
INTERNAL AUDITING

AUDIT PROCEDURES, EVIDENCE, DOCUMENTATION, AND SAMPLING
TOPICS
 Financial Statement Assertions
 Audit Procedures
 Audit Evidence
 Audit Documentation
 Audit Sampling
FINANCIAL STATEMENT ASSERTIONS
 Assertions – representations by management, explicit or otherwise, that
are embodied in the financial statements.
 Categories of assertions:
 Assertions about classes of transactions or events for the period under
audit. (Income Statement accounts)
 Assertions about account balances at the period end.
(Balance Sheet accounts)
 Assertions about presentation and disclosure. (Financial statements
presentation and disclosures)
FINANCIAL STATEMENT ASSERTIONS
 Assertions about classes of transactions and events for the period under audit:
 Occurrence – transactions or events that have been recorded and pertain to
the entity.
 Completeness – all transactions and events that should have been recorded
have been recorded.
 Accuracy – amounts or other data relating to recorded transactions and
events have been recorded appropriately.
 Cut-off – transactions and events have been recorded in the correct
accounting period.
 Classification – transactions and events have been recorded in the proper
accounts.
FINANCIAL STATEMENT ASSERTIONS
 Assertions about account balance at the period end:
 Existence – assets, liabilities, and equity interests exist.
 Rights and obligations – the entity holds or controls the rights to assets,
and liabilities are the obligations of the entity.
 Completeness – all assets, liabilities and equity interests that should
have been recorded have been recorded.
 Valuation and allocation – assets, liabilities, and equity interests are
included in the financial statements at appropriate amounts and any
resulting valuation or allocation adjustments are appropriately recorded.
FINANCIAL STATEMENT ASSERTIONS
 Assertions about presentation and disclosure:
 Occurrence and rights and obligations – disclosed events, transactions,
and other matters have occurred and pertain to the entity.
 Completeness – all disclosures that should have been included in the
financial statements have been included.
 Classification and understandability – financial information is
appropriately described, and disclosures are clearly expressed.
 Accuracy and valuation – financial and other information are disclosed
fairly and at appropriate amounts.
AUDIT PROCEDURES
 General classification of audit procedures
 Methods of gathering audit evidence
AUDIT PROCEDURES
 General classification of audit procedures:
 Risk assessment procedures – audit procedures performed to obtain an understanding of
the entity and its environment, including the entity’s internal control, to identify and assess
the risks of material misstatement, whether due to fraud or error.
 Further audit procedures – the additional procedures that are performed based on the
results of the auditor’s risk assessment procedures.
 Test of controls – an audit procedure designed to evaluate the operating effectiveness of
controls in preventing, or detecting and correcting material misstatements at the
assertion level.
 Substantive procedures – an audit procedure designed to detect material misstatements
at the assertion level. Substantive procedures comprise tests of details (classes of
transactions, account balances, and disclosures) and substantive analytical procedures.
 Dual-purpose tests – one which concurrently tests a control and is a substantive test
(test of details of a transaction, balance, or disclosure).
AUDIT PROCEDURES
 Methods of gathering audit evidence:
 Observation – consists of looking at a process or procedure being performed by
others.
 Inquiry – consists of seeking information from knowledgeable persons inside or
outside of the entity.
 Confirmation – consists of the response to an inquiry to corroborate information
contained in the accounting records.
 Recalculation – consists of checking the mathematical accuracy of source documents
and accounting records or performing independent calculations.
 Reperformance – consists of auditor’s independent execution of procedures or
controls that were originally performed as part of the entity’s internal control.
 Analytical procedures – consist of the analysis of significant ratios and trends,
including the resulting investigation of fluctuations and relationships that are
inconsistent with other relevant information or deviate from predicted amounts.
AUDIT PROCEDURES
 Methods of gathering audit evidence (continued):
 Inspection – involves examining records, documents, or tangible assets
 Means of inspection – tracing and vouching (please see table below).
Item | Tracing | Vouching
Definition | Examination of documents ensuring that the transaction was accounted for properly. | Examination of documents ensuring that a recorded amount is properly supported.
Flow or direction of testing | From source documents to final document (e.g. ledger) | From final document (e.g. ledger) to source documents
Assertion tested | Completeness | Existence
Misstatements concerned | Understatement | Overstatement
AUDIT PROCEDURES
 Methods of gathering audit evidence (continued):
 Surveys – structured approaches to gathering information from a large population; ask
for responses expressed on a point rating scale or other constrained response
categories
 Internal control questionnaire – used in preliminary appraisals of controls to be
tested
 Flowcharting – graphic representation of a process or system and provides a means
for analyzing complex transactions.
 System flowchart – provides an overall view of the inputs, processes and outputs.
 Document flowchart – depicts value adding activities and critical controls.
 Modeling – use of mathematical and statistical models designed to simulate real
processes and help in decision making.
AUDIT PROCEDURES
 Methods of gathering audit evidence (continued):
 Control Self-Assessment – focused on having the members of a working group
identify and assess controls that govern their activities. It includes the identification of
all controls and focusing on the ones that are important or may be questionable as to
their effectiveness.
 Risk Self-Assessment – focused on having peer groups or knowledgeable
stakeholders identify the risks associated with one or a group of programs, activities
or initiatives.
AUDIT EVIDENCE
 Attributes of audit evidence
 Types/forms of audit evidence
 Levels of persuasiveness of evidence
AUDIT EVIDENCE
 Audit evidence – information used by the auditor in arriving at the conclusions on which
the auditor’s opinion is based. Audit evidence includes both information contained in the
accounting records underlying the financial statements and other information.
 Accounting records – the records of initial accounting entries and supporting records,
such as checks and records of electronic fund transfers; invoices; contracts; the general
and subsidiary ledgers, journal entries and other adjustments to the financial statements
that are not reflected in the journal entries; and records such as work sheets and
spreadsheets supporting cost allocations, reconciliations and disclosures.
 Other information – the information that the auditor may use as audit evidence such as
minutes of meetings; confirmations received from third parties; analysts’ reports;
comparable data about competitors (benchmarking); controls manuals; information
obtained by the auditor from audit procedures such as inquiry, observation, and inspection;
and other information developed by, or available to, the auditor to reach conclusions
through valid reasoning.
AUDIT EVIDENCE
 Internal auditors must identify sufficient, reliable, relevant, and useful information to
achieve the engagement’s objectives.
 Determining whether information is adequate for the internal auditor’s purposes is a
matter of professional judgment that depends on the particular situation.
 Although the judgment is supposed to be objective, it inevitably varies with the internal
auditor’s training, experience, and other personal traits.
 Furthermore, the decision about the adequacy of information is not readily quantifiable.
AUDIT EVIDENCE
 Attributes of audit evidence:
 Sufficient information is factual, adequate, and convincing so that a prudent, informed
person would reach the same conclusions as the auditor.
 The sufficiency criterion is explicitly defined in objective terms. The conclusions
reached should be those of a prudent, informed person.
 The basic issue is whether the information has the degree of persuasiveness needed
based on the circumstances.
 Sufficiency is the measure of the quantity of evidence.
 When considering the sufficiency of evidence, the internal auditor should consider the
following:
 Risks involved
 The quality of evidence
 Incomplete data may result in the inability to reach reasonable conclusions.
 Examination of extensive evidence may be uneconomical, inefficient and ineffective.
AUDIT EVIDENCE
 Attributes of audit evidence (continued):
 Reliable information is the best attainable information through the use of appropriate
engagement techniques.
 Information is reliable when the internal auditor’s results can be verified by others.
 Reliable information is valid. It accurately represents the observed facts and is free
from error and bias.
 Information should consist of what may be collected using reasonable efforts subject
to such inherent limitations as the cost-benefit constraint.
 Reliability is the measure of the quality of evidence.
AUDIT EVIDENCE
 Attributes of audit evidence (continued):
 Generalizations about the reliability of audit evidence:
 Audit evidence is more reliable when it is obtained from independent sources outside the
entity.
 Audit evidence that is generated internally is more reliable when the related controls imposed
by the entity are effective.
 Audit evidence obtained directly by the auditor (for example, observation of the application of
a control) is more reliable than audit evidence obtained indirectly by inference (for example,
inquiry about the application of a control).
 Audit evidence is more reliable when it exists in documentary form, whether paper, electronic,
or other medium (for example, a contemporaneously written record of a meeting is more
reliable than a subsequent oral representation of the matters discussed).
 Audit evidence provided by original documents is more reliable than audit evidence provided
by photocopies or facsimiles.
AUDIT EVIDENCE
 Attributes of audit evidence (continued):
 Relevant information supports engagement observations and recommendations and
is consistent with the objectives for the engagement.
 The definition of relevance emphasizes the need for work to be restricted to
achieving objectives. However, information also should be gathered on all matters
within the engagement scope.
 Relevant information has a logical relationship to what it is offered to prove. For
example, vouching journal entries to the original documents does not support the
completeness assertion about reported transactions. Instead, tracing transactions to
the accounting records provides relevant information.
 Relevance is the measure of the pertinence of the evidence.
AUDIT EVIDENCE
 Attributes of audit evidence (continued):
 Useful information helps the organization meet its goals.
 Information is useful when it helps the organization meet its objectives.
 The organization’s ultimate objective is to create value for its owners, other
stakeholders, customers, and clients. Accordingly, this characteristic of information
is consistent with the definition of internal auditing. It should add value, improve
operations, and help an organization achieve its objectives.
 Furthermore, the identification of information that is useful to the organization is the
ultimate justification for the existence of an internal audit activity.
AUDIT EVIDENCE
 Forms of audit evidence:
 Physical evidence – consists of the internal auditor’s direct observation and inspection
of people, property, or activities (e.g. counting of inventory)
 Testimonial evidence – consists of written or spoken statements of client personnel
and others in response to inquiries or interview questions.
 Such evidence may give important indications about the direction of engagement
work.
 Testimonial evidence may not be conclusive and should be supported by other
forms of information when possible.
AUDIT EVIDENCE
 Forms of audit evidence (continued):
 Documentary evidence – exists in some permanent form, such as checks, invoices,
shipping records, receiving reports, and purchase orders.
 It is the most common type of evidence gathered by internal auditors.
 Documentary evidence may be internal or external:
 Examples of external evidence are replies to confirmation requests, invoices from
suppliers, and public information held by a governmental body, such as real estate
records.
 Examples of internal information include accounting records, receiving reports,
purchase orders, depreciation schedules and maintenance records
AUDIT EVIDENCE
 Forms of audit evidence (continued):
 Analytical evidence – is drawn from the consideration of the interrelationships among
data or, in the case of internal control, the particular policies and procedures of which
it is composed.
 Analysis produces circumstantial information in the form of inferences or
conclusions based on examining the components as a whole for consistencies,
inconsistencies, cause-and-effect relationships, relevant and irrelevant items, etc.
AUDIT EVIDENCE
 Levels of persuasiveness of evidence:
 An auditor’s physical examination provides the most persuasive form of evidence.
 Direct observation by the auditor is the next most persuasive. The lack of precise
measurement is a weakness.
 Information originating from a third party is less persuasive than information gathered
by the auditor but more persuasive than information originating from the client.
 Information originating with the client can be somewhat persuasive in documentary
form, especially if it is subject to effective internal control. But client oral testimony is
the least persuasive of all.
AUDIT DOCUMENTATION
 Functions of the working papers
 Form, content and extent of audit documentation
 Guidelines for the preparation of working papers
 Ownership and confidentiality of working papers
AUDIT DOCUMENTATION
 The sufficient and appropriate evidence required by the professional standards must be
clearly documented in the auditor’s working papers.
 Working papers are records kept by the auditor that document the audit procedures
applied, information obtained, and conclusions reached.
 The Standards require the auditor to document matters that are important to support
an opinion and to support the representation that the audit was conducted in accordance
with the Standards.
 “If it’s not documented, it’s not done.”
AUDIT DOCUMENTATION
 Functions of the working papers:
 Provide the principal support for the engagement communications
 Aid in planning, performance, review and supervision of engagements
 Document whether the engagement objectives were achieved
 Facilitate third party reviews
 Provide a basis for evaluating the internal audit activity’s quality program
 Provide support in circumstances such as insurance claims, fraud cases, and lawsuits
 Aid in the professional development of the internal audit staff
 Demonstrate the internal audit activity’s compliance with the International Standards
for the Professional Practice of Internal Auditing
AUDIT DOCUMENTATION
 Form, content and extent of audit documentation
 The CAE must develop retention requirements for engagement records, regardless of the medium in which each record is
stored.
 It is neither necessary nor practicable to document every matter the auditor considers during the audit. In deciding on the
form, content and extent of audit documentation, the auditor should consider what would enable an experienced auditor,
having no previous connection with the audit, to understand:
 The nature, timing and extent of the audit procedures performed.
 The results of audit procedures and the audit evidence obtained.
 Significant matters arising during the audit and the conclusions reached thereon.
 The form, content and extent of audit documentation depend on factors such as:
 The size and complexity of the entity
 The nature of the audit procedures to be performed
 The identified risks of material misstatement
 The significance of audit evidence obtained
 The nature and extent of exceptions noted
 The audit methodology and tools used
AUDIT DOCUMENTATION
 Guidelines for the preparation of working papers:
 Working papers should be properly organized to facilitate their review.
 The following techniques may be used by the auditor when preparing working papers:
 A statement of purpose or objectives of the working papers.
 List of procedures to be performed, including the evidence of the application of the audit program
 The results of the audit, including the conclusions reached.
 Heading. Each working paper must be properly identified with such information as the name of the
client, type of working paper, a description of its content, and the date or period covered by the
examination.
 Indexing. Indexing refers to the use of lettering or numbering system. Each working paper must be
indexed to aid in cross-referencing essential information.
 Cross-indexing/ cross-referencing. Cross referencing is important to provide a trail useful to
supervisors in reviewing their working papers.
 Tick marks. Working papers must include symbols that describe the audit procedures performed.
AUDIT DOCUMENTATION
 Ownership and confidentiality of the working papers
 Working papers are the property of the auditor and the client has no right to the
working papers prepared by the auditor.
 The Code of Ethics requires the internal auditor to respect the confidentiality of
information obtained during the course of performing assurance engagements. Even
so, the duty of confidentiality may be overridden by the statute of law.
 The auditor can disclose confidential information without violating the Code of Ethics
under the following circumstances:
 When disclosure is required by law or when the working papers are subpoenaed by
a court.
 When there is a professional right to disclose information such as when the auditor
uses his working papers to defend himself when sued by the client for negligence.
AUDIT SAMPLING
 Basic audit sampling concepts
 Uncertainty and audit sampling
 General approaches to audit sampling
 Audit sampling plans
 Sample selection methods
 Factors affecting the determination of sample size
 Summary of basic steps when using audit sampling techniques
AUDIT SAMPLING
 Basic audit sampling concepts:
 Audit sampling – the application of audit procedures in less than 100% of the items within
a population of audit relevance such that all sampling units have a chance of selection in
order to provide the auditor with a reasonable basis on which to draw conclusions about
the entire population.
 Auditors usually draw conclusions about the account balance or transaction class by
examining only a sample of evidence.
 Representative sample – one that will result in conclusions that, subject to the limitations
of sampling risk, are similar to those that would have been drawn if the same procedures
were applied to the entire population.
 Audit sampling is performed on the assumption that the sample selected for testing is
representative of the population.
 Not all testing procedures performed by auditors involve audit sampling. For example, the
auditor may decide that it would be more appropriate to examine the entire population
(100% examination) of items that make up an account balance since the population
constitutes a small number of large value items.
AUDIT SAMPLING
 Uncertainty and audit sampling
 Non-sampling risk – refers to the risk that the auditor may draw incorrect conclusions
about the account balance or class of transactions due to the following:
 The failure to select appropriate audit procedures
 The failure to recognize misstatements in documents examined
 Misinterpreting the results of audit tests
 Non-sampling risk includes all aspects of audit risk that are not due to sampling.
 Sampling risk – refers to the possibility that the auditor’s conclusion, based on a
sample may be different from the conclusion reached if the entire population were
subjected to the same audit procedures.
 Sampling risk exists because the sample selected for testing may not be truly
representative of the population.
AUDIT SAMPLING
 Uncertainty and audit sampling (continued):
 Types of sampling risk:
 Alpha risk (Type I error) is the risk that the auditor will conclude,
 In the case of tests of control, that internal control is not reliable when in fact it is
effective and can be relied upon (risk of underreliance or risk of assessing control
risk too high); or
 In the case of substantive test, that material misstatement exists in an account
balance or transaction class when in fact such misstatement does not exist
(risk of incorrect rejection).
 This type of sampling risk results in an auditor performing audit procedures more
than what is necessary, thus affecting audit efficiency.
AUDIT SAMPLING
 Uncertainty and audit sampling (continued):
 Types of sampling risk:
 Beta risk (Type II error) is the risk that the auditor will conclude,
 In the case of tests of control, that internal control is reliable when in fact it is not
effective and cannot be relied upon (risk of overreliance or risk of assessing control
risk too low); or
 In the case of substantive test, that material misstatement does not exist in an
account balance or transaction class when in fact such misstatement does exist
(risk of incorrect acceptance).
 This type of sampling risk results in an auditor performing audit procedures less
than what is necessary, thereby affecting the auditor’s ability to detect material
misstatements in the financial statements. Hence, beta risk affects the audit
effectiveness.
AUDIT SAMPLING
 Uncertainty and audit sampling (continued):
 Sampling risk for test of controls illustrated

The test of controls sample indicates: | True operating effectiveness of the controls is adequate for planned assessed level of control risk | True operating effectiveness of the controls is inadequate for planned assessed level of control risk
Extent of operating effectiveness is adequate | Correct decision | Incorrect decision (risk of assessing control risk too low)
Extent of operating effectiveness is inadequate | Incorrect decision (risk of assessing control risk too high) | Correct decision
AUDIT SAMPLING
 Uncertainty and audit sampling (continued):
 Sampling risk for substantive tests illustrated

The substantive test sample indicates: | The population actually is not materially misstated | The population actually is materially misstated
The population is not materially misstated | Correct decision | Incorrect decision (risk of incorrect acceptance)
The population is materially misstated | Incorrect decision (risk of incorrect rejection) | Correct decision
AUDIT SAMPLING
 General approaches to audit sampling:
 Non-statistical sampling is a sampling approach that purely uses the auditor’s judgment in
estimating sampling risks, determining sample size, and evaluating sample results.
 Statistical sampling is a sampling approach that uses random-based selection of the sample
and uses the laws of probability to measure sampling risk and evaluate sample results.
 Both sampling approaches are acceptable and will require the use of auditor’s judgment in
planning, executing the sampling plan, and evaluating the results of the sample.
 The only difference between the two methods is that statistical sampling allows the auditor
to measure or quantify sampling risk by using a mathematical formula.
 Statistical sampling helps the auditor to design an efficient sample, measure the
sufficiency of evidence obtained; and objectively evaluate sample results.
 However, these benefits cannot be obtained without additional costs of training audit staff,
designing sampling plans, and selecting items for examination.
AUDIT SAMPLING
 Audit sampling plans
 Attribute sampling
 This is a sampling plan used to estimate the frequency of occurrence of a certain
characteristic in a population (occurrence rate).
 It is generally used when performing tests of controls to estimate the rate of
deviations from prescribed internal control policies.
 Variable sampling
 Sampling for variables is a sampling plan used to estimate a numerical
measurement of a population such as peso value.
 It is generally used in performing substantive tests to estimate the amount of
misstatements in the financial statements.
AUDIT SAMPLING
 Sample selection methods
 Random number sampling. Every sampling unit has the same probability of being
selected, and every combination of sampling units of equal size has the same
probability of being selected. Random numbers can be generated using a random
number table or a computer program. (TOC)
 Systematic sampling. Every nth (population size/sample size) item is selected after a
random start. When a random starting point is used, this method provides every
sampling unit in the population an equal chance of being selected. If the population is
arranged randomly, systematic selection is essentially the same as random number
selection. (TOC)
 Haphazard sampling. A sample consisting of units selected without any conscious
bias, that is, without any special reason for including or omitting items from the sample.
Haphazard sampling is not used for statistical sampling because it does not allow the
auditor to measure the probability of selecting a given combination of sampling units.
(TOC).
AUDIT SAMPLING
 Sample selection methods (continued):
 Block sampling. A sample consisting of contiguous units. (TOC)
 Sequential (stop-or-go) sampling. A sampling plan for which the sample is selected in
several steps, with the need to perform each step conditional on the results of the
previous steps. That is, the results may either be so poor as to indicate that the
control may not be relied upon, or so good as to justify reliance at each step. (TOC)
 Discovery sampling. A procedure for determining the sample size required to have a
stipulated probability of observing at least one occurrence when the expected
population deviation rate is at a designated level. It is most appropriate when the
expected deviation rate is zero or near zero. If a deviation is detected, the auditor
must either (1) use an alternate approach, or (2) if the deviation is of sufficient
importance, audit all transactions. (TOC)
AUDIT SAMPLING
 Sample selection methods (continued):
 Stratified sampling. Breaks down the population into subpopulations and applies
different selections to each subpopulation. (ST)
 Probability-Proportional-to-Size (PPS) sampling. A variables sampling procedure that
uses attributes theory to express a conclusion in monetary amounts. The probability of
an item to be selected, in this method of selection, is directly proportional to the
monetary value of such item. (ST)
 Classical variables sampling. Uses the normal distribution theory to evaluate selected
characteristics of a population on the basis of a sample of the items constituting the
population. (ST)
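A worked illustration of three of the selection methods above (systematic, PPS, and discovery sampling), added here as an example and not taken from the original slides. The function names and the ledger data are hypothetical; PPS is implemented with the common systematic monetary-unit approach, and the discovery sample size assumes a large population (binomial approximation).

```python
import math
import random
from bisect import bisect_right
from itertools import accumulate

# Constructed sample ledger: (document id, recorded amount in whole pesos).
LEDGER = [
    ("INV-001", 100), ("INV-002", 250), ("INV-003", 50), ("INV-004", 5000),
    ("INV-005", 300), ("INV-006", 75), ("INV-007", 1200), ("INV-008", 25),
]


def systematic_selection(units, sample_size, rng):
    """Select every nth unit (n = population size // sample size) after a random start."""
    if not 0 < sample_size <= len(units):
        raise ValueError("sample_size must be between 1 and the population size")
    interval = len(units) // sample_size
    start = rng.randrange(interval)  # random start inside the first interval
    return [units[start + k * interval] for k in range(sample_size)]


def pps_selection(items, sample_size, rng):
    """Probability-proportional-to-size selection over (id, amount) pairs.

    Each peso is a sampling unit. A peso is picked every `interval` pesos after
    a random start, and the item containing that peso is selected, so an item's
    chance of selection is proportional to its recorded amount. Any item at
    least as large as the interval is always selected.
    """
    amounts = [amount for _, amount in items]
    if sample_size <= 0 or any(a <= 0 for a in amounts):
        raise ValueError("sample_size and all amounts must be positive")
    cumulative = list(accumulate(amounts))
    interval = cumulative[-1] / sample_size
    start = rng.random() * interval  # in [0, interval)
    selected = []
    for k in range(sample_size):
        point = start + k * interval
        # Item i covers the pesos in [cumulative[i-1], cumulative[i]).
        idx = min(bisect_right(cumulative, point), len(items) - 1)
        if items[idx][0] not in selected:  # a large item can be hit more than once
            selected.append(items[idx][0])
    return selected


def discovery_sample_size(critical_rate, confidence):
    """Smallest n with P(at least one deviation in the sample) >= confidence.

    Assumes a large population, so each draw finds a deviation with
    probability `critical_rate`: 1 - (1 - rate)^n >= confidence.
    """
    if not (0 < critical_rate < 1 and 0 < confidence < 1):
        raise ValueError("critical_rate and confidence must be between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed so the selection can be reperformed
    vouchers = list(range(1, 1001))  # constructed population of 1,000 voucher numbers
    print("Systematic:", systematic_selection(vouchers, 10, rng))
    print("PPS:", pps_selection(LEDGER, 5, rng))
    print("Discovery n (1% rate, 95%):", discovery_sample_size(0.01, 0.95))
```

Recording the seed and the random start in the working papers lets a reviewer reperform the selection exactly.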
AUDIT SAMPLING
 Factors affecting the determination of sample size:
Test of Controls | Substantive Test
Acceptable sampling risk. There is an inverse relationship between the sampling risk and sample size. | Acceptable sampling risk. There is an inverse relationship between the sampling risk and sample size.
Tolerable deviation rate. The maximum rate of deviations the auditor is willing to accept, without modifying the planned degree of reliance on the internal control | Tolerable misstatement (error). The maximum amount of misstatement the auditor will permit in the population and still be willing to conclude that the account balance is fairly stated.
Expected population deviation rate. An estimate of the deviation rate in the entire population. | Expected misstatement (error). The amount of misstatement that the auditor believes to exist in the population
(none) | Variation in the population. Increases in variation (standard deviation in classical sampling) result in increases in sample size.
AUDIT SAMPLING
 Summary of relationships to sample size:
Attributes sampling: increases in | Effect on sample size | Variables sampling: increases in | Effect on sample size
Acceptable sampling risk | Decrease | Acceptable sampling risk | Decrease
Tolerable deviation rate | Decrease | Tolerable misstatement (error) | Decrease
Expected population deviation rate | Increase | Expected misstatement (error) | Increase
Population | Increase (slightly for large samples) | Population | Increase
(none) | (none) | Variation (standard deviation) | Increase
AUDIT SAMPLING
 Summary of basic steps when using audit sampling techniques:

Steps | Tests of controls | Substantive tests
1. Define the objective of the test. | Specify the control procedures to be performed. | Specify the purpose of the test and its relationship to the financial statement assertions.
2. Determine the procedures to be performed. | Determine the appropriate audit procedures to be performed to satisfy the objective. Define the population and the conditions that constitute a deviation. | Determine the appropriate audit procedures to be performed to satisfy the objective. Define the population and its characteristics.
AUDIT SAMPLING
 Summary of basic steps when using audit sampling techniques (continued):

Steps | Tests of controls | Substantive tests
3. Determine the sample size | Consider the effects of the following factors in determining the sample size: acceptable sampling risk (Inverse); tolerable deviation rate (Inverse); expected population deviation rate (Direct) | Consider the effects of the following factors in determining the sample size: acceptable sampling risk (Inverse); tolerable misstatement (Inverse); expected misstatement (Direct); population variation (Direct)
AUDIT SAMPLING
 Summary of basic steps when using audit sampling techniques (continued):

Steps | Tests of controls | Substantive tests
4. Select the sample. | Use any one of the following techniques: random number selection; systematic selection; haphazard selection (applies only to non-statistical sampling) | Use any one of the following techniques, and stratify the population, when appropriate: random number selection; systematic selection; haphazard selection (applies only to non-statistical sampling); value weighted selection (PPS)
AUDIT SAMPLING
 Summary of basic steps when using audit sampling techniques (continued):

Steps | Tests of controls | Substantive tests
5. Apply the audit procedures. | Apply the audit procedures to the sample items. | Apply the audit procedures to the sample items.
6. Evaluate the sample results. | Decide whether the results supported the planned degree of reliance on internal control. | Decide whether to accept account balance as fairly stated or to require further actions.
END
