Anda di halaman 1dari 412

NPOT09

SELFSTUDY CONTINUING PROFESSIONAL EDUCATION

Companion to PPC's Guide to

Audits of Nonprofit
Organizations

Fort Worth, Texas


(800) 3238724
trainingcpe.thomson.com

NPOT09

Copyright 2009 Thomson Reuters/PPC


All Rights Reserved

This material, or parts thereof, may not be reproduced in another document or manuscript
in any form without the permission of the publisher.

This publication is designed to provide accurate and authoritative information in regard to the subject
matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal,
accounting, or other professional service. If legal advice or other expert assistance is required, the
services of a competent professional person should be sought. From a Declaration of Principles
jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and
Associations.
The following are registered trademarks filed with the United States Patent and Trademark Office:
PPC's Checkpoint Tools
PPC's Practice Aids
PPC's Workpapers
PPC's Engagement Letter Generator
PPC's Interactive Disclosure Libraries
PPC's SMART Practice Aids
Practitioners Publishing Company is registered with the National
Association of State Boards of Accountancy (NASBA) as a sponsor of
continuing professional education on the National Registry of CPE
Sponsors. State boards of accountancy have final authority on the
acceptance of individual courses for CPE credit. Complaints regarding
registered sponsors may be addressed to the National Registry of CPE
Sponsors, 150 Fourth Avenue North, Suite 700, Nashville, TN
372192417. Website: www.nasba.org.
Practitioners Publishing Company is registered with the National
Association of State Boards of Accountancy (NASBA) as a sponsor of
continuing professional education on the National Registry of CPE
Sponsors. State boards of accountancy have final authority on the
acceptance of individual courses for CPE credit. Complaints regarding
registered sponsors may be addressed to the National Registry of CPE
Sponsors, 150 Fourth Avenue North, Suite 700, Nashville, TN
372192417. Website: www.nasba.org.
Registration Numbers
New Jersey
20CE00206800 (CE 2068)
New York
001076
NASBA Registry
103166
NASBA QAS
006

ii

NPOT09

Interactive Selfstudy CPE


Companion to PPC's Guide to
Audits of Nonprofit Organizations
TABLE OF CONTENTS
Page
COURSE 1: RISK ASSESSMENT PROCEDURES AND PLANNING FOR NONPROFIT AUDITS
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Lesson 1:

Risk Assessment Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Lesson 2:

Planning the Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

59

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

140

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

141

COURSE 2: SUBSTANTIVE PROCEDURES AND SAMPLING


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

143

Lesson 1:

Substantive Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

145

Lesson 2:

Audit Sampling in a Nonprofit Organization Audit Engagement . . . . . . . . . . . . . . . . . . .

197

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

255

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

259

COURSE 3: SPECIAL ACCOUNTING AND AUDITING CONSIDERATIONS


FOR NONPROFIT ORGANIZATIONS
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

261

Lesson 1:

Cash, Investments, and Contributions in the Nonprofit Environment . . . . . . . . . . . . . .

263

Lesson 2:

Other Activities Related to Nonprofits and Their Financials . . . . . . . . . . . . . . . . . . . . . . .

327

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

390

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

391

iii

NPOT09

To enhance your learning experience, the examination questions are located throughout
the course reading materials. Please look for the exam questions following each lesson.
ANSWER SHEETS AND EVALUATIONS
Course 1: Examination for CPE Credit Answer Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Course 1: Selfstudy Course Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Course 2: Examination for CPE Credit Answer Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Course 2: Selfstudy Course Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Course 3: Examination for CPE Credit Answer Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Course 3: Selfstudy Course Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

iv

397
398
401
402
405
406

NPOT09

INTRODUCTION
Audits of Nonprofit Organizations consists of three interactive selfstudy CPE course. These are companion
courses to PPC's Guide to Audits of Nonprofit Organizations designed by our editors to enhance your
understanding of the latest issues in the field. To obtain credit, you must complete the learning process by logging
on to our Online Grading System at OnlineGrading.Thomson.com or by mailing or faxing your completed
Examination for CPE Credit Answer Sheet for print grading by March 31, 2010. Complete instructions are
included below and in the Test Instructions preceding the Examination for CPE Credit Answer Sheet.
Taking the Courses
Each course is divided into lessons. Each lesson addresses an aspect of auditing nonprofit organizations. You are
asked to read the material and, during the course, to test your comprehension of each of the learning objectives by
answering selfstudy quiz questions. After completing each quiz, you can evaluate your progress by comparing
your answers to both the correct and incorrect answers and the reason for each. References are also cited so you
can go back to the text where the topic is discussed in detail. Once you are satisfied that you understand the
material, answer the examination questions which follow each lesson. You may either record your answer
choices on the printed Examination for CPE Credit Answer Sheet or by logging on to our Online Grading System.
Qualifying Credit Hours QAS or Registry
PPC is registered with the National Association of State Boards of Accountancy as a sponsor of continuing
professional education on the National Registry of CPE Sponsors (Registry) and as a Quality Assurance Service
(QAS) sponsor. Part of the requirements for both Registry and QAS membership include conforming to the
Statement on Standards of Continuing Professional Education (CPE) Programs (the standards). The standards were
developed jointly by NASBA and the AICPA. As of this date, not all boards of public accountancy have adopted the
standards. Each course is designed to comply with the standards. For states adopting the standards, recognizing
QAS hours or Registry hours, credit hours are measured in 50minute contact hours. Some states, however, require
100minute contact hours for self study. Your state licensing board has final authority on accepting Registry hours,
QAS hours, or hours under the standards. Check with the state board of accountancy in the state in which you are
licensed to determine if they participate in the QAS program or have adopted the standards and allow QAS CPE
credit hours. Alternatively, you may visit the NASBA website at www.nasba.org for a listing of states that accept
QAS hours or have adopted the standards. Credit hours for CPE courses vary in length. Credit hours for each
course are listed on the Overview" page before each course.
CPE requirements are established by each state. You should check with your state board of accountancy to
determine the acceptability of this course. We have been informed by the North Carolina State Board of Certified
Public Accountant Examiners and the Mississippi State Board of Public Accountancy that they will not allow credit
for courses included in books or periodicals.
Obtaining CPE Credit
Online Grading. Log onto our Online Grading Center at OnlineGrading.Thomson.com to receive instant CPE
credit. Click the purchase link and a list of exams will appear. You may search for the exam using wildcards.
Payment for the exam is accepted over a secure site using your credit card. For further instructions regarding the
Online Grading Center, please refer to the Test Instructions preceding the Examination for CPE Credit Answer
Sheet. A certificate documenting the CPE credits will be issued for each examination score of 70% or higher.
Print Grading. You can receive CPE credit by mailing or faxing your completed Examination for CPE Credit Answer
Sheet to the Tax & Accounting business of Thomson Reuters for grading. Answer sheets are located at the end of
all course materials. Answer sheets may be printed from electronic products. The answer sheet is identified with the
course acronym. Please ensure you use the correct answer sheet for each course. Payment of $75 (by check or
credit card) must accompany each answer sheet submitted. We cannot process answer sheets that do not include
payment. Please take a few minutes to complete the Course Evaluation so that we can provide you with the best
possible CPE.
v

NPOT09

You may fax your completed Examination for CPE Credit Answer Sheet to the Tax & Accounting business of
Thomson Reuters at (817) 2524021, along with your credit card information.
If more than one person wants to complete this selfstudy course, each person should complete a separate
Examination for CPE Credit Answer Sheet. Payment of $75 must accompany each answer sheet submitted. We
would also appreciate a separate Course Evaluation from each person who completes an examination.
Express Grading. An express grading service is available for an additional $24.95 per examination. Course
results will be faxed to you by 5 p.m. CST of the business day following receipt of your Examination for CPE Credit
Answer Sheet. Expedited grading requests will be accepted by fax only if accompanied with credit card
information. Please fax express grading to the Tax & Accounting business of Thomson Reuters at (817) 2524021.
Retaining CPE Records
For all scores of 70% or higher, you will receive a Certificate of Completion. You should retain it and a copy of these
materials for at least five years.
PPC InHouse Training
A number of inhouse training classes are available that provide up to eight hours of CPE credit. Please call our
Sales Department at (800) 3238724 for more information.

vi

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

COMPANION TO PPC'S GUIDE TO AUDITS OF NONPROFIT ORGANIZATIONS

COURSE 1
Risk Assessment Procedures and Planning for Nonprofit Audits (NPOTG091)
OVERVIEW
COURSE DESCRIPTION:

Continuing audit engagements for nonprofit organizations require the auditor to


consider a number of factors. For instance, how much does the auditor understand
about the client entity and its environment? How strong are the entity's internal
controls? What role does IT play concerning the entity's financial data and its
integrity? How much audit risk is acceptable? What is the auditor's responsibility for
detecting fraud during the audit? Fortunately for the auditor, some guidance is
available. This course will discuss that guidance and aspects of the nonprofit audit
from a general planning perspective.

PUBLICATION/REVISION
DATE:

February 2009

RECOMMENDED FOR:

Users of PPC's Guide to Audits of Nonprofit Organizations

PREREQUISITE/ADVANCE
PREPARATION:

Basic knowledge of auditing.

CPE CREDIT:

8 QAS Hours, 8 Registry Hours


Check with the state board of accountancy in the state in which you are licensed to
determine if they participate in the QAS program and allow QAS CPE credit hours.
This course is based on one CPE credit for each 50 minutes of study time in
accordance with standards issued by NASBA. Note that some states require
100minute contact hours for self study. You may also visit the NASBA website at
www.nasba.org for a listing of states that accept QAS hours.

FIELD OF STUDY:

Auditing

EXPIRATION DATE:

Postmark by March 31, 2010

KNOWLEDGE LEVEL:

Basic

Learning Objectives:
Lesson 1 Risk Assessment Procedures
Completion of this lesson will enable you to:
 Examine, in general terms, authoritative literature, and various issues related to risk assessment and audit
planning;
 Outline the types of risk assessment procedures, describe issues concerning audit inquiries, explain
preliminary analytical procedures to be performed, and discuss other issues related to the risk assessment and
planning process; and
 Discuss risk assessment and other issues related to gaining an understanding of the entity under audit.
Lesson 2 Planning the Audit
Completion of this lesson will enable you to:
 Examine the various elements and issues concerning internal control including the basic components, the
effect of IT, the control environment, risk assessment, etc.;
 Describe setting materiality benchmarks, assessing risk of misstatement at the financial statement level, and
establishing overall audit strategy;
 Explain the types of misstatements related to fraud, discuss the auditor's responsibility for fraud detection and
the fraud risk assessment process, etc.; and
1

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Examine various issues concerning substantive procedures including transaction testing, establishing fiscal
cutoffs, etc., summarize general planning procedures, and summarize miscellaneous issues related to
performing the audit, including estimating and managing time.
TO COMPLETE THIS LEARNING PROCESS:
Send your completed Examination for CPE Credit Answer Sheet, Course Evaluation, and payment to:
Thomson Reuters
Tax & Accounting R&G
NPOTG091 Selfstudy CPE
P.O. Box 966
Fort Worth, TX 76101
See the test instructions included with the course materials for more information.
ADMINISTRATIVE POLICIES:
For information regarding refunds and complaint resolutions, dial (800) 3238724 for Customer Service and your
questions or concerns will be promptly addressed.

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Lesson 1: RISK ASSESSMENT PROCEDURES


INTRODUCTION
This lesson explains the start of an annual audit in a continuing engagement for a nonprofit organization. The same
suggested approach should be used for a new engagement, with some modification.
The focus of this lesson is general planning decisions. General or preliminary planning should be distinguished
from detailed planning of audit programs. Preliminary planning includes deciding on an overall strategy for the
audit; obtaining an understanding of the entity and its environment, including its internal control; making an initial
assessment of audit risk and materiality; and deciding on the overall timing of the engagement.
Learning Objectives
Completion of this lesson will enable you to:
 Examine, in general terms, authoritative literature, and various issues related to risk assessment and audit
planning;
 Outline the types of risk assessment procedures, describe issues concerning audit inquiries, explain
preliminary analytical procedures to be performed, and discuss other issues related to the risk assessment and
planning process; and
 Discuss risk assessment and other issues related to gaining an understanding of the entity under audit.
Authoritative Literature
The following standards establish key requirements and provide guidance that affect preliminary audit planning as
follows:
a. SAS No. 107 (AU 312), Audit Risk and Materiality in Conducting an Audit, requires auditors to consider audit
risk and determine and document materiality for the financial statements as a whole, as well as tolerable
misstatement, when planning the audit.
b. SAS No. 108 (AU 311), Planning and Supervision, addresses planning the audit, including topics such as
establishing an overall audit strategy, developing the audit plan, determining the extent of involvement of
professionals with specialized skills, supervision of assistants, communication with management and
those charged with governance, and considerations in initial audits.
c. SAS No. 109 (AU 314), Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement, establishes the level of understanding of the entity and its environment, including its internal
control, the auditor should obtain for preliminary planning purposes. That standard also addresses risk
assessment procedures and assessing the risks of material misstatement.
d. SAS No. 110 (AU 318), Performing Audit Procedures in Response to Assessed Risks and Evaluating the
Audit Evidence Obtained, explains the requirements for establishing the nature, timing, and extent of further
audit procedures (both tests of controls and substantive procedures) in response to the assessed risks of
material misstatement. For example, the standard explains factors that affect decisions to test controls or
apply substantive procedures before the statement of financial position date.
In addition, aspects of the following standards also affect audit planning:
a. SAS No. 54 (AU 317), Illegal Acts by Clients, indicates that the auditor's responsibility for detecting
misstatements resulting from illegal acts having a direct and material effect on the determination of financial
statement amounts is the same as that for other errors and fraud. For other illegal acts, the auditor, in
conducting the audit, remains aware of their possibility but does not design the audit specifically to detect
them.
b. SAS No. 56 (AU 329), Analytical Procedures, requires the auditor to apply analytical procedures during the
planning stage (and the overall review stage) of the audit.
3

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

c. SAS No. 65 (AU 322), The Auditor's Consideration of the Internal Audit Function in an Audit of Financial
Statements, provides guidance on considering the work of internal auditors and on using internal auditors
to provide direct assistance to the auditor.
d. SAS No. 70 (AU 324), Service Organizations, provides guidance on obtaining an understanding of internal
control of a client that uses a service organization.
e. SAS No. 73 (AU 336), Using the Work of a Specialist, provides guidance when the auditor plans to use the
work of a specialist hired by the client or the auditor. It does not apply to a specialist employed by the
auditor's firm who participates in the audit.
f. SAS No. 74 (AU 801), Compliance Auditing Considerations in Audits of Governmental Entities and
Recipients of Governmental Financial Assistance, requires the auditor to design the audit to provide
reasonable assurance that the financial statements are free of material misstatement resulting from
violations of laws and regulations that have a direct and material effect on the determination of financial
statement amounts.
g. SAS No. 99 (AU 316), Consideration of Fraud in a Financial Statement Audit, requires the auditor to identify
and assess risks of material misstatement due to fraud and to design the audit to provide reasonable
assurance of detecting fraud that results in the financial statements being materially misstated.
h. Government Auditing Standards (Yellow Book), issued by the Comptroller General of the United States,
establishes planning and other field work standards.
i. AICPA Audit Guide, Government Auditing Standards and Circular A133 Audits (GAS/A133 AICPA Audit
Guide), provides guidance on performing Yellow Book audits and Single Audits.
The AICPA Audit and Accounting Guide, NotforProfit Organizations, also provides guidance on audit planning.
These authoritative pronouncements are explained further at the relevant points in the following discussion.
Objectives of Audit Planning
The first standard of fieldwork states that the auditor must adequately plan the work and must properly supervise
any assistants" (AU 150.02). According to SAS No. 108 (AU 311.02), Planning and Supervision, audit planning
involves developing an overall audit strategy for the expected conduct, organization, and staffing of the audit."
Audit strategy is the auditor's operational approach to achieving the objectives of the audit. It is a highlevel
description of the audit scope. It includes matters such as identifying material locations and account balances,
identifying audit areas with a higher risk of material misstatement, the overall responses to those higher risks, and
the planned audit approach by area (for example, substantive procedures or a combined approach of substantive
procedures and tests of controls).
Auditors generally establish a preliminary audit strategy before performing extensive risk assessment procedures
based on knowledge from past experience with the client and the results of preliminary engagement activities. As
auditors gather additional information through the performance of risk assessment procedures, they complete the
overall audit strategy, including overall responses at the financial statement level.
An overriding objective throughout the planning process is the identification of risks that should be considered and
an assessment of whether the risks could result in material misstatement of the financial statements. According to
SAS No. 108, obtaining an understanding of the entity and its environment, including its internal control, is an
essential part of planning the audit. Auditors must plan the audit so that it is responsive to the assessment of the risk
of material misstatement based on the auditors' understanding of the entity and its environment, including its
internal control.
Audit planning also includes development of an audit plan (also called the audit program). The audit plan is more
detailed than the audit strategy and documents the nature, timing, and extent of procedures to be performed to
obtain sufficient appropriate audit evidence.
4

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

The nature, timing and extent of audit planning varies with the size and complexity of the entity and with the
auditor's understanding of the entity and its environment, including internal control. However, audit planning
always includes a risk assessment process.
The Risk Assessment Process
The risk assessment process involves performing procedures, obtaining an understanding of various matters
about the entity and its environment, and making decisions and judgments about assessed risks and other matters
based on the understanding.
Procedures Performed. Risk assessment procedures include inquiry; analytical procedures; inspection; and
observation as well as related planning activities and procedures, including preliminary engagement activities
related to client acceptance and continuance and holding a discussion among the engagement team. The auditor
is required to perform all of these procedures when planning the audit.
The auditor's consideration of fraud required by SAS No. 99, Consideration of Fraud in a Financial Statement Audit,
is not separate from the consideration of audit risk but is integrated into the overall risk assessment process. That
is, the assessment of risks due to error occurs simultaneously with the assessment of risks due to fraud.
Understanding Obtained. Risk assessment procedures are performed to obtain an understanding of the entity
and its environment, including its internal control. The auditor obtains information about the following:
a. Industry, regulatory, and other external factors.
b. Nature of the entity.
c. Objectives and strategies and the related operating risks that may result in a material misstatement of the
financial statements.
d. Measurement and review of the entity's financial performance.
e. Internal control, which includes the selection and application of accounting policies.
f. Fraud risk factors.
Decisions and Judgments Made. The information obtained by applying risk assessment procedures is used to
make the important decisions and judgments that are part of audit planning. These decisions and judgments
include determining materiality levels and assessing risks of material misstatement at the financial statement and
relevant assertion levels.
Summary of Risk Assessment Process. Exhibit 11 summarizes the various elements in the risk assessment
process in the categories of procedures performed, understanding obtained, and decisions and judgments made.

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 11
The Risk Assessment Process
Procedures Performed

Understanding Obtained

 Preliminary engagement
activities.
 Inquiries of management
and others.
 Preliminary analytical proce
dures.
 Observation and inspection.
 Discussion among the
engagement team.

 Industry, regulatory, and


other external factors.
 Nature of the entity.
 Objectives, strategies, and
related operating risks.
 Measurement and review of
the entity's financial perfor
mance.
 Internal control.
 Selection and application of
accounting policies.
 Fraud risk factors.

Decisions and Judgments Made


Decisions at the Financial State
ment Level:
 Materiality at the financial
statement level.
 Materiality for particular
items of lesser amounts.
 Risks of material misstate
ment at the financial state
ment level.
 Overall audit strategy.
Decisions at the Account Bal
ance, Transaction Class, and
Relevant Assertion Level:
 Tolerable misstatement.
 Risks of material misstate
ment at the relevant asser
tion level, including identifi
cation of significant risks.
 Nature, timing, and extent of
further audit procedures
(including tests of controls
and substantive proce
dures).

The Sequence of Audit Planning


Because an audit of financial statements is an iterative process, audit planning is not a discrete phase of the audit.
Audit planning continues throughout the audit even though many of the planning steps and procedures necessarily
are performed at the beginning of the audit process. Audit planning begins with engagement acceptance and
continues throughout the remainder of the audit. Also, many of the audit planning steps and procedures can be
performed simultaneously and tend to blend together. Nevertheless, having a logical sequence of steps and
procedures provides a useful framework. The suggested approach is presented in Exhibit 12.

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Exhibit 12
Steps in the Audit Process Related to Planning
Preliminary Engagement Activities
1. Perform procedures regarding acceptance or continuance of the client relationship and the specific audit
engagement.
2. Evaluate compliance with ethical requirements, including independence.
3. Establish an understanding with the client and communicate in an engagement letter.
General Audit Planning at the Financial Statement Level
4. Establish preliminary audit strategy.
5. Determine the nature, timing, and extent of risk assessment procedures and perform the procedures.
6. Determine the materiality level for the financial statements taken as a whole (preliminary planning materiality)
and materiality for particular items of lesser amounts.
7. Perform preliminary analytical procedures (a risk assessment procedure).
8. Hold a discussion among the engagement team.
9. Identify fraud risk factors, areas where special audit consideration may be necessary, and other areas where
there may be higher risks of material misstatement.
10. Assess audit risk at the overall financial statement level.
11. Complete the overall audit strategy, including overall responses at the financial statement level.
Detailed Audit Planning at the Relevant Assertion Level for Account Balances, Transaction Classes, and
Disclosures
12. Determine tolerable misstatement (often in conjunction with Step 6).
13. Assess audit risk in relation to relevant assertions for transactions classes, account balances, and disclosures.
14. Develop a detailed audit plan for the nature, timing, and extent of further audit procedures.

Depending on the auditor's knowledge and past experience with the client, as well as other factors, certain
planning steps might be performed at differing stages or sequences from one engagement to the next. For
example, the sixth step, determine the materiality level for the financial statements taken as a whole, and the twelfth
step, determine tolerable misstatement, are often performed concurrently. For the eighth step, the discussion
among the engagement team, the precise timing of this meeting can vary with the circumstances, but should occur
relatively early in planning, and it is not required to occur in any particular sequence.
In addition to a GAAS financial statement audit, many nonprofit organizations have a financial audit performed
under Government Auditing Standards and, possibly, a Single Audit. If this is the case, the audit will be subject to
several additional requirements, some of which affect planning and risk assessment activities.
Organization of This Lesson
This lesson focuses on those portions of the risk assessment process relating to general audit planning, the
performance of risk assessment procedures, and the determination of the overall audit strategy. Even though
7

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

tolerable misstatement is applied at the account balance and transaction class level rather than at the financial
statement level, it is also addressed in this lesson because it is often determined concurrently with planning
materiality.
The organization of this lesson is as follows:
 Risk assessment and other planning procedures.
 The understanding of the nonprofit entity and its environment (excluding internal control).
 The general requirements for obtaining an understanding of internal control and a suggested approach.
 Obtaining an understanding of entity-level controls, including the control environment, risk assessment,
information and communication (excluding the financial reporting system), and monitoring.
 Obtaining an understanding of activity-level controls, including the financial reporting system, IT
environment and general computer controls, and control activities.
 The planning decisions and judgments made by the auditor culminating in the overall audit strategy.
 The auditor's consideration of fraud and how it integrates with the overall risk assessment process.
 The auditor's consideration of whether to perform substantive procedures before the statement of financial
position date.
 General planning procedures and forms.
 Planning the audit time estimate and documenting the time spent performing the audit.

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
1. Which of the following statements is correct concerning audit strategy and audit planning?
a. Audit strategy is a theoretical approach to achieving audit objectives.
b. Preliminary audit strategy is established after risk assessment.
c. Risk assessment is a component of audit planning.
d. The audit strategy is also referred to as the audit plan.
2. Which of the following is part of the decisions made at the financial statement level through the risk assessment
process?
a. Overall audit strategy.
b. Objectives and related operating risks.
c. Selection of accounting policies.
d. Risks of material misstatement at the relevant assertion level.

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
1. Which of the following statements is correct concerning audit strategy and audit planning? (Page 4)
a. Audit strategy is a theoretical approach to achieving audit objectives. [This answer is incorrect. Audit
strategy is an auditor's operational approach to achieving audit objectives.]
b. Preliminary audit strategy is established after risk assessment. [This answer is incorrect. Preliminary audit
strategy is generally established before risk assessment procedures are performed.]
c. Risk assessment is a component of audit planning. [This answer is correct. Audit planning always
contains a risk assessment process.]
d. The audit strategy is also referred to as the audit plan. [This answer is incorrect. The audit plan is more
detailed than the audit strategy, documenting the procedures necessary to obtain sufficient audit
evidence.]
2. Which of the following is part of the decisions made at the financial statement level through the risk assessment
process? (Page 6)
a. Overall audit strategy. [This answer is correct. Developing the overall audit strategy is one of the
decisions made at the financial statement level via the risk assessment process.]
b. Objectives and related operating risks. [This answer is incorrect. Objectives, strategies, and related
operating risks are part of the understandings obtained through the risk assessment process.]
c. Selection of accounting policies. [This answer is incorrect. Selection and application of accounting policies
is an element of the understandings obtained through the risk assessment process.]
d. Risks of material misstatement at the relevant assertion level. [This answer is incorrect. The relevant
assertion level is a lower level than the financial statement level. At this level, the auditor is concerned with
account balances and transaction classifications.]

10

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

OTHER PLANNING PROCEDURES AND RISK ASSESSMENT


An overriding objective throughout the planning process is the consideration of risks that should be assessed and
whether they could result in material misstatement of the financial statements. SAS No. 106 (AU 326.21) clearly
indicates the role of the risk assessment procedures within this process as follows:
The auditor must perform risk assessment procedures to provide a satisfactory basis for the
assessment of risks at the financial statement and relevant assertion levels.
Obtaining an understanding of the entity and its environment, including its internal control, is an essential aspect of
the consideration of risk. Thus auditing standards refer to the audit procedures performed to obtain that under
standing as risk assessment procedures because the information obtained by performing those procedures is
used to support the auditor's assessment of the risk of material misstatement. Auditors normally consider the
effectiveness of various types of risk assessment procedures in identifying risks during the planning process. The
risk assessment standards encourage this by requiring the use of a variety of risk assessment procedures when
obtaining an understanding of the entity and its environment. For example, an auditor cannot limit his or her risk
assessment procedures to only inquiry.
In addition to obtaining information about the entity and its environment, including its internal control, the perfor
mance of risk assessment procedures may provide audit evidence about relevant assertions related to account
balances, transaction classes, or disclosures, or about the operating effectiveness of controls. Therefore, risk
assessment procedures may also serve as tests of controls or substantive procedures, or may be performed
concurrently with those procedures.
Types of Risk Assessment Procedures
The risk assessment and other planning procedures required by SAS Nos. 108 and 109 to obtain information about
the entity and its environment, including its internal control, and to assess the risks of material misstatement include
the following:
a. Preliminary engagement activities, including establishing an understanding with the client.
b. Inquiries of management and others.
c. Preliminary analytical procedures.
d. Observation and inspection, such as visits to the entity's premises and tracing transactions through the
information system (that is, walkthroughs).
e. Discussion among the engagement team.
Each of the procedures listed is explicitly required by the risk assessment standards and, except for item d, is also
explicitly enumerated in SAS No. 99, Consideration of Fraud in a Financial Statement Audit, as a source of
information that should be considered when identifying risks of material misstatement due to fraud. SAS No. 109
requires the auditor to perform the procedures specified in items bd when obtaining an understanding of the entity
and its environment. There is no requirement that each of those procedures be performed for every component of
the required level of understanding outlined in the second standard of field work. However, the standards are
explicit in indicating that inquiry alone is not sufficient to evaluate the design and implementation of internal control.
Therefore, observation and inspection will most likely be coupled with inquiry procedures when obtaining the
understanding of internal control.
Nature, Timing, and Extent General Considerations. The nature, timing, and extent of some risk assessment
procedures may be relatively consistent across audit engagements, but some procedures will require tailoring in
response to the information gathered. For example, in all audits the auditor will make inquires of management
responsible for financial reporting about accounting policies and other aspects of the financial reporting process,
inquiries of development personnel concerning restrictions or conditions on contributions, inquiries of program
11

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

directors about terms of government grants and contracts, and may make inquiries of legal counsel of restrictions
imposed by funding sources. However, determining others within the entity to whom related questions may be
directed will depend on the circumstances and the specific information gathered about the entity. Thus, perfor
mance of risk assessment procedures often can begin without extended consideration of their nature, timing, and
extent, but other aspects of the risk assessment procedures can only be determined after some information is
gathered about the entity and its environment.
Gathering Other Information Needed to Identify Fraud Risks. In connection with obtaining an understanding of
the nonprofit organization's environment, auditors may become aware of information that is relevant to identifying
fraud risks. In addition, auditors should perform the following procedures to obtain information that is used to
identify fraud risks:
 Inquire of management and others in the nonprofit organization about the risks of fraud and how they are
addressed.
 Consider the results of preliminary analytical procedures.
 Consider the existence of fraud risk factors.
 Consider certain other information such as identified inherent risks and information resulting from the
discussion among engagement team members, client acceptance and continuance procedures, and
reviews of interim financial statements.
Using the Results of Risk Assessment Procedures Performed in Prior Periods. Since professional standards
require the performance of risk assessment procedures to obtain an understanding of the entity and provide a
basis for the assessment of risks, can the auditor use information gathered from procedures performed in a prior
period and limit the extent of current year procedures? The answer is a qualified yes."
The process of understanding the nonprofit organization client's environment and culture is continual. For a new
engagement, a basic level of knowledge is needed to begin preliminary planning. However, a significant amount of
knowledge is gained during the audit. The auditor's previous experience with the entity also contributes to the
understanding of the entity and its environment. Audit procedures performed in previous audits ordinarily provide
useful audit evidence about the following:
 The entity's organizational structure, operations, and controls.
 Past misstatements and whether they were corrected on a timely basis.
Information about past misstatements assists the auditor in assessing risks of material misstatement in the current
audit. Before using information obtained in prior periods, however, the auditor should determine whether changes
have occurred that may affect its relevance in the current audit. According to SAS No. 109 (AU 314.11), The auditor
should make inquiries and perform other appropriate audit procedures, such as walkthroughs of systems, to
determine whether changes have occurred that may affect the relevance of such information." The typical nonprofit
organization is subject to rapid change, and the auditor should make an annual reassessment of whether changes
may be needed in audit strategy and approach. The auditor can update knowledge of the entity and its environ
ment through discussions with key client personnel, including operating personnel outside the accounting depart
ment combined with inspection of interim financial reports and budgets. The auditor is interested in identifying
changes in personnel; procedures; processes; contracts; funding sources; services; contingencies; facilities;
nature of the activities; management; financial condition; conditions and events or operating results that are
relevant to the going concern assumption; loan covenant compliance; litigation status; control environment or
activities; fraud risks; management attitude toward, or pressures on, the auditors; scope of the engagement; and
any other internal or external conditions that might be of audit significance. These changes may change the client's
activities risk or the auditor's assessment of risks of material misstatement. Therefore, the auditor should perform
some risk assessment procedures in the current audit to determine whether changes have occurred that affect the
relevance of information gathered in previous audits. For example, auditors might perform inquiries of client
management and key client personnel, including accounting personnel outside the accounting department or
other parties, supplemented by observation and inspection (for example, review of interim financial reports and
budgets and walkthroughs) to determine if changes have occurred.
12

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

As a result, although the nature of the auditor's procedures always includes inquiries, observation, and inspection,
it is believed the extent of risk assessment procedures will often be considerably less in continuing engagements
than in initial engagements, consisting primarily of sufficient procedures to identify and evaluate changes. The
extent of current period risk assessment procedures may need to be increased, however, in response to the
following:
 The information relates directly to a past misstatement or risk of material misstatement identified in the prior
year.
 Other information obtained through risk assessment procedures indicates a possible significant change
in the current year.
 There is a greater likelihood that significant changes will occur given the nature of the information.
Specialized Considerations for Nonprofit Organizations. During the process of identifying risks unique to
nonprofit organizations that could affect the financial statements, the auditor should consider questions such as the
following:
 If the nonprofit organization is a foundation, are there concerns about jeopardizing the foundation's
charitable purpose due to improper investments for tax purposes?
 Are bond rating agencies considering changing the nonprofit organization's bond rating?
 Has the organization received unfavorable publicity that could affect its revenue streams?
 Is a performing arts organization or museum having trouble filling its event calendar because of dwindling
funding?
 Have there been changes in the terms of the nonprofit organization's grants (for example, are the grants
suddenly for shorter terms or are the grants for programs that are being phased out)?
 Does the nonprofit organization face issues concerning students or employees with foreign visas?
 Have changes in the local economy or fundraising efforts by other nonprofit organizations affected the
client's ability to raise funds for its own activities?
 Does the nonprofit organization rely heavily on contributions from a single source and how likely is it that
the source will discontinue contributions (for example, a company will relocate and discontinue local
contributions or a philanthropist will die and no longer contribute annually)?
 Has the organization obtained any required indirect cost audits?
 Are financial reports prepared and distributed to large funding sources (in addition to government grants)
and do these reports agree to the audited financial statements? Are such reports prepared on a timely
basis?
Past experience with the client is one of the primary ways of identifying the risk of misstatement from error. For
example, does the nonprofit organization's fundraising or development department fail to properly communicate
new pledges or changes in multiyear or existing pledges to the accounting department so that contributions
receivable are not accurately recorded? Or are the contributions receivable only recorded at year end? Does the
organization expense fixed asset purchases during the year to numerous programs and then attempt to capitalize
those expenses at year end? Does the nonprofit organization maintain its daytoday accounting records on a fund
basis and convert the financial statements to net asset classes as required by GAAP only at year end? Often, when
a nonprofit organization does not follow GAAP during the year and attempts to record material correcting entries at
year end, there is an increased risk that the financial statements will be materially misstated.
The competence of accounting personnel and the quality of the accounting and financial reporting system are the
other primary sources of information on the risk of misstatement arising from error. Employee training and skills can
13

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

affect the effectiveness of internal control, particularly for smaller organizations. Accounting is sometimes seen as
less important than the organization's public service purposes. In some instances, limited resources may prevent
the organization from having a sufficient number of employees to permit an adequate segregation of duties. Also,
lower pay scales may result in the organization hiring accounting and bookkeeping personnel with limited account
ing education or experience. Similarly, rapid employee turnover can mean that replacements may not receive
adequate training.
The following paragraphs address the risk assessment procedures and their role in identifying and assessing risk.
Inquiries of Management and Others
Inquiry of management and others is used extensively throughout the audit planning process. In many cases, it
serves as a foundation for the performance of other risk assessment procedures in that the responses obtained
drive the need for additional or corroborating procedures. Inquiry consists of several elements posing a question
or requesting information on a matter, evaluating the response, and following up to obtain additional information as
needed. As such, inquiry can be an extremely effective procedure in identifying risks. For example, an auditor might
ask management about the level of cash contributions that the organization receives as compared to similar
organizations. The auditor would then evaluate the response obtained and determine if a potential risk exists. In this
case, the auditor is concerned about potential misappropriation of cash. If the auditor deems that there is an
indication of this risk, additional inquiries might be posed to further identify the risk and determine whether other
risk assessment procedures are necessary.
Although inquiry is a critical risk assessment procedure, inquiry cannot be used alone when identifying and
assessing risks. Professional standards require the use of inquiry, analytical procedures, and observation and
inspection during the risk assessment process. Furthermore, auditors are prohibited from only using inquiry when
evaluating the design and implementation of internal control.
Matters and Parties of Inquiry. The auditor should inquire of management about the following matters:
a. The aspects of the entity and its environment as enumerated in SAS No. 109 (AU 314.21).
b. The information about fraud, suspected fraud, fraudrelated programs and controls, and risks of fraud as
enumerated in SAS No. 99 (AU 316.20.21).
Examples of the members of management that auditors may consider interviewing include:
 The chief executive officer (president or executive director).
 The controller.
 The chief financial officer.
 Director of fundraising or development.
 Director of human resources.
 Director of information technology.
Some nonprofit organizations rely heavily on volunteers to help carry out the organization's mission, including
volunteer financial management, recordkeeping, or accounting services. In many cases, those volunteers function
like management or employees of the organization, and auditors should consider making the same inquiries of
them as those for management and employees. The terms employee and management in the following paragraphs
would also include volunteers performing employee or management functions.
The auditor might decide that inquiries of others within and outside the entity, in addition to management and those
responsible for financial reporting, would be useful. Examples of other inquiries that might be made include the
following:
a. Others Charged with Governance. Their involvement in the financial reporting process and how financial
statements are used. (SAS No. 99, AU 316.22, requires the auditor to inquire directly of the audit committee,
14

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

or at least its chair, about the risks of fraud and knowledge of fraud or suspected fraud.) If the organization
does not have an audit committee, inquiries should be made of individuals with a level of authority and
responsibility equivalent to an audit committee, such as the board of directors, board of trustees, chair of
the governing board, the budget or finance committees, or others who may have engaged the auditor.
b. Internal Audit. Activities concerning the design and effectiveness of internal control and management's
responses to any findings by the internal audit function. (SAS No. 99, AU 316.23, requires inquiry of internal
audit personnel about risks of fraud, knowledge of fraud or suspected fraud, and activities concerning fraud
detection.)
c. Other Employees. Their role in the financial reporting process and additional or corroborating information
to support management's responses. (SAS No. 99, AU 316.24, requires inquiry of others within the entity,
determined through the auditor's judgment, about the existence or suspicion of fraud.) Auditors may
consider obtaining the perspective of employees from different functional areas and at varying levels of
authority when identifying risks of material misstatement. Examples of inquiries that may be made of other
employees include:
(1) Financial Reporting Personnel. Appropriateness of the selection and application of accounting
policies, including the initiation, authorization, processing, or recording of complex or unusual
transactions. (SAS No. 99, AU 316.58, explicitly requires inquiries about knowledge of inappropriate
or unusual activity relating to the processing of journal entries and other adjustments.)
(2) Inhouse Legal Counsel. Litigation, compliance with laws and regulations, knowledge of fraud or
suspected fraud, restrictions on resources imposed by funding sources and related legal
requirements.
(3) Fundraising or Development Personnel. Changes in fundraising strategies and contributor activity.
(4) IT Systems Users. Their role in identifying changes to IT systems, how frequently changes occur,
effectiveness of application and access controls, and excessive system downtime and other
functional issues.
d. Parties Outside the Entity. Inquiries of parties outside the entity are not required but are procedures that
might be helpful. For example, the auditor might find it useful to make inquiries of external legal counsel
or of valuation experts that management has engaged.
When deciding which individuals within the entity to make inquiries of, it may be helpful to consider
 Employees who may have additional knowledge of matters identified in discussions with management or
the audit committee, or during the engagement team discussion.
 Employees who may be able to corroborate information received from management or others.
 Employees who may offer a unique or different perspective about the risks of material misstatement due
to their background, tenure, etc.
 Employees who might provide information about the possibility of management override of controls.
In addition to those parties identified previously, examples of the types of individuals within the entity that auditors
may consider interviewing include
 Employees at varying levels of authority within the entity, from lowlevel clerical employees to senior
management, including employees the auditor comes in contact with while obtaining an understanding
of internal control, or obtaining explanations for significant differences or fluctuations arising from analytical
procedures.
 Employees outside the accounting department.
15

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Operating personnel.
 Employees involved in recording or processing journal entries.
 Employees involved in initiating, recording, or processing complex or unusual transactions.
 Employees in areas identified as vulnerable to the risk of fraud or error during the engagement team
discussion.
 Employees with key roles in internal control.
 Employees referred to by other interviewees.
Government Auditing Standards Requirements. Government Auditing Standards require auditors to make inqui
ries about findings and recommendations from previous engagements and evaluate whether appropriate correc
tive actions have been taken to address findings that could have a material effect on the financial statements. The
Yellow Book, at Paragraph 4.09, states that auditors should ask management to identify previous audits, attesta
tion engagements, and other studies that directly relate to the objectives of the audit, including whether related
recommendations have been implemented." Auditors are required to use this information when assessing risk and
determining the nature, timing, and extent of audit work, including the testing of implementation of corrective
actions.
Fraudrelated Inquiries. As part of gathering the information needed to identify fraud risks, SAS No. 99 requires
auditors to inquire of management and others about:
 Their knowledge of any actual fraud or suspicions of fraud affecting the organization.
 Their awareness of any allegations of fraud or suspected fraud affecting the organization.
 Their understanding of the risks of fraud within the organization, including any specific fraud risks the
organization has identified or account balances or transaction classes that may be susceptible to fraud.
 How they communicate to employees the importance of ethical behavior and appropriate business
practices.
 Programs and controls the organization has implemented to address identified fraud risks or otherwise
help prevent, deter, and detect fraud and how those programs and controls are monitored.
 The nature and extent of monitoring multiple locations and whether any of them have a higher level of fraud
risk.
 Whether they have reported to the audit committee (or its equivalent) about how the organization's internal
control serves to prevent, deter, and detect material misstatements due to fraud.
The objective of the inquiry includes obtaining different perspectives on financial statement areas and organiza
tional areas and locations with a risk of fraud and identifying whether anyone has suspicions or actual knowledge
of fraud.
Exhibit 13 presents a list of questions the auditor might consider asking management at a nonprofit organization.

16

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Exhibit 13
Inquiries about Fraud Risks for Management
Required Inquiry

Possible Questions

Their knowledge of any actual fraud or suspicions of


fraud affecting the organization.

 Are you aware of any actual instances of fraud


within the organization?
 Do you have any reason to suspect fraud may be
occurring within the organization? If so, where and
how?
 Have you seen any changes in employee
behavior?

Their awareness of any allegations of fraud or


suspected fraud affecting the organization.

 Have you received any communications from


employees, former employees, regulators, or oth
ers alleging fraud?

Their understanding of the risks of fraud within the


organization, including any specific fraud risks the
organization has identified or account balances or
transaction classes that may be susceptible to
fraud.

 Which types of transactions, account balances,


financial statement classifications, or organization
locations are most at risk for intentional misstate
ment or theft?
 Have you identified any specific risks of fraud within
the organization?
 What would be the easiest way for someone to
misstate the financial statements or steal assets
without getting caught?
 If someone were going to overstate or understate
net income, how would they do it?
 If someone were going to steal and cover it up, how
would they do it?
 Does the organization use source documents that
could be easily accessed and forged?
 How could false entries be made to the accounting
system?
 What departures from GAAP are most common in
the sector? What departures from GAAP are most
likely at your organization?
 Where are the weaknesses in the organization's
internal controls?
 Which controls can be bypassed or overridden?
Are there instances where controls have been
bypassed or overridden in the past?
 Have other nonprofit organizations identified any
common frauds?
 Have there been any changes within the industry or
the organization that have created or changed risks
of fraud?

How they communicate to employees the impor


tance of ethical behavior and appropriate operating
practices.

 What instructions do you give to employees about


how they are expected to behave when conducting
activities?
 How do you make it clear to employees that
fraudulent or unethical behavior will not be
tolerated?

17

Companion to PPC's Guide to Audits of Nonprofit Organizations

Required Inquiry

NPOT09

Possible Questions

Programs and controls the organization has


implemented to address identified fraud risks or
otherwise help prevent, deter, and detect fraud and
how those programs and controls are monitored.

 What measures have you taken to address specific


risks of fraud within the organization?
 What controls have been implemented to prevent
one person from perpetrating and concealing a
fraud when segregation of duties is not possible?
 What procedures are in place for initiating, approv
ing, and processing nonroutine transactions?
 How have employees been told to communicate
suspected fraud?
 Are there any other programs and controls in place
to help prevent, deter, or detect fraud?
 How do you monitor the organization's antifraud
programs and controls to make sure they are
working as intended?

The nature and extent of monitoring multiple


locations or programs and whether any of them
have a higher level of fraud risk.

 Do fraud risks exist or are they more likely to exist


in particular organization locations or programs?
 How do you monitor the organization's operating
locations or programs to reduce the likelihood of
fraud occurring and going undetected?

Whether they have reported to the audit committee


(or its equivalent) about how the organization's
internal control serves to prevent, deter, and detect
material misstatements due to fraud.

 Have you reported to the audit committee (or its


equivalent) about how the organization's internal
control serves to prevent, deter, and detect material
misstatements due to fraud?

