
internal controls.

9. What is meant by planned detection risk? What is the effect on the

amount of evidence the auditor must accumulate when planned
detection risk is increased from medium to high?

Answer:

Planned detection risk is a measure of the risk that the audit

evidence for a segment will fail to detect misstatements exceeding a
tolerable amount, should such misstatements exist. When planned
detection risk is increased from medium to high, the amount of
evidence the auditor must accumulate is reduced.

10. Explain the causes of an increased or decreased planned detection

risk.

An increase in planned detection risk may be caused by an

increase in acceptable audit risk or a decrease in either control risk
or inherent risk. A decrease in either planned risk is caused by the
opposite: a decrease in acceptable audit risk or an increase in control
risk or inherent risk.

11. Define what is meant by inherent risk. Identify four factors that
make for high inherent risk in audits.

Inherent risk is a measure of the auditor's assessment of the

likelihood that there are material misstatements in a segment before
considering the effectiveness of internal control.

Factors affecting assessment of inherent risk include:

1. Nature of the client's business

6
 2. Results of previous audits
3. Initial vs. repeat engagement
4. Related parties
5. Non-routine transactions
6. Judgment required to correctly record transaction and
7. Makeup of the population.

12. Explain what is meant by the term acceptable audit risk. What is its
relevance to evidence accumulation?

Answer:

 Acceptable audit risk is a measure of how willing the auditor is

to accept that the financial statements may be materially
misstated after the audit is completed and an unqualified
opinion has been issued.
 Acceptable audit risk has an inverse relationship to evidence. If
acceptable audit risk is reduced, planned evidence should
increase.

13.Multiple choice Questions

1. If it is probably that the judgment of a reasonable person would
information is, by td have been changed or influenced by the
omission or misstatement of the information, then that information
is , by definition of FASB statement NO.2,
a. Material
b. Insignificant
c. Significant
d. Relevant
2. The preliminary judgment about materiality is the amount by which
the auditor believes the statements could be misstated and still not
affect the decisions of reasonable users.
a. Minimum
b. Maximum
c. Mean average
d. Median average

7
3. When auditors allocate the preliminary judgment about materiality
to account balances, the materiality allocated to any given account
balance is referred to in SAS NO. 39 as
a. The materiality range
b. The error range
c. Tolerable materiality
d. Tolerable misstatement
4. Why do auditors establish a preliminary judgment about
materiality?
a. To help the auditor plan the appropriate evidence to accumulate
b. So that the client can know what records to make available to
the auditor
c. To determine what level of staffing (i.e. Work experience) is
required for the auditor
d. None of the above
5. If an auditor establishes a relatively low level for materiality, then
the auditor will
a. Accumulated more evidence than if a higher level had been set
b. Accumulate less evidence than if a higher level had been set
c. Accumulate approximately the same evidence as would be the
case were a higher level set
d. Accumulate an undetermined amount of evidence
6. After the preliminary judgment about materiality has been
established, auditors may
a. Not adjust it
b. Adjust it downward only
c. Adjust it upward only
d. Adjust it either downward or upward
7. In an audit area that has a higher inherent risk, it would be prudent
to
a. Increase the amount of audit evidence gathered
b. Assign more experienced staff to that area
c. Review the completed audit files more thoroughly
d. Do all of the above

8
8. Which of the following is least likely to be appropriate as the basis
for determining the preliminary judgment about materiality in the
audit of a set of financial statements?
a. Net income before taxes
b. Current assets
c. Owners` equity
d. Inventory
9. Which of the following might not be a signal of a lack of integrity in
management?
a. Prior criminal conviction of an assembly line foreman
b. Frequent turnover of key internal audit personnel
c. Frequent disagreements with previous auditors
d. Frequent turnover of key financial personnel
10. Which of the following qualitative factors may significantly
influence whether an item is deemed to be material?
a. Misstatements that are otherwise minor may be material if
there are possible consequences arising from contractual
obligations
b. Misstatements that are otherwise immaterial may be material if
they affect a trend in earnings
c. Amounts involving fraud are usually considered more important
than unintentional errors of equal dollar amounts
d. All of the above may influence materially.
11. Auditors generally allocate the preliminary judgment about
materially to
a. The balance sheet only
b. The income statement only
c. The income statement and balance sheet
d. The statement of cash flow
12. Which of the following statements regarding inherent risk is
correct?
a. The inherent risk assigned in the audit risk model is unaffected by
the auditor`s experience with client`s organization
b. Most auditors set a low inherent risk in the first year of an audit
and increase it if experience shows that it was incorrect

9
 c. Most auditors set a high inherent risk in the first year of an audit
and reduce it in subsequent years as they gain experience, even
there is inherent risk
d. The inherent risk assigned in the audit model is dependent upon
the strengths in client`s internal control system

13. Auditors begin their assessments of inherent risk during the

planning phase. Which of the following would not be a topic of the
planning phase that would also help to assess inherent risk?
a. Obtaining client`s agreement on the engagement letter
b. Obtaining knowledge about the client`s business and industry
c. Touring the client`s plant and offices
d. Identifying related parties
14. Which of the following isn`t a difficulty associated allocating the
preliminary judgment about material balance sheet accounts?
a. Auditor`s expect certain accounts to have more misstatement
than others
b. The allocation can have a significant effect on audit costs.
c. The auditor can expect to identify overstatements as well
understatements in the accounts.
d. All of the above are difficulties associated with the allocation of
materiality.
15. What is the primary means of dealing with risk in planning audit
evidence?
a. Selection of more effective tests of details of balances.
b. Application of the audit risk model.
c. Establish a lower preliminary judgment about materiality.
d. All of the above.
16. the opinion paragraph in auditor`s reports includes two important
phrases that are directly related to materiality and risk. The phrases are

a. "in our opinion" and 'in all material respects"

b. "presents fairly" and "in all material respects"
c. "in our opinion" and "presents fairly"
d. "in all material respects" and "reasonable assurance"

10
17. the phrase "in our opinion" in the auditor`s report is intended to
inform users that auditors
a. Guarantee fair presentation of the financial statements.
b. Act as insurers of the accuracy of the statements.
c. Certify the material presented in the statements by
management.
d. Base their conclusions about the statements on professional
judgment.
18. Inherent risk is related to detection risk and related to the
amount of audit evidence.
a. Directly, inversely
b. Directly, directly
c. Inversely, inversely
d. Inversely, directly
19. The five steps in applying materiality are listed below in random
order.
a. Estimate the combined misstatement.
b. Estimate the total misstatement in the segment.
c. Set preliminary judgment about materiality.
d. Allocate preliminary judgment about materiality to segments.
e. Compare combined estimate with preliminary judgment about
materiality.
The correct sequence from start to finish would be
a. 1 2 5 4 3.
b. 3 4 2 1 5.
c. 4 3 1 5 2.
d. 5 1 3 2 4.
20. SAS No. 47 defines the preliminary judgment about materiality as
the combined amount of misstatements in the financial statements
that would be considered material. This judgment
a. Need not be quantified.
b. Must be quantified.
c. Must be quantified in terms of dollars.
d. Must be quantified in terms of both dollars and of a percentage
of sales.

11
21. Which of the following statements is not correct?
a. Materiality is a relative rather than an absolute concept.
b. Normally, the most important base used as the criterion for
deciding materiality is total assets.
c. Qualitative factors as well as qualitative factors effect
materiality.
d. Given equal dollar amounts, frauds are usually considered more
important than errors.
22. Since materiality is relative, it is necessary to have bases for
establishing whether misstatements are material. Normally, the most
common base for deciding what is material is
a. Net income before taxes.
b. Net working capital.
c. Net income after taxes.
d. Total assets.
23. Certain types of misstatements are likely to be more important
than other types to users, even if the dollar amounts are the same.
Which of the following does not demonstrate this?
a. Amounts involving frauds are considered more important than
errors of equal amount.
b. Misstatements that are possible consequences arising from
contractual obligations.
c. Misstatements that ate otherwise immaterial may be material if
they affect a trend to earnings.
d. Each of the above demonstrates this concept.
24. The more effective the internal controls, the lower the risk factor
that assigned to control risk.
a. Should be.
b. Could be.
c. Is.
d. Must be.
25. Allocating the preliminary judgment about materiality is segments
of the financial statements is necessary because
a. Evidence is accumulated for the financial statements as a whole
so the materiality doesn`t apply to them.

