Audit Program and Evidence

Questions and Answers

Which of the following is NOT a typical classification of audit evidence?

• Documentary
• Testimonial
• Physical
• Conclusive (correct)

What is the primary role of an audit program?

• To serve as a marketing tool for the auditing firm.
• To outline the auditor's personal goals during the audit process.
• To provide a detailed set of steps for gathering appropriate audit evidence. (correct)
• To provide a general overview of the company's financial status.

What is a key benefit of using a well-structured audit program?

• It eliminates the need for any auditor judgment.
• It provides a systematic plan for each phase of the audit work, aiding in assigning work to a team. (correct)
• It guarantees a perfectly accurate audit report.
• It helps to save time on the audit by skipping unnecessary checks.

Which of the following is LEAST likely to be included in the benefits of an audit program?

Guaranteed detection of all fraudulent activity. (C)

When should the final audit program be prepared?

Immediately after the preliminary survey. (D)

What should be the primary focus when preparing an audit program?

Focusing on areas that pose the greatest risk to the organization. (C)

Which of the following is NOT a key criterion for a successful audit program?

The program is rigidly structured and cannot be modified once initiated. (D)

In prioritizing work steps within an audit program, what evidence should be sought first?

Evidence of the most important control objectives. (A)

Which of the following is the MOST significant limitation of using test data as a transaction testing technique?

It can only be applied to a limited volume of data, potentially missing less frequent errors. (B)

An auditor is tasked with verifying a complex calculation performed by a live system. Due to security concerns, direct access to the system's source code is restricted. Which technique would BEST allow the auditor to independently validate the calculation?

Parallel simulation, developing separate software to replicate the calculation and comparing the outputs. (B)

An auditor discovers that sensitive data is being retained in computer records longer than necessary, creating a potential security risk. Considering the need for continuous monitoring, which automated technique would BEST address this issue?

Using GAS to compare data retention settings against established policies and flagging exceptions. (B)

An organization's IT department frequently uses utility programs for various data management tasks. What is the MOST important control consideration from an audit perspective regarding the use of these utilities?

Restricting access rights to utility programs to authorized personnel only. (A)

In a large organization with a complex IT infrastructure, the audit team wants to continuously monitor system-level activities, focusing on areas like telecommunications and the operating environment. What approach would be MOST effective for achieving this objective?

Implementing continuous auditing techniques and data analytics to identify anomalies and trends. (E)

Which of the following is NOT a potential cause of errors encountered during audit sampling?

Use of appropriate audit procedures for a given objective (B)

Which of the following is MOST critical for an audit supervisor to confirm when approving an audit program?

The audit scope aligns with the audit objectives. (A)

An effective audit approach should possess which combination of characteristics?

Simple, practical, quick, and technically competent. (A)

What does 'beta risk' represent in the context of compliance tests of internal controls?

The risk of over-reliance on controls, leading to an unjustified reliance on the control (C)

Which factor MOST justifies an auditor's decision to use statistical sampling instead of examining every transaction?

Examining every transaction is too time-consuming and costly. (C)

When performing substantive tests, what does 'alpha risk' refer to?

The risk of incorrect rejection (B)

To express an opinion on error rates within a population, which sampling technique would an auditor typically use?

Attributes sampling (B)

Which of the following scenarios BEST illustrates an appropriate use of non-statistical sampling?

Examining a few high-value transactions for potential fraud. (D)

What is the primary effect of increased variability within a population on the required sample size?

It increases the required sample size. (D)

What is a critical requirement for statistical sampling to be considered valid and allow extrapolation of results to the population?

An appropriate sample selection technique, such as random selection, and an adequate sample size must be chosen. (B)

Under what circumstances might an auditor consider using a confidence level lower than the standard 95%?

When the situation is evaluated as low risk (D)

If an auditor increases the sample size in a statistical sample, what is the expected impact on the accuracy of the extrapolation to the population?

The accuracy will increase. (C)

What happens to the impact of the population size on the sample size as the population increases beyond 5,000?

The population size has no practical impact on sample size. (D)

What is the PRIMARY goal of auditors when attempting to control sampling risk?