If applicable, the auditor should also inquire directly of the audit committee (or at least its chair) about the
committee's understanding of the risks of fraud and its knowledge of any actual or suspected instances of fraud. In
addition, the auditor should obtain an understanding of the audit committee's role in overseeing the organization's
fraud risk assessment and monitoring process. If the organization does not have an audit committee, inquiries
should be made of individuals with a level of authority and responsibility equivalent to an audit committee, such as
the governing board, board of trustees, the chair of the governing board, the budget or finance committees, or
others who may have engaged the auditor. Inquiries also should be made of internal auditors if the organization has
an internal audit function.
In addition to inquiries of management, the audit committee, and internal auditors, inquiries should be made of
other employees to determine whether they are aware of fraud that is occurring or have suspicions of fraudulent
activity. Deciding which employees to make inquiries of and the extent of those inquiries is a matter of professional
judgment that depends primarily on whether the auditor believes those employees may provide information that is
relevant to identifying fraud risks. At a minimum, the auditor should ask the following questions:
 Are you aware of any actual fraud within the organization?
 Do you have any reason to suspect fraud is occurring within the organization? If so, where and how?
 Do you have any reason to suspect your superior is committing fraud?
See Exhibit 14 for possible illustrative questions that might be appropriate for employees of different levels and
departments.

18

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Exhibit 14
Possible Inquiries about Fraud Risk for Nonprofit Organization Employees
Suggested Questions

Direct Inquiries to

 Do you know of anyone who is stealing from the organization?


All employees selected
 Do you suspect that anyone is stealing from the organization?
 Do you know of anyone in the organization who is manipulating the accounts
or records?
 How could someone steal from the organization without getting caught?
 If I were to do [indicate potential fraud], how would I get caught?
 How would you describe the organization's (and/or management's) values and
ethics?
 What is it like to work here? How is the overall morale?
 Are you upset with the organization for any reason? Do you know of anyone who
is?
 Have you ever been asked to ignore or override a policy or procedure that is part
of your job? Who asked you?
 Have you ever seen another employee circumventing organization policies,
procedures, or controls? What explanation did they give?
 Have you noticed any unusual changes in the behavior or lifestyle of
management or any other employees?
 Do you know of any employees who are under pressure to make ends meet
financially?
 How do you think this organization compares with others in terms of the honesty
of its employees?
 Do you think your coworkers are honest?
 Has anyone you work with ever asked you to do anything you thought was
illegal or unethical? What would you do if someone asked you?
 Have you ever been asked to enter false information in the system or records?
 Has anyone you work with ever asked you to withhold information from the
auditors or alter documents or records?
 Has the entity communicated how you should report suspected fraud? If so,
would you feel comfortable in reporting suspected fraud in this manner? Do you
believe that reporting suspected fraud would not be held against you by
management or others?
 Is there anything else you would like to add, or anyone else we should talk to?
 I must ask you one last question. Have you yourself done anything against the
organization that was illegal or unethical?
 What factors (such as market competition or changes in technology) may Fundraising, marketing,
threaten the organization's ability to continue operations?
and program managers
 How would reporting improved financial results (i.e., increased contribution or
earned revenue, improved expense ratios, projects within budget, etc.) help the
organization?
 What pressure is put on employees to achieve the organization's contribution
revenue targets or project or program budgets, and by whom? Are there
compensation incentives for reaching fundraising targets?
 Were any unusual contributions or promises to give received at or near the end
of the year?
 What types of donor or customer complaints do you typically receive?

19

Companion to PPC's Guide to Audits of Nonprofit Organizations

Suggested Questions

NPOT09

Direct Inquiries to

 How is management and/or the board compensated? Are there significant Human resources
fringe benefits such as travel, use of autos, or use of facilities?
 Has management exerted any pressure upon you or others to override, modify,
or falsify compensation awards, agreements, or plans without sufficient
justification and approval for the situation?
 Are there compensation incentives for reaching fundraising targets?
 Has there been any significant turnover in personnel? In what departments?
 Are there any recent or planned layoffs or changes in pay rates or benefit plans
that have or could upset the workforce?
 Have recent bonuses, raises, and promotions met employee expectations? Is
there anything planned in those areas that could cause resentment among
employees?
 Have employees complained about work conditions, management demands
or style, or other matters that could lead to pressures or incentives to commit
fraud?
 How active is management in supervising the accounting department?
Accounting and finance
 Does management (including senior finance executives) demonstrate an
attitude of shoot the messenger" when learning of unfavorable financial results
or incidents?
 What are the weaknesses in the organization's internal controls?
 Do any of the organization's accounting policies seem inappropriate or overly
aggressive?
 Does management always tend to favor amounts that are on the high (low) side
when developing accounting estimates, such as estimated liabilities and
valuation accounts?
 Does management often use materiality to justify questionable accounting
practices?
 Does it ever seem like the method of accounting for a transaction is more
important than the transaction itself? Can you give me an example?
 Does anyone run personal expenses through the organization?
 What aspect of the organization's performance is management most con
cerned about?
 Are there any changes in procedures or improvements in controls that could
easily be made, but management has chosen not to?
 Have there been any unusual changes in the way transactions are processed?
 Have you ever been asked to record any journal entries that seemed unusual
or lacked support?
 Have you ever been asked to make false entries in the accounting records?
 Has the organization's relationship with particular suppliers significantly Purchasing
changed (improved or deteriorated) in the past year?
 What types of vendor complaints do you typically receive?
 Do any vendors have a close or unusual relationship with management?
 Is there any inventory you have been told not to count?
Production and inventory
 Has there been any unusual movement of goods at or near yearend?
 Have there been any unusual changes in the way customer shipments are
handled?
 Are there any inventories that you suspect are unjustly overvalued or no longer
salable?
 Have you been asked to falsify inventory count sheets or records?

*
20

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Making inquiries of employees outside the accounting department or those at varying levels of authority may be
useful in providing a different perspective about the risks of fraud. Their responses may corroborate responses
received from management, or may provide information about the possibility of management override of controls.
For example, an employee may indicate there has been an unusual change in the way transactions are processed.
Inquiries of employees outside the accounting department may also provide information about the effectiveness of
management's communication and support of the organization's values or ethics throughout the organization.
Because management is often in the best position to perpetrate and conceal fraud, the need for professional
skepticism in making the auditor's inquiries of management cannot be overemphasized. Generally, it is necessary
to corroborate responses, especially those of management. Additional audit evidence should be obtained to
resolve any inconsistencies among responses.
Documentation. SAS No. 109 (AU 314.122) requires documentation of risk assessment procedures performed in
obtaining an understanding of the entity and its environment. When documenting inquiry procedures, SAS No. 103,
Audit Documentation (AU 339.21), provides the following guidance:
Audit documentation of procedures performed, including tests of operating effectiveness of
controls and substantive tests of details that involve inspection of documents or confirmation,
should include the identifying characteristics of the specific items tested.
In conjunction with this requirement, the standard provides an example for documenting inquiries of specific entity
personnel indicating that auditors may document the date of the inquiry, name and job description of the individual
queried, and the nature of the inquiry. Documenting these identifying characteristics when performing risk assess
ment inquiry procedures is recommended.
Preliminary Analytical Procedures
SAS No. 56 (AU 329.04) states that analytical procedures should be applied to some extent in all audits of financial
statements to assist the auditor in planning the nature, timing, and extent of other auditing procedures. To
accomplish this, SAS No. 56 (AU 329.06) indicates that analytical procedures used in planning the audit should
focus on
a. Enhancing the auditor's understanding of the client's activities and the transactions and events that have
occurred since the last audit date.
b. Identifying areas that may represent specific risks relevant to the audit.
Knowledge of the client and the activity or activities in which it operates is interrelated with the use of analytical
procedures in audit planning. Performing effective preliminary analytical procedures requires the auditor to under
stand the entity's activities to know what relationships would be expected to exist, what relationships would be
considered unusual or unlikely, and what plausible explanations might exist for observed relationships. That
knowledge is also important in assessing the significance of differences from expected relationships. For that
reason, the auditor generally needs an understanding of the entity's activities before performing preliminary
analytical procedures.
SAS No. 56 does not require the use of any particular analytical procedures. It recognizes that the sophistication,
extent, and timing of analytical procedures may vary widely, depending on the size and complexity of the client.
SAS No. 56 (AU 329.07) states:
For some entities, the procedures may consist of reviewing changes in account balances from
the prior to the current year using the general ledger or the auditor's preliminary or unadjusted
working trial balance.
For a nonprofit organization, other preliminary analytical procedures may consist primarily of analysis of ratios or
trends related to liquidity, solvency, and activity combined with inquiries of financial and operating management.
For example, comparing support and revenue by source for the past five years improves understanding of the
nonprofit organization's operations and may identify a revenue source that requires increased attention in the
current audit.
21

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Other than the analytical procedures performed to comply with SAS No. 99, analytical procedures used in the
planning stage only need to be designed to point out audit areas that may be indicative of potential risks and, thus,
need special emphasis. In the audit of a small nonprofit organization, simple comparisons and ratios are ordinarily
effective, and the auditor normally need not make use of complex mathematical or statistical models. Depending
on the facts and circumstances, analytical procedures may be limited to comparing the major account balances
shown in the unadjusted general ledger with the financial statements for the prior year. For example, information
acquired in prior audits may enable the auditor to make preliminary judgments about the inherent and control risks
for assertions about material accounts and about the substantive procedures that would reduce detection risk to
the desired low level. In that situation, the auditor would compare the unadjusted balances for this year with the
adjusted balances for last year to identify assertions that may require altering the planned substantive procedures.
For larger or more complex entities, however, more sophisticated preliminary analytical procedures, such as ratio
or trend analysis, may be used.
If ratio analysis is used, the auditor should focus on a few key relationships that provide an improved understanding
of the financial statements and significant operating or financial changes. For example, it might be possible to
compare receipts from annual fundraising drives to total support to detect improper revenue recognition. Another
example of a ratio that may detect improper revenue recognition for a nonprofit organization is the ratio of
fundraising expenses to contribution revenue. A recorded amount of expense that is significantly lower than the
amount needed to produce the recorded amount of revenue might indicate overreporting of revenue. On the other
hand, nonprofit organizations that report contribution revenue with little or no fundraising expenses may have
underreported expenses in order to maintain favorable expense ratios. The auditor's discussions with management
should identify the ratios and relationships that management considers important in running the business.
When using interim financial information in the analytical review, the auditor should be aware of factors, such as
seasonal trends, that should be considered in making comparisons. For example, if the auditor is using information
as of the end of November and the client's activities are highly seasonal with substantial activity in December
(frequently the case for nonprofit contributions received), a straight annualization of interim information will not
provide a meaningful comparison.
The auditor should avoid merely making mechanical computations and comparisons. The auditor should bring as
much creativity and insight to the review as possible. Auditors should consider tailoring the procedures to the
individual client by determining which trends, ratios, and relationships are most relevant.
In the audits of most small nonprofit organizations, the auditor normally has a sufficient understanding of the client
and its operations to judgmentally consider the expected relationships. A precise quantification of these relation
ships is not required and is often not a costeffective approach. No matter which financial relationships are selected
for comparison purposes, the analytical review should include a knowledgeable scanning of the financial informa
tion to identify unusual changes and unexpected relationships that indicate specific areas of risk of material
misstatement.
Using Analytical Procedures When Large Audit Adjustments Are Expected. Analytical procedures may not be
very useful in audit planning when several large audit adjustments are expected. In that case, auditors should
consider limiting the analytical procedures used for audit planning as follows:
a. Look at Major Fluctuations in Financial Statement Line Items or Large Account Balances. This procedure
can identify areas that may require additional audit attention. For example, large increases in a notes
payable account may mean there are new loans. Also, the auditor may identify large other income accounts
that require detail testing. Auditors should concentrate on fluctuations in accounts that have not typically
needed adjustments in the past.
b. Look at Changes in Bottom Line Numbers. Fluctuations in bottom line numbers such as change in total net
assets or changes in net assets by class (unrestricted, temporarily restricted, permanently restricted) can
identify unfavorable trends and going concern problems.
c. Look at Ratios That Should Not Change. Examine areas where major adjustments are not expected. For
example, if the auditor does not expect major adjustments to contributions receivable, then aging statistics
22

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

and other ratios can be calculated in the planning phase to help determine the nature and extent of testing
of the allowance.
Auditors should remember that analytical procedures should be used to understand important relationships in the
client's financial and nonfinancial data. They should not be simply a mechanical exercise. Also, audit planning is
not confined to the start of the engagement. SAS No. 108 (AU 311.03) states that audit planning continues
throughout the audit. So analytical procedures also can be used for planning during fieldwork.
The Value of Preliminary Analytical Procedures in Risk Identification. To be effective in identifying potential
risks of material misstatement, analytical procedures should be designed to identify the absence of an expected
relationship or the presence of an unexpected relationship. For example, there should be a predictable relationship
among contributions, promises to give, and fundraising expenses based on historical patterns of the organization.
Also, the auditor would expect the relationship to change in predictable ways in response to known changes in
programs, contributor composition, fundraising methods, and the local economy. Therefore, a key element in the
performance of preliminary analytical procedures for the purpose of identifying potential risks of material misstate
ment is the auditor's development of expectations about plausible relationships that are reasonably expected to
exist. The expectations serve as the benchmark when comparing recorded amounts or ratios to determine unusual
or unexpected changes or the absence of expected changes that might be the result of misstatements.
Unusual or unexpected relationships can be anything out of the ordinary. They are relationships, account balances,
or transaction amounts that do not make sense. They may include trends and relationships that are at odds with
comparable industry data. Ratios may be too unusual or too unrealistic to be believable even if the client appears
to have a logical explanation. Account balances and transaction amounts may be too large or small, too high or
low, or result in too much or too little of something.
Welldesigned preliminary analytical procedures based on appropriate expectations of plausible relationships can
by very effective in identifying risks of material misstatement during the risk assessment stage of audit planning.
However, because preliminary analytical procedures are ideally performed early in the planning process, the
analytical procedures use information that is aggregated at a relatively high level (for example, recent interim
financial statements or, if financial statements are not available, a general ledger trial balance). Information aggre
gated at a relatively high level is appropriate at this stage because the auditor is attempting to identify potential
audit problems, not to reach a conclusion on the reasonableness of a specific balance. (However, the same
analytical procedures might be appropriate for both purposes.) When analytical procedures use data aggregated
at high level, SAS No. 109 states that the results of those analytical procedures provide only broad initial indications
about whether a material misstatement may exist. Accordingly, SAS No. 109 states that auditors should consider
the results of preliminary analytical procedures along with other information gathered in identifying the risks of
material misstatement.
In addition, although the preliminary analytical review serves broader purposes, the analytical procedures per
formed may identify declining trends in operations or significantly reduced liquidity or solvency that raise the issue
of whether the client can continue as a going concern in the foreseeable future. If there is substantial doubt about
the client's ability to continue as a going concern, the auditor should determine an appropriate audit response.
Normally, the auditor will obtain additional information about management plans and other potential mitigating
factors in the course of the audit. The auditor should also consider whether the potential goingconcern problem
creates an increased risk of management intentionally misstating the financial statements.
Specialized Considerations for Nonprofit Organizations. Nonprofit organizations have some unique considerations
as part of the auditors' process of updating knowledge of the entity and its environment. The auditor is interested
in identifying changes in the following:
 programs,
 nature of the organization's activities,
 grantors,
 fundraising events,
23

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 fundraising constraints,
 the political environment,
 impact of the economy on collection of promises to give, and
 grant and Single Audit compliance.
In regard to performing preliminary analytical procedures, industry statistics are helpful for comparison purposes.
Many nonprofit organizations know the comparable nonprofit organizations in their local area and may already
perform comparisons with those organizations as part of their own strategic planning. Also, nonprofit organizations
may report to either a national umbrella organization (such as the national office of United Way) or to an industry
specific national organization (such as the American Symphony Orchestra League) that can provide relevant
statistical information. The auditor should ask the nonprofit organization whether such statistical information is
available.
When using interim financial information, the auditor should also consider the ending dates for significant grants.
Nonprofit organizations frequently spend significant amounts of grant expenditures towards the end of the grant
period rather than expending amounts evenly over the grant period. Also, the auditor should be aware of the timing
of significant special events that would affect contribution revenue and whether the nonprofit organization is
beginning, in the midst of, or ending a capital campaign. Any of these items may make it difficult to calculate a
straight annualization of interim amounts.
The client may not prepare its interim financial statements in accordance with GAAP. For example, if the client has
numerous grants that require reporting that is not in accordance with GAAP, the client may maintain its accounting
records during the year to facilitate the preparation of grant reports. Then, at year end, the client may make
adjusting entries to the accounting records so that they are in accordance with GAAP. If that is the case, it may be
difficult to compare interim financial statements to GAAP financial statements of a prior period.
Some common ratios that are generally useful in performing a preliminary analytical review for a nonprofit organiza
tion are as follows:
 Accounts receivable turnover

NetRelatedRevenue
AverageAccountsReceivable

 Current ratio (for organizations with a classi


fied statement of financial position)

CurrentAssets
CurrentLiabilities
LongtermDebt
UnrestrictedNetAssets
ProgramExpenses
TotalExpenses
ContributionRevenue
TotalRevenue
FundraisingExpenses
TotalExpenses
FixedAssets
TotalUnrestrictedNetAssets
UnrestrictedNetAssets
TotalNetAssets

 Debt to unrestricted net assets ratio


 Program expenses to total expenses ratio
 Contribution revenue ratio
 Fundraising expense ratio
 Fixed assets ratio
 Unrestricted net assets ratio

There are also some additional ratios that may be useful depending on the specific nonprofit organization. For
example, the promises to give receivable ratio would generally only be useful if the nonprofit organization had
similar types of fundraising events each year that would lead the auditor to expect a similar ratio from year to year.
Some of the more specialized ratios are as follows:
24

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Promises to give receivable turnover

Contribution Revenue
Average Promises to Give Receivable
Federal Grant Revenue
Total Revenue  Federal Grant Revenue
Scholarship Expense
Tuition Revenue

 Federal to nonfederal funds ratio


 Scholarship ratio

When performing the required analytical procedures relating to revenue per SAS No. 99, the auditor of a nonprofit
organization might consider comparing contribution revenue by month and by fundraising event. Additionally, the
auditor could consider if the increase in contribution receivable is unexpected in relationship to the decrease in
contribution revenue.
Analytical Procedures Related to Revenue. In addition to the requirement for preliminary analytical procedures
in SAS No. 56, SAS No. 99 specifically requires auditors to perform preliminary analytical procedures related to
revenue to identify unusual or unexpected relationships that may indicate fraudulent financial reporting. Ordinarily,
comparison of current and priorperiod account balances for revenue accounts will not be sufficient to achieve that
objective, and other types of analytical procedures should be used. Other analytical procedures that may be useful
in identifying unusual or unexpected relationships related to revenue include the following:
 Analysis of Relationships between Financial and Nonfinancial Amounts. When comparing financial and
nonfinancial amounts, it may be most effective to use a base that (a) would be expected to have a
reasonable relationship to revenue and (b) could not easily be manipulated by management. For example,
the auditor could analyze the number of service units provided by the organization and compare that to
the revenue associated with those service units. For example, the auditor could compare (a) the number
of members and membership dues, (b) the number of students and tuition revenue, (c) the number of
tickets sold and admissions revenue, or (d) attendance at a church and contribution revenue.
 Trend Analysis. Auditors may analyze trends in the components of revenue accounts or transaction types.
It may be helpful to look at several trends or relationships to identify inconsistencies or unusual patterns.
For example, a trend analysis of annual fundraising campaigns or special events by year might indicate
inconsistencies or unusual patterns that might be the result of fraudulent financial activity.
 Ratio Analysis. Ratio analysis is the analysis of relationships between financial statement items by
computing the ratio of one financial statement amount to another. The ratio may be compared to the same
ratio for a prior period (or several prior periods) to identify unusual or significant variations. For example,
it may be possible to compare cost amounts, such as the ratio of fundraising expenses to contribution
revenue. Ratios that use information management generally is unable to manipulate, such as cash flows,
may be most effective in revealing indications of fraudulent financial reporting.
 Budgetary Comparison. Comparison of actual amounts with budgets may also indicate unusual variations.
For example, revenue might significantly exceed budget because of improper revenue recognition.
The analytical procedures related to revenue should be updated in the final review stage of the audit.
Documentation. Documentation of preliminary analytical procedures can be limited, but it should be sufficient to
provide support for the auditor's risk assessment. The results of the preliminary analytical review ordinarily are
documented using a narrative memorandum, comparative carryforward schedule, or other form of workpaper.
Documentation may also include the effect on the audit plan or indicate that the results should be considered when
identifying fraud risks.
Observation and Inspection
Observation and inspection procedures are required when obtaining an understanding of the entity and its
environment, including its internal control, to assess risk. There are a number of ways to use observation and
inspection when assessing risk. When obtaining an understanding of the entity and its environment, observation or
inspection might be the key procedure that enables the auditor to fully obtain pertinent information and identify
25

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

related risks. For example, in order to gain an understanding of the client's financing arrangements and underlying
covenants, the auditor might decide to review the client's loan agreements and other related documents. That
procedure, coupled with a review of the client's financial statements, might be the key procedure that helps the
auditor identify risks related to potential noncompliance with loan covenants. For nonprofit organizations, the
auditor may decide to review the organization's Form 990 and Form 1023 to obtain an understanding of some of
the entity's activities and potential risks.
More frequently, observation and inspection are used to corroborate or followup on the results of inquires made of
management and others. For example, when evaluating the design and implementation of the entity's system of
internal control, members of management might tell the auditor that they communicate the importance of ethical
values to employees through a written code of conduct and by example. The auditor might wish to corroborate this
response by examining the written code. In addition, the auditor may determine that a risk exists based on
observation of management's current and past interactions with employees that contradict the behavior standards
in the written code.
Other than the requirement to perform some observation and inspection procedures related to internal control,
however, determining when to use observation and inspection, as opposed to other risk assessment procedures,
is generally a matter that is left to the auditor's judgment. Ordinarily, it is believed that observation and inspection
procedures are effective in the following situations when obtaining an understanding of the entity:
 To understand the design of controls related to the audit.
 To verify that controls have been implemented, for example, as part of a walkthrough.
 When responses to inquiries indicate a potential risk for a significant account.
 When responses to inquiries are inconclusive, conflicting, or prove to be incorrect.
 In combination with inquiry to fully understand a matter.
 When required information can only or best be obtained through observation or inspection (for example,
understanding the client's fundraising activities might best be done through observation.)
 When the evidence gathered through observation and inspection can also be used for a substantive
procedure.
 In recurring engagements, to determine whether changes have occurred that affect the continued
relevance of the information gathered in a prior period.
Examples of how and when observation and inspection procedures might be used to identify risks are included in
Exhibit 15.

26

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Exhibit 15
Using Observation and Inspection Procedures in Risk Assessment

Audit Procedure

Example of When Used and


Procedure Performed

 Observation of entity activi


ties and operations.

 Understanding the nature


of the client's public fund
raising activities.
 Observe client's public
fundraising activities.
 Understanding the client's
objectives and strategies
and related operating risks.
 Review
the
most
recent operating plan.

 Inspection of operating plans


and strategies, internal con
trol manuals, and similar
documents and records.

 Reading governing board


meeting minutes.

 Understanding the partici


pation of those charged
with governance.
 Read minutes of the
governing board dur
ing the year.

 Visits to the entity's premises,


branches, or chapters.

 Understanding the nature


of the client's operations.
 Tour client's key facili
ties.

 Walkthroughs (tracing trans


actions through the informa
tion system to confirm the
auditor's understanding of
design and determine that
procedures and controls
have been implemented).

 Understanding the client's


financial reporting system,
including its design and
implementation.
 Select a contribution
and trace it through the
system.

Example of How a Potential Risk


Is Identified
 Auditor observes that admis
sion screening at the public
event is lax which indicates
potential misstatement of
admission fees.
 The plan reveals a shift in
strategy during the year to
emphasize donations of assets
rather than cash, which indi
cates increased risk related to
valuation of assets.
 Minutes indicate that the board
rubberstamps" all of man
agement's decisions and,
therefore, is deemed to be
ineffective, which indicates
overall risk due to weaknesses
in the control environment.
 During the tour of client's facili
ties, the auditor observes sig
nificant damage to uninsured
machinery and equipment due
to a recent storm, which indi
cates an increased risk of
impairment.
 During the walkthrough, the
auditor determines that control
procedures to followup on
meeting conditional promises
to give have not been imple
mented, which indicates an
increased risk of unrecorded
revenues.

Documentation. SAS No. 109 requires documentation of risk assessment procedures performed in obtaining an
understanding of the entity and its environment. SAS No. 103, Audit Documentation, requires documentation of the
identifying characteristics of specific items tested and provides examples for documenting the identifying charac
teristics of observation and inspection procedures. Based on that guidance, documenting the following is recom
mended:
 For an inspection of documents, identify the item inspected, for example, by indicating the title and date
of the report or the document name and number. (To facilitate inquiring about or requesting copies of the
report or document at a later time, the authors recommend referring to the report or document by the same
name that the client uses to refer to it.)
27

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 For an observation procedure, document the process or subject matter observed, individuals involved and
their titles, and where and when the observation was carried out.
Discussion among the Engagement Team
SAS No. 109 (AU 314.14) requires the members of the audit team to discuss the susceptibility of the entity's
financial statements to material misstatements. SAS No. 99 (AU 316.14) requires an exchange of ideas, or brain
storming" among audit team members about how and where they believe the entity's financial statements might be
susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent
financial reporting, and how assets of the entity could be misappropriated. These discussions can be held
concurrently, that is, one meeting can cover the susceptibility of the financial statements to material misstatements
from both error and fraud. However, it is important that the auditor consider the susceptibility to fraud as a distinct
part of this combined discussion to avoid the potential dilution of this critical consideration.
The focus of the audit team discussion should be on the individual members gaining a better understanding of the
potential for material misstatements resulting from error or fraud in the specific areas assigned to them, and
understanding how the results of audit procedures they perform affect other aspects of the audit. In this discussion,
the more experienced members of the audit team can share their insights based on their cumulative knowledge of
the entity and its environment.
Matters to be Discussed. This discussion is aimed at the susceptibility of the financial statements to material
misstatement, that is, the areas of vulnerability. The discussion is one of the sources of information used to assess
the risks of material misstatement. Thus, the discussion should not be a narrow one focused on risks already
identified, but one that opens the minds of members of the audit team to potential material misstatements from
error and, particularly, from fraud. Any high risk areas that have already been identified, however, should be
communicated to the team members. Among other matters, SAS No. 109 indicates that the discussion should
include the following:
a. Critical issues and areas of significant audit risk.
b. Areas susceptible to management override of controls.
c. Unusual accounting practices used by the client.
d. Application of GAAP to the entity's facts and circumstances in light of its accounting policies.
e. Important control systems.
f. Materiality at the financial statement level (planning materiality) and at the account level (tolerable
misstatement).
g. How materiality will be used to determine the extent of testing.
h. The need to exercise professional skepticism throughout the engagement, to be alert for information or
other conditions that indicate that a material misstatement due to fraud or error may have occurred, and
to be rigorous in following up on such indications.
It is believed the discussion also should address how the operating risks facing the client could result in a material
misstatement of the financial statements, focusing especially on changes from the prior year and new develop
ments.
Examples of other factors the engagement team might discuss that affect the likelihood of material misstatements
caused by error include the following:
 Past experience with the client.
 Changes in the client's organization (for example, changes in personnel or accounting systems).
28

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

 The nature and complexity of transactions.


 Known accounting and auditing issues.
In addition to discussing important control systems, it may be appropriate to discuss potential risks that may exist
due to limitations in the client's personnel and assignment of responsibilities. For some smaller entities, the
engagement team might consider issues regarding the background and competence of individuals in key process
ing and financial decisionmaking roles, especially if concerns had been noted in previous audits.
SAS No. 99 indicates that the discussion should also include the following fraudrelated matters:
 How and where the entity's financial statements (for example, which accounts or transaction classes) might
be susceptible to material misstatement due to fraud.
 How management could perpetrate and conceal fraudulent financial reporting.
 How the entity's assets could be stolen.
 External and internal factors that might create incentives/pressures, provide opportunities, or enable
rationalization of fraud.
The fraud aspect of the discussion should give appropriate consideration to financial statement misstatement from
both fraudulent financial reporting (i.e., cooking the books") and stealing. A key consideration when assessing
fraud risk is what motivations may exist for management to intentionally misstate the financial statements or what
controls may be lacking that could result in theft. By identifying the motives and opportunities for fraud, the auditor
should be able to assess the direction of the risk. For example, if the auditor identifies an unusual motivation for
management to maximize investment earnings to compensate for reduced contributions, the auditor would be alert
to misstatements related to the valuation of investments.
The discussion should also include the appropriate audit response to the areas identified as susceptible to material
misstatement due to error or fraud (for example, by identifying the accounts that would be affected and the nature
of procedures that could be performed to address the risks).
The discussion should include an open exchange of ideas. Participants should maintain an attitude of professional
skepticism throughout the discussion. Both SAS No. 99 and SAS No. 109 refer to a discussion; therefore, one
sided communication, such as a memo from the engagement partner, is not appropriate. (However, when the entire
engagement is performed by a single auditor, SAS No. 109 notes that the auditor can simply consider and
document the susceptibility of the entity's financial statements to material misstatements.) The medium for discus
sion (for example, a meeting or a conference call) should encourage interaction and an appropriate exchange of
ideas. Although SAS Nos. 99 and 109 both require the engagement team to have a specific discussion, commu
nication about the risks of material misstatement is not limited to that discussion, but should occur throughout the
audit.
The discussion should not be influenced by past favorable experience with the integrity of management. In fact,
SAS No. 99 states that the engagement team should abandon neutrality and any preconceptions about manage
ment's and employees' honesty, but instead presume the possibility of dishonesty at various levels of manage
ment. Thus, for example, auditors may use what if" scenarios that focus on the financial statement areas
vulnerable to fraud with the presumption that management or employees are inclined (either because of incentives/
pressures or attitudes/rationalizations) to perpetrate fraud. Engagement team members should not rely on less
than persuasive audit evidence because of a belief that management or employees are honest.
Impact on Significant Audit Areas. After discussing the risks that could result in a material misstatement of the
financial statements and determining how those risks affect specific audit areas, it is recommended that the
engagement team then discuss each significant audit area. The team should discuss the real risks affecting each
area and determine the most effective and efficient audit procedures that address those risks. Members of the audit
team should avoid relying on what procedures were performed during the prior year audit when discussing what
procedures to perform in the current year. In fact, it may be best to ignore the prior year workpapers when initially
29

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

discussing each significant area. That way, the audit team starts with a clean slate when developing the audit
approach and avoids the temptation to just rely on what we did last year." The result is usually a more effective and
efficient audit approach. However, after the team has discussed each significant area, the prior year workpapers
should be reviewed to make sure there are not any issues that were overlooked.
Who Should Attend the Discussion? Both SAS No. 99 and SAS No. 109 require auditors to exercise judgment in
determining who should attend the discussion among the engagement team, but they indicate that the discussion
should include the auditor with final responsibility for the audit (generally the audit partner) and ordinarily should
comprise key members of the engagement team. Also, it may be appropriate to include specialists, such as IT
specialists, assigned to the engagement team. Executive level team members generally are aware of significant
accounting and auditing issues that could affect the audit, while staff members or specialists may be more familiar
with the client's accounting systems and controls. Both perspectives are important in considering the susceptibility
of the financial statement to material misstatements from error or fraud. It is recommended that all members of the
engagement team, including specialists with an ongoing role in the engagement, participate in the discussion.
When Should the Discussion Occur? Before holding the discussion with the engagement team, it is recom
mended that the incharge auditor and/or engagement partner have preliminary planning discussions with the
client. Issues to discuss with the client include the services to be provided, scheduling, and other administrative
matters. In addition, the auditor should discuss the client's operating environment (particularly changes from the
prior year), the client's view of the operating risks that the client is addressing, and other specific issues facing the
client. The auditor should also obtain additional information to be used in the planning process prior to meeting
with the engagement team. Specific information to obtain includes the following:
a. Interim financial information.
b. Client budgets and any related operating and strategic planning documents.
c. Minutes of the governing board meetings.
d. Copies of new debt or other significant agreements, contributions, grants, or contracts.
e. Significant internal audit reports.
f. Significant grantor agency audit reports.
Also, if an engagement summary memo was prepared for the prior year audit, it should be reviewed before the
engagement team discussion to identify risk areas identified in the prior audit.
The timing of the engagement team discussion and other logistics depend on the circumstances and are not
addressed in SAS No. 109, other than to note that for audits involving multiple locations, there may be discussions
involving engagement team members in those locations. SAS No. 99 states only that the engagement team
discussion may occur before or while obtaining an understanding of the client's business and industry and
gathering the information needed to identify fraud risks. Holding the discussion prior to performing the information
gathering procedures is recommended. It is believed important to set the proper tone of professional skepticism
and to inform less experienced staff members about the risks of material misstatement before performing those
procedures. However, nothing prevents the firm from holding discussions both before and during the information
gathering process. These decisions are normally made by the auditor with final responsibility for the audit, and
firms should exercise professional judgment to determine what works best in their particular audit process. In any
case, engagement team members should communicate and share information obtained throughout the audit
about the risks of material misstatement due to error or fraud.
Other Matters That May Be Discussed. While not a requirement of SAS No. 99 or SAS No. 109, the auditor might
also use the engagement team discussion as an opportunity to consider other planning matters related to the audit.
Those items could include, but are not to limited to, the following:
a. Critical dates and other timing considerations.
30

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

b. Engagement budgets.
c. Key client contacts for assigned areas.
d. Other engagement administrative matters.
e. Other services that will be provided.
The engagement team discussion also provides an opportunity for the incharge auditor or partner to remind the
audit team members of the audit documentation requirements of SAS No. 103, Audit Documentation, that they
should observe while performing audit procedures, including the following:
a. Inclusion of abstracts or copies of significant contracts or agreements examined to evaluate the accounting
for significant transactions.
b. Identification of items tested in tests of operating effectiveness of controls.
c. Identification of documents inspected or items confirmed in substantive procedures.
d. Documentation relating to substantive analytical procedures used as the principal substantive test of
significant financial statement assertions.
e. Documentation relating to consideration of the entity's ability to continue as a going concern.
f. Documentation of the nature and effect of aggregated misstatements and the conclusion as to whether they
cause material misstatement of the financial statements.
g. Documentation of who performed and reviewed the audit work and the date the work was performed and
reviewed.
Documentation. SAS No. 109 requires that the following items be documented regarding the discussion among
the audit team:
 How and when the discussion occurred.
 Subject matter discussed.
 Participating audit team members.
 Significant decisions reached concerning planned responses at the financial statement and relevant
assertion levels.

31

Companion to PPC's Guide to Audits of Nonprofit Organizations

32

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
3. Which types of risk assessment procedures are most likely coupled by the auditor when obtaining an under
standing of the client's internal control?
a. Preliminary engagement activities coupled with preliminary analytical procedures.
b. Observation and inspection, with inquiry procedures.
c. Preliminary analytical procedures and engagement team discussion.
d. Walkthroughs with observation and inspection.
4. Which of the following statements is correct concerning the risk assessment process and procedures?
a. To be consistent, risk assessment procedures should not vary between clients or years.
b. The client's financial partners should be consulted to help identify fraud risks.
c. Results of prior audit procedures should not limit the extent of current procedures.
d. Risk assessment procedures will often be more extensive in the initial engagement.
5. Which of the following is correct concerning audits of nonprofit organizations?
a. They may involve risks unique from other organizations that can affect financials.
b. Past experience with the client is less important than with other organizations.
c. Volunteers may be excluded from risk assessment procedures.
d. Under SAS No. 99, assessment of fraud risk is unnecessary.
6. SAS No. 99 requires the auditor to make fraudrelated inquiries of management and others. According to the
text, what is the objective of such a requirement?
a. To determine if management understands the risks of fraud in the organization.
b. To obtain different perspectives on financial statement and organizational areas.
c. To permit employees a safe haven for admitting commission of fraud.
d. To prevent claims that the employee did not know the entity's ethical expectations.
7. According to the text, who is often in the best position to perpetrate fraud?
a. Purchasing personnel
b. Human resources personnel
c. General accounting personnel
d. Management personnel
33

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

8. Preliminary analytical procedures used in audits of nonprofit organizations in compliance with SAS No. 56 and
99 have what goal or attribute in common?
a. A detailed ratio analysis
b. Trend analysis and exceptions detection
c. Complex mathematical and statistical analysis
d. Straight annualization of interim information for comparisons
9. Analytical procedures performed by George Patterson during preliminary analytical review in an audit con
ducted for Iglesia Worldwide indicate questions concerning the ability of the organization to continue as a going
concern. What should Patterson do in response?
a. Consider the risk of intentional misstatements in the financials.
b. Withdraw from the engagement to limit his exposure.
c. Prepare to issue a qualified opinion.
d. Notify management and offer to perform management consultation services.
10. Which of the following is not an analytical procedure related to revenue mentioned by the text as complying with
the requirements of SAS No. 99?
a. Analysis of relationships between financial and nonfinancial amounts
b. Trend analysis
c. BlackScholes analysis
d. Budgetary comparison
11. According to the text, the auditor might read governing board minutes as an observation and inspection proce
dure for what purpose?
a. To understand the nature of the organization's operations
b. To look for rubberstamping" of management decisions
c. Understanding the organization's objectives and strategies
d. Understanding the nature of the organizations public fundraising operations
12. Which of the following statements is correct concerning the audit team discussion prescribed by SAS No. 99
and, where applicable, SAS No. 109?
a. Onesided communications are encouraged.
b. An air of neutrality concerning management should be maintained.
c. The discussion may be eliminated where the audit is conducted by a single auditor.
d. Discussion of misstatement from error must be separated from that concerning fraud.

34

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
3. Which types of risk assessment procedures are most likely coupled by the auditor when obtaining an under
standing of the client's internal control? (Page 11)
a. Preliminary engagement activities coupled with preliminary analytical procedures. [This answer is
incorrect. These procedures are required by SAS Nos. 108 and 109, but this would not be the most likely
coupling to obtain an understanding of internal control.]
b. Observation and inspection, with inquiry procedures. [This answer is correct. The combination of
types of risk assessment procedures can vary based on the auditor's judgment of the situation at
hand, but the standards are explicit that inquiry alone is insufficient to obtain an understanding of
the client's internal control. Inquiry will therefore most likely be coupled with observation and
inspection concerning internal control.]
c. Preliminary analytical procedures and engagement team discussion. [This answer is incorrect.
Engagement team discussion is a part of general audit planning at the financial statement level, and would
not necessarily be part of a coupling to obtain an understanding of internal control.]
d. Walkthroughs with observation and inspection. [This answer is incorrect. Walkthroughs are used to obtain
an understanding of internal control, but they are part of observation and inspection and therefore could
not be coupled as a separate procedure.]
4. Which of the following statements is correct concerning the risk assessment process and procedures? (Page
13)
a. To be consistent, risk assessment procedures should not vary between clients or years. [This answer is
incorrect. Risk assessment procedures may be fairly consistent across audit engagements, but the
procedures used may be affected by the client's particular circumstance and by factors affecting the
particular period under audit.]
b. The client's financial partners should be consulted to help identify fraud risks. [This answer is incorrect.
The auditor should consult management and others inside the client organization concerning fraud risk,
detection, and response. Inquiries of parties outside the entity are not required, though they may be useful
in some situations.]
c. Results of prior audit procedures should not limit the extent of current procedures. [This answer is
incorrect. The understanding of the client entity and its environment is ongoing. The results of prior audits
can be used to limit procedures performed in the current audit so long as the auditor believes this to be
a proper response to the client's current situation. Changing circumstances may render previous results
irrelevant to the present situation. On the other hand, prior results may justify revisiting a particular area
and increasing the extent of current period risk assessment procedures performed to ensure that problems
resolved in the previous audit continue to be handled appropriately in the period currently under audit.]
d. Risk assessment procedures will often be more extensive in the initial engagement. [This answer
is correct. Many factors can affect the auditor's decision to limit or increase the extent of risk
assessment procedures performed, but the extent of such procedures will often be less in
subsequent audits because of the ongoing nature of the understanding of the client entity and its
environment.]
5. Which of the following is correct concerning audits of nonprofit organizations? (Page 13)
a. They may involve risks unique from other organizations that can affect financials. [This answer is
correct. When auditing a nonprofit, the auditor must consider questions such as whether the entity
35

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

has suffered unfavorable publicity that could affect donations and grants, whether the entity's
taxexempt status is jeopardized, etc.]
b. Past experience with the client is less important than with other organizations. [This answer is incorrect.
Past experience with the client helps build an understanding of the entity and its environment.]
c. Volunteers may be excluded from risk assessment procedures. [This answer is incorrect. Volunteers may
play an important part in the nonprofit organization, functioning in roles from governance to clerical. The
auditor should consider personnel from all levels as valid information resources, whether or not they are
volunteers.]
d. Under SAS No. 99, assessment of fraud risk is unnecessary. [This answer is incorrect. Indeed, SAS No.
99 is entitled Consideration of Fraud in a Financial Statement Audit, and prescribes procedures for
assessment of fraud risk.]
6. SAS No. 99 requires the auditor to make fraudrelated inquiries of management and others. According to the
text, what is the objective of such a requirement? (Page 16)
a. To determine if management understands the risks of fraud in the organization. [This answer is incorrect.
This is a required inquiry, but it is not the objective.]
b. To obtain different perspectives on financial statement and organizational areas. [This answer is
correct. SAS No. 99 requires the auditor to make inquiries concerning fraud in order obtain the
different perspectives noted and to determine if anyone suspected, or has actual knowledge, that
a fraud could have occurred.]
c. To permit employees a safe haven for admitting commission of fraud. [This answer is incorrect. Certain
inquiries concern the employee's knowledge of actual fraud, but the issue of safe haven is not relevant to
the auditor's inquiries.]
d. To prevent claims that the employee did not know the entity's ethical expectations. [This answer is
incorrect. Management is responsible for communicating the organizations ethical expectations to
employees. The auditor's question of how this is communicated, though required, does not relieve
management of that responsibility.]
7. According to the text, who is often in the best position to perpetrate fraud? (Page 21)
a. Purchasing personnel [This answer is incorrect. Purchasing and inventory are areas at risk for fraud, but
purchasing personnel were not the group specifically noted in the text.]
b. Human resources personnel [This answer is incorrect. Fictitious employees and unauthorized pay
increases are just two of the ways fraud can be perpetrated via human resources, but human resources
personnel were not the group specifically noted in the text.]
c. General accounting personnel [This answer is incorrect. General accounting personnel certainly have
access to journal entries and source documents, along with varying degrees of access to other data entry
points such as accounts payable and accounts receivable, but they were not the group specifically noted
in the text.]
d. Management personnel [This answer is correct. As a result, management assertions and responses
to fraudrelated inquiries should be treated with professional skepticism by the auditor.]
8. Preliminary analytical procedures used in audits of nonprofit organizations in compliance with SAS No. 56 and
99 have what goal or attribute in common? (Page 21)
a. A detailed ratio analysis [This answer is incorrect. Generally, the auditor should focus on a few key
relationships that contribute to improved understanding of the financial statements and significant
operational or financial changes.]
36

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

b. Trend analysis and exceptions detection [This answer is correct. The analysis may be simple or
complex, depending on the size and complexity of the organization and the auditor's professional
judgment of the approach to be used.]
c. Complex mathematical and statistical analysis [This answer is incorrect. Such analysis may be
unnecessary in audits of smaller nonprofit organizations.]
d. Straight annualization of interim information for comparisons [This answer is incorrect. The seasonal
nature of some operations may cause straight annualizations to be of little use for comparisons.]
9. Analytical procedures performed by George Patterson during preliminary analytical review in an audit con
ducted for Iglesia Worldwide indicate questions concerning the ability of the organization to continue as a going
concern. What should Patterson do in response? (Page 23)
a. Consider the risk of intentional misstatements in the financials. [This answer is correct. During the
audit, the auditor should attempt to obtain information concerning mitigating factors such as
management plans to overcome the problems, but the potentially increased risk of intentional
financial statement misstatements cannot be ignored.]
b. Withdraw from the engagement to limit his exposure. [This answer is incorrect. Patterson should attempt
to obtain information concerning mitigating factors such as management plans to overcome the
problems.]
c. Prepare to issue a qualified opinion. [This answer is incorrect. There is no indication of a scope limitation
or other reason to issue a qualified opinion.]
d. Notify management and offer to perform management consultation services. [This answer is incorrect.
Management probably already knows of the problem. Patterson should attempt to obtain information
concerning mitigating factors such as management plans to overcome the problems.]
10. Which of the following is not an analytical procedure related to revenue mentioned by the text as complying with
the requirements of SAS No. 99? (Page 25)
a. Analysis of relationships between financial and nonfinancial amounts [This answer is incorrect. Such
analysis seeks a base that has a reasonable relationship to revenue and cannot be easily manipulated by
management. An example might be the ratio of ticket revenue to tickets sold compared to the price of an
individual ticket.]
b. Trend analysis [This answer is incorrect. Trend analysis is used to help spot inconsistencies or unusual
patterns in the client's data.]
c. BlackScholes analysis [This answer is correct. BlackScholes refers to mathematical calculations
and modeling related to equities and options pricing.]
d. Budgetary comparison [This answer is incorrect. Comparisons of budgeted and actual amounts may help
detect unusual variations cause by improper booking of transactions.]
11. According to the text, the auditor might read governing board minutes as an observation and inspection proce
dure for what purpose? (Page 27)
a. To understand the nature of the organization's operations [This answer is incorrect. Onsite visits and
physical tours would be a better way to understand the nature of the client's operations.]
b. To look for rubberstamping" of management decisions [This answer is correct. The auditor might
read board minutes to discover the level of involvement and participation by those charged with
governance of the organization.]
37

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

c. Understanding the organization's objectives and strategies [This answer is incorrect. Inspecting the
strategic plan, internal control manuals, and similar documentation would be a better way to understand
the organization's objectives and strategies.]
d. Understanding the nature of the organizations public fundraising operations [This answer is incorrect.
Onsite observation of such activities would be a better way to achieve this understanding.]
12. Which of the following statements is correct concerning the audit team discussion prescribed by SAS No. 99
and, where applicable, SAS No. 109? (Page 28)
a. Onesided communications are encouraged. [This answer is incorrect. Both SAS No. 99 and SAS No. 109
encourage discussion, not onesided memos or edicts.]
b. An air of neutrality concerning management should be maintained. [This answer in incorrect. An air of
professional skepticism should be maintained concerning management and its representations.]
c. The discussion may be eliminated where the audit is conducted by a single auditor. [This answer is
incorrect. In such situations, the auditor should consider and document the entity's susceptibility to
material misstatements on the financials, in accordance with SAS No. 109.]
d. Discussion of misstatement from error must be separated from that concerning fraud. [This answer
is correct. Consideration of the potential for fraud should not be diluted by other considerations.]

