Auditing Notes - Chapter 5
Audit Sampling: TIP PIE ACDO the risk of reaching the wrong conclusion based on the sample
Evidence: Auditor must obtain sufficient appropriate audit evidence.
Rule 1: Central limit theorem: Assume that population being sampled is a normal distribution = a bell-shaped curve
Rule 2: For mathematical validity, the samples have to be unrestricted and randomly selected. Every item in population must have an equal
chance of being selected. No bias and no substitution. This is the only area where CPA does not use judgment.
Rule 3: If sample is large and randomly selected, it will be representative of the population.
Rule 4: Standard deviation is a measure of variability. Variability = Uncertainty = Larger Sample Size
Methods can be either statistical or non-statistical and both require professional judgment.
Statistical Sampling: auditors specify the risk they are willing to accept and calculate the sample size. Evaluating quantitatively.
Non-statistical Sampling: sample size is not determined mathematically, instead auditor’s judgment is used for sample size. Evaluated
judgmentally.
Sufficiency depends on size of sample. Size of sample depends on objectives and design of the sample.
Auditor still needs to use professional judgment regardless of the type of sampling used. Use judgment to:
• Define the population and sampling unit
• Select the appropriate sampling method
• Evaluate the appropriateness of audit evidence
• Evaluate the nature of deviations or errors
• Consider sampling risk
• Evaluate results obtained from the sample and project those results to the population
***Statistical sampling does NOT eliminate the need for auditing judgment!
Rule 2: Random sample selection should be used. It gives every item in the population an equal chance of being included in the sample
Audit Risk: Risk of giving the wrong opinion. Includes Uncertainties due to sampling and uncertainties due to nonsampling factors
Efficiency is always lost with alpha risk = incorrect rejection or assessing control risk too high = auditor does more audit work than needed
Effectiveness is always lost with beta risk = incorrect rejection or assessing control risk too high= not detecting an existing misstatement
Risk of being ineffective + Confidence Level = 100%
Planning Considerations:
Relationship between sample to the objective of tests of controls
Tolerable deviation rate (tolerable mistakes) – risk of misstatement. Maximum rate of errors auditor will tolerate without modifying
planned reliance on internal control
Risk of assessing control risk too low = Beta Risk
Characteristics of population
As conservative auditors, we are concerned with the worst case scenario. The top end of the range is known as “upper deviation rate”
Deviation Rate in the sample is the auditor’s best estimate of the deviation rate in the population from which it was selected
If auditor concludes that sample results do not support the planned assessed level of control risk for an assertion, the NET of substantive
procedures should be re-evaluated.
*****it is the upper deviation rate (and not the rate found in the sample) that is compared to the tolerable rate
9. Document the Sampling Procedure
Discovery Sampling: used for detecting fraud (critical items). It is a special type of attribute sampling appropriate when the auditor believes
the population deviation rate is zero or near zero.
Stop or Go Sampling: designed to avoid oversampling for attributes by allowing the auditor to stop an audit test before completing all steps.
Used when few errors are expected in the population.
Planning considerations:
1. The relationship of sample to relevant audit objective
2. Preliminary estimates of materiality levels
a. Tolerable misstatement = auditor’s desired precision = materiality. It is the maximum monetary misstatement in the
population the auditor is willing to accept. Variable = misstatement attribute = deviation (“errors”)
3. Auditor’s allowable risk of incorrect acceptance (use the audit risk model)
4. Characteristics of the population
Certain items may be individually examined, such as those for which potential misstatements could individually exceed tolerable
misstatement. 100% of such items are examined and they are not considered to be part of the sample.
Stratification: items subject to sampling may also be separated into relatively homogeneous groups. Each group is treated as a separate
population. Results in a reduced sample size. Used when a population has highly variable recorded amounts.
Rule 3: Auditor projects the misstatement results of the sample to the population.
The auditor uses professional judgment when evaluating whether the projected misstatement is less or higher than the tolerable
misstatement.
Ratio and difference estimation methods usually require smaller sample sizes than the MPU method. But they are only effective when the
auditor expects large numbers of over and understatements
Sampling in substantive tests: Probability-Proportional-to-Size (PPS) Sampling (Dollar Unit Sampling)
PPS: sampling unit is defined as an individual dollar in a population
Hybrid method b/c it uses attribute sampling theory to express a conclusion in dollar amounts rather than as a rate of occurrence
Advantages:
1. PPS automatically emphasizes larger items by stratifying the sample (done automatically). The chance of an item being selected is
proportionate to its dollar amount
2. If no errors are expected, PPS sampling generally requires a smaller sample than other methods
Disadvantages:
1. Zero balances, negative balances, and understated balances generally require special design considerations (i.e. A/R bal = $0)
Selects a PPS sample by dividing the total number of dollars in the population (book value) into uniform groups of dollars or intervals.
Selects a logical unit (the balance that includes the selected dollar) from each sampling interval.
Tolerable misstatement is the maximum dollar error that may exist in the account without causing the FS to be materially misstated
Reliability factors correspond to the risk of incorrect acceptance and are generally obtained from a table
Sample selection: a random number between 1 and the sampling interval (inclusive) is selected. This number is the random start, and it will
also determine the first item selected. Systematic selection is then used to select the remainder of the sample.
Evaluation: if errors are found in an account, the errors need to be projected to the interval. If the account selected has a balance greater
than the interval, the actual dollar amount of the error should be used.
(recorded amount − audit amount) / (recorded amount) × sample interval = projected error
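The PPS selection and evaluation steps above, worked through in Python as an added example (not part of the original notes). The account data, the interval of 4,000 and the random start of 300 are constructed; setting zero and negative balances aside for separate testing is one assumed way of giving them the special design consideration mentioned above.

```python
import random

def pps_select(items, interval, start=None):
    """Systematic PPS selection.

    items: list of (account_id, recorded_amount) in whole dollars.
    Returns (selected_ids, set_aside_ids).
    """
    if interval <= 0:
        raise ValueError("sampling interval must be positive")
    # Zero and negative balances contain no sampling units (dollars).
    # Assumption: they are set aside and tested separately.
    sampled = [(a, r) for a, r in items if r > 0]
    set_aside = [a for a, r in items if r <= 0]
    if start is None:
        # Random start between 1 and the interval, inclusive.
        start = random.SystemRandom().randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("random start must lie in 1..interval")

    selected, upper, hit = [], 0, start
    for acct, recorded in sampled:
        upper += recorded          # last dollar belonging to this logical unit
        if hit <= upper:           # the selected dollar falls in this balance
            selected.append(acct)
            while hit <= upper:    # a large balance can absorb several hits
                hit += interval
    return selected, set_aside

def projected_error(recorded, audited, interval):
    """Project one sampled item's error to its sampling interval."""
    error = recorded - audited
    if recorded > interval:
        # Balance greater than the interval: use the actual dollar error.
        return float(error)
    # (recorded - audited) / recorded x sampling interval
    return error * interval / recorded

def total_projected_misstatement(results, interval):
    """results: list of (recorded, audited) for the selected items."""
    return sum(projected_error(r, a, interval) for r, a in results)

# Constructed population: book value of positive balances = 20,000.
POPULATION = [("A1", 500), ("A2", 0), ("A3", 12000), ("A4", 1500),
              ("A5", 3000), ("A6", -200), ("A7", 3000)]
INTERVAL = 4000
# Constructed audit results for the selected items.
AUDITED = {"A1": 400, "A3": 11700, "A5": 3000}

if __name__ == "__main__":
    picked, aside = pps_select(POPULATION, INTERVAL, start=300)
    recorded = dict(POPULATION)
    results = [(recorded[a], AUDITED[a]) for a in picked]
    print("selected:", picked, "set aside:", aside)
    print("projected misstatement:",
          total_projected_misstatement(results, INTERVAL))
```

The projected total is then compared with tolerable misstatement using the auditor's judgment, as described above.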
Dual-Purpose Samples: the auditor may use the same sample to perform both tests of controls and tests of details. Dual-purpose samples
are generally used only when the auditor believes that there is an acceptably low risk that the deviation rate in the population exceeds the
tolerable rate.
Potential for Increased Errors and Irregularities: Likelihood that fraud may occur and remain undetected for long periods of time
1. Opportunity for remote access to data in networked environments increases the likelihood of unauthorized access. Specific controls
should exist to ensure that users can only access and update authorized data elements.
2. Concentration of information in computerized systems means that, if system security is breached, the potential for damage is much
greater than in manual systems
3. Decreased human involvement = decreased opportunities for observation
4. Errors or fraud may occur in the design or maintenance of application programs
The reliability of automated systems is highly dependent on the adequacy of control design and execution = critical that auditor gain a
thorough understanding of the structure and usage of the control system through inquiry and observation
Batch System: Manual transactions and periodic updating (audit around the computer-examine source documents)
On-line/Real time: No paper trail. Build electronic audit trail into system. Immediate updating (audit through the computer)
Use of an IT Professional: auditor can always use an expert (either from his staff or from outside)
Auditor should have enough IT-related knowledge to:
Communicate audit objectives to the IT professional
Evaluate the sufficiency of the procedures performed
Evaluate the results of the procedures performed
CPA’s responsibility to guide IT professionals is the same as for other accounting assistants
Auditor need not personally possess the required level of IT skills
Treat the IT professional like your staff:
R – Reputation
I – Independent
P – Professional Competency
P – Program Steps
Computer Assisted Audit Techniques (CAAT): Audit through the computer (on-line systems)
• Emphasis is on the input and processing stages
• Transaction Tagging: auditor electronically marks (“tags”) specific transactions and follows them through the system
o Enables the auditor to test both computerized processing and manual handling of transactions
• Embedded Audit Modules: sections of application program code that collect transaction data for the auditor
Test Data (Test Deck): technique that uses the application program to process a set of test data, the results of which are already known.
Client’s system is used to process the auditor’s data, off-line, and while under the auditor’s control.
• Contains types of invalid conditions in which the auditor is interested
• Advantage: live computer files are not affected in any way
Integrated Test Facility (ITF): similar to test data approach except that the test data is commingled with live data. Client’s system is used
to process the auditor’s data, on-line.
• Test data must be separated from live data before the reports are created. Process test data to dummy accounts
• Client personnel are not informed that the test is being run
Parallel Simulation (Reperformance Test): auditor re-processes some or all of the client’s live data into auditor’s system then compares
the results with the client’s files.
Generalized Audit Software Packages (GASPs): perform tests of controls and substantive tests directly on the client’s system. The auditor
first defines the client’s system (to the GASP) and then specifies the tests and selections that should be made. The GASP generates the
programs necessary to interrogate the files and extract and analyze the data. Auditor does not have to know much about client’s system.
Tasks performed by GASPs:
• Examine transactions for control compliance
• Selecting items meeting specified criteria
• Recalculating amounts and totals
• Reconciling data from two separate files
• Performing statistical analysis on transactions
Advantages of GASPs:
• Allows auditor to sample and test more transactions = more reliable audit
• Require little technical knowledge of the client’s system
• GASPs can significantly reduce audit time without sacrificing quality
Disadvantages of using a computer: audit documentation may not contain readily observable details of calculations
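Parallel simulation as described above, combined with two of the listed GASP tasks (recalculating totals and reconciling two files), sketched in Python as an added example that is not part of the original notes. The invoice numbers, amounts (in cents) and exception labels are constructed for illustration.

```python
def reprocess(line_items):
    """Auditor's independent re-processing of the client's live detail.

    line_items: list of (invoice_id, quantity, unit_price_cents).
    Returns {invoice_id: recomputed_total_cents}.
    """
    totals = {}
    for invoice_id, qty, unit_cents in line_items:
        totals[invoice_id] = totals.get(invoice_id, 0) + qty * unit_cents
    return totals

def compare(client_totals, auditor_totals):
    """Reconcile the client's recorded totals with the auditor's results.

    Returns a list of (exception_type, invoice_id, client_amt, auditor_amt).
    """
    exceptions = []
    for inv in sorted(set(client_totals) | set(auditor_totals)):
        client_amt = client_totals.get(inv)
        auditor_amt = auditor_totals.get(inv)
        if client_amt is None:
            # Detail exists but the client's summary file has no record.
            exceptions.append(("missing_from_client_file", inv, None, auditor_amt))
        elif auditor_amt is None:
            # Recorded total with no supporting line items.
            exceptions.append(("no_supporting_detail", inv, client_amt, None))
        elif client_amt != auditor_amt:
            exceptions.append(("amount_mismatch", inv, client_amt, auditor_amt))
    return exceptions

# Constructed client detail file: (invoice, quantity, unit price in cents).
LINE_ITEMS = [
    ("INV-1001", 2, 1500), ("INV-1001", 1, 2500),
    ("INV-1002", 10, 999),
    ("INV-1003", 3, 2000),
    ("INV-1005", 1, 4200),
]
# Constructed client summary file: recorded invoice totals in cents.
CLIENT_TOTALS = {
    "INV-1001": 5500,
    "INV-1002": 9900,   # differs from the recomputed 9990
    "INV-1003": 6000,
    "INV-1004": 7500,   # no line items support this total
}

if __name__ == "__main__":
    for exc in compare(CLIENT_TOTALS, reprocess(LINE_ITEMS)):
        print(exc)
```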
Control Deficiency: Can involve any or all of “CRIME”. Two types: deficiency in design and deficiency in operation
A deficiency in design: occurs when necessary control is missing or when an existing control does not achieve the desired objective
A deficiency in operation: occurs when a properly designed control does not operate as designed, or is performed by inappropriate person
Responsibility of Auditor:
1. Detection of Control Deficiencies: an auditor of FS is not required to search for control deficiencies
2. Evaluation of Control Deficiencies: must evaluate control deficiencies to determine whether they represent significant deficiencies or
material weaknesses
3. Indicators of significant deficiency:
a. Selection and application of accounting principles
b. Antifraud programs
c. Non-routine transactions
d. Period-end financial reporting
4. Indicators of material weakness:
a. Ineffective oversight
b. Restatement of previous FS
c. Auditor caught a material misstatement which was not identified by internal control
d. Ineffective internal audit
e. Ineffective regulatory compliance
f. Any level of fraud by senior management
g. Failure to appropriately address previously communicated significant deficiencies
h. Ineffective control environment
Significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance
Previously existing deficiencies: that have not been corrected, should be communicated again in writing during current audit
Timing: Written communication must be made within 60 days of report release date. For Public Companies, per PCAOB, communication
should occur before issuing of auditor’s report on internal control.
Management accepts responsibility for the effectiveness of internal control. Failure to provide the written representation letter = scope
limitation = disclaimer or withdrawal. Management provides written assertion on the effectiveness of internal control.
MUST READ sample report on page A5-33 ***Examiners have focused many questions in prior exams on the “inherent limitations
paragraph” which is included in that report
When CPA expresses an opinion directly on the effectiveness of an entity’s internal control (rather than the “assertion by management”):
- The introductory paragraph is almost the same, except for the first and last sentences where instead of “management’s assertions” it reads
“effectiveness of internal control”
- Scope and Inherent limitations paragraph are SAME
- Opinion paragraph is NEW. “in our opinion, W company maintained, in all material respects, effective internal control over financial
reporting as of December 31, 20XX, based on (identify criteria)”
Scope limitations:
- Generally scope limitations = withdrawal
- When controls are implemented to correct a previously identified material weakness, but auditor is unable to test the new controls, a
qualified opinion should be expressed. Slightly modify the scope paragraph.
Foreign Corrupt Practices Act (FCPA): Compliance with FCPA is legal determination. Examination of internal control is NOT sufficient to
determine the compliance. We are NOT lawyers!
SOX Requirements for internal control = Public Companies. PCAOB standards require:
- Issuers report (within the annual report) on management’s assessment of effectiveness of the company’s internal control
- Auditors attest to (“audit”) the accuracy of management’s report. Audit of FS and internal control must be done together by same CPA
firm.
- Auditor’s report on internal control over financial reporting must include: opinion whether management’s assessment is fairly stated
and opinion on whether the company maintained effective internal control
Government Auditing
Government auditing under US Government Accountability Office’s (GAO) Government Auditing Standards (the “Yellow Book”) or GAGAS
applies to engagements that test and report on compliance with the laws and regulations that authorize the spending of public funds.
Audits of governments and governmental assistance require compliance with the requirements of GAAS, GAGAS, and for engagements
involving federal financial assistance, the Single Audit Act.
Management Responsibilities:
- Identification of applicable laws and regulations with compliance requirements
- Establishment of internal controls to provide reasonable assurance that the entity complies with those laws and regulations
- Preparation of supplementary financial reports, including a “schedule of expenditures of Federal Awards”
- Obtaining an audit that satisfies relevant legal, regulatory, or contractual requirements
Auditor’s Responsibilities:
- Obtain reasonable assurance that FS are free of material misstatements resulting from violations of laws and regulations that have
direct and material effect on the determination of FS amounts
- Understand possible effects on FS of laws and regulations that have direct and material effect on FS
- Assess whether management has identified laws and regulations that have direct and material effect on FS
Financial audits with GAGAS determine whether the FS present fairly the financial position, results of operations, and cash flows in
accordance with GAAP (or OCBOA).
Three sources of auditing standards – depends on character of entity and type and amount of assistance received
Audit requirements for entities receiving federal financial assistance should be conducted according to GAAS and GAGAS. Additional
requirements:
- Expanded internal control documentation and testing requirements
- Expanded reporting to include formal written reports on consideration of internal control and assessed control risk
- Expanded report to include whether the federal financial assistance has been administered in accordance with applicable laws and
regulations
- Application of single audit standards to federal financial assistance
CPA Peer Review Every 3 years (same as GAAS), ADDITIONAL requirement: provide copy of peer review to govt audit clients
Audit documentation
- Follow GAAS guidance (working papers)
- Internal control docs should be based on GAGAS containing additional requirements:
o Must document an understanding of internal control established to ensure compliance with laws, rules, and regulations
o Basis for assessing control risk at maximum when controls are significantly dependent on IT systems
- Management representation letter. GAGAS requires additionally:
o There are no violations or possible violations of laws or regulations whose effects should be considered for disclosure in FS
or basis for recording loss contingency (same as GAAS)
o Management is responsible for compliance with laws and regulations (based on GAGAS)
o Management has identified and disclosed in writing to the auditor all the laws and regulations that have direct and
material effect on its FS (based on GAGAS)
Fraud and Illegal Acts: Report the conclusion that fraud or an illegal act has occurred, or is likely to have occurred
Reporting Illegal act is required: report may be included in required audit reports or presented as separate audit reports
Auditor is required to directly report fraud and illegal acts to federal inspector if: management fails to disclose OR fails to take appropriate
remedial action
Program-Specific Audits:
- Certain recipients under certain circumstances are permitted to have a program-specific audit instead of single-audit
- Auditor must contact the inspector general of applicable federal agency and obtain a current program-specific audit
All governmental audits carried out under the Single Audit Act are not the same:
- Audits of an entire organization that include additional audit procedures on specific programs are called “single audits”
- These audits include a report on the FS of the whole organization and audit reports on specific programs
- Audits of specific programs are called “program specific audits” and do not include reports on FS of organization taken as a whole
For auditors to perform a single audit, they must obtain an understanding of internal control and support a low assessed level of control risk for major
programs.
- Test of controls must be performed to evaluate the effectiveness of internal control
- Controls that are ineffective = expand the audit procedures (assess CR at maximum, impact of weak controls on substantive compliance
testing, report deficiency or weakness.)
For noncompliance w/ requirements for federal financing program, reports should be qualified (“except for”) or adverse.
***Auditor communication requirements increase in government settings. Have the responsibility of reporting significant deficiencies to
specific regulatory bodies or grantor agencies. Reporting illegal acts is required.
***Government audit requires more work and responsibility of auditor. Study the additional audit requirements
***Government audit reports focus the reader on compliance with laws, rules, and regulations, the internal controls associated with
maintaining compliance, and any findings of noncompliance.
Audit Committee:
- is board of directors, generally made up of 3-5 members of the board who are “outside directors” (non-management)
- Audit committee is a sub-group of those charged with governance
- SEC recommends and NYSE requires all companies to have audit committees
- Main function: Enhance internal control by direct communication between “outside directors” and independent auditor
- Part of internal control structure
- Selects and appoints the independent auditor
- Determines that recommendations made by the auditor are given proper attention
- Evaluates internal control of company with help of independent auditor
- The auditor should communicate with audit committee:
o Meet with audit committee without management present at least once each year
- SOX, for public companies, ADDITIONAL requirement: audit committee to approve the engagement of the auditor, to pre-approve the
services to be performed, and to have ongoing communications with the auditor. The auditors of issuers report to and are overseen by
audit committee and not by management
If all of those charged with governance are not involved with managing the entity, the auditor should also communicate:
- Material, corrected misstatements brought to management’s attention as a result of the audit. Auditor may choose to communicate
corrected misstatements that are immaterial but frequently recurring.
Communication should be two-way: those charged with governance should also communicate relevant matters to the auditor.
Inadequate two-way communication may be indicative of an unsatisfactory control environment, which may affect the auditor’s
assessment of the risk of material misstatement.
SOX (for public companies): auditors are required to report (to the audit committee) all critical accounting policies, all material alternative
GAAP accounting treatments, and other material communications between the auditor and management.
Communications may be oral or in writing. Significant audit findings should be communicated in writing. Written communications should
include a limitation on the use of the communication = RESTRICTED USE. Oral communications should be documented. Timing of
communication should occur in a manner that allows appropriate action to be taken. For PUBLIC companies, communications should be
made BEFORE auditor’s report on FS is filed with SEC.
Management Representatives
At the end of fieldwork, the independent auditor must obtain a management representation letter from the client. Failure to get a rep letter =
scope limitation.
Contents of letter:
- Management’s acknowledgment of its responsibility for the fair presentation in the FS of financial position, results of operations, and
cash flows in conformity with GAAP
- Management’s belief that the FS are fairly presented in conformity with GAAP
- Information concerning subsequent events