Reduce the likelihood that the sample does not accurately reflect the population. (D)

An auditor sets the acceptable sampling risk at 5%. What does this MOST accurately indicate?

There is a 5% risk that the sample does not accurately reflect the population. (D)

Which of the following quantitative methods is best suited for evaluating fluctuations in turnover over an extended period?

Trend analysis (B)

A company is implementing new inventory management procedures. The internal auditor wants to assess how quickly employees are adapting to the new procedures. Which analytical technique would be most suitable for this purpose?

Learning curve analysis (A)

What type of data is most appropriately analyzed using chi-square tests?

Qualitative data (A)

How does non-sampling risk DIFFER from sampling risk in the context of an audit?

Non-sampling risk arises from uncertainties not caused by the sampling process, while sampling risk arises because the sample may not represent the population. (C)

In correlation analysis, what does a correlation value approaching 0 indicate?

Little to no correlation between the variables (C)

An auditor relies on both statistical and judgmental sampling during an audit. How do the conclusions drawn from each approach MOST likely differ?

Statistical sampling allows for a quantitative measure of risk, while judgmental sampling relies on auditor expertise. (D)

Which of the following statements is true regarding correlation analysis and its limitations?

Correlation analysis primarily measures linear relationships, and its values can be distorted by outliers. (D)

A manufacturing company wants to optimize the use of its machining and finishing resources to maximize production output. Machining can process 120 units per machine, while finishing can handle 40 units per machine. Which operations research tool is most suitable for determining the optimal number of each machine to use?

Linear programming (A)

In project management, which technique is most effective for identifying the sequence of activities where delays would directly impact the project's overall completion date?

Critical Path Method (CPM) (D)

A retail company is experiencing long customer wait times at checkout counters. Which analytical technique would be most appropriate for determining the optimal number of checkout counters to minimize both customer waiting costs and the costs of operating the counters?

Queuing theory (D)

During a negotiation, a company aims to understand the potential outcomes and optimal strategies depending on the other party's actions. Which analytical technique would be most useful in this scenario?

Game theory (B)

A casino uses computer simulations to model the outcomes of various games, taking into account probabilities and uncertainties. This allows them to estimate average performance and potential risks. Which simulation method is being employed?

Monte Carlo Method (B)

An auditor is using generalized audit software (GAS) to perform various tasks. Which of the following is a typical function that GAS is designed to perform?

Examining records and testing calculations. (D)

A company observes that for every doubling of cumulative production, the time required per unit decreases by 20%. What is the learning curve percentage?

80% curve (A)

In project scheduling, which of the following best describes the primary limitation of using Gantt charts?

They do not effectively represent interdependencies between activities. (B)

Flashcards

Audit Evidence Procedures

The auditor gathers evidence by following the audit program.

Audit Program

A set of detailed steps that the auditor will follow in order to gain the appropriate evidence.

Evidence Gathering

Permits the expression of an opinion on the efficiency, economy, and effectiveness of the activities.

Audit Program Provides

Examination and evaluation of information; provides the primary link between the audit field work and the audit report.

Benefits of Audit Program

Systematic plan, progress control, summary record, reduces supervision.

When to Prepare Audit Program?

Immediately after the preliminary survey.

Audit Program Success

Objectives stated and agreed by the auditee up-front.

Audit Program Focus

Series of detailed instructions to obtain audit evidence.

Audit Supervisor Role

Ensures tasks are defined, organized, and monitored; staff are trained; and the audit program is approved.

Audit Program Purpose

Provides evidence related to structures, documentation standards, and systems documentation.

Overall Audit Approach

Simple, practical, quick, commonsense, business-oriented, and technically competent.

Statistical Sampling Definition

Testing a portion of items to draw conclusions about the entire group.

Underlying Assumption of Sampling

Yields accurate information about the population from which the sample was taken.

Judgmental Sampling

Relying on professional judgment to assess risk and evaluate the population.

Statistical Sampling Approach

Sample is selected to represent the population, allowing extrapolation of results.

Sampling Risk

The risk that the chosen sample does not accurately reflect the entire population.

Non-Sampling Risk

The risk the auditor misses a significant error, even with a representative sample.