38

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

THE SECOND STANDARD OF FIELD WORK UNDERSTANDING THE


ENTITY AND ITS ENVIRONMENT
The second standard of field work requires an understanding of the entity and its environment, including its
internal control" (AU 150.02). Requiring an understanding of the entity and its environment focuses the auditor's
attention on the fact that the understanding establishes a frame of reference within which the auditor assesses the
risks of material misstatement and plans the audit in response to those risks. The auditor's focus in obtaining the
required level of understanding should be on attaining a knowledge level sufficient to identify the risks of material
misstatement of the financial statements and to design the nature, timing and extent of further audit procedures.
However, the understanding is a purposedriven audit focus and not a general knowledge level that might be
appropriate for some other purpose such as managing the entity.
Obtaining a solid indepth understanding of the client's activities and how it operates is fundamental to both audit
efficiency and effectiveness. Understanding the activities is the key to knowing what the risks are and where to look
to see if the risks have resulted in a material misstatement of the financial statements. Understanding the client's
activities includes not only understanding the risks the client faces in performing activities, but ideally, understand
ing what management's response is to those risks, and, consequently, what residual risk of material misstatement
of the financial statements remains. The auditor's process in obtaining this understanding should be focused on
those matters that could cause material misstatements in the financial statements, including potential goingcon
cern problems, fraud risk factors, undisclosed relatedparty transactions, illegal acts, or uncertainties.
The auditor's understanding of the entity also assists in:
 Establishing planning materiality and evaluating whether such judgments remain appropriate throughout
the audit.
 Evaluating whether certain observed conditions, such as unusual or unexpected relationships from
preliminary analytical procedures, do not make sense and indicate possible risk considerations.
 Considering fraud risk factors, for example, the existence of significant or complex relatedparty
transactions. Knowledge of the entity's contributors, grantors, and suppliers and other similar nonprofit
organizations might help the auditor consider possible collaborators in certain types of frauds, such as
kickback schemes. Knowledge of key personnel might help the auditor identify employees who could
provide relevant information in response to fraud risk inquiries.
 Evaluating the appropriateness and sufficiency of audit evidence.
The audit personnel working on the engagement must understand the client's activities sufficiently to effectively
analyze the risks and plan and perform an efficient and effective audit in response to those risks. The level of
understanding that is attainable by individual members of the audit team will vary with the experience, training, and
assigned engagement duties of the personnel, but the partner and manager should spend sufficient time in audit
team meetings or onthejob supervision to convey to the assigned staff the insight needed for effective perfor
mance of the audit.
The process of understanding the client's activities is continual. For a new engagement, a basic level of knowledge
is needed to begin preliminary planning. However, a significant amount of knowledge is gained during the audit.
Also, something changes each year. There are always important new developments with the client and within its
environment. For this reason, it is advisable for each member of the audit team to continually try to improve client
knowledge by such measures as reading trade publications, taking selfstudy courses, and above all, talking to
client personnel, including operating personnel outside the accounting department.
In a continuing engagement, the auditor should update knowledge of the entity and its environment focusing on
identifying changes from the prior year in internal or external conditions that might be of audit significance and
affect the client's operating risk or the auditor's assessment of audit risk.

39

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Specialized Considerations for Nonprofit Organizations


Obtaining information as part of obtaining an understanding of the entity and its environment, may often include
scrutiny of other information unique to nonprofit organizations such as the following:
 Reading any thirdparty reviews of grant programs, including federal award programs.
 Reviewing any publications or applications prepared by the nonprofit organization [such as its newsletters,
alumni newsletters, school catalogs, or grant applications (for foundations)].
 Review trade publications, internal communications, etc., that provide information on the organization's
activities, programs, and services.
In addition, the economy has continued to impact many nonprofit organizations. Accordingly, when gathering
information on the client's organization and the environment, the auditor should consider whether the client was
impacted by factors such as the following:
 Many organizations have experienced revenue shortfalls due to changes in corporate grantmaking and
a less stable government grant environment.
 Many nonprofit organizations are facing increased scrutiny from donors and other outside parties related
to governance, financial reporting, and compliance with restricted donations.
Components of the Understanding
The auditor's understanding of the entity and its environment consists of an understanding of the following items:
a. Activity, regulatory, and other external factors.
b. Nature of the entity.
c. Objectives, strategies, and related operating risks.
d. Measurement and review of the entity's financial performance.
e. Internal control.
As part of understanding the entity and its environment, the auditor obtains an understanding of the entity's
selection and application of accounting policies. The selection and application of accounting policies is considered
an aspect of internal control, but is presented separately in this discussion because of its significance to the
auditor's assessment of the risks of material misstatement. The selection and application of accounting policies is
an integral part of the control environment component of internal control, but merits separate and focused atten
tion. Similarly, the consideration of fraud risk factors is an important objective of performing risk assessment
procedures. Although considering the presence of fraud risk factors occurs simultaneously with obtaining informa
tion about the entity and its environment, it merits separate and focused attention. Items ad are discussed below.
Item e, internal control, is discussed later.
Documentation. SAS No. 109 (AU 314.122) indicates that auditors should document:
 Key elements of the understanding obtained for each of the aspects of the entity and its environment to
assess the risks of material misstatement in the financial statements.
 Sources of the information from which the understanding was obtained.
 Risk assessment procedures that were performed.
SAS No. 99 (AU 316) requires auditors to document their consideration of fraud risk factors.
40

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Purpose of This Section. The following paragraphs provide a detailed discussion of each of the aspects of the
entity and its environment that the auditor is required to understand, procedures the auditor may perform to gain
that understanding, and the types of risks the auditor may identify throughout that process.
Activity, Regulatory, and Other External Factors
The auditor should obtain an understanding of activity, regulatory, and other external factors relevant to the audit.
The objective of the auditor's understanding is to evaluate whether the entity is subject to specific risks of material
misstatement arising from the nature of the industry, the degree of regulation, or other external forces, such as
political, economic, social, technological, or competitive forces.
Matters the auditor might consider when obtaining an understanding of activity, regulatory, or other external factors
include the following:
a. Activity conditions, including factors that influence the revenue and expense transactions unique to the
nonprofit sector.
b. Regulatory environment, including relevant legislation and regulation, specific regulatory requirements (for
example, health issues, Medicare, or Medicaid), direct supervisory activities, and taxexempt status.
c. Government policies, including monetary, fiscal, financial incentives, and any restrictions.
d. Other external factors, including the general level of economic activity, interest rates, availability of credit,
and inflation.
Possible Risk Assessment Procedures and Factors to Consider. It is believed, in most situations, auditors will
initially gather information and identify risks related to industry, regulatory, and other external factors through
inquiry procedures. Many of the matters to be addressed are best approached through inquiry of appropriate client
management and other employees. The auditor may need to expand his or her inquiries based on the client's
responses to more fully understand the area and follow up on information that may be indicative of a potential risk.
AICPA Audit Risk Alert. The current financial and economic crisis may affect the entity's operations, risks, and
financial reporting. This in turn may affect the auditor's responsibilities in providing auditing services. The AICPA
issued an Audit Risk Alert, Current Economic Crisis Accounting and Auditing Considerations (AICPA Alert), to help
identify and respond to accounting and audit issues related to the current economic environment. The AICPA Alert
notes audit risks that may have been identified previously may become more significant or new risks may exist due
to current events, such as those affecting the economy, credit, and liquidity.
Two characteristics of the current environment are the high volatility and rapidness of changing conditions. The
AICPA Alert notes that the rapidly changing economic environment complicates the auditor's responsibility to
obtain sufficient understanding of the entity and its environment (including the industry, regulatory, and other
external factors) to assess the risks of material misstatement of the financial statements and design responsive
audit procedures. Changed conditions may require the auditor to update the understanding of how the current
economic environment affects the entity, reassess audit risks, and modify planned audit procedures as the audit
progresses.
The AICPA Alert provides an extensive review of the economic and financial events that led to the financial crisis and
resultant legislative and regulatory actions. The AICPA Alert covers issues arising from the economic crisis includ
ing
 Fair value accounting,
 Other than temporary impairment issues,


Tax exempt debt issues,

 Auditing accounting estimates,


41

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Liquidity considerations,
 Going concern considerations, and
 Fraud considerations.
AICPA Financial Reporting Alert. The AICPA issued a Financial Reporting Alert titled, NotforProfit Organizations
Accounting Issues and Risks 2008: Strengthening Financial Management and Reporting. The Financial Reporting
Alert is intended to be used by members of an organization's financial management and audit committee to identify
and understand current accounting and regulatory developments affecting the organization's financial reporting.
This alert is intended to help the reader achieve a better understanding of the economic and business environment
in which the nonprofit organization operates and also to help identify the significant risks that may result in the
material misstatement of the organization's financial statements.
The Financial Reporting Alert contains information on recent issues affecting nonprofit organizations, including the
following:
 The state of the economy and its affect on nonprofit organizations.
 IRS activities that impact tax-exempt organizations.


The hierarchy of Generally Accepted Accounting Principles (SFAS No. 162).

 Disclosures about derivative instruments and hedging activities (SFAS No. 161).
 Business combinations [SFAS Nos. 160 and 141(R)].
 Fair value accounting standards (SFAS Nos. 157 and 159).
 Accounting for defined benefit pension and other postretirement pension plans (SFAS No. 158).
 Income tax accruals and deferred income taxes under FIN 48.
 Audit and attestation developments affecting the financial statements of nonprofit organizations.
The Financial Reporting Alert also contains information on emerging issues such as the following:
 Convergence with International Financial Reporting Standards.
 The FASB codification project.


The FASB Staff Position on UPMIFA.

Understanding the Industry or Regulatory Environment. The auditor might supplement inquiry procedures with
inspection or other risk assessment procedures. For example, when obtaining an understanding of the industry, the
auditor might read AICPA accounting and auditing guides, financial statements of similar entities in the industry,
textbooks, or trade journals or might subscribe to services that provide an indepth analysis of the client's industry.
Regarding the regulatory environment, the auditor might read correspondence from regulatory authorities, applica
ble regulations that were recently enacted, or proposed legislation that may affect the industry.
Funding Source and Legal Requirements. There are certain differences between nonprofit organizations and
business enterprises that have an effect on the audit. One of the most significant differences is the importance of
restrictions on resources imposed by funding sources and related legal requirements, including, particularly, audit
requirements of government agencies that provide financial assistance or that regulate charitable activities. Audit
requirements of a typical small nonprofit organization are usually more stringent than for a business enterprise of
similar size. For example, a nonprofit organization that receives as little as $500,000 in support from funding
sources may be under the scrutiny of a number of different funding sources. A nonpublic business enterprise with
42

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

the same amount of annual revenue may not have any reason to submit financial statements to outside parties or
may be able to meet a lender's requirements by a compilation or review engagement rather than an audit. Funding
source and legal requirements can affect the nature and extent of auditing procedures considered necessary. This
is a particularly important consideration for a nonprofit organization because there may be several funding sources
with possibly overlapping or conflicting requirements. The auditor needs to understand any restrictions on the use
of resources and test compliance with those restrictions.
Economic and Political Considerations. Nonprofit organizations are often very sensitive to political and eco
nomic changes. A nonprofit organization has a continuing need for community support from business and govern
ment. Unfavorable economic conditions or disasters that draw large numbers of donations to relief efforts may
cause a reduction of funding from both private and government funding sources. Changes in tax laws or IRS
enforcement of existing laws may have a dramatic effect on the sources of revenue and types of expenditures of
nonprofit organizations. Because these changes may occur quickly, the auditor needs to reassess the economic
and political climate and the likely effect on the nonprofit organization annually. However, nonprofit organizations
seem to react to economic downturns more slowly than business enterprises. For instance, assistance from
governmental entities may continue for a while because grants are usually on an annual basis. This knowledge can
assist the auditor in his or her consideration of going concern matters. A discussion of the implications of current
economic conditions can be found in the AICPA's annual Audit Risk Alert titled NotforProfit Organizations Industry
Developments.
Nature of the Entity
The auditor should obtain an understanding of the nature of the entity relevant to the audit. The nature of the entity
includes its operations; its structure, and governance; the types of its investments; and its financing. Among other
things, the understanding of the nature of the entity helps the auditor to understand the classes of transactions,
account balances, and disclosures that would be expected in the financial statements.
Matters that the auditor might consider about the entity's operations and its structure, and governance include the
following:
a. Revenue sources.
b. Key contributors or grantors.
c. Involvement in ecommerce.
d. Major expenditures.
e. Conduct of operations, such as methods of operation or delivery of products or services.
f. Important suppliers.
g. Major assets and liabilities.
h. Major investment activities.
i. Employment and human resource matters, including compensation methods and employee benefits.
j. Research and development activities, grants, and expenditures.
k. Related parties and transactions with them.
l. Location of facilities.
m. Types of investments.
n. Financing activities.
43

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Depending on the type of nonprofit organization, contributions, membership dues, or program service fees are
generally a significant class of transactions; therefore, the auditor will normally place emphasis on understanding
matters related to the major source of revenue and revenue recognition.
Risk Assessment Procedures and Factors to Consider. Similar to the understanding of industry, regulatory and
other external factors, the auditor often initially makes inquiries of appropriate client personnel about matters
pertaining to the nature of the entity. To make effective riskbased inquiries, it is critical that the auditor identify the
right person within the entity that possesses not only the requisite knowledge about the matter queried, but also
about the nature of risks, how the entity has addressed them, and what the remaining risk is to the entity. In a small
entity, the executive director may be able to answer most inquiries while in a larger entity there may be several
individuals that the auditor should query.
The auditor's inquiries may be supplemented by additional inquiries and other risk assessment procedures as
deemed necessary to fully understand the entity, its operations, structure, governance, investments, and financing
so that related risks can be identified. The understanding also provides the auditor with an expectation of what
classes of transactions, account balances, and disclosures will be present in the financial statements. The auditor
may need to expand inquiries based on the client's responses to more fully understand the area and follow up on
information that may be indicative of a potential risk. For example, the sources of support and revenue and the
types of expenditures of the nonprofit organization can have a critical effect on the nature, extent, and timing of
audit procedures and the overall audit approach. An organization that derives revenue primarily from service fees
(such as ticket sales) might be audited in essentially the same manner as a business enterprise providing the same
services. An organization that depends on service fees may have to change its marketing approach if its customer
base changes significantly (for example, a nonprofit daycare center in an area with a declining population). This
could cause problems with the collectibility of revenue. An organization that depends primarily on contributions
may require a much different audit approach. An organization that depends primarily on general public contribu
tions generally has a higher risk of material misstatement of revenue than an organization that receives all of its
support from one or a few funding sources. Also, organizations soliciting significant contributions may be tempted
to present functional expenses on the statement of activities that show a favorable allocation between programs
and support service activities.
Objectives, Strategies, and Related Operating Risks
The auditor should obtain an understanding of the entity's objectives, strategies, and related operating risks. The
basic concept here is that most operating risks eventually have financial consequences and, thus, an effect on the
financial statements. Not all operating risks create risks of material misstatement, so the auditor needs to focus on
risks that have financial reporting implications in the entity's particular circumstances.
The auditor obtains an understanding of management's objectives and strategies to identify the related operating
risks. Management and directors determine the entity's objectives which are the overall plans for the entity.
Management's strategies are the operational approaches adopted to achieve the objectives. The related operating
risks are the significant conditions, events, circumstances, actions, or inactions that could adversely affect the
entity's ability to achieve its objectives or implement its strategies. When obtaining an understanding of the entity's
objectives and strategies, it is often helpful to consider whether strategies align with objectives and if strategies
have been implemented. By doing so, the auditor may become aware of heightened or additional business risks
and potential risks of material misstatement.
Risk Assessment Procedures and Factors to Consider. When obtaining an understanding of management's
objectives and strategies to identify the related operating risks, the risk assessment procedures employed by the
auditor may be influenced by the size and sophistication of the client. Smaller entities generally do not have formal
plans or processes that are documented, which forces the auditor to rely primarily on inquiries. In contrast, some
larger or more sophisticated entities may have written strategic plans that provide a road map for the objectives,
strategies, and associated operating risks that have been selected and identified by the management team.
When making inquiries, the auditor will generally restrict questioning to upper management of the entity given the
subject matter and the level of knowledge that is needed to sufficiently address it. These inquiries would prompt
management to describe the entity's future trends, expectations, objectives, and strategies. For example, a down
turn in the local economy can put nonprofit organizations under severe financial pressure. Not only may it be
44

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

difficult to obtain new contributions, it may also be difficult to collect promises to give received in previous years.
Management's response may vary considerably, and the auditor should inquire about management's plans.
Management may cut costs and reduce activities or may attempt to develop new funding sources or engage in
aggressive investment strategies. These various responses can affect the audit areas considered to be key areas
as well as the risk of particular types of misstatements. Scrutiny by outside parties and externally imposed audit and
compliance requirements may influence management control consciousness and result in better or more extensive
administrative, accounting, and control policies or procedures than typically found in a similar size private busi
ness. On the other hand, the combination of a volunteer governing board and high personnel turnover may result
in a poor control environment and increased risk of material misstatement. Also, the organization's service orienta
tion may result in a lack of sound operating practices and the absence of clear lines of authority and responsibility.
The relative effect of these conflicting characteristics must be considered for the particular organization in assess
ing the risk of material misstatement. The governing board can be a positive control feature for a nonprofit
organization if the board is properly structured and functions effectively. The board should have at least some
members that are not members of management. In addition, the board members should also have a good
reputation for integrity. Also, the board can be more effective if it has a regular schedule for evaluating how the
organization is functioning and how management is carrying out the organization's mission. It is helpful if board
members selected to serve on the audit committee or its equivalent include outside members that have experience
in accounting, finance, or auditing.
Measurement and Review of the Entity's Financial Performance
The auditor should obtain an understanding of the measurement and review of the entity's financial performance
made by management and external parties. Information used by management for measurement and review might
include the following:
a. Key performance indicators (KPI), both financial and nonfinancial.
b. Trends.
c. Key ratios and other operating and financial statistics.
d. Forecasts, budgets, and variance analyses.
e. Periodonperiod financial performance.
f. Employee performance measures.
g. Program, grant, or other performance reports.
Information prepared by external parties might include grantor reports, charity watchdog group reports, and credit
rating agency reports.
Performance measures can affect the audit and the auditor's assessment of the risks of material misstatement in
several ways, including the following:
a. The pressure to meet performance targets, such as the ratio of program expenses to total expenses, could
motivate management actions, including intentional misstatements, such as misallocation of costs
between supporting activities and program services, and, thus, affect the auditor's risk assessment.
b. Use of performance measures might highlight unexpected results or trends such as unusually rapid
growth, which upon investigation result in detection of misstatements.
c. The auditor might be able to use key performance indicators or other measures used by management when
performing analytical procedures. However, the auditor should consider whether the information used by
management is reliable and provides the degree of precision that is needed for the analytical procedures.
As noted in item a, management may be motivated to manipulate account balances that affect key performance
indicators. For example, in a situation where management has guaranteed the debt of the organization, if the ratio
45

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

of a key expense to revenue is an important metric, management might have an incentive to improperly capitalize
a portion of that expense. A small nonprofit entity might not have a formal process to measure and review financial
performance, but management will still likely be aware of key performance indicators that it uses and that can be
helpful to the auditor.
Risk Assessment Procedures and Factors to Consider. The procedures used by the auditor for understanding
the measurement and review of the entity's financial performance will often be driven by the size and sophistication
of the entity. For example, a sophisticated entity may have developed a dashboard" reporting system that
incorporates carefully selected key performance indicators that management has deemed to be the primary
metrics in achieving its goals and objectives. In that case, the auditor could inspect and review these measures
along with any accompanying analyses in order to identify risks that may be indicative of material misstatement.
In a smaller entity, management may have identified key financial performance indicators that it uses when
managing the organization, but it prepares no formal reporting or analyses. Instead, as management reviews
financial or other operating reports, a determination is made whether the organization has achieved the targets that
management has established for these indicators. For these situations, the auditor would likely use inquiry to
determine what indicators management believes are important in managing and measuring the entity's results and
inspect the reports that are used to monitor performance.
For all situations, the auditor should consider inquiring whether there is any external measurement of the entity's
performance such as by charity watchdog groups or grantors. If so, the auditor may review available reports to
identify potential risks.
Selection and Application of Accounting Policies
The auditor should obtain an understanding of management's selection and application of accounting policies and
evaluate whether the policies are appropriate for the entity's activities and consistent with policies used in the
relevant industry. This understanding is important for considering the risks of material misstatement at both the
financial statement and relevant assertion levels, including both misstatements due to fraud and those due to error.
The auditor's assessment of the appropriateness of the accounting policies that management has selected and
applied is an important element in determining what can go wrong in the preparation of financial statements and,
hence, in assessing risks of material misstatement.
APB Opinion No. 22, Disclosure of Accounting Policies (FASB ASC 23510053), explains that the accounting
policies of an entity are the specific accounting principles and the methods of applying those principles that are
judged by management of the entity as the most appropriate in the circumstance to present fairly financial position,
activities, and cash flows in conformity with GAAP (or an OCBOA). Thus, accounting policies include the account
ing principles as prescribed by relevant accounting pronouncements as well as the methods adopted to apply
those principles in the circumstances. When an accounting pronouncement permits an alternative in the way an
accounting principle is applied or does not dictate a specific method of application, management has to adopt a
method that is most appropriate in the circumstances. For example, SFAS No. 5, Accounting for Contingencies,
provides some guidance on estimating the loss for uncollectible receivables, but does not mandate a particular
method of estimation. Management needs to develop an accounting policy to determine when it is probable the
contractual amount of a receivable will not be collected and what the amount of the loss will be. The auditor needs
to obtain an understanding of the accounting policy and its application and evaluate the appropriateness in the
circumstances.
The auditor's understanding of management's selection and application of accounting policies includes the
following:
a. Relevant accounting pronouncements and industry specific practices.
b. The methods the entity uses to account for significant and unusual transactions.
c. The effect of significant accounting policies in controversial or emerging areas for which there is a lack of
authoritative guidance or consensus.
46

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

d. Changes in the entity's policies, including the reasons for the change and whether the change is
appropriate and consistent with GAAP (or an OCBOA).
e. Financial reporting standards and regulations that are new to the entity and management's plans to adopt
such requirements, including new accounting pronouncements.
f. The process used by management in formulating particularly sensitive accounting estimates.
g. The methods used to identify matters for disclosure and how the entity achieves clarity in disclosure.
The auditor uses the understanding of these aspects of management's selection and application of accounting
policies to identify audit areas of higher risk and to identify what could go wrong at the relevant assertion level. For
example, if the entity has to apply a relatively complex accounting pronouncement to a new type of significant
transaction, there ordinarily is a higher risk of material misstatement for the account balance affected, such as
properly valuing donated noncash assets or use of facilities. For items of disclosure, many auditors of smaller
entities assist management in preparing the financial statements. In those cases, identification and clarity of
required disclosures are often heavily influenced by the auditor. Therefore, the potential for risk may be mitigated
with respect to disclosure.
The auditor should use the understanding of management's selection and application of accounting policies along
with the identification of fraud risk factors to evaluate whether an overall response is necessary. SAS No. 99 (AU
316.50) notes that one of the ways in which judgments about the risk of material misstatement due to fraud have an
overall effect relates to accounting principles:
The auditor should consider management's selection and application of accounting principles,
particularly those related to subjective measurements and complex transactions.
In establishing the overall audit strategy, the auditor focuses on whether the accounting principles selected and
policies adopted are being applied in an inappropriate manner. If the auditor identifies a risk in this area, it is often
addressed by an overall response, such as the assignment of more experienced personnel and a higher level of
supervision, as well as by the selection of specific further audit procedures.
Risk Assessment Procedures. The nature and extent of the risk assessment procedures to obtain an understand
ing of the selection and application of accounting policies normally depend on factors such as:
 The auditor's knowledge and experience with the client's industry.
 The auditor's past experience with the client.
 The degree of financial reporting sophistication of the client.
 The extent of new accounting standards that are recently effective for the client.
 The auditor's participation in assisting the client with the selection of accounting policies and the
preparation of the financial statements.
For many small nonprofit organization clients, the auditor is instrumental in both selecting accounting principles
and choosing the methods by which they are applied. Consideration of accounting policies for those clients
ordinarily will not be a timeconsuming process since the auditor already possesses much of the requisite knowl
edge. The auditor in those cases can generally confine inquiries of the client to matters such as the manner and
consistency of application.
For other situations where the auditor is not involved in the selection of accounting policies or has limited experi
ence with the client, the auditor may inquire about the matters discussed earlier. Also, the auditor may supplement
inquiries with a review of interim or prior year financial statements and supporting disclosures (for initial audits)
coupled with a thorough review and understanding of relevant accounting standards that are either new or
specifically applicable to the client's industry or its transactions.
47

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Fraud Risk Factors


When obtaining information about the entity and its environment, the auditor should consider whether the informa
tion indicates that fraud risk factors are present. That is, the auditor considers the existence of fraud risk factors
while performing other audit planning procedures. Auditors are not specifically required to look for fraud risk factors
during planning, but are required to consider, based on their knowledge of the entity and its environment, whether
fraud risk factors exist. Fraud risk factors are conditions or events that indicate incentives/pressure to perpetuate
fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action. Fraud risk
factors may be related to fraudulent financial reporting or misappropriation of assets.
The identification of fraud risk factors is a natural byproduct of performing risk assessment procedures. Along with
the other information obtained about the entity and its environment, the fraud risk factors are an important
component in identifying the risks of material misstatement at the financial statement and relevant assertion levels.
The auditor's primary concern in considering fraud risk factors is to identify whether a risk factor is present and
should be considered in identifying and assessing risks of material misstatement due to fraud. The presence of a
particular fraud risk factor does not necessarily indicate the existence of fraud. Whether a risk factor is present and
should be considered in identifying and assessing the risks of material misstatement due to fraud is a matter of
professional judgment.
Examples of Fraud Risk Factors. SAS No. 99 provides examples of fraud risk factors that may be considered
when identifying and assessing the risks of material misstatement due to fraud. The risk factors presented in SAS
No. 99 are classified into factors related to fraudulent financial reporting and factors related to misappropriation of
assets. Because it may be helpful to consider fraud risk factors in the context of the conditions generally present
when fraud occurs, the standard further classifies the illustrative risk factors into conditions relating to incentives/
pressures, opportunities, and attitudes/rationalizations. It is important to note that these are only examples and the
auditor also may consider other risk factors not specifically listed in the standard. In fact, SAS No. 99 (AU 316.33)
states:
Although the risk factors cover a broad range of situations, they are only examples and,
accordingly, the auditor may wish to consider additional or different risk factors. Not all of these
examples are relevant in all circumstances, and some may be of greater or lesser significance in
entities of different size or with different ownership characteristics or circumstances.
Auditor's Considerations of Fraud Risk Factors. For misappropriation of assets, the consideration of fraud risk
factors is influenced by the degree to which assets susceptible to misappropriation are present. However, some
consideration should be given to risk factors related to incentives/pressures, opportunities arising from control
deficiencies, and attitudes/rationalizations for misappropriation, even if assets susceptible to misappropriation are
not material. One of the primary fraud risks in small nonprofit organizations is fraudulent cash disbursements, in
which case there is always an asset subject to misappropriation. Similarly, securities in the custody of a broker may
be susceptible to misappropriation through unauthorized trading. Therefore, there should always be some consid
eration of fraud risk factors related to misappropriation. In addition, when considering risk factors for misappropri
ation, the auditor may identify risk factors related to inadequate monitoring and weaknesses in internal control that
could also be present when fraudulent financial reporting occurs.
The presence of risk factors related to financial stress or dissatisfaction among employees is particularly important
when considering the risk of misappropriation of assets because those conditions often provide both incentive and
rationalization for theft. The auditor, during the course of the audit, may become aware of information that indicates
potential financial stress or dissatisfaction of employees with access to assets susceptible to misappropriation.
Examples include:
 Anticipated layoffs that are known to employees.
 Unfavorable changes in employee compensation or benefit plans.
 Failure to receive promotions or other expected rewards.
 Abusive or overbearing management coupled with unreasonable expectations.
48

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

 Known unusual changes in behavior or lifestyle.


 Employees that are known to be experiencing significant personal financial obligations.
 Behavior indicating dissatisfaction with the entity, including disregard for organization policies and
procedures.
If the auditor becomes aware of the presence of these or similar risk factors, he or she should consider them when
identifying the risks of material misstatement due to fraud.
One of the fraud risk factors related to fraudulent financial reporting states, Management is dominated by a single
individual (such as the executive director, development director, or program director) or small group without
compensating controls such as effective oversight by a board of directors or audit committee." What about
management dominance, then, in the nonprofit organization? It is believed domination of management by a single
individual does not, in and of itself, indicate a failure by management to display and communicate an appropriate
attitude regarding internal control and the financial reporting process. In fact, in many small entities, strong
management involvement actually can be a control strength in that there is a great deal of oversight of employees
throughout the process.
Auditors should consider the importance of the modifying language in the risk factors (such as inappropriate
means, unduly aggressive, etc.). For example, one such factor is: There is an excessive interest by management
in manipulating the organization's trends in contribution revenue, the change in net assets, or expense allocations
through the use of unusually aggressive accounting practices." Many nonprofit organizations have an interest in
reporting positive trends in contributions revenue and in minimizing supporting services expenses. The key
consideration, however, is whether management has shown an interest in manipulating the financial statements
through unusually aggressive accounting practices. This situation would likely be considered a fraud risk factor.
However, if management is interested in minimizing supporting services expenses through legitimate means, such
as allocations based on detailed time and use studies, then the auditor most likely would not consider this to be a
fraud risk factor.
If fraud risks are present, SAS No. 109 (AU 314.12) requires that the auditor should consider whether the
assessment of the risk of material misstatement due to fraud calls for an overall response, one that is specific to a
particular account balance, class of transaction, or disclosure at the relevant assertion level, or both." An overall
response is considered in establishing the overall audit strategy and a specific response is considered in develop
ing the detailed audit plan.

49

Companion to PPC's Guide to Audits of Nonprofit Organizations

50

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
13. Which auditing standard requires an understanding of the entity's internal control?
a. The second general standard
b. The third general standard
c. The second standard of fieldwork
d. The third standard of fieldwork
14. Which of the following statements is correct concerning understanding an entity and its environment?
a. SAS No. 109 is topically limited to fraud risk as it relates to the entity audited.
b. SAS No. 109 requires auditors to document their understanding of external factors.
c. Initial data concerning external factors will be obtained via analytical procedures.
d. Differences between forprofit and nonprofit entities should not affect the audit.
15. Which of the following statements is correct concerning measurement and review of the entity's financial perfor
mance?
a. The auditor should calculate key performance measures rather than relying on calculation results supplied
by management.
b. External party statistics are only as good as the information supplied by the client entity.
c. Performance measures can increase the risk of material misstatement in the client's financial statements.
d. The sophistication of the entity has no bearing on the procedures used by the auditor concerning measure
ment and review of the entity's financial performance.
16. Which of the following statements is correct concerning fraud risk factors?
a. Auditors consider fraud risk factors as a separate procedure.
b. Auditors must look for fraud risk factors during planning.
c. Fraud risk factors may relate to fraudulent financial reporting or defalcation.
d. Events, opportunities, and attitudes must all be present to form a fraud risk factor.

51

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
13. Which auditing standard requires an understanding of the entity's internal control? (Page 39)
a. The second general standard [This answer is incorrect. The second general standard requires the auditor
to maintain an attitude of independence.]
b. The third general standard [This answer is incorrect. The third general standard requires the auditor to
exercise due professional care.]
c. The second standard of fieldwork [This answer is correct. The second standard of fieldwork
requires the auditor to understand the entity and its environment, including its internal control,
sufficiently to assess the risk of material misstatement of the financials caused by error or fraud.]
d. The third standard of fieldwork [This answer is incorrect. The third standard of fieldwork concerns obtaining
sufficient audit evidence to afford a basis for an opinion regarding the financial statements being audited.]
14. Which of the following statements is correct concerning understanding an entity and its environment? (Page
40)
a. SAS No. 109 is topically limited to fraud risk as it relates to the entity audited. [This answer is incorrect. SAS
No. 99 is topically limited to fraud risk. SAS No. 109 concerns the risk of material misstatement of the
financial statements, whether from error or fraud.]
b. SAS No. 109 requires auditors to document their understanding of external factors. [This answer
is correct. SAS No. 109 requires auditors to document key elements of the understanding obtained
for each of the aspects of the entity and its environment. An understanding of external factors that
may affect the entity, its environment, and its performance is one such aspect.]
c. Initial data concerning external factors will be obtained via analytical procedures. [This answer is incorrect.
Normally, auditors will use inquiry procedures to gather initial information concerning external factors that
may affect the entity.]
d. Differences between forprofit and nonprofit entities should not affect the audit. [This answer is incorrect.
Differences such as donor and grant restrictions and legal requirements can create audit requirements for
a nonprofit that are more stringent than those for a forprofit enterprise of similar size.]
15. Which of the following statements is correct concerning measurement and review of the entity's financial perfor
mance? (Page 45)
a. The auditor should calculate key performance measures rather than relying on calculation results supplied
by management. [This answer is incorrect. The auditor should consider whether the information supplied
by management is reliable and suitable for the auditor's needs.]
b. External party statistics are only as good as the information supplied by the client entity. [This answer is
incorrect. External party information can include information concerning the industry as a whole, and
information from other third parties such as credit reports and reports of vendors and creditors.]
c. Performance measures can increase the risk of material misstatement in the client's financial
statements. [This answer is correct. Pressures and incentives resulting from the use of performance
measures may induce management to manipulate financial results in order to achieve the desired
target or stay within the desired parameters.]
d. The sophistication of the entity has no bearing on the procedures used by the auditor concerning
measurement and review of the entity's financial performance. [This answer is incorrect. Size and
52

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

sophistication of the entity are often a factor in the procedures chosen by the auditor concerning
measurement and review of the client entity's financial performance. For instance, a small entity may not
prepare formal analysis and reports. In such a case, the auditor would begin with inquiry to determine the
indicators considered important and used by management.]
16. Which of the following statements is correct concerning fraud risk factors? (Page 48)
a. Auditors consider fraud risk factors as a separate procedure. [This answer is incorrect. Fraud risk factors
are considered during planning.]
b. Auditors must look for fraud risk factors during planning. [This answer is incorrect. Auditors are not
required to look for fraud risk factors during planning, but must consider whether such factors exist.]
c. Fraud risk factors may relate to fraudulent financial reporting or defalcation. [This answer is correct.
Fraud risk factors can relate to misappropriation of assets as well as to fraudulent financial
reporting.]
d. Events, opportunities, and attitudes must all be present to form a fraud risk factor. [This answer is incorrect.
Any combination of these factors should be taken into account as the auditor assesses fraud risk.]

53

Companion to PPC's Guide to Audits of Nonprofit Organizations

54

NPOT09

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

EXAMINATION FOR CPE CREDIT


Lesson 1 (NPOTG091)
Determine the best answer for each question below. Then mark your answer choice on the Examination for CPE
Credit Answer Sheet located in the back of this workbook.
1. Which of these standards establishes key requirements and provides guidance affecting preliminary audit
planning?
a. SAS No. 56, Analytical Procedures
b. SAS No. 110, Performing Audit Procedures in Response to Assessed Risks
c. SAS No. 65, The Auditor's Consideration of the Internal Audit Function
d. SAS No. 99, Consideration of Fraud in a Financial Statement Audit
2. Which of the following is a preliminary engagement activity?
a. Establish preliminary audit strategy
b. Perform preliminary analytical procedures
c. Engagement team discussion
d. Issue an engagement letter
3. Which of the risk assessment procedures explicitly required by SAS Nos. 108 and 109 is not also required by
SAS 99?
a. Inquiries of management
b. Preliminary engagement activities
c. Observation and inspection
d. Engagement team discussion
4. Richard Jeffries, CPA, has been engaged by Kenco LTD to conduct an audit of the fiscal year just ended. This
is Jeffries third consecutive engagement for Kenco. During the previous year, Kenco paid off its line of credit
and ended the receivables assignment and lockbox arrangement with its bank; all receivable receipts are now
being handled inhouse. What should Jeffries do concerning risk assessment procedures in this area?
a. Increase the extent of the procedures and include walkthroughs
b. Contact bank management concerning the arrangement
c. Rely on previous audits to limit analytical procedures
d. Rely on management responses to auditor inquiries concerning the change

55

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

5. The Yellow Book is an authoritative resource for audits of governmental entities.


a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.
6. Concerning fraudrelated inquiries, the auditor is not required to ask which of the following questions?
a. Are you aware of actual fraud within your organization?
b. Do you have reason to suspect fraud is occurring?
c. Are you now committing, or have you ever committed, fraud?
d. Do you have reason to suspect your superior of committing fraud now or in the past?
7. When documenting risk assessment procedures in compliance with SAS Nos. 109 and 103, documenting
which of the following characteristics is recommended?
a. The name and job title of the person suspected of fraud
b. The date of the inquiry
c. The nature of the infraction
d. The date the person was first suspected
8. Which of the following statements is correct concerning analytical procedures?
a. Analytical procedures should be completed prior to the beginning of fieldwork.
b. To be effective, there must be plausible relationships and reasonable expectations.
c. Benchmarks are unnecessary for analysis concerning small nonprofit organizations.
d. Such analysis normally uses information aggregated at a relatively low level.
9. Which of the following is one of the specialized ratios mentioned in the text for ratio analysis of a specific
nonprofit?
a. Federal to nonfederal funds ratio
b. Fundraising expense ratio
c. Contribution revenue ratio
d. Program expenses to total expenses ratio

56

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

10. The auditor can limit documentation of preliminary analytical procedures.


a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.
11. SAS No. 99 indicates that which of the following should be discussed by the audit team as a specifically
fraudrelated matter?
a. Personnel changes in the client's organization
b. Complexity of transactions
c. Decisions concerning planning materiality and tolerable misstatement
d. Internal and external pressures
12. Which of the following is not one of the items required to be documented by SAS No. 109 regarding audit team
discussion?
a. When the discussion occurred
b. Subject matter discussed
c. Names and job titles of client management
d. Significant decisions concerning planned responses at the relevant assertion level
13. Which of the following statements is correct concerning the audit team's understanding of the entity and its
environment?
a. The process of understanding the client's activities should be completed by the end of the planning
process.
b. Each member of the audit team must fully understand the client's activities in order to properly assess risk.
c. The audit team should establish planning materiality that will remain appropriate throughout the audit.
d. Understanding regulatory factors is important to the audit team's understanding of the client entity.
14. Which of the following statements is correct concerning the nature of a nonprofit entity and risk assessment
factors to be considered by the auditor?
a. Program service fees are generally not material as a class of transactions concerning client revenue
sources.
b. A ratio of the number of contributors to the average contribution could indicate the level of risk of material
misstatement of revenue.
c. Determining whether strategies align with objectives is an issue for a management audit, and is outside
the scope of a financial statement audit.
d. The governing board for a nonprofit organization should not contain members of management.
57

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

15. Which of the following statements is correct concerning the entity's selection, application, and disclosure of
accounting policies?
a. Risk of misstatement with respect to disclosure may actually increase if the auditor has helped prepare the
client's financial statements and items of disclosure.
b. According to APB Opinion No. 22, the entity's accounting policies are both the specific accounting
principles and the methods of applying them.
c. The auditor's understanding of the entity's selection, application, and disclosure of accounting policies is
limited to GAAP.
d. Consideration of the application and disclosure of accounting policies at the relevant assertion level
negates the need for financial statement level consideration.
16. Jason Malone, CPA, is conducting the annual audit of the financial statements of Gregory Inc. Malone is
determined that a risk of fraud exists. What should Malone do next?
a. Notify management immediately and prepare to issue a disclaimer
b. Notify the authorities
c. Consider this factor in risk assessment
d. Consult legal counsel

58

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Lesson 2: PLANNING THE AUDIT


INTRODUCTION
When planning the audit, knowledge and understanding of the client entity's internal controls is essential to
assessing risk and determining the audit procedures to be performed; this includes consideration of the role IT
plays in processing and securing the client's data, and how this may impact the audit. The auditor must also set
materiality benchmarks and develop an overall audit strategy. These issues, as well as the auditor's responsibility
related to fraud detection are discussed in this lesson.
Learning Objectives:
Completion of this lesson will enable you to:
 Examine the various elements and issues concerning internal control including the basic components, the
effect of IT, the control environment, risk assessment, etc.;
 Describe setting materiality benchmarks, assessing risk of misstatement at the financial statement level, and
establishing overall audit strategy;
 Explain the types of misstatements related to fraud, discuss the auditor's responsibility for fraud detection and
the fraud risk assessment process, etc.; and
 Examine various issues concerning substantive procedures including transaction testing, establishing fiscal
cutoffs, etc., summarize general planning procedures, and summarize miscellaneous issues related to
performing the audit, including estimating and managing time.