12
 b. Evidence is accumulated by segments rather than for the
financial statements as a whole.
c. It is required by the AICPA`s code of professional conduct.
d. It is required by the SEC.
26. Which of the following statements in not correct?
a. Either an overstatement of an asset account or an
understatement of a liability account would have the same effect
on the income statement.
b. A misclassification in the balance sheet will have no effect on
operating income.
c. Either an overstatement of an asset account or an
overstatement of a liability account would have the same effect
on the income statement.
d. Either an understatement of an asset account or an
overstatement of a liability account would have the same effect
on the income statement.
27. Regardless of how the allocation of the preliminary judgment
about materiality was done, when the audit is complete the auditor
must be confident that the combined errors in all accounts are:
a. Less than the preliminary judgment.
b. Equal to the preliminary judgment.
c. More than the preliminary judgment.
d. Less than or equal to the preliminary judgment.
28. Auditors frequently refer to the terms audit assurance, overall
assurance, and level of assurance to refer to _________.
a. Detection risk.
b. Audit report risk.
c. Acceptable audit risk.
d. None of the above.
29. If planned detection risk is reduced, the amount of substantive
evidence the auditor accumulates will
a. Increase
b. Decrease
c. Remain unchanged
d. Be indeterminate.

13
30. When discussing control risk (CR) and the audit risk mode which of
the following statements is not true?
a. CR is measure of the auditor's assessment of the like likelihood
that misstatements exceeding a tolerable amount will not be
prevented or detected by the client's internal controls.
b. If the auditor concludes that internal control is completely
ineffective to prevent or detect errors. He/she would assign a 0%
to CR.
c. The relationship between control risk and detection risk is
inverse.
d. The relationship between control risk and evidence is direct.
31. Which of the following is not a good indicator of the degree to
which statements are relied on by external users?
a. Client's size, as measured by total assets or total revenue
b. Distribution of ownership among the public
c. Nature and amount of liabilities
d. Amount of net income or loss after taxes.
32 In situations in which the auditor believes the chance of financial
failure or loss is high, and there is a corresponding increase in client
business risk for the auditor, acceptable audit risk should
a. Be reduced
b. Be increased
c. Remain the same
d. Be calculated using a computerized statistical package.
33. When management has an adequate level of integrity for the
auditor to accept the engagement but cannot be regarded as
completely honest in all dealings, auditors normally
a. Reduce acceptable audit risk and increase inherent risk
b. Reduce inherent risk and control risk
c. Increase inherent risk and control risk
d. Increase acceptable audit risk and reduce inherent risk.

14
34. Many account balances require estimates and/or a great deal of
management judgment. One area that does not require such judgment
would be
a. Allowance for uncollectible accounts
b. Useful life of equipment for tax purposes
c. Obsolete inventory
d. Liability for warranty payments.
35. Inherent risk is reduced where the likelihood of defalcations is low.
This would be true for an account such as
a. Inventory
b. Marketable securities
c. Cash
d. The overall audit
36. The auditor assesses control risk and inherent risk. On a typical
engagement, the auditor would be least likely to assess these for
a. Each audit objective
b. Each cycle
c. Each account
d. The overall audit.
37. When the auditor is attempting to determine the extent to which
external users rely on a client's financial statements, they may consider
several factors including
a. Client size
b. Concentration of ownership
c. Types and amounts of liabilities
d. Types and amounts of liabilities
e. All of the above
38. When setting a preliminary judgment about materiality
a. More evidence is required for a low dollar amount than for a
high dollar amount
b. Less evidence is required for a low dollar amount than for a high
dollar amount

15
 c. The same amount of evidence is required for either low or high
dollar amounts
d. There is no relation between it and the dollar amount of
evidence needed.
39. When allocating materiality, most practitioners choose to allocate
to
a. the income statement accounts because they are more
important
b. the balance sheet accounts because there are fewer
c. both balance sheet and income statement accounts because
there could be errors on either one
d. all of the financial statements because there could be errors on
other statements besides the income statement and balance
sheet.
40. The expectation of misstatements after considering the effect of
internal control is most appropriately thought of as
a. control risk and acceptable audit risk
b. inherent risk
c. the combination of inherent risk and control risk
d. none of the above.
41. When the auditor has the same level of willingness to risk that
material errors will exist after the audit is finished for all five cycles
a. a different extent of evidence is needed for various cycles
b. the same amount of evidence will be gathered for each cycle
c. he/she has not followed generally accepted auditing standards
d. the level for each cycle must be no more than 2% so that the
entire audit does not exceed 10%.
42. Which of the following factors is least likely to contribute
opportunities leading to misappropriation of assets?
a. Inadequate controls instead to segregation of duties.
b. Not requiring mandatory vacation.
c. Disregard for the need to monitor or reduce risks of
misappropriating assets.
d. Presence of large sums of cash or inventory items of high value.

16
43. When discussing inherent risk (IR) and the audit risk model, which
of the following isn`t true?
a. IR is inversely related to planned decision risk.
b. IR is inversely related to evidence.
c. IR is the susceptibility of the financial statements to material
error, assuming no internal controls.
d. IR is the auditor`s assessment of the likelihood that errors
exceeding a tolerable amount exist in a segment before
considering the effectiveness of internal accounting controls.
44. When discussing acceptable audit risk (AAR) and the audit risk
model, which of the following statements is true?
a. The terms audit assurance, overall, assurance, or level of
assurance are synonyms for AAR.
b. AAR Is objectively determined by the auditor.
c. AAR is the risk that the auditor is willing to take that the
financial statements are fairly stated after the audit is completed
and an unqualified opinion has been reached.
d. When the auditor decides on a lower acceptable audit risk, it
means the auditor wants to be more certain that the financial
statements are not materially misstated.
45. Which of the following is an example of the concept of inherent
risk?
a. Humans make more errors than computers; therefore, a manual
accounting system is riskier than a computerized system.
b. Accounting systems with vouchers have many more controls
built in, so the risk that there will be errors on the financial
statements is reduced.
c. Loans receivable for a finance company are less likely to be
collectible than those of a bank.
d. Audits with larger sample sizes are less risks than those with
smaller sample sizes.
46. Tolerable misstatement a set by the auditor
a. Decreases acceptable audit risk.
b. Increases inherent risk and control risk.
c. Affects planned detection risk.
d. Does not affect any of four risks.

17
47. The audit risk model is
a. A planning, testing, and evaluating model.
b. Useful in evaluating results but limited use in planning.
c. Useful in planning, but of limited value in evaluating results.
d. Useful when performing the tests of balances, but of little value
in either the planning or evaluation stages.
48. Which of the following underlies the application of generally
accepted auditing standards, particularly the standards of field work
and reporting?
a. The elements of materiality and relative risk.
b. The element of internal control.
c. The element of corroborating evidence.
d. The element of reasonable assurance.
Other objective answer format questions
49. Below are four situations that involve the audit risk model as it is
used for planning audit evidence requirements in the audit of
inventory. For each situation, calculate planned detection risk.
Situation
1 2 3 4
Acceptable 1% 10% 10% 5%
audit risk
Inherent risk 100% 100% 50% 20%
Control risk 100% 100% 40% 30%
Planned
detection
risk

50. using your knowledge of the relationships among acceptable audit

risk, inherent risk, control risk, planned detection risk, tolerable
misstatement, and planned evidence, state the effect on planned
evidence (increase or decrease) of changing each of the following
factors, while the other factors remain changed.
1. An increase in acceptable audit risk.
2. An increase in inherent risk.
3. A decrease in control risk.
4. An increase in planned detection risk.
18
 5. An increase in tolerable misstatement.

51. Match six of the terms (a-i) with the definitions provided below (1-
6):
a. Business risk.
b. Preliminary judgment about materiality.
c. Inherent risk.
d. Planned detection risk.
e. Audit assurance.
f. Acceptable audit risk.
g. Tolerable misstatement
h. Control risk.
i. Materiality.
1. A measure of the risk that audit evidence for a segment
will fail to detect misstatements exceeding a tolerable
amount, should such misstatements exist.
2. The risk that the client will fail to achieve its objectives.
3. A measure of the auditors assessment of the likelihood
that misstatements exceeding a tolerable amount in a
segment will not be prevented or detected by the client's
internal controls.
4. A measure of how much risk the auditor is willing to take
that the financial statements may be materially misstated
after the audit is completed and an unqualified audit
opinion has been issued
5. The materiality allocated to any given account balance
6. The maximum amount by which the auditor believes that
the statements could be misstated and still not affect the
decisions of reasonable users.
52. In practice, auditors rarely assign numerical probabilities to
inherent risk, control risk, or acceptable audit risk. It is more common
to assess these risks as high, medium, or low. For each of the four
situations below, fill in the blanks for planned detection risk and the
amount of evidence you would plan to gather (planned evidence) using
the terms high, medium, or low.