Sampling Certainty Level

Acknowledge that 100% certainty is impossible, accepting a small chance of error.

Error Causes in Sampling

Mistakes in sample selection, incorrect audit procedures, failure to recognize misstatements, or improper population definition.

Risk of Over-Reliance (Beta Risk)

The risk that a sample leads the auditor to rely on a control that is not actually effective.

Risk of Under-Reliance (Alpha Risk)

The risk that a sample leads the auditor to believe a control is ineffective when it actually is effective.

Risk of Incorrect Acceptance (Beta Risk)

The risk the sample supports the conclusion that an amount is not misstated, when it actually is.

Risk of Incorrect Rejection (Alpha Risk)

The risk the sample leads the auditor to believe an amount is misstated, when it actually isn't.

Population Variability

The expected rate of deviations in the population.

Confidence Level

The likelihood that the sample results are accurate.

Trend Analysis

A quantitative method evaluating a variable's behavior over time.

Chi-Square Tests

A non-parametric test analyzing relationships between qualitative data.

Correlation Analysis

Measures the extent of association between two variables.

Generalized Audit Software (GAS)

Software used to compare data, analyze data and select audit samples. Improves audit quality by quantifying audit risk and sampling.

Customized Audit Software

Software tailored for unique audit tests in specific situations, offering customized output formats.

Information Retrieval Software

Software like report writers and query languages used to execute common audit routines, despite not being specifically designed for auditing.

Utilities

Programs performing common data tasks (copy, sort, etc.) that auditors can use to analyze data. Access to them should be restricted.

Test Transaction Techniques

Validates processing controls through tests such as edit and validation controls, exception reports, and data integrity controls.

Correlation Values

Measures linear relationships between two variables; however, it doesn't detect nonlinear relationships.

Learning Curve

Shows the decrease in time per unit as cumulative output doubles, reflecting improved efficiency.

Regression Analysis

Quantifies the interrelationship between two or more variables to facilitate predictions.

Linear Programming

Allocates scarce resources or determines optimal blends using algebraic formulas and simultaneous equations.

PERT (Program Evaluation Review Technique)

Diagrammatically identifies activity dependencies, helping allocate resources to tasks impacting deadlines.

CPM (Critical Path Method)

Uses a similar diagram to PERT but uses two time estimates: normal and 'crash' effort.

Gantt Chart

Simple planning tool using bar charts to show start and completion times of project activities.

Monte Carlo Simulation

Uses computer simulations to model uncertainty and estimate average performance based on probabilities.

Game Theory

Mathematical models of optimal strategies in competitive environments, exploring 'what if' scenarios.

Queuing Theory

Uses mathematical models to minimize the total cost of service points and waiting costs.

Study Notes

• Audit evidence is classified by sufficiency, competence, relevance, and usefulness.
• Audit evidence can be physical, testimonial, documentary, or analytical.

Audit Evidence Procedures

• Auditors gather evidence by following an audit program, a detailed plan to obtain evidence, potentially using computerized techniques.
• The IS auditor typically uses computerized techniques to perform their examinations, but this is not always the case
• Evidence gathered allows expressing an opinion on the activities' efficiency, economy, and effectiveness.
• The audit program provides instructions for examining and evaluating information and links audit fieldwork to the audit report.
• The program assists the auditor in sticking to the schedule and budget.
• Audit programs can be "pro-forma" or tailored, offering a systematic plan for each audit phase, enabling work assignment to team members.
• It aids in controlling and evaluating progress, training staff, summarizing work, reducing supervision, and assuring internal audit quality.
• The audit program should be prepared after the preliminary survey and can be modified during the audit.
• The program should focus on risks to the corporation and be thoughtful, relevant, effective, and economic.
• Not every item needs checking, and maintaining reasonableness and relevance is essential.

Criteria for Success

• Audited operations' objectives must be stated and agreed upon upfront.
• Programs should be tailor-made with reasoning for each step outlined.
• Avoid creating a list of questions; instead, provide detailed instructions for obtaining audit evidence.
• Prioritize work steps to seek evidence of the most critical control objectives first.
• Audit supervision utilizes project management techniques to match resources to requirements.
• This includes defining, organizing, and monitoring tasks, training staff, and approving the audit program.
• The audit supervisor must be satisfied with the audit subject, objective, scope, pre-audit planning, procedure selection, and evaluation.