UNDERSTANDING INTERNAL CONTROL


SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,
provides guidance to auditors related to consideration of internal control as part of an audit. It also provides
guidance about how the entity's use of information technology (IT) affects the auditor's consideration of internal
control in planning the audit. SAS No. 109 (AU 314.40) requires auditors to obtain an understanding of internal
control that is sufficient to assess the risk of material misstatement of the financial statements due to error or fraud
and design the nature, timing, and extent of further audit procedures. This section provides an overview of the
general requirements of SAS No. 109 related to obtaining an understanding of internal control. Guidance is
provided on the nature and extent of the auditor's understanding, the requirement to understand controls related to
significant risks and risks for which substantive procedures alone are not sufficient, and the effect of information
technology on internal control. This course also provides a practical stepbystep approach for obtaining an
understanding of internal control, which involves focusing on key controls and control objectives to effectively and
efficiently evaluate the design and implementation of controls relevant to the audit. Detailed guidance on evaluating
the design and implementation of entitylevel controls is provided. Detailed guidance on evaluating the design and
implementation of activitylevel controls is provided.
Components of Internal Control
SAS No. 109 requires an understanding of five interrelated components of internal control defined and described
in COSO's Internal Control Integrated Framework. Those components are as follows:
a. Control environment.
b. Risk assessment.
c. Information and communication.
d. Monitoring.
e. Control activities.
59

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

In assessing the risk of material misstatement of the financial statements to develop an overall audit strategy,
auditors generally focus on obtaining an understanding of the control environment, risk assessment, information
and communication, and monitoring components, typically obtaining an understanding of the control environment
first. The understanding of control activities is not needed until planning the nature, timing, and extent of further
audit procedures at the assertion level. As a practical matter, however, auditors often obtain an understanding of
control activities while obtaining an understanding of the other control components. As an entity's operations and
systems become more complex, auditors often need to increase their understanding of the internal control
components to obtain a sufficient understanding to assess the risk of material misstatement of the financial
statements and to plan the nature, timing, and extent of further audit procedures.
Throughout this discussion, this course refers to the internal control components of control environment, risk
assessment, information and communication (excluding the financial reporting system), and monitoring as entity
level" controls. Those controls typically have a pervasive effect on the entity's system of internal control and can,
therefore, potentially influence the design and operating effectiveness of other controls. This course refers to the
financial reporting system (along with the IT environment and general computer controls) and the control activities
component of internal control as activitylevel" controls.
Nature of the Auditor's Understanding
SAS No. 109 requires auditors to obtain a sufficient understanding of the five components of internal control to
assess risk and design the nature, timing, and extent of further audit procedures. To obtain that understanding, the
SAS requires auditors to perform risk assessment procedures to (a) evaluate the design of controls that are relevant
to the audit and (b) determine if they have been implemented. A key consideration is whether and how the entity's
internal control prevents, or detects and corrects, material misstatements in relevant assertions related to transac
tion classes, account balances, or disclosures.
Thus, an understanding of internal controls incorporates two primary elements the evaluation of the design of the
control and a determination of whether it has been implemented. Evaluation of design considers whether the
control, individually or in combination with other controls, is capable of effectively preventing or detecting and
correcting material misstatements. In other words, the auditor considers the effectiveness of the control in achiev
ing its objective. If a control is improperly designed, a control deficiency may exist that needs to be communicated
to management and those charged with governance as more fully described in SAS No. 115, Communicating
Internal Control Related Matters Identified in an Audit (AU 325).
It is not enough to simply determine whether a control as described or documented is effective in design. Many
sophisticated entities have extensive policies and procedures manuals that provide intricate descriptions of con
trols, their objectives, and the procedures that should be followed to achieve the objectives. The documentation of
a control procedure, however, does not demonstrate that the control is actually being used. The auditor, therefore,
should also determine if the control, as documented or described, actually exists and the entity is using it. In other
words, the auditor should use risk assessment procedures to obtain audit evidence that the control has been
implemented. Generally, the auditor uses procedures such as observation or inspection, along with inquiries, to
verify implementation. Inquiry alone is not sufficient to evaluate the design of a control and determine if it has been
implemented.
Extent of the Auditor's Understanding
The overriding requirement for the understanding of internal control is that it should be sufficient to assess the risk
of material misstatement of the financial statements due to error or fraud and to design the nature, timing, and
extent of further audit procedures. Obtaining an understanding that is sufficient to assess the risks of material
misstatement requires the auditor to develop a fairly thorough and robust knowledge of the components of internal
control. That is primarily because the auditor is required to have, and document, the basis for his or her risk
assessment. Under the risk assessment standards, the auditor is not permitted to simply default to high control risk.
However, SAS No. 109 (AU 314.48) clearly indicates that the extent of the understanding of internal controls that is
sufficient is a matter of professional judgment.
In most cases, the auditor's understanding of internal control will be more comprehensive than the understanding
of the other aspects of the entity and its environment, and obtaining it will require more time. In addition, for initial
60

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

audit engagements, the effort and time to gather information on the components of internal control that is sufficient
to assess risk will most likely exceed that necessary for engagements in following years. However, in general terms,
the extent of the understanding, along with the nature, timing, and extent of the risk assessment procedures
performed to obtain the understanding, are affected by factors such as the following:
 The auditor's prior experience with the client.
 Materiality and tolerable misstatement.
 Size of the entity.
 Organization and ownership (such as country club membership) characteristics.
 Number and nature of operating locations and subsidiaries.
 Degree of diversity of systems within the organization, including the use of service organizations.
 Nature of the client's industry.
 Applicable legal and regulatory requirements.
 Level of activity and financial sophistication of the client.
The results of preliminary engagement activities and the auditor's understanding of the entity and its environment
other than internal control generally influence the extent of the understanding of internal control components. Most
of the factors noted in the preceding paragraph are determined to a major degree when the auditor performs risk
assessment procedures to understand the entity and its environment. Furthermore, that understanding often
results in the identification of risks of material misstatement that further shape the direction, extent, and depth of the
auditor's understanding of internal control. (However, the auditor should be aware that additional risks of material
misstatement may be identified when obtaining an understanding of internal control and by performing further audit
procedures.) Therefore, it is recommended that the auditor perform risk assessment procedures related to the
understanding of the entity and its environment prior to obtaining an understanding of internal control.
Because the extent of understanding of internal control is a matter of professional judgment, auditors will often
struggle over what controls or combinations of controls to assess. The auditor should remember that it is not
necessary to obtain an understanding of every control at the client. To do so would be cost prohibitive and simply
unnecessary for most audit engagements. Rather, the auditor's focus should be on those key controls that are
relevant to the audit. As indicated previously, the auditor must make an informed judgment as to the controls or
combination of controls to assess. Although the extent of the auditor's understanding is a matter of professional
judgment, SAS No. 109 provides certain specific requirements related to the understanding of internal control
components. In addition, according to SAS No. 109, the auditor should understand and evaluate the following
matters, which may relate to any of the five components:
 The design and implementation of controls, including relevant control activities, related to significant risks
(AU 314.115).
 The design and implementation of controls, including relevant control activities, related to risks for which
substantive procedures alone are not sufficient (i.e., risks requiring tests of controls to obtain sufficient audit
evidence) (AU 314.117).
 The effect of IT on internal control, specifically how IT affects control activities that are relevant to the audit
(AU 314.92).
Understanding Controls Related to Significant Risks and Risks for Which Substantive Procedures Alone
are Not Sufficient
The auditor's understanding of internal control should include the entity's programs and controls that address risks
of material misstatement that are considered significant risks. Fraud risks are always considered to be significant
61

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

risks. Therefore, after completing his or her risk assessment procedures to evaluate internal control design and
implementation, the auditor should consider whether a sufficient understanding has been obtained of controls that
would prevent, or detect and correct, material misstatements related to fraud risks or other significant risks. If not,
the auditor should perform additional risk assessment procedures directed at gaining an understanding of controls
relating to those risks.
Programs and controls addressing fraud risks or other significant risks may relate to any of the five components of
internal control; thus, the auditor should use care not to isolate the understanding to only the control activities
component. The auditor should be alert to the fact that fraud risks or other significant risks may not be subject to
routine controls given the nature of the risk. Also, the auditor's understanding should extend to whether and how
management responds to those risks.
Controls that address fraud risks frequently relate to the following:
a. Control Environment. Fraud programs designed to prevent, deter, and detect fraud. For example, programs
to promote a culture of honesty and ethical behavior.
b. Control Activities. Specific controls designed to mitigate specific risks of fraud. For example, controls to
address specific assets susceptible to misappropriation.
As with other controls, the auditor should evaluate whether the programs and controls that relate to significant risks
are suitably designed and implemented and assess the risks of material misstatement due to error or fraud in light
of this evaluation. The existence (or lack of) these programs and controls might either mitigate or increase the risks
of material misstatement. The auditor should be sure to consider the control activities that are relevant to account
balances with a significant inherent risk of misappropriation of assets. The risk of misstatement due to fraud for
misappropriation of assets always depends on whether there are controls to prevent or detect concealment or theft
in the accounting records.
In addition to understanding and evaluating controls related to significant risks, auditors are required to understand
and evaluate controls related to risks for which substantive procedures alone are not sufficient. For those risks, the
auditor will have to perform tests of the operating effectiveness of controls to obtain sufficient audit evidence.
Therefore, the auditor needs an understanding of the design of relevant controls and confirmation that they have
been implemented before he or she can design and perform appropriate control tests.
Effect of Information Technology (IT) on Internal Control
SAS No. 109 does not address IT as a separate component of internal control it discusses how IT fits into internal
control. While the SAS does not require that auditors take a different approach in considering internal control when
an entity uses IT, it indicates that auditors should consider how IT affects an entity's internal controls because IT
affects the way transactions are initiated, authorized, recorded, processed, and reported. The effect on the client's
internal control is related more to the nature and complexity of the system than to the client's size. Many small and
midsize nonprofit organizations have simple computer operations. Typically, they use personal computers, which
may be linked in a local area network (LAN), and purchased software packages for specific applications, such as
accounts receivable. However, some entities may have internal control that is heavily dependent on information
technology. Use of the Internet or any other information technology does not necessarily mean that an entity's
internal control is heavily dependent on IT.
An entity with a simple computer system may use primarily paperbased manual procedures to enter contributions,
and maintain accounts receivable. The client may also use manual controls, such as approvals, reconciliations,
reviews, and followup of exceptions. In a system that uses automated procedures to initiate, record, process, and
report transactions, electronic records replace many of the paper forms. Controls in that environment generally
consist of a combination of automated and manual controls. Automated controls include processes such as edit
and validation routines embedded in computer programs. In addition, the nature of the manual controls may be
different. Manual controls in an automated system may be independent of the computer system, may use informa
tion produced by the system, or may be limited to monitoring the automated controls and handling exceptions. The
mix of manual and automated controls varies with the nature and complexity of the client's system.
62

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

As noted in SAS No. 109 (AU 314.62), the use of manual controls is often more effective when judgment and
discretion are needed. For example, manual controls would generally be more appropriate in the following
situations:
 Large, unusual, or nonrecurring transactions.
 When monitoring the effectiveness of automated controls.
 In changing circumstances where a control response may be needed outside of the scope of an automated
control.
 In circumstances where misstatements are difficult to anticipate, define, or predict.
However, automated controls may be more effective than manual control in other circumstances. Since manual
controls are performed by humans, they may be subject to override, misinterpretation, errors, or bypass. As a
result, automated controls may be more suitable in the following circumstances:
 Recurring transactions or high volume.
 Situations where errors can be anticipated or predicted and prevented or detected by control parameters
subject to automation.
 Control activities where their nature allows the use of properly designed automated control processes.
Benefits and Risks of IT. The use of computers may enhance the effectiveness and efficiency of the client's
internal control because of the consistency, timeliness, and accuracy inherent in automated systems. Use of
computers also offers benefits in terms of data analysis, monitoring entity performance, reduced risk of override,
and systems and data security. For example, in a computerized system, security controls can help achieve
segregation of duties. However, the use of computers also poses certain risks to a client's internal control, such as:
 Reliance on systems or programs that are inaccurately processing data or processing inaccurate data.
 Unauthorized access to data that may result in destruction of data or improper changes to data.
 Unauthorized changes to master file data.
 Unauthorized changes to systems or programs.
 Failure to change systems or programs when necessary.
 Inappropriate manual intervention.
 Loss or inability to access data.
The extent and nature of those risks depends on the nature and characteristics of the client's system. In many
systems, users can access a common database of information that affects financial reporting. A lack of control at
a single user entry point could compromise the security of the database and result in improper changes to or
destruction of data. For example, if there are improper controls over the rights and functions of a database
administrator, there may be a risk of error or fraud due to unauthorized data manipulation. Similarly, risks may be
higher if the client uses an integrated system where various software applications share data. If the applications
were provided by different vendors or their integration was not subject to proper controls, the entity may have a
higher risk of material misstatements.
In many IT environments, the processing of information is decentralized. For example, in a serverclient" arrange
ment, a central server hosts various clients and processing occurs both centrally on the server and remotely by
various clients. As a result, the IT environment is much more open than in the days when all IT processing was
confined to a mainframe computer. These environments can present a higher element of risk given a wider range
63

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

of access to data and processing by a variety of users. The range of threats to data and financial reporting may
range from unauthorized access to data and processing to the introduction of computer viruses.
In today's IT computing environments, the processing of financial data often is not confined within formally
developed or vendor supplied software applications. In many cases, users may access a database warehouse and
import data into a spreadsheet program for processing outside of a formal" application. Among other things, the
output of the spreadsheet application might be used as input for a standard software application, support for
journal entries, or support for disclosure information. However, in many cases, unlike the controls over the develop
ment or integration of standard software applications, spreadsheet applications developed by users might not be
subject to any formalized controls. For example, spreadsheet results may not be subjected to formalized testing or
there may be no controls over access, modification, or the use of multiple versions of a spreadsheet application.
Considering IT Risks. SAS No. 109 (AU 314.96) notes that the auditor should consider whether the entity has
established effective controls that adequately respond to the risks that arise from IT. Such controls not only include
properly designed and implemented application controls, but the general controls upon which application controls
depend. The AICPA Risk Assessment Audit Guide (paragraph 4.63) notes that the auditor should evaluate the
design of IT general controls and determine whether they have been implemented when assessing the risks of
material misstatement. The auditor should consider testing general controls when they plan to rely on IT application
controls to modify the nature, timing, and extent of substantive tests.
Other Considerations. In addition to the risks of material misstatement due to error or fraud that IT may introduce,
the auditor should be aware that the use of IT may affect the availability of information needed for the audit.
Furthermore, in certain situations the auditor may be precluded from using only substantive procedures when the
role of IT is significant to the processing of transactions. For example, in highly automated processing with little or
no manual intervention where information is initiated, authorized, recorded, processed, or reported electronically,
the auditor may determine that detection risk cannot be adequately reduced without testing the operating effective
ness of controls.
Considering Whether Specialized IT Skills Are Needed to Understand Internal Control. Auditors should
consider whether specialized IT skills are needed to determine the effect of IT on the audit, understand the IT
controls, or design and perform tests of IT controls or substantive procedures. The decision to use an IT specialist
is a matter of auditor judgment. SAS No. 108 (AU 311.23) states that auditors should consider the following factors
in determining whether the audit team should include individuals that possess specialized IT skills:
 The complexity of the entity's systems and IT controls and the manner in which they are used in conducting
the entity's activities.
 The significance of changes made to existing systems or the implementation of new systems.
 The extent to which data is shared among systems.
 The extent of the entity's participation in electronic commerce.
 The entity's use of emerging technologies.
 The significance of audit evidence that is available only in electronic form.
An IT specialist may be either a member of the auditor's firm or an outside professional.
If the auditor uses an IT specialist on the engagement team, the auditor should be knowledgeable enough to
communicate the audit objectives to the specialist, evaluate whether the procedures performed by the specialist
meet the auditor's objectives, and determine the effects of the procedures on the nature, timing, and extent of other
planned procedures. That does not mean auditors have to be experts in information technology. The auditor's
responsibility when using a computer specialist is the same as for other members of the engagement team, as
provided by SAS No. 108, Planning and Supervision (AU 311). To effectively supervise an IT specialist, auditors
need a basic understanding of computer applications and controls, especially those most relevant to particular
client systems. That understanding can be gained from experience with the client or from attending training classes
64

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

or seminars. The extent of the understanding will vary with the nature of the entity's IT environment. If the firm uses
an outside professional, the guidance in SAS No. 73 (AU 336) should be considered.
Government Auditing Standards Requirements. When specialists are used on Yellow Book audits, the auditor has
additional matters to consider. Those matters relate to independence, technical knowledge, and continuing profes
sional education.
How Are the Results of the Understanding Used?
The understanding of internal control should be sufficient to assess the risks of material misstatement and to design
the nature, timing, and extent of further audit procedures. Specifically, the understanding is used to:
 Identify types of potential misstatements.
 Consider factors that affect the risks of material misstatement.
 Design tests of controls, when applicable, and substantive procedures.
In addition, the understanding provides audit evidence that contributes to the auditors planned responses to
assessed risks and the performance of further audit procedures. This evidence is an element of the auditor's
cumulative audit evidence that ultimately supports the opinion on the financial statements. The auditor should be
alert for risks that may be identified during the process of obtaining an understanding of internal controls.
Normally, the auditor's understanding of internal control design and implementation is not sufficient to serve as
testing the operating effectiveness of controls. The same types of procedures performed to determine if a control
has been implemented (e.g., observation, inspection of documents, reperformance, and walkthroughs) are also
used when testing controls for operating effectiveness. However, the extent of the procedures to determine
implementation may fall short of what is needed to determine operating effectiveness because tests of operating
effectiveness need to provide audit evidence about how controls were applied throughout the period under audit
and the consistency with which they were applied. However, in some cases, the auditor's procedures may serve
both purposes. For example, a walkthrough can serve as a test of operating effectiveness and in some cases, along
with other procedures that test operating effectiveness, can provide a valid basis for assessing control risk at less
than high. In addition, for an automated control where consistency of application would normally occur assuming
the existence of effective IT general controls, the auditor may be able to determine operating effectiveness based
on procedures performed to establish that the control has been implemented and the auditor's assessment and
testing of the related general controls.

65

Companion to PPC's Guide to Audits of Nonprofit Organizations

66

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
17. Which of the following items is considered an entitylevel control by the text?
a. Control environment
b. Risk tolerance
c. Information technology
d. Control activities
18. Which of the following IT environments has the lowest degree of risk to the client's internal control?
a. A dedicated data processing department entering accounting data received from other departments into a
mainframe computer.
b. A peertopeer network with one user PC designated to receive data entry and store accounting data for the
entity as a whole.
c. A clientserver LAN with a dedicated server, a robust server operating system, userlevel network security,
and secure, distributed processing of accounting data.
d. A wireless network storing accounting data on a multiuser filesharing networked hard drive, with client
processing via multiple offtheshelf software packages.

67

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
17. Which of the following items is considered an entitylevel control by the text? (Page 60)
a. Control environment [This answer is correct. Control environment, risk assessment, information
and communication, and monitoring are all considered entitylevel controls.]
b. Risk tolerance [This answer is incorrect. Risk assessment is considered an entitylevel control.]
c. Information technology [This answer is incorrect. Information and communication is considered an
entitylevel control.]
d. Control activities [This answer is incorrect. Control activities are a component of internal control, but are
not considered an entitylevel control.]
18. Which of the following IT environments has the lowest degree of risk to the client's internal control? (Page 63)
a. A dedicated data processing department entering accounting data received from other departments
into a mainframe computer. [This answer is correct. This type of system is less prevalent in today's
PCdominated environment, but it is generally much more secure than peertopeer networks or a
LAN particularly one using multiple canned software packages that share a common database.]
b. A peertopeer network with one user PC designated to receive data entry and store accounting data for
the entity as a whole. [This answer is incorrect. The designated PC can serve as an access point for
unauthorized entry and data alteration. This PC can also crash while in use, leaving data in an unstable,
and perhaps unusable, state. The fact that the PC is also being used as a workstation also increases the
possibility of viruses being introduced from the Internet or from removable media.]
c. A clientserver LAN with a dedicated server, a robust server operating system, userlevel network security,
and secure, distributed processing of accounting data. [This answer is incorrect. Distributed processing
can be good for minimizing network traffic and server load, but bad for data integrity. Poor version control
can result in multiple versions of software being used to update the same data fields and databases. Client
computer problems involving the CPU, memory utilization, background services, registry problems, and
a host of other issues can cause the client to crash. Lack of rollback ability in the database software can
mean incomplete records or weak data bits reside in the database that can cause loss of data integrity.]
d. A wireless network storing accounting data on a multiuser filesharing networked hard drive, with client
processing via multiple offtheshelf software packages. [This answer is incorrect. Multiple offtheshelf
packages could mean that data can be adversely affected by the unintended consequences of such
canned software packages being improperly designed to share the same databases. It could also mean
manual points of entry are available to override or alter data. The wireless network can also be more
susceptible to hacking than a wired network via the broadcast signal.]

68

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

UNDERSTANDING ENTITYLEVEL CONTROLS


This course refers to the internal control components of the control environment, risk assessment, information and
communication (excluding the financial reporting system), and monitoring as entitylevel" controls. These controls
typically have a pervasive effect on the entity's system of internal control and can, therefore, potentially influence
the design and operating effectiveness of other controls. Also, the auditor generally accumulates a significant
amount of knowledge about activitylevel controls, through the understanding of entitylevel controls. As a result,
the authors recommend that auditors obtain an understanding of the entitylevel control components first, begin
ning with the control environment.
Control Environment
What Is the Control Environment? The control environment sets the tone of an entity and influences the control
consciousness of its people. The control environment is the foundation for all other components of internal control
and provides structure and discipline. Among the important elements of the control environment are the attitude,
awareness, and actions of management, as well as those charged with governance, concerning internal control.
The control environment of an organization includes the following elements:
 Participation of those charged with governance.
 Communication and enforcement of integrity and ethical values.
 Management's philosophy and operating style.
 Organizational structure.
 Human resource policies and procedures.
 Assignment of authority and responsibility.
 Commitment to competence.
An entity's control environment is a significant factor when considering the risks of material misstatement due to
error or fraud. The integrity of management often plays a significant role in establishing a strong control environ
ment. For example, although an entity might not have a written code of conduct, it might still have a culture that
emphasizes the importance of integrity and ethical behavior. That culture will be instilled through the visibility and
direct involvement of top management. Obtaining an understanding of the control environment of a small or
midsize nonprofit organization need not be a complex process. The term is more formal and imposing than the idea
behind it. The control environment is simply the conditions and circumstances that exist within the entity that
demonstrate management's attitude about controls and other indicators of management's integrity and motivation.
The auditor should obtain a sufficient knowledge of the control environment as a result of performing risk assess
ment procedures to understand the attitudes, awareness, and actions of management and those charged with
governance concerning internal control and its importance in achieving reliable financial reporting. The responsibi
lities assumed by management and those charged with governance related to financial reporting are particularly
important. For example, the auditor should identify the members of management, and directors if any, who are
expected to understand the entity's operating transactions and to evaluate whether they are appropriately reflected
in the financial statements. The auditor considers both (a) the aspects of the control environment that help insure
the integrity of financial reporting (that is, the key control environment controls) and (b) any control environment
weaknesses that could have a pervasive effect on the financial statements.
Characteristics of Nonprofit Organizations That Affect Internal Control. The Audit Guide, Paragraphs 2.47.48,
describes characteristics that make nonprofit organizations different from other entities. A nonprofit organization
typically:
 Uses organization resources to accomplish its mission rather than to generate net income.
69

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Must comply with provisions of statutes, contractual agreements, terms of grants and trust agreements,
or similar limitations.
 Is eligible for taxexempt status under Section 501 of the IRC, but may be subject to tax on income from
activities not related to its taxexempt purpose.
Also, the following general characteristics of nonprofit organizations usually affect internal control:
 A volunteer governing board, many of whose members serve for limited terms.
 A limited number of staff personnel, sometimes too few to provide the appropriate segregation of duties.
 A mixture of volunteers and employees participating in operations. Depending on the size and other
features of the organization, daytoday operations sometimes are conducted by volunteers instead of
employees. The manner in which responsibility and authority are delegated varies among organizations.
This may affect control over financial transactions, particularly with respect to authorization.
 A budget approved by the governing board. The budget may serve as authorization for the activities to be
carried out by management in attaining the organization's program objectives. Many nonprofit
organizations prepare budgets for both operating and capital expenditures.
The presence of scrutiny by outside parties and externally imposed audit and compliance requirements may have
a positive influence on control consciousness; however, the first three characteristics above may result in a poor
control environment in the typical nonprofit organization. This observation is not meant to impugn the integrity or
motivation of nonprofit management, but when these characteristics are present, the auditor usually must assess
control risk as high and take a primarily substantive approach to the audit in some key areas. The fourth character
istic of budgets approved by the governing board for operating and capital expenditures may provide a basis for
assessing control risk at less than high for some or all major classes of expense transactions. However, nonprofit
management must monitor variations from budget closely and follow up on significant variations promptly for this
characteristic to have any effect on the auditor's assessment of control risk.
Control Objectives. When obtaining an understanding of internal control, many auditors consider control objec
tives during the process of identifying controls and evaluating their design and implementation. Controls are
properly designed and implemented if (a) they achieve the control objectives and (b) the entity is using them.
Exhibit 21 provides a list of control objectives for each of the elements discussed above.
Exhibit 21
Control Objectives Control Environment
Control Environment Element

Control Objective

Participation of those charged with governance.

Those charged with governance are actively


involved and have significant influence over the
entity's internal control environment and its finan
cial reporting.

Communication and enforcement of integrity and


ethical values.

Management, through its attitudes and actions,


demonstrates character, integrity, and ethical val
ues. Sound integrity and ethical values, particularly
of top management, are developed and set the
standard of conduct for the organization and
financial reporting.

70

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Control Environment Element

Control Objective

Management's philosophy and operating style.

Management's philosophy and operating style are


consistent with a sound control environment and
have a pervasive effect on the entity. Management
analyzes the risks and benefits of new ventures,
assesses turnover among employees, investigates
and resolves improper business practices, views
accounting as a means to monitor and control the
various activities of the organization, and adopts
accounting policies that reflect the economic reali
ties of the organization.

Organizational structure.

The organizational structure of the entity is appro


priately designed to promote a sound control
environment. Authority and responsibility, appropri
ate reporting lines, and free flow of information
across the organization provide unfettered influ
ence to effectively run the entity and support
effective financial reporting.

Human resource policies and procedures.

Human resource policies and procedures send


messages to employees regarding expected levels
of integrity, ethical behavior, and competence.

Assignment of authority and responsibility.

The entity assigns authority and responsibility to


provide a basis for accountability and control.

Commitment to competence.

The entity is committed to competence in the


requirements of particular jobs and in translating
those requirements into knowledge and skills.

Risk Assessment Procedures and Factors to Consider. When obtaining an understanding of the control
environment, the auditor should concentrate on the implementation of control environment elements. The risk
assessment standards do not change the elements that comprise the control environment, but they place more
emphasis on corroborating management's and employees' responses to inquiries through observation or inspec
tion. For example, through inquiries of management and employees, the auditor obtains an understanding of
management's commitment to ethical values and competence. The auditor should follow through with observation
of the behavior and attitude demonstrated by management in managing the organization.
The Audit Guide, Paragraph 2.58, specifically notes the importance of obtaining an understanding of the following
characteristics of a nonprofit organization's control environment:
 The governing board, including its role, the frequency of its meetings, the qualifications of the members
and their involvement in the organization's activities.
 Management, including its role and its qualifications.
 The organizational structure.
A nonprofit organization's control environment is a significant factor when considering the risks of material mis
statement due to fraud. In a nonprofit organization, the integrity of management will often play a significant role in
establishing a strong control environment. For example, although a small nonprofit organization might not have a
written code of conduct, it might still have a culture that emphasizes the importance of integrity and ethical
behavior. That culture will be instilled through the visibility and direct involvement of management. Similarly, human
71

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

resource policies may not be formally documented as they would in a larger entity. Even so, policies and practices
can still exist and be communicated orally. While formal documentation may be preferable and may be required for
entities receiving federal awards, it is not always necessary for a policy to be in place and operating effectively. This
is emphasized in a nonauthoritative AICPA Technical Practice Aid, Obtaining an Understanding of the Control
Environment, (TIS 8200.08). TIS 8200.08 notes that if an auditor decides to rely on these controls (whether
documented or not), they are required to test the controls.
Considering Management Control Consciousness. Management has to take the lead in creating an atmosphere
of control consciousness. If management has a high regard for maintaining reliable accounting records and
adhering to established policies and procedures, then employees are likely to be more conscientious in performing
their duties. Similarly, if management's attitude is cavalier and conveys a disregard for sound practices, then
employees are likely to be careless in discharging their responsibilities. In extreme cases of lack of control
consciousness, accounting records may be so undependable that the organization is unauditable. The control
consciousness of management can have an important influence on the extent of detailed testing of the accounting
records that is necessary.
Impact of the Control Environment in Assessing Risk. The existence of a satisfactory control environment, or the
lack of such an environment, is an important factor in assessing the risks of material misstatement at the financial
statement level. For this purpose, the auditor should concentrate on the collective effect of the strengths and
weaknesses in the various control environment elements on the risks of material misstatement. This assessment
usually affects decisions and judgments made in establishing the overall audit strategy. For example, weaknesses
in the control environment might cause the auditor to perform more substantive procedures as of the statement of
financial position date rather than at an interim date or to use only substantive procedures in more audit areas. Also,
while a strong control environment may not completely eliminate the risk of fraud due to the limitations of internal
control, it may help reduce the risks of fraud.
The auditor should normally obtain an understanding of the control environment prior to other components of
internal control. The reason for this is fairly straightforward the strengths or weaknesses in the control environ
ment (an entitylevel control) normally have a permeating effect on the remainder of the control components. For
example, if management demonstrates a poor attitude toward the need for a strong accounting and reporting
function, the chances of the nonprofit organization having robust risk assessment, information and communication,
monitoring, and control activities are significantly reduced.
Due to the role of the control environment, the auditor's understanding of this area may influence how the auditor
approaches obtaining an understanding of other areas of internal control, as well as the ultimate assessment of risk
at the overall financial statement level.
Risk Assessment
Risk assessment is the process of setting objectives; prioritizing and linking those objectives; and identifying,
analyzing, and managing risks relevant to achieving those objectives. With respect to the objective of reliable
financial reporting, the entitys risk assessment process involves the identification, analysis, and management of
the risks of material misstatement of the financial statements. An entity's risk assessment process includes the
following elements:
 Financial reporting objectives.
 Management of financial reporting risks.
 Consideration of fraud risk.
The auditor should obtain sufficient knowledge of management's risk assessment process as a result of applying
risk assessment procedures to understand how management considers risks relevant to reliable financial reporting
objectives and decides about actions to address those risks. In some cases there will be a formal risk assessment
process, but a formal process is not essential. The auditor should focus on the following issues:
a. How does management identify operating risks relevant to financial reporting?
b. How does management estimate the significance of the risks?
72

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

c. How does management assess the likelihood of their occurrence?


d. How does management decide on actions to manage the risks?
The auditor should concentrate on the effectiveness of management's efforts to identify and deal with the risks of
material misstatements in financial reporting. The auditor considers both (a) the aspects of the entity's risk
assessment process that enable management to identify, analyze, and address operating risks and (b) any
difficulties in identifying and addressing those risks.
Risks relevant to material misstatements in financial reporting include internal and external events and circum
stances that adversely affect an entity's ability to appropriately initiate, authorize, record, process, and report
financial data. Risks are affected by events and circumstances such as the following:
a. Changes in operations.
b. New personnel.
c. New or revised information systems.
d. Rapid growth.
e. New technology.
f. Restructurings.
g. New accounting pronouncements.
Note that risk assessment as defined in SAS No. 109 is not the same as an auditor's consideration of audit risk
(inherent risk, control risk, and detection risk) in a financial statement audit discussed in SAS No. 107, Audit Risk
and Materiality in Conducting an Audit. In accordance with SAS No. 107, an auditor assesses inherent and control
risks to evaluate the likelihood that the financial statements could be materially misstated. An entity's risk assess
ment, on the other hand, is the process of identifying, analyzing, and managing risks that affect the entity's
objectives. However, the authors believe management's risk assessment process, as it relates to financial report
ing, is somewhat similar to the auditor's assessment of inherent risk. That is, it involves management identifying
potential areas of misstatement in the financial statements, including misstatements due to fraud. Management
then implements control activities or takes other steps as necessary to prevent or detect such misstatements.
Auditors may be able to leverage the client's documentation when obtaining and documenting their understanding
of the client's risk assessment process. However, even when the client has adequate documentation of its risk
assessment process, the auditor still must apply risk assessment procedures to the extent deemed necessary to
confirm the understanding.
The Entity's Fraud Risk Assessment and Monitoring. All entities should be proactive in reducing fraud opportu
nities by identifying and measuring fraud risks, taking steps to mitigate identified risks, and implementing and
monitoring appropriate preventive and detective controls and other antifraud measures. However, the nature and
extent of these risk assessment and monitoring activities should be commensurate with the size and complexity of
the entity. It is important for management to understand its responsibility for establishing and monitoring the entity's
fraud risk assessment process. That process is likely to be less formal and structured in a smaller entity than in a
larger entity, but should include a sufficient degree of fraud awareness on the part of management, and appropriate
fraud risk management activities, with oversight from those charged with governance. The fraud risk assessment
and monitoring process for a typical small to midsize nonprofit organization may include:
a. Communicating to employees management's views on operating practices and ethical behavior, either
orally or by example.
b. Thoroughly investigating any incidents of alleged fraud, taking appropriate and consistent actions against
violators, assessing how relevant controls could be improved, correcting any effects on the financial
statements, and reinforcing the entity's values and expectations through appropriate communication.
73

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

c. Considering standards of ethical behavior and appropriate business practices in the entity's employee
training and evaluation procedures.
d. Identifying fraud risks and taking appropriate action to reduce or eliminate the risks.
e. Exercising appropriate oversight of the entity's fraud risk assessment and monitoring activities by means
of a board of directors or audit committee.
Control Objectives. When obtaining an understanding of internal control, many auditors consider control objec
tives during the process of identifying controls and evaluating their design and implementation. Controls are
properly designed and implemented if (a) they achieve the control objectives and (b) the entity is using them.
Exhibit 22 provides a list of control objectives for each of the risk assessment elements discussed previously.
Exhibit 22
Control Objectives Risk Assessment
Risk Assessment

Control Objectives

Financial reporting objectives.

 Entity and financial reporting objectives are


established, documented, and communicated.
 Accounting principles are properly applied in the
preparation of the financial statements.

Management of financial reporting risks.

 Management has established practices for the


identification of risks affecting the entity.
 Management considers the entire organization
as well as its extended relationships in its risk
assessment process.
 Management has implemented mechanisms to
anticipate, identify, and react to changes.
 Management evaluates and mitigates risk
appropriately.

Consideration of fraud risk.

 Management has developed an appropriate


fraud risk assessment and monitoring process.

Risk Assessment Procedures and Factors to Consider. The auditor should tailor risk assessment procedures
based on factors such as the size and complexity of the entity. The authors believe, however, that in most situations,
documented evidence of the entity's risk assessment process will be minimal and the auditor will rely heavily on
inquires of management about how risks are identified and addressed. For most small and midsize nonprofit
organizations, gaining an understanding of management's risk assessment process will not be a complex process.
It will be based on experience with the client, general observations of entity operations, and discussions with
management. Specifically, if the events or circumstances noted previously have occurred, the auditor should
consider asking management about the associated risks and what actions were taken to address them. Those
inquiries may be corroborated by inquiries of accounting and other personnel, as well as by inspecting any other
supporting written evidence or by determining if risks occurred that were not identified by management, as
illustrated in the following example:

74

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Example 21:

Evaluating the entity's risk assessment process.

During the audit planning process of Big Canyon Academy, the auditor learns that a new general
ledger system was implemented during the year. When making inquiries about the entity's risk assess
ment process, the auditor asks the executive director and controller what implementation risks were
identified and how they were addressed. Management indicates that they spent weeks" planning for
the implementation. They identified the following key risks:
 Posting from accounting transaction modules would not properly integrate with the new general
ledger system.
 The monthly close and financial reporting processes would be interrupted due to training issues,
changes in system performance, and modification in the timing of journal entry processing and
edits.
The controller indicates that they addressed these risks by thoroughly testing the system prior to
implementation and ensuring that all staff were properly trained and understood the processing
changes required by the new system.
Later, as the auditor begins to obtain an understanding of Big Canyons' financial reporting system, one
of the general ledger supervisors complains that the new system does not provide a history of general
ledger transactions prior to the implementation date and that some historical information can no longer
be obtained since the old system was decommissioned immediately after the implementation. The
auditor considers such facts when evaluating the overall effectiveness of the entity's risk assessment
process.

75

Companion to PPC's Guide to Audits of Nonprofit Organizations

76

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
19. The control environment is the foundation for all other elements of internal control.
a. True
b. False
20. The organization hires new employees only after performing due diligence such as background checks and
skills assessment. Employee skills are reassessed semiannually, and employees are involved in training and
crosstraining exercises inhouse. They are also encouraged to take advantage of employermatching educa
tional assistance. What control environment element does the foregoing illustrate?
a. Management's philosophy
b. Assignment of responsibility
c. Commitment to competence
d. Human resource policies
21. Which of the following statements is correct concerning the entity's risk and risk assessment?
a. Risk assessment and consideration of audit risk are different concepts.
b. Expecting employee integrity should be sufficient to manage fraud risk.
c. Management of financial reporting risk includes only internal events.
d. Risk assessment activities should not be affected by entity complexity.
22. Which of the following is not an element of the risk assessment control objective?
a. Financial reporting objectives
b. Governance participation
c. Financial reporting risks management
d. Consideration of fraud risk

77

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
19. The control environment is the foundation for all other elements of internal control. (Page 69)
a. True [This answer is correct. The control environment sets the tone of an entity and provides
structure and discipline.]
b. False [This answer is incorrect. The control environment provides structure and discipline within the entity.]
20. The organization hires new employees only after performing due diligence such as background checks and
skills assessment. Employee skills are reassessed semiannually, and employees are involved in training and
crosstraining exercises inhouse. They are also encouraged to take advantage of employermatching educa
tional assistance. What control environment element does the foregoing illustrate? (Page 71)
a. Management's philosophy [This answer is incorrect. Management's philosophy and operating style have
more to do with business and accounting practice and philosophy than with the employees per se.]
b. Assignment of responsibility [This answer is incorrect. This is more about accountability and control than
about employee training and advancement per se.]
c. Commitment to competence [This answer is correct. The entity adequately illustrates its
commitment to competent, welltrained employees.]
d. Human resource policies [This answer is incorrect. Certain human resource policies are evident, but there
is a better answer.]
21. Which of the following statements is correct concerning the entity's risk and risk assessment? (Page 73)
a. Risk assessment and consideration of audit risk are different concepts. [This answer is correct. Risk
assessment pertains to risks that affect the entity's objectives. Consideration of audit risk pertains
to the auditor's assessment of the likelihood that the financial statements could be materially
misstated.]
b. Expecting employee integrity should be sufficient to manage fraud risk. [This answer is incorrect. Entities
should be proactive in identifying and managing fraud risk.]
c. Management of financial reporting risk includes only internal events. [This answer is incorrect. Such risks
include both internal and external events.]
d. Risk assessment activities should not be affected by entity complexity. [This answer is incorrect. The nature
and extent of such activities should vary with entity size and complexity.]
22. Which of the following is not an element of the risk assessment control objective? (Page 70)
a. Financial reporting objectives [This answer is incorrect. These objectives must be properly documented
and communicated, and accounting principles are properly applied.]
b. Governance participation [This answer is correct. This is a control environment control objective
element.]
c. Financial reporting risks management [This answer is incorrect. This pertains to management's ability and
commitment to respond to factors that could adversely impact the representational faithfulness of the
information presented in the financial statements.]
d. Consideration of fraud risk [This answer is incorrect. This pertains to management's fraud risk assessment
and monitoring process.]
78

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Information and Communication


Information refers to the financial reporting system, which includes the accounting system, and encompasses the
procedures and records established to initiate, authorize, record, process, and report the entity's transactions. It
also includes the accountability over assets, liabilities, and net assets. An information system may be computer
ized, manual, or a combination of the two depending on the size and complexity of the entity. Communication is the
process of providing an understanding of roles and responsibilities to individuals within the organization regarding
internal control over financial reporting.
The quality of information generated by the financial reporting system has significant implications for the audit
because it affects management's ability to control the entity's activities and prepare reliable financial statements.
However, auditors should not lose sight of the importance of the communication of accounting and financial
reporting roles within the net assets. Achievement of the objectives of a welldesigned financial reporting system
can easily fail if accounting personnel do not fully understand their roles and how proper performance mitigates the
risks of material misstatement. Although part of the same internal control component, the authors discuss the
information and communication processes separately in the following paragraphs.
Information. In applying the topdown" approach the evaluation of the entity's information process is divided into
two parts: (a) entitylevel considerations that affect the auditor's risk assessment at the financial statement level and
the overall audit strategy and (b) activitylevel considerations that affect the risk assessment at the account balance,
transaction class, and disclosure level. The auditor's consideration of the information process at the entity level
focuses on making an overall evaluation of the use and flow of information relevant to reliable financial reporting
rather than on obtaining an understanding of specific processes related to account balances, transaction classes,
and disclosures. For example, the auditor considers whether the client has entitylevel controls in place to effec
tively support it in identifying, capturing, and using all of the information needed to prepare reliable financial
statements, including disclosures. The auditor's understanding is at a high level but sufficiently detailed to identify
the significant accounting applications, how the computer is used in those applications, and the relative complexity
and importance of use of the computer. The auditor also should consider the qualifications of accounting personnel
and the time pressure they face. Inexperienced or harried accounting personnel make more errors. At the entity
level, the auditor evaluates whether the design and implementation of the financial reporting system has implica
tions for the assessment of risks at the financial statement level (that is, pervasive risks) or the overall audit strategy.
The risk assessment standards also impose specific requirements related to obtaining an understanding of the
financial reporting system at the account balance, transaction class, and disclosure level. That understanding often
directly provides information regarding the entity's control activities as well. Because the audit is an iterative
process, information obtained when evaluating the design and implementation of the financial reporting system at
the account balance, transaction class, and disclosure level may confirm or change the auditor's overall conclusion
about design and implementation of the information process at the entity level.
Control Objectives for Information. When obtaining an understanding of internal control, many auditors consider
control objectives during the process of identifying controls and evaluating their design and implementation.
Controls are properly designed and implemented if (a) they achieve the control objectives and (b) the entity is using
them. Exhibit 23 provides a list of entitylevel control objectives for the information process.

79

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 23
Control Objectives Information Process
Control Objectives

Internal Control Area


Information

 Information is identified, captured, and used at


all levels of the entity to support the achieve
ment of financial reporting objectives.
 Information relevant to financial reporting is
identified, captured, processed, and distrib
uted within the parameters established by the
entity's control processes to support the
achievement of financial reporting objectives.

Risk Assessment Procedures and Factors to Consider. For most small and midsize nonprofit organizations, gaining
an entitylevel understanding of the entity's information process will not be complex. It will be based on experience
with the client; general observations of how financial information is identified, captured, and used within the entity;
and discussions with management.
Communication. The auditor should obtain a sufficient understanding of how management communicates finan
cial reporting roles and responsibilities and other significant matters. The communication process includes both
internal and external elements. For example, it includes communications between management and employees,
those charged with governance, and regulatory authorities. Communication may take the form of policy manuals,
memorandums, oral or electronic communications, etc. This will depend on the size and organizational structure of
the entity. Auditors consider both:
 The aspects of the communication process that help to ensure employees and those charged with
governance understand their jobs and responsibilities within the financial reporting system and are
encouraged to report any exceptions.
 Any areas where communication does not occur.
Communication is another way that management conveys the tone at the top. Management should communicate
the information necessary for employees to perform their assigned tasks, for managers to supervise, and for
responsible parties to make key operating and financial decisions. Communication also relates to the flow of
information upstream in an entity. For upstream communication to occur, there must be open channels of commu
nication and a willingness on the part of management to deal with problems. For control activities to be effective,
individuals should be able to report exceptions or fraud to the appropriate levels of management.
When considering whether an entity has communication controls in place, auditors consider whether management
has clearly communicated the following:
 That internal control responsibilities are a critical part of employee job duties.
 The role and responsibilities that each employee has in the internal control system.
 That unexpected events should be investigated, including determining the cause of the event.
 How job activities relate to the work of others.
 That communication from employees to management regarding problems, controls, potential fraud, or
other issues is welcomed and expected. One way management might encourage such communication is
80

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

to establish a fraud hotline so that employees can report unethical behavior or fraud suspicions without fear
of retribution or exposure. In addition to serving as a fraud detection mechanism, the very existence of a
fraud hotline can serve as a deterrent to misconduct by creating among employees a perception that fraud
will be detected and reported. It also demonstrates management's serious intent to prevent and detect
fraud.
 That, should an employee feel that taking an issue through the normal upstream communication methods
would not be effective, alternative channels of communication are available (such as a direct
communication to senior management).
Control Objectives for Communication. When obtaining an understanding of internal control, many auditors
consider control objectives during the process of identifying controls and evaluating their design and implementa
tion. Controls are properly designed and implemented if (a) they achieve the control objectives and (b) the entity is
using them. Exhibit 24 provides a list of control objectives for the communication process.
Exhibit 24
Control Objectives Communication Process
Internal Control Area

Control Objectives

Communication

 Communication exists between management


and those charged with governance so that
both have relevant information to fulfill their
roles with respect to governance and to finan
cial reporting objectives.
 All personnel, particularly those in roles affect
ing financial reporting, receive a clear message
from top management that both internal con
trol over financial reporting and individual
control responsibilities must be taken seri
ously.
 Personnel have an effective and nonretributive
method to communicate significant informa
tion upstream in the entity.

