Acceptable risk of assessing control risk too low Inverse.. Acceptable risk of assessing control risk too high Inverse.. The “connection” is a direct relationship between control risk an
Trang 1AUDIT SAMPLING FOR TESTS OF CONTROLS
I Review Questions
1 A test of control procedure is a statement of
a Identification of a population from which sampling units are to be drawn
b Expression of an action taken to produce evidence about a client control procedure
2 Compliance deviations should be defined in advance so auditors will know what
to look for and will know one when they see it
Seven Examples – Based on Seven General Control Objectives:
1 Validity 1 Sale recorded without supporting shipping
orders
2 Authorization 2 Lack of credit manager approval for a credit
sale
3 Accuracy 3 Mathematical errors in sales invoice
calculations
4 Classification 4 Sales classified in wrong product line revenue
account
5 Proper Period 5 Sales recorded in month (quarter, year) before
the actual shipment
6 Accounting 6 Sales charges fail to be posted to a customer’s
account
7 Completeness 7 Shipments fail to be billed to customers and
recorded as sales and receivables
3 Judgments affecting sample size for test of controls auditing
1 Acceptable risk of
assessing control risk
too low
Inverse The greater the acceptable risk,
the smaller the sample
Trang 22 Acceptable risk of
assessing control risk
too high
Inverse The greater the acceptable risk,
the smaller the sample
3 Tolerable deviation
rate
Inverse The higher the tolerable rate, the
smaller the sample
4 Expected population
deviation rate (an
estimate rather than a
judgment)
Direct The higher the expected rate, the
larger the sample
The sample size is also directly related to the population size, although the influence is generally minor The larger the population, the larger the sample, but not much
4 The risk of assessing the control risk too low has the potential of affecting audit
effectiveness, thus damaging the quality of the audit for users Professionally, in light of responsibility to users, effectiveness is more important than efficiency,
which is affected by the risk of assessing the control risk too high
5 Expanded risk model: AR = IR x CR x AP x TD
Solve for TD, when: 048 = 1.0 x 4 x 6 x TD
The tolerable misstatement (P10,000) and estimated standard deviation (P25.00) are “noise” in the question
6 The “connection” is a direct relationship between control risk and the tolerable deviation rate (1) When larger values are planned for control risk (say, 0.95, 0.90) in an audit plan, more analytical procedure and test of detail work will be done Auditors will not rely very much on internal controls Therefore, not much help is expected from the controls anyway, so the tolerable deviation rate can be larger The direct relation is: The higher the control risk, the higher the tolerable deviation rate can be (2) When lower values are assigned to control risk (say, 0.10, 0.20) in an audit plan, less analytical procedure and test of detail work will be done Auditors intend to rely on internal accounting controls Therefore, effective compliance with control policies and procedures is important, and the tolerable deviation rate ought to be low The direct relation is: The higher the planned control risk, the higher the tolerable deviation rate can be
.048 1.0 x 4 x 6
Trang 37 Based on the specifications of risk of assessing control risk too low, tolerable deviation rate and expected population deviation rate, sample sizes would be determined independently for the two populations in the subdivision If the criteria are at least as stringent for each of the two as they would be for the undivided population, the sum of the two sample sizes would be at least twice the size of the sample figured for the single population (provided both subdivided populations have 1,000 or more units)
8 Further reduction of the assessed level of control risk is justified only when the upper occurrence limit is <= the tolerable occurrence rate Recall that the tolerable occurrence rate is that rate of error beyond which the auditor cannot justify further reduction in the assessed level of control risk A calculated rate which exceeds the tolerable rate, therefore, would suggest a level of error which precludes any lowering of assessed control risk
9 Expected occurrence rate is the anticipated error rate in a population It is set on
the basis of one or a combination of: The prior year’s audit; the auditor’s initial understanding of internal control policies and procedures relative to the transaction cycle subset; or a pilot sample of documents The expected occurrence rate has a positive effect on sample size
The tolerable occurrence rate is the maximum error rate which the auditor
would accept while still lowering assessed control risk below maximum The auditor bases the tolerable rate on materiality of the attribute being tested The more critical an attribute to effective internal control, the lower the tolerable occurrence rate The tolerable occurrence rate has an inverse effect on sample size
10 Inherent risk is the risk that, in the absence of internal control, material errors or
irregularities will occur
Control risk is the risk that internal financial control policies and procedures will
fail to prevent or detect material errors and irregularities
Detection risk is the risk that material errors and irregularities, which are not
prevented or detected by internal financial control policies and procedures, will not be detected by the independent audit
II Multiple Choice Questions
Trang 4III Comprehensive Cases
Case 1 a Control testing may be approached in three different ways, depending on
the nature of the controls If a visible audit trail exists in the form of documentation, the auditor examines documents, as appropriate, for the purpose of evaluating the operating effectiveness of internal control procedures Evidence as to whether transactions have been executed in accordance with management’s authorization and recorded in accordance with GAAP is gathered through such examination In the absence of a visible audit trail, the auditor tests controls through observation or reprocessing The auditor observes the control environment and control procedures, such as physical safeguards In the presence of complex EDP systems, the auditor may find transaction reprocessing the most effective means for testing selected controls Statistical sampling methods, involving attribute sampling, are commonly applied to the first form of control testing Observation and reprocessing ordinarily do not require the use of statistical sampling, although reprocessing may involve judgment sampling in developing hypothetical transactions to process through the system
b 1 attribute sampling application;
2 observation to determine effectiveness of the data processing function, and to support accuracy of financial data; possibly reprocess a sample
of transactions through the system to test effectiveness;
3 observation and inquiry to determine separation of functional responsibilities necessary to prevent employee fraud;
4 attribute sampling application;
5 observation (inspection of bank reconciliations) to support accuracy of cash balances;
6 attribute sampling application;
7 observation (inspect client workpapers evidencing periodic check) to support adequate safeguarding of documents and periodic inventories and comparisons;
8 observation (inspect voided documents) to support document retention control and prevent unauthorized use of documents to conceal fraud;
9 attribute sampling application;
10 observation (observe cash receipts processing) to support adequate separation of functional responsibilities and prevent employee fraud
Case 2 a Effect on sample size:
1 Positive effect (but only in population sizes under 2,000)
2 Positive effect
3 Inverse effect
4 Inverse effect
Trang 5b How determined:
2 Prior year’s audit; initial understanding of internal control; pilot sample
3 Materiality;
4 Materiality (but normally not to exceed 10%)
Case 3 a The remaining steps are as follows:
4 Define the attributes (characteristics) of interest to be tested (including the criteria for establishing the existence of errors or deviant conditions)
5 Set the tolerable occurrence rate that would support the initial assessment
6 Select a confidence level (quantify the risk of underassessment)
7 Estimate the population error rate (expected occurrence rate)
8 Determine the sample size
9 Choose a method for randomly selecting a sample
10 Perform the tests of control procedures
b Statistical sampling methodology helps the auditor (a) to design an efficient sample, (b) to measure the sufficiency of the evidential matter obtained, and (c) to evaluate the sample results By using a statistical sampling methodology, the auditor can quantify sampling risk to assist in limiting it
to an acceptable level