19
 Situation
1 2 3 4
Acceptable audit risk Low Low High High
Inherent risk High Low Low Low
Control risk High Low Medium low
Planned detection risk ______ ______ _______ ____
Planned evidence ---------- ---------- ---------- -------

True or False:
53. The auditor's preliminary judgment about materiality is the
maximum amount by which the auditor believes the financial
statements could be misstated and still not affect the decisions of
reasonable users.
a. True
b. False
54 There is no precise definition of materiality in the professional
literature.
a. True
b. False

55. Net income before taxes is normally the most important

base for deciding what is material.
a. True
b. False
56. Most practitioners allocate the preliminary judgment about
materiality to balance sheet, rather than income statement, accounts.
a. True
b. False
57. The primary purpose of allocating the preliminary judgment about
materiality to financial statement accounts is to help the auditor
decide the appropriate evidence to accumulate for each account.
a. True
b. False

20
58. Auditors often use prior year financial statement balances to
establish their preliminary judgment about materiality in planning the
current year's audit.
a. True
b. False
59. If acceptable audit risk is low, and inherent risk and control risk are
both high, then planned detection risk should be high.
a. True
b. False
60. Inherent risk and planned detection risk are inversely related, i.e.,
as inherent risk increase, planned detection risk should decrease,
ceteris paribus.
a. True
b. False
61. Acceptable audit risk and planned detection risk are inversely
related; i.e., as acceptable audit risk increases, planned detection risk
should decrease, ceteris paribus.
a. True
b. False
62. The most important element of the audit risk model is control risk.
a. True
b. False
63. Auditors are required to test any internal controls they believe
have not been operating effectively during the period under audit.
a. True
b. False
64. Auditors have difficulty applying the concept of materiality in
practice because they often do not know who the users of the financial
statements are or what decisions will be made.
a. True
b. False

21
65. If the preliminary judgment of materiality increase, the amount of
audit evidence required will also increase.
a. True
b. False
66. Tolerable misstatement is the maxim combined total of all
misstatements in the financial statements that the auditor is willing to
allow, or tolerate, when issuing a standard unqualified opinion.
a. True
b. False
67. If an auditor assigns a tolerable misstatement of $1000 to accounts
payable, he or she would need to obtain more audit evidence for
account than if $100000 had been assigned.
a. True
b. False
68. Inherent risk and control risk are directly related; i.e., as inherent
risk increase, control risk also increase.
a. True
b. False
69. An acceptable audit risk assessment of low indicates a risky client
requiring more extensive evidence, assignment of more experience
personnel, and/or a more extensive review of audit files.
a. True
b. False
70. Audit assurance is the complement of planned detection risk, that
is, one minus planned detection risk.
a. True
b. False

22
 Answers

M.C.O:

1-a 18-d 35-d

2-b 19-b 36-d
3-d 20-a 37-d
4-a 21-b 38-a
5-a 22-a 39-b
6-d 23-d 40-c
7-d 24-b 41-a
8-d 25-b 42-c
9-a 26-c 43-b
10-d 27-d 44-d
11-a 28-c 45-c
12-c 29-d 46-d
13-a 30-a 47-c
14-d 31-d 48-a
15-b 32-a
16-a 33-a
17-d 34-b
Other objective answer format questions:

49- 1. 1%, 2. 10%, 3. 50%. 4. 83%

50- 1. Decrease, 2. Increase, 3. Decrease, 4. Decrease, 5. Decrease.

51- 1. D, 2. A, 3. H, 4. F, 5. G, 6. B.

52- 1. Low, high – 2. High, low – 3. Medium, medium -4. High, low.

True or False:

53- a 57-a 61-b 65-a 69-a

54-a 58-a 62-b 66-b 70-b
55-a 59-b 63-b 67-a
56-a 60-a 64-b 68-b

23
Examples :
1) If an auditor decides to allocate $ 36,000 of a total preliminary
judgment about materiality of $ 500,000 to inventory, in auditing
inventory, the auditor found $ 3,500 of net overstated amounts in a
sample of $ 50,000 of the total population of $ 450,000

Required: Explain the auditor decision towards the acceptance of

inventory balance.

Solution

Total estimated misstatement amount of the inventory:

Direct Projection

Direct Projection
($3,5000÷ 50,000) × 450,000 $31,500
+
Sampling Error
($31,500× 50%) 15,750
$47,250
Where
 Tolerable misstatement = $36,000
 *Total estimated misstatement exceeds tolerable misstatement
 The auditor reject the inventory balance as it appears in the
balance sheet, and requires adjustments made by management.

2) If an auditor decides to allocate $35,000 of a total preliminary

judgment about materiality of $80,000 to accounts receivable, in
auditing accounts receivable, the auditor found $4,000 of overstated
amounts and $6,000 of understated amounts in a sample of $100,000
of the total population of $1000,000.

Required: Explain the auditor decision towards the acceptance of

accounts receivable balance.

24
Solution

 - Net misstatement in accounts receivable = $2,000 understand.

 -Total estimated misstatement amount of the accounts
receivable:

Direct projection
($2,000÷100,000)×1,000,000 $20,000
+
Sampling Error
($20,000×50%) 10,000
Where

Tolerable misstatement = $35,000

Total estimated misstatement lesser than tolerable misstatement

The auditor accepts the accounts receivable balance as it appears in

the balance sheet.

Problem: You are evaluating audit results for assets in the audit of El
Marwa Manufacturing. You set the preliminary judgment about
materiality at $50000. The account balances, tolerable misstatement,
and estimated overstatements in the accounts are shown next.

Account Account Tolerable Estimate of

Balance Misstatement Total
Overstatement
Cash $ 50000 $ 5000 $ 1000
Acc. Receivable 1200000 30000 20000
Inventory 2500000 50000 25000
Other assets 250000 15000 12000
Total $ 4000000 $ 100000 $58000
Required:
a. Assume you tested inventory amounts totaling $1000000
and found $10000 in overstatements. Ignoring sampling risk,
what is your estimate of the total misstatement in
inventory.

25
 b. Based on the audit of the assets accounts and ignoring other
accounts, are the overall financial statements acceptable?
Explain.
c. What do you believe the auditor should do in the
circumstances?
Solution:
a. The Direct projection of the total misstatement in
inventory =
b. (Net Misstatement in the Sample/Total Sampled)x Total
Recorded Population Value
c. ($ 10000/$1000000) x $ 2500000 = $25000
d. No. the overall financial statements are not acceptable.
Including the projected error for inventory, the total
overstatement errors are $58000 which exceeds
materiality of $50000.
e. The auditor should either propose an audit adjustment so
that the unadjusted statement amount is less than
materiality, and/or perform more testing to obtain a
better estimate of the population misstatements. The
additional testing will likely focus on receivables and
inventory because they have the largest estimated
misstatement.

Case:
In allocating tolerable misstatement, the auditor of El Marwa
company uses judgment in the allocation, subject to the
following two arbitrary requirements:
1. Tolerable misstatements for any account cannot exceed 75%
of the preliminary judgment.
2. The sum of all tolerable misstatements cannot exceed twice
the preliminary judgment about materiality.
After the auditor completed the audit, he prepared the
following table which includes a comparison of estimated total
misstatement for preliminary judgment about materiality:

Comparison of Estimated Total Misstatement to Preliminary Judgment

26
about Materiality
Estimated Misstatement Amount
Account Tolerable Known Sampling Total
Misstatement Misstatemen
t Error
And Direct
Projection
Cash $4000 $2000 $ NA $2000
Acc. Receivable 20000 12000 6000 18000
Inventory 36000 31500 15750 47250
Total estimated $45500 $16800 $62300
misstatement amount
Preliminary judgment $50000
about materiality
NA=NOT
applicable.
Cash audited 100
%

Required:
1. What is the auditor's decision regarding the acceptability of the
financial statements?
2. What are the alternative actions that the auditor will take before he
issues the audit report?
Solution:
1. The total estimate misstatement of $62300 exceeds the preliminary
judgment about materiality of $50000. Because the estimated
combined misstatement exceeds the preliminary judgment, the
financial statements are not acceptable.
2. The auditor can either:
a. Determine whether the estimated likely misstatement actually
exceeds $50000 by performing additional audit procedures. If
the auditor decides to perform additional audit procedures, they
will concentrated in the inventory area, because it is the major
are of difficulty, where estimated misstatement of $47250 is
significantly greater than tolerable misstatement of $36000.
b. Require the client to make an adjustment for estimated
misstatement.
27
Example :
IR= 100%
CR=100%
AAR=5%
Answer :
PDR= 0.05/1×1=0.05 or 5%

Example : Study the effect of IR in PDR and accordingly on the amount

of evidence that should be accumulated.
AAR = 5%
IR = 20%, 60%, 80%, 95%
CR = 100%
PDR = ??
SOLUTION:
PDR = AAR / (IR X CR)

INHERENT RISK
Low HIGH
IR 20% IR 60% IR 80% IR 95%
PDR = PDR = PDR = PDR =
0.05/(0.2X1) = 0.05/(0.6X1) = 0.05/(0.8X1) = 0.05/(0.95X1)
0.25 0.08 0.06 = 0.05
PDR = 25% PDR = 8% PDR = 6% PDR = 5%
Less planned More planned
evidence evidence
Less planned More
staff experiences
staff

Example :

 IR= 100%
28
  CR= 100%
 ACDR= 4%
 AAR= 5%
Answer :
 ACAR= IR×CR ×ACDR
= 1 ×1 ×0.04=4%
Comment
The auditor compares ACAR (4%) with AAR (5%) and
concludes that sufficient evidence has been accumulated the
auditor is satisfied that achieved risk is less than or equal to
AAR.
If AAR is 3% more evidence accumulated.