Risk Assessment Procedures and Factors to Consider. Communication may be written, electronic, oral, or through
the direct actions and involvement of management. As a result, auditors often use a combination of risk assessment
procedures to understand the communication process. In addition to inquiries of management, the auditor may
consider the following types of procedures to corroborate management's responses and determine if the commu
nication process as designed has been implemented:
 Inquire of employees regarding the communication that they have received regarding their duties and
management's expectations as they relate to financial reporting.
 Review policy and procedures manuals or similar documents that have been provided to employees
regarding their duties.
 Review for the existence of training materials or programs on job functions and responsibilities.
 Discuss with human resources personnel the evaluation process and how job knowledge and the
performance of responsibilities are incorporated into personnel reviews.
81

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Inquire of the audit committee and review minutes of meetings regarding the communication between
management and others charged with governance.
 Inquire of employees regarding how upstream financial communication is received and implemented by
management.
 Review whistleblower policies and inspect documentation regarding reported instances of suspected
financial improprieties.
 Inquire and review related documentation of how communication from external parties is processed.
Gaining an understanding of the client's communication processes should not be a complex process for auditors.
The auditor does not need to spend much time reviewing client accounting manuals, policies, or memoranda.
Ordinarily, the auditor can gain this understanding based on his or her experience with the client, general observa
tions of organization operations, and discussions with management.
Monitoring
Monitoring is a process by which an entity assesses the quality of its internal control over time. Monitoring involves
assessing the design and operation of controls on a timely basis, capturing and reporting identified control
deficiencies, and taking actions as necessary. Monitoring activities can also reveal evidence or symptoms of fraud.
Effective monitoring ensures that internal controls are modified as changes in conditions occur in the organization.
As a result, poor monitoring controls can allow error or fraud to remain undetected. The elements of an entity's
monitoring process include (a) ongoing internal evaluation and (b) reporting of internal control deficiencies. The
control objective for monitoring can be described as follows:
Management monitors controls over financial reporting through ongoing monitoring, indepen
dent evaluations, and remediation of identified deficiencies.
Monitoring can be accomplished through ongoing activities, separate evaluations, or a combination of the two.
Ongoing monitoring includes management and supervisory activities and other actions that personnel take in
performing their duties, such as performing comparisons, reconciliations, and other routine activities. For example,
management may question reports that differ significantly from his or her knowledge of operations. Because these
activities are performed in the normal course of business, ongoing monitoring procedures usually adapt to
changing conditions and may be timely in detecting problems. Separate evaluations may involve any aspect of the
entity's system of internal control such as management's review of a component (e.g., the control environment), an
element within a component, or the control activities associated with a specific class of transactions or processing
function. Regardless of the manner in which monitoring is accomplished, identified deficiencies should be reported
to the individuals responsible for taking corrective action and to management and those charged with governance,
as appropriate.
The auditor should obtain an understanding of the major types of activities that management uses to monitor
internal control over financial reporting. The auditor's understanding should include the sources of information
related to monitoring and the basis on which management considers information to be sufficiently reliable for that
purpose. The auditor considers both (a) the aspects of the monitoring process that enable management to
appropriately identify and correct control procedures that are not operating as intended and (b) any circumstances
that indicate management has failed to appropriately identify and correct such deficiencies.
Monitoring can be virtually any activity that ensures that controls are operating as intended and continue to be
properly designed. Monitoring may include activities such as the following:
 Review of whether bank reconciliations are prepared on a timely basis.
 Review of contributor complaints.
 Review of a reporting system that tracks timely followup on promises to give.
82

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

 Analysis of reported disbursement errors.


 Legal department review of compliance with donor restrictions.
Frequently, a key difference between nonprofit organizations and forprofit entities is the active involvement of the
governing board in the daytoday activities of the nonprofit organization. When the governing board provides
significant oversight, it can help mitigate the risk of fraudulent financial reporting and possibly detect misappropri
ation of assets. However, nonprofit organizations frequently have turnover in their governing boards. Thus, the
auditor must continuously assess the impact that the governing board has on the nonprofit organization's internal
control.
Risk Assessment Procedures and Factors to Consider. An understanding of an entity's monitoring activities
may be obtained through the performance of risk assessment procedures such as direct inquiries of management,
review of entity policies and procedures manuals to determine monitoring functions, or procedures performed to
obtain an understanding of other components of the entity's internal control system. For example, when performing
a walkthrough of the cash receipts transaction processing system, upon inspection of the monthly bank reconcilia
tion, the auditor notices the reconciliation has been initialed. Upon inquiry of the bookkeeper, the auditor learns that
the initials were placed there by the manager to evidence his or her review of the reconciliation process. In this way,
the auditor obtains an understanding of both the design of the monitoring controls as well as their implementation.
For audits of small and midsize nonprofit organizations, the auditor should not have to spend a great deal of time
gaining an understanding of the client's monitoring process. Normally, the auditor can gain this understanding
based on his or her experience with the client, general observations of organization operations, and discussions
with management.
Consideration of Internal Audit Function. One method some entities use to monitor internal control is through
separate evaluations by internal auditors. Most small and midsize nonprofit organizations do not have internal
auditors. However, if there is a designated internal audit function, the auditor should obtain an understanding of that
function during audit planning. SAS Nos. 65 and 99 provide requirements for inquiries related to the internal audit
function.

UNDERSTANDING ACTIVITYLEVEL CONTROLS


The authors refer to the internal control component of control activities, along with the detailed aspects of the
financial reporting system, as activitylevel" controls. Activitylevel controls and processes operate at the assertion
level rather than at the overall financial statement level. Activitylevel controls are directly related to initiating,
authorizing, recording, processing, and reporting the entity's transactions. Consequently, the understanding of
activitylevel controls directly supports the auditor's risk assessment at the relevant assertion level for account
balances, transaction classes, and disclosures.
The auditor ordinarily obtains an understanding of entitylevel controls first because those controls have a perva
sive effect on the entity's financial statements. Also, the auditor generally accumulates a significant amount of
knowledge about activitylevel controls through the understanding of entitylevel controls. After obtaining an
understanding of entitylevel controls, the auditor focuses on obtaining an understanding of the financial reporting
system, which is part of the information and communication component of internal control. Obtaining an under
standing about how the entity initiates, authorizes, records, processes, and reports transactions through the
financial reporting system typically also provides a significant amount of information about control activities.
Controls throughout the system may be either manual or automated and may be significantly affected by IT.
Therefore, the auditor should also obtain an understanding of the entity's IT environment and general computer
controls. After obtaining an understanding of those aspects of transaction processing, the auditor considers
whether it is necessary to devote additional attention to obtaining an understanding of control activities.
This section discusses the understanding of the financial reporting system along with the risk assessment proce
dures auditors use to obtain that understanding. This section also discusses the understanding of the IT environ
ment and general computer controls since the auditor's consideration of IT often occurs as part of understanding
the financial reporting system, which includes how IT is used in various processes and applications. Finally, this
83

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

section discusses when it might be necessary to obtain an additional understanding of control activities. Through
out the process of obtaining an understanding of activitylevel controls, the auditor should be aware of the
requirements to:
 Obtain an understanding of controls related to significant or fraud risks.
 Obtain an understanding of controls related to risks for which substantive procedures alone are not
adequate.
 Understand the effects of IT on the entity's control activities.
Financial Reporting System
The financial reporting system is part of the information and communication component of internal control. The
financial reporting system includes the accounting system and encompasses the procedures and records estab
lished to initiate, authorize, record, process, and report the entity's transactions. It also includes the accountability
over assets, liabilities, and net assets. Auditors are typically very familiar with the process of understanding the
financial reporting system. When obtaining an understanding of the entity's internal control, auditors often spend
most of their time in this area since it provides the auditor with other key information needed for the audit. For
example, the understanding of the financial reporting system contributes to the auditor's ability to design and
conduct efficient and effective substantive procedures because the auditor gains knowledge of the types, sources,
and locations of documents and other evidence and the individuals responsible for processing them.
During the process of obtaining an understanding about the financial reporting system, auditors typically gain
some knowledge about various monitoring controls or control activities that relate to the processing of transactions
and the financial reporting process. In other words, as the auditor learns about how transactions flow through the
accounting system and how those transactions are reported in the financial statements, a byproduct of that
knowledge is an understanding of how management monitors internal control and how certain control activities are
applied to achieve accuracy, completeness, cutoff, and other relevant assertions. As a result, many auditors find
that it is efficient to gain an understanding of the financial reporting system, internal control monitoring, and control
activities components of internal control at the same time. In fact, after the auditor obtains an understanding of the
control environment, risk assessment, information and communication, and monitoring, it may not be necessary to
devote additional attention to obtaining an understanding of control activities.
The auditor should obtain sufficient knowledge of the financial reporting system, including related business
processes, as a result of applying risk assessment procedures to understand the following:
 Classes of Transactions. The classes of transactions in the entity's operations that are significant to the
financial statements.
 Accounting Procedures. The procedures, within both automated and manual systems, by which those
transactions are initiated, authorized, recorded, processed, and reported in the financial statements.
 Accounting Records. The related accounting records, whether electronic or manual, supporting
information, and specific accounts in the financial statements involved in initiating, authorizing, recording,
processing, and reporting transactions.
 Other Events and Conditions. The methods used to capture events and conditions, other than classes of
transactions, that are significant to the financial statements. Examples include commitments and
contingencies, concentrations, subsequent events, compliance with debt covenants, related party
transactions, going concern uncertainties, and fair values of financial instruments.
 Financial Reporting Process. The financial reporting process (including the closing process) used to
prepare the entity's financial statements, including significant accounting estimates and disclosures.
A financial reporting system includes methods and records that:
 Identify and record all valid transactions.
84

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Provide, on a timely basis, sufficient detailed information about transactions to permit proper classification
for financial reporting.
 Allow for the recording of transactions at their proper monetary value in the financial statements.
 Provide sufficient information to permit recording of transactions in the proper accounting period.
 Properly present the transactions and related disclosures in the financial statements.
Essentially, auditors need to be satisfied that they have a sufficient understanding of the entity's financial reporting
system to understand how material misstatements might occur anywhere in the cycle from the occurrence of
transactions to the final presentation of the entity's financial position and changes in net assets in the financial
statements. In a simple financial reporting system, where the auditor assists with the preparation of financial
statements and disclosures, it is believed that will generally involve:
a. Identifying the entity's significant transaction classes.
b. Understanding the flow of information through the financial reporting system for significant transaction
classes.
c. Understanding the financial close and reporting process, including how information about other events and
conditions (that is, other than items included in the entity's significant transaction classes) is captured for
inclusion in the general ledger and financial statements.
d. Understanding the extent to which IT is used in the entity's financial reporting system.
The following paragraphs provide additional guidance on the first three steps in understanding the financial
reporting system. Guidance is also provided on control objectives for the financial reporting system, risk assess
ment procedures auditors might use to obtain a sufficient understanding, including walkthroughs, and documenta
tion of the auditor's understanding. The fourth step in understanding the financial reporting system, that is,
understanding the extent to which IT affects financial reporting.
Identifying Significant Transaction Classes. The auditor should identify significant classes of transactions and
obtain an understanding of the flow of information (including electronic information) through the entity's financial
reporting system for each of those classes. Significant transaction classes are those classes of transactions in the
entity's operations that are significant to the financial statements, generally because of the volume or risk character
istics of transactions processed. When selecting significant transaction classes, the auditor should focus on those
that present a reasonable possibility of material misstatement of the financial statements or disclosures, including
those that involve significant or fraud risks. Qualitative and quantitative factors such as the following should be
considered:
 Volume of activity.
 Size and composition of the related accounts.
 Susceptibility to misstatement due to errors or fraud.
 Nature of the transactions, related account balances, or disclosures.
 Accounting and reporting complexities.
 Exposure to losses in the related accounts.
 Possibility of significant contingent liabilities arising from the activities being processed.
 Existence of related party transactions.
85

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Changes from the prior period in the characteristics of the transactions, related account balances, or
disclosures.
Exhibit 25 provides examples of transaction classes for specified audit areas.
Exhibit 25
Examples of Transactions Classes for Specified Audit Areas
Financial Close and Reporting
 Defining the financial closing and reporting processa
 Performing the accounting period closea
 Capturing and processing other nonroutine information requiring significant estimates and judgments from
managementa
 Preparing and reviewing financial statement disclosuresa
 Reviewing and approving the financial statementsa
 Other (specify)
Cash
 Processing cash receiptsa
 Processing disbursementsa
 Other (specify)
Investments and Derivatives
 Managing investments
 Managing derivatives
 Assessing assets for impairment
 Other (specify)
Support, Receivables, and Receipts
 Processing cash contributionsa
 Initially recording promises to givea
 Subsequently adjusting promises to givea
 Estimating the allowance for uncollectible promises to give and bad debt expense
 Other (specify)
Program Service Fees, Revenue, and Receivables
 Processing billingsa
 Shipping and invoicing sales ordersa
 Processing sales adjustments and product returns
 Processing cash collectionsa
 Estimating the allowance for doubtful accounts receivable and bad debt expense
 Tracking accounts receivable
 Maintaining the customer master file
 Other (specify)
Donated Materials, Facilities, and Services
 Receiving and safeguarding donated materials, facilities, and services
 Valuing donated assets and services
 Recording expenses related to donated materials, facilities, and services
 Processing dispositions or other adjustments
 Other (specify)
Expenses for Program and Supporting Services and Accounts Payable and Other Liabilities
 Recording purchasesa
 Processing accounts payable and accrualsa
 Processing disbursementsa
86

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Maintaining the supplier master file


 Other (specify)
Payroll and Related Liabilities
 Processing payrolla
 Maintaining the employee database master file
 Other (specify)
Inventories
 Recording purchases
 Receiving and storing inventory
 Costing inventory
 Managing inventory
 Estimating excess and obsolete inventory reserves
 Other (specify)
Property and Equipment
 Acquiring and safeguarding property and equipment
 Depreciating property and equipment
 Disposing of property and equipment (sales and retirements)
 Maintaining the property and equipment subledger
 Assessing assets for impairment
 Other (specify)
Other Assets
 Recording purchases of other assets
 Amortizing assets
 Other (specify)
Debt and Other Liabilities
 Managing borrowings
 Other (specify)
Net Assets
 Recording net asset transactions
 Other (specify)
Grant and Similar Programs
 Recording grants and similar programsa
 Processing program receiptsa
 Processing program expendituresa
 Reporting for grants and similar programsa
 Other (specify)
Note:
a

For many nonprofit organization audits, this will be considered a significant transaction class.

Understanding the Flow of Information for Significant Transaction Classes. When understanding the flow of
information through the entity's financial reporting system for significant transaction classes, the auditor should
focus on the entity's procedures for the following aspects of transaction processing:
a. Initiating and Authorizing.
(1) How and by whom are transactions initiated and authorized?
87

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

(2) What source documents (or electronic means) are used to capture information for entry in the
accounting system?
(3) How and by whom are transactions originally entered in the accounting system for processing?
b. Recording and Processing.
(1) Is fund accounting used for internal record keeping? (If so, what fund types are used?)
(2) What are the accounting processing steps, both automated and manual, from original entry to
inclusion in the general ledger and who performs them? (Processing includes functions such as edit
and validation, calculation, measurement, valuation, summarization, and reconciliation.)
(3) What accounting records and supporting documents are used or created when processing
transactions?
(4) What subsidiary journals or ledgers are involved?
(5) How is the incorrect processing of transactions resolved?
c. Reconciling and Reporting.
(1) What procedures are used to enter transaction totals into the general ledger?
(2) What is the entity's process for reconciling account detail to the general ledger for material accounts?
(3) What management reports or other information are generated from the system and how are they used
by management or the owner/manager in managing and controlling the entity's activities?
(4) What types of financial reports are prepared and distributed to funding sources?
Throughout the process of obtaining the understanding, the auditor considers the effect of IT on the way the entity's
control activities are designed and implemented. The auditor also identifies and evaluates the controls, if any, the
entity has implemented to prevent or detect and correct material misstatements related to fraud risks or other
significant risks. And the auditor is alert for areas where controls must be tested because substantive procedures
alone will not be sufficient to address the assessed risks.
As indicated in item b(4), the auditor should obtain an understanding of how the incorrect processing of transac
tions is resolved. That is a specific requirement of the risk assessment standards. For example, some systems use
suspense accounts or files to capture failed transactions. For such situations, the auditor would understand the
procedures for suspense accounting including how such transactions are researched and cleared.
In connection with understanding significant classes of transactions, the auditor should identify the related
accounts that are material to the financial statements. As indicated in item c(2), for material accounts, the auditor
should understand the process for reconciling detail records to the general ledger. That is another specific
requirement of the risk assessment standards. For example, for the promises to give general ledger account, the
auditor should understand the process of reconciling the account to the subsidiary accounts receivable ledger.
While reconciling procedures are technically a control activity, the understanding is typically obtained when
developing a knowledge of the flow of transactions.
Understanding the Financial Close and Reporting Process. Events and conditions other than transaction
classes (that is, other than items processed through the entity's significant transaction processing systems) are
often material to the preparation of financial statements. Examples include the fair value of financial instruments,
accruals for contingencies, commitments, and related party transactions. Therefore, it is not enough for the auditor
to understand the flow of transactions through the financial reporting system for significant transaction classes. The
auditor should also understand how information about other significant events and conditions is captured. There
fore, for any accounts where material amounts enter the general ledger or financial statements from sources other
88

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

than the entity's significant transaction processing systems, the auditor needs to understand how information
about those events and conditions is captured for inclusion in the general ledger and financial statements and how
material accounts are reconciled to the general ledger. Also, for audit areas that require significant disclosure
information that is not available from the entity's general ledger or related supporting documents and records, the
auditor needs an understanding of how information for disclosures is captured for inclusion in the financial
statements. For most nonprofit organizations, the authors believe that understanding is generally obtained as part
of the financial close and reporting process.
The financial close and reporting process is particularly important to achieving reliable financial reporting. Weak
nesses in the financial reporting process can create risks of material misstatement. The auditor should obtain an
understanding of how automated and manual procedures are used to accomplish the following:
a. Develop significant accounting estimates (for example, the allowance for uncollectible promises to give,
allocation of expenses to functional categories, and measurements of noncash contributions other than
marketable securities).
b. Initiate, authorize, record, and process standard and nonstandard journal entries in the general ledger.
c. Initiate and record recurring and nonrecurring adjustments to the financial statements that are not reflected
in formal journal entries.
d. Combine and consolidate general ledger data.
e. Prepare financial statements and disclosures.
The auditor should be aware that nonstandard journal entries and other topside adjustments made directly to the
financial statements have been used in numerous instances of fraudulent financial reporting.
Control Objectives. When obtaining an understanding of internal control, many auditors consider control objec
tives during the process of identifying controls and evaluating their design and implementation. Controls are
properly designed and implemented if (a) they achieve the control objectives and (b) the entity is using them.
Risk Assessment Procedures. Risk assessment procedures that are ordinarily performed to understand the
financial reporting system include inquiries of management and others, observation of entity procedures and
controls, inspection of documents and records, and tracing transactions through the system (i.e., walkthroughs).
The nature and extent of the procedures performed are affected by factors such as the size of the entity, its
complexity, and most certainly, the number of significant transaction classes that exist within the entity.
The existence of any internal documentation that describes classes of transactions and the transaction flow in the
accounting system is a key factor that may influence the risk assessment procedures used when obtaining an
understanding of the financial reporting system. Typically, such documentation exists for larger and more complex
entities and may consist of the following:
 Training manuals for employees.
 Policy and procedure manuals.
 Formal memoranda and flowcharts.
 Internal audit analyses.
When such documentation exists, the auditor's risk assessment procedures typically include inspection and review
of this documentation, corroborated by inquires of various personnel to determine if the information is current, and
observation to verify that procedures are being followed. While the client's internal control documentation is an
excellent source for understanding and evaluating the design of the financial reporting system, risk assessment
procedures consisting of inquiry, observation, and inspection are necessary to ensure that the system has been
implemented as designed.
89

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

However, for many small entities, the range of control and daytoday involvement of management makes written
documentation of the processing systems unnecessary. For those entities the auditor often relies on inquiries of
management and accounting personnel to understand the design of the financial reporting system. The auditor
determines that the system as described has been implemented by performing observation and inspection
procedures, such as walkthroughs.
Walkthroughs. A common method of obtaining an understanding of the design and implementation of the
financial reporting system for a significant transaction class is to trace a transaction through the various processing
steps from initiation to inclusion in the general ledger and the financial statements. This is commonly referred to as
a walkthrough" or cradletograve" procedure. Walkthroughs may be used to confirm information obtained by
inquiry or from prior years' audits. Walkthroughs are also commonly used in gaining an understanding of related
control activities. The AICPA Audit and Accounting Guide, Audit Sampling, notes in paragraph 3.25 that a walkth
rough may be designed to include procedures that are also tests of the operating effectiveness of controls.
Walkthroughs of transactions usually involve document inspection, inquiry, and observation. The auditor judgmen
tally selects one or a few transactions from each of the major classes of transactions and walks those transactions
and related controls through the system from cradle to grave, that is, from initial creation of a source document to
final posting in the general ledger and inclusion in the financial statements. The auditor inspects the documents
and accounting records used in processing, talks to the personnel involved, and observes the handling of records
and related assets. At each step, the auditor does the following:
 Observes the demonstration of, or reperforms, the prescribed manual and automated processing
procedure or control.
 Identifies and examines the documents and IT involved.
 Identifies the name and position of the person who performs the procedure or control and considers the
competence and understanding of the person performing the procedure or control.
 Determines whether the procedure is performed as prescribed and on a timely basis.
 Identifies the kinds of errors found by the client and the client's responses to correct them.
 Determines whether the person has been asked to override the procedure or control.
 Identifies exceptions to the prescribed procedure or control.
Some auditors also query individuals about the preceding or succeeding processing step or control activity as a
means of obtaining corroborating information about each step in the process.
In performing a walkthrough, the auditor should follow the transaction through all of the processing steps in the
system. A walkthrough may not be effective if a different transaction is used to test each control separately rather
than walking a single transaction through the entire process or if the auditor does not use the same documents and
IT that client personnel use.
How Often Should Walkthroughs Occur? A nonauthoritative AICPA Technical Practice Aid, Use of Walkthroughs
(TIS 8200.12) discusses how often an auditor might perform walkthroughs. The use of walkthroughs is a common
practice for obtaining an understanding of the design and implementation of the financial reporting system. The TIS
notes, therefore, that auditors might perform walkthroughs every year for significant accounting cycles. Even
though SAS No. 109 (AU 314) allows the auditor to rely on audit evidence obtained in prior periods in certain
situations, the auditor is still required to perform audit procedures to determine the continued relevance of that
evidence. In many cases, the auditor can establish this relevance through the performance of a walkthrough. Thus,
walkthroughs are ordinarily performed in each audit period for significant transaction classes.
IT Environment and General Computer Controls
IT Environment. Auditors typically learn about the client's IT environment while obtaining an understanding of the
financial reporting system. They should consider what procedures the computer performs and what data is stored
90

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

in electronic files. For example, some nonprofit organizations receive online contributions and maintain electronic
fund raising records that integrate with the accounting system.
In connection with the financial reporting system, the auditor should understand the extent to which IT is used for
significant transaction classes. Typically, the following matters relating to IT are determined:
 Automated applications and the software that is used.
 Whether software is internally or externally developed and if the client has access to the source code.
 Use of service organizations and whether it is necessary to obtain information about a service
organization's controls. That may occur, for example, when a bank provides deposit services, data
processing bureau provides payroll services, or brokerdealer provides securities services.
 Hardware, networks, and other aspects of the entity's computer system.
Also, as required by SAS No. 109, the auditor should obtain an understanding of how IT affects control activities
that are relevant to planning the audit. This typically means that when obtaining an understanding of the financial
reporting system, the auditor should obtain knowledge of relevant computer application controls.
As part of obtaining an understanding of the entity's IT environment, the auditor should consider whether the
client's use of IT is extensive and complex enough to require the involvement of an IT specialist. That determination
should be made relatively early in the planning process to assure that the necessary resources are available on a
timely basis.
General Computer Controls. The auditor is required to obtain an understanding of how IT affects control activities
that are relevant to planning the audit. SAS No. 109 (AU 314.96) further states that the auditor should consider
whether the entity has established effective controls to adequately respond to the risks that arise from IT. Such
controls not only include properly designed and implemented application controls, but the general controls upon
which those application controls depend.
General controls are policies and procedures that relate to many applications and support the effective functioning
of application controls. General controls ordinarily include controls related to:
 IT strategic planning and risk management.
 Data center and network operations.
 Physical security and access to programs and data.
 Program changes and systems acquisition and development.
General computer controls relate to all automated applications, including userdeveloped spreadsheet applica
tions.
The AICPA Risk Assessment Audit Guide (paragraph 4.63) notes that the auditor should evaluate the design of IT
general controls and determine whether they have been implemented when assessing the risks of material
misstatement. Poorly designed general controls do not by themselves cause misstatements in the financial
statements. However, deficient general controls may allow application controls to operate improperly which, in turn,
can result in material misstatements in the financial statements. SAS No. 109 (AU 314.95) indicates that general
controls should be assessed in relation to their effect on applications and data that become part of the financial
statements.
In some cases, certain general controls may not be relevant for the period under audit. For example, if the client has
an IT environment where application software is obtained from outside vendors with no modification and client
personnel do not have access to source code, general controls over the modification of software might not be
relevant. Similarly, if no new systems are implemented during the period of the financial statements, weaknesses in
91

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

the general controls over systems acquisition and development may not be relevant to the financial statements
being audited. For smaller entities that use prepackaged software and do not have access to source code, relevant
general controls ordinarily include controls over access to critical hardware, software, and data; controls over
upgrades to the entity's operating system and significant prepackaged applications; systems and data backup
and recovery procedures; and controls over the creation, use, and maintenance of critical spreadsheet applica
tions.
When obtaining an understanding of internal control, many auditors consider control objectives during the process
of identifying controls and evaluating their design and implementation. Controls are properly designed and imple
mented if (a) they achieve the control objectives and (b) the entity is using them. Exhibit 26 presents a list of control
objectives for general computer controls.
Exhibit 26
Control Objectives General Computer Controls
 The entity has an IT strategic planning and risk management process in place to support its financial reporting
requirements.
 The entity maintains reliable systems that include appropriate data backup and recovery processes.
 Physical security and access to programs and data are appropriately controlled to prevent unauthorized use,
disclosure, modification, damage, or loss of data.
 Program changes and systems acquisition and development are appropriately managed to ensure that the
application software adequately supports financial reporting objectives.

The auditor's risk assessment procedures to obtain an understanding of general computer controls typically
include inquiry of client personnel; inspection of systems documentation, written policies and procedures, incident
reports or logs, etc.; and observation of facilities and equipment, the operation of access controls, the performance
of backup routines, etc., to understand how general computer control objectives are achieved.
Control Activities
Control activities are the policies and procedures that help ensure that management directives are carried out. That
is, control activities are those actions that are taken to address risks that threaten the entity's ability to achieve its
objectives, one of which is reliable financial reporting. Control activities usually involve two elements: (a) a policy
that establishes what should be done and (b) the procedure that implements the policy. The auditor's understand
ing of the other components of internal control, including the control environment, risk assessment, information
and communication, and monitoring, is used in assessing the risks of material misstatement at both the financial
statement and relevant assertion levels. Certain components, such as the control environment, are more important
for developing the overall audit strategy. In contrast, control activities are important at the relevant assertion level for
detailed planning of the nature, timing, and extent of further audit procedures.
Control activities, which can be either automated or manual, are performed at various levels within the entity. The
auditor should obtain an understanding of those control activities relevant to the audit. According to SAS No. 109
(AU 314.91), control activities relevant to the audit are those for which the auditor considers it necessary to obtain
an understanding in order to assess risks of material misstatement at the assertion level and to design and perform
further audit procedures responsive to the assessed risks." This seems a bit circular, but it essentially means that
the auditor should focus on identifying and obtaining an understanding of control activities that address areas in
which the auditor considers material misstatements more likely to occur. The auditor should concentrate on
whether and how a specific control activity, individually or in combination with others, prevents, or detects and
corrects material misstatements in the classes of transactions, accounts balances, or disclosures that are signifi
92

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

cant to the financial statements. Specifically, the auditor is required to understand the entity's controls related to
significant and fraud risks and also the controls related to risks for which substantive procedures alone will not be
adequate. In addition, the auditor is required by SAS No. 109 (AU 314.92) to understand how IT affects control
activities that are relevant to planning the audit.
Control activities that are relevant to the audit are policies and procedures that pertain to the following:
 Performance Reviews. Comparisons of current financial reports to other information.
 Information Processing. Control activities that are performed to check the accuracy, completeness, and
authorization of transactions. For information processing systems, there are two broad categories of
control activities application controls and general controls. General controls are discussed beginning in
paragraph.
 Physical Controls. Controls that pertain to the physical security of assets, including adequate safeguards
that limit access to assets, authorization safeguards for access to computer programs and files, and
periodic counting and comparison of assets to control records.
 Segregation of Duties. The assignment of different people to authorize transactions, record transactions,
and maintain custody of assets.
 Asset Accountability. Controls relating to reconciliations of the detailed records to the general ledger.
Control policies may be communicated either orally or in writing. This depends to a great extent on the size of the
organization and the channels of communication within the entity. Also critical to control activities are the followup
actions taken in response to identified discrepancies (for example, investigation by management of unexpected
variances noted while comparing actual contributions to budgeted contributions). The risk assessment standards
specifically require the auditor to obtain an understanding of how the incorrect processing of transaction is
resolved. The risk assessment standards also specifically require the auditor to obtain an understanding of the
process of reconciling detail to the general ledger for material accounts.
The risk assessment standards carry forward the notions from prior standards that an audit of financial statements
does not require an understanding of all control activities related to each class of transactions, account balance,
and disclosure or to every relevant assertion, and that the auditor should first consider the knowledge about control
activities obtained from the understanding of the other components of internal control before devoting additional
attention to obtaining an understanding of control activities. (SAS No. 109, AU 314.90)
The Audit Guide, Paragraph 2.58, addresses some areas concerning internal control that are unique to nonprofit
organizations. The Audit Guide notes that the auditor should obtain an understanding of how the nonprofit
organization:
 Identifies, accepts, and evaluates donorrestricted contributions.
 Values and records promises to give.
 Values and records contributions of noncash assets (such as donated goods, services, utilities, facilities
and use of longlived assets).
 Monitors compliance with donor restrictions and board designations.
 Meets thirdparty reporting requirements (such as reporting to donors, grantors, contractors, and
regulators).
 Meets accounting presentation and disclosure requirements, including those related to functional and
natural expense recording and allocation of joint cost.
 Identifies and accounts for new programs.
93

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

These matters are affected particularly by control activities, but might also involve other components of internal
control.
Obtaining an Understanding of Control Activities. As indicated previously, the auditor should first consider
knowledge about control activities obtained through the understanding of other components of internal control,
including the financial reporting system, before investing additional efforts. Generally, the auditor accumulates a
significant amount of knowledge about control activities through the process of obtaining an understanding of the
other components. Exhibit 27 illustrates situations where an auditor might learn of control activities when obtaining
an understanding of other components.
Exhibit 27
Examples of Control Activities Identified through Other Components
Control Component

Example of Control Activity Identified

Control Environment

 When obtaining an understanding of management's


philosophy and operating style regarding internal controls,
the auditor learns of control activities relating to significant
estimates which the auditor had identified as a risk area.
 When obtaining an understanding of the control environ
ment, the auditor learns about the assignment of authority
and responsibility, including whether there is a basic
segregation of duties related to assets subject to misap
propriation, such as cash, and whether there are effective
reconciliation procedures that systematically compare
assets with the accounting records.

Risk Assessment Process

 Management has identified and assessed inventory theft


risks associated with a new product line with a high cost per
unit that was introduced during the year. Management
describes the control activities that were developed to
safeguard inventory in response to this risk.

Monitoring

 When responding to monitoring queries, management


describes how the controller reviews sensitive valuation
procedures relating to the valuation of promises to give
noncash assets.

Information and Communication


(including the Financial Reporting
System)

 When performing the walkthrough of the billing process, the


auditor learns of a review activity by the revenue accounting
manager to ensure that components of complex contract
billings are properly recognized or deferred based on
relevant accounting standards.
 When obtaining an understanding of the accounting
processing and records for cash, the auditor learns about
the client's process for reconciling bank accounts.

The auditor may also learn of control activities while performing risk assessment procedures to obtain the under
standing of the entity and its environment. Most frequently, however, the auditor learns of control activities while
obtaining an understanding of the financial reporting system. A natural byproduct of the understanding of how
transactions are initiated, authorized, processed and recorded is knowledge of how control activities ensure that
relevant assertions are achieved.
When is an Additional Understanding of Control Activities Necessary? The risk assessment standards do not
require an understanding of all of the control activities related to each class of transactions, account balance, and
94

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

disclosure in the financial statements or to every assertion. The auditor's emphasis under professional standards is
on understanding control activities that allow the auditor to assess risks of material misstatement at the relevant
assertion level and to design and perform further audit procedures that are responsive to those risks. Thus, after
considering the control activities previously identified, the auditor should evaluate whether a sufficient understand
ing of control activities has been obtained for those areas where the auditor considers material misstatements more
likely to occur. The auditor may need to devote additional attention to obtaining an understanding of control
activities in certain circumstances. For example, it is necessary to obtain an additional understanding if:
 The auditor does not understand what controls, if any, the entity has implemented to prevent or detect and
correct material misstatements in specific assertions related to fraud risks or other significant risks.
 The auditor plans or is required to test controls for one or more assertions but has not identified which
controls to test (that is, which manual or automated controls are most likely to prevent or detect and correct
material misstatements in that assertion).
Thus, even if the auditor concludes additional attention to control activities is necessary, the auditor can focus on
controls related to specific transactions, account balances, or assertions. The practical implication of this selective
approach is that it is not necessary to complete an internal control questionnaire or prepare additional documenta
tion to describe the control activities for all material account balances and transaction classes. The auditor may
identify key balances, classes, or assertions and conclude that a further understanding of control activities is
necessary only for those selected areas (such as completeness of cash contributions). Control activities that are
particularly important to a nonprofit organization are explained in the following paragraphs.
Control Activities for Contributions. If a nonprofit organization collects cash contributions, it will ordinarily be
necessary for the auditor to obtain an understanding of the relevant control activities (including controls to prevent,
deter, and detect fraud). Cash contributions include both cash received in the mail and cash received in direct
contact solicitations, but it is generally more difficult to establish effective controls over direct contact solicitation
such as doortodoor solicitation and street solicitation. The auditor's objective in auditing cash contributions is to
achieve reasonable assurance that such contributions are recorded correctly as to account, amount, and period.
Generally, the auditor's primary concern is the completeness of recorded cash contributions. Unless the nonprofit
organization has effective controls in this area, it is unlikely that the auditor will be able to design substantive tests
to provide the necessary assurance.
The Audit Guide, Paragraph 5.84, makes the following observation with respect to accounting systems and
controls for contributions:
In order to have an effective system of internal control, a notforprofit organization that receives
significant amounts of contributions should have an internal control system, that provide effective
controls to assure that all contributions received are recorded and that suitable collection efforts
are pursued for unconditional promises to give. The internal control system also should provide
effective controls to ensure that revenues arising from conditional promises to give are
recognized when the conditions have been substantially met and that restrictions on
contributions are recognized in the appropriate net asset class.
Control Activities for Governmental Financial Assistance Programs. If the nonprofit organization receives a
material amount of financial assistance from federal, state, or local government agencies, it is usually efficient and
effective to obtain a more detailed understanding of control activities and test controls in areas relevant to the
governmental assistance programs. The audit requirements of governmental grantor agencies often require
reports on internal control and compliance with laws and regulations. These requirements, plus the inherent
relation between the effectiveness of internal control and the likelihood of noncompliance with laws and regulations
that would have a material effect on the financial statements, necessitate greater attention to control procedures in
this area.
Control Activities for Other Areas. The need to obtain an understanding of control activities to design effective
substantive tests can vary considerably with the circumstances. Payroll is often a key audit area because a
substantial portion of the operating expenses of a nonprofit organization may be attributable to payroll. However,
the auditor may sometimes plan effective substantive tests without a detailed knowledge of payrollrelated control
95

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

activities. If employee turnover is high because there are many new programs or program changes, there is an
increased need to obtain a greater understanding of control activities related to payroll.

96

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
23. Relevant to information and communication, information refers to providing understanding of roles and respon
sibilities to individuals in the entity.
a. True
b. False
24. Which of the following is correct concerning monitoring?
a. Monitoring ensures that internal control is an adaptive process.
b. Monitoring must be accomplished through ongoing activities.
c. Understanding the client's monitoring process requires substantial time.
d. Risk assessment procedures are not helpful to understanding these activities.
25. The level of governing board involvement in daytoday activities is frequently a key difference between forprofit
and nonprofit entities.
a. True
b. False
26. In understanding the effect of IT, which is not one of the matters typically determined by the auditor?
a. The software used
b. The software and hardware vendor
c. Whether the client has access to source code
d. The hardware used
27. Which of the following statements is correct concerning control activities?
a. Control activities involve automated processes only.
b. Performance reviews are controls performed to check transactional accuracy.
c. Control activities relate to the relevant assertion level.
d. Physical controls pertain to asset accountability.
28. Control policies must be communicated in writing.
a. True
b. False

97

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
23. Relevant to information and communication, information refers to providing understanding of roles and respon
sibilities to individuals in the entity. (Page 79)
a. True [This answer is incorrect. Communication refers to providing understanding of roles and
responsibilities to individuals in the entity related to internal control over financial reporting.]
b. False [This answer is correct. Information refers to the financial reporting system, which includes
the accounting system.]
24. Which of the following is correct concerning monitoring? (Page 82)
a. Monitoring ensures that internal control is an adaptive process. [This answer is correct. Internal
controls must be monitored for effectiveness, and changed to respond to changing conditions.]
b. Monitoring must be accomplished through ongoing activities. [This answer is incorrect. Monitoring may
also be accomplished by separate evaluations.]
c. Understanding the client's monitoring process requires substantial time [This answer in incorrect. The
amount of time spent varies with the size and complexity of the organization.]
d. Risk assessment procedures are not helpful to understanding these activities. [This answer is incorrect.
Inquiry and observation can help the auditor understand entity monitoring activities.]
25. The level of governing board involvement in daytoday activities is frequently a key difference between forprofit
and nonprofit entities. (Page 83)
a. True [This answer is correct. Active boards can help mitigate fraud, but frequent turnovers can limit
that effectiveness.]
b. False [This answer is incorrect. The auditor must constantly assess the governing board's impact on the
nonprofit entity's internal control.]
26. In understanding the effect of IT, which is not one of the matters typically determined by the auditor? (Page 91)
a. The software used [This answer is incorrect. Automated applications and the software used are among
the matters typically determined by the auditor.]
b. The software and hardware vendor [This answer is correct. Typically, the auditor determines the
automated applications and software used, aspects of the computer system such as hardware and
networks, etc.]
c. Whether the client has access to source code [This answer is incorrect. The auditor should determine
whether the software was developed internally or externally, and whether the client has access to the
source code.]
d. The hardware used [This answer is incorrect. The auditor typically should determine aspects of the
computer system such as hardware and networks.]

98

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

27. Which of the following statements is correct concerning control activities? (Page 92)
a. Control activities involve automated processes only. [This answer is incorrect. Control activities also
involve manual processes.]
b. Performance reviews are controls performed to check transactional accuracy. [This answer is incorrect.
Performance reviews are comparisons between current financials and other information.]
c. Control activities relate to the relevant assertion level. [This answer is correct. This is in contrast
to the control environment which relates to the overall audit strategy.]
d. Physical controls pertain to asset accountability. [This answer is incorrect. Physical controls pertain to the
physical security of assets. Asset accountability pertains to reconciliation of subledgers to the general
ledger.]
28. Control policies must be communicated in writing. (Page 93)
a. True [This answer is incorrect. They may also be communicated orally.]
b. False [This answer is correct. Control policies may be communicated either in written or oral form.
The decision of which format to use may depend on the size of the entity and the channels of
communication available.]

99

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

IMPORTANT PLANNING DECISIONS AND JUDGMENTS


The information the auditor obtains about the entity and its environment by performing risk assessment procedures
is used to make several important planning decisions and judgments. The primary planning decisions and
judgments based on this information are as follows:
a. The materiality level for the financial statements taken as a whole (preliminary planning materiality).
b. Materiality for particular items of lesser amounts than planning materiality.
c. The risks of material misstatement at the financial statement level.
d. The overall audit strategy (a collective group of judgments about the audit approach, including overall
responses to risks).
e. Tolerable misstatement at the individual class of transactions, account balance, or disclosure level.
f. Risks of material misstatement at the relevant assertion level related to classes of transactions, account
balances, and disclosures.
g. The specific nature, timing, and extent of further audit procedures.
The audit planning process is iterative and continuous. Some risk assessment procedures are performed to
consider audit risk and materiality at the financial statement level and the judgments about those matters in turn
affect the considerations at the relevant assertion level for account balances, transaction classes, and disclosures.
Determining Materiality at the Financial Statement Level
According to SAS No. 107, Audit Risk and Materiality (AU 312.27), the auditor should determine a materiality level
for the financial statements taken as a whole when establishing the overall strategy for the audit. The preliminary
judgment about materiality at the financial statement level is generally referred to as planning materiality. SAS No.
107 (AU 312.69) states that the auditor should document the levels of materiality, including any changes thereto,
used in the audit and the basis on which those levels were determined. The need to establish planning materiality
is directly related to the auditor's objective of obtaining reasonable assurance of detecting misstatements that the
auditor believes could be large enough, individually or in the aggregate, to be quantitatively material to the financial
statements. According to SAS No. 107 (AU 312.36), the auditor should be alert for misstatements that could be
qualitatively material, but it ordinarily is not practical to design audit procedures to detect them.
Quantifying Planning Materiality. Materiality is determined based on the auditor's understanding of the needs
and expectations of users of financial statements, but this is a conceptual view. In other words, the auditor
considers the needs and expectations of hypothetical general users and does not survey the actual users. The
conceptual touchstone for determining materiality is the following definition from FASB Statement of Financial
Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information:
The magnitude of an omission or misstatement of accounting information that, in light of
surrounding circumstances, makes it probable that the judgment of a reasonable person relying
on the information would have been changed or influenced by the omission or misstatement.
The reference to in light of surrounding circumstances" in that definition recognizes that both quantitative and
qualitative factors influence materiality judgments. As previously mentioned, however, in determining planning
materiality the focus is generally on quantitative factors. For this reason, auditors have historically used some
common rules of thumb in establishing planning materiality.

