AUDITING & ATTESTATION – 5

Audit Sampling: TIP PIE ACDO
the risk of reaching the wrong conclusion based on the sample

Evidence: Auditor must obtain sufficient appropriate audit evidence.

Rule 1: Central limit theorem: Assume that population being sampled is a normal distribution = a bell-shaped curve
Rule 2: For mathematical validity, the samples have to be unrestricted and randomly selected. Every item in population must have an equal chance of being selected. No bias and no substitution. This is the only area where CPA does not use judgment.
Rule 3: If sample is large and randomly selected, it will be representative of the population.
Rule 4: Standard deviation is a measure of variability. Variability = Uncertainty = Larger Sample Size

Sampling risk: The probability that the sample is wrong

Methods can be either statistical or non-statistical and both require professional judgment.
Statistical Sampling: auditors specify the risk they are willing to accept and calculate the sample size. Evaluated quantitatively.
Non-statistical Sampling: sample size is not determined mathematically, instead auditor’s judgment is used for sample size. Evaluated judgmentally.
GAAS – Approves both the statistical and the non-statistical approach.
Sufficiency depends on size of sample. Size of sample depends on objectives and design of the sample.

Two types of Sampling:
1. Attribute Sampling
   Testing for specific characteristics (seeking errors)
   Test of Controls (occurrence) (yes/no questions)
2. Variable Sampling
   Estimating the dollar value of the population
   Test of Details and/or Substantive Tests

Auditor still needs to use professional judgment regardless of the type of sampling used.
Use judgement for:
• Define the population and sampling unit
• Select the appropriate sampling method
• Evaluate the appropriateness of audit evidence
• Evaluate the nature of deviations or errors
• Consider sampling risk
• Evaluate results obtained from sample and project those results to the population
***Statistical sampling does NOT eliminate the need for auditing judgment!

Advantages of Statistical Sampling – allows auditor to:
• Measure the sufficiency of audit evidence obtained
• Provide an objective basis for quantitatively evaluating sample results
• Design an efficient sample
• Quantify sampling risk so as to limit risk to an acceptable level

Rule 2: Random sample selection should be used. It gives every item in the population an equal chance to be included in the sample.

Audit Risk: Risk of giving the wrong opinion. Includes uncertainties due to sampling and uncertainties due to nonsampling factors

Sampling Risk in Substantive Testing
Variables Sampling:
1. Beta Risk: Risk of Incorrect Acceptance. Sample results say that account balance is good, when in fact it is misstated. Auditor’s Concern! Effectiveness Lost!
2. Alpha Risk: Risk of Incorrect Rejection. Sample results say that account balance is bad, when in fact it is not misstated. Efficiency Lost!
Becker Auditing – 2008 Edition
Chapter 5
Sampling Risks in Tests of Controls
Attribute Sampling:
1. Beta Risk: Risk of Assessing Control Risk Too Low. Assessed level of control risk based on sample is less, when the actual control risk is higher. Auditor’s Concern! Effectiveness Lost! Risk of Over-reliance
2. Alpha Risk: Risk of Assessing Control Risk Too High. Assessed level of control risk based on sample is too high, when the actual control risk is lower. Efficiency Lost! = Risk of Under-reliance

***Two types of mistakes the auditor can make:
• Fail to identify an existing problem = incorrect acceptance and assessing control risk too low
• Falsely identify a problem where none exists = incorrect rejection or assessing control risk too high

Efficiency is always lost with alpha risk = incorrect rejection or assessing control risk too high = auditor does more audit work than needed
Effectiveness is always lost with beta risk = incorrect acceptance or assessing control risk too low = not detecting an existing misstatement
Risk of being ineffective + Confidence Level = 100%

Nonsampling Risk: Always present, cannot be measured
• Using wrong audit procedures
• Improperly evaluating evidence/results
• Auditor can reduce risk through planning and supervision of audit and quality control of all firm practices

Sampling Risk in Tests of Controls
Attributes Sampling: Used to estimate the rate (%) of occurrence (exception) of a characteristic (attribute)
Samples to test the operating effectiveness of controls
Deals with yes/no questions (are time cards properly authorized – to assure recorded hours were worked)
The Nature, Extent, and Timing of substantive tests are used to determine the sampling risk of tests of controls

Planning Considerations:
Relationship of the sample to the objective of tests of controls
Tolerable deviation rate (tolerable mistakes) – risk of misstatement.
Maximum rate of errors auditor will tolerate without modifying planned reliance on internal control
Risk of assessing control risk too low = Beta Risk
Characteristics of population
As conservative auditors, we are concerned with the worst case scenario. The top end of the range is known as “upper deviation rate”
Deviation Rate in the sample is the auditor’s best estimate of the deviation rate in the population from which it was selected
If auditor concludes that sample results do not support the planned assessed level of control risk for an assertion, the NET of substantive procedures should be re-evaluated.

Steps for Attribute Testing (testing of controls)
1. Define the objective of the test
2. Define the population (including defining the time period. Ex. Entire year, first quarter)
3. Define the sampling unit (consider completeness of sampling unit)
4. Define the attributes of interest. Deviations are where the control was not properly applied (i.e. missing credit approval, or items that cannot be located are considered deviations)
5. Determine the sample size:
   a. Risk of Assessing Control Risk too Low – Sample size inverse relationship
   b. Tolerable Deviation (error) Rate – Sample size inverse relationship
   c. Expected Deviation (error) Rate – Sample size direct relationship
   d. Population size is not an issue

   Factor                                    Condition                Sample Size
   Risk of Assessing Control Risk Too Low    Want less risk           More
                                             Accept more risk         Less
   Tolerable Deviation (error) Rate          Want less deviation      More
                                             Accept more deviation    Less
   Expected Deviation (error) Rate           Expect less deviation    Less
                                             Expect more deviation    More
   Population size                           n/a                      n/a

6. Select the Sample: there are two types allowed
   a. Random selection
   b. Systematic selection (every nth item)
   c. Block sampling is NOT acceptable
7. Evaluate the Sample results:
   Sample deviation rate + Allowance for sampling risk (the cushion) = Upper deviation rate
8. Form conclusions
   a. If the upper deviation rate is LESS THAN OR EQUAL to the tolerable deviation rate, the auditor may rely on the control
   b. If the upper deviation rate EXCEEDS the tolerable deviation rate, the auditor would not rely on the control
      i. Select and test compliance with other internal accounting control, OR
      ii. Modify the NET of the substantive tests to reflect the reduced reliance
   *****it is the upper deviation rate (and not the rate found in the sample) that is compared to the tolerable rate
9. Document the Sampling Procedure
Discovery Sampling: used for detecting fraud (critical items). It is a special type of attribute sampling appropriate when the auditor believes the population deviation rate is zero or near zero.
Stop or Go Sampling: designed to avoid oversampling for attributes by allowing the auditor to stop an audit test before completing all steps. Used when few errors are expected in the population.

Sampling in Substantive Tests: Variable Sampling (known as “Estimation Sampling”)
Estimate the numerical measure, like the dollar value, of the population
Objective: obtain evidence about the reasonableness of monetary amounts
Estimates the true value of population by computing a point estimate of population and computing a precision interval around this point estimate.

Planning considerations:
1. The relationship of sample to relevant audit objective
2. Preliminary estimates of materiality levels
   a. Tolerable misstatement = auditor’s desired precision = materiality. It is the maximum monetary misstatement in the population the auditor is willing to accept.
   Variable = misstatement; attribute = deviation (“errors”)
3. Auditor’s allowable risk of incorrect acceptance (use the audit risk model)
4. Characteristics of the population
   Certain items may be individually examined, such as those for which potential misstatements could individually exceed tolerable misstatement. 100% of such items are examined and they are not considered to be part of the sample.
   Stratification: items subject to sampling may also be separated into relatively homogeneous groups. Each group is treated as a separate population. Results in a reduced sample size. Used when a population has highly variable recorded amounts.

Rule 4: Variability = uncertainty = larger sample size
Stratification reduces variability = smaller sample size
Rule 3: Auditor projects the misstatement results of the sample to the population.
The auditor uses professional judgment when evaluating whether the projected misstatement is less or higher than the tolerable misstatement.

Three variables sampling plans:
1. Mean-Per-Unit Estimation: uses the average value of the items in the sample to estimate the true population value
   a. Example: estimate = average sample value x number of items in population
   b. MPU does not require the book value of the population to estimate true population value
      $250 (audited items avg value) x 2000 items = $500,000 (point estimate)
      $10 (standard error of mean) x 2000 items = +-$20,000 (at 1 std dev.)
   c. When using MPU, auditors normally stratify the population into similar groups to reduce the sample size.
2. Ratio Estimation: uses the ratio of the audited (correct) values of items to their book values to project the true population value.
   a. Highly efficient technique when the calculated audit amounts are approximately proportional to client’s book amounts.
      ($25,000 (audited items true value) / $27,500 (audited items book value)) x $550,000 (total book value) = $500,000 (point estimate)
3. Difference Estimation: uses the average difference between the audited (correct) values of items and their book values to project the actual population value. Difference estimation is used instead of ratio estimation when the differences are not nearly proportional to book values.
      (($27,500 (audited items book value) - $25,000 (audited items true value)) / 100 (items tested)) x 2,000 items = $50,000 (adjustment required)
Ratio and difference estimation methods usually require smaller sample sizes than the MPU method. But they are only effective when the auditor expects large numbers of over and understatements

Steps for Substantive testing (variable sampling)
1. Define the objective of the test
2. Define the population
3. Define the sampling unit (consider completeness of sampling unit)
4. Determine the sample size:
   a. Sample size will increase as the following increase (direct relationship)
      i. Expected misstatement
      ii. Standard deviation (population variability)
      iii. Assessed level of risk
   b. Sample size will decrease as the following increase (inverse relationship)
      i. Tolerable misstatement
      ii. Acceptable level of risk
5. Select the Sample: Random selection
6. Evaluate the Sample results:
   a. Auditor projects the misstatements found in the sample to the population using one of the three methods. The projected misstatement is applied to the recorded balance to obtain a “point estimate” of the true balance
   b. The auditor must then add an allowance for the sampling risk (called precision interval) to this estimate
7. Form conclusions
   a. Whether to accept the client’s book value, the auditor determines whether the recorded book value falls within the acceptable range (point estimate +/- the allowance for sampling risk). If so, book value is fairly stated.
   b. For lost items, it depends on their effect on the auditor’s evaluation.
8. Document the Sampling Procedure

Sampling in substantive tests: probability-proportional-to-size (PPS) Sampling (Dollar Unit Sampling)
PPS: sampling unit is defined as an individual dollar in a population
Hybrid method b/c it uses attribute sampling theory to express a conclusion in dollar amounts rather than as a rate of occurrence
Advantages:
1. PPS automatically emphasizes larger items by stratifying the sample (done automatically). The chance of an item being selected is proportionate to its dollar amount
2. If no errors are expected, PPS sampling generally requires a smaller sample than other methods
Disadvantages:
1. Zero balances, negative balances, and understated balances generally require special design considerations (i.e. A/R bal = $0)

Selects a PPS sample by dividing the total number of dollars in the population (book value) into uniform groups of dollars or intervals. Selects a logical unit (the balance that includes the selected dollar) from each sampling interval.
Sampling interval = Tolerable misstatement / Reliability factor
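Added example (not part of the original notes): the PPS steps described in this section written out in Python, covering the interval and sample-size formulas, the random start with systematic selection of logical units, and the projection of errors to the interval. The account balances, audited amounts, tolerable misstatement and reliability factor are constructed sample values, and all function names are assumptions.

```python
"""PPS (dollar-unit) sampling: interval, systematic selection, error projection.

Every amount below, and the reliability factor, is a constructed sample value.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    recorded: int  # recorded (book) amount in whole dollars


def sampling_interval(tolerable_misstatement, reliability_factor):
    """Sampling interval = tolerable misstatement / reliability factor."""
    if tolerable_misstatement <= 0 or reliability_factor <= 0:
        raise ValueError("both inputs must be positive")
    return tolerable_misstatement / reliability_factor


def sample_size(recorded_total, interval):
    """Sample size = recorded amount of the population / sampling interval."""
    return recorded_total / interval


def pick_random_start(interval, rng=None):
    """Random number between 1 and the sampling interval, inclusive."""
    rng = rng or random.SystemRandom()
    return rng.randint(1, int(interval))


def select_logical_units(accounts, interval, random_start):
    """Systematic selection: take the dollar at random_start, then every
    interval-th dollar, and return the account (logical unit) holding each."""
    if not 1 <= random_start <= interval:
        raise ValueError("random start must lie within the first interval")
    selected, cumulative, next_dollar = [], 0, random_start
    for account in accounts:
        if account.recorded <= 0:
            # Zero and negative balances cannot be hit by a selected dollar.
            raise ValueError(f"{account.account_id}: needs special design")
        cumulative += account.recorded
        if cumulative >= next_dollar:
            selected.append(account)
            # A balance larger than the interval can hold several selected
            # dollars; the logical unit is still examined only once.
            while next_dollar <= cumulative:
                next_dollar += interval
    return selected


def projected_error(recorded, audited, interval):
    """(recorded - audited) / recorded x interval, or the actual dollar
    error when the balance is greater than the interval."""
    error = recorded - audited
    if recorded > interval:
        return error
    return error * interval / recorded


# Constructed population: ten receivable balances totalling $30,000.
POPULATION = [
    Account("A1", 1_200), Account("A2", 3_500), Account("A3", 800),
    Account("A4", 7_200), Account("A5", 2_300), Account("A6", 4_000),
    Account("A7", 600), Account("A8", 5_400), Account("A9", 1_900),
    Account("A10", 3_100),
]
# Constructed audit results; accounts not listed agreed with the books.
AUDITED = {"A2": 2_800, "A4": 6_900}


def demo(random_start=2_000):
    """Run the whole procedure with a fixed start so it is repeatable."""
    # 15,000 tolerable misstatement and factor 3.0 are constructed inputs;
    # the real factor comes from the table for the chosen risk level.
    interval = sampling_interval(15_000, 3.0)
    picked = select_logical_units(POPULATION, interval, random_start)
    projections = {
        a.account_id: projected_error(
            a.recorded, AUDITED.get(a.account_id, a.recorded), interval)
        for a in picked
    }
    return interval, [a.account_id for a in picked], projections


if __name__ == "__main__":
    interval, ids, projections = demo()
    print("interval:", interval)
    print("selected:", ids)
    print("projected errors:", projections)
    print("total projected error:", sum(projections.values()))
```

With the fixed start, six dollars are selected but only five accounts are examined, because A4 is larger than the interval and contains two of the selected dollars.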
Sample size = Recorded amount of the population / sampling interval
Tolerable misstatement is the maximum dollar error that may exist in the account without causing the FS to be materially misstated
Reliability factors correspond to the risk of incorrect acceptance and are generally obtained from a table
Sample selection: a random number between 1 and the sampling interval (inclusive) is selected. This number is the random start, and it will also determine the first item selected. Systematic selection is then used to select the remainder of the sample.
Evaluation: if errors are found in an account, the errors need to be projected to the interval. If the account selected has a balance greater than the interval, the actual dollar amount of the error should be used.
(recorded amount - audit amount) / (recorded amount) x sample interval = projected error
Deviations may be caused by errors (unintentional) or fraud (intentional)

Dual-Purpose Samples: the auditor may use the same sample to perform both tests of controls and tests of details. Dual-purpose samples are generally used only when the auditor believes that there is an acceptably low risk that the deviation rate in the population exceeds the tolerable rate.

The Effect of Information Technology on the Audit
Emphasis is on controls
Audit objectives in computerized environment are same as the manual environment
Applications Controls for: Input, Processing, Output

Difference between manual and computerized (IT) environments:
Segregation of Duties: In IT, transaction processing often results in a combination of functions that are normally separated in a manual environment (no ARC).
Instead of ARC, the segregation of duties in IT environment is COPAL
C – Control Group: monitor control, execute transactions, error logs
O – Operators: data input, error detections on spot
P – Programmers: write programs, debug programs, write run manuals
A – Analysts: design programs, prepare flowchart
L – Librarian: secure programs, store backups

Disappearing Audit Trail: if client processes most of its financial data in electronic form, without paper documentation, audit tests should be performed on a continuous basis. Computer systems should be designed to supply electronic audit trails, which are often as effective as paper trails. Use of IT may make it more difficult to use physical inspection to identify nonstandard or unusual transactions or adjustments Analytical Procedures

Uniform Transaction Processing: Processing consistency is improved because clerical errors are virtually eliminated. But there is increased potential for systematic errors, such as errors in programming logic (i.e. using incorrect tax rate)

Computer-Initiated Transactions: authorizations may not be as well documented. Inadvertent errors are reduced, but unauthorized interventions may not be evident

Potential for Increased Errors and Irregularities: Likelihood that fraud may occur and remain undetected for long periods of time
1. Opportunity for remote access to data in networked environments increases the likelihood of unauthorized access. Specific controls should exist to ensure that users can only access and update authorized data elements.
2. Concentration of information in computerized systems means that, if system security is breached, the potential for damage is much greater than in manual systems
3. Decreased human involvement = decreased opportunities for observation
4. Errors or fraud may occur in the design or maintenance of application programs
5. Computer disruptions may cause errors or delays in recording transactions
Potential for Increased Supervision and Review:
1. More opportunities for data analysis and review (i.e. integration of audit procedures in the application)
2. Utilization of these opportunities helps mitigate the additional risks associated with a lack of segregation of duties
3. Increased availability of raw data and management reports affords greater opportunity for both the client and the auditor to perform analytical procedures

Controls for specific applications are only as effective as the general controls in place in the IT department, which process transactions and produce reports.

Effect of Information Technology on Evidence Gathering
Manual audit procedures = “auditing around the computer”
Computer-assisted audit techniques (CAAT) = “auditing through the computer”
The reliability of automated systems is highly dependent on the adequacy of control design and execution = critical that auditor gain a thorough understanding of the structure and usage of the control system through inquiry and observation

Factors to consider in selecting appropriate audit procedures in computerized environment:
• Extent of computer utilization in each accounting application
• Complexity of the entity’s computer operations
• Organizational structure of the IT department
• Availability of an audit trail
• Use of computer-assisted audit techniques

Batch System: Manual transactions and periodic updating (audit around the computer - examine source documents)
On-line/Real time: No paper trail. Build electronic audit trail into system. Immediate updating (audit through the computer)

Use of an IT Professional: auditor can always use an expert (either from his staff or from outside)
Auditor should have enough IT-related knowledge to:
• Communicate audit objectives to the IT professional
• Evaluate the sufficiency of the procedures performed
• Evaluate the results of the procedures performed
CPA’s responsibility to guide IT professionals is the same as for other accounting assistants
Auditor need not personally possess the required level of IT skills
Treat the IT professional like your staff:
R – Reputation
I – Independent
P – Professional Competency
P – Program Steps
Auditing around the computer: Manual procedures (batch)
• Auditor does not directly test the application program
• Auditor tests the input data, processes the data independently, and then compares the independently determined results to program results.
• Emphasis is on the input and output stages of transaction processing
• Input (test), Process (black box), Output (test)
• Appropriate for simple batch systems with a good audit trail
• Risks: insufficient, paper-based evidence and insufficient audit procedures

Computer Assisted Audit Techniques (CAAT): Audit through the computer (on-line systems)
• Emphasis is on the input and processing stages
• Transaction Tagging: auditor uses to electronically mark (“tag”) specific transactions and follow them through the system
   o Enables the auditor to test both computerized processing and manual handling of transactions
• Embedded audit Modules: sections of application program code that collect transaction data for auditor
   o Often built into the application program when the program is developed, for use in ensuring that controls are operating effectively
Test Data (Test Deck): technique that uses the application program to process a set of test data, the results of which are already known. Client’s system is used to process the auditor’s data, off-line, and while under the auditor’s control.
• Contains types of invalid conditions in which the auditor is interested
• Advantage: live computer files are not affected in any way

Integrated Test Facility (ITF): similar to test data approach except that the test data is commingled with live data. Client’s system is used to process the auditor’s data, on-line.
• Test data must be separated from live data before the reports are created. Process test data to dummy accounts
• Client personnel are not informed that the test is being run

Parallel Simulation (Reperformance Test): auditor re-processes some or all of the client’s live data into auditor’s system then compares the results with the client’s files.

Generalized Audit Software Packages (GASPs): perform tests of controls and substantive tests directly on the client’s system. The auditor first defines the client’s system (to the GASP) and then specifies the tests and selections that should be made. The GASP generates the programs necessary to interrogate the files and extract and analyze the data. Auditor does not have to know much about client’s system.
Tasks performed by GASPs:
• Examining transactions for control compliance
• Selecting items meeting specified criteria
• Recalculating amounts and totals
• Reconciling data from two separate files
• Performing statistical analysis on transactions
Advantages of GASPs:
• Allows auditor to sample and test more transactions = more reliable audit
• Require little technical knowledge of the client’s system
• GASPs can significantly reduce audit time without sacrificing quality

Auditing with a Computer:
Example: FS (or trial balance) can be entered into a spreadsheet (or possibly a database) program
Advantages of using a computer:
• Automatic performance of math = reduced errors
• Automatic cross-referencing (linking lead schedule to working trial balance and FS)
• Automatic preparation of FS, tax return schedules, and consolidating schedules
• Reduction in required supervisory review time.
• Automatic performance of certain analytical review procedures
• Enhanced client service. Client’s personnel can benefit from: no longer manually preparing, more legible
• Improved productivity of auditing team
Disadvantages of using a computer: audit documentation may not contain readily observable details of calculations

Internal Control Communications:
Control Deficiency: Can involve any or all of “CRIME”. Two types: deficiency in design and deficiency in operation
A deficiency in design: occurs when necessary control is missing or when an existing control does not achieve the desired objective
A deficiency in operation: occurs when a properly designed control does not operate as designed, or is performed by inappropriate person
Significant Deficiency: adversely affects the fairness of FS.
Material Weakness: significant deficiency that results in more than a remote likelihood that a material misstatement of FS will not be prevented or detected.

Responsibility of Auditor:
1. Detection of Control Deficiencies: an auditor of FS is not required to search for control deficiencies
2. Evaluation of Control Deficiencies: must evaluate control deficiencies to determine whether they represent significant deficiencies or material weaknesses
3. Indicators of significant deficiency:
   a. Selection and application of accounting principles
   b. Antifraud programs
   c. Non-routine transactions
   d. Period-end financial reporting
4. Indicators of material weakness:
   a. Ineffective oversight
   b. Restatement of previous FS
   c. Auditor caught a material misstatement which was not identified by internal control
   d. Ineffective internal audit
   e. Ineffective regulatory compliance
   f. Any level of fraud by senior management
   g. Failure to appropriately address previously communicated significant deficiencies
   h. Ineffective control environment

Significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance
Previously existing deficiencies that have not been corrected should be communicated again in writing during current audit
Timing: Written communication must be made within 60 days of report release date. For Public Companies, per PCAOB, communication should occur before issuing of auditor’s report on internal control.
It is management’s responsibility to evaluate and address control deficiencies.
Reporting Requirements – Contents should include:
• Purpose of audit was to express an opinion on FS, and not on the effectiveness of internal control
• Auditor is not expressing an opinion on the effectiveness of internal control
• Definition of significant deficiency and material weakness
• Identify significant deficiencies and material weaknesses noted
• Only for use of management, those charged with governance, and others within organization. RESTRICTED USE

Absence of Significant deficiencies or material weakness:
• May not report the absence of significant deficiencies
• May issue a communication indicating that no material weakness were identified

Management’s Written Responses:
• May prepare a written response. Describe corrective actions or future plans, or indicate the Cost/Benefit Rule

Read report on page A5-30

Examples of Control Deficiencies:
Deficiencies in design of controls:
• Internal control over preparation of FS
• Insufficient control consciousness
• Lack of segregation of duties
• Inadequate design of IT controls
• Lack of personnel qualifications/training
• Inadequate design of monitoring controls
• Inadequate documentation
Failure in operation of control:
• Inappropriate authorization, reconciliations, and safeguard of assets
• Lack of objectivity
• Misrepresentation by client
• Management override
• Failure of an application control

Reporting on an entity’s internal control over financial reporting
CPA may report on management’s assertion or may report directly on the effectiveness of the internal control = attestation engagement, separate from the internal control as part of an FS audit. This is performed according to Statements on Standards for Attestation Engagements
Management accepts responsibility for the effectiveness of internal control. Failure to provide the written representation letter = scope limitation = disclaimer or withdrawal.
Management provides written assertion on the effectiveness of internal control.
Planning this engagement is similar to that performed for an audit.

When performing this engagement, the tasks are as follows:
1. Obtain written assertion from management. Management can present in either of two ways:
   a. A separate report that will accompany the accountant’s report
   b. A representation letter to the accountant
2. If management refuses, auditor should WITHDRAW, unless required by law, then = disclaim or adverse opinion. If adverse, then RESTRICTED USE.
3. Obtain understanding of internal control through inquiry, inspection, and observation
4. Evaluate the design effectiveness of the controls
5. Test (inquiry, document inspection, observation, reperformance) and evaluate the operating effectiveness of controls
6. Form an opinion on the effectiveness of the entity’s internal control, or on management’s assertion

MUST READ sample report on page A5-33
***Examiners have focused many questions in prior exams on the “inherent limitations paragraph” which is included in that report

When CPA expresses an opinion directly on the effectiveness of an entity’s internal control (rather than the “assertion by management”):
The introductory paragraph is almost same, except for first and last sentence where instead of “management’s assertions” it reads “effectiveness of internal control”
Scope and Inherent limitations paragraph are SAME
Opinion paragraph is NEW. “in our opinion, W company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on (identify criteria)”

Deficiencies in Internal control:
1. Material weakness = qualified (“except for”) or adverse (“not maintained effective internal control”). Add explanatory paragraph PRECEDING the opinion paragraph
2. When a material weakness exists, CPA should express an opinion directly on the effectiveness of internal control, and not on management’s assertion.
3. Communication of significant deficiencies and material weakness is similar to audit. Written to management and those charged with governance
4. If client is not the responsible party, auditor has no responsibility to communicate deficiencies to responsible party.
5. If management uses cost/benefit rule as excuse, auditor should disclaim an opinion on management’s cost-benefit statement: “we do not express an opinion or any other form of assurance on management Cost Benefit rule”

Scope limitations:
Generally scope limitations = withdrawal
- When controls are implemented to correct a previously identified material weakness, but auditor is unable to test the new controls, a qualified opinion should be expressed. Slightly modify the scope paragraph.
- When restrictions significantly limit scope = disclaimer. Modify first sentence and omit last sentence. Omit scope paragraph, add explanatory, omit inherent limitations paragraph, revise opinion paragraph
Foreign Corrupt Practices Act (FCPA): Compliance with FCPA is legal determination. Examination of internal control is NOT sufficient to determine the compliance. We are NOT lawyers! Internal control vs. Examination of internal control as part of an FS audit: The results of one type may be used in the other type of engagement. The two different examination may be performed by different practitioners. FS audit, report on internal control = restricted. In separate examination of internal control, use is not restricted (unless in situations where the criteria used are appropriate for specific parties) SOX Requirements for internal control = Public Companies. PCAOB standards require: Issuers report (within the annual report) on management’s assessment of effectiveness of the company’s internal control Auditors attest to (“audit”) the accuracy of management’s report. Audit of FS and internal control must be done together by same CPA firm. Auditor’s report on internal control over financial reporting must include: opinion whether management’s assessment is fairly stated and opinion on whether the company maintained effective internal control Reports on the internal control of issuers – Public Companies Include opinion on management’s assessment and evaluation of effectiveness of internal control Significant deficiencies and material weaknesses= communicate in writing to management and audit committee BEFORE issuing the auditor’s report on effectiveness of internal control. Control deficiencies = communicate in writing to management. 
All written communications = RESTRICTED USE Opinion on effectiveness of internal control o Unqualified opinion = NO material weaknesses o Qualified or Disclaimer = could not perform all necessary procedures o Adverse opinion = MUST express if one or more material weakness (nonissuers can have qualified or adverse, but PCAOB strictly says its adverse if even 1 material weakness is found) Opinion on management’s assessment of internal control o PCAOB requires opinion on management’s objective too. If management discloses ineffective internal control = Unqualified opinion. Government Auditing Government auditing under US Government Accountability office’s (GAO) Government Auditing Standards (the “Yellow Book”) or GAGAS applies to engagements that test and report on compliance with the laws and regulations that authorize the spending of public funds. Audits of governments and governmental assistance require compliance with the requirements of GAAS, GAGAS, and for engagements involving federal financial assistance, the Single Audit Act. 
Management Responsibilities:
• Identification of applicable laws and regulations with compliance requirements
• Establishment of internal controls to provide reasonable assurance that the entity complies with those laws and regulations
• Preparation of supplementary financial reports, including a “schedule of expenditures of Federal Awards”
• Obtaining an audit that satisfies relevant legal, regulatory, or contractual requirements

Auditor’s Responsibilities:
• Obtain reasonable assurance that FS are free of material misstatements resulting from violations of laws and regulations that have direct and material effect on the determination of FS amounts
• Understand possible effects on FS of laws and regulations that have direct and material effect on FS
• Assess whether management has identified laws and regulations that have direct and material effect on FS

There are two types of audits: 1) Financial Audits 2) Performance Audits
Financial audits with GAGAS determine whether the FS present fairly the financial position, results of operations, and cash flows in accordance with GAAP (or OCBOA).
Becker Auditing – 2008 Edition
Chapter 5
Attestation engagements: Performed with GAGAS incorporate the AICPA’s standards for examinations, reviews, and agreed-upon procedures by reference and include expanded requirements. Include:
• Compliance with specified laws, regulations, rules, contracts, or grants
• Effectiveness of internal control over compliance with specified requirements
• Presentation of MD&A
• Reliability of performance measures

Performance Audits – 3 objectives:
Effectiveness, Economy, and Efficiency
o Achievement of legislative, regulatory, or organizational goals
o Evaluation of cost benefit or cost effectiveness
o Validity or reliability of performance measures
Internal Control
o Organizational missions, goals, and objectives are achieved efficiently and effectively
o Resources are used in compliance with laws, rules, and regulations
o Security over computerized systems is effective
o Disaster plans for computerized systems are adequate
Compliance
o Compliance criteria established by laws, regulations, contract have been met
o Appropriate target population has been served

Three sources of auditing standards – depends on character of entity and type and amount of assistance received
GAAS: applicable to all audits
GAGAS: audits of:
• govt organizations, programs, activities, and functions
• govt assistance received by contractors, not-for-profit organizations, and other nongovernment organizations
EXTRA FIELDWORK AND REPORTING STANDARDS
design audit to provide reasonable assurance of detecting material misstatements from noncompliance

For financial statement audits, Yellow Book audit in accordance with GAAS and GAGAS
Audit requirements for entities receiving federal financial assistance should be conducted according to GAAS and GAGAS.
Additional requirements:
• Expanded internal control documentation and testing requirements
• Expanded reporting to include formal written reports on consideration of internal control and assessed control risk
• Expanded report to include whether the federal financial assistance has been administered in accordance with applicable laws and regulations
• Application of single audit standards to federal financial assistance

CPA Peer Review
• Every 3 years (same as GAAS), ADDITIONAL requirement: provide copy of peer review to govt audit clients

Audit documentation
• Follow GAAS guidance (working papers)
• Internal control docs should be based on GAGAS containing additional requirements:
o Must document an understanding of internal control established to ensure compliance with laws, rules, and regulations
o Basis for assessing control risk at maximum when controls are significantly dependent on IT systems

Management representation letter. GAGAS requires additionally:
o There are no violations or possible violations of laws or regulations whose effects should be considered for disclosure in FS or basis for recording loss contingency (same as GAAS)
o Management is responsible for compliance with laws and regulations (based on GAGAS)
o Management has identified and disclosed in writing to the auditor all the laws and regulations that have direct and material effect on its FS (based on GAGAS)
Reporting under GAGAS for financial audits – additional requirements:
1) State that audit was conducted in accordance with GAGAS
2) Describe scope of testing of regulatory compliance and internal control, and present results of tests OR refer to separate report
3) Describe omitted information
4) Describe distribution of report: provide to the officials

Fraud and Illegal Acts:
• Report the conclusion that fraud or an illegal act has occurred, or is likely to have occurred
• Reporting illegal acts is required: report may be included in required audit reports or presented as separate audit reports
• Auditor is required to directly report fraud and illegal acts to federal inspector if: management fails to disclose OR fails to take appropriate remedial action

Reporting of Internal controls:
1. Obtain an understanding of design of controls and determine if implemented
2. Communicate significant deficiencies during audit, even if not material weakness
3. Written report on auditor’s understanding of internal control and assessment of control risk in all audits. This is different from GAAS, which requires written communication only when significant deficiencies are noted
4. Significant deficiencies reported to legislative and regulatory bodies

***GAGAS requires that a written report on internal control be prepared:
• Assertion that evaluating compliance with laws, rules, and regulations with a direct and material effect on FS is part of developing an opinion on FS
• Assertion that specific controls relating to financial reporting are considered
• Indication that either no weaknesses were found or that significant deficiencies were found, and indication whether those deficiencies were material

Responsibilities Under the Single Audit Act:
Requires entities that expend total federal assistance equal to or in excess of $500,000 in a fiscal year to have audit performed in accordance with the Act.
Two objectives:
o Audit of FS and reporting on separate schedule of expenditures of federal awards in relation to those FS
o Compliance audit of federal awards expended during the year as a basis for issuing additional reports on compliance related to major programs and on internal control over compliance

Requires that materiality of transaction or other compliance finding be considered separately in relation to each major program, not simply in relation to the FS taken as a whole.
Generally, programs classified as major are those that expend $300,000 or more in federal financial assistance, but smaller programs may be deemed major if they are classified as “high risk”, even if they do not meet the monetary threshold.

Program-Specific Audits:
• Certain recipients under certain circumstances are permitted to have a program-specific audit instead of a single audit
• Auditor must contact the inspector general of applicable federal agency and obtain a current program-specific audit

All governmental audits carried out under the Single Audit Act are not the same:
• Audits of an entire organization that include additional audit procedures on specific programs are called “single audits”
• These audits include a report on the FS of the whole organization and audit reports on specific programs
• Audits of specific programs are called “program specific audits” and do not include reports on FS of organization taken as a whole

For auditors to perform a single audit, they must obtain understanding of internal control and support a low assessed level of control risk for major programs.
• Test of controls must be performed to evaluate the effectiveness of internal control
• Controls that are ineffective = expand the audit procedures (assess CR at maximum, impact of weak controls on substantive compliance testing, report deficiency or weakness.)

General Rule: Test Effective Controls, Report Ineffective Controls
For noncompliance with requirements for federal financing program, reports should be qualified (“except for”) or adverse.
Modify Report: Qualified, Adverse
• When auditor’s procedures disclose material instances of noncompliance = modify report
• Immaterial instances of noncompliance should be reported but need not be specifically identified

***Auditor communication requirements increase in government settings. Auditors have the responsibility of reporting significant deficiencies to specific regulatory bodies or grantor agencies. Reporting illegal acts is required.
***Government audit requires more work and responsibility of auditor. Study the additional audit requirements
***Government audit reports focus the reader on compliance with laws, rules, and regulations, the internal controls associated with maintaining compliance, and any findings of noncompliance. Must study the chart on pg. A5-47

Communication with Those Charged with Governance
Includes Board of Directors and Audit Committee
Audit Committee: drawn from the board of directors, generally made up of 3-5 members of the board who are “outside directors” (non-management)
• Audit committee is a sub-group of those charged with governance
• SEC recommends and NYSE requires all companies to have audit committees
• Main function: Enhance internal control by direct communication between “outside directors” and independent auditor
• Part of internal control structure
• Selects and appoints the independent auditor
• Determines that recommendations made by the auditor are given proper attention
• Evaluates internal control of company with help of independent auditor
• The auditor should communicate with audit committee:
o Meet with audit committee without management present at least once each year
SOX, for public companies, ADDITIONAL requirement: audit committee to approve the engagement of the auditor, to pre-approve the services to be performed, and to have ongoing communications with the auditor.
• The auditors of issuers report to and are overseen by audit committee and not by management

Auditor’s responsibilities – communicate to those charged with governance:
• Expressing an opinion on FS, following GAAS, matters related to FS
• The scope and timing of the audit (inform those charged with governance re: auditor’s activities and understanding of entity)
• Communicate how significant risks of material misstatement will be addressed, the planned approach toward internal control, factors affecting materiality, and any potential use of internal audit staff
• Discussion of attitudes, awareness, and actions of those charged with governance with respect to internal control, fraud, relevant changes, and matters previously communicated by auditor

Significant Audit Findings – auditor should communicate:
• Auditor’s views about qualitative aspects of the entity’s accounting practices, including the initial selection of, changes in, and appropriateness of significant accounting policies; the process used by management in formulating significant accounting policies; the process used by management in formulating significant accounting estimates; significant management judgments; and the adequacy of FS disclosures
• Significant difficulties encountered in performing the audit
• Uncorrected, nontrivial misstatements and their possible effect on audit opinion
• Any circumstances that may appear to impair independence

If all of those charged with governance are not involved with managing the entity, the auditor should also communicate:
• Material, corrected misstatements brought to management’s attention as a result of the audit.
• Auditor may choose to communicate corrected misstatements that are immaterial but frequently recurring.

Communication should be two-way: those charged with governance should also communicate relevant matters to the auditor.
Inadequate two-way communication may be indicative of an unsatisfactory control environment, which may affect the auditor’s assessment of the risk of material misstatement.
• Generally, auditor may discuss matters with management prior to communicating them with those charged with governance
• SOX (for public companies): auditors are required to report (to the audit committee) all critical accounting policies, all material alternative GAAP accounting treatments, and other material communications between the auditor and management.
• Communications may be oral or in writing. Significant audit findings should be communicated in writing. Written communications should include a limitation on the use of the communication = RESTRICTED USE. Oral communications should be documented.
• Timing of communication should occur in a manner that allows appropriate action to be taken. For PUBLIC companies, communications should be made BEFORE auditor’s report on FS is filed with SEC.

Management Representatives
At the end of fieldwork, the independent auditor must obtain a management representation letter from client. Failure to get a rep letter = scope limitation.

Purpose of rep letter:
• Confirm representations explicitly or implicitly given to the auditor
• Indicate and document the continuing appropriateness of such representations
• Reduce the possibility of misunderstanding concerning matters that are the subject of representations

Requirements of rep letter:
• State all material matters have been adequately disclosed to independent auditor
• Rep letter is obtained at the END of auditor’s fieldwork
• Letter is mandatory!
Otherwise disclaimer or withdrawal
• Signed by CEO and CFO
• Dated same date as audit report
• Management provides information on the FS, completeness of info, recognition, measurement, and disclosure and subsequent events
• All minutes and financial records should be made available to the auditor
• There have been no communications from regulatory agencies concerning noncompliance with or deficiencies in financial reporting practices
• Absence of unrecorded transactions

Contents of letter:
• Management’s acknowledgment of its responsibility for the fair presentation in the FS of financial position, results of operations, and cash flows in conformity with GAAP
• Management’s belief that the FS are fairly presented in conformity with GAAP
• Information concerning subsequent events