Internal Control in a Financial Statement Audit
October 20, 2023
Internal Control
- Note: we only need to test internal controls if we need to rely on them
- Ultimately, we want to test control risk 🡪 audit risk = IR*CR*DR where RMM = IR*CR
- Management has the responsibility to maintain controls that provide reasonable assurance that adequate control exists over the entity’s assets and records
- The internal control system should …
- (1) Ensure that assets and records are safeguarded
- (2) Generate reliable info for decision making
- The auditor needs assurance about the reliability of the data generated by the info system
- The auditor uses risk assessment procedures to …
- (1) Obtain an understanding of the entity’s internal control
- (2) Identify key controls
- (3) Recognize the types of potential misstatements
- (4) Design tests of controls and substantive procedures
- There is an inverse relationship between the reliability of internal control and the amount of substantive evidence required by the auditor
- The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy
- The auditor has the responsibility to …
- (1) Obtain an understanding of internal controls
- (2) Assess control risk
Definition of Internal Control

- The purpose of its framework is to help management better achieve the organization’s objectives and to provide the board of directors with an added ability to oversee internal control
- An effective system of internal control allows management to focus on operations and financial performance goals while maintaining compliance with relevant laws and minimizing surprises
Controls Relevant to the Audit
- The controls that are of most direct relevance to a F/S audit are those that contribute to the reliability, timeliness, and transparency of external financial reporting
- These controls are relevant to an audit because they help to prevent, or detect and correct, material misstatements in the entity’s F/S
- Controls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures
The Effect of Info Technology on Internal Control
- The extent of an entity’s use of IT can affect internal control because IT affects the way transactions are initiated, authorized, recorded, processed, and reported
- Controls in most info systems consist of a combination of …
- (1) Interdependent automated
- (2) Manual controls
Table 6.1 – the effect of info technology on internal control
Benefits:
- Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data
- Greater timeliness, availability, and accuracy of info
- Facilitation of data analytics for enhanced internal decision making
- Greater ability to monitor the entity’s activities, policies, and procedures on a timely basis
- Greater ability to prevent or detect avoidance of controls
- Enhanced segregation of duties through security controls in applications, databases, and operating systems
Risks:
- Reliance on systems or programs that, unknown to management, inaccurately process data, process inaccurate data, or both
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions
- Unauthorized changes to data in master files
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Inappropriate manual intervention
- Potential loss of data
The COSO Framework
Components of Internal Control
- Note: this is the first step to assessing your controls
- (1) Control environment is the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization
- The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct
- (2) Entity’s risk assessment process involves a dynamic and iterative process for identifying the entity’s objectives, thereby forming a basis for determining how risks should be managed
- Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives
- (3) Control activities are the actions established by policies and procedures to help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out
- Control activities are performed at all levels of the entity and at various stages within the business processes, and over the technology environment
- (4) Info and communication
- Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives
- Communication occurs both internally and externally and provides the organization with the info needed to carry out day-to-day internal control activities
- Enables personnel to understand internal control responsibilities and their importance to the achievement of objectives and allows for upward flow of operating info to management
- (5) Monitoring activities
- Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the 5 components of internal control, including controls to effect the principles within each component, are present and functioning
- Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board
Figure 6.1 – components of internal control
- A direct relationship exists between objectives, components, and the structure of the entity
- The relationship can be depicted in the form of a cube
- The auditor is mainly concerned with how the 5 components, evaluated individually and in terms of how they operate together, affect the external financial reporting objective
- In the COSO framework, each component includes principles that represent fundamental concepts underlying the effectiveness of each component
- An entity can achieve effective internal control by applying all 17 principles
The 17 Principles Underlying the Components of Internal Control
Control Environment
- Principle 1: The organization demonstrates a commitment to integrity and ethical values
- Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
- Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
- Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
- Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
The Entity’s Risk Assessment Process
- The risk assessment process identifies and responds to business risks in relation to achieving business objectives
- Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
- Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
- Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives
- Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control
Control Activities
- Control activities involve policies and procedures that help mitigate risks that endanger the achievement of objectives
- Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
- Performance reviews
- Physical controls
- Segregation of duties
- Info processing controls
- Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives
- General controls relate to the overall info processing environment and include controls over data center and network operations
- Application controls apply to the processing of individual applications and help ensure the occurrence (validity), completeness, and accuracy of transaction processing
- Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
- A policy is a rule or guideline that calls for certain activities to take place in certain circumstances
Info and Communication
- Principle 13: The organization obtains or generates and uses relevant, quality info to support the functioning of internal control
- Identify and record all valid transactions
- Classify transactions properly
- Measure the value of transactions properly
- Record transactions in the proper period
- Properly present transactions and disclosures
- Principle 14: The organization internally communicates info, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
- Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control
Monitoring of Controls
- Monitoring of controls is a process that assesses the quality of internal control performance over time
- Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
- Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
Planning an Audit Strategy
- Audit risk model: AR = RMM*DR where RMM = IR*CR
- The auditor’s assessment of RMM must consider the level of CR in applying the audit risk model
- If IR and CR are high, then DR is low = more substantive evidence
- In applying the audit risk model, the auditor must assess control risk
- Step 1: gather info by performing risk assessment procedures to evaluate the design of controls and to determine whether the controls have been implemented
- Step 2: decide whether to rely on the entity’s controls for assurance about management’s F/S assertions
- If the risk assessment procedures indicate that the controls are not properly designed or not implemented, the auditor will not rely on the controls – CR is set high, and substantive procedures will be used to reduce the RMM to a low level
- If the risk assessment procedures suggest that the controls are properly designed and implemented – auditor will rely on the controls and tests of controls are required to be performed to obtain audit evidence that the controls are operating effectively
Figure 6.2 presents a flowchart of the auditor’s decision process when considering internal control in planning an audit
- Note: this is an important flowchart
- This flowchart tells us how we determine how much substantive work we have to do
- Ultimately, we want to determine what the level of control risk is for a particular class of transactions or account balances so then we can go ahead and plan our substantive procedures
Substantive Strategy
- Strategy 1: substantive audit
- Understand what is there
- Document what is there
- It would be inefficient to take too much time to test these controls when we can say up front that these controls are not working
- Conclusion: no tests of controls evidence
- Auditor has decided not to rely on the entity’s controls and instead use substantive procedures as the main source of evidence about the assertions in the F/S
- After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at high for some or all assertions because of one or all the following factors:
- (1) Controls do not pertain to an assertion
- (2) Controls are assessed as ineffective
- (3) Testing the effectiveness of controls is inefficient
- Auditor documents the level of CR as being set at high and substantive procedures are designed and performed based on the assessment of a high level of CR
- When the auditor follows a substantive strategy, the assurance bucket is filled with some evidence from the risk assessment procedures and an extensive amount of evidence from substantive procedures
Reliance Strategy
- Strategy 2: combined approach
- Obtaining understanding of internal control
- Reliance strategy means the auditor plans to rely on internal control and assess control risk at a lower level
- The auditor uses the test results to assess the “achieved” level of control risk
- If the test results indicate that achieved CR > planned = auditor will increase the planned substantive procedures and document the revised CR assessment
- If tests of controls support the planned level of control risk, no revisions of the planned substantive procedures are required
Table 6.4 – assertions about classes of transactions and events and related control procedures
Assertion | Control Activities |
Occurrence | Segregation of duties; prenumbered documents that are accounted for; daily or monthly reconciliation of subsidiary records with independent review |
Completeness | Prenumbered documents that are accounted for; segregation of duties; daily or monthly reconciliation of subsidiary records with independent review |
Authorization | General and specific authorization of transactions at important control points |
Accuracy | Internal verification of amounts and calculations; monthly reconciliation of subsidiary records by an independent person |
Cutoff | Procedures for prompt recording of transactions; internal review and verification |
Classification | |
Presentation | Internal review and verification |
October 23, 2023
Obtain an Understanding of Internal Control
- The auditor should obtain an understanding of each of the components of internal control to plan the audit:
- (1) Understand the control environment
- (2) Understand the entity’s risk assessment process
- (3) Understand the info system and communications
- (4) Understand control activities
- (5) Understand monitoring of controls
- This knowledge is used to …
- (1) Identify types of potential misstatement
- (2) Pinpoint the factors that affect the RMM
- (3) Design tests of controls and substantive procedures
- In deciding on the nature and extent of the understanding of internal control needed for the audit, the auditor should consider the complexity and sophistication of the entity’s operations and systems, including the extent to which the entity relies on manual controls or on automated controls
- The auditor may determine that the engagement team needs an IT specialist:
- (1) Evaluate the nature and complexity of the entity’s IT systems
- (2) Determine whether the engagement team needs an IT specialist
- In determining whether an IT specialist is needed, the following factors should be considered:
- (1) The complexity of the entity’s IT systems and controls and the manner in which they are used in conducting the entity’s business
- (2) The significance of changes made to existing systems, or the implementation of new systems
- (3) The extent to which data are shared among systems
- (4) The extent of the entity’s participation in e-commerce
- (5) The entity’s use of emerging technologies
- (6) The significance of audit evidence that is available only in electronic form
Understanding the Control Environment
Exhibit 6.1 – example info & documentation excerpt
Control Environment Questionnaire
Entity: EarthWear Clothiers | Completed by: SAA | Date: 9/30/25 |
Balance Sheet Date: 12/31/2025 | Reviewed by: DRM | Date: 10/15/25 |
COMMUNICATION AND ENFORCEMENT OF INTEGRITY AND ETHICAL VALUES
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behaviour are the product of the entity’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practice.
Question | Yes, No, or N/A | Comments |
Have appropriate entity policies regarding matters such as acceptable business practices, conflicts of interest, and codes of conduct been established, and are they adequately communicated? | Yes | The permanent work papers contain a copy of EarthWear’s conflict-of-interest policy. |
Does management demonstrate the appropriate “tone at the top,” including explicit moral guidance about what is right or wrong? | Yes | EarthWear’s management maintains high moral and ethical standards and expects employees to act accordingly. |
Are everyday dealings with customers, suppliers, employees, and other parties based on honesty and fairness? | Yes | EarthWear’s management maintains a high degree of integrity in dealing with customers, suppliers, employees, and other parties; it requires employees and agents to act accordingly. |
Does management determine to an adequate extent the knowledge and skills needed to perform particular jobs? | Yes | The job descriptions specify the knowledge and skills needed. The Human Resources Department uses this information in hiring, training, and promotion decisions. |
Does evidence exist that employees have the requisite knowledge and skills to perform their job? | Yes | Our prior experiences with EarthWear personnel indicate that they have the necessary knowledge and skills. |
Documenting an Understanding of Internal Control
- Procedure manuals and organizational charts
- Documents the entity’s policies and procedures
- Includes documentation of the accounting system and related control activities
- Organizational chart presents the designated lines of authority and responsibility
- These can assist the auditor in documenting their understanding of the internal control system
- Internal control questionnaires
- Provide a systematic means for the auditor to investigate various areas
- Generally used for entities with a complex internal control structure
- Contains questions about the important factors or characteristics of the 5 internal control components
- Flowcharts
- Provide a diagrammatic representation of the entity’s accounting system
- Outlines the configuration of the system in terms of functions, documents, processes, and reports
- Documentation facilitates an auditor’s analysis of the system’s strengths and weaknesses
- Used to document the auditor’s understanding of an entity’s internal control over financial reporting
- Narrative description
- Understanding of internal controls may be documented in a memo
- This approach is the most appropriate when the entity has a simple internal control system
Figure 6.3 – an example of a flowchart for the order entry portion of the revenue process

The Effect of Entity Size on Internal Control
- The size of an entity may affect how the various components of internal control are implemented
- While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity
The Limitation of an Entity’s Internal Control
- An internal control system should be designed and operated to provide reasonable assurance that an entity’s objectives are being achieved
- The concept of reasonable assurance recognizes that the cost of an entity’s internal control system should not exceed the benefits that are expected to be derived
- Limitations:
- (1) Management override of internal control
- (2) Human errors or mistakes
- (3) Collusion
Figure 6.4 – primary internal control weakness observed by CFE

Assessing Control Risk
- Assessing control risk is the process of evaluating the effectiveness of an entity’s internal control in preventing, or detecting and correcting, material misstatements in the F/S
- Auditor can set CR at high (substantive strategy) or at a low level (reliance strategy)
- To set CR below high (moderate or low), the auditor must …
- (1) Identify specific controls that will be relied upon
- (2) Perform tests of controls
- (3) Conclude on the achieved level of control risk
Identify Specific Controls That Will Be Relied Upon
- The auditor’s understanding of internal control is used to identify the controls that are likely to prevent, or detect and correct, material misstatement in specific assertions
- We don’t necessarily need to rely on every single control
- We need to understand them all
- Prepare a narrative or a flowchart that documents these control procedures
Perform Tests of Controls
- Tests of controls are performed in order to provide evidence to support the lower level of CR when using a reliance strategy
- Tests directed toward the effectiveness of the design of a control are concerned with evaluating whether that control is suitably designed to prevent, or detect and correct, material misstatements
- Tests directed toward operating effectiveness are concerned with assessing how the control was applied, the consistency with which it was applied during the audit period, and by whom it was applied
- Types of tests of controls:
- Inquiry of appropriate entity personnel
- Inspection of documents indicating the performance of the control
- Observation of the application of the control
- Reperformance of the application of the control by the auditor
- What controls will we rely on to help us assess whether the account balances or class of transactions are not materially misstated?
Conclude on the Achieved Level of Control Risk
- The auditor uses the combination of the achieved level of CR and the assessed level of IR to determine the level of DR that is needed in order to bring audit risk to an acceptable low level
- When we are doing our planning, we need to set a planned level of control risk based on the organization
- We will only do this when we have decided to use a reliance strategy (a.k.a. combined approach)
Documenting the Achieved Level of Control Risk
- The auditor’s assessment of CR and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum
Table 6.5 – an example of assessing control risks and its effects

- There is not one pattern/test description that fits all
Which of the following audit techniques would most likely provide an auditor with the least assurance about the effectiveness of the operation of a control?
- Inquiry of entity personnel
- Reperformance of the control by the auditor
- Observation of entity personnel
- Walkthrough
Substantive Procedures
- Last step in the decision process under either strategy
- Auditing standards require some substantive testing for all significant account balances or classes of transactions
Table 6.6 – performing substantive procedures
Low-Detection-Risk Strategy 🡪 Entity 1 |
Nature | Audit tests for all significant audit assertions using the following types of audit procedures: physical examination (conducted at YE); review of external documents; confirmation; reperformance |
Timing | All significant work completed at YE |
Extent | Extensive testing of significant accounts or transactions |
High-Detection-Risk Strategy 🡪 Entity 2 |
Nature | Corroborative audit tests using the following types of audit tests: physical examination (conducted at an interim date); analytical procedures; substantive tests of transactions and balances |
Timing | Interim and YE |
Extent | Limited testing of accounts or transactions |
- Note: if an inventory count is taking place, the auditor must attend
Timing of Audit Procedures
Figure 6.5 – timeline for planning and performing the audit of EarthWear Clothiers

Interim Audit Procedures
- Interim tests of controls:
- Assertion being tested not significant
- Control has been effective in prior audits
- Efficient use of staff time
- Interim substantive procedures:
- Control environment
- Availability of info later
- The purpose of the substantive procedure
- The assessed risk of material misstatement
- The nature of the transactions or balances and relevant assertions
- The ability of the auditor to perform appropriate procedures to cover the remaining period
Auditing Accounting Applications Processed by Service Organizations
- In some instances, an entity may have some or all its accounting transactions processed by an outside service organization
- Because the entity’s transactions are subjected to the controls of the service organization, one of the auditor’s concerns is the internal control system in place at the service organization
- It is not uncommon for service organizations to have an auditor issue one of two types of reports on their operations
- The type 1 report describes the service organization’s controls and assesses whether they are suitably designed to achieve specified internal control objectives
- The type 2 report goes further by providing assurance on the operating effectiveness of the service organization’s controls based on the auditor’s tests of controls
- An auditor may reduce control risk below high only based on a service auditor’s Type 2 report
Communication of Internal Control-Related Matters
- Control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned function, to prevent, or detect and correct, misstatements on a timely basis
- Significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness but is important enough to merit attention by those charged with governance
- Material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis
Table 6.7 – examples of reportable conditions
Deficiencies in the Design of Controls
- Inadequate design of internal control over the preparation of the financial statements being audited
- Inadequate design of internal control over a significant account or process
- Inadequate documentation of the components of internal control
- Insufficient control consciousness within the organization (ex: the tone at the top and the control environment)
- Absent or inadequate segregation of duties within a significant account or process
- Absent or inadequate controls over the safeguarding of assets
- Inadequate design of information technology (IT) general and application controls
- Inadequate design of monitoring controls
- The absence of an internal process to report deficiencies in internal control to management on a timely basis
Failures in the Operation of Internal Control
- Failure in the operation of effectively designed controls over a significant account or process
- Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy
- Failure of controls designed to safeguard assets from loss, damage, or misappropriation
- Failure to perform reconciliations of significant accounts
- Undue bias or lack of objectivity by those responsible for accounting decisions
- Misrepresentation by entity personnel to the auditor (an indicator of fraud)
- Employees or management who lack the qualifications and training to fulfill their assigned functions
- Management override of controls
- Failure of an application control caused by a deficiency in the design or operation of an IT general control
- An observed deviation rate that exceeds the number of deviations expected by the auditor in a test of operating effectiveness of a control
Types of Controls in an IT Environment
- General controls:
- Data center and network operations
- System software acquisition, change, and maintenance
- Access security
- Application system acquisition, development, and maintenance
- Application controls:
- Data capture controls
- Data validation controls
- Processing controls
- Output controls
- Error controls
Table 6.8 – common data validation controls
Data Validation Control | Description |
Limit test | A test to ensure that a numerical value does not exceed some predetermined value |
Range test | A check to ensure that the value in a field falls within an allowable range of values |
Sequence check | A check to determine if input data are in proper numerical or alphabetical sequence |
Existence (validity) test | A test of an ID number or code by comparison to a file or table containing valid ID numbers or codes |
Field test | A check on a field to ensure that it contains either all numeric or all alphabetic characters |
Sign test | A check to ensure that the data in a field have the proper arithmetic sign |
Check-digit verification | A numerical value computed to provide assurance that the original value was not altered |
Closed-loop verification | A process that takes data entered into the system to find and present other, related info, enabling the user to verify the correctness of the original data entry |
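The Table 6.8 checks applied to one batch of keyed-in order records, as an added example that is not part of the original notes. The master file, thresholds, field names and sample records are constructed, and Luhn is assumed as the check-digit scheme since the notes do not name one.

```python
from decimal import Decimal, InvalidOperation

# Constructed reference data and thresholds (assumptions, not from the notes).
CUSTOMER_MASTER = {"C1001": "Northwind Outfitters", "C1002": "Alpine Supply"}
AMOUNT_LIMIT = Decimal("5000.00")   # limit test ceiling
QTY_RANGE = (1, 500)                # range test bounds, inclusive


def luhn_valid(number: str) -> bool:
    """Check-digit verification using the Luhn scheme (one common algorithm)."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:                      # every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def validate_record(rec: dict) -> list:
    """Run the per-record checks; return a 'check:field' label per failure."""
    failed = []
    qty = rec["quantity"]
    # Field test first: only an all-numeric field is safe to range-test.
    if not (qty.isascii() and qty.isdigit()):
        failed.append("field:quantity")
    elif not QTY_RANGE[0] <= int(qty) <= QTY_RANGE[1]:
        failed.append("range:quantity")
    try:
        amount = Decimal(rec["amount"])
        numeric = amount.is_finite()          # rejects 'NaN' and 'Infinity'
    except InvalidOperation:
        numeric = False
    if not numeric:
        failed.append("field:amount")
    elif amount <= 0:                         # sign test: a sale must be positive
        failed.append("sign:amount")
    elif amount > AMOUNT_LIMIT:               # limit test
        failed.append("limit:amount")
    # Existence (validity) test against the master file.
    if rec["customer_id"] not in CUSTOMER_MASTER:
        failed.append("existence:customer_id")
    if not luhn_valid(rec["account_no"]):
        failed.append("check_digit:account_no")
    return failed


def sequence_exceptions(doc_numbers: list) -> list:
    """Sequence check on prenumbered documents: gaps, duplicates, out-of-order."""
    issues, seen, highest = [], set(), None
    for n in doc_numbers:
        if n in seen:
            issues.append(("duplicate", n))
        elif highest is not None and n < highest:
            issues.append(("out_of_order", n))
        elif highest is not None and n > highest + 1:
            issues.append(("gap", (highest + 1, n - 1)))
        seen.add(n)
        highest = n if highest is None else max(highest, n)
    return issues


def closed_loop_echo(customer_id: str):
    """Closed-loop verification: related name shown back for the user to confirm."""
    return CUSTOMER_MASTER.get(customer_id)


def validate_batch(records: list) -> dict:
    """Build the exception report for one batch of order records."""
    return {
        "records": {r["doc_no"]: validate_record(r) for r in records},
        "sequence": sequence_exceptions([r["doc_no"] for r in records]),
        "echo": {r["doc_no"]: closed_loop_echo(r["customer_id"]) for r in records},
    }


# Constructed sample batch: one clean record, two with keying errors, and a
# missing document number (1003).
BATCH = [
    {"doc_no": 1001, "customer_id": "C1001", "account_no": "79927398713",
     "quantity": "12", "amount": "480.00"},
    {"doc_no": 1002, "customer_id": "C9999", "account_no": "79927398710",
     "quantity": "1O", "amount": "-25.00"},     # letter O keyed instead of zero
    {"doc_no": 1004, "customer_id": "C1002", "account_no": "79927398713",
     "quantity": "900", "amount": "7500.00"},
]

if __name__ == "__main__":
    report = validate_batch(BATCH)
    for doc_no, failures in report["records"].items():
        print(doc_no, report["echo"][doc_no], failures or "OK")
    print("sequence:", report["sequence"])
```

An auditor reperforming these application controls would compare an exception report like this with the entity's own error listing for the same batch.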
Figure 6.6 – flowcharting symbols

Auditing Internal Control Over Financial Reporting
October 27, 2023
Check Nexus for 7 generally accepted internal control documents
Management Responsibilities
Canada
- National Instrument 52-109 requires the management of publicly traded companies to issue a report that certifies the effectiveness of their internal controls
- This certification is not yet required to be audited
- Management can choose to have it audited under Other Canadian Standard Section 5952
United States
- Management is required to comply with the following requirements for the external auditor to complete an audit of ICFR:
- (1) Accept responsibility for the effectiveness of the entity’s ICFR
- (2) Evaluate the effectiveness of the entity’s ICFR using suitable control criteria
- (3) Support the evaluation with sufficient evidence, including documentation
- (4) Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year
Internal Control over Financial Reporting (ICFR) Defined
- ICFR is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of FS in accordance with GAAP
- Controls include procedures that:
- (1) Pertain to the maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the company
- (2) Provide reasonable assurance that transactions are properly authorized and recorded in accordance with GAAP
- (3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the FS
- Points (1) and (2) relate directly to controls for initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the FS
- These significant accounts are the ones that are likely to give us a material misstatement
- Point (3) is concerned with controls over safeguarding of assets that are moveable or can potentially be stolen (ex: inventory or cash on hand)
Internal Control Deficiencies Defined
Control Deficiency
- A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
- A design deficiency exists when:
- (1) A control necessary to meet the relevant control objective is missing
- Has it been designed correctly?
- Is it intended to do what it has to do?
- There is no control in place to ensure that the 2nd signature is properly authorized
- (2) An existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met
- A deficiency in operation exists when:
- (1) A properly designed control does not operate as designed
- (2) When the person performing the control does not possess the necessary authority or qualifications to perform the control effectively
Significant Deficiency
- A significant deficiency is a control deficiency, or a combination of control deficiencies, in ICFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting
- If we find these in controls, we want to be able to report that to the audit committee
- A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control
Material Weakness
- A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim FS will not be prevented or detected on a timely basis
- This is a bigger issue
- If we find this, we have to report that info ASAP to the audit committee and we can no longer rely on that control to work 🡪 increase substantive testing
Likelihood and Magnitude
- The auditor must consider two dimensions of the control deficiency:
- (1) Likelihood means reasonably possible (50% or more)
- (2) Magnitude means material, significant, or insignificant
- If likelihood is assessed as “remote”, an identified control issue does not rise to the level of control deficiency
- If likelihood is assessed as more than remote, the control issue will be considered a deficiency, a significant deficiency, or a material weakness depending on the magnitude of the deficiency
Figure 7.1 – the relationship of likelihood and magnitude in determining the materiality of a control deficiency
A control deviation caused by an employee performing a control procedure that he or she is not authorized to perform is always considered a …
- Deficiency in design
- We can argue that this is right
- According to the definition, the control is missing to prevent or detect the misstatement and/or it doesn’t matter if the control is there, it will not work
- Deficiency in operation
- Significant deficiency
- It is not this because we can’t determine the magnitude of material weakness
- Material weakness
Management’s Assessment Process
- Steps in the evaluation process:
- (1) Identify financial reporting risks and related controls
- (2) Consider which locations to include in the evaluation
- (3) Evaluate evidence about the operating effectiveness of ICFR
- Most entities use the framework developed by COSO
- This framework identifies primary objectives of internal control:
- (1) Reliable financial reporting
- (2) Efficiency and effectiveness of operations
- (3) Compliance with laws and regulations
Identify Financial Reporting Risks and Related Controls
Table 7.1 – examples of entity-level controls
- Controls within the control environment
- Controls over system override or bypass
- The entity’s risk assessment process
- Controls to monitor results of operations
- Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
- Controls over period-end financial reporting process
- Policies that address significant business control and risk management practices
Management’s Documentation
- Documentation should include the design of the controls management has placed in operation to adequately address identified financial reporting risks, including the entity-level controls and other pervasive elements necessary for effective ICFR
- Management is not required to identify and document every control in the process or to document the business process impacting ICFR
- Management must develop sufficient documentation to support its assessment of the effectiveness of internal control
- This documentation may take many forms (ex: paper, electronic files, or other media)
- It also includes policy manuals, process models, flowcharts, job descriptions, documents, and forms
Performing an Audit of ICFR
Integrating the Audits of Internal Control and Financial Statements

- An integrated audit is composed of the audits of internal control and the FS
- The control testing impacts the planned substantive procedures
- Also, the results of the substantive procedures are considered in the evaluation of internal control
- The tests and the discussions related to control testing in this chapter are relevant even if we are not doing an entire audit on the internal controls
- We still evaluate the effectiveness of internal controls & decide whether we are relying on them
Figure 7.2 – steps in performing an audit of ICFR
- Abbreviation: PISE
- Key terms are in brackets
- The audit of ICFR involves an iterative process of gathering, updating, and analyzing info
Planning the Audit of ICFR
- The planning process is like the process used for the audit of FS
- Consider the following:
- Role of risk assessment and the risk of fraud
- Scaling the audit
- Using the work of others
Table 7.3 – factors that may affect planning an audit of ICFR
- Knowledge of the entity’s ICFR obtained during other engagements
- Matters affecting the industry in which the entity operates
- Matters relating to the entity’s business
- The extent of recent changes in the entity, its operations, or its ICFR
- Preliminary judgements about materiality, risk, and other factors relating to the determination of material weakness
- Control deficiencies previously communicated to the audit committee or management
- Legal or regulatory matters of which the entity is aware
- The type and extent of available evidence related to the effectiveness of the entity’s ICFR
- Preliminary judgements about the effectiveness of ICFR
- Public info about the entity relevant to the evaluation of the likelihood of material FS misstatements and the effectiveness of the entity’s ICFR
- Knowledge about risks related to the entity evaluated as part of the auditor’s client acceptance and retention evaluation
- The relative complexity of the entity’s operations
Using the Work of Others
- A major consideration for the external auditor is how much work is to be performed by others
- In determining the extent to which the auditor may use the work of others, the auditor should:
- (1) Evaluate the nature of the controls subjected to the work of others
- (2) Evaluate the competence and objectivity of the individuals who performed the work
- (3) Test some of the work performed by others to evaluate the quality and effectiveness of their work
- As the risk associated with control being tested increases, the external auditor should do more of the work
Identify Controls to Test
Figure 7.3 – identifying the controls to test
- (3) Relevant assertions are those that have a possibility of causing a statement to be materially misstated
- Occurrence is a relevant assertion related to revenue
- (4) We don’t have to test all the controls related to an account or a disclosure – we only want to test those that are important to our conclusion as to whether or not our entity’s controls address material misstatements = key controls
Identifying Significant Accounts
- To identify significant accounts and disclosures and their relevant assertions, the auditor assesses the following risk factors:
- Size and composition of the account
- Susceptibility to misstatement due to errors or fraud
- Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure
- Nature of the account or disclosure
- Accounting and reporting complexities associated with the account or disclosure
- Exposure to losses in the account
- Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure
- Existence of related party transactions in the account
- Changes from the prior period in account or disclosure characteristics
Sources of Misstatements
- To understand the likely sources of potential misstatements, the auditor needs to do the following:
- Understand the flow of transactions related to the relevant assertions
- Identify the points within the entity’s processes at which a misstatement could arise that would be material
- Identify the controls that management has implemented to address these potential misstatements
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement of the FS
- Performing walkthroughs is the best way to identify potential sources of misstatements
- Performing a walkthrough involves auditors tracing a transaction from origination through the entity’s process and info system until it is reflected in the entity’s financial reports
Select Controls to Test
- Auditor does not need to test all controls – only the ones that are important to the auditor’s conclusion about whether the entity’s controls sufficiently address the assessed risk of misstatement to each relevant assertion 🡪 key controls
- This is a subjective task and therefore requires professional judgement
- The auditor should evaluate whether to test preventive controls, detective controls, or a combination of both
Table 7.4 – select controls to test
Factors to consider when identifying controls to test:
- Points at which errors or fraud could occur
- The nature of the controls implemented by management
- The significance of each control in achieving the objectives of the control criteria and whether more than one control achieves a particular objective or whether more than one control is necessary to achieve a particular objective
- The risk that the controls might not be operating effectively
- Factors that affect whether the control might not be operating effectively include the following:
- Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness
- Whether there have been changes in the design of controls
- The degree to which the control relies on the effectiveness of other controls
- Whether there have been changes in key personnel who perform the control or monitor its performance
- Whether the control relies on performance by an individual or is automated
- The complexity of the control
Evaluate, Design, and Test Operating Effectiveness of Controls
- Evaluate design effectiveness of controls
- Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the FS
- Evaluate key controls through inquiry, observation, walkthrough, inspection of relevant documentation and subjective evaluation
- Test and evaluate operating effectiveness
- An auditor evaluates the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively
- (1) Nature: inquiry, inspection of documents, observation, and reperformance
- (2) Timing: interim vs. “as of” date
- This is when we decide when to do these tests
- Testing at interim gives management time to correct any deficiencies they do find
- (3) Extent:
- (a) Nature of the control
- Manual or automated
- We want to be able to test manual controls more – easier to manipulate & find human error
- (b) Frequency of operation
- The more frequent a manual control operates, the greater the number of operations of control that the auditor should test
- (c) Importance of the control
- The more important the control = the more extensively it should be tested
Suppose an entity implements a control whereby its sales manager reviews and investigates a report listing sales invoices with unusually high or low gross margins. Would inquiry of the sales manager as to whether he or she investigates discrepancies be sufficient evidence to ensure that the control is working effectively?
- No
- The auditor should corroborate the sales manager’s responses by performing other procedures, such as inspecting reports generated by the performance of the control and evaluating whether appropriate actions were taken
Evaluate Identified Control Deficiencies
- As discussed previously, the auditor must consider the likelihood and magnitude of the control deficiency 🡪 see table 7.6
- Factors that affect whether the magnitude of the misstatement may result in a material weakness include …
- (1) The FS amounts or total of transactions exposed to the deficiency
- (2) The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods
- If a deficiency, or combination of deficiencies, prevents the auditor from having reasonable assurance that transactions are recorded properly, then the auditor should treat the deficiency as an indicator of a material weakness 🡪 see table 7.7
Note: these tables are useful when identifying the likelihood
Table 7.6 – risk factors that affect the likelihood that a control deficiency will result in a misstatement of an account balance or disclosure
- The nature of the financial statement accounts, disclosures, and assertions involved
- The susceptibility of the related asset or liability to loss or fraud
- The subjectivity, complexity, or extent of judgement required to determine the amount involved
- The interaction or relationship of the control with other controls, including whether they are interdependent or redundant
- The interaction of the deficiencies
- The possible future consequences of the deficiency
Table 7.7 – indicators of material weaknesses
- Identification of fraud, whether or not material, committed by senior management
- Restatement of previously issued financial statements to reflect the correction of a material misstatement
- Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the entity’s ICFR
- Ineffective oversight of the entity’s external financial reporting and ICFR by the entity’s audit committee
October 30, 2023
Remediation of a Material Weakness
- Remediation is the process of correcting a material weakness in the ICFR
- If a material weakness is corrected before the “as of” date, there must be sufficient time for both management and the auditor to test the operating effectiveness of the control – if not, an adverse opinion is still issued
Auditor Documentation Requirements
- The auditor should document the processes, procedures, judgments, and results relating to the audit of internal control consistent with audit quality documentation standards
- Documentation must include …
- (1) Auditor’s understanding and evaluation of the design of each of the components of the entity’s ICFR
- (2) Documentation of the process used to determine the points at which misstatements could occur within significant accounts and disclosures
- (3) Extent to which they relied on work performed by others
- (4) Scope of the testing
Special Considerations When Auditing Internal Control
Use of Service Organizations
- Many companies use a service organization to process transactions
- If the service organization’s services make up part of a company’s information system, then it is considered part of the information and communication component of the company’s internal control over financial reporting
- Thus, both management and the auditor must consider the activities of the service organization
- Management and the auditor should perform the following procedures with respect to the activities performed by the service organization:
- (1) Obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement
- (2) Design and perform audit procedures responsive to those risks
Safeguarding of Assets
- Safeguarding of assets are policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the entity’s assets that could have a material effect on the financial statements”
Computer-Assisted Audit Techniques
- Computer-assisted audit techniques (CAATs) include:
- Generalized audit software
- Custom audit software
- Test data
Table 7.9 – generalized audit software
Functions | Description |
File or database access | Reads and extracts data from an entity's computer files or databases for further audit testing |
Selection operators | Select from files or databases transactions that meet certain criteria |
Arithmetic functions | Perform a variety of arithmetic calculations (addition, subtraction, and so on) on transactions, files, and databases |
Statistical analyses | Provide functions supporting various types of audit sampling |
Report generation | Prepares various types of documents and reports |
Custom Audit Software
- Custom audit software is generally written by auditors for specific audit tasks and it may be required when the entity’s computer system is not compatible with the auditor’s generalized audit software
- Custom software:
- Is expensive to develop
- May require long development time
- May require extensive modification if the entity changes its accounting application programs
Test Data
- Test data are developed by the auditor to test the application controls in the entity’s computer programs
- The technique can be used to check:
- Data validation controls and error detection routines
- Processing logic controls
- Arithmetic calculations
- The inclusion of transactions in the records, files, and reports
Management Responsibilities Under Section 404
- Section 404 of the Sarbanes-Oxley Act requires management of publicly traded companies to issue a report that accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting (ICFR) and asserts whether ICFR is effective as of the end of the fiscal year
- Management must comply with the following requirements for the external auditor to complete an audit of ICFR:
- (1) Accept responsibility for the effectiveness of the entity’s ICFR
- (2) Evaluate the effectiveness of the entity’s ICFR using suitable control criteria
- (3) Support the evaluation with sufficient evidence, including documentation
- (4) Present a written assessment regarding the effectiveness of the entity’s ICFR as of the end of the entity’s most recent fiscal year
Auditor Responsibilities Under Section 404 and AS5
- The entity’s independent auditor must audit and report on the effectiveness of ICFR
- The auditor is required to conduct an integrated audit of the entity’s ICFR and its F/S
Written Representations
- In addition to the management representations obtained as part of a F/S audit, the auditor also obtains written representations from management related to the audit of ICFR
- Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion
Auditor Reporting on ICFR
Types of Reports
Figure 7.5a – report modification based on control deficiencies
- An unqualified opinion signifies that the entity’s internal control is designed and operating effectively (no material weaknesses)
- A serious (more than minor) scope limitation requires the auditor to disclaim an opinion
- An adverse opinion is required if a material weakness is identified
Figure 7.5b – report modification based on scope limitation
Other Reporting Issues
- Management’s report is incomplete or improperly presented
- The auditor decides to refer to the report of other auditors
- A significant subsequent event has occurred
- There is additional information contained in management’s report on internal control
- There is a remediated material weakness at an interim date
Additional Required Communications in an Audit of ICFR
- Significant deficiencies and material weaknesses:
- The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS5)
- This communication should be made prior to the issuance of the auditor’s report on ICFR
- Control deficiencies:
- In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit
- As well as inform the audit committee when such a communication has been made
Audit Sampling: An Overview and Application to Tests of Controls
November 01, 2023
Introduction
- Given the size and complexity of most entities needing a FS audit, it is usually not economical to examine all of the accounting records and supporting documents
- Auditors often find it necessary to draw conclusions about the fairness of FS assertions based on examinations of samples of the records and transactions
- As a result, the auditor provides reasonable, not absolute, assurance that the FS are fairly presented
- Accepting uncertainty is the trade-off between the cost of examining all the data and the cost of making an incorrect decision based on a sample of the data
- Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling
- With nonstatistical sampling, the auditor does not strictly apply statistical techniques and can apply some judgement to evaluate the results
- The steps and techniques used for these two sampling approaches are more similar than they are different
- Technological advances have reduced the number of times auditors need to apply sampling techniques to gather audit evidence:
- (1) Development of well-controlled, automated accounting systems
- (2) Powerful audit software to download and examine entire population of data
- Technology will never eliminate the need for auditors to rely on sampling to some degree because:
- (1) Many control processes require human involvement
- (2) Many testing procedures require the auditor to physically inspect an asset or inspect characteristics of a transaction or balance
- (3) In many cases, auditors are required to obtain and evaluate evidence from third parties
- (4) Audit data analytics are only as good as the quality of the underlying data and often the completeness, accuracy, and validity of the underlying data need to be tested and sampling can be an effective and efficient technique
- (5) Audit data analytics often identify many potential exceptions that the auditor may test using sampling
Definitions and Key Concepts
Audit Sampling
- Audit sampling is the selection and evaluation of less than 100 percent of the items in a population of audit relevance selected in such a way that the auditor expects the sample to be representative of the population and thus likely to provide a reasonable basis for conclusions about the population
Sampling Risk
- Sampling risk is the possibility that the sample drawn is not representative of the population and that, as a result, the auditor will reach an incorrect conclusion about the account balance or class of transactions based on the sample
- A representative sample is one where the evaluation of the sample results leads to the same conclusions that would be drawn if the same audit procedures were applied to the entire population
- When using audit sampling to obtain evidence, the auditor must always accept some sampling risk because they are not examining all items in a population
- Types of sampling risk:
- (1) Type I - risk of incorrect rejection
- In a test of internal controls, it is the risk that the sample supports a conclusion that the control is not operating effectively when, in fact, it is operating effectively
- In substantive testing, it is the risk that the sample indicates that the recorded balance is materially misstated when, in fact, it is not
- This relates to the efficiency of the audit
- This type of decision error can result in the auditor conducting more audit work than necessary to reach the correct conclusion
- (2) Type II - risk of incorrect acceptance
- In a test of internal controls, it is the risk that the sample supports a conclusion that the control is operating effectively when, in fact, it is not operating effectively
- In substantive testing, it is the risk that a sample supports the recorded balance when it is, in fact, materially misstated
- This relates to effectiveness of the audit
- This type of decision error can result in the auditor failing to detect a material misstatement in the FS, which can lead to litigation against the auditor by parties that rely on the FS
- Auditors focus only on Type II decision errors in determining their sample sizes, because Type I decision errors affect efficiency and not effectiveness
- Important factors in determining sample size:
- (1) The desired level of assurance in the results (confidence level)
- (2) Acceptable defect rate (tolerable error)
- (3) The historical defect rate (expected error)
Confidence Level
- Confidence level is the complement of sampling risk
- The auditor may set sampling risk for a particular sampling application at 5%, which results in a confidence level of 95%
Tolerable and Expected Error
- Once the desired confidence level is established, the sample size is determined largely by how much the tolerable error exceeds expected error
- Precision at the planning stage of audit sampling is the difference between the expected and tolerable deviation rates
- Auditing standards refer to precision as the “allowance for sampling risk”
Auditing Evidence
To Sample or Not to Sample
- Inspection of tangible assets: auditors attend the entity’s year-end inventory count
- When there are many items in inventory, the auditor will select a sample to physically inspect and count
- Inspection of records or documents: certain controls may require the matching of documents
- The procedure may take place many times a day
- The auditor may gather evidence on the effectiveness of the control by testing a sample of the documentation packages
- Reperformance: to comply with PCAOB standards, publicly traded entities must document and test controls over important assertions for significant accounts
- The auditor may reperform a sample of the tests performed by the entity
- Confirmation: rather than confirming all customer accounts receivable balances, the auditor may select a sample of customers
Testing All Items with a Particular Characteristic
- When an account or class of transactions is made up of a few large items, the auditor may examine all the items in the account or class of transaction
- When a small number of large transactions make up a relatively large percent of an account or class of transactions, auditors will typically test all the transactions greater than a particular dollar amount
Testing Only One or a Few Items
- Automated info systems process transactions consistently unless the system or programs are changed
- The auditor may test the general controls over the system and any program changes, but test only a few transactions processed by the IT system
Types of Audit Sampling
- This depends on the firm
- The idea is that it allows us to use probability theory in order to determine a precise error in the account, in the test, in the sample, or in the population – but it doesn’t always work
- Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling
- (1) In nonstatistical (or judgmental) sampling, the auditor does not use statistical techniques to determine sample size, select the sample items, or measure sampling risk
- (2) Statistical sampling uses the laws of probability to compute sample size and evaluate results
- The auditor can use the most efficient sample size and quantify sampling risk
- Advantages of statistical sampling:
- Design an efficient sample
- Measure the sufficiency of evidence obtained
- Quantify sampling risk
- Disadvantages of statistical sampling:
- Cost of training auditors in proper use
- Cost to design and conduct sampling application
- Lack of consistent application across audit teams
Statistical Sampling Techniques
Attribute Sampling
- Attribute sampling is used to estimate the proportion of a population that possesses a specified characteristic
- The most common use of attribute sampling is for tests of controls
- For example:
- The entity’s controls require that all checks have two independent signatures
- The auditors plan a test of that control using attribute sampling
Monetary-Unit Sampling
- Monetary-unit sampling uses attribute sampling theory to estimate the dollar amount of misstatement for a class of transactions or an account balance
- This technique is used extensively because it has several advantages over classical variables sampling
Classical Variables Sampling
- Auditors sometimes use classical variables sampling to estimate the dollar value of a class of transactions or account balance
- It is more frequently used to determine whether an account is materially misstated
Attribute Sampling Applied to Tests of Controls
- In conducting a statistical sample for a test of controls, auditing standards require the auditor to properly plan, perform, and evaluate the sampling application and to adequately document each phase of the sampling application

Planning
- (1) Determine the test objectives
- The objective of attribute sampling when used for tests of controls is to evaluate the operating effectiveness of the internal control
- (2) Define the population characteristics:
- Define the sampling population
- All or a subset of the items that constitute the class of transactions make up the sampling population
- Define the sampling unit
- Each sampling unit makes up one item in the population
- The sampling unit should be defined in relation to the control being tested
- Define the control deviation conditions
- A deviation is a departure from adequate performance of the internal control
- (3) Determine the sample size using the following inputs:
- The desired confidence level or risk of incorrect acceptance
- The confidence level is the desired level of assurance that the sample results will support a conclusion that the control is functioning effectively
- Generally, when the auditor has decided to rely on controls, the confidence level is set at 90% or 95%
- This means the auditor is willing to accept a 10% or 5% risk of accepting the control as effective when it is not
- The tolerable deviation rate is the maximum deviation rate from a prescribed control that the auditor is willing to accept and still consider the control effective
- Example: suggested tolerable deviation rates

- The expected population deviation rate is the rate the auditor expects to exist in the population
- The larger the expected population deviation rate, the larger the sample size must be, all else equal
- Example: assume a desired confidence level of 95%, and a large population, the effect of the expected population deviation rate on sample size is shown below

Population Size: Attributes Sampling
- Population size is not an important factor in determining sample size for attributes sampling
- The population size has little or no effect on the sample size, unless the population is relatively small, say less than 1,000 items

Performance
- (4) Select sample items:
- Random-number selection is when every item in the population has the same probability of being selected as every other sampling unit in the population
- Systematic selection is when the auditor determines the sampling interval by dividing the population size by the sample size
- A starting number is randomly selected in the first interval and then every nth item is selected
- (5) Perform the auditing procedures:
- Voided documents
- Example: assume a sales invoice should not be prepared unless there is a related shipping document
- If the shipping document is present, there is evidence the control is working properly
- If the shipping document is not present, a control deviation exists
- Unused or inapplicable documents
- Unless the auditor finds something unusual about either of these items, they should be replaced with a new sample item
- Inability to examine a sample item
- If the auditor is unable to examine a document or to use an alternative procedure to test the control, the sample item is a deviation for purposes of evaluating the sample results
- Stopping the test before completion
- If many deviations are detected early in the tests of controls, the auditor should consider stopping the test as soon as the results of the test will not support the planned assessed level of control risk
November 03, 2023
Evaluation
- (6) Calculate the sample deviation and upper deviation rates
- After completing the audit procedures, the auditor summarizes the deviations for each control tested and evaluates the results
- Example: if the auditor discovered two deviations in a sample of 50, the deviation rate in the sample would be 4% (# of deviation/sample size = 2/50)
- The upper deviation rate is the sum of the sample deviation rate and an appropriate allowance for sampling risk
- (7) Draw final conclusions
- The auditor compares the tolerable deviation rate to the computed upper deviation rate
Auditor’s Decision Based on Sample Evidence | True State of Internal Control – Reliable | True State of Internal Control – Not Reliable |
Supports the planned level of control risk | Correct decision | Risk of incorrect acceptance (Type II) |
Does not support the planned level of control risk | Risk of incorrect rejection (Type I) | Correct decision |
Attribute Sampling Example
- The auditor has decided to test a control at Calabro Wireless Services
- The test is to determine that the sales and service contracts are properly authorized for credit approval
- This is a common type of control test
- A deviation in this test is defined as the failure of the credit department personnel to follow proper credit approval procedures for new and existing customers
- Here is info relating to the test:
- Desired confidence level = 95%
- Overstating sales is an important part of our testing to ensure that all of the sales actually occurred
- Tolerable deviation rate = 6%
- Expected population deviation rate = 1%
- This is based on past experience
- Sample size = 78 contracts
- Part of the table used to determine sample size when the auditor specifies a 95% desired confidence level

- If there are 125,000 items in the population numbered from 1 to 125,000, the auditor can use Excel to generate random selections from the population for testing
- The auditor examines each selected contract for credit approval and determines the following:
- Number of deviations = 2
- Sample size = 78
- Sample deviation rate = 2.6% (# of deviation/sample size = 2/78)
- Computed upper deviation rate = 8.2%
- Tolerable deviation rate = 6.0%
- Part of the table used to determine the computed upper deviation rate at 95% desired confidence level:
- By rounding down our sample size, we have a more conservative estimate of the deviation rate – we do not want to make a Type I decision error
- Computed upper deviation rate (8.2%) > tolerable deviation rate (6%)
- Auditor’s decision: does not support reliance on the control
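The Calabro figures above can be recomputed rather than looked up. This is an added example, not part of the original notes; it assumes the exact binomial model that attribute sampling tables are typically built on, and the function names are hypothetical.

```python
from math import ceil, comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing k or fewer deviations."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence, tolerable_rate, expected_rate, max_n=5000):
    """Smallest n such that a population deviating at the tolerable rate would
    show no more than the expected number of deviations with probability <= risk."""
    risk = 1 - confidence  # risk of incorrect acceptance
    for n in range(1, max_n + 1):
        # Deviations the auditor expects to find in a sample of n (rounded up).
        expected_deviations = ceil(round(expected_rate * n, 9))
        if binom_cdf(expected_deviations, n, tolerable_rate) <= risk:
            return n, expected_deviations
    raise ValueError("no sample size up to max_n meets the stated risk")


def upper_deviation_rate(deviations, n, confidence):
    """Rate p at which finding `deviations` or fewer in n items has probability
    equal to the risk of incorrect acceptance (found by bisection)."""
    risk = 1 - confidence
    lo, hi = deviations / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # still too likely, so the upper limit is higher
        else:
            hi = mid
    return hi


def evaluate(deviations, unexaminable, n, confidence, tolerable_rate):
    """Steps (6) and (7): sample rate, upper rate, and the reliance decision.
    Items that could not be examined are counted as deviations."""
    counted = deviations + unexaminable
    upper = upper_deviation_rate(counted, n, confidence)
    return {
        "sample_rate": counted / n,
        "upper_rate": upper,
        "supports_reliance": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    n, k = sample_size(0.95, 0.06, 0.01)
    print(f"sample size: {n} (allowing {k} expected deviation)")
    # The notes round the sample size down to 75 for the table lookup.
    print(f"upper rate, n=75: {upper_deviation_rate(2, 75, 0.95):.1%}")
    result = evaluate(deviations=2, unexaminable=0, n=78,
                      confidence=0.95, tolerable_rate=0.06)
    print(f"sample rate {result['sample_rate']:.1%}, "
          f"upper rate {result['upper_rate']:.1%}, "
          f"supports reliance: {result['supports_reliance']}")
```

Using the actual sample size of 78 instead of the rounded-down 75 gives a slightly lower upper rate, but it still exceeds the 6% tolerable rate, so the decision does not change.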
Which of the following statements is correct concerning statistical sampling in tests of controls?
- Deviations from controls at a given rate usually result in misstatements at a higher rate
- There is no linear relationship
- As the population size doubles, the sample size should also double
- Population size does not matter when we do these tests
- Our sample size is based on expected population deviation rate and the tolerable deviation rate
- The qualitative aspects of deviations are not considered by the auditor
- There is an inverse relationship between the sample size and the tolerable deviation rate
Nonstatistical Sampling for Tests of Controls
Determining the Sample Size
- An auditing firm may establish a non-statistical sampling policy like the one below:

- Such a policy will promote consistency in sampling applications
- We want our sample size to be approximately comparable to the factor tables (we don’t want to go too far below or too far above)
Selecting the Sample Items
- Non-statistical sampling allows the use of random or systematic selection, but also permits the use of other methods (ex: haphazard sampling)
- When haphazard selection is used, sampling units are selected without any bias, that is, without a special reason for including or omitting items from the sample
- This is only used under non-statistical sampling
- This is difficult because humans tend to select things that are easy
- Key: have enough samples
Calculating the Upper Deviation Rate
- With a non-statistical sample, the auditor can calculate the sample deviation rate, but cannot mathematically quantify the computed upper deviation rate and sampling risk associated with the test
- Tables can be used to guide conclusions but cannot be used to verify conclusions
Control Tests for Low Control Frequency
- The sample size tables in the chapter assume a large population
- Sample size can be adjusted using the “finite correction factor” in the Advanced Module or by using the table below for very small populations (control performed less frequently):

Advanced Module 2: Comparing Terminology for Attribute Sampling between IDEA and Sampling Tables

Audit Sampling: An Application to Substantive Tests of Account Balances
November 06, 2023
Substantive Tests of Details of Account Balances
- The statistical concepts we discussed in the last chapter apply to this chapter as well
- Three important determinants of sample size are:
- (1) Desired confidence level
- (2) Tolerable misstatement
- (3) Estimated misstatement
- Population plays a bigger role in some of the sampling techniques used for substantive testing
- Misstatements discovered in the audit sample must be extrapolated to the population, and there must be an allowance for sampling risk
- Consider the following info about the inventory account balance of an entity:

- The ratio of misstatement in the sample is 2% ($2,000/$100,000)
- This is the sample misstatement
- We can use this ratio (ratio projection) to project what the dollar error in a population is
- Applying the ratio to the entire population produces a best estimate of misstatement of inventory of $60,000 ($3,000,000*2%)
- The results of our audit test depend upon the tolerable misstatement associated with the inventory account
- If the tolerable misstatement is $50,000, we cannot conclude that the account is fairly stated because our best estimate of the extrapolated misstatement is greater than the tolerable misstatement
Monetary-Unit Sampling (MUS)
- MUS uses attribute-sampling theory to express a monetary conclusion rather than a rate of occurrence
- It is commonly used by auditors to test accounts such as AR, loans receivable, investment securities, and inventory
- MUS uses attribute-sampling theory (used primarily to test controls) to estimate the percentage of monetary units in a population that might be misstated and then multiplies this percentage by an estimate of how much the dollars are misstated
Advantages of MUS
- These advantages are important – we need to understand when it is appropriate to use this technique
- When the auditor expects little misstatement, MUS usually results in a smaller sample size than classical variables sampling
- When applied using the probability-proportional-to-size procedure, MUS automatically results in a stratified sample
- This is a systematic selection process
- MUS does not require the user to make assumptions about the distribution of misstatements
Disadvantages of MUS
- The selection of zero or negative balances generally requires special design consideration
- When more than a few misstatements are detected, the sample results calculations may overstate the allowance for sampling risk
Steps in MUS Application
- Planning
- (1) Determine the test objectives
- (2) Define the population characteristics:
- Define the population
- Define the sampling unit
- Define a misstatement
- (3) Determine the sample size using the following inputs:
- Desired confidence level or risk of incorrect acceptance
- Tolerable misstatement
- Expected population misstatement
- Population size
- Performance
- (4) Select sample items
- (5) Perform the auditing procedures
- Evaluation
- (6) Calculate the extrapolated misstatement and the upper limit on misstatement
- (7) Draw final conclusions
Planning
- (1) Determine the test objectives:
- Sampling may be used for substantive testing to:
- Test the reasonableness of assertions about a financial statement amount (i.e., accuracy, existence) – most common use of sampling for substantive testing
- Develop an estimate of some amount
- (2) Define the population characteristics
- Population: for MUS, the population is defined as the monetary value of an account balance, such as accounts receivable, investment securities, or inventory
- Sampling unit: an individual dollar represents the sampling unit
- A misstatement is defined as the difference between monetary amounts in the entity’s records and amounts supported by audit evidence
- (3) Determine the sample size

Performance
- (4) Select sample items
- The auditor selects a sample for MUS by using a systematic selection approach called probability-proportional-to-size selection
- Sampling interval = book value of the population/sample size
- Each individual dollar in the population has an equal chance of being selected and items or “logical units” greater than the interval will always be selected
Example: Assume an entity’s book value of AR is $2,500,000, and the auditor determined a sample size of 93. The sampling interval will be $26,882 ($2,500,000 ÷ 93). The random number selected is $3,977, so the auditor would select the following items for testing:

- Figuring out how we got a sample size = 93
- (a) What is our tolerable misstatement as a percentage of the total population value?
- TM = 125,000
- Population size = 2,500,000
- Expected misstatement = 25,000
- (b) Change the book values into percentages
- TM = 125,000/2,500,000 = 5%
- Estimated misstatement = 25,000/2,500,000 = 1%
- (c) What sample size do we get when we look at table 8.5?
- With a TM of 5% and estimated misstatement of 1%, we get a sample size of 93
- Figuring out our sampling interval
- Sampling interval = BV of population/sample size = 2,500,000/93 = $26,882
- Find the cumulative dollar amount (previous total balance + next balance)
- Find the cumulative dollar amount that contains the random sample amount
- In our case, it would be the cumulative value of $17,825
- (a) Add the sampling interval
- We are looking for the $30,859 ($3,977 + $26,882)
- This is found in the cumulative dollar amount $40,683
- (b) Add the sampling interval again
- We are looking for the $57,741 ($30,859 + $26,882)
- This is found in the cumulative dollar amount $77,200
- (5) Perform the auditing procedures
- After the sample items have been selected, the auditor conducts the planned audit procedures on the logical units containing the selected dollar sampling units
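The selection walk-through above, written out as probability-proportional-to-size selection. This is an added example, not part of the original notes; the ledger is a constructed excerpt whose cumulative totals were chosen to land on the $17,825, $40,683 and $77,200 figures quoted above, and the account IDs and function names are hypothetical.

```python
def sampling_interval(book_value, sample_size):
    """Sampling interval = book value of the population / sample size."""
    return round(book_value / sample_size)


def pps_select(ledger, interval, random_start):
    """Systematic PPS selection over a list of (account, book_value) pairs.

    Every `interval`-th dollar is picked, starting at `random_start`; the
    logical unit (account) containing a picked dollar is selected for testing.
    Zero and negative balances contain no selectable dollars, so they are set
    aside for separate consideration instead of being silently skipped.
    """
    if not 0 < random_start <= interval:
        raise ValueError("random start must fall inside the first interval")
    selected, set_aside = [], []
    cumulative = 0
    next_hit = random_start
    for account, balance in ledger:
        if balance <= 0:
            set_aside.append(account)
            continue
        cumulative += balance
        hits = []
        # An account larger than the interval can contain several picked
        # dollars; it is still selected only once.
        while next_hit <= cumulative:
            hits.append(next_hit)
            next_hit += interval
        if hits:
            selected.append({
                "account": account,
                "book_value": balance,
                "cumulative": cumulative,
                "dollars_hit": hits,
            })
    return selected, set_aside


# Constructed excerpt: the first accounts of a receivables ledger.
LEDGER = [
    ("C-001", 2_350),
    ("C-002", 15_475),
    ("C-003", 945),
    ("C-004", 21_913),
    ("C-005", 3_402),
    ("C-006", 33_115),   # larger than the interval: always selected
    ("C-007", 1_200),
    ("C-008", 9_800),
    ("C-009", 60_000),   # spans two selection points
    ("C-010", 0),        # zero balance
    ("C-011", -500),     # credit balance
    ("C-012", 12_000),
]

if __name__ == "__main__":
    interval = sampling_interval(2_500_000, 93)
    chosen, aside = pps_select(LEDGER, interval, random_start=3_977)
    print(f"sampling interval: ${interval:,}")
    for row in chosen:
        print(f"{row['account']}: cumulative ${row['cumulative']:,}, "
              f"dollars hit {row['dollars_hit']}")
    print("set aside for separate testing:", aside)
```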
Evaluation
- (6) Calculate the extrapolated misstatement and the upper limit on misstatement
- The misstatements detected in the sample must be extrapolated to the population
Example:
- Book value = $2,500,000
- Tolerable misstatement = $125,000
- Sample size = 93
- Desired confidence level = 95%
- Expected amount of misstatement = $25,000
- Sampling interval = $26,882
- Basic precision using the table (9.4): if no misstatements are found in the sample, the best estimate of the population misstatement would be $0

- This table is giving us the info we need to calculate the allowance for sampling risk which is added to the extrapolated error that we calculated
- Upper misstatement limit: $26,882 (sampling interval) *3.0 (misstatement factor) = $80,646
- If our upper limit is greater than our tolerable misstatement = the account is not fairly stated
- Misstatements detected: in the sample of 93 items, the following misstatements were found:

- The tainting factor is the % of misstatements in the logical unit
- Tainting factor = (book value – audit value)/book value
- Because the Axa balance of $32,549 is greater than the interval of $26,882, no sampling risk is added
- Since all the dollars in the large accounts are audited, there is no sampling risk associated with large accounts
- Computed upper misstatement limit: we compute the upper misstatement limit by calculating basic precision and ranking the detected misstatements based on the size of the tainting factor from the largest to the smallest 🡪 see table 9.4

- Basic precision always goes first
- We extrapolate the misstatement (sampling interval × tainting factor)
- We use table 9-4 to find the 95% upper limit by finding the increment
- (7) Draw final conclusions
- In our example, the final decision is whether the AR balance is materially misstated or not
- We compare the tolerable misstatement to the upper misstatement limit
- If the upper misstatement limit is less than or equal to the tolerable misstatement = balance is not materially misstated
- In our example, the upper misstatement limit of $150,621 is greater than the tolerable misstatement of $125,000, so the auditor concludes that the accounts receivable balance is materially misstated
- When faced with this situation, the auditor may:
- Increase the sample size
- Perform other substantive procedures
- Request the entity adjust the accounts receivable balance
- If management refuses to adjust the account balance, the auditor would consider issuing a qualified or an adverse opinion
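The evaluation steps above (basic precision, tainting, ranking, incremental factors, large items taken at face value) combined into one calculation. This is an added example, not part of the original notes: the misstatements are constructed, so the total differs from the $150,621 in the notes, and the confidence factors are computed from the Poisson distribution and rounded to one decimal, an assumption that reproduces the 3.0 used above but may differ from other entries in table 9.4.

```python
from math import exp, factorial


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam)."""
    return exp(-lam) * sum(lam**i / factorial(i) for i in range(k + 1))


def confidence_factor(k, confidence):
    """Upper-limit factor for k misstatements: the Poisson mean at which
    observing k or fewer has probability equal to the risk (assumed basis)."""
    risk = 1 - confidence
    lo, hi = 0.0, k + 50.0
    for _ in range(80):
        mid = (lo + hi) / 2
        if poisson_cdf(k, mid) > risk:
            lo = mid
        else:
            hi = mid
    return round(hi, 1)


def evaluate_mus(findings, interval, confidence, tolerable):
    """findings: list of {"book": ..., "audit": ...} for misstated logical units."""
    # Units larger than the interval were fully audited: no sampling risk added.
    large = [f for f in findings if f["book"] > interval]
    sampled = [f for f in findings if f["book"] <= interval]

    taints = sorted(((f["book"] - f["audit"]) / f["book"] for f in sampled),
                    reverse=True)  # largest tainting factor first
    if any(t < 0 for t in taints):
        raise ValueError("understatements need separate treatment")

    basic_precision = confidence_factor(0, confidence) * interval
    rows, previous = [], confidence_factor(0, confidence)
    for rank, taint in enumerate(taints, start=1):
        factor = confidence_factor(rank, confidence)
        increment = round(factor - previous, 1)
        projected = taint * interval
        rows.append({"tainting": taint, "projected": projected,
                     "increment": increment, "upper": projected * increment})
        previous = factor

    known = sum(f["book"] - f["audit"] for f in large)
    upper_limit = basic_precision + sum(r["upper"] for r in rows) + known
    return {
        "basic_precision": basic_precision,
        "rows": rows,
        "known_large_item_misstatement": known,
        "projected_misstatement": sum(r["projected"] for r in rows) + known,
        "upper_misstatement_limit": upper_limit,
        "materially_misstated": upper_limit > tolerable,
    }


# Constructed findings (not the ones from the notes).
FINDINGS = [
    {"book": 12_500, "audit": 10_000},   # tainting 0.20
    {"book": 8_000, "audit": 4_000},     # tainting 0.50
    {"book": 40_000, "audit": 38_000},   # larger than the interval
]

if __name__ == "__main__":
    result = evaluate_mus(FINDINGS, interval=26_882, confidence=0.95,
                          tolerable=125_000)
    print(f"basic precision: ${result['basic_precision']:,.0f}")
    for row in result["rows"]:
        print(f"tainting {row['tainting']:.2f} x interval = "
              f"${row['projected']:,.0f}, x {row['increment']} = "
              f"${row['upper']:,.0f}")
    print(f"upper misstatement limit: ${result['upper_misstatement_limit']:,.0f}")
    print("materially misstated:", result["materially_misstated"])
```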
Risks When Evaluating Account Balances

Effect of Understatement Misstatements
- MUS is not particularly effective at detecting understatements
- An understated account is less likely to be selected than an overstated account

- The most likely error will be reduced by $2,688 (-0.10*$26,882)
November 08, 2023
Nonstatistical Sampling for Tests of Account Balances
- The sampling unit for nonstatistical sampling is normally a customer account, an individual transaction, or a line item on a transaction
- When using nonstatistical sampling, the following items must be considered:
- (1) Identifying individually significant items
- (2) Determining the sample size
- (3) Selecting sample items
- (4) Calculating the sample results
- Nonstatistical sampling differences from statistical sampling:
- Test objective
- Define population
- Monetary value of the account balance
- When we are defining the sampling unit, our sampling unit may be a customer account, a transaction, or a line item in the transaction (ex: sale discounts, price discounts)
- Misstatement will be the same
- We will extract the large accounts and the remaining amounts will be tested using sampling
- Example: if AR balance is $10,000,000 then we will test 10 accounts greater than $200,000
- The book value of those accounts = $2,400,000
- Proportion = 24% (2,400,000/10,000,000)
- The remaining amounts will be our sample population = $7,600,000 (10,000,000 – 2,400,000)
- Proportion = 76% (7,600,000/10,000,000)
Identifying Individually Significant Items
- The items to be tested individually are items that may contain potential misstatements that individually exceed the tolerable misstatement
- These items are tested 100% because the auditor is not willing to accept any sampling risk
Determining the Sample Size and Selecting the Sample
Table 9.6 – confidence factors for nonstatistical sampling (page 316)

- Auditing standards require that the sample items be selected in such a way that the sample can be expected to represent the population
Calculating the Sample Results
- (1) Ratio projection is a method that projects the sample results to the population by applying the misstatement ratio in the sample to the population
- Example: Assume the auditor finds $1,500 in misstatements in a sample of $15,000
- The misstatement ratio is 10% (1,500/15,000)
- If the population total is $200,000, the extrapolated misstatement would be $20,000 (200,000*10%)
- (2) Difference projection is a method that projects the average misstatement of each item in the sample to all items in the population
- Example: Assume misstatements in a sample of 100 items total $300, and the population contains 10,000 items
- Average misstatement is $3 (300/100)
- The extrapolated misstatement would be $30,000 (3*10,000)
Non-statistical sampling example: The auditors of Calabro Wireless Service have decided to use nonstatistical sampling to examine the AR balance. Calabro has a total of 11,800 (15+250+11,535) accounts with a balance of $3,717,900.
- The auditors stratify the accounts as follows:

- The auditor decides …
- Based on the results of the tests of controls, the RMM is assessed as low
- The tolerable misstatement is $55,000, and the expected misstatement is $15,000
- The desired level of confidence is moderate based on the other audit evidence already gathered
- All customer account balances greater than $25,000 are to be audited

- The auditor sent positive confirmations to each of the 110 (95+15) accounts selected
- Either the confirmations were returned, or alternative procedures were successfully used
- 4 customers indicated that their accounts were overstated, and the auditors determined that the misstatements were the result of unintentional error by entity personnel
- Results of the audit testing:

- When we are doing nonstatistical sampling, we will project the error to the population
- As a result of the audit procedures, the following extrapolated misstatement was prepared:

- This is the ratio projection technique
- The total extrapolated misstatement of $10,800 is less than the expected misstatement of $15,000
- Auditors may conclude that there is an acceptably low risk that the true misstatement exceeds the tolerable misstatement
Which of the following is false regarding non-statistical sampling?
- Judgement, rather than statistical table or formula, can be used to determine the sample size
- A haphazard sample selection technique can be used
- The sample size can be much smaller than under statistical sampling
- The sample results can be evaluated judgementally
Advanced Module 1: Classical Variable Sampling
- Note: we will look at this after term test 2
- Classical variables sampling uses normal distribution theory to evaluate the characteristics of a population based on sample data
- Auditors most commonly use classical variables sampling to estimate the size of misstatement
- Sampling distributions are formed by plotting the extrapolated misstatements yielded by an infinite number of audit samples of the same size taken from the underlying population
Figure 9.1 – normally distributed sampling distributions
- A sampling distribution is useful because it allows us to estimate the probability of observing any single sample result
- In classical variables sampling, the sample mean is the best estimate of the population mean
Advantages
- When the auditor expects a relatively large number of differences between book and audited values, this method will normally result in a smaller sample size than MUS
- The techniques are effective for both overstatements and understatements
- The selection of zero balances generally does not require special sample design considerations
Disadvantages
- Does not work well when little or no misstatement is expected in the population
- To determine sample size, the auditor must estimate the standard deviation of the audit differences
- If few misstatements are detected in the sample data, the estimated variance used for evaluation may underestimate the true variance, and the resulting projection of the misstatements and the related confidence limits are not likely to be reliable
Applying Classical Variables Sampling
Defining the Sampling Unit
- The sampling unit can be a …
- Customer account
- An individual transaction
- Line item
- In auditing AR, the auditor can define the sampling unit to be a customer’s account balance or an individual sales invoice included in the account balance
Determining the Sample Size
- CC = confidence coefficient
- SD = estimated standard deviation
- The confidence coefficient (CC) is associated with the desired level of confidence
- The desired level of confidence is the complement of the risk that the auditor will mistakenly accept a population as fairly stated when the true population misstatement is greater than the tolerable misstatement

Example: The YE balance for AR contains 5,500 accounts with a book value of $5,500,000. The tolerable misstatement for AR is set at $50,000. The expected misstatement has been judged to be $20,000. The desired confidence is 95%. Based on work completed last year, the auditor estimates the standard deviation at $31.
Calculating the Sample Results
- The sample selection usually relies on random-selection techniques
- Upon completion, 30 of the customer accounts selected contained misstatements that totaled $330.20
- Our first calculation is the mean misstatement in an individual account, which is calculated as follows
- The mean misstatement must be extrapolated to the population
Figure 9.2 – a comparison of the lower and upper misstatement limits to tolerable misstatement
- If both limits are within the bounds of tolerable misstatement, the evidence supports the conclusion that the account is not materially misstated
Auditing the Revenue Process
November 15, 2023
Revenue Recognition
- Revenue must be recognized in conformity with GAAP in order for an auditor to issue an unqualified opinion
- Revenue is defined as inflows or other enhancements of assets of an entity or settlements of its liabilities (or a combination of both) from delivery or producing goods, rendering services, or other activities that constitute the entity’s major or central operations
- The accounting standard for revenue contains principles that an entity should apply to determine the measurement of revenue and timing of when it is recognized
- The underlying principle is that “an entity recognizes revenue to depict the transfer of promised goods/services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods/services”
Five-Step Approach to Revenue Recognition
- (1) Identify the contract(s) with a customer
- (2) Identify the performance obligations in the contract
- (3) Determine the transaction price
- (4) Allocate the transaction price to the performance obligations in the contract
- (5) Recognize revenue when the entity satisfies a performance obligation
Fraud Risks in Revenue Recognition
- (1) Side agreements are arrangements that are used to alter the terms and conditions of recorded sales to entice customers to accept delivery of goods/services
- (2) Channel stuffing (a.k.a. trade loading) is a marketing practice that suppliers use to boost sales by inducing distributors to buy substantially more inventory than they can promptly resell
- (3) Related party transactions are transactions that are not considered arms-length and they require special consideration because related parties can be difficult to identify and may pose significant “substance over form” issues
- (4) Bill and hold sales (a.k.a. parked inventory schemes) are sales where the customer agrees to purchase the goods, but the seller retains physical possession until the customer requests shipments, unless certain conditions are met
Overview of the Revenue Process
- Cash sale: purchases 🡪 inventory 🡪 cash sales
- Credit sale: purchases 🡪 inventory 🡪 credit sales 🡪 AR 🡪 cash collection
Types of Transactions and FS Accounts Affected
- Three types of transactions are processed through the revenue process:
- (1) The sale of goods or rendering of a service for cash or credit
- (2) The receipt of cash from the customer in payment for goods or services
- (3) The return of goods by the customer for credit or cash
- The revenue process affects numerous accounts in the FS – the most significant accounts are:
- (1) Sales transactions
- Trade AR
- Sales
- Allowance for uncollectible accounts
- Bad debt expense
- (2) Cash receipts transactions
- Cash
- Trade AR
- Cash discounts
- (3) Sales return and allowance transactions
- Sales returns
- Sales allowances
- Trade AR
Types of Documents and Records
- Credit approval form – for credit sales, the entity must have a formal procedure for investigating the creditworthiness of the customer
- Customer sales order – contains the details of the type and quantity of products or services ordered by the customer
- Open order report – a report of all customer orders for which processing has not been completed
- Shipping document – this document generally serves as a bill of lading and contains info on the type of product shipped, the quantity shipped, and other relevant info
- Sales invoice – the document is used to bill the customer and it contains info on the type of product or service, the quantity, the price, and the terms of trade
- Sales journal – once a sales invoice has been issued, the sale needs to be recorded in the accounting records
- The sales journal is used to record info about the sales transaction
- Customer statement – this document is mailed to the customer and contains details of all sales, cash receipts, and credit memorandum transactions
- AR subsidiary ledger – this ledger contains an account and the details of transactions for each customer
- Aged TB of AR – this report summarizes all the customer balances in the accounts receivable subsidiary ledger
- Each account is classified as current or placed into one of several past due categories
- Remittance advice – this is usually the part of the customer’s bill that should be returned with the payment
- Cash receipts journal – this journal is used to record the cash receipts of the entity
- Credit memorandum – this document is used to record credits for the return of goods by a customer
- Write off authorization – this document authorizes the write-off of an uncollectible account receivable
- Final approval is generally authorized by the treasurer
The Major Functions
- Functions of the revenue process:
- Order entry is the acceptance of customer orders of goods/services into the system in accordance with management criteria
- The initial function in the revenue process is the entry of a new sales order into the system
- Credit authorization is the appropriate approval of customer orders for creditworthiness
- The credit authorization process must determine that the customer is able to pay for the goods or services purchased
- Failure to properly authorize credit can lead to extensive bad debts for the entity
- Shipping is the shipping of goods that has been authorized
- Goods should not be shipped, nor should services be provided without proper authorization
- The main control is payment or proper credit authorization
- Billing is the issuance of sales invoices to customers for goods shipped or services provided; also, processing of billing adjustments for allowances, discounts, and returns
- The objective of proper billing is to ensure that all goods shipped, and all services rendered are billed to the customer
- Cash receipts is the processing of the receipt of cash from customers
- All cash collected must be properly identified and promptly deposited intact at the bank
- AR is the recording of all sales invoices, collections, and credit memoranda in individual customer accounts
- All billings, adjustments, and cash collections must be properly recorded in the customers’ accounts receivable records
- GL is the proper accumulation, classification, and summarization of revenues, collections, and receivables in the FS accounts
- As related to the revenue process, the general ledger function must ensure that all revenues, collections, and receivables are properly recorded and classified
Key Segregation of Duties
- Important in the revenue process because of the potential for theft and fraud
- Individuals involved in the order entry, credit, shipping, or billing functions should not have access to the AR records, the GL, or any cash receipts activities
Table 10.4 – segregation of duties for the revenue process functions by department:

Inherent Risk Assessment
- The four inherent risk factors that may affect the revenue process are:
- (1) Industry related factors
- (2) The complexity and contentiousness of revenue recognition issues
- (3) The difficulty of auditing transactions and account balances
- (4) Misstatements detected in prior audits
Control Risk Assessment
- (1) Understand and document the revenue process based on a reliance strategy
- (2) Plan and perform tests of controls on revenue transactions
- (3) Set and document the control risk for the revenue process
Understanding and Documenting Internal Control
- (1) Control environment
- Understanding the control environment is generally completed on an overall entity basis
- (2) The entity’s risk assessment process
- The auditor must understand how management considers risks that are relevant to the revenue process
- The auditor should estimate the significance of the risk and assess the likelihood of occurrence
- (3) Control activities
- The auditor identifies what controls ensure that the assertions for transactions and events are being met
- Documentation of the auditor’s understanding of the revenue process can be accomplished by using …
- (1) Procedures manuals
- (2) Narrative descriptions
- (3) Internal control questionnaire
- (4) Flowcharts
- (4) Info systems and communication
- The process by which sales, cash receipts, and sales returns and allowances transactions are initiated
- The flow of each transaction from initiation to inclusion in the FS
- The accounting records, supporting documents, and accounts that are involved in sales, cash receipts, and sales returns
- The process used to prepare estimates for accounts such as bad debts and sales returns
- (5) Monitoring of controls
- The auditor must understand how management assesses the design and operation of controls in the revenue process
- This understanding should include how supervisory personnel review the personnel who perform the controls and evaluate the performance of the entity’s IT function
Plan and Perform Tests of Controls
- The auditor systematically examines the entity’s revenue process to identify relevant controls that help to prevent, or detect and correct, material misstatement
- To properly set control risk, the auditor must test controls over the revenue process – such tests may include …
- Inquiry of client personnel
- Inspection of documents and records
- Observations of the operation of the control
- Walkthroughs
- Reperformance of the control activities
Set and Document the Control Risk
- If the results of the tests of controls support the planned level of control risk, the auditor conducts the planned level of substantive procedures for the account balances
- The level of control risk for the revenue process can be set using either quantitative amounts or qualitative terms such as “low,” “medium,” or “high”
Control Activities and Test of Controls – Revenue Transactions
Table 10.5 – assertions about classes of transactions and events for the period under audit:

Table 10.6 – example tests of controls for revenue transactions



Occurrence of Revenue Transactions
- The auditor is concerned about two major types of material misstatements:
- (1) Sales to fictitious customers
- (2) Recording revenue when goods have not been shipped or services have not been performed
- The auditor needs assurance that all recorded revenue transactions are valid
Completeness of Revenue Transactions
- The major misstatement that concerns both management and the auditor is that goods are shipped, or services are performed, and no revenue is recognized
- Controls concerning completeness include:
- (1) Accounting for numerical sequence of shipping documents and sales invoices
- (2) Matching shipping documents with sales invoices
- (3) Reconciling sales invoices to daily sales reports
- (4) Maintaining and reviewing the open-order file
Authorization and Accuracy of Revenue Transactions
- Possible misstatements due to improper authorization include shipping goods to, or performing services for, customers who are bad credit risks and making sales at unauthorized prices or terms
- The presence of an authorized price list and terms of trade reduces the risk of inaccuracies
- The sales invoice should also be verified for mathematical accuracy before being sent to the customer
Cutoff and Classification of Revenue Transactions
- Sales may be recorded in the wrong accounting period unless proper controls are in place
- All shipping documents should be forwarded to the billing department daily
- The use of a chart of accounts and proper codes for recording transactions should provide adequate assurance about the proper classification of revenue transactions
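The occurrence, completeness, and cutoff controls described above can be reperformed over the entity's data. The following is an added example, not part of the original notes: the records, field names, and function names are constructed, and it assumes revenue is recognized when goods are shipped.

```python
from datetime import date

# Constructed sample records (not from the page). Each invoice cites the
# pre-numbered shipping document it bills.
SHIPPING_DOCS = [
    {"no": 5001, "shipped": date(2023, 12, 28)},
    {"no": 5002, "shipped": date(2023, 12, 29)},
    {"no": 5004, "shipped": date(2023, 12, 30)},  # 5003 is unaccounted for
    {"no": 5005, "shipped": date(2024, 1, 2)},
]
INVOICES = [
    {"no": 9001, "ship_no": 5001, "recorded": date(2023, 12, 28)},
    {"no": 9002, "ship_no": 5002, "recorded": date(2023, 12, 29)},
    {"no": 9003, "ship_no": 5005, "recorded": date(2023, 12, 31)},  # shipped next period
    {"no": 9005, "ship_no": 5777, "recorded": date(2023, 12, 31)},  # no such shipment
]
YEAR_END = date(2023, 12, 31)

def sequence_gaps(numbers):
    """Document numbers missing from a pre-numbered sequence."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def revenue_exceptions(shipping_docs, invoices, year_end):
    """Exceptions an auditor would follow up, keyed by the control tested."""
    shipped = {d["no"]: d["shipped"] for d in shipping_docs}
    billed = {i["ship_no"] for i in invoices}
    matched = [i for i in invoices if i["ship_no"] in shipped]
    return {
        "missing_shipping_nos": sequence_gaps(shipped),
        "missing_invoice_nos": sequence_gaps(i["no"] for i in invoices),
        # Completeness: goods shipped but never invoiced.
        "shipped_not_billed": sorted(n for n in shipped if n not in billed),
        # Occurrence: revenue recorded with no supporting shipment.
        "billed_not_shipped": sorted(
            i["no"] for i in invoices if i["ship_no"] not in shipped),
        # Cutoff: recorded on the other side of year-end from the shipment.
        "cutoff": sorted(
            i["no"] for i in matched
            if (i["recorded"] <= year_end) != (shipped[i["ship_no"]] <= year_end)),
    }

if __name__ == "__main__":
    for test, items in revenue_exceptions(SHIPPING_DOCS, INVOICES, YEAR_END).items():
        print(f"{test}: {items}")
```

Each exception is a lead for follow-up rather than a confirmed misstatement; a gap in the numerical sequence, for instance, may turn out to be a properly voided document.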
Presentation of Revenue Transactions
- The auditor’s tests of controls around management’s use of a chart of accounts, proper codes for recording revenue transactions, and the financial reporting process, including the use of a disclosure checklist, should provide adequate assurance for the presentation assertion
November 17, 2023
Control Activities and Test of Controls – Cash Receipts Transactions
Table 10.7 – example tests of controls for cash receipts transactions



Occurrence of Cash Receipts Transactions
- The possible misstatement that concerns the auditor when considering the occurrence assertion is that cash receipts are recorded but not deposited in the entity’s bank account
Completeness of Cash Receipts and Authorization of Discounts
- A major misstatement is that cash or checks are stolen or lost before being recorded in the cash receipts records
- Proper segregation of duties and a lockbox system are strong controls
- Terms of trade generally include discounts for payment within a specified period as a way of encouraging customers to pay on time (ex: 2/10, n/30 = a 2% discount if paid within 10 days, otherwise the net amount is due in 30 days)
- Controls in the accounting system and data analytics should ensure that management’s policies concerning cash discounts are followed
Accuracy of Cash Transactions
- The wrong amount of cash could be recorded from the remittance advice, or the receipt could be incorrectly processed during data entry
- To minimize these types of errors, daily remittance reports should be reconciled to a control listing of remittance advices
- The use of monthly customer statements provides a check on posting to the correct customer account
Cutoff and Classification of Cash Receipts Transactions
- If the entity uses a lockbox system or if cash is deposited daily in the bank, there is a small possibility of cash being recorded in the wrong accounting period
- The auditor seldom has major concerns about cash receipts being recorded in the wrong FS account
Control Activities and Tests of Controls – Sales Returns and Allowances
- Sales returns and allowances is usually not a material amount in the FS
- However, credit memoranda that are used to process sales returns can also be used to cover an unauthorized shipment of goods or conceal a misappropriation of cash
- As a result, all credit memoranda should be properly authorized
- A credit for returned goods should be supported by a receiving document indicating that the goods have been returned
Relating the Assessed Level of Control Risk to Substantive Procedures
- The auditor’s testing of controls over the revenue process affects detection risk and therefore the level of substantive procedures for the accounts those controls affect
- Accounts affected: AR, sales, cash, allowance for bad debts, sales returns and allowances, and bad debt expense
Auditing Revenue Related Accounts
- Substantive analytical procedures are used to examine plausible relationships among revenue related accounts
- This gives us an idea as to where we will spend most of our time during our audit testing
- Tests of details focus on transactions, account balances, or disclosures
- Tests of details concentrate on the ending balance for AR and related accounts as well as related disclosures
- What account balances would we want to test to make sure that they’re fairly stated?
- AR, sales (tests of controls & tests of transactions)
- If we are confident in the sales transactions and receipts, then the account balances that we want to look at are AR, AFDA, and the BS
Review of Revenue Recognition
T account for AR:
- DR. Sales
- CR. Cash receipts
- CR. Sales discounts
- CR. Sales returns and allowances
- We want to make sure that the balance is not misstated materially
T account for inventory:
- DR. Purchases
- Associated with AP
- We can do dual-purpose tests when we’re doing purchase and payables
- DR. Sales returns (returned inventory)
- This is related to AR 🡪 customers are getting credit for goods that are returned 🡪 ensure that the receiving document matches the credit memo
- CR. Cost of goods sold
- We can do dual-purpose tests
- CR. Inventory write-offs
- CR. Purchase discounts
- CR. Purchase returns
- Common test for the balance of inventory 🡪 inventory count & test counts
- Test counts = choosing a sample of inventory and ensuring that it exists, has been counted correctly, and has been recognized in the GL correctly
Substantive Analytical Procedures
- Ratios used for comparative purposes include:
- (1) Receivables turnover and days outstanding in AR
- (2) Aging categories on aged trial balance of AR
- We can age it ourselves using IDEA
- We can do our own estimates of what the uncollectible balance should be and more easily support/provide evidence for the AFDA
- (3) Bad-debts expense as a percent of revenue
- (4) Allowance for uncollectible accounts as a percent of AR or credit sales
- (5) Large customer account balances compared to last period
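Aging the receivables independently and deriving the comparison ratios, as described in the list above, can be sketched as follows. This is an added example, not part of the original notes, with Python standing in for IDEA; the invoices, the bucket boundaries, the loss rates, and the function names are constructed assumptions, and ending AR is used in place of average AR for turnover.

```python
from datetime import date

# Constructed sample of open invoices at year-end (not from the page).
OPEN_INVOICES = [
    {"customer": "A", "invoice_date": date(2023, 12, 15), "amount": 40000.0},
    {"customer": "B", "invoice_date": date(2023, 11, 10), "amount": 25000.0},
    {"customer": "C", "invoice_date": date(2023, 10, 15), "amount": 10000.0},
    {"customer": "D", "invoice_date": date(2023, 6, 1), "amount": 5000.0},
]
# Assumed buckets: (upper bound in days, label, expected loss rate). An auditor
# would derive the rates from the entity's own collection history.
BUCKETS = [(30, "0-30", 0.01), (60, "31-60", 0.05),
           (90, "61-90", 0.10), (None, "over 90", 0.40)]

def age_receivables(invoices, as_of):
    """Total open AR per aging bucket as of the balance sheet date."""
    totals = {label: 0.0 for _, label, _ in BUCKETS}
    for inv in invoices:
        days = (as_of - inv["invoice_date"]).days
        for limit, label, _ in BUCKETS:
            if limit is None or days <= limit:
                totals[label] += inv["amount"]
                break
    return totals

def ar_analytics(invoices, as_of, credit_sales, recorded_allowance):
    """Aging, an independent allowance estimate, and the comparison ratios."""
    aged = age_receivables(invoices, as_of)
    gross = sum(aged.values())
    if gross <= 0:
        raise ValueError("no open receivables to analyze")
    estimate = sum(aged[label] * rate for _, label, rate in BUCKETS)
    turnover = credit_sales / gross  # ending AR used in place of average AR
    return {
        "aged": aged,
        "estimated_allowance": round(estimate, 2),
        # Positive shortfall: the recorded AFDA is below the auditor's estimate.
        "allowance_shortfall": round(estimate - recorded_allowance, 2),
        "allowance_pct_of_ar": round(recorded_allowance / gross, 4),
        "receivables_turnover": round(turnover, 2),
        "days_outstanding": round(365 / turnover, 1),
    }

if __name__ == "__main__":
    print(ar_analytics(OPEN_INVOICES, date(2023, 12, 31), 584000.0, 2400.0))
```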
Table 10.10 – for AR, allowance for uncollectible accounts, and bad debt expense:

*Each of these substantive tests of transactions could be conducted as a test of controls or a dual-purpose test. Of these six assertions, the cutoff assertion is the one that is most often conducted as a substantive test of transactions
Tests of Details of Account Balances
For AR, allowance for uncollectible accounts, and bad debt expense:

- Existence: we want to make sure that the balance exists – confirmations are the best way (high quality evidence)
- Rights and obligations: we want to make sure we have the right to record the asset and, from a receivable perspective, that none of that has happened – talk to management, look at bank confirmations/agreements (may be associated with loans), and examine documentation
- Completeness: we want to ensure that everything that should be recorded is recorded – Are there some transactions missing? Are there cash receipts missing because they’re being misappropriated?
- Classification: ensure that no trade receivables are being recorded as current assets when they should be long-term assets
Exhibit 10.4 – example of an aged TB of AR working paper

Completeness
- The auditor’s primary concern is whether all AR have been included in the AR subsidiary ledger and the GL AR account
- Reconciliation of the aged TB to the GL account should detect an omission of a receivable from either the subsidiary or GL
Cutoff
- The cutoff test attempts to determine whether all revenue transactions and related AR are recorded in the proper period

- Are all transactions tested recorded in the proper period?
Existence and Rights and Obligations
- Existence is one of the more important assertions for AR because the auditor wants assurance that this account balance is not overstated through the inclusion of fictitious customer accounts or amounts
- Confirmation is the major audit procedure used for testing this assertion
- The auditor must determine that all AR are owned by the entity
- This is usually not a problem; however, in some cases, AR may be sold or factored with or without recourse
Accuracy, Valuation, and Allocation
- AR should be shown on the BS at net realizable value (gross amount less allowance for uncollectible accounts)
- The auditor must verify the adequacy of the allowance for uncollectible accounts
- (1) Prepare an aged trial balance and discuss results with the credit manager
- (2) A comparison with last year’s results should be examined
Classification
- The major issues related to presentation, disclosure, and classification are:
- (1) Identifying and reclassifying any material credits contained in AR
- (2) Segregating ST and LT receivables
- (3) Ensuring that different types of receivables are properly classified
Presentation
- The auditor must ensure that all necessary disclosures are made
- Most public accounting firms use some type of FS reporting checklist to ensure that all necessary disclosures are made for each account
The Confirmation Process – AR
- Confirmation is audit evidence that is a direct written response from third parties about the AR balance
- Confirmation is a good source of evidence about the existence of the AR
- The confirmation process should be controlled by the auditor
Omitting Confirmations
- AR balance is immaterial
- External confirmations would be ineffective
- The auditor’s assessed level of risk of material misstatement at the relevant assertion level is low, and the other planned substantive procedures address the assessed risk
Factors Affecting the Reliability of AR Confirmations
- (1) Type of confirmation request (positive versus negative)
- (2) Prior experience with the client or similar engagements (ex: response rate, accuracy of returned confirmations, misstatements identified)
- (3) The intended respondent (competence, knowledge, ability, and objectivity)
Types of Confirmations
- Positive Confirmation – requests that customers indicate whether they agree with the amount due to the client
- A response is expected whether the customer agrees or disagrees with the balance indicated
- Negative Confirmation – requests that the customer respond only when they disagree with the amount due to the client
- Negative confirmations are used when the client has many small account balances and control risk is assessed as low
Timing
- AR may be confirmed at an interim date or at year-end
- The confirmation request should be sent soon after the end of the accounting period in order to maximize the response rate
Confirmation Procedures
- The auditor should mail the confirmation requests outside the entity’s facilities
- A record should be maintained of the confirmations mailed and those returned
- A second request may be necessary in some cases
- For each exception received, the auditor should examine the reasons for the difference between the balance on the client’s books and the balance indicated by the customer
- In many cases, exceptions result from what are referred to as timing differences
- Such differences occur because of delays in recording transactions in either the client’s or the customer’s records
Alternative Procedures
- When the auditor does not receive responses to positive confirmations, alternative audit procedures are used
- These alternative procedures include:
- (1) Examination of specific subsequent cash receipts
- (2) Examination of shipping documentation
- (3) Examination of other client documentation
Auditing Other Receivables
- Other types of receivables that are reported on the BS may include:
- Receivables from officers and employees
- Receivables from related parties
- Notes receivable
- The auditor’s concern with satisfying the assertions for these receivables is like that for trade AR
- Each of these types of receivables is confirmed and evaluated for collectability
- The transactions that result in receivables from related parties are examined to determine if they were at “arm’s length”
- Notes receivable would also be confirmed and examined for repayment terms and whether interest income has been properly recognized
Evaluating the Audit Findings – Revenue Related Accounts
- When the auditor has completed the planned substantive procedures, the likely misstatement (projected misstatement plus an allowance for sampling risk) for AR is determined
- Aggregate misstatement < tolerable misstatement = accept the account as fairly presented
- Aggregate misstatement > tolerable misstatement = account is not fairly presented