100

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

These rules of thumb generally apply a percentage to a benchmark amount from the financial statements. SAS No.
107 (AU 312.28) acknowledges the appropriateness of this approach and suggests the following factors to
consider in selecting a benchmark:
 Elements of financial statements (for example, assets, liabilities, net assets, support, revenue, and
expenses) and GAAP financial statement measures (for example, financial position, financial performance,
and cash flows).
 Nature of the entity and the sector in which it operates.
 Size of the entity and the way it is financed.
 Focus of users' attention for the particular entity on particular financial statement items (for example, for
nonprofit organizations, users have tended to focus more on total support and revenues than net assets).
In addition, many nonprofit organizations must consider the needs of their funders (grantors and donors)
when preparing financial statements.
SAS No. 107 (AU 312.28) provides the following examples of benchmarks that might be appropriate depending on
the nature and circumstances of the entity:
 Total revenue.
 Gross profit.
 Profit from continuing operations before tax.
 Other categories of reported income.
 Net assets.
The appropriate benchmark and the related percentage applied to it can vary with the circumstances.
Desirability of a Single Benchmark. The desirability of a single benchmark arises from the practical requirements
of audit planning. To understand the use of materiality in planning, it is helpful to contrast planning with evaluation.
When the auditor is evaluating the materiality of misstatements at the conclusion of the audit, different materiality
levels may be used for different financial statements. In planning, the auditor does not know in advance whether the
misstatements that will be detected by a particular audit test will affect the statement of financial position only, the
statement of activities only, or both statements. Thus, using several levels of materiality is impractical in planning.
Also, the auditor should use a specific amount in making decisions about the scope of a test, for example, examine
all cash disbursements in the subsequent period or all additions to property above a specific dollar amount. A
range is not useful for making scope decisions but may be helpful in evaluation, for example, deciding that in
particular circumstances an error over $10,000 is material, an error under $5,000 is immaterial, and an error
between $5,000 and $10,000 may be material. That type of guide can be useful in evaluation, but it does not work
well in planning. The auditor needs to decide whether an audit test must be extensive enough to detect misstate
ments over $5,000 or over $10,000. A range is not useful for this purpose.
Benchmarks. Conceptually, materiality should be established based on the auditor's understanding of users'
needs and expectations. However, the nature and size of the entity are also important factors to consider in
selecting benchmarks to establish planning materiality. For many nonprofit organizations, total assets or total
support and revenue often provides a sound benchmark. Using either total assets or total revenue as a benchmark
has the advantages of relative stability, predictability, and representativeness of entity size.
Regardless of the benchmark the auditor uses for planning the extent of audit testing, he or she should be satisfied
that the combined effects of the nature, timing, and extent of planned procedures will be adequate to provide
reasonable assurance that the financial statements are free from material misstatement, even if a different material
ity benchmark is used for evaluation of audit differences.
101

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

It is important to note that a planning materiality benchmark is used primarily to plan the extent of audit testing, but
does not purport to provide a basis for determining the adequacy of other aspects of audit planning, namely, the
nature and timing of procedures. Also, the choice of a benchmark for planning purposes does not predetermine
what will be relevant in evaluating detected misstatements at the conclusion of the audit. The auditor may use a
sizeofentity" benchmark such as assets or support and revenues to plan the scope of audit testing, but still use
a percentageofchange in net assets" benchmark for the evaluation of audit findings. Thus, if assets or support
and revenue are used to determine planning materiality, the auditor nonetheless probably would use a change in
net assets benchmark to determine materiality for evaluating audit differences affecting the statement of activities.
Government Auditing Standards Requirements. The Yellow Book, Paragraph 4.26, explains that additional material
ity considerations might apply when the audit is conducted under Government Auditing Standards. In Yellow Book
financial audits, it may be appropriate to use lower materiality levels than in a GAAS audit because of the public
accountability of governmental entities and entities receiving government funding, various legal or regulatory
requirements, and the sensitivity of government programs.
Selecting a Percentage. There are no authoritative percentage guides for materiality. SAS No. 107 contains no
guidance on selecting a percentage. Again, for intuitive reasons, many auditors believe that the materiality percent
age should be adjusted in relation to the size of an entity. They believe the percentage should be larger for a very
small entity to recognize the practical limits on the effectiveness of audit procedures, and smaller for a very large
entity to recognize the increased risks that usually accompany bigness" and the fact that a large enough absolute
amount may be considered material.
Adapting the Approach to Nonprofit Organizations. Given the variations possible in the financial statement
presentations of nonprofit organizations, what should an auditor use as the benchmark for the preliminary judg
ment about materiality? The Audit Guide, Paragraph2.16, provides a number of alternatives:
 Total net assets or various net asset classes.
 Changes in net assets or net asset classes.
 Total revenues.
 Revenues of each net asset class.
 Total expenses.
 Other measures, such as total unrestricted contributions, total program expenses, the ratio of program
expenses to total expenses, or the ratio of fundraising expenses to contributions.
Generally, it is believed that assets or support and revenue would be a more relevant benchmark for a nonprofit
organization than changes in net assets because most nonprofit organizations closely match revenue and
expenses and operate on small margins. However, the auditor must consider whether any adjustments should be
made to the benchmark because of the characteristics of nonprofit accounting. Experience has shown that the
approach recommended usually produces a preliminary judgment about materiality that is relevant to users,
sensible, and realistic. However, the experience supporting this approach uses financial statement amounts for
business enterprises. Certain adaptations are necessary to recognize the unique characteristics of nonprofit
accounting.
If total assets are to be used as the base, some auditors choose to reduce the amount in the financial statements
for interfund receivables, assets held on behalf of others, and any fixed assets not subject to depreciation. These
items should be removed because they cause a nonprofit organization's assets to be larger than the total assets of
a comparable business enterprise. Interfund receivables are not assets of the organization as a whole and are
required by footnote 8 to SFAS No.117 (FASB ASC 958210452) to be presented in the statement of financial
position in such a way that they are eliminated when displaying total assets of the organization. Assets held on
behalf of others do not belong to the entity (for example, amounts from agency transactions to be remitted to others
or assets held under splitinterest agreements where a thirdparty beneficiary will ultimately receive the assets).
Assets that are not being depreciated (such as capitalized collection items) overstate total assets. For convenience,
102

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

the auditor may reduce the benchmark for the entire amount of the assets not being depreciated rather than
attempting to compute the depreciation that would have otherwise been taken.
If total support and revenue is to be used as the benchmark, auditors may exclude the amount of additions for
assets not subject to depreciation (such as donated land recognized as support) for the same reason that such
assets are excluded from the total asset benchmark. When using interim financial statements prepared by the client
to calculate planning materiality, the auditor should be aware of how the organization records revenue to determine
if it is consistent with GAAP. For example, if the organization has special events revenue, the auditor should make
sure such revenue is recorded gross and not net in the interim financial statements and should consider the timing
of significant fundraising events. Consideration should also be given to adjusting interim results if significant
onetime transactions have already occurred or are expected after the interim date.
Some nonprofit organizations have large investment portfolios in relation to the entity's total assets, liabilities,
support and revenue, and expenses. Some auditors choose to remove the amount of such investments from the
total asset benchmark, and investment income from the total revenue benchmark when calculating planning
materiality, while other auditors choose not to remove the amounts. Removing such amounts from the benchmarks
will result in a lower planning materiality. The decision is based on the auditor's determination of what planning
materiality is appropriate in order to detect material misstatements for a particular audit client. The Audit Guide,
paragraphs 2.142.16 discusses planning materiality in a financial statement audit and gives examples of appropri
ate benchmarks for nonprofit organizations. Regardless of how the auditor chooses to calculate planning material
ity, the auditor should document his or her decision process.
Planning materiality judgments should be reconsidered as the audit progresses. Because the calculation made
during initial planning often uses annualized interim financial information, the base amounts in the annual audited
financial statements might differ. If the auditor becomes aware of changes that would have affected the determina
tion of planning materiality, adjustments should made. At the conclusion of the audit, the auditor should consider
whether the scope of the audit has been adequate in the circumstances. If planning materiality based on interim
amounts is too large, then audit scope might not have been sufficient. If planning materiality based on interim
amounts was too small, then the audit would be less efficient than would have been possible because the auditor
may have done more audit work than was necessary.
Determining Materiality for Particular Items of Lesser Amounts
In addition to determining a planning materiality amount for the financial statements taken as a whole, the auditor
should consider whether, in the specific circumstances of the entity, misstatements of particular items of lesser
amounts than planning materiality could be expected to influence economic decisions of users. According to SAS
No. 107 (AU 312.31), any such amounts determined represent lower materiality levels to be considered in relation
to the particular items in the financial statements" for audit planning purposes. In other words, in addition to
determining materiality at the financial statement level, the auditor should determine whether there are particular
financial statement items for which a lower planning materiality amount is appropriate based on user perceptions
of the particular items.
SAS No. 107 (AU 312.32) provides the following factors to consider and related examples in making this planning
decision:
a. Whether accounting standards, laws, or regulations affect users' expectations regarding the measurement
or disclosure of certain items (for example, related party transactions and the remuneration of management
and those charged with governance).
b. The key disclosures in relation to the industry and the environment in which the entity operates (for
example, research and development costs for a pharmaceutical company).
c. Whether attention is focused on the financial performance of a particular subsidiary or division that is
separately disclosed in the consolidating financial statements (for example, a newly acquired business).
The auditor should consider consulting with management and those charged with governance about whether there
are particular financial statement items of lesser amounts than planning materiality that users would regard as
material.
103

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Another way of looking at this requirement is that it is an exception to the general notion that planning materiality is
a primarily quantitative determination and opens the determination to a limited group of qualitative factors, but only
for particular classes of transactions, account balances, or disclosures specified by the auditor.
Certain significant audit planning issues in the nonprofit audit environment normally require determining materiality
for particular items of lesser amounts. Auditors should use their judgment and determine a lower materiality
threshold for these items. For example, if the nonprofit organization is funded by governmental grant monies,
materiality takes on a whole new focus. Spending more governmental money than is specified in the contract
probably will create a budget overrun requiring funding from other sources. Spending money for ineligible recipi
ents could require that the organization refund to the funding sources all funds spent improperly. Other examples
are loans to board members by a nonprofit organization which are prohibited by state law in some states.
Similar considerations apply to private grants made by individuals or corporations. For example, money given by
a donor for a new building or athletic field must be used for expenditures related to that activity. If the money is
designated for use in a future year, then that time restriction must be honored by the organization and reviewed by
the auditor. Some grants are really donations, with no restrictions on their usage other than the monies are to be
used for charitable purposes in accordance with IRS guidelines. On the other hand, some grants have specific
requirements in the grant document. For example, those grants may require that a certain number of people have
counseling sessions take place, or that a certain class of people be served based on economic or other specifica
tions. An auditor could conceivably find a pristine set of accounting records. Yet, if the monies in a grant were not
used as specified by the grant contract, then in reality all the money was improperly spent and should be reported
not as grant expenditure, but as a payable back to the grantor. In a number of states, a law has been violated if a
donor makes a contribution to an endowment fund and the money is diverted to operations. Pennsylvania filed
criminal charges against board members and the executive staff of a nonprofit organization that used over fifty
million dollars of endowment funds for operations.
Another reason for establishing a lower materiality amount relates to the concept that the auditor is rendering an
opinion on a client that is a taxexempt organization. If the organization has failed to operate in accordance with IRC
regulations, then the client may no longer be tax exempt. If that is the case, then the auditor could issue an
erroneous opinion because corporate income taxes, penalties, and interest could be due. In addition, the auditee
might be misleading donors by making them think they are making donations that are tax deductible, when in
reality they are not.
Another example arises when the auditor is specifically engaged to audit and express an opinion on individual
programs, components, or branches. In that case, a separate preliminary judgment about materiality should be
determined for each program, component, or branch using the total assets or total support and revenue for that
program, component, or branch.
Determining Tolerable Misstatement
The auditor must perform the audit to obtain reasonable assurance of detecting misstatements that the auditor
believes could be large enough, individually or in the aggregate, to be quantitatively material to the financial
statements. For this purpose, the auditor needs to establish a tolerable misstatement at the individual account
balance, class of transaction, or disclosure level. SAS No. 107 (AU 312.34) defines tolerable misstatement as the
maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing
to accept." SAS No. 107 (AU 312.69) requires documentation of the level of tolerable misstatement, the basis on
which it was determined, and any changes thereto as the audit progresses.
Guidance on determining tolerable misstatement is provided in SAS No. 107 (AU 312.35), which indicates, the
auditor should determine one or more levels of tolerable misstatement," and such levels are normally lower than
the materiality levels." In other words, tolerable misstatement should be lower than the materiality level for the
financial statements taken as a whole. Also, for particular items in the financial statements for which a lesser amount
than financial statement materiality has been determined the tolerable misstatement should be commensurately
lower as well. Therefore, the auditor may determine and document more than one level of planning materiality and
more than one level of tolerable misstatement.

104

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

SAS No. 39, Audit Sampling (AU 350.18), as amended by SAS No. 111, provides the following additional guidance
on tolerable misstatement:
This maximum monetary misstatement that the auditor is willing to accept for the balance or class
is called tolerable misstatement for the sample. Tolerable misstatement is a planning concept and
is related to the auditor's determination of materiality for planning the financial statement audit in
such a way that tolerable misstatement, combined for all of the tests in the entire audit, does not
exceed materiality for the financial statements. This means that auditors should normally set
tolerable misstatement for a specific audit procedure at less than financial statement materiality
so that when the results of the audit procedures are aggregated, the required overall assurance
is attained.
Although this guidance appears in relation to audit sampling, it is applicable to all further audit procedures not just
those involving sampling.
A Practical Approach to Determining Tolerable Misstatement. Professional standards do not discuss how
tolerable misstatement should be calculated or any rules of thumb that have been used in practice to calculate
tolerable misstatement. SAS No. 107 (AU 312.50) explains that in evaluating audit findings, the auditor must
consider the effects, both individually and in the aggregate, of misstatements (known and likely) that are not
corrected by the entity.
This means that conceptually the combination of the (a) uncorrected known misstatement, (b) projected or
estimated misstatement from the application of audit sampling and analytical procedures, and (c) tolerable mis
statement for all account balances or transaction classes should be equal to or less than the amount the auditor
considers material to the financial statements taken as a whole. The implication is that total tolerable misstatement
could be calculated by deducting the auditor's estimate of total known and likely misstatement from planning
materiality.
At the planning stage, the auditor cannot know the amounts of known misstatements that will be detected and that
the client will not correct, or the projected or estimated misstatements that will result from the application of audit
procedures using audit sampling or analytical procedures. However, the auditor may be able to make reasonable
estimates of those amounts. In that case, the auditor could deduct the sum of those estimates from planning
materiality to calculate total tolerable misstatement. However, because of the difficulty of making these estimates,
many auditors prefer to use a rule of thumb approach that produces satisfactory results in most circumstances as
discussed in the following paragraph.
The approach suggested is to determine tolerable misstatement as a percentage of the auditor's judgment about
the amount material to the financial statements taken as a whole. The percentage used is based on the auditor's
expectation of uncorrected detected misstatements. Using this approach, a common rule of thumb is to calculate
tolerable misstatement as a fraction between 50% and 75% of materiality at the financial statement level (and
materiality for items of lesser amounts, if applicable) with the percentage being increased from 50% as the
likelihood of uncorrected detected misstatements decreases.
The 50% adjustment is based on the maximum adjustment normally made in monetary unit (MUS)probability
proportional to size (PPS) sampling applications to allow for the projected, or likely, misstatements expected in
sample results. Usually this 50% adjustment is very conservative, that is, larger sample sizes than necessary will be
used. Typically, for most entities it is believed that the larger adjustment of 75% will normally be satisfactory. When
the auditor expects a relatively large amount of known misstatements to remain uncorrected or relatively large likely
misstatements, an adjustment closer to 50% should be used.
The rule of thumb of calculating tolerable misstatement as 75% of planning materiality is appropriate when the
auditor uses MUS (PPS) sampling or an approximation of MUS (PPS) sampling for all audit sampling applications.
The approach to audit sampling recommended is an approximation of MUS (PPS) sampling. With this approach,
the same amount of tolerable misstatement can be used in all sampling applications. This is possible because MUS
(PPS) sampling views the financial statements taken as a whole as a pool of dollars. The tolerable misstatement for
the financial statements is applicable to all the account balances and transaction classes included within the
105

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

financial statements. The materiality worksheet calculates tolerable misstatement as 75% of planning materiality.
This amount can also be used to compute individually significant items.
When the auditor uses a statistical sampling approach to substantive tests other than either MUS (PPS) sampling
or a nonstatistical approximation of MUS (PPS) sampling, another approach to computing tolerable misstatement
should be used. This approach is explained in articles and books on use of variables sampling in auditing and is not
discussed here. However, the auditor should be aware that when using statistical sampling for variables, the
planning materiality amount needs to be allocated to sampling applications for specific account balances or
transaction classes. This allocation process is necessary only when classical variables sampling is used.
Caution on Use of Planning Materiality for Evaluation. It is critically important to recognize that the planning
materiality amount calculated using the worksheet is the combined amount of misstatement. During the audit, an
auditor may detect some misstatements in an account balance and may need to decide whether to apply additional
procedures. In these circumstances, the auditor should not compare the potential misstatement to planning
materiality or to tolerable misstatement. The appropriate comparison for this purpose is to the calculated individu
ally significant amount.
Relating Planning Materiality and Tolerable Misstatement to Accounts and Transactions
The scope of audit procedures for specific account balances and transaction classes should be related to the
amount the auditor considers material to the financial statements. SAS No. 107 (AU 312.18) explains this point as
follows:
In determining the nature, timing, and extent of auditing procedures to be applied to a specific
account balance, class of transactions, or disclosure the auditor should design audit procedures
to obtain reasonable assurance of detecting misstatements that the auditor believes, based on
the judgment about materiality, could be material, when aggregated with misstatements in other
balances, classes, or disclosures to the financial statements taken as a whole.
Using an explicit amount for tolerable misstatement permits the auditor's decisions about the quality and extent of
evidence necessary to be influenced specifically by the size of a misstatement that would be material to the account
balance or transaction class.
Some consideration of the relationship between tolerable misstatement and individual accounts is obviously
necessary because it is not efficient or effective to apply a percentage guide to each account. For example, in
applying audit procedures to prepaid expense, it would not be reasonable to regard 10% of the amount as material
if the total amount of prepaid expense was immaterial to the financial statements. For some accounts and transac
tions, consideration of tolerable misstatement is unnecessary because the nature of the item and cost of possible
audit procedures is such that the account can be audited to very close tolerances. For example, longterm debt and
property, plant, and equipment can usually be examined to such close tolerances. For other accounts, such as
shortterm assets and liabilities, consideration of the tolerable misstatement for the account balance will be useful
in making planning decisions. An auditor, for example, might use the tolerable misstatement amount in deciding:
a. which items in a balance to examine 100%,
b. whether it is necessary to sample the remaining items, or
c. whether to apply analytical procedures instead of tests of details.
Trivial Misstatements
Some auditors set an amount below which detected misstatements need not be accumulated on the summary of
audit differences (often referred to as adjustments passed at the workpaper level). SAS No. 107 (AU 312.42) states
that the auditor must accumulate all known and likely misstatements identified during the audit, other than those
that the auditor believes are trivial." (Emphasis added.) Footnote 17 to AU 312.42 states that trivial matters are
amounts designated by the auditor below which misstatements need not be accumulated. This amount is set so
that any such misstatements either individually or when aggregated with other such misstatements, would not be
material to the financial statements, after the possibility of further undetected misstatements is considered."
106

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

When determining whether the amount of a misstatement is below the amount that should be accumulated on the
summary of audit differences, the auditor should be careful not to net purposed adjustments at the workpaper level.
For example, assume the auditor has determined that only misstatements greater than $500 need to be accumu
lated on the summary or audit differences. If the auditor has a known misstatement that overstates income by
$10,000 and a likely misstatement that understates income by $10,500, both misstatements should be included on
the summary of audit differences.
Single Audit Materiality
In a Single Audit, the auditor should plan the audit of federal award programs so that there is only a relatively low
risk of failing to detect noncompliance with requirements governing each major program that, when taken together,
would be material to the program. For the Single Audit, the auditor's consideration of materiality for federal award
programs differs from that in the audit of financial statements. In the audit of financial statements, the auditor
considers materiality in relation to the financial statements being audited. However, when auditing compliance with
requirements governing federal award programs, the auditor must also consider materiality at the major program
level. The auditor's assessment of materiality for a specific instance of noncompliance will depend on the particular
compliance requirement that is being evaluated.
Materiality for Purposes of Compliance Testing and Reporting. OMB Circular A133 requires the auditor to test
and report on the nonprofit organization's compliance with compliance requirements governing major programs.
When testing compliance with compliance requirements governing major programs, the auditor should consider
materiality in relation to each major program being audited. OMB Circular A133, Section 510 requires auditors to
report material noncompliance with the provisions of laws, regulations, contracts, or grant agreements related to a
major program in a schedule of findings and questioned costs. OMB Circular A133, states:
The auditor's determination of whether an instance of noncompliance with the provisions of laws,
regulations, contracts, or grant agreements is material for the purpose of reporting an audit
finding is in relation to a type of compliance requirement. . . for a major program or an audit
objective identified in the. . . Compliance Supplement.
In determining whether a compliance finding is material, the auditor should give consideration to both qualitative
and quantitative factors.
OMB Circular A133 requires the auditor to consider a lower level of materiality for purposes of reporting audit
findings in the schedule of findings and questioned costs than for other purposes. The materiality level for reporting
an audit finding in a single audit is generally lower than (a) the materiality used for planning and performing the
single audit, (b) the materiality used for planning, performing, evaluating the results of, and reporting on the
financial statement audit, and (c) the materiality used for expressing an opinion on compliance with requirements
having a direct and material effect on each major program.
Because OMB Circular A133 requires an opinion on compliance for each major program, when considering
whether instances of noncompliance are material to a major program, the auditor should consider the type and
nature of each instance of noncompliance, as well as the actual and projected effect of noncompliance, on each
major program in which noncompliance was detected. The concept of materiality should be applied to each major
program taken as a whole, rather than to each individual compliance requirement. An amount that is material to one
major program may be considered immaterial to another major program. If the tests of compliance reveal material
noncompliance at the program level, the auditor should consider the effect of this noncompliance on the financial
statements.
Guidance on Determining Materiality for Compliance Testing and Reporting. As a rule of thumb, it is believed
that, in most situations, using 5% of total program awards expended will result in an appropriate materiality amount.
However, other factors may effect this decision, and the auditor should use professional judgment in making this
determination.
Assessing Risks of Material Misstatement at the Financial Statement Level
Audit risk is the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial
statements that are materially misstated. It is a function of the risk that the financial statements are materially
107

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

misstated and the risk that the auditor will not detect such material misstatement. In this sense, audit risk is the risk
of material misstatement remaining in the financial statements after the audit. Audit risk cannot be precisely
measured as a percentage; thus, consideration of audit risk is necessarily judgmental, not mathematical.
The auditor must consider audit risk for the financial statements taken as a whole. When considering audit risk at
the overall financial statement level, the auditor should consider risks of material misstatement that relate perva
sively to the financial statements taken as a whole and potentially affect many relevant assertions. (These risks are
also referred to as overall risks.)
Professional standards establish a presumptively mandatory requirement for the auditor to assess and document
the risks of material misstatement at the financial statement level (SAS No. 107, AU 312.12 and SAS No. 109, AU
314.122). Risks of material misstatement at the financial statement level often relate to the entity's control environ
ment and are not necessarily identifiable with specific relevant assertions at the class of transactions, account
balance, or disclosure level. These overall risks are often especially relevant to the auditor's consideration of the
risks of material misstatement arising from fraud, for example, through management override of internal control.
At the individual account balance, class of transaction, or disclosure level, the risk of material misstatement
consists of inherent risk and control risk. Some auditors have questioned whether these risk model components
also need to be considered at the financial statement level. The answer is, No." It is believed the risk assessment
at the financial statement level is directed to an overall or combined assessment of the risk of material misstate
ment. There is no requirement to separately assess inherent risk and control risk at the financial statement level.
The overall assessment of risk of material misstatement at the financial statement level is made relatively early in
audit planning, based on information such as the effectiveness of the entity's control environment and identification
of fraud risk factors.
Responding to Risks at the Financial Statement Level. SAS No. 110 provides guidance to auditors when
determining overall responses to address risks of material misstatement at the financial statement level. These
responses may include:
 Emphasis to the audit team to use professional skepticism.
 Assigning staff with higher experience levels or specialized skills.
 Increasing the level of supervision.
 Using a greater degree of unpredictability in selecting audit procedures.
 Changing the nature, timing, and extent of substantive procedures (e.g., instead of interim testing shift
testing to period end or modify the nature of audit procedures to obtain more persuasive evidence).
In addition, the auditor should consider any specific relevant assertions that might be affected by the overall risks
and develop responses at that level when designing the nature, timing, and extent of further audit procedures.
Exhibit 28 provides examples of overall risks and potential responses.

108

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Exhibit 28
Examples of Overall Risks and Responses
Overall Risk

Example Responses

No communication of ethical values. Manage


ment exhibits behavior that occasionally reflects
a loose regard for ethical operating practices.
(The auditor assumes a risk of management
override of controls. This also assumes that the
auditor does not perceive the risk to be so great
to either decline or withdraw from the engage
ment.)

 Place higher emphasis on the use of professional


skepticism.
 Assign staff with higher experience levels.
 Review accounting estimates for bias.
 Evaluate operating rationale for unusual transac
tions.
 Examine journal entries.
 Make greater use of unpredictability in audit
procedures.
 Increase the extent of fraudrelated inquiries.

Turnover in key management during the year.

 Increase the level of supervision.


 Review accounting estimates for bias.
 Evaluate operating rationale for unusual transac
tions.

Going concern considerations that may impact


future financing, investment, or other operating
opportunities.

 Increase the level of supervision or assign more


experienced staff.
 Shift substantive procedures to year end.
 Review accounting estimates for bias.
 Emphasize the use of professional skepticism.

A minimal degree of compliance with restrictive


loan covenants containing various required
operating ratios for significant financing agree
ments.

 Shift substantive procedures to year end.


 Review accounting estimates for bias.

Management exhibits a low regard for hiring


competent finance personnel.

 Increase the level of supervision or assign more


experienced staff.
 Shift substantive procedures to year end.

Because there is always at least one identified fraud risk (a risk of management override of controls), certain overall
responses are required in every audit, as follows:
 Auditors should consider whether the personnel assigned to the engagement possess the necessary
knowledge and skills.
 Auditors should consider whether the extent of supervision of personnel is appropriate.
 Auditors should consider the client's selection and application of accounting principles, especially in
subjective areas.
 Auditors should incorporate an element of unpredictability in the selection of audit procedures from year
to year.
Other overall responses may also be appropriate to address identified fraud risks. Exhibit 29 provides examples of
overall responses to fraud risks.

109

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 29
Overall Responses to Fraud Risks
Staffing and Supervision:
 Assignment of more experienced audit personnel to the engagement or increased supervision of
engagement personnel.
 Assignment of personnel with industry or functional expertise.
 Involvement of specialists.
Selection and Application of Accounting Principles:
 Increased scrutiny of the client's selection and application of significant accounting policies, particularly
those that deal with revenue recognition, asset valuation, or capitalizing versus expensing.
Incorporating an Element of Unpredictability:
 Altering the timing of tests.
 Changing sampling methods.
 Performing procedures at different locations or on an unannounced basis.
 Performing a different combination of analytical procedures and substantive tests of details.
 Testing account balances and assertions otherwise considered immaterial or low risk.
Other Overall Responses:
 Increased sensitivity to the nature, timing, and extent of documentation examined in support of material
transactions.
 Increased recognition of the need to corroborate client explanations or representations concerning
material matters, such as through additional analytical procedures, examination of documentation, or
corroboration with others within or outside the organization.
 Further consideration of the auditor's control risk assessment (if control risk has been assessed at less
than a high level) if identified fraud risks have control implications.
 Increased scrutiny of the nature and business reasons for unusual and/or overly complex transactions.

Documentation. SAS No. 109 requires the auditor to document the assessment of risks of material misstatement
at the financial statement level and the basis for the assessment. The auditor is also required by SAS No. 110 to
document overall responses to such risks.(Note that the assessment of risks at the financial statements level is
really an acknowledgment that there are risks at the financial statement level. The auditor needs to document those
identified risks and their response.)
Establishing an Overall Audit Strategy
The auditor should establish an overall strategy for the audit. The audit strategy is the auditor's operational
approach to achieving the objectives of the audit. It is a high level determination of the audit approach. It includes
the identification of overall risks, the overall responses to those risks, and the general approach to each audit area
as being substantive procedures or a combination of substantive procedures and tests of controls.
SAS No. 108 (AU 311.14) provides that in establishing the overall audit strategy the auditor should do the following:
a. Determine the characteristics of the engagement that define its scope.
b. Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of
communications required.
c. Consider the important factors that will determine the focus of the audit team's efforts.
110

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Steps a and b are relatively straightforward factual determinations of the information to be audited, reporting
objectives, the overall timing of the audit, and the written and other communications that will be required. Step b is
particularly important in an engagement for a nonprofit organization. The type of financial statements to be reported
on, special audit or reporting requirements of a funding source or regulatory agency, tax forms to be filed, and the
reporting deadlines for all of these matters can have a significant effect on the scope and sequence of audit
procedures. Step c is the heart of determining the nature, timing, and extent of audit procedures that will be
necessary. In establishing audit strategy, these matters are dealt with at a high level rather than at the detailed audit
plan level, which describes the nature, timing, and extent of procedures at the relevant assertion level.
The overall audit strategy includes and is significantly influenced by the auditor's judgments about materiality and
the risks of material misstatement at the financial statement level. Important aspects of overall audit strategy that
determine the focus of the audit team's efforts generally include the following:
 Materiality considerations, including:
 Planning materiality.
 Materiality for auditors of other locations, if any.
 Preliminary identification of material locations and account balances.
 Preliminary identification of areas where there may be higher risks of material misstatement, including
those due to fraud.
 Effect of assessed risk of material misstatement at the overall financial statement level.
 Evaluation by audit area of whether the auditor plans to obtain evidence regarding the operating
effectiveness of internal control, i.e., whether the auditor plans to use substantive procedures alone or a
combination of substantive procedures and tests of controls.
 Determination of the composition and deployment of the audit team (and if necessary, the engagement
quality control reviewer), including the assignment of audit work to team members, especially the
assignment of appropriately experienced team members to areas identified as having a higher risk of
material misstatement.
 Determination of the extent of involvement of professionals possessing specialized skills.
 Additional emphasis on the use of professional skepticism.
 Determination of general aspects of the nature, timing, and extent of further audit procedures, such as
performing testing at the statement of financial position date rather than at an interim date.
 Identification of recent significant developments affecting the entity, its industry, its financial reporting, or
its legal or economic environment.
 Determination of areas where client assistance is expected to be minimal.
In developing the overall audit strategy the auditor should incorporate decisions and judgments about overall
responses to the risks of material misstatement at the financial statement level. A key outcome of developing the
strategy is the determination of resources necessary to perform the engagement including:
 Personnel Resources for Specific Audit Areas. This includes the assignment of experienced team members
or the involvement of experts for high risk or complex areas as well as the amount of resources for specific
audit areas, including the timing of the deployment of such resources.
 Management and Supervision of Personnel. This includes management and supervision considerations
such as team briefing meetings, reviews by the partner and manager, and quality control reviews.
111

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Effect of Information Technology (IT) on Audit Strategy. A client's computer system also can affect the audit
strategy because it can affect the risk of material misstatement, which influences the auditor's substantive proce
dures, and also can affect the availability and sufficiency of audit evidence, including the audit trail. In computerized
financial reporting systems, much of the client's data is processed and stored only in electronic form. Thus, errors
and fraud involving computer programs and files may be less obvious than misstatements in manual records. Also,
data processing duties are often concentrated in one or two employees. Those factors can create a higher risk of
material misstatement. However, that risk may be reduced if the client uses only purchased software and simple
applications.
In addition, when information is available only in electronic form, its competence and sufficiency as audit evidence
usually depend on the effectiveness of controls over its accuracy and completeness. Accordingly, the risk of
improper initiation or alteration of information may be greater if the information is available only in electronic form
and controls are not operating effectively. For example, automated controls and processes may be overridden
leaving little or no visible evidence of the intervention. In that case, the auditor should perform tests of controls to
gather evidence for use in assessing control risk.
Before designing the audit plan, auditors should consider whether the client's computer system provides a clear
audit trail. If the system does not provide a clear trail for posting transactions to the general ledger, including journal
entries, the auditor may need to change the nature of planned substantive procedures, such as testing items
comprising yearend balances instead of testing transaction activity for the period.
Auditors also should consider the amount and type of available data when designing audit procedures. They may
need to time their tests based on when the accounting data is available. Data availability can be affected by both the
computer system and the client's data retention policies.
The impact of IT on an entity's internal control is generally related more to the nature and complexity of the entity's
systems than to the entity's size. However, before deciding not to test controls, auditors need to be satisfied that
performing only substantive procedures will be effective in reducing detection risk to an acceptable level. For
example, SAS No. 109 indicates that the auditor may find it impossible to design effective substantive procedures
that by themselves provide sufficient appropriate audit evidence at the relevant assertion level when an entity
conducts its activities using information technology (IT) and no documentation of transactions is produced or
maintained, other than through the IT system.
Timing of Developing the Audit Strategy. In some cases, the auditor may have sufficient information to establish
a preliminary audit strategy prior to performing extensive risk assessment procedures based on knowledge from
past experience with the client and the results of preliminary engagement activities. For example, in a continuing
engagement, the auditor may be able to establish a preliminary audit strategy after completing the client continu
ance procedures based on knowledge from the previous engagements and discussions with the client regarding
any new issues or changes in client circumstances.
For new engagements, the auditor may have gained sufficient information while performing client acceptance
procedures and gathering information for the fee proposal that would allow the development of a preliminary audit
strategy. In fact, many auditors collect enough information during this process to make preliminary decisions on the
assessment of overall risks, the determination of personnel requirements, use of specialists or other auditors, and
other overall strategy matters. In these situations, the auditor simply needs to gather additional information
throughout the performance of the risk assessment procedures to complete the overall audit strategy.
Communicating with Those Charged with Governance. The auditor may discuss elements of the overall audit
strategy with those charged with governance. SAS No. 114 requires the auditor to communicate with those
charged with governance about the planned scope and timing of the audit. When these discussions occur, the
auditor should be careful not to compromise the effectiveness of the audit, for example, by discussing the detailed
nature and timing of audit procedures.
Although professional standards do not require documentation of the audit strategy itself, they do require docu
mentation of any significant revisions to the overall audit strategy to respond to changes in circumstances.
However, SAS No. 108 (AU 311.18) observes that a brief memorandum prepared at the conclusion of the previous
audit, based on a review of audit documentation and highlighting issues identified in the audit just completed, can
112

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

be updated and changed in the current period to provide a basis for planning the current audit. The update can be
based on discussions with management of the entity. As a practical matter, some auditors frequently prepare an
audit summary memo" as part of their engagement completion procedures to provide a convenient method of
establishing a basis for planning the following year's audit engagement. Exhibit 210 provides a list of suggested
content that might be contained in such a memo.
Exhibit 210
Suggested Content for an Audit Summary Memo
 A brief background of the nonprofit organization and a description of its operations.
 A brief recap of the results of the auditor's risk assessments and identification of areas, if any, designated as
high risk.
 A summary of the nonprofit organization's financial position, activities, and cash flows.
 Relevant information related to the Single Audit, if applicable.
 A discussion of significant accounting and auditing issues, including matters that require significant
professional judgment.
 An indication of the review performed by the engagement partner.
 A summary of audit differences.
 Overall opinion.
 Documentation of the report release date and the documentation completion date.
 Other matters, such as identification of engagement team members, summary of the closing meeting held with
the client, issues for inclusion in a management letter, known changes or efficiency considerations for
consideration when planning the subsequent year's engagement, and client service opportunities.

Documentation of Communications with Other Entities in a Single Audit. The auditor might communicate with
grantor agencies (including pass-through entities) or federal or state auditors or other oversight entities to aid in
planning the audit. The GAS/A-133 AICPA Audit Guide, paragraph 2.48, explains that as part of establishing the
overall audit strategy, the auditor should document such communications and any decisions reached as a result.

113

Companion to PPC's Guide to Audits of Nonprofit Organizations

114

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
29. Which of the following statements is correct concerning planning materiality?
a. Planning materiality concerns preliminary judgments at the relevant assertion level.
b. Planning materiality decisions are based on the needs of actual users.
c. The focus is generally on qualitative factors.
d. SFAC No. 2 applies a reasonable person" standard to determining materiality.
30. Which of the following statements is correct concerning the use of benchmarks?
a. Planning materiality benchmarks consider the nature but not the size of the entity.
b. Planning materiality benchmarks determine adequacy of the nature of procedures.
c. Planning materiality is established by applying a percentage to a benchmark.
d. Once a benchmark is chosen, it remains throughout the audit.
31. Which of the following statements is correct concerning tolerable misstatement?
a. Just as there is only one planning materiality level, there should be only one tolerable misstatement level.
b. Tolerable misstatement can exceed the level of materiality for the financial statements.
c. Tolerable misstatement is a monetary concept, used to set the maximum acceptable error in a population.
d. Professional standards are quite explicit concerning calculation of tolerable error.
32. OMB Circular A133 requires the auditor to provide an opinion on compliance for each major program.
a. True
b. False
33. According to the text, what is the correct auditor response when there has been a turnover in key management
during the year?
a. Shift substantive procedures to year end.
b. Review accounting estimates for bias.
c. Examine journal entries.
d. Increase unpredictability in audit procedures.
34. Which of the following statements is correct concerning risk and the financial statements?
a. Audit risk can be mathematically determined by the use of PPS or classical sampling means.
b. Risk of material misstatement applies to both the financial statement level and the relevant assertion level.
c. There is always at least one identified fraud risk.
d. A key outcome of identifying overall risks and developing an overall strategy is the determination of poten
tial auditor liability.
115

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
29. Which of the following statements is correct concerning planning materiality? (Page 100)
a. Planning materiality concerns preliminary judgments at the relevant assertion level. [This answer is
incorrect. These judgments are made at the financial statement level.]
b. Planning materiality decisions are based on the needs of actual users. [This answer is incorrect. Such
decisions are based on a conceptual view. Actual users are not surveyed.]
c. The focus is generally on qualitative factors. [This answer is incorrect. The focus is on quantitative factors.]
d. SFAC No. 2 applies a reasonable person" standard to determining materiality. [This answer is
correct. SFAC No. 2 considers whether the judgments of a reasonable person would be affected by
the information presented.]
30. Which of the following statements is correct concerning the use of benchmarks? (Page 101)
a. Planning materiality benchmarks consider the nature but not the size of the entity. [This answer is incorrect.
Both factors are considered in the development of benchmarks for planning materiality.]
b. Planning materiality benchmarks determine adequacy of the nature of procedures. [This answer is
incorrect. Planning materiality benchmarks should not be used to determine the adequacy of the nature
and timing of procedures.]
c. Planning materiality is established by applying a percentage to a benchmark. [This answer is
correct. This approach is supported by SAS No. 107.]
d. Once a benchmark is chosen, it remains throughout the audit. [This answer is incorrect. Choice of
benchmarks may change as the auditor moves from planning to evaluation.]
31. Which of the following statements is correct concerning tolerable misstatement? (Page 105)
a. Just as there is only one planning materiality level, there should be only one tolerable misstatement level.
[This answer is incorrect. SAS No. 107 allows for multiple levels.]
b. Tolerable misstatement can exceed the level of materiality for the financial statements. [This answer is
incorrect. SAS No. 39 specifically rules out such an occurrence.]
c. Tolerable misstatement is a monetary concept, used to set the maximum acceptable error in a
population. [This answer is correct. Tolerable error is specifically addressed by SAS No. 39.]
d. Professional standards are quite explicit concerning calculation of tolerable error. [This answer is incorrect.
Professional standards do not address such calculations, nor do they address the rules of thumb used in
practice to make such calculations.]
32. OMB Circular A133 requires the auditor to provide an opinion on compliance for each major program. (Page
107)
a. True [This answer is correct. The concept of materiality should be applied to each major program
taken as a whole.]
b. False [This answer is incorrect. When considering whether instances of noncompliance are material to a
major program, OMB Circular A133 imposes such a requirement.]
116

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

33. According to the text, what is the correct auditor response when there has been a turnover in key management
during the year? (Page 109)
a. Shift substantive procedures to year end. [This answer is incorrect. This is an appropriate response in
certain cases, such as when there are going concern considerations that may impact future financing.]
b. Review accounting estimates for bias. [This answer is correct. This is also an appropriate response
in certain cases involving restrictive loan covenants where a minimal degree of compliance is
considered an overall risk.]
c. Examine journal entries. [This answer is incorrect. This is an appropriate response when an overall risk is
no communication of ethical values.]
d. Increase unpredictability in audit procedures. [This answer is incorrect. This is an appropriate response
when an overall risk is no communication of ethical values.]
34. Which of the following statements is correct concerning risk and the financial statements? (Page 109)
a. Audit risk can be mathematically determined by the use of PPS or classical sampling means. [This answer
is incorrect. Audit risk is subjective, not mathematical.]
b. Risk of material misstatement applies to both the financial statement level and the relevant assertion level.
[This answer is incorrect. Risk of material misstatement is not necessarily identifiable with specific relevant
assertions.]
c. There is always at least one identified fraud risk. [This answer is correct. That being a risk of
management override of controls.]
d. A key outcome of identifying overall risks and developing an overall strategy is the determination of
potential auditor liability. [This answer is incorrect. A key outcome is the determination of resources
necessary to complete the audit.]

117

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

FRAUD CONSIDERATIONS
SAS No. 99, Consideration of Fraud in a Financial Statement Audit, establishes standards and provides guidance on
the auditor's responsibility to consider the risks of fraud and to design the audit to provide reasonable assurance
of detecting fraud that results in the financial statements being materially misstated. This course discusses the
auditor's assessment of audit risk at the financial statement level and the account balance or transaction class
levels. The auditor's consideration of fraud is not separate from consideration of risk at those levels, but is
integrated into the overall risk assessment process. Therefore, this course integrates the requirements of SAS No.
99 within the overall risk assessment process by addressing those requirements at relevant points throughout the
course. This section, like SAS No. 99, provides more specific guidance on assessing the risk of material misstate
ment due to fraud when assessing the risk of material misstatement. Although the requirements and guidance
presented in this section may suggest a sequential process, the audit is a continuous process of gathering,
updating, and analyzing information about the fairness of presentation of amounts and disclosures in the financial
statements in conformity with GAAP (or an OCBOA). Therefore, the procedures outlined in this section may be
performed concurrently with other procedures, and the evaluation of fraud risks should occur continuously
throughout the audit.
Special Considerations for a Nonprofit Organization When Performing a Single Audit
A riskbased approach should be used when determining major programs. Adoption of a riskbased approach
shifts the audit away from traditional major programs (that is,those with large dollar expenditures) to an emphasis
on programs that show signs of managerial weakness or that by their nature are inherently risky. The approach
includes consideration of the following:
 Current and prior audit experience.
 Oversight by federal agencies and passthrough entities.
 Inherent risk of the program.
Section 525(a) of OMB Circular A133 indicates the auditor's determination [of federal program risk] should be
based on an overall evaluation of the risk of noncompliance occurring which could be material to the Federal
program." OMB Circular A133 describes a fourstep process to determine major programs. If major programs are
determined and documented in accordance with OMB Circular A133, Section 520(h) states the auditor's judg
ment in applying the riskbased approach to determine major programs shall be presumed correct."
Types of Misstatements Caused by Fraud
SAS No. 99 (AU 316.05) defines fraud as an intentional act that results in a material misstatement in financial
statements that are the subject of an audit." The SAS outlines three conditions that generally are present when
fraud occurs:
 Incentive/Pressure. Management or other employees have a reason to commit fraud.
 Opportunity. Circumstances, such as ineffective controls, the absence of controls, or the ability to override
controls, enable management or other employees to commit fraud.
 Attitude/Rationalization. Management or other employees are able to justify the acceptability of committing
fraud.
SAS No. 99 addresses two types of misstatements that are relevant to the auditor's consideration of fraud in a
financial statement audit:
 Misstatements resulting from fraudulent financial reporting (sometimes called cooking the books).
 Misstatements resulting from misappropriation of assets (sometimes called stealing).
118

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Misstatements Resulting from Fraudulent Financial Reporting. Misstatements resulting from fraudulent finan
cial reporting (often referred to as management fraud or cooking the books) are intentional misstatements, or
omissions, of amounts or disclosures from the financial statements with the intent of deceiving financial statement
users. The effect of those misstatements causes the financial statements not to be presented, in all material
respects, in conformity with GAAP (or an OCBOA). Examples that may be encountered with nonprofit organizations
include
 Overstating program accomplishments to earn higher bonuses or to mislead grantors about the success
of the program in order to ensure future funding.
 Understating unrestricted net assets to avoid potentially negative effects on fundraising.
 Understating unrelated business income to minimize income taxes.
Management may be under pressure to report certain financial results to bond reporting agencies in order to
maintain the organization's bond rating and to lenders to meet bond covenant requirements. Similarly, a nonprofit
organization may have a promise to give conditioned on receiving matching funds. Management of the organiza
tion may be under pressure to overstate promises to give receivable and contribution revenue to meet the matching
requirement. Another comparable situation may result if the nonprofit organization has a federal award with a
matching requirement. If the nonprofit organization has received a material grant, management of the organization
may be under pressure to keep recorded expenses within the grant budget limits. This could result in either an
understatement of total expenses and liabilities or the misclassification of expenses to functional areas other than
the appropriate grant. Conversely, a nonprofit organization may record fraudulent expenses under a specific grant
with excess funds in order to record related grant revenue. This could result in an overstatement of both expenses
and grant revenue.
Nonprofit organizations that face cash flow problems may face pressure to misclassify donorrestricted contribu
tions as unrestricted to free up cash for the organization's operations. This could result in an overstatement of
unrestricted net assets and an understatement of temporarily or permanently restricted net assets. However, for
other nonprofit organizations, the risk may run in the opposite direction. For example, nonprofit organizations
experiencing difficulty with fundraising due to large balances of unrestricted net assets may attempt to record
unrestricted contributions as restricted in order to lower the percentage of total net assets that is reflected as
unrestricted in the financial statements.
A nonprofit organization's financial statements may be reviewed by a national oversight organization or industry
watchdog group and are frequently available to the public over the Internet. As a result, the organization may be
under pressure to report certain financial results, such as fundraising expenses below certain percentages of
contribution revenue and total expenses. The auditor has to draw on knowledge of the nonprofit organization to
evaluate where in the financial statements material misstatement due to fraud would be likely to exist.
Many nonprofit organizations have an interest in reporting positive trends in contributions revenue and in minimiz
ing supporting services expenses. The key consideration, however, is whether management has shown an interest
in manipulating the financial statements through unusually aggressive accounting practices. The auditor may have
knowledge from prior audits of management trying to allocate supporting services to programs in an effort to
minimize the supporting services reported in the financial statements. This situation would most likely increase the
risk of material misstatement due to fraud. However, if management is interested in minimizing supporting services
expenses through legitimate means, such as allocations based on detailed time and use studies, then the auditor
most likely would not consider this to be an area of increased risk. Those practices are not the same as fraudulent
actions such as skimming revenue and falsifying documents. The independent auditor's focus is on whether the
financial statements are materially misstated.
In general terms, financial statements are fraudulently misstated through use of the following methods:
 Intentional misapplication of GAAP (or an OCBOA) involving measurement, and resulting misstatement of
amounts.
 Intentional omission or misrepresentation of information about transactions or events (or intentional
misapplication of GAAP involving disclosure).
119

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Recording fictitious transactions.