Audit Scope

• The audit program provides for collecting audit evidence of structures, documentation standards, and system documentation.
• The audit approach must be simple, practical, quick, use common sense, be business-oriented, and technically competent.

Statistical Sampling

• Auditors can gain assurance regarding risk mitigation without examining every record or transaction.
• Auditors may use sampling techniques for satisfactory and competent evidence.
• They can choose non-statistical or statistical sampling techniques.
• Non-statistical sampling involves the auditor's judgment in selecting the number and which items to examine.
• The sampling technique applies when the auditor examines a few examples without drawing conclusions about the whole population.
• Statistical sampling tests a portion of items to evaluate and draw conclusions about the population.
• Statistical sampling is applying procedures to less than 100% of items in a transaction class or account balance to conclude its characteristics.

Why Sample?

• Sampling assumes that sample results yield accurate information about the population.
• If auditors didn't use sampling, they would have to review every item, which would be time-consuming and outweigh the benefit.

Sampling Types

• Judgmental/nonmathematical
• Statistical

Judgmental (or Non-Statistical) Sampling

• In judgmental sampling, the auditor uses professional judgment to assess sampling error risk and evaluate the population.
• Sample results cannot be extrapolated to the entire population because the sample isn't representative.
• This approach is used when the auditor intends to use the sample for limited purposes.
• Judgmental sampling should be avoided as a primary audit procedure if the auditors have no special knowledge about which items in the population are more likely to contain misstatements.

Statistical Approach

• In statistical sampling, the sample should be representative of the population.
• The relevant characteristics of the sample, such as the sizes or rates or errors, should be mathematically proportional to those of the population.
• An appropriate sample selection technique, such as random selection, and an adequate sample size must be chosen.
• Sample results may then be used to project to the population (extrapolate) in order to estimate a specific value for the population.
• The more representative the sample, the more accurate the extrapolation will be.
• Statistical sampling is less than 100% assured, and the auditor considers the effect of sampling risk.

Sampling Risk

• All auditing involves uncertainty.
• Audit risk refers to material irregularities or errors not detected by internal control or auditing procedures.
• Statistical sampling introduces the risk that conclusions about the population may contain material errors due to less than 100% certainty.
• Sampling risk is the risk that the chosen sample doesn't reflect the population, contrasting with non-sampling risk.
• Non-sampling risk is the risk that the auditor misses a significant error even with a representative sample.
• Statistical sampling attempts to control sampling error risk.
• An auditor working at a 95% certainty level accepts a 5% chance that the sample doesn't reflect the population accurately reflecting the nature of sampling certainty.
• In a normal distribution, a 95% certainty indicates that, should the auditor draw a sample of twenty 100 times, 95 of those times the full sample would be drawn from a representative part of the population, and five of those times the sample would include one or more items that are not representative of the population.
• Every sampling use is subject to non-sampling error risk, whether based on statistical methods or auditor judgment caused by other uncertainties that are not caused by the sampling process
• Causes of non-sampling error include mistakes in selecting the sample and incorrect audit procedures, failure to recognize misstatements, and an improper definition of the population.

Assessing Sampling Risk

• IIA Standards state that auditors should use their professional judgment in assessing sampling risk.
• Sampling risk in compliance tests includes over-reliance (beta risk) and under-reliance (alpha risk) on controls.
• The risk of over-reliance on controls (beta risk) is the risk that the sample leads the auditor to place reliance on the control when it is not justified.
• The risk of under-reliance on controls (alpha risk) is the risk that the sample leads the auditor to evaluate the population as beyond tolerance levels erroneously.
• When performing substantive tests Auditors should be concerned with the risk of incorrect acceptance (beta risk) which is the risk that the sample supports the auditor’s conclusion that the amount or quantity is not materially misstated when in fact it is, and the risk of incorrect rejection (alpha risk) is the risk that the sample leads the auditor to believe that the amount or quantity is materially misstated when in fact it is not.