CHAPTER 2
AUDIT OF INTERNAL CONTROL

29
 AND CONTROL RISK

1. Describe the three broad objectives management has when

designing effective internal control.

Answer :

 Reliability of financial reporting. Management is responsible for

preparing statements for investors, creditor, and other users.
Management has both a legal and professional responsibility to be
sure that the information is fairly presented in accordance with
reporting requirements such as GAAP.
 Efficiency and effectiveness of operations. Controls within a
company encourage efficient and effective use of its resources to
optimize the company's goals. An important objective of these
controls is accurate financial and non financial information about the
company's operations for decision making.
 Compliance with laws and regulations. All public companies required
to issue a report about the operating effectiveness of internal control
over financial reporting.

2. Describe which of the three categories of broad objectives for

internal controls are considered by the auditor in an audit of both
the financial statements and internal control over financial
reporting.
Answer :
The auditor's focus in both the audit of financial statements and the
audit of internal controls over the reliability of financial reporting
plus those controls over operations and compliance with laws and
regulations that could materially affect financial reporting.

3. Section 404 of the Sarbanes-Oxley Acts requires management to

issue a report on internal control over financial reporting. Identify
the specific Section 404 reporting requirements for management.
Answer :

30
Section 404 of Sarbanes-Oxley Act requires management of all public
companies to issue an internal control report that include the
following:
- A statement that management is responsible for establishing and
maintaining an adequate internal control structure and procedures
for financial reporting
- An assessment of the effectiveness of the internal control structure and
procedures for financial reporting as of the end of the company's
fiscal year.
Management's assessment of internal control over financial reporting
consists of two key components. First, management must evaluate
the design of internal control over financial reporting. Second,
management must test the operating effectiveness of those controls.

4. What is the auditor's responsibility for obtaining an understanding

of internal control? How does that responsibility differ for audits of
public and nonpublic companies?
Answer :
Because of its importance, knowledge about a client's internal control is
included in a separate generally accepted auditing standard. Recall that
the second GAAS field work standard. Auditors are primarily concerned
about controls over the reliability of financial reporting and controls over
classes of transactions

a. Controls Over the Reliability of Financial Reporting. The auditor

focuses primarily on controls related to the first of management's
internal control concerns: reliability of financial reporting.
Financial statements are not likely to correctly reflect GAAP if
internal controls over financial reporting are inadequate.
b. Controls over Classes of Transactions. Auditors emphasize
internal control over classes of transactions rather than account
balances because the accuracy of accounting system outputs
(account balances) depends heavily on the accuracy of inputs and
processing (transactions).

31
 Auditor Responsibilities for Testing Internal Control. Section 404
requires that the auditor attest to and issue a report on
management's assessment of internal control over financial
reporting. To express an opinion on these controls, the auditor
obtains an understanding of and performs tests of controls for all
significant account balances, classes of transactions, and disclosures
and related assertions in the financial statements.

5. What are the five components of internal control in the COSO

internal control framework?

Answer :

COSO's Internal Control-Integrated Framework, it describes five

components of internal control include the following:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

6. What is meant by the control environment? What are the factors

the auditor must evaluate to understand it?

The essence of an effectively controlled organization lies in the

attitude of its management. If top management believes that
control is important, others in the organization will sense that
and respond by conscientiously observing the controls
established. If members of the organization believe that
control is not an important concern to top management, it is
almost certain that management's control objectives will not
be effectively achieved.

To understand and assess the control environment, auditors should

consider the most important control subcomponents:

 Integrity and Ethical Values.

32
  Commitment to Competence.
 Board of director or audit committee participation
 Management's philosophy and operating style.
 Organizational structure.
 Human resource policies and practices

7. Explain the COSO's five components of internal control

TABLE 1. COSO Components of Internal Control
INTERNAL CONTROL
Component Description of Further Subdivision
Component (if applicable)

Control Actions, policies, and Subcomponents of the control

environment procedures that reflect
the overall attitude of to
management, directors,
and owners of an entity
about internal control
and its importance
environment:
-Integrity and ethical values
-Commitment to competence
-Board of director and audit committee
participation
-Organizational structure
-Human resource policies

Risk Management's Risk assessment processes:

assessment identification and
analysis of risks relevant
to the preparation of
financial statements in
accordance with GAAP
Control P0licies and procedures
activities that management has
established to meet its
objectives for financial
reporting
33
- Identify factors affecting risks
- Assess significance of risks and
likelihood of occurrence
-Determine actions necessary to mange
risks.
Categories of management assertions
that must be satisfied:
-Assertions about classes of transactions
and other events
- Assertions about account balances
-Assertions about presentation and
disclosure
Types of specific control activities:
-Adequate separation of duties
-Proper authorization of transactions
and activities
-Adequate documents and records
Physical control over assts and
records
 - Independent checks on
performance
Information Methods used to initiate, Transaction-related audit objectives
and record, process, and that must be satisfied:
communicati report an entity's - Occurrence
on transactions and to - Completeness
maintain accountability - Accuracy
for related assets -Posting and summarization
-Classification
-Timing
Monitoring Management's ongoing Not applicable
and periodic assessment of
the quality of internal
control performance to
determine whether
controls are operating as
intended and are modified
when needed

8. Describe the four phases performed by the auditor when obtaining

an understanding of internal control and assessing control risk.
Answer :
There are four phases of the process of understanding internal control
and assessing control risk for an integrated audit of the financial
statements and the effectiveness of internal control over financial
reporting.
Process for Understanding Internal Control and Assessing Control Risk

Phase 1: Obtain and document understanding of internal control:

design and operation
Phase 2: Assess control risk
Phase 3: Design, perform, and evaluate tests of control
Phase 4: Decide planned detection risk and substantive tests

9. What are management's responsibilities for documenting internal

control over financial reporting in a public company?

34
 1. First: Design of Internal Control. Management must evaluate
whether the controls are designed and put in place to prevent
or detect material misstatements in the financial statements.
Management's focus is on controls over all relevant assertions
for all significant accounts and disclosures in the financial
statements.
2. Second: Operating Effectiveness of Controls. In addition,
management must test the operating effectiveness of controls.
The testing objective is to determine whether the control
possesses the necessary authority and qualifications to
perform the control effectively.

10. What two aspects of internal control must the auditor assess
when performing procedures to obtain an understanding of
internal control?
1. Controls Over the Reliability of Financial Reporting. To comply
with the second standard of field work, the auditor focuses
primarily on controls related to the first of management's
internal control concerns: reliability of financial reporting.
Financial statements are not likely to correctly reflect
GAAP if internal controls over financial reporting are
inadequate.
2. Controls over Classes of Transactions. Auditors emphasize
internal control over classes of transactions rather than
account balances because the accuracy of accounting
system outputs (account balances) depends heavily on the
accuracy of inputs and processing (transactions).

11. What is a walkthrough of internal control?

In a walkthrough, the auditor selects one or a few
documents of a transaction type and traces them from

35
 initiation through the entire accounting process. At each
stage of processing, the auditor makes inquiries,
observes activities, and examines completed documents
and records.

12. Describe what is meant by a key control and a control

deficiency.
Identify the absence of key controls. Internal control
questionnaires, flowcharts, and walkthroughs are useful
tools to identify where controls are lacking and the
likelihood of misstatement is therefore increased. It is
also useful to examine the control risk matrix.

Control deficiency. It exists if the design or preparation

of controls does not permit company personnel to
prevent or detect misstatements on a timely basis. A
design deficiency exists if a necessary control is missing
or not properly designed. An operation deficiency exists
if the person performing the control is insufficiently
qualified or authorized.

13.How does the sufficiency of evidence differ between

procedures to obtain an understanding of internal control
and tests of controls?
The auditor is likely to use four types of procedures to
support the operating effectiveness of internal controls.
The four types of procedures are as follows:
a- Make inquiries of appropriate client personnel.
Although inquiry is not a highly reliable source of
evidence about the effective operation of controls, it
is still appropriate.