 Recording sham transactions (transactions without economic substance, usually involving related parties).
These methods may be facilitated by the creation, falsification, alteration, or other manipulation of accounting
records or source documents. Misstatements resulting from fraudulent financial reporting are frequently perpe
trated by management through override of internal controls over financial reporting.
Misstatements Resulting from Misappropriation of Assets. Misstatements resulting from misappropriation of
assets (often referred to as defalcation, embezzlement, theft, or simply stealing) involve theft of the company's
assets that results in the financial statements not being presented, in all material respects, in conformity with GAAP
(or an OCBOA). Misappropriation of assets can be committed in many ways, including embezzlement of cash
receipts, stealing assets, or causing the entity to pay for goods and services not received (or paying inflated prices
for goods and services received). This type of fraud may be facilitated by the falsification, alteration, or other
manipulation of accounting records or source documents, possibly by circumventing controls. Misappropriation
may be committed by one or more individuals in management, by employees, or by third parties.
The Auditor's Responsibility for Fraud Detection
SAS No. 107 (AU 312.03) states: The auditor's responsibility is to plan and perform the audit to obtain reasonable
assurance that material misstatements whether caused by errors or fraud, are detected." SAS No. 99 does not
increase the auditor's responsibility for the detection of material misstatement due to fraud. However, SAS No. 99
does require the auditor to specifically identify and assess risks that may result in material misstatement of the
financial statements due to fraud and to respond to the results of the assessment when gathering and evaluating
audit evidence.
SAS No. 99 requires the auditor to make an assessment of the risk of material misstatement arising from both
fraudulent financial reporting and misappropriation of assets. When assessing the risk of material misstatement
due to fraud, the auditor should consider the type of risk, that is, whether it relates to cooking the books or stealing;
the significance of the risk, that is, whether it could result in material misstatement of the financial statements; the
likelihood of fraud occurring; and the pervasiveness of the risk, that is, whether it relates to the financial statements
as a whole or to specific areas of the financial statements. This analysis should also include consideration of the
direction of the risk for the area of the financial statements that would be affected. Is the risk of potential misstate
ment a risk of overstatement or a risk of understatement?
The auditor should consider who would have the motivation or incentive to intentionally misstate the financial
statements and the form the fraud would be likely to take. As explained previously, this is a consideration that
should be discussed among the engagement team members in a planning meeting. That way, team members can
exchange ideas about where the audited entity's financial statements might be susceptible to misstatement due to
fraud and the more experienced members can share their insights based on their knowledge of the entity. SAS No.
99 (AU 316.14.18) requires that key members of the audit engagement team have, and document, a brainstorm
ing discussion early in the audit about the potential for fraud.
SAS No. 99 (AU 316.20.27) requires specific fraudrelated inquiries of management, employees, internal auditors,
and the audit committee. The auditor should inquire of management about its understanding of the risks of fraud,
programs and controls in place to lessen fraud risks, and whether management knows of any actual fraud or is
aware of any alleged fraud in the entity. Similar inquiries should be made of others within the entity who the auditor
believes may be able to provide useful information (such as operating personnel not directly involved in financial
reporting and other employees at various levels of authority or involved in complex or unusual transactions),
internal auditors, and the audit committee, if there is one.
SAS No. 99 requires the auditor to specifically identify and assess risks that may result in material misstatement of
the financial statements due to fraud and to respond to the results of the assessment when gathering and
evaluating audit evidence. However, SAS No. 99 states that an auditor cannot obtain absolute assurance that the
financial statements are free of material misstatements caused by fraud. Because of the nature of audit evidence
and the characteristics of fraud, even a properly planned and performed audit may not detect a material misstate
ment resulting from fraud. Fraudulent activity often involves collusion, misrepresentation, or falsified documents. In
120

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

addition, fraudulent financial reporting frequently involves management override of controls that in some cases
might appear to be operating effectively. As a result, auditors may unknowingly rely on audit evidence that appears
to be valid but is, in fact, fraudulent. In addition, audit procedures that are effective for detecting errors may not be
effective for detecting fraud.
Immaterial Misstatements Caused by Fraud. AU 110.02 states:
The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance
that misstatements, whether caused by errors or fraud, that are not material to the financial
statements are detected.
However, many frauds may not result in the financial statements being materially misstated for any individual
period, but may be perceived to be material, especially if the amounts involved accumulate over time.
For example, assume that a bookkeeper in a small nonprofit organization embezzles $5,000 per year for several
years and hides the fraud by inflating expenses each year. That amount is immaterial to each year. After several
years, the fraud is detected and the amounts stolen aggregate $30,000, which might be considered material if the
financial statements for any individual period were misstated by this amount. Because the financial statements are
not materially misstated in any given period, the auditor is not responsible under professional standards for
detecting such a fraud. This situation does result in a business risk for the auditor because many clients may have
the expectation that the auditor should detect all cases of fraud, whether the financial statements are materially
misstated or not. This perception of the auditor's responsibility goes beyond what is required by professional
standards. To eliminate this expectation gap, it is important for auditors to inform their clients about the auditor's
responsibility under professional standards.
The Importance of Exercising Professional Skepticism
GAAS requires the auditor to exercise due professional care in planning and performing the audit. SAS No. 1 at AU
230.07 states that due professional care requires the auditor to exercise professional skepticism. Professional
skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence." Because the
characteristics of fraud include concealment, misrepresentation, falsified documents, and collusion, the need for
professional skepticism is especially important when considering the risks of material misstatement due to fraud.
When exercising professional skepticism, auditors should suspend any belief in management's honesty and
integrity and approach the audit with a questioning mind. Regardless of past experience with the client, auditors
acknowledge and remain open and alert to the possibility that material misstatement due to fraud may exist. All of
the information and evidence gathered by the auditor is critically evaluated and an ongoing assessment is made of
whether the evidence suggests that the financial statements are materially misstated due to fraud. The auditor
should not be willing to accept less than persuasive evidence based on a belief that management or key
employees are honest.
The Auditor's Fraud Risk Assessment Process
SAS No. 99 requires auditors to assess identified risks of material misstatement due to fraud. However, although the
SAS uses the term assess, this is not intended to require a separate, specific conclusion on the level of risk such as
high, moderate, or low. The SAS indicates that such an assessment is not useful in developing appropriate
responses. Rather, the assessment referred to in SAS No. 99 involves determining whether identified risks of
material misstatement due to fraud are mitigated by antifraud programs and controls, and the effect of those
considerations on the auditor's response.
SAS No. 99 outlines the following fraud risk assessment process (however, as discussed in paragraph [OLDREF],
the process is not necessarily sequential):
a. Hold a discussion among engagement team members to consider the susceptibility of the client's financial
statements to material misstatement due to fraud and to reinforce the importance of professional
skepticism.
b. Obtain other information needed to identify risks of material misstatement due to fraud.
121

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

c. Identify risks that may result in material misstatement of the financial statements due to fraud.
d. Assess the identified risks after taking into account an evaluation of the entity's antifraud programs and
internal controls.
e. Respond to the results of the risk assessment.
Auditors gather other information that may be relevant to identifying risks of material misstatement due to fraud
while obtaining an understanding of the entity and its environment, its internal control, and its fraud risk factors, and
from the performance of preliminary analytical procedures. Other information auditors should consider in identify
ing risks of material misstatement due to fraud includes the discussion among engagement team members,
information from client acceptance and continuance procedures, the auditor's inherent risk assessment and, if
applicable, reviews of interim financial statements.
If the auditor identifies risks of material misstatement due to fraud, the audit response may be overall or specific,
and may include substantive procedures or tests of controls. (However, substantive analytical procedures alone are
not a sufficient response.) Specific responses are addressed in individual audit programs. Overall responses have
an overall effect on how the audit is conducted. Certain overall responses, such as the consideration of staffing and
supervision, scrutiny of the selection and application of accounting principles, and incorporating an element of
unpredictability in audit procedures, are considered in every audit and are incorporated into the audit programs in
this course. In addition, certain required responses to address the risk of management override of controls are
incorporated in the audit programs in this course.
Documenting the Fraud Risk Assessment. Although SAS No. 99 defines a fraud risk assessment process that
results in identifying and documenting risks of material misstatement due to fraud and the auditor's responses to
those risks, it does not change the overall audit risk assessment process in SAS No. 107. SAS No. 107 defines audit
risk at the account balance or transaction class level as consisting of three components: inherent risk, control risk,
and detection risk. SAS No. 99 requires the auditor to assess the identified risks of material misstatement due to
fraud, but it does not add another component to the audit risk model. This is because fraud risks encompass both
inherent and control risk attributes. Under the audit approach in this course, the auditor makes separate assess
ments of inherent and control risk (including the risks of fraud) and uses those assessments to determine the risk
of material misstatement. In addition, the auditor considers whether the audit programs are appropriate in light of
the assessed risk of material misstatement.
SAS No. 99 (AU 316.83) requires the auditor to document evidence that he or she assessed the risks of material
misstatement due to fraud. The auditor is required to document the following:
 The discussion among engagement team members in planning the audit.
 The procedures performed to gather information needed to identify and assess fraud risks.
 Fraud risks identified.
 The response to those risks.
 If applicable, how the auditor overcame the presumption that improper revenue recognition is a fraud risk.
 The results of procedures to address the risk of management override of controls.
 Additional conditions, if any, requiring a response and the response(s) to those conditions.
 The nature of communications about fraud.
A practical approach has been developed to fraud risk assessment that addresses the requirements in SAS No. 99.
This course includes audit program steps designed to assist auditors in meeting those requirements. Exhibit 211
illustrates how the approach in this course accomplishes the requirements outlined earlier.
122

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 211
Practice Aids for Documenting the Fraud Risk Assessment
PPC Approach to Fraud Risk
Assessment

SAS No. 99 Requirements


Hold a discussion among engagement team members to consider the
susceptibility of the client's financial statements to material misstate
ment due to fraud and to reinforce the importance of professional
skepticism.

Step 1. Gather information about the


entity and its environment that may be
relevant in identifying risks of material
misstatement of the financial state
ments due to fraud:
 Discussion among engagement
team members.

Obtain other information needed to identify risks of material misstate


ment due to fraud.

Identify risks that may result in material misstatement of the financial


statements due to fraud.

 Inquiries of management and


others.
 Considering whether fraud risk
factors are present.
 Preliminary analytical procedures.
 Other procedures.
Step 2. Identify risks that could result
in material misstatement of the
financial statements due to fraud.

Assess the identified risks after taking into account an evaluation of the Step 3. Assess the identified risks:
entity's antifraud programs and internal controls.
 Evaluate programs and controls.
 Assess fraud risks.
Respond to the results of the risk assessment.

Step 4. Develop appropriate


responses to risks of material mis
statement of the financial statements
due to fraud:
 Overall responses.
 Specific responses.
 Responses to further address the
risk of management override of
controls.

Detection of Illegal Acts


SAS No. 54 (AU 317), Illegal Acts by Clients, indicates that the auditor's responsibility for detecting misstatements
resulting from illegal acts having a direct and material effect on the determination of financial statement lineitem
amounts is the same as that for other errors and fraud. For indirecteffect illegal acts, the auditor, in conducting the
audit, remains aware of their possibility but does not design the audit specifically to detect them. As part of audit
planning, the auditor should make inquiries of management or the owner/manager concerning the client's com
pliance with laws and regulations. Where applicable, the auditor should also inquire about (a) the client's policies
related to the prevention of illegal acts and (b) the use of directives (for example, a code of ethics) and periodic
representations obtained from managementlevel employees concerning compliance with laws and regulations. If
an illegal act is detected during the audit, SAS No. 54 requires that it be communicated to those charged with
governance, unless clearly inconsequential. (Auditors should be familiar with any applicable state statutes regard
ing communication to outside parties and should consider consulting with legal counsel.) Also, a representation
from management regarding the absence of violations of laws or regulations is ordinarily included in the manage
ment representation letter.
123

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Compliance Auditing and Illegal Acts. Nonprofit organizations often receive financial assistance from govern
mental entities and, as a result, become subject to laws and regulations that may have a direct and material effect
on financial statement amounts. The Audit Guide, Paragraph 2.26, addresses the auditor's planning responsibilities
related to laws and regulations in a GAAS audit as follows:
Some laws and regulations...may have a direct and material effect on the determination of
financial statement amounts. The auditor's responsibility to detect misstatements resulting from
directeffect illegal acts is the same as for errors and fraud. Accordingly, management generally
should identify federal, state, and local laws and regulations that may have a direct and material
effect on the determination of financial statement amounts. The auditor should assess the
appropriateness of that identification and obtain an understanding of the possible effects of those
laws and regulations on the financial statements.
If an auditor performs an audit in accordance with Government Auditing Standards (a Yellow Book audit), he or she
accepts additional responsibilities beyond GAAS.
Other Considerations for Fraud, Illegal Acts, Noncompliance, and Abuse
GAAS Requirements Related to Compliance with Laws and Regulations. In the audit of a nonprofit organiza
tion, substantial attention is given to compliance with laws and regulations. SAS No. 74 (AU 801) provides guidance
on applying this GAAS requirement when the auditor is engaged to audit a nonprofit organization under GAAS and
is engaged to test and report on compliance with laws and regulations under Government Auditing Standards, or in
certain other circumstances involving governmental financial assistance, such as Single Audits.
Specifically, AU 801 provides guidance to the auditor on:
 Applying the provisions of AU 317, Illegal Acts by Clients, relative to detecting misstatements resulting from
illegal acts related to laws and regulations that have a direct and material effect on financial statement
amounts in audits of nonprofit organizations and other recipients of governmental financial assistance.
 Performing a financial audit in accordance with Government Auditing Standards.
 Performing a Single Audit in accordance with federal audit requirements.
 Communicating with management if the auditor becomes aware that the entity is subject to an audit
requirement that may not be encompassed in the terms of the engagement.
Although management is responsible for ensuring that the nonprofit organization complies with laws and regula
tions applicable to its activities, the auditor is responsible for considering laws and regulations and how they affect
the audit. The GAS/A133 AICPA Audit Guide, paragraph 2.44, states that the auditor should obtain an understand
ing of the possible effects on financial statements of laws and regulations that will have a direct and material effect
on the determination of amounts in the entity's financial statements. The auditor should also assess whether
management has identified all the laws and regulations that have a direct and material effect on the financial
statements." Thus, the auditor has to design the audit to provide reasonable assurance that the financial state
ments are free of material misstatements resulting from violations of laws and regulations that have a direct and
material effect on the determination of financial statement amounts. In addition, the auditor should document the
procedures performed to evaluate compliance with laws and regulations (including violations of provisions of
contracts and grant agreements) that have a direct and material effect on the determination of financial statement
amounts.
Government Auditing Standards Requirements. Government Auditing Standards establish additional require
ments related to (a) noncompliance with contracts and grant agreements; (b) abuse; (c) ongoing investigations or
legal proceedings; and (d) communication of fraud, illegal acts, noncompliance, and abuse. The audit programs in
this course include procedures that might be performed to address these requirements, which are discussed in the
following paragraphs.
124

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Government Auditing Standards require auditors to design their audits to provide reasonable assurance of detect
ing misstatements resulting from noncompliance with the provisions of contracts or grant agreements that could
have a direct and material effect on financial statement amounts or other financial data significant to the audit
objectives. The Yellow Book also establishes requirements related to noncompliance that might have material
indirect effects. The 2007 Yellow Book, Paragraph 4.11, states that if information comes to the auditor's attention
about possible violations of provisions of contracts or grant agreements that could have a material indirect effect,
the auditor should perform procedures specifically to determine whether such violations have occurred. If the
auditor concludes that a violation has occurred or is likely to have occurred, the auditor has to determine the effect
on the financial statements and the implications for other aspects of the audit.
Requirements Related to Abuse. Government Auditing Standards also establish requirements related to abuse. The
concept of abuse is different from that of fraud, illegal acts, or noncompliance. The Yellow Book indicates that
abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would
consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes
misuse of authority or position for personal financial interests or those of an immediate or close family member or
business associate." It may or may not involve fraud, illegal acts, or noncompliance with contracts or grant
agreements.
The determination of abuse is subjective. Thus, auditors are not required to provide reasonable assurance of
detecting abuse. Instead, Paragraph 4.13 of the Yellow Book states that if auditors become aware of abuse that
could be material (either quantitatively or qualitatively) to the financial statements, they should perform additional
procedures to determine its potential effect on the financial statements or other financial data significant to the audit
objectives. These additional procedures involve (a) evaluating whether the situation or transaction meets the
definition of abuse or whether it also involves fraud or illegal acts and (b) evaluating whether the situation or
transaction involves behavior that is deficient or improper when compared with behavior that a prudent person
would consider reasonable and necessary business practice given the facts and circumstances. Section 1112
discusses considerations for evaluating abuse.
Requirements Related to Ongoing Investigations or Legal Proceedings. The Yellow Book clearly states that it is
important for auditors to avoid interfering with ongoing investigations or legal proceedings. Paragraph 4.29 of the
2007 Yellow Book explains that when investigations or legal proceedings have been initiated or are in process, the
auditor should evaluate the impact on the audit. It may be necessary for the auditor to work with investigators or
legal authorities, to withdraw from the engagement, or to defer further work on the engagement, or a portion
thereof, to avoid interfering with the process.
Developing Elements of a Finding. If the auditor finds fraud, illegal acts, noncompliance, abuse, or internal control
deficiencies, the auditor is required to plan and perform additional procedures to develop the elements of the
findings that are relevant and necessary to achieve the audit objectives. The Yellow Book, explains that these
elements are criteria, condition, cause, and effect or potential effect.
Communication Requirements. The Yellow Book establishes specific requirements for auditors to communicate
fraud, illegal acts, noncompliance, and abuse, including requirements for reporting to outside parties in certain
situations.
Applicability of SAS No. 99 to a Single Audit
SAS No. 99 establishes standards for financial statement audits. Paragraph 6.25 of the GAS/A133 AICPA Audit
Guide notes that SAS No. 99 only applies to an audit of financial statements and not to a compliance audit.
However, that guide also requires that the auditor specifically assess the risk of material noncompliance with a
major program's compliance requirements due to fraud in a Single Audit. The auditor should consider that
assessment in designing the audit procedures to be performed. Although SAS No. 99 applies only to an audit
of financial statements, the auditor may want to consider its guidance when planning and performing an audit of an
entity's compliance with specified requirements applicable to its major programs. Therefore, it is recommended
that the auditor assess the risk of major program material noncompliance as part of the financial statement fraud
risk assessment process required by SAS No. 99. The results of such assessment may affect which audit proce
dures are performed. However, while SAS No. 99 fraud risk factors relating to major programs should be consid
ered, the formal fraud risk assessment process and documentation requirements are not applicable to the federal
125

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

award part of the audit. In many instances, however, it is believed that including the assessment of fraud risks
relating to major programs as part of the assessment of fraud risks in the financial statements will be effective and
efficient.
Fraud Consulting Services
If clients become aware that employees have committed fraud or suspect that fraud may be taking place, they may
attempt to engage the auditor to perform fraud investigation consulting services. Such an engagement can take
various forms. Before accepting such engagements for audit clients, auditors should assess the potential liability
associated with their services particularly if the alleged fraud, due to collusion or concealment, was not detected
during the firm's audit. To avoid any appearance of a conflict of interest, as required by Statement on Standards for
Consulting Services No. 1, the fraud investigation services should ordinarily be performed by someone other than
the personnel involved in the audit. If such an engagement is accepted, all communications and documentation
should be carefully considered to ensure that the firm's selfinterest is not abandoned. The firm needs to consider
whether it can be objective in the forensic investigation given the selfinterest created by its audit responsibilities.
The firm should also consider consulting legal counsel. In addition, the auditor's understanding with the client
regarding the performance of these nonattest services should be documented.

126

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
35. Which of the following is not noted by SAS No. 99 as a condition generally present when fraud occurs?
a. Pressure
b. Incompetence
c. Opportunity
d. Attitude
36. The text gives several examples of fraudulent misstatement of nonprofit financial statements. Which of the fol
lowing is not among them?
a. Overstating program accomplishments
b. Understating unrestricted net assets
c. Overstating restricted net assets
d. Understating unrelated business income
37. Which of the following statements is correct concerning the auditor and fraud detection?
a. SAS No. 99 does not require the auditor to assess fraud likelihood, only the possibility.
b. SAS No. 99 requires the auditor to obtain absolute assurance that financials are free of misstatements
related to fraud.
c. SAS No 99 does not require the auditor to obtain reasonable assurance concerning immaterial fraud
related misstatements.
38. Which of the following is not one of the authoritative resources mentioned in the text that provides guidance for
the auditor concerning detection of illegal acts?
a. SAS No. 54
b. The Audit Guide
c. SAS No. 74
d. SAS No. 99

127

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
35. Which of the following is not noted by SAS No. 99 as a condition generally present when fraud occurs? (Page
118)
a. Pressure [This answer is incorrect. Incentives and pressures are noted as generally present when fraud
occurs.]
b. Incompetence [This answer is correct. This is not to say that management has not placed a low value
on hiring and maintaining a competent staff, but this is not one of the elements specifically
mentioned by SAS No. 99.]
c. Opportunity [This answer is incorrect. Opportunity, such as management's ability to override controls, is
often present when fraud occurs.]
d. Attitude [This answer is incorrect. The ability to rationalize and justify fraudulent actions is generally present
when fraud occurs.]
36. The text gives several examples of fraudulent misstatement of nonprofit financial statements. Which of the fol
lowing is not among them? (Page 119)
a. Overstating program accomplishments [This answer is incorrect. This has implications for bonuses and
inducements for future funding.]
b. Understating unrestricted net assets [This answer is incorrect. This can avoid potentially negative
fundraising implications.]
c. Overstating restricted net assets [This answer is correct. The examples given are overstating
program accomplishments, understating unrelated business income, and understating unre
stricted net assets.]
d. Understating unrelated business income. [This answer is incorrect. This may be related to income tax
evasion on nonprofit income that is deemed taxable.]
37. Which of the following statements is correct concerning the auditor and fraud detection? (Page 121)
a. SAS No. 99 does not require the auditor to assess fraud likelihood, only the possibility. [This answer is
incorrect. SAS No. 99 requires the auditor to assess the likelihood of fraud and the pervasiveness of the
risk.]
b. SAS No. 99 requires the auditor to obtain absolute assurance that financials are free of misstatements
related to fraud. [This answer is incorrect. SAS No. 99 acknowledges that such assurances are not
possible.]
c. SAS No 99 does not require the auditor to obtain reasonable assurance concerning immaterial
fraudrelated misstatements [This answer is correct. The auditor is not required to obtain
reasonable assurance concerning immaterial misstatements caused by fraud or error.]

128

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

38. Which of the following is not one of the authoritative resources mentioned in the text that provides guidance for
the auditor concerning detection of illegal acts? (Page 123)
a. SAS No. 54 [This answer is incorrect. SAS No. 54 specifically addresses the auditor's responsibility where
illegal acts are concerned.]
b. The Audit Guide [This answer is incorrect. The Audit Guide indicates a shared responsibility between
management and the auditor for the identification of laws and the understanding of their effects on the
financial statements.]
c. SAS No. 74 [This answer is incorrect. SAS No. 74 provides guidance on application of provisions of other
standards related to illegal acts and the auditor's responsibility.]
d. SAS No. 99 [This answer is correct. SAS No. 99 specifically addresses fraudrelated misstatement
risks.]

129

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SUBSTANTIVE PROCEDURES AND TIMING


As part of audit planning, an auditor considers whether to apply any substantive procedures or tests of controls
before the statement of financial position date. In an initial engagement for the audit of a nonprofit organization, it
is not unusual for the auditor to be engaged on or after the fiscal year end. This eliminates the opportunity to even
consider spreading work during the year by interim testing. In a continuing engagement, there are opportunities to
spread work over the fiscal period. This may be desirable if the auditor has several nonprofit clients with identical
fiscal year ends. Because of the characteristics of nonprofit organizations that affect internal control, it is seldom
appropriate or desirable to perform substantive procedures for asset, liability, or net asset account balances prior
to the statement of financial position date, but transaction testing can be done at an interim date.
Tests of Transactions
Testing expenditure transactions for coding and classification may be performed in the audit of a nonprofit
organization. In testing transactions, the auditor should normally select transactions from the entire period under
audit. If the auditor can obtain reasonably accurate estimates of the number and total dollar amount of the
transactions for the fiscal period under audit, a portion of this work can be done at any convenient interim date. The
remainder of the testing would then be completed as part of yearend procedures.
Fiscal Year Cutoffs
The nonprofit organization may be subject to the requirements of differing regulatory bodies and funding sources
that have differing fiscal years. Financial reports may be required for a fiscal year, calendar year, or program year
different than the fiscal year of the nonprofit organization used for preparing annual financial statements. In that
case, the auditor will have to plan cutoff tests for each of the periods involved. Also,nonprofit organizations are
more likely to change fiscal years than commercial businesses. The auditor should consult with the nonprofit
organization if such a change in yearend occurs, as it may alter the timing of the audit and require additional
procedures to ensure that there is a proper cutoff for the new fiscal period. Auditing and accounting literature does
not specifically address changes in fiscal years. However, TIS 1800.03 notes that it is usually necessary to disclose
the change in fiscal year in the organization's financial statements.
Public Fundraising Events
When a nonprofit organization's major source of revenue is public fundraising events such as membership drives
or special events, the auditor may need to be present during the events to adequately test revenue. In some cases,
the auditor cannot obtain sufficient competent evidential matter for recorded revenue unless the organization has
effective controls. In those cases, the auditor usually must test controls during the operation of those controls at the
fundraising events. Thus, the auditor needs to obtain a schedule of events and arrange to be present at those
interim dates to apply the appropriate audit procedures.
Organizations Dependent on Cash Contributions
Some nonprofit organizations (such as churches) regularly collect significant cash contributions. Those nonprofit
organizations must have adequate controls in place to determine that all cash contributions are properly recorded.
The auditor may need to perform tests of those controls in order to test the completeness of cash contributions
adequately. Such tests may include observation of the organization's controls in operation. The observations may
need to be scheduled at various times throughout the year for the auditor to perform the appropriate audit
procedures.

GENERAL PLANNING PROCEDURES AND FORMS


Most CPA firms develop an overall administrative audit program, commonly referred to as the general program, to
document the technical and administrative matters needed to plan and complete an engagement. The important
consideration is the auditor's knowledge and understanding of these matters rather than the extent of the docu
mentation. However, auditors are required to document the (a) understanding of the entity, its environment and its
internal control, including the sources of the information from which the understanding was obtained and the risk
130

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

assessment procedures that were performed, and (b) assessment of the risks of material misstatement both at the
financial statement level and the relevant assertion level and the basis for the assessment. In addition, SAS No. 99
requires auditors to document the specific risks of material misstatement due to fraud that are identified and, if
auditors do not identify improper revenue recognition as a fraud risk, the reasons supporting that conclusion.

THE AUDIT TIME BUDGET


Authoritative literature does not require the preparation of a time estimate or the documentation of the actual time
spent in performing an audit. However, common sense suggests that an auditor is more likely to be efficient and
effective working under a time budget. Also, as a minimum, an auditor should have some estimate of audit time to
arrive at a fee estimate. Keeping track of the time spent as the audit progresses is important for billing the client and
for assessing whether adjustments are necessary to stay within the budget for the engagement.
Methods used in practice to budget and control time range from elaborate systems that budget time by each
program step to a single total time estimate for the entire audit. Neither extreme is likely to be effective. A system
that accounts for time by each major audit program area is recommended, i.e., total time for cash, total time for
contributions, etc. Other major engagement processes outside of audit program areas should also be considered
such as planning activities, review and supervision, and drafting financial statements and other reports. This
provides enough detail to highlight major areas of time commitment, monitor workinprogress, and arrive at a
reasonable fee estimate. Using this budget technique, the auditor is not required to post time to audit programs;
instead, time is posted to a summary schedule by major program area that is normally filed with the general or
administrative workpapers.
It should be emphasized that the final audit time estimate should be completed after the planning stage, i.e., after
the audit programs are developed and the auditor has a general feel for the extent of testing. This may not coincide
with the date that the auditor must present a fee estimate to a client, especially to a prospective client. However,
auditors should avoid the temptation to develop the audit time estimate based solely on the fee estimate, especially
if it is an extremely competitive fee estimate that is not representative of standard billing rates times realistic total
audit hours.
Managing Client Assistance to Improve Efficiency
Clients can have a significant effect on how efficiently an audit is completed. It is not unusual for the explanation of
audit budget overages to be the client did not prepare requested schedules" or requested schedules were
prepared incorrectly by the client." In some cases, audit inefficiencies result from the client not being available to
answer the auditor's questions or to retrieve needed information once fieldwork has begun. While it is often the
case that some audit budget overages caused by the client are beyond the auditor's control, in many cases the
auditor can improve the efficiency of the audit by effectively managing client assistance.
Schedules Prepared by the Client. In order to save audit fees, most clients are willing to prepare needed
schedules for the auditor. In fact, to be efficient, the auditor should try to get the client to prepare as many of the
necessary schedules as possible. However, many inefficiencies can result from the process of obtaining schedules
from the client. For example, schedules may not be prepared by the time the auditor needs them so that the auditor
ends up spending time preparing the schedules and exceeding the budget for the area. Or in other cases, the
schedules are prepared on a timely basis, but incorrectly; so the auditor spends additional time revising the
schedules to make them useable. The following paragraphs discuss steps the auditor can take to minimize the
inefficiencies often experienced when requesting schedules from the client.
List Everything Needed. When preparing a list of schedules to be prepared by the client (the PBC list"), the auditor
should make sure that the list is complete. Inefficiencies result from asking for more information after fieldwork has
begun because the auditor often must wait for the client to prepare the schedule. If a complete PBC list is provided
to the client before fieldwork begins, the client is more likely to have the schedules completed before the audit
starts. As a result, client personnel should have more time to answer the auditor's questions if they are not busy
trying to complete additional schedules. To make sure the PBC list is complete, the auditor should review it carefully
(and avoid just changing the dates on the prior year's PBC list) before sending it to the client. The interim general
ledger or trial balance requested during the planning process can be used to identify new accounts for which
schedules may be needed.
131

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Make Sure the Client Understands What Information Is Being Requested. When making requests for information
from the client, the auditor should be specific about what is needed. For example, the auditor should avoid making
requests such as provide an analysis of activity in the deferred revenue account." The client should be given an
example of the format in which the information should be provided. If requesting a spreadsheet or another type of
schedule, efficiencies may be gained by providing the client with an electronic template. As a result, the auditor will
receive the information in the requested format. The client can slot in the requested information and the auditor can
save time testing the mechanical accuracy of the schedule by reviewing the spreadsheet formulas. In any case, the
auditor should go over the PBC list in detail with the client to ensure that the client understands what information is
being requested.
Do Not Ask for Unneeded Information. The auditor should not be spending much (if any) time on insignificant
accounts. Therefore, the auditor should review the PBC list to make sure the client is not being asked to prepare
schedules for insignificant accounts or those that can be tested analytically. By eliminating the unnecessary
schedules, the client will have more time to focus on the schedules for the important areas.
Prioritize Requests for Information. One way to improve audit efficiency is for the auditor to work on the riskier, more
complex areas first. As a result, if the auditor identifies problems in the complex areas, the client has more time to
correct or research the problems. Efficiency can be improved because the auditor can work on other areas while
the client is correcting or researching the problems in the complex areas. To facilitate this approach, the auditor
should request that the client prepare the schedules for the more complicated areas first.
Stagger Due Dates for Requested Information. Ideally, the client should have all requested schedules prepared
when fieldwork begins. However, because there may be a tight deadline between year end and the due date of the
auditor's report, it may not be feasible for the client to have all information prepared before the beginning of
fieldwork. If this is the case, the auditor should be realistic when setting the due dates for requested information and
not ask for everything to be prepared at once. Information for the critical areas should be requested first.
Provide Adequate Notice. Although this seems obvious, many auditors are inefficient because they do not provide
the client with enough time to prepare for the audit before fieldwork begins. Early preparation of the PBC list is an
important step in the planning process and should not be a difficult task because the auditor generally spends time
in up front planning before fieldwork begins. The auditor should ask the client how much lead time is needed to
adequately prepare for the audit.
Work with the Client. In many cases, the auditor can use the client's existing internal reports to achieve the same
objectives as by using a schedule prepared solely for the audit. The auditor should work with the client to identify
reports or schedules already being prepared by client personnel before adding additional schedules to the client's
workload. However, if the auditor will spend time reworking the data to be in a useable format, the auditor should
attempt to get the client to do this task.
Return Incorrect Schedules to the Client. If the client provides the auditor with schedules that are prepared
incorrectly, the auditor should return them to the client for corrections. Staff auditors can spend many hours trying
to correct the schedules when the client may be able to obtain the correct information much more efficiently. If the
client does not have the time to revise the schedules, the auditor should discuss the resulting additional audit fees
with the client before the auditor incurs the additional time to correct the schedules.
Keep in Touch with the Client. Before the beginning of fieldwork, it is important for the auditor to keep in contact with
the client to determine whether the client will have the necessary schedules prepared before fieldwork begins. In
order to be effective, this communication requires more than a phone call the day before fieldwork begins to see if
the client is ready. Such communication should be made well enough in advance so that the auditor can resched
ule fieldwork if necessary. Many auditors use email to keep in contact with the client prior to fieldwork to check the
status of schedule preparation and to answer questions the client may have. If the client is preparing spreadsheets
for the auditor, email can be used to transfer the file to the auditor if the client has questions about how the schedule
should be prepared.

132

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
39. Which of the following is correct concerning the auditor's performance of substantive procedures?
a. Both substantive procedures and transaction testing should be begun prior to the statement of financial
position date for an audit of a nonprofit.
b. Testing of expenditure transactions can begin at an interim date that is convenient for the client entity.
c. A common fiscalyear cutoff can be established in situations where the nonprofit's funding sources have
different fiscal yearends.
d. Auditing literature specifically addresses changes in fiscal years for a nonprofit client entity.
40. Authoritative literature requires preparation of an estimate of the time necessary to perform an audit.
a. True
b. False

133

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
39. Which of the following is correct concerning the auditor's performance of substantive procedures? (Page 130)
a. Both substantive procedures and transaction testing should be begun prior to the statement of financial
position date for an audit of a nonprofit. [This answer is incorrect. Transaction testing is okay, but
performance of substantive procedures before the financial position date may not be appropriate.]
b. Testing of expenditure transactions can begin at an interim date that is convenient for the client
entity. [This answer is correct. Testing would be completed as part of yearend procedures.]
c. A common fiscalyear cutoff can be established in situations where the nonprofit's funding sources have
different fiscal yearends. [This answer is incorrect. The auditor will have to plan cutoff tests for each of the
fiscal periods involved.]
d. Auditing literature specifically addresses changes in fiscal years for a nonprofit client entity. [This answer
is incorrect. Accounting and auditing literature do not specifically address such changes.]
40. Authoritative literature requires preparation of an estimate of the time necessary to perform an audit. (Page 131)
a. True [This answer is not correct. A time budget is advisable, however.]
b. False [This answer is correct. Neither a time estimate nor documentation of actual time spent is
required.]

134

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

EXAMINATION FOR CPE CREDIT


Lesson 2 (NPOTG091)
Determine the best answer for each question below. Then mark your answer choice on the Examination for CPE
Credit Answer Sheet located in the back of this workbook.
17. In assessing risk to develop an overall audit strategy, auditors typically obtain an understanding of which of
these items first?
a. Risk assessment
b. Control environment
c. Monitoring
d. Control activities
18. Which of the following IT environments has the highest degree of internal control risk?
a. IT processing confined to a mainframe computer.
b. Central server hosting various clients with processing occurring both centrally and remotely.
c. Do not select this answer choice.
d. Do not select this answer choice.
19. Which of the following items is an important element of the control environment?
a. Vendor attitude
b. Customer goodwill
c. Financial partner structure
d. Organizational structure
20. A hierarchy of authority and responsibility, with appropriate communications and reporting lines, best exhibits
which control environment element?
a. Authority and responsibility
b. Human resource procedures
c. Management's operating style
d. Organizational structure
21. Which of the following items is included in SAS No. 109 risk assessment?
a. Inherent Risk
b. Objectives Risk
c. Control Risk
d. Detection Risk
135

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

22. The quality of risk assessment corresponds to the size of the organization.
a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.
23. Which of the following statements is correct concerning the communication aspect of Information and
Communication?
a. Oneway memos are not considered.
b. Upstream communication alternatives are a bad idea because they violate hierachy.
c. Communication is an internal process, independent of the size of the entity.
d. Upstream communication relies on management openness.
24. Which of the following statements is correct concerning monitoring?
a. The auditor's focus is on management failures to correct deficiencies.
b. Monitoring involves a prescribed set of activities, adjusted for entity size.
c. Monitoring controls can be weakened by nonprofit board turnover.
d. Monitoring is static process, occurring at set points in time.
25. SAS No. 65 relates to auditor inquiries concerning the internal audit function.
a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.
26. Helen is auditing a nonprofit organization. She is selecting significant transaction classes. She should be
focusing on those presenting a ___________________ possibility of material misstatement of financial
statements or disclosures.
a. Low
b. Medium
c. Medium
d. High
27. Control activities usually involve how many elements?
a. 2
b. 3
c. 4
d. 5
136

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

28. Where do control activities rank in terms of components of internal control for which the auditor should obtain
an understanding?
a. Second
b. Third
c. Fourth
d. Fifth
29. Which of the following statements is correct concerning planning materiality?
a. SAS No. 99 suggests factors to consider when selecting a materiality benchmark.
b. In practice, rules of thumb are used to establish planning materiality.
c. Using a single benchmark is impractical in planning.
d. A range is useful when making decisions about the scope of a test.
30. Which of the following is not one of the benchmarks mentioned in the text as being provided by the Audit Guide?
a. Total net assets
b. Total liabilities
c. Total revenues
d. Total expenses
31. According to the text, the implications of SAS No. 107 concerning tolerable misstatement are such that it equals
planning materiality minus the auditor's estimate of total known and likely misstatement.
a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.
32. Under OMB Circular A133, materiality of compliance findings should normally be considered in relation to
quantitative factors alone.
a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.
33. According to the text, what is the correct auditor response where management's attitude toward hiring
competent personnel is considered an overall risk?
a. Shift substantive procedures to year end.
137

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

b. Examine journal entries.


c. Increase the extent of inquiries related to fraud risk.
d. Increase unpredictability in audit procedures.
34. One of the key outcomes of identifying overall risk and developing an overall strategy is:
a. the determination of personnel resources necessary to complete the audit.
b. the determination of material resources necessary to complete the audit.
c. the determination of capital outlay necessary to complete the audit.
d. the determination of computer mainframe time necessary to complete the audit.
35. OMB Circular A133 requires a riskbased approach to determining major programs, describing a process with
how many steps?
a. 2
b. 3
c. 4
d. 5
36. Which is not one of the methods noted in the text to fraudulently misstate financial statements?
a. Intentional misapplication of GAAP
b. Intentional omission
c. Sham transactions
d. Recording error
37. Which of the following is correct concerning the auditor and fraud risk?
a. SAS No. 99 requires a separate, specific conclusion on the level of risk.
b. Substantive analytical procedures are sufficient to satisfy SAS No. 99 requirements.
c. SAS No. 99 adds a fourth element to the audit risk model.
d. SAS No. 99 requires documentation of fraudrelated material misstatement risk.
38. Which of the following is not one of the elements defined in the Yellow Book for further testing if the auditor finds
evidence of illegal acts?
a. Opportunity
b. Criteria
c. Cause
d. Effect
138

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

39. Most CPA firms develop an overall administrative audit program.


a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.
40. The acronym PBC" stands for prepared by client."
a. True
b. False
c. Do not select this answer choice.
d. Do not select this answer choice.

139

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

GLOSSARY
Audit Guide: AICPA Audit Guide, Government Auditing Standards and Circular A133 Audits, provides guidance on
performing Yellow Book audits and Single Audits.
Control Activities: Control activities are the policies and procedures that help ensure that management directives
are carried out.
Control Environment: The control environment is the foundation for all other components of internal control and
provides structure and discipline.
Information and Communication: Information refers to the financial reporting system; communication is the
process of providing an understanding of roles and responsibilities to individuals within the organization regarding
internal control over financial reporting.
Monitoring: Monitoring is a process by which an entity assess the quality of its internal control over time.
PBC: This is an acronym referring to schedules prepared by client" at the auditors request.
Risk Assessment Process: The risk assessment process involves performing procedures, obtaining an
understanding of various matters about the entity and its environment, and making decisions and judgments about
assessed risks and other matters based on the understanding.
SAS No. 54: Illegal Acts by Clients.
SAS No. 56: Analytical Procedures.
SAS No. 65: The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements.
SAS No. 99: Consideration of Fraud in a Financial Statement Audit.
SAS No. 103: Audit Documentation.
SAS No. 107: Audit Risk and Materiality in Conducting an Audit.
SAS No. 108: Planning and Supervision
SAS No. 109: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.
SAS No. 110: Performing Audit Procedures in Response to Audit Risks and Evaluating the Audit Evidence Obtained.
Yellow Book: Government Auditing Standards, issued by the Comptroller General of the United States, establishes
planning and other field work standards.
Yellow Book Audit: An audit performed in accordance with Government Auditing Standards.