Audit Objectives

• Auditors start by considering the control objectives.
• From this can be derived the source of audit evidence and the nature of the audit testing required to evaluate that evidence.
• Where audit testing uses sampling techniques, the auditor focuses on achieving specific sampling tests objectives.
• Sampling technique selection depends on the auditor's opinion to express.
• An opinion on error rates dictates using attributes sampling techniques.
• Expressing an opinion on the probable values may call for monetary unit sampling or variable sampling.

Calculating Sample Size

• Deciding on the appropriate sample size depends on key factors to ensure sample objectives are met.
• The amount of variability in the population defines the spread of values, affecting accuracy and sample size when estimating value.
• The greater the variability, the larger the sample size required.
• The confidence level represents the likelihood that the results obtained from the sample lie within the associated precision.
• The higher the confidence level desired, the larger the sample size required.
• Auditors typically operate at a 95% confidence, with levels like 90% permissible in low-risk situations and 99% in higher-risk ones.
• Contrary to popular belief, the population size does not normally affect sample size since, the larger the population size, the greater is the likelihood that the sample will be representative.
• For populations under 5,000, the population size affects the sample size.
• Very low populations may invalidate standard sampling techniques and require non-parametric sampling.
• Auditors should be aware that some audit software does not take population size into consideration in calculating sample size, and such sampling will only be appropriate in larger populations.

Quantitative Methods

• Besides statistical analysis, internal auditors can select various quantitative methods.
• These mathematical tools aid understanding operations and drawing conclusions through complexities.

Trend Analysis

• Used for evaluating the behavior of variables like turnover over time.
• Such analyses can serve as evaluation criteria to determine the reasonableness of fluctuations of an extended period.
• Comparisons of this year’s turnover to last year’s turnover or, alternatively, this month’s turnover to the same month last year are popular.

Chi-Square Tests

• Non-parametric tests analyze relationships between qualitative data.
• For example, determining if operating units in the South run differently from those in the North.
• Chi-square tests can check for the independence of normal classifications and ordinal data, and require no particular distributional pattern for the data.

Correlation Analysis

• Measures the association extent between variables.
• Variables are correlated when moving together in a detectable pattern.
• Correlation is direct when variables increase or decrease simultaneously. Inventory decreasing as sales increase is an example.

Graphical Analysis

• Auditors commonly use scatter diagrams
• They show the relationship between variables.
• A discernible pattern suggests one variable's relation to and predictability of another's value.
• Random patterns indicate variables with little correlation.
• Strong positive or negative correlations approach a value of 1; weak correlations approach 0.
• Correlation values measure linear patterns only and can be skewed by a single nonconforming data point.

Learning Curves

• During operational audits of new procedure implementation or new staff training, a learning curve is expected.
• Task time in order to decrease as employees gain experience.
• Decrease in production time per unit of 25% would result in a 75% curve, whereas the 60% curve would result if the production time was reduced by 40%..
• The auditor can measure this curve to determine how quickly a new procedure or employee becomes productive.

Ratio and Regression Analysis

• Ratio analysis assumes a given proportional relationship between two numbers and compares them over time.
• Regression analysis attempts to quantify the interrelationship to make facilitate predictions.
• Regression analysis is used to estimate the effect that a movement in one variable (independent) has on another (dependent).
• Regression analysis helps note and investigate unusual variances between expected and recorded values.

Linear Programming

• An operations research tool for allocating scarce resources or determining optimal blends of raw materials.
• Constraints are reduced to algebraic formulas solved by simultaneous equations.
• For example, linear programming determines how many of each machine type should be used for optimum production.

Project Scheduling Techniques

• Project scheduling is essential in project management.
• Internal auditing frequently works in project teams that often suffer from the same poor project scheduling

Program Evaluation Review Techniques

• PERT diagrams dependent and independent activities.
• This shows graphically which activities cannot be started until the previous activities have been completed and, at the same time, which activities can proceed simultaneously, so planners can allocate resources.
• It takes into account operational constraints on resources needed to execute tasks.