36
b- Examine documents, records, and reports. Many
controls leave a clear trail of documentary evidence
that can be used to test controls.
c- Observe control-related activities. Some controls do
not leave an evidence trail, which means that it is
not possible to examine evidence that the control
was executed at a later date.
d- Re-perform client procedures. There are also
control-related activities for which there are related
documents and records, but their content is
insufficient for the auditor's purpose of assessing
whether controls are operating effectively.

CHAPTER 3

37
 IMPLICATIONS OF INFORMATION
TECHNOLOGY FOR THE AUDIT PROCESS

1. Companies frequently implement controls specific to their IT functions.

These controls are referred to as general controls and application
controls. Briefly describe each of these type of controls.
Answer:
1. General controls are those that relate to all aspects of the IT
function. They include controls related to administration,
software acquisition and maintenance, physical and on-line
security over access to hardware, software, and related data,
backup and disaster recovery planning, and hardware controls.
2. Application controls relate to the processing of individual
transactions. Application controls are specific to certain software
applications and typically do not affect all IT functions.
2. Discuss how the integration of IT into accounting systems enhances
internal control.
Answer:
Enhancements to internal control resulting from the integration of IT
into accounting systems include:
 Computer controls replace manual controls. Replacing manual
procedures with programmed controls that apply checks and
balances to each processed transaction and that process
information consistently can reduce human error that is likely to
occur in traditional manual environments.
 Higher quality information is available. IT systems typically
provide management with more and higher quality information
faster than most manual systems
3. Discuss the major factors associated with complex IT systems that
increase control risk and the likelihood of material misstatements in the
financial statements.

Answer:

38
Factors associated with complex IT systems that increase the likelihood
of material misstatements in the financial statements include:
a. Reliance on the functioning capabilities of hardware and software.
Without proper protection, hardware or software may not
function properly.
b. Reduced visibility of audit trail. Because much of the information
is entered directly into the computer, the use of IT often reduces
or eliminates source documents and records that allow the
organization to trace accounting information.
c. Reduced human involvement. In complex IT systems, there are
fewer opportunities for observing whether misstatements have
occurred.
d. Uniformity of processing increases risk of systematic errors.
Erroneous processing can result in the accumulation of a great
numbers of misstatements in a short period of time.
e. Unauthorized access. If not well controlled, data-processing
systems allow easy access to data and use of the data by
unauthorized persons.
f. Loss of data. When large amount of data are centralized, there is
an increased risk of there loss or destruction.
g. Reduced segregation of duties. In IT systems, computers perform
more duties that were traditional segregated, such as
authorization and record keeping.
h. Lack of traditional authorization. It is common in IT systems for
certain types of transactions to be initiated automatically by the
computer.
i. Need for IT experience. Personnel with knowledge and experience
to install, maintain, and use the computer system are essential.
The reliability of an IT system and the information it produces
often depend on whether the organization can employ personnel
with appropriate technology knowledge and experience.
4. Identify the three categories of application controls , and give one
example of each.
Answer:
Application controls fall into three categories:
a. Input controls. Key verification and check digits are examples of
input controls.

39
 b. Processing controls. One example is a reasonableness test for the
unit selling price of a sale.
c. Output control. One example is post-processing review of sales
transactions by the sales department.
5. Discuss what is meant by the term auditing around the computer.
Answer:
Auditing around the computer occurs when the auditor considers only
the non-IT controls when assessing control risk. Under this approach, the
auditor obtains an understanding of internal control and performs tests
of controls, substantive tests of transactions, and account balance
verification procedures in the same manner as in mutual systems.
However, there is no attempt to test, or rely on, the client`s IT controls.
6. Describe two computer auditing techniques available to the auditor.
Answer:
Computer auditing techniques available to the auditor are:
a. Test data approach. Using this approach, the auditor develops
different types of transactions that are processed under his or her
own control using the client`s computer programs on the client`s
IT equipment.
b. Parallel simulation. Using parallel simulation, the auditor writes a
computer program that replicates some part of the client`s
application system. The client`s data is then processed using the
auditor`s computer program. The auditor then compares the
output generated by his or her program with that generated by
the client`s program to test the correctness of thy client`s
program. Generalized audit software may be used.
c. Embedded audit module. Using this approach, the auditor inserts
an audit module in the client`s application system to capture
transactions with characteristics that are of interest to the
auditor.

7. What are the two software testing strategies that companies typically
use? Which strategy is more expensive?

40
Answer:
Companies may use pilot testing and parallel testing to test new
software. Pilot testing involves operating the new software at a limited
number of facilities, while continuing to operate the old software at all
other locations. Parallel testing is more expensive than pilot testing.
8. Discuss the advantages and benefits of using generalized audit
software.
Answer:
Advantages and benefits of using generalized audit software includes:
a. They are developed in such a manner that most of audit staff can
be trained to use the program even if they have a little formal IT
education.
b. A single program can be applied to a wide variety of clients with
minimal customization.
c. Generalize audit software can perform tests much faster and in
more detail than using traditional manual procedures.
9. Assume you are using generalized audit software (GAS) during your
audit of accounts receivable. Discuss four kinds of tests or audit
procedures you can perform with the GAS if the client`s data are in
machine-readable form.
Answer:
Examples of the types of tests that can be performed using GAS during
the audit of accounts receivable include:
a. Verifying extensions and footings.
b. Examining records for quality, completeness, consistency, and
correctness.
c. Comparing data on separate files.
d. Summarizing or re-sequencing data and performing analyses.
e. Comparing data obtained through other audit procedures with
company records.
f. Selecting audit samples.
g. Printing confirmation requests.
10. Discuss the four areas of responsibility under the IT function that
should be segregated in large companies.

41
Answer:
The responsibilities for IT management, systems development,
operations, and data control should be separated:
a. IT Management. Oversight of the IT function should be
segregated from the systems development, operations and data
control functions. Oversight of IT should be the responsibility of
the chief information officer or IT manager.
b. Systems development. Systems analysts are responsible for the
overall design of each application system. Programmers
develop, test, and document applications software.
Programmers and analysts should not have access to input data
or computer operations.
c. Operations. Computer operators are responsible for the day-to-
day operations of the computer.
d. Data control. Data control personnel independently verify the
quality of input and the reasonableness of output.
11. Identify the six categories of general controls, and give one example
of each.
Answer:
General controls fall into the following six categories:
a. Administration of IT function. For example, the chief information
officer (CIO) should report to senior management and board of
directors.
b. Segregation of IT duties. For example, there should be separation
of duties between the computer programmers, operators, and
the data control group.
c. Systems development. Users, analysts, and programmers
develop and test software.
d. Physical and on-line security. For example, passwords should be
required for access to computer systems.
e. Backup and contingency planning. Written backup plans should
be prepared and tested on a regular basis throughout the year.
f. Hardware controls. For example, uninterruptable power supplies
should be used to avoid loss of data in the event of a power
blackout.
Multiple-Choice Question:

42
1. Which of the following is not a risk specific to IT environments?
a. Reliance on the functioning capabilities of hardware and software.
b. Increased human involvement.
c. Loss of data due to insufficient backup.
d. Reduced segregation of duties.
2. Which of the following are not an application control?
a. Processing controls
b. Output controls
c. Hardware controls
d. Input controls.
3. General controls include all of the following except:
a. Systems development
b. Online security
c. Processing controls
d. Hardware controls.
4. Which of the following IT duties should be separated from the others?
a. Systems development
b. Operations
c. IT management
d. All of the above should be separated.
5. In complex IT systems, which of the following factors does not
increase the likelihood of material misstatements in the financial
statements?
a. Reduced human involvement
b. Uniformity of processing
c. Ease of access to data
d. Specialists are needed to write computer programs.

6. A control which relates to all parts of the IT system is called a(n):

a. General control
b. Systems control
c. Universal control
d. Applications control.

43
7. Controls which apply to a specific use of the system are called
a. User controls
b. General controls
c. Systems controls
d. Applications controls.
8. Which of the following is not a general control?
a. Reasonableness test for unit selling price of a sale
b. Equipment failure causes error messages on monitor
c. Separation of duties between programmer and operators
d. Adequate program run instructions for operating the computer.
9. Controls which are built in by the manufacturer to detect equipment
failure are called
a. Input controls
b. Fail-safe controls
c. Hardware controls
d. Manufacturer's controls.
10. Auditors usually evaluate the effectiveness of
a. Hardware controls first
b. Sales-cycle controls first
c. General controls before applications controls
d. Applications controls first.
11. Controls which are designed to assure that the information
processed by the computer is authorized, complete and accurate are
called
a. Input controls
b. Processing controls
c. Output controls
d. General controls
12. Programmers should be allowed access to
a. Computer operations
b. All programmed code
c. Actual programs used in processing transactions
d. None of the above.

44
13. Which of the following is not a processing control?
a. Control totals
b. Logic tests
c. Check digits
d. Computations test.
14. Controls over output are not designed to assure that data generated
by the computer are
a. Accurate
b. Distributed only to authorized people
c. Complete
d. Relevant.
15. Auditors usually obtain information about general and application
controls through
a. Interviews with IT personnel
b. Examination of systems documentation
c. Reading program change requests
d. All of the above methods.
16. When the auditor considers only the non-IT controls in assessing
control risk, it is commonly referred to as
a. The single-stage audit
b. The test deck approach
c. Auditing around the computer
d. Generalized audit software GAS.
17. The audit approach in which the auditor runs his or her own program
on a controlled basis in order to verify the client's data recorded in a
machine language is
a. The test data
b. Called auditing around the computer
c. The generalized audit software
d. The microcomputer-aided auditing.
18. Generalized audit software
a. Is often used even when a client's data are not computerized
b. Is used when a client's software is not compatible with the
auditor's

45
 c. Is a method of verifying a client's data which are recorded in a
machine language
d. Can be used for all three of the above.
19. Because general controls have a _______ effect on the operating
effectiveness of application controls, auditors must consider general
controls.
a. Nominal
b. Pervasive
c. Mitigating
d. Worsening.
20. If a control total were to be computed on each of the following data
items, which would best be identified as a hash total for payroll IT
application?
a. Net pay
b. Department numbers
c. Hours worked
d. Total debits and total credits.
True or False:
21. Inherent risk is often greater in complex IT systems than in
noncomplex IT systems
a. True
b. False
22. Firewalls protect company data only and offer no protection for
software programs.
a. True
b. False
23. One disadvantage of IT systems is the potential elimination of the
control provided by division of duties of independent persons normally
present in manual systems.
a. True
b. False

46
24. One potential disadvantage of IT systems is the reduction or
elimination of source documents, which reduces the visibility of the
audit trail.
a. True
b. False
25. In IT systems, if general controls are effective, it increases the
auditor's ability to rely on application controls to reduce control risk.
a. True
b. False
26. Auditors do not normally link strengths and weaknesses in general
controls to specific transaction-related audit objectives.
a. True
b. False
27. The test data requires the auditor to insert an audit module in the
client's application system to test transaction data specifically identified
by the auditor as unusual.
a. True
b. False
28. General controls in smaller companies are usually less effective than
in more complex IT environments.
a. True
b. False
29. The objective of the computer audit technique known as the test
data is to determine whether the client's computer programs can
correctly process valid and invalid transaction.
a. True
b. False
30. Hardware controls is a category of application controls.
a. True
b. False
31. Controls that relate to a specific use of the IT system, such as the
processing of sales or cash receipt, are called application controls.

47
 a. True
b. False
32. Auditing around the computer is acceptable only if the auditor has
access to the client's data in a machine-readable language
a. True
b. False
33. IT controls are classified as either input controls or output controls.
a. True
b. false
34. One common use of generalized audit software is to help the auditor
identify weaknesses in the client's IT control procedures.
a. True
b. False
35. Tests of controls are normally performed only if the auditor believes
the client's internal control may be effective.
a. True
b. False
36. When auditing around the computer, the auditor makes no attempt
to test the client's IT controls.
a. True
b. False

Answers:
1- b 10- c 19- b 28- a
2- c 11- a 20- c 29- a
3- c 12- d 21- a 30- b
4- d 13- c 22- b 31- a
5- d 14- d 23- a 32- b

48
6- a 15- d 24- a 33- b
7- d 16- c 25- a 34- b
8- a 17- c 26- a 35- a
9- c 18- b 27- b 36- a

CHAPTER 4
AUDIT SAMPING FOR TESTS OF
CONTROLS AND SUBSTANTIVE TESTS
OF TRANSACIONS

49
Ex. Assume that the actual sample size in 70 items and one exception is
found when testing for certain attribute. The ARACR 10% and TER 6%.
Required:
a. Compute CUER, give its meaning
b. What's the decision of the auditor in this situation?
Solution:
 Using evaluation sample results of attribute the CUER is 5.5%
 This means that true exception rate in the population doesn't
exceed 5.5% and this result in right at a chance of (confidence
level) and a 10% chance that's wrong
 The population can be considered acceptable because the CUER
(5.5%) TER < 6% at10% of ARACR>
Ex. Assume that an auditor is willing to reduce assessed control risk for
the agreement between payroll sheet and time card does not exceed
5.5% TER at a 5% ARACR on the basis of past experience, EPER set at
1.5%. What is the initial sample size.
Solution:
a. Use the 5% ARACR table for determining sample size – there is no
directly 5.5% TER
b. Locate the 5% TER column
c. Read down to where the column interested with 1.5% EPER raw.
The initial sample size is determined to be 124 items
d. Locate the 6% TER column
e. Read down to where the column interested with 1.5%
f. Read down to where the column interested with 1.5% EPER, initial
sample size is determined to be 103 items.

TER Sample size

6% 103
5% 124
1% -21
0.5% -11

50
 Then the sample size that related to 5.5% TER, at a 5%ARACR and EPER
at 1.5% = 124-11=113 items.
Ex. Assume that the actual sample size is 75 items and two exceptions
are found when testing for certain attribute the ARACR 10%, and the TER
6%.
Required:
a. Compute CUER and give its meaning
b. What is the decision of the auditor in this situation.
Solution:
Sample size CUER
80 6.6%
70 7.5%
10 -0.9
5 -0.45
Then the CUER that related to 75 sample size at the ARACR 10% =
7.5% - 0.45% = 7.05%
a. This means that TPER (true population exception rate does not
exceed 7.05% and this result is right at a chance of 90% confidence
level and a 10% chance that is wrong.
b. when the CUER exceeds TER, the auditor may do one or more of
the following:
1. Revise the TER or the ARACR. This alternative should be
followed only when the auditor has concluded that the original
specifications were too conservative, and when he or she is
willing to accept the risk associated with the higher
specifications.
2. Expand the sample size. This alternative should be followed
when the auditor expects the additional benefits to exceed the
additional costs, that is, the sample tested was not
representative of the population.
3. Revise assessed control risk upward. This is likely to increase
substantive procedures. Revising assessed control risk may be
don if 1 or 2 is not practical and additional substantive
procedures are possible

51
 4. Write a letter to management. This action should be done in
conjunction with each of the three alternatives above.

Multiple-Choice Questions:
1. A sample in which the characteristics of the sample are the same as
those of the population is a(n)
a. Variables sample
b. Representative sample
c. Attribute sample
d. Random sample
2. When the auditor decides to select less than 100% of the population
for testing, the auditor is said to be using
a. Audit sampling
b. Representative sampling
c. Poor judgment
d. None of the above.
3. One cause of non-sampling risk is
a. Ineffective use of audit procedures
b. Testing less than the entire population
c. Use of extensive tests of controls
d. Any of the above.
4. When the auditor intends to evaluate a sample statistically, the only
acceptable selection method is
a. Probabilistic selection
b. Judgmental selection
c. Haphazard selection
d. Block sample selection
5. A sample in which every possible combination of items in the
population has an equal chance of constituting the sample is a
a. Random sample
b. Statistical sample
c. Judgment sample
d. Representative sample.

52
6. The process which requires the calculation of an interval and then
selects the items based on the size of the interval is
a. Statistical sample
b. Random sample selection
c. Systematic sample selection
d. Computerized sample selection.
7. Sampling risk may be controlled by
a. Adjusting the sample size
b. Always using random sampling
c. Using whatever sample selection technique is appropriate for the
population
d. A and C.
8. The risk which the auditor is willing to take of accepting a control as
being effective when it is not is the
a. Finite correction factor
b. Tolerable exception rate
c. Acceptable risk of assessing control risk too low
d. Estimated population exception rate.
9. The exception rate the auditor will permit in the population and still
be willing to use the assessed level of control risk is called the
a. Tolerable exception rate
b. Estimated population exception
c. Acceptable risk of overreliance
d. Sample exception rate.
10. If the auditor decides to asses control risk at the maximum
level ,tests of controls are
a. Increase in number
b. Reduced in number
c. Not performed
d. Unchanged from prior planned settings.

11. Which of the following factors is generally not considered in

determining sample size for a test of controls?