Critical Path Method

• CPM is a scheduling tool similar to PERT but uses two time estimates: normal and "crash" effort.
• "Crash" time is the completion time when all resources are committed to the task.

GANTT or Bar Charts

• Gantt charts are simple planning tools that organize work through project stages.
• They consist of bar charts showing the start and completion times of individual project activities.
• The major drawback to these charts is the poorer representation of interdependencies.

Simulations

• Computers accelerate timescales by rapidly repeating activities.
• Combining this with event probability builds a sophisticated model.
• The Monte Carlo Method uses computers to simulate uncertainty based on probabilities and estimates models to determining average performance.

Game Theory

• Refers to mathematical models of optimal strategies under various incentive schemes like exploring “what if” solutions used in competitive environments
• A profit generated in which it is possible for both participants to share is a non-zero-sum game.
• A zero-sum game denotes a situation where a profit simply transfers from a loser to a winner.
• Game theory assists internal auditors in understanding strategies in negotiations or price setting.

Queuing Theory

• Queuing theory uses mathematical models to minimize the total cost for a given rate of arrivals.
• the minimized cost includes both service costs (facility and operating costs) and waiting costs (the idle resources waiting in line or having service points idle).

Generalized Audit Software

• Generalized audit software (GAS) is tailored for auditors to examine records, test calculations, and make computations.
• A common audit technique is to take a copy of a file of standard data for later comparison to a changed version of the same data with GAS being able to conduct the comparison and analysis.
• GAS can improve audit quality by allowing the quantification of audit and sampling risk when Selecting, analyzing, and printing audit samples.
• Computerized sampling usage and interpretation is simplified with GAS complete with sampling and analysis functions.

Application and Industry-Related Audit Software

• Audit procedures are available for applications like accounts receivable, payrolls, and general ledgers, either stand-alone or as add-ons to GAS.
• Industry-specific software exists for insurance, health care, and financial services, but typically requires IS skills for conversion.
• Software, in general, is cost-effective and efficient.

Customized Audit Software

• Software designed for unique circumstances and tests may be expensive and require high IS skills.
• Customized audit must be handled with care due to running it may not tell you what you think it does; however, it may be the only viable solution in a unique processing situation.

Information Retrieval Software

• Report writers and query languages can perform common audit routines.

Utilities

• Utilities perform tasks like copying, sorting, and editing, and should have restricted access.
• They show data as it exists, increasing audit reliance.

On-line Inquiry

• Interactive interrogation provides data for audit reports and confirmation of corrective action which requires an understanding of the information.
• Armed with the appropriate access authority, the auditor can obtain adequate audit evidence to meet their requirements but needs to be sure what they are looking at because there is ample opportunity for drawing erroneous conclusions.

Test Transaction Techniques

• Test transaction techniques confirm the processing controls functioning (edit and validation controls, exception reports, data integrity controls).
• Performed via a copy of the live computer system through which a series of transactions is passed in order to produce predetermined results, which can be limited by data volume and auditor bias.

Integrated Test Facility

• The ITF is similar to test data involving the creation of a dummy entity within the live system and the processing of test data against the dummy entity together with the live data.
• It tests the system as it operates, but all test transitions must be removed and also carries the real danger of destroying the live system, requiring the use of extra great care.

Source-code review

• Source-code review reviews the source code utilizing generalized audit software to establish weaknesses in the source code.

Embedded audit modules

• Embedded audit modules (SCARFs [System Collection Audit Review Files]) can collect and retain selected information to serve as an audit trail for subsequent examination in systems where audit trails only exist as computer records, briefly, or discontinuously.
• Collected data can be a target for destruction.
• Parallel simulation is a technique involving the creation of software to simulate some functional capability of the live system such as a calculation, wherein the live data is processed through the simulating program in parallel with the live system and then the outputs are compared.

Review of system-level activity

• Review of system-level activity involves the examination of control areas with a pervasive influence such as telecoms, operating environment, systems development and change control.
• End-user computing is treated as a general threat.

Description

Questions about audit evidence classification, audit program roles and benefits, audit program preparation, and limitations of using test data. It also covers validation techniques where there's restricted access.