53
 a. Expected population exception rate
b. Risk of assessing control risk too low
c. Tolerable exception rate
d. Population size
12. Non-sampling errors occur when audit tests do not uncover existing
exceptions in the
a. Population
b. Sample
c. Planning stage
d. Financial statements.
13. One of the ways to reduce sampling risk is to
a. Carefully design the audit procedures to be used.
b. Use variable sampling rather than attributes sampling.
c. Provide proper supervision and instruction of the audit team.
d. Use an appropriate method of selecting sample items from the
population.
14. Which of the following methods of sample selection is appropriately
used when selecting a random sample?
a. Use of random number tables.
b. Use computer generated random numbers.
c. Auditor`s random selection of items.
d. A and b, but not c.
15. The acceptable risk of assessing control risk too low will normally be
assessed at a level when auditing a public company.
a. Higher
b. Compensating
c. Lower
d. Nominal
16. Auditors are concerned with which type of exceptions in populations
of accounting data?
a. Deviations from client established controls.
b. Monetary misstatements in transaction data.
c. Monetary misstatements in account balance details.
d. Auditors are concerned with all of these exceptions.

54
17. In using audit sampling for exception rates, the auditor is primarily
interested in determining the the exception rate might be.
a. Lowest
b. Most
c. Average range I which
d. None of the above.
18. The highest estimated exception rate in the population at a given
acceptable risk of assessing control risk too low is
a. The upper exception rate.
b. Estimated population exception rate.
c. The computed upper exception rate.
d. The tolerable exception rate.
19. the auditor`s best estimate of the population exception rate is the
a. Sample exception rate.
b. Tolerable exception rate (TER)
c. Experience of the previous year.
d. Computed upper exception rate (CUER)
20. Which of the following is the exception rate that the auditor expects
to find before testing?
a. Sample exception rate.
b. Estimated population exception rate.
c. Computed exception rate.
d. Tolerable exception rate.
21. The acceptable risk of assessing control risk too low (ARACR) is a
measure of the level o risk that
a. The auditor is willing to take.
b. Is predicted by the random number table.
c. Is predicted by the statistical frequency table.
d. Is generated as a result of the auditor`s knowledge of the true
population exception rate.
22. Before the population can be considered acceptable based on the
acceptable risk of assessing control risk too low (ARACR), the computed
upper exception rate (CUER) must be
a. Greater than or equal to the TER.

55
 b. Greater than the TER
c. Less than or equal to the TER.
d. Less than the tolerable exception rate (TER).
23. As an auditor selects a sample from the file of shipping documents to
determine whether invoices were prepared. This test is performed to
satisfy the audit objective of
a. Accuracy
b. Existence
c. Control
d. Completeness
24. When using statistical sampling, the auditor would probably require
a smaller sample if the
a. Population increases
b. Desired reliability decreases
c. Desired precision interval narrows
d. Expected exception rate increases.
25. Which of the following need not be known to evaluate the results of
a sample for a particular attribute?
a. Exception rate in the sample
b. Size of the sample
c. Acceptable risk of assessing control risk too low
d. Actual number of exceptions in the sample.
26. a means of reducing the potential bias in systematic sample selection
is to
a. Use multiple starts
b. Use a random number table
c. Include a large block of the population
d. Include only the high-dollar-value items.
27. If an auditor, planning to use statistical sampling, is concerned with
the number of a client's sales invoices that contain mathematical errors,
the auditor would most likely utilize
a. Random sampling with replacement
b. Sampling for attribute
c. Sampling for variables

56
 d. Stratified random sampling
Other Objective Answer Format Questions
Match five of the terms (a-k) with the definitions provided below (1-5):
a. Haphazard selection
b. Attributes sampling
c. Block sample selection
d. Judgmental sampling
e. Non-probabilistic sample selection
f. Probabilistic sample selection
g. Random sample
h. Representative sample
i. Statistical sampling
j. Systematic sample selection
k. Sampling distribution
1. ------- the use of mathematical measurement techniques to
calculate formal statistical results and quantify sampling risk
2. -------- A non-probabilistic method of sample selection in which
items are selected in measured sequences.
3. -------- A sample whose characteristics are the same as those of
the population
4. --------- A statistical, probabilistic method of sample evaluation
that results in an estimate of the proportion of items in a
population containing a characteristic of interest
5. --------- A non-probabilistic method of sample selection are chosen
without regard to their size, source, or other distinguishing
characteristics.
29. Sampling risk results from the auditor's failure to recognize
exceptions in transaction data.
a. True
b. False
30. Even when non-sampling risk is zero, there is always a chance that a
sample is not reasonably representative
a. True
b. False
31. In practice, auditors do not know whether a sample is
representative, even after all testing is complete.
57
 a. True
b. False
32. The only way to control sampling risk is to increase sample size
a. True
b. False
33. A sample of all items in a population will have a zero sampling risk
a. True
b. False
34. It is equally acceptable under professional auditing standards for
auditors to use either statistical or non-statistical sampling methods
a. True
b. False
35. When using non-statistical sampling the sample must be a
probabilistic one
a. True
b. False
36. The use of haphazard sample selection is not allowed under
professional auditing standards
a. True
b. False
37. Although systematic sample selection is easy to use, its primary
disadvantage is that it is not a probabilistic sampling method
a. True
b. False
38. Directed sample selection, block sample selection, and haphazard
sample selection are three types of probabilistic sample selection
methods
a. True
b. False
39. ARACR is normally lower for a public company audit than a private
company audit

58
 a. True
b. False
40. Estimated population exception rat is the auditor's best estimate of
the actual exception rate in the entire population
a. True
b. False
41. Tolerable exception rate TER is inversely related to sample size, that
is, as TER increases, sample size decreases
a. True
b. False
42. The higher the assessed control risk, the lower will be the acceptable
risk of assessing control risk too low.
a. True
b. False.
Results:
1. b 8. c 15. c 22. c 29. b 36. b
2. a 9. a 16. d 23. d 30. a 37. b
3. a 10. c 17. b 24. b 31. a 38. b
4. a 11. d 18. c 25. a 32. b 39. a
5. a 12. b 19. a 26. a 33. a 40. a
6. c 13. d 20. b 27. b 34. a 41. a
7. d 14. d 21. a 28. 35. b 42. b

28. 1- I, 2. C, 3. H, 4. B, 5. A.
DISCUSSION QUESTIONS AND PROBLEMS
1- The questions below relate to determining the CUER in audit
sampling for tests of controls, using the following table:
1 2 3 4 5 6 7 8
ARO % 5 5 10 5 5 5 5 5
Population size 50000 500 5000 5000 5000 900 5000 500
Sample size 200 100 200 200 50 100 100 25
No. of exception 4 2 4 4 1 10 0 0

59
 Required:
a. Using non-statistical sampling, calculate TER-SER for each of
columns 1 through 8 and evaluate whether or not sampling error is
large enough to accept the population.
Assume that TER is 5% for each column.
b. For each of the columns 1 through 8, determine CUER using
attributes sampling from the appropriate table.
c. Using your understanding of the relationship between the four
preceding factors and the CUER, state the effect on the CUER
(increase or decrease) of changing each of the following factors
while the other three are held constant:
1. A decrease in the ARO
2. A decrease in the population size
3. A decrease in the sample size
4. A decrease in the number of exceptions in the sample
d. Compare your answers in part c. with the results you determined in
part a. (non-statistical sampling) or part b. (attributes sampling).
Which of the factors appears to have the greatest effect on the CUER?
Which one appears to have the least effect?
e. Why is it necessary to compare the CUER with the TER?
Solution:
1. a:
SER TER-SER Allowance for sampling error
sufficient?
1. 2% 3% Probably*
2. 2% 3% No (due to smaller sample size)
3. 2% 3% Yes
4. 2% 3% Probably*
5. 2% 3% No (due to smaller sample size)
6. 10% NA No (SER exceeds TER)
7. 0% 5% Yes
8. 0% 5% No (due to smaller sample size)
1. b: Using the attributes sampling table in table 15-9, the CUERs for
columns1-8 are:
1. 4.6%
2. 6.2%
3. 4.0%
4. 4.6%
5. 9.2%
6. 16.4%

60
 7. 3.0%
8. 11.3%
1. c.
Changes in Effect on Illustrations in part a or
factors CUER b
1 Decrease in Increase Compare columns 3 and
ARACR 4
2 Decrease in No effect Compare columns 1 and
population or minor 4
decrease
3 Decrease in Increase Compare columns 4 and
sample size 5 (both sample
exception rates are 2%)
4 Decrease in the decrease Compare columns 6 and
number of 7
exceptions in the
sample
1.d. the factor that appears to have the greatest effect is the number of
exceptions found in the sample compared to sample size. For example, in
columns 2 and 6, the increase from 2% to 10% SER dramatically
increased the CUER. Population size appears to have the least effect. For
example, in columns 1 and 4, the CUER was the same using the attributes
sampling table even though the population in column 1 was 10 times
larger.
1.e. the CUER represents the results of the actual sample whereas the
TER represents what the auditor will allow. They must be compared to
determine whether or not the population is acceptable.
2. The following are the auditor judgments and attributes sampling results
for six populations. Assume large population sizes.

1 2 3 4 5 6
EPER 2 1 1 0 3 8
TER 6 5 20 3 8 15
ARO 5 5 10 5 10 10
Actual sample size 100 100 20 100 60 60
Actual number 2 4 1 0 1 8
exceptions in the
sample
Required:
61
 a. For each population, did the auditor select a smaller size than is
indicated by using the attributes sampling tables in table 15-8 for
determining sample size? Evaluate selecting either a larger or
smaller size than those determined in the tables.
b. Calculate the SER and CUER for each population.
c. For which of the six populations should the sample results be
considered unacceptable? What options are available to the
auditor?
d. Why is analysis of the exceptions necessary even when the
populations are considered acceptable?
e. For the following terms, identify which is an audit decision, a non-
statistical estimate made by the auditor, a sample result, and a
statistical conclusion about the population:
1. EPER
2. TER
3. ARO
4. Actual sample size
5. Actual number of exceptions in the sample
6. SER
7. CUER
Solution
2. A and b the sample sizes and CUERs are shown in the following table:
Actual Initial sample size SER CUER from TER
sample from table 15-8 table 15-9
size
1 100 127 2.0% 6.2% 6.0%
2 100 93 4.0 9.0 5.0
3 20 18 5.0 18.1 20.0
4 100 99 0.0 3.0 3.0
5 60 65 1.7 6.4 8.0
6 60 60 13.3 20.0 15.0
a. The auditor selected a sample size smaller than that determined
from the tables in populations 1 and 5. The effect of selecting a
smaller sample size than the initial sample size required from the
table is the increased likelihood of having the CUER exceed the
TER. If a larger sample size is selected, the result may be a sample
size larger than needed to satisfy TER, that results in excess audit
cost. Ultimately, however, the comparison of CUER to TER
determines whether the sample size was too large or too small.

62
 b. The SER and CUER are shown in columns 4 and 5 in the preceding
table.
c. The population results are unacceptable for populations 1,2 and 6.
In each of those cases, the CUER exceeds TER.
The auditor`s options are to change TER or ARACR, increase the
sample size, or perform other substantive tests to determine
whether there are actually material misstatements in the
population.
An increase in sample size may be worthwhile in population 1
because the CUER exceeds TER by only a small amount. Increasing
sample size would not likely result in improved results for either
population 2 or 6 because the CUER exceeds TER by a large
amount.
d. analysis of exceptions in necessary even when the population is
acceptable because the auditor wants to determine the nature and
cause of all exceptions. If, for example, the auditor determines that a
misstatements was intentional, additional action would be required
even if the CUER were less than TER.

e.
TERM Nature of term
1. Estimated population - Non-statistical estimate
rate made by auditor.
2. Tolerable exception - Audit decision
rate.
3. Acceptable risk of - Audit decision
assessing control risk
too low.
4. Actual sample size - Audit decision (determined
by other audit decisions)
5. Actual number of - Sample results
exceptions in the sample.
6. Sample exception rate. - Sample results
7. Computed upper - Statistical conclusion about
exception rate. the population.
3. The questions below relate to determining the CUER in audit for tests
of controls, using the following table:
1 2 3 4

63
-ARO (in percent). 10 10 5 5
- Population size 5,000 50,000 5,000 50,000
-sample size 50 100 50 100
-number of exceptions 2 4 2 3
-CUER 10.3 7.9 12.1 7.6

Required:
a. Calculate SER for each of columns 1 through 4 and use this to
calculate the actual allowance fo sampling risk.
b. Explain why the CUER is higher for the attribute in column 1 than
the attribute in column 2.
c. Explain why the CUER higher for the attribute in column 3 than
the attribute in column 1.
d. Assume that the TER for attribute 4 is 6 percent. Your senior
indicates that he would like to be able to rely on this control and
has asked you to increase the sample by an additional 50 items.
Use the appropriate statistical sampling table to evaluate whether
the increase in the sample is likely to result in favorable results for
the entire sample of 150 items.
Solution:

3. a. The actual allowance for sampling risk is shown in the

following table:
SER CUER Actual allowance for sampling
% % risk (CUER-SER) %
1 4 10.3 6.3
2 4 7.9 4.9
3 4 12.1 8.1
4 3 6.7 4.6

b. The CUER is higher for attribute 1 than attribute 2 because the sample
size is smaller for attribute 1, resulting in a larger allowance for sampling
risk.
c. The CUER is higher for attribute 3 than attribute 1 because the auditor
selected a lower ARACR. This resulted in a larger allowance for sampling
risk to achieve the lower ARACR.

64
d. If auditor increases the sample size for attribute 4 by 50 items and
finds no additional exceptions, the CUER is 5.1% (sample size of 150 and
three exceptions). If the auditor finds one exception in the additional
items, the CUER is 6% (sampled size of 150, four exceptions). With a TER
of 6%, the sample results will be acceptable if one or no exceptions are
found in the additional 50 items. This would require a lower SER in the
additional sample than the SER in the original sample of 3%. Whether a
lower rate of exception is likely in the additional sample depends on the
rate of exception the auditor expected in designing the sample, and
whether the auditor believe the original sample to be representative.

CHPTER 5
AUDIT SAMPLING FOR
TESTS OF DETAILS OF BALNCES

65
Problem
 You are planning to use non-statistical sampling to evaluate the
results of accounts receivables confirmation for the El Esraa
Company. You have already performed tests of controls for sales,
sales returns and allowances, and each receipt, and they are
considered excellent. Because of the quality of the controls, you
decide to use an acceptable risk of incorrect acceptance of 10%.
There are 3000 accounts receivable with a gross value of
$6,900,000. The accounts are similar in size and will be treated as
a single stratum. An overstatement or understatement of more
than $150,000 would be considered material.
Required
a- Calculate the required sample size.
Assurance factor:
5% ARIA = 3
10% ARIA = 2
20% ARIA = 1
b- Assume that instead of good results, poor results were obtained for
tests of controls and substantive tests of transactions for sales, sales
returns and allowances, and receipts. How would this affect your
required sample size? How would you see this information in your
sample size determination?
c- Assume a total book value of $230,000 for the 100 accounts selected
for testing. You uncover three overstatements totaling 1500 in the
sample.
Evaluate whether the population is fairly stated.

Solution
a- Sample size = (Book value of population / Tolerable misstatements) x
Assurance factor
Sample size = (6,900,000 / 150,000) x 2 = 92 items.

66
b- If the poor results were obtained for tests of controls and substantive
tests of transactions for sales, sales returns and allowances, and cash
receipts, the required sample size for tests of detail of balances would
need to be increased. Using the formula of determining sample size, the
auditor will increase sample size by increasing assurance factor lowering
(ARIA).
Deciding the acceptability of the population using MUS
The rule:
 Population can be accepted if it is not overstated or understated
by more than tolerable misstatements.
Example
Assume that the auditor sets a tolerable misstatement amounts for
A/R of $40,000 (overstatement) or (understatement) and the calculated
lower bound is 27,526 and upper 50,860. What is the auditor decision
about the acceptance of A/R balance?
Solution
The population (A/R) is not accepted because upper misstatement
bound is more than tolerable misstatement.
When a population is not considered acceptable, there are several
possible courses of action:
1) Perform expanded audit tests in specific areas. If an analysis of
the misstatements indicates that most of the misstatements are
of a specific type, it may be desirable to restrict the additional
audit effort to the problem area.

2) Increase the sample size. When the auditor increases the sample
size, sampling error is reduced if the rate of misstatements In the
expanded sample, their dollar amount, and their direction are
similar to those in the original sample. Increasing the sample size,
therefore, may satisfy the auditor's tolerable misstatement
requirements.
 Increasing the sample size enough to satisfy the auditor's
tolerable misstatement standards is often costly, especially when
the difference between tolerable misstatement and projected
misstatement is small.

67
3) Adjust the account balance. When the auditor concludes that an
account balance is materially misstated, the client may be willing
to adjust the book value.
4) Request the client to correct the population. In some cases the
client's records are so inadequate that a correction of the entire
population is required before the audit can be completed.
5) Refuse to give an unqualified opinion. If the auditor believes the
recorded amount in accounts receivable or any other account is
not fairly stated, it is necessary to follow at least one of the above
alternatives or to qualify the audit opinion in an appropriate
manner.

68