140

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

INDEX
A

ADMINISTRATION OF THE AUDIT


 Controlling time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

ILLEGAL ACTS
 Other considerations for fraud, illegal acts,
noncompliance, and abuse
 GAAS requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
 Government auditing standards requirements . . . . . . . . . 124

ANALYTICAL PROCEDURES
 Preliminary analytical procedures
 Common ratios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
AUDIT PLANNING
 Fraud, responsibility for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 General planning considerations . . . . . . . . . . . . . . . . . . . . . . . .
 Single Audit materiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Time estimate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Timing of substantive tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

INTERIM TESTING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

118
130
107
131
130

MATERIALITY
 Determining planning materiality . . . . . . . . . . . . . . . . . . . . . . . .
 Benchmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Desirability of a single benchmark . . . . . . . . . . . . . . . . . . . .
 Quantifying planning materiality . . . . . . . . . . . . . . . . . . . . . .
 Selecting a percentage . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Relating materiality to accounts . . . . . . . . . . . . . . . . . . . . . . . . .
 Single Audit materiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AUDIT PROCEDURES
 Basic substantive audit procedures
 General program procedures . . . . . . . . . . . . . . . . . . . . . . . . 130
AUDIT STRATEGY
 Timing of the audit strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

AUDIT TIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

PLANNING DECISIONS AND JUDGMENTS See also AUDIT


PLANNING
 Assessing risks of material misstatement at the financial
statement level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107, 110
 Materiality for particular items of lesser amounts . . . . . . . . . . 103
 Timing of the audit strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
 Tolerable misstatements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
 Trivial Misstatements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

C
CHANGES IN AUDIT REQUIREMENTS
 Planning decisions and judgments . . . . . . . . . . . . . . . . . . . . . . 100
CLIENT ASSISTANCE
 Schedules prepared by the client . . . . . . . . . . . . . . . . . . . . . . .
 Do not ask for unneeded information . . . . . . . . . . . . . . . . .
 Keep in touch with the client . . . . . . . . . . . . . . . . . . . . . . . . .
 List everything needed . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Make sure the client understands what information
is being requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Prioritize requests for information . . . . . . . . . . . . . . . . . . . .
 Provide adequate notice . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Return incorrect schedules to the client . . . . . . . . . . . . . . .
 Stagger due dates for requested information . . . . . . . . . .
 Work with the client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

100
101
101
100
102
106
106
107

131
132
132
131

R
RISK
 Risk of material misstatement due to fraud . . . . . . . . . . . . . . . 118

132
132
132
132
132
132

RISK ASSESSMENT PROCEDURES


 Observation and inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
 Preliminary analytical procedures . . . . . . . . . . . . . . . . . . . . . . . . 21
 Sequence of audit planning from the risk assessment
perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
 The distinction among procedures, understanding, and
decisions and judgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
 Types of risk assessment procedures . . . . . . . . . . . . . . . . . . . . . 11

D
DOCUMENTATION
 Planning decisions and judgments . . . . . . . . . . . . . . . . . 107, 110
 Preparing the detailed audit plan . . . . . . . . . . . . . . . . . . . . . . . . . 40
 Understanding the entity and its environment . . . . . . . . . . . . . . 40

SINGLE AUDIT
 Materiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

EVALUATION OF AUDIT RESULTS


 Materiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

STATEMENTS ON AUDITING STANDARDS SAS


 SAS No. 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
 SAS No. 31 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
 SAS No. 47 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106, 120
 SAS No. 99 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118, 130

F
FRAUD
 Auditor's responsibility for fraud detection . . . . . . . . . . . . . . . . 120
 Immaterial misstatements . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
 Fraud risk assessment
 Fraud risk factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
 Inquiries of management and others . . . . . . . . . . . . . . . . . . 16
 Required procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
 Types of misstatements caused by fraud . . . . . . . . . . . . . . . . . 118
 Fraudulent financial reporting . . . . . . . . . . . . . . . . . . . . . . . . 119
 Misappropriation of assets . . . . . . . . . . . . . . . . . . . . . . . . . . 120

T
TOLERABLE MISSTATEMENT
 Relating to accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

U
UNDERSTANDING ABOUT THE ENTITY AND ITS
ENVIRONMENT
 Components of the understanding . . . . . . . . . . . . . . . . . . . . . . .
 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Fraud risk factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Industry, regulatory, and other external factors . . . . . . . . . . . . .
 Measurement and review of the entity's financial
performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

G
GAO GOVERNMENT AUDITING STANDARDS
 Requirements for fraud, illegal acts, noncompliance,
and abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

141

40
40
48
41
45

Companion to PPC's Guide to Audits of Nonprofit Organizations


 Nature of the entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
 Objectives, strategies, and related business risks . . . . . . . . . . 44
 Selection and application of accounting policies . . . . . . . . . . . 46
UNDERSTANDING OF THE CLIENT
 Determining planning materiality
 Desirability of benchmark . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
 Quantifying planning materiality . . . . . . . . . . . . . . . . . . . . . . 100
 Recommended benchmark . . . . . . . . . . . . . . . . . . . . . . . . . 101

142

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

COMPANION TO PPC'S GUIDE TO AUDITS OF NONPROFIT ORGANIZATIONS

COURSE 2
SUBSTANTIVE PROCEDURES AND SAMPLING (NPOTG092)
OVERVIEW
COURSE DESCRIPTION:

This interactive selfstudy course covers the basics of performing substantive


procedures and audit sampling procedures in an audit of a nonprofit organization.
Lesson 1 discusses various aspects of substantive procedures, such as when they
are required, designing them, performing them at an interim date, and fraud risks.
Lesson 2 goes into more detail on audit sampling, including basic requirements and
using sampling for substantive procedures, tests of details, and tests of controls.

PUBLICATION/REVISION
DATE:

February 2009

RECOMMENDED FOR:

Users of PPC's Guide to Audits of Nonprofit Organizations

PREREQUISITE/ADVANCE
PREPARATION:

Basic knowledge of auditing.

CPE CREDIT:

8 QAS Hours, 8 Registry Hours


Check with the state board of accountancy in the state in which you are licensed to
determine if they participate in the QAS program and allow QAS CPE credit hours.
This course is based on one CPE credit for each 50 minutes of study time in
accordance with standards issued by NASBA. Note that some states require
100minute contact hours for self study. You may also visit the NASBA website at
www.nasba.org for a listing of states that accept QAS hours.

FIELD OF STUDY:

Auditing

EXPIRATION DATE:

Postmark by March 31, 2010

KNOWLEDGE LEVEL:

Basic

Learning Objectives:
Lesson 1 Substantive Procedures
Completion of this lesson will enable you to:
 Identify the substantive procedures required for every audit and determine when additional substantive
procedures might be necessary.
 Design substantive analytical procedures including specialized considerations for nonprofit organizations.
 Assess other issues related to substantive procedures, such as responding to fraud risks.
 Describe interim audit procedures and related issues.
Lesson 2 Audit Sampling in a Nonprofit Organization Audit Engagement
Completion of this lesson will enable you to:
 Describe the authoritative literature and general considerations related to sampling in an audit engagement.
 Plan the extent of substantive procedures needed for an audit.
 Summarize the requirements of substantive samples.
 Describe sampling for substantive tests of details.
 Assess tests of controls that use audit sampling, and assess tests of compliance with laws and regulations.

143

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

TO COMPLETE THIS LEARNING PROCESS:


Send your completed Examination for CPE Credit Answer Sheet, Course Evaluation, and payment to:
Thomson Reuters
Tax & Accounting R&G
NPOTG092 Selfstudy CPE
P.O. Box 966
Fort Worth, TX 76101
See the test instructions included with the course materials for more information.
ADMINISTRATIVE POLICIES:
For information regarding refunds and complaint resolutions, dial (800) 3238724 for Customer Service and your
questions or concerns will be promptly addressed.

144

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Lesson 1:SUBSTANTIVE PROCEDURES


INTRODUCTION
Further audit procedures performed for the purpose of detecting material misstatements at the relevant assertion
level are referred to as substantive procedures. For each relevant assertion within an account balance, class of
transactions, or disclosure, the auditor needs to determine the nature, timing, and extent of substantive procedures
necessary to obtain sufficient, appropriate audit evidence to express an opinion on the financial statements.
Substantive procedures consist of tests of details and substantive analytical procedures. Tests of details and
substantive analytical procedures are discussed in this course.
Learning Objectives:
Completion of this lesson will enable you to:
 Identify the substantive procedures required for every audit and determine when additional substantive
procedures might be necessary.
 Design substantive analytical procedures including specialized considerations for nonprofit organizations.
 Assess other issues related to substantive procedures, such as responding to fraud risks.
 Describe interim audit procedures and related issues.
Authoritative Literature
The authoritative pronouncements establishing requirements that most directly affect designing substantive proce
dures are as follows:
a. SAS No. 56 (AU 329), Analytical Procedures, explains the use of analytical procedures as substantive tests
to obtain sufficient appropriate audit evidence.
b. SAS No. 99 (AU 316), Consideration of Fraud in a Financial Statement Audit, requires the auditor to identify
and assess risks of material misstatement due to fraud, and to design the audit to provide reasonable
assurance of detecting fraud that results in the financial statements being materially misstated.
c. SAS No. 103 (AU 339), Audit Documentation, requires the auditor to document the work performed, the
audit evidence obtained and its source, and the conclusions reached. In addition, it establishes other
documentation requirements that need to be considered when designing audit programs and substantive
procedures.
d. SAS No. 106 (AU 326), Audit Evidence, describes audit procedures used to obtain audit evidence.
e. SAS No. 110 (AU 318), Performing Audit Procedures in Response to Assessed Risks and Evaluating the
Audit Evidence Obtained, addresses audit procedures that are responsive to risks at the relevant assertion
level.

SUBSTANTIVE PROCEDURES THAT ARE REQUIRED FOR EVERY AUDIT


Because of the judgmental nature of the auditor's risk assessments and the inherent limitations of internal control,
particularly the risk of management override, the auditing standards prescribe certain substantive procedures that
should be performed in every audit. The additional substantive procedures that are needed in particular circum
stances depend on the auditor's judgment about the sufficiency and appropriateness of audit evidence in the
circumstances.
Material Account Balance, Transaction Class, or Disclosure
Risk assessment procedures and tests of controls contribute to the formation of the auditor's opinion, but do not by
themselves provide sufficient, appropriate audit evidence. According to SAS No. 110 (AU 318.51), regardless of
the assessed risk of material misstatement, the auditor should design and perform substantive procedures for all
145

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

relevant assertions related to each material class of transactions, account balance, and disclosure." The reasons
for this requirement are as follows:
 The auditor's assessment of risk is judgmental and might not be sufficiently precise to identify all risks of
material misstatement.
 There are inherent limitations to internal control, including management override, and even effective
internal controls generally reduce but do not eliminate, the risk of material misstatement.
In other words, even if the auditor concludes that the risk of material misstatement is low for a particular assertion
related to a material account balance, transaction class, or disclosure based on performing risk assessment
procedures and tests of controls, some substantive procedures are still required.
Financial Statement Reporting System. SAS No. 110 (AU 318.52) requires that the auditor perform the following
substantive procedures in every audit:
 Agree the financial statements, including the accompanying notes, to the underlying accounting records.
 Examine material journal entries and other adjustments made during the course of preparing the financial
statements.
Those requirements are related to the financial reporting process.
SAS No. 99 also requires certain substantive procedures in all audits to address the risk of management override
of controls. These required procedures are as follows:
 Examining journal entries and other adjustments for evidence of possible material misstatement due to
fraud (AU 316.58.62).
 Reviewing accounting estimates for biases that could result in material misstatement due to fraud (AU
316.63.65).
 Evaluating the business rationale for significant unusual transactions (AU 316.66).
Both SAS No. 110 and No. 99 require examining journal entries and other adjustments, but the requirement of SAS
No. 99 is focused on identifying fraudulent journal entries. As discussed in paragraph 6.69 of the AICPA Audit
Guide, Assessing and Responding to Audit Risk in a Financial Statement Audit (Audit Risk Audit Guide), the nature,
timing, and extent of procedures required by SAS No. 99 are different from those required by SAS No. 110. SAS No.
110 focuses on journal entries made during the course of preparing the financial statements and SAS No. 99
requires the auditor to consider reviewing journal entries made throughout the year. This distinction is also
emphasized in a nonauthoritative AICPA Technical Practice Aid, Examining Journal Entries (TIS 8200.16). Auditors
should ensure that their audit procedures satisfy both requirements.
Significant Risks. Significant risks are risks that require special audit attention. When the audit approach to
significant risks consists only of substantive procedures (that is, the auditor does not plan to rely on controls), the
substantive procedures should be tests of details only or a combination of tests of details and substantive analytical
procedures. The use of only substantive analytical procedures is not permitted. (AU 318.54)
Other Required Audit Procedures. There are also other SASs that impose presumptively mandatory require
ments for substantive procedures for particular account balances (for example, confirmation of accounts receivable
and other specific requirements to perform procedures, typically called general procedures, that do not relate to
particular account balances, such as sending a letter of audit inquiry to the client's lawyer and reading minutes of
meetings of the governing board.)

146

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

WHEN TO CHOOSE SUBSTANTIVE PROCEDURES


Considering the Sufficiency and Appropriateness of Audit Evidence
The additional substantive procedures that are needed in particular circumstances depend on the auditor's
judgment about the sufficiency and appropriateness of audit evidence in the circumstances. Therefore, the auditor
should consider the sufficiency and appropriateness of audit evidence to be obtained when assessing risks and
designing further audit procedures. SAS No. 106 (AU 326.06) describes these characteristics of audit evidence as
follows:
 Sufficiency is the measure of the quantity of audit evidence.
 Appropriateness is the measure of the quality of audit evidence, that is, its relevance and its reliability in
providing support for, or detecting misstatements in, the classes of transactions, account balances, and
disclosures and related assertions.
The quantity and quality of audit evidence needed are interrelated and are dependent on the risk of material
misstatement.
The auditor performs risk assessment procedures to obtain an understanding of the entity and its environment,
including its internal control, to assess the risks of material misstatement. This assessment includes consideration
of the effectiveness of management's responses and controls to address risks. The auditor evaluates the quality
and quantity of the evidence obtained from the risk assessment procedures and, if applicable, tests of controls to
determine the further audit procedures necessary to obtain sufficient, appropriate evidence to afford a reasonable
basis for an opinion of the financial statements under audit.
An important quality of audit evidence is its reliability, which is affected by both the nature and source of the
evidence. SAS No. 106 (AU 326.08) provides the following generalizations about the reliability of audit evidence:
a. Audit evidence is more reliable when it is obtained from knowledgeable independent sources outside the
entity.
b. Audit evidence that is generated internally is more reliable when the related controls imposed by the entity
are effective.
c. Audit evidence obtained directly by the auditor (for example, observation of the application of a control)
is more reliable than audit evidence obtained indirectly or by inference (for example, inquiry about the
application of a control).
d. Audit evidence is more reliable when it exists in documentary form, whether paper, electronic, or other
medium. For example, a contemporaneously written record of a meeting is more reliable than a subsequent
oral representation of the matters discussed.
e. Audit evidence provided by original documents is more reliable than audit evidence provided by
photocopies or faxes.
Authoritative literature views audit evidence as being obtained from a variety of sources, including the auditor's
assessment of risk. SAS No. 106 (AU 326.02) defines audit evidence as all the information used by the auditor in
arriving at the conclusions on which the audit opinion is based and includes the information contained in the
accounting records underlying the financial statements and other information." Audit evidence includes evidence
obtained from procedures performed during the current audit as well as previous audits. Use of audit evidence from
previous audits is discussed later in this course, but one common form of such evidence is experience gained in
previous audits with respect to potential misstatements. Misstatements detected in previous audits are an impor
tant indicator of likely misstatements in the current audit. Generally, however, previous misstatements are a more
reliable indicator of error than fraud.
SAS No. 106, on audit evidence, notes that audit evidence includes the information contained in the accounting
records underlying the financial statements and other information. SAS No. 109 (AU 314.90) observes that control
activities relevant to the audit include reconciliation of the general ledger to the detailed records" and state that
147

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

the auditor should obtain an understanding of the process of reconciling detail to the general ledger for significant
accounts." Further agreeing the financial statements to the underlying accounting records is now a required
procedure in every audit. Thus, without adequate attention to the propriety and accuracy of underlying accounting
data, an opinion on the financial statements is not warranted.
Nature, Timing, and Extent of Substantive Procedures
As the residual risk of material misstatement increases, the quantity and quality of necessary audit evidence from
substantive procedures should increase. SAS No. 110 (AU 318.12) states that the higher the auditor's assessment
of risk, the more reliable and relevant is the audit evidence sought by the auditor from substantive procedures. This
may affect both the types of audit procedures to be performed and their combination."
Generally, the auditor will have decided whether audit procedures will be performed at an interim date or at period
end as part of establishing the overall audit strategy. Therefore, in designing further audit procedures, the focus will
be on the nature and extent of substantive procedures rather than their timing. SAS No. 110 (AU 318.07) states that
the nature of audit procedures is of most importance in responding to the assessed risks." SAS No. 110 (AU
318.19) explains that increasing the extent of an audit procedure is effective only if the audit procedure itself is
relevant to the specific risk and reliable; therefore, the nature of the audit procedure is the most important
consideration."
Selecting Appropriate Substantive Procedures
The selection of specific substantive procedures needed to respond to the risk assessment is a matter of auditor
judgment. This involves consideration of all the relevant factors, including the following:
 Characteristics of the related account (or transaction class).
 Financial statement assertion(s) being tested.
 Nature of risks identified.
 Degree of the risk involved.
 Type and persuasiveness of the available audit evidence.
 Efficiency and effectiveness of the substantive procedures.
Considering the Account Being Tested. Some types of accounts lend themselves better to particular procedures.
For example, some accounts, such as receivables, can generally be tested by applying procedures to balances.
Other accounts, such as property accounts, are often tested most effectively by examining transactions during the
period. As another example, many types of accrued liabilities are based on financial relationships that can be
effectively tested through properly designed analytical procedures.
Considering the Financial Statement Assertion. Similarly, the financial statement assertion being tested can also
significantly affect the choice of procedures. For example, tests of existence are generally aimed at examining the
items comprising the account balance. Tests of completeness often involve (a) performing predictive tests of
account balances or (b) identifying items that should be included in the account and determining whether they are
included. Tests of valuation normally relate to assessing the reasonableness of computed or estimated amounts.
The financial statement assertion being considered can also provide indications of the types of misstatements that
might occur in the financial statements. For example, misstatements of the existence assertion result in overstate
ment of the account balance, and misstatements of the completeness assertion result in understatement.
Considering the Nature of Risks Identified. The auditor needs to document specific risks relating to each
significant audit area and related assertion, including fraud risks and other significant risks. Sometimes, the
identified risk will suggest the appropriate further audit procedures needed. For example, if the risk for receivables
is that sales cutoff errors are likely to occur, the auditor may simply choose to apply more procedures to test sales
cutoff. However, in other cases, the appropriate procedure may be less clear. In those cases, the auditor should
148

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

consider the risks in terms of the types or direction and causes of potential misstatements to decide what steps may
be appropriate.
Determining the type, or direction, of misstatement can help the auditor determine the direction of the testing
procedures. To illustrate this process, consider how types of misstatement could affect the testing of supply
inventory quantities. If the auditor is concerned about understatement of supply inventory quantities, the focus
should be on tracing from external documents (purchase records, physical inventory counts, etc.) to the inventory
records and testing to assure that all supplies were counted. On the other hand, if the auditor is concerned about
overstatement of quantities, the focus would be on (a) vouching recorded quantities to physical count sheets or
other relevant documentation, (b) testing to assure that inventory counts were not duplicated, and (c) determining
whether items in transit were recorded in the proper period.
The auditor should also consider whether the likely cause of misstatements will tend to result in understatement or
overstatement of the account balance and design procedures accordingly. Consideration of the cause of misstate
ments becomes especially important if the auditor believes there is a significant risk of material misstatement due
to fraud. In that case, the auditor should carefully consider how fraud might result in misstatement of the financial
statements and then design appropriate procedures to detect those misstatements.
Considering the Degree of Risk. The auditor also needs to document the assessment of the risk of material
misstatement for each significant audit area or assertion. Generally, the higher the risk, the greater the degree of
assurance needed from substantive procedures. Even without testing controls, the degree of assurance can be
increased through one or more of the following means:
 Nature. The auditor can change the nature of the procedures. This normally involves adding more
procedures or choosing more persuasive procedures; that is, using more precise procedures, performing
more independent verifications, etc. (As indicated previously, generally the nature of procedures is the
most important consideration.)
 Extent. The auditor can increase the extent of testing. This can be done by testing more items or changing
the design of the test to focus on more items that are prone to misstatement. Lesson 2 discusses extent
of tests.
 Timing. The auditor can change the timing of the procedures to do more work as of year end.
Because audit programs deal primarily with the nature of procedures, an auditor's first response to a high risk of
material misstatement will normally be to consider adding more procedures. Before doing so, the auditor should
consider whether he or she is performing the most effective or the correct procedures. Then, the auditor should
consider whether changing the extent or timing of the procedures might be as effective as, and more efficient than,
adding more audit procedures. If the auditor responds to a high risk of material misstatement by altering the extent
or timing of the procedures, he or she can document that response as a comment next to the documented
assessment of risk.
Considering the Available Evidence. When planning the audit, the auditor should consider the audit evidence
needed and the evidence available. The evidence sought should be commensurate with the assessed level of risk.
Generally, the higher the assessed risk of material misstatement for an area or assertion, the more reliable the
evidence needs to be. The reliability of audit evidence was discussed previously in this lesson.
Considering the Effectiveness and Efficiency of Substantive Procedures. As previously noted, the auditor
should consider the degree of assurance needed from substantive procedures and select procedures that are
sufficiently effective. To be costeffective, the auditor should also consider the efficiency of the substantive proce
dures.
Substantive procedures include tests of details and substantive analytical procedures. Therefore, designing the
nature of substantive procedures involves deciding between the two. In some cases, substantive procedures might
be limited to substantive analytical procedures. Substantive analytical procedures alone are more likely to be
appropriate in the following circumstances:
 The risks of material misstatement, including particular risks due to fraud, are relatively low.
149

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 The account balance, transaction class, or disclosure relates to large volumes of transactions that tend to
be predictable over time.
 The account balance, transaction class, or disclosure is not affected by a significant degree of subjectivity.
A more detailed discussion of choosing between analytical procedures and tests of details is presented below.
Choosing between Analytical Procedures and Substantive Tests of Details
The authoritative literature does not explain how to apportion reliance on substantive procedures between tests of
details and analytical procedures except when testing significant risks. Analytical procedures may be used to
reinforce conclusions based on the results of other substantive procedures or as the sole source of evidence. That
decision is primarily based on the effectiveness of the procedures. Efficiency also may be a factor in deciding
between analytical procedures and substantive tests of details. That is, given two procedures of equal effective
ness, the auditor chooses the one that is most efficient. Therefore, the auditor would ordinarily use an analytical
procedure rather than a test of details if the analytical procedure is at least as effective in reducing detection risk to
the desired level as the test of details and is easier to apply.
Generally, the higher the assessed risk of material misstatement, the more effective analytical procedures need to
be before they can be relied on instead of tests of details. Accordingly, auditors tend to use tests of details more
extensively in high risk audit areas (such as areas containing fraud risks or other significant risks) and analytical
procedures more often in low risk areas or as secondary rather than primary auditing procedures. However, if the
auditor has highly effective analytical procedures, it may be possible to reduce the extent of detail testing needed
even in areas where significant risks exist. The effectiveness of analytical procedures in reducing detection risk in
comparison with the effectiveness of tests of details generally depends on the facts and circumstances. However,
the following are some general observations:
a. Analytical procedures are generally not effective in testing assertions about rights or obligations or
assertions related to presentation and disclosure because those assertions do not lend themselves to
testing through comparisons with expectations. Therefore, analytical procedures would not be effective
responses for risks related to matters such as parties to transactions lacking in economic substance or
intentional ambiguity in financial statement disclosures.
b. Relationships involving transactions over a period of time (that is, statement of activities accounts) tend to
be more predictable than relationships at a point in time (that is, statement of financial position accounts).
Because of the difficulty in developing expectations about a balance at a point in time with sufficient
precision, analytical procedures are often not as effective as tests of details for assertions about the
existence of assets and liabilities. Therefore, analytical procedures would not be as effective as tests of
details when responding to risks such as recording false receivables.
c. Analytical procedures are often equally or more effective than tests of details for assertions about the
completeness of assets, liabilities, revenues, and expenses. When testing for completeness, misstate
ments would often not be apparent from inspecting detailed evidence in the accounting records.
d. Analytical procedures are often equally or more effective than tests of details for assertions about the
occurrence of revenues. For example, comparing recorded service fee revenue with the amount expected,
based on a reliable record of units of service and average fees, may be as likely to detect a material
misstatement of assertions about the occurrence of revenues as inspecting supporting documentation.
Analytical procedures are more reliable if they are based on reliable data produced outside the accounting
system (for example, operating data used to manage the entity).
e. Analytical procedures are often equally or more effective than tests of details for assertions about the
occurrence of certain expenses. For example, comparing recorded labor costs with the amount expected,
based on the number of people required for the volume of activity during the year, may be as likely to detect
a material misstatement resulting from errors as looking at supporting documentation for a sample of
recorded compensation expense. However, if fraud is a concern, analytical procedures may not be
effective. For example, if management is able to manipulate expense accounts so that ratios appear
150

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

reasonable, ratio analysis would not be an effective analytical procedure for detecting material
misstatements.
f. Analytical procedures may be as effective as tests of details for assertions about the valuation of some
assets and liabilities but not for others. Generally, whether an analytical procedure is as effective as a test
of details for a valuation assertion depends on whether an expectation can be developed.
g. Substantive tests of details may be more effective for valuation assertions in an unstable environment. The
ability to develop an expectation that approximates the recorded amount is greater when the environment
is stable. For example, when interest rates are fluctuating widely, it is difficult to develop a precise
expectation about interest expense. Similarly, when transactions involve management discretion, such as
the choice of repairing versus replacing existing assets, there is also less predictability in expected
relationships.

151

Companion to PPC's Guide to Audits of Nonprofit Organizations

152

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
1. To satisfy the requirements of SAS No. 110 and SAS No. 99, Michael must examine journal entries and other
adjustments during the course of his audit. Which of the following best illustrates how he should perform these
substantive procedures?
a. Michael can satisfy both SASs with one examination of journal entries and other adjustments focusing on
the same area.
b. To satisfy the requirements of SAS No. 110, Michael must examine journal entries performed during
financial statement preparation, and the requirements of SAS No. 99 include the examination of journal
entries made all year.
c. Michael is prohibited from using only substantive analytical procedures to satisfy these requirements, so
he must also perform tests of details.
2. Which of the following would be considered a general procedure?
a. Agreeing financial statements to underlying accounting records.
b. Evaluating business rationale for significant unusual transactions.
c. Sending a letter of audit inquiry to the client's lawyer.
d. Confirming accounts receivable.
3. Based on the guidance in SAS No. 106, which of the following sources of audit evidence is the most reliable?
a. Audit evidence obtained from sources within the entity.
b. Audit evidence generated under effective controls.
c. Audit evidence obtained indirectly.
d. Audit evidence provided by photocopies or faxes.
4. Margaret discovers information that increases the risk of material misstatement during her audit. To
compensate, she decides to change the nature of her substantive procedures. Which of the following actions
allows Margaret to change the nature of her substantive procedures?
a. She adds more procedures and chooses more persuasive procedures.
b. She tests more items and changes test design to focus more on items prone to misstatement.
c. She does more work at the balancesheet date than originally planned.
d. She designs procedures to detect material misstatement due to fraud.
5. Under which circumstances could substantive analytical procedures be used instead of tests of details?
a. Bob needs to test the completeness of assets to detect any material misappropriation of cash sales
receipts.
b. George needs to develop a plan for dealing with ambiguity in Clark, Jacobs, & Millhouse's financial
statement disclosures.
c. Fred needs to test the existence of assets and liabilities on HarrisonTaylor's statement of financial position
accounts for information on relationships of transactions at a moment in time.
d. Joe needs to test Sew Time's labor costs as related to its employees, but has reason to believe
management could manipulate the expense accounts.
153

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
1. To satisfy the requirements of SAS No. 110 and SAS No. 99, Michael must examine journal entries and other
adjustments during the course of his audit. Which of the following best illustrates how he should perform these
substantive procedures? (Page 146)
a. Michael can satisfy both SASs with one examination of journal entries and other adjustments focusing on
the same area. [This answer is incorrect. Michael cannot satisfy the requirements of both SASs by focusing
his examination of the journal entries on one area. He will have to do more.]
b. To satisfy the requirements of SAS No. 110, Michael must examine journal entries performed during
financial statement preparation, and the requirements of SAS No. 99 include the examination of
journal entries made all year. [This answer is correct. SAS No. 99 focuses on finding fraudulent
journal entries, and SAS No. 110 is focused on the financial reporting process. Even though both
SASs require the same action (examining journal entries and other adjustments), that action must
be performed over different time periods to satisfy their individual requirements.]
c. Michael is prohibited from using only substantive analytical procedures to satisfy these requirements, so
he must also perform tests of details. [This answer is incorrect. This would be true of Michael were dealing
with significant risks (risks requiring special audit attention). It is not applicable to the situation in this
scenario.]
2. Which of the following would be considered a general procedure? (Page 146)
a. Agreeing financial statements to underlying accounting records. [This answer is incorrect. This
requirement of SAS No. 110 is related to the financial reporting process.]
b. Evaluating business rationale for significant unusual transactions. [This answer is incorrect. This
requirement of SAS No. 99 relates to the risk of management override of controls.]
c. Sending a letter of audit inquiry to the client's lawyer. [This answer is correct. Such general
procedures do not relate to specific account balances. Another example would be reading the
minutes of meetings of directors.]
d. Confirming accounts receivable. [This answer is incorrect. This is another required audit procedure that
relates to a particular account balance (required by SAS No. 67).]
3. Based on the guidance in SAS No. 106, which of the following sources of audit evidence is the most reliable?
(Page 147)
a. Audit evidence obtained from sources within the entity. [This answer is incorrect. Such evidence would be
more reliable if it were obtained from a knowledgeable independent source outside of the entity being
audited.]
b. Audit evidence generated under effective controls. [This answer is correct. If controls related to the
evidence that are imposed by the entity are effective, the internally generated audit evidence would
be considered more reliable.]
c. Audit evidence obtained indirectly. [This answer is incorrect. Evidence that the auditor obtains himself (or
herself) would be more reliable than evidence obtained by inference or indirectly.]
d. Audit evidence provided by photocopies or faxes. [This answer is incorrect. Audit evidence that is
documented (on paper, electronically, etc.) is more reliable than oral reports, and that provided by original
documents is considered more reliable than photocopies or faxes.]
154

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

4. Margaret discovers information that increases the risk of material misstatement during her audit. To
compensate, she decides to change the nature of her substantive procedures. Which of the following actions
allows Margaret to change the nature of her substantive procedures? (Page 149)
a. She adds more procedures and chooses more persuasive procedures. [This answer is correct. By
doing this, Margaret has changed the nature of her substantive procedures. Usually, the nature of
the procedures is the auditor's most important consideration. More persuasive procedures entail
performing more precise procedures (such as, more independent verifications).]
b. She tests more items and changes test design to focus more on items prone to misstatement. [This answer
is incorrect. If Margaret makes this change, she has changed the extent, not the nature, of her substantive
procedures.]
c. She does more work at the balancesheet date than originally planned. [This answer is incorrect. If
Margaret wanted to change the timing of her procedures instead of their nature, she could make this
change.]
d. She designs procedures to detect material misstatement due to fraud. [This answer is incorrect. If the
information Margaret discovered had to do with significant risk of material misstatement due to fraud (one
of the three causes of misstatement), this might be the focus of her changes; however, that might not be
the case in this scenario.]
5. Under which circumstances could substantive analytical procedures be used instead of tests of details?
(Page 150)
a. Bob needs to test the completeness of assets to detect any material misappropriation of cash sales
receipts. [This answer is correct. Analytical procedures can be equally or more effective than tests
of details for an auditor who must make an assertion about the completeness of assets, liabilities,
revenues, and expenses, as Bob must do in this scenario.]
b. George needs to develop a plan for dealing with ambiguity in Clark, Jacobs, & Millhouse's financial
statement disclosures. [This answer is incorrect. Generally, assertions related to presentation or
disclosure, rights, or obligations do not lend themselves to testing through comparisons with expectations;
therefore, analytical procedures would not be as effective of a response for risks such as the one George
has encountered in this scenario.]
c. Fred needs to test the existence of assets and liabilities on HarrisonTaylor's statement of financial position
accounts for information on relationships of transactions at a moment in time. [This answer is incorrect.
Analytical procedures would not be most effective at testing assets and liabilities in this scenario because
of the difficulty Fred would have developing the expectation of a balance at a point in time with sufficient
precision. Instead, Fred should use tests of details.]
d. Joe needs to test Sew Time's labor costs as related to its employees, but has reason to believe
management could manipulate the expense accounts. [This answer is incorrect. If management can
manipulate Sew Time's expense accounts, ratio analysis would not be an effective analytical procedure
for Joe to use in this scenario. Because fraud is involved, he should use tests of details.]

155

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

TESTS OF DETAILS REQUIREMENTS


Tests of details may be applied to transactions or to balances. Those tests can be described as follows:
a. Tests of Transactions. These are tests of the processing of individual transactions by inspection of the
documents and accounting records involved in processing (e.g., inspecting support documents for a cash
disbursement).
b. Tests of Balances. These are tests applied directly to the details of balances in general ledger accounts
(e.g., confirming an investment in securities with the custodian).
Tests of transactions and tests of balances are related because each class of transactions affects a related account
balance. For example, purchase transactions affect the accounts payable balance. An auditor may test the
transactions that enter an account balance, the individual items included in the ending balance, or both. Generally,
tests of balances are more efficient and effective than tests of transactions because transaction tests are applied to
individual transactions and may be more timeconsuming than direct tests of a balance that results from many
transactions. However, in the audit of a nonprofit organization, transaction testing is relatively more common than
it is for a business enterprise of comparable size. Substantive tests of expense transactions may be necessary
because of the use of complex coding and classification systems to identify costs by object, program, budget
category, etc. The audit approach to revenue transactions is more varied. Service fee revenue is often susceptible
to analytical testing or confirmation of billing. However, when classification of revenue by donor restrictions is
important, substantive tests of transactions may be an effective approach.
Confusion about Tests of Details of Transactions
Inspection of documents and accounting records may be involved in both tests of controls directed toward
operating effectiveness (if controls leave a documentary trail) and tests of details of transactions. For this reason,
some auditors have equated tests of details of transactions and tests of controls. The difference is in the objective
of the test. The mere fact that a transaction or balance is being tested does not make the test a test of controls. For
example, the inspection of invoices in support of additions to property, plant, and equipment is a substantive
procedure. The objective of the test is to substantiate the balance by testing the transactions, i.e., the additions. The
same principle applies to other types of transactions or balances. For example, individual revenue transactions
may be tested to substantiate total revenue without being concerned with the effectiveness of control policies and
procedure for processing revenue transactions. It is the objective of the test and not whether it is applied to a class
of transactions or a balance that determines whether the test is a test of controls or a substantive procedure.
Substantive procedures, including tests of details, are normally applied after the auditor has obtained an under
standing of internal control, but substantive tests of details in the current period may contribute to the auditor's
understanding in subsequent periods. Tests of details can be performed concurrently with tests of controls.
Required Documentation
For substantive tests of details involving inspection of documents or confirmation, SAS No. 103, Audit Documenta
tion, requires documentation to include identifying characteristics of the items tested. The authors believe items
tested can be identified by listing the items; by including a detail schedule in the workpapers, on which the items
are identified; or by documenting in the workpapers the source and selection criteria. For example:
 For tests of significant items, documentation may describe the auditor's scope and the source of the items
(for example, all cash disbursements greater than $5,000 from the January to March cash disbursements
journal).
 For haphazard or random samples, documentation may identify items by their dates and specific
document numbers, check numbers, etc.
 For systematic samples, documentation may indicate the source, starting point, and sampling interval (for
example, a selection of checks from the cash disbursements journal for the period 1/1/X2 to 12/31/X2,
starting with check number 2150 and selecting every 100th check thereafter).
In some cases, more than one file of the same documents may be maintained in different locations. The auditor
should document who maintains the file from which items were selected and where it is maintained.
156

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

SUBSTANTIVE ANALYTICAL PROCEDURES


Types and Purposes of Analytical Procedures
What Are Analytical Procedures? Analytical procedures are evaluations of financial information made by a study
and comparison of plausible relationships among both financial and nonfinancial data. Analytical procedures
include trend analysis, ratio analysis, and predictive or reasonableness tests. Using analytical procedures generally
involves:
a. developing an expectation of what an account balance should be,
b. comparing the expected amount with the recorded amount,
c. determining whether any difference between the recorded and expected amount is significant,
d. investigating the cause of any unexpected significant difference,
e. evaluating the likelihood of material misstatement, and
f. documenting the analytical procedures.
As indicated by items a. and b., analytical procedures should involve comparisons of recorded amounts, or ratios
of recorded amounts, to expectations developed by the auditor. These expectations can be developed from a
variety of sources of financial and nonfinancial information, but the most important aspect of developing expecta
tions is having a thorough knowledge and understanding of the client and its industry and the risks the client faces
in doing business.
Analytical procedures include trend analysis, ratio analysis, and predictive or reasonableness tests. Analytical
procedures may consist of simple comparisons or complex models. For example, the following are analytical
procedures
a. Comparison of an account balance with the balance of the prior period or with a budgeted amount.
b. Computation of the ratio of one financial statement account balance to the balance in another account that
would be expected to have a predictable relationship to each other, such as computation of the ratio of
interest expense to debt and comparison of the resulting ratio to the known interest rate on that debt.
c. Estimation of investment income by considering the amount invested and the average earnings rate.
Most explanations of analytical procedures focus on the steps involved in comparing the recorded amount to the
expectation, but best practices think of analytical procedures as a coordinated family of procedures that include
scanning and inquiry as well as computations and comparisons.
Purposes of Analytical Procedures. SAS No. 56 identifies the following three categories of analytical procedures
based on the purpose of the procedures:
 Preliminary (Planning) Analytical Procedures. Used to enhance the auditor's understanding of the client's
business and assist in assessing areas of specific risk of misstatement by identifying unexpected
relationships among account balances or the absence of expected relationships.
 Substantive Analytical Procedures. Used to obtain audit evidence about potential misstatements.
 Overall Review Analytical Procedures. Used in the final review stage of the audit.
Both preliminary and overall review analytical procedures are required in an audit of financial statements, but use
of substantive analytical procedures is discretionary. Preliminary analytical procedures are an important step in
audit planning. Overall review analytical procedures are part of the final review of the financial statements to assure
157

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

that the numbers make sense. This final step in the audit is made to be sure the auditor has obtained a sufficient
understanding of the financial statements during the audit. Substantive analytical procedures are explained below.
What Distinguishes Substantive Analytical Procedures? The purpose of the analytical procedures and the level
of assurance desired are what distinguish substantive analytical procedures from preliminary and overall review
analytical procedures. No particular types of analytical procedures are exclusively substantive procedures. The
same procedures, ratios, or relationships might be used for more than one of the three purposes of analytical
procedures. For example, comparing salaries and wages to budgeted amounts by function or department might be
used in planning or final review at an aggregate level or as a substantive analytical procedure at a more detailed
level.
Substantive analytical procedures are focused on particular account balances, and the auditor will have already
assessed the risk of misstatement of the account balance, including the likely direction of the misstatement, i.e.,
overstatement or understatement. The auditor will have decided that the performance of analytical procedures
alone or in combination with tests of details is likely to provide reasonable assurance that the account balance is
not materially misstated in relation to the overall financial statements. To accomplish this, the auditor will have
concluded that a sufficiently precise expectation of the recorded amount being tested can be developed from
reliable financial or nonfinancial data.
Substantive analytical procedures will either be the primary test of the account balance or will be used in combina
tion with tests of details. Essential features of substantive analytical procedures are developing expectations by
identifying plausibly related and reliable data, and identifying whether there are differences from those expectations
that require investigation. If the differences from expectations are sufficiently small, the auditor can conclude that
there is reasonable assurance the account balance is not misstated. Larger differences have to be investigated by
obtaining and corroborating explanations.
Consider the features of analytical procedures. When performing an audit for a nonprofit organization, the auditor
might use an analytic comparison of expense to budget for all three categories of analytical procedures. However,
those analytical procedures would more likely be applied at a more detailed level, by fundraising event or
program, when performed as a substantive analytical procedure.
How to Design Effective Substantive Analytical Procedures
Analytical procedures have been described as a natural extension of the process of understanding the client's
activities. Substantive analytical procedures are a focused way of translating this understanding into reasonable
assurance that a particular account balance is not materially misstated.
First Ask Management. A productive initial step in designing effective substantive analytical procedures is to first
ask management what ratios, relationships, and internal or external data management finds particularly useful in
identifying and monitoring risks. This also helps the auditor to get a better feeling for how the nonprofit organization
really works. What are the key factors that management monitors to stay on top of operations? Are there industry
or trade publications that provide particularly useful information? Do any published statistics on the economy or the
industry help management to be aware of important trends or patterns? In some cases, management may have
prepared reports with ratio analyses and comparisons the auditor can use. The auditor may have gained this
knowledge from management while performing risk assessment procedures.
Nonprofit organizations are often very sensitive to political and economic changes. Unfavorable economic condi
tions may cause a reduction of funding from both private and government funding sources. A downturn in the
economy makes it difficult for a nonprofit organization to obtain new contributions and collect promises to give
pledged in previous years. Many nonprofit organizations are experiencing revenue shortfalls due to losses on
investment portfolios caused by market declines, lower investment returns caused by decreasing interest rates,
reduced personal contributions, and a less stable government grant environment.
Consider the Budgetary Process. The auditor should review prior budgets and inquire about management's
followup of variances to assess the reliability and effectiveness of the budgetary process. If there is an effective
budgetary process, the budget data can be a good source of auditor expectations. In other words, the auditor can
use the budgeted amount for an account balance as the auditor's expectation of the recorded amount. However,
the auditor should consider using the original budget to determine variances from actual. The auditor should
158

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

determine why actual amounts changed from the original estimate, especially if the entity amends the budget to
mirror actual activity. As a minimum, the inquiries about budget preparation and inspection of budgets and variance
reports should provide the auditor with a good working knowledge of the key factors that affect particular account
balances and the stability of plausible relationships. For example, is payroll expense driven by the number of
employees? How closely do property additions track the capital budget? What operating data are most useful for
predicting expense levels? The auditor could use such information in deciding what ratios to compute or predictive
tests to design.
Budgetary control is crucial to many nonprofit organizations because of the restricted nature of much of their
resources. This means many nonprofit organizations must prepare and closely adhere to detailed budgets for
specific programs or functions. Because of funding source constraints on revenue and expenditures, budgets in
the nonprofit sector are often a contractual agreement subject to limited flexibility. For many organizations, each
budget is a plan for spending specific amounts of money in specific cost categories by line item to achieve specific
goals within a set period of time. When a nonprofit organization wishes to modify a program budget, specific
funding source guidelines and procedures may have to be followed, which often include gaining written permission
from the funding source.
Additional questions an auditor might ask about an organization's budgetary process include
 Is a specific program over budget and are other programs under budget?
 Did the nonprofit organization raise the anticipated amount from its special event?
Identify Comparables. For years, there have been suggestions that auditors should make greater use of industry
statistics as a source of data for comparisons in performing analytical procedures. These comparisons provide
insight on how the client's performance compares to that of other nonprofit organizations of similar size, geo
graphic location, and demographic makeup. A significant variation from revenues and expenditures of comparable
nonprofits indicates a risk of potential misstatement and should be investigated.
If the client belongs to a trade organization, it might have access to financial trend information of the other members
accumulated by the trade organization. Industry statistics are, however, generally underused by auditors for a
variety of reasons. There might be no industry group that accumulates statistics. There might be no NAICS or SIC
code that corresponds sufficiently to the client's operations. Use of NAICS or SIC codes can also result in
comparing a client in a single industry with more diversified companies. Industry statistics blur differences caused
by different accounting methods or differences in operations related to class of customer, geographic location,
organizational or financial structure, or product quality. Also, industry statistics may be skewed because one or a
few major companies dominate the industry. The NAICS, which was developed in 1997 by the governments of
Canada, Mexico, and the United States, uses a six digit numerical code to categorize industry groups. The NAICS
codes will replace SIC codes, but the transition is taking time. In the meantime, some data bases still utilize SIC
codes, some have moved to NAICS, and many use both codes. During the transition from SIC codes to NAICS
codes, the CPA may wish to use the database that maps SIC codes to NAICS codes at www.naics.com/
search.htm.
Talk to Operating Personnel. The auditor should get outside the accounting department and talk to other than
financial management personnel when designing and performing analytical procedures. Discussions with operat
ing management and personnel can be invaluable in learning enough about the client's operations and risks to
design effective analytical procedures. For instance, in a nonprofit organization, discussions with the director of
fundraising or development can provide insight to develop a more reliable expectation of contributions.
Generally, operating departments can be a source of reliable data outside the influence of accounting personnel
who record transactions related to those operating functions. The auditor should consider whether the data in the
operating department is independent of the accounting department. The auditor should also consider whether the
preparation of the operating data is subject to manipulation by senior management in a manner that would permit
management to alter both the operating and related accounting data. For example, the auditor could compare (a)
the number of members and membership dues, (b) the number of students and tuition revenue, (c) the number of
tickets sold and admissions revenue, or (d) attendance at a church and contribution revenue.
159

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Discussions with operating personnel should at a minimum enhance the auditor's understanding of the significant
transactions and events that have affected the financial statements and might corroborate the auditor's riskassess
ment conclusions. The enhanced understanding can lead to improvements in the development of expectations of
recorded amounts as well as a more insightful evaluation of differences from those expectations.
Consider the development of reliable data. The auditor could interview the director of development to better
understand the process of setting the budget for special events. Additionally, the auditor could determine if there is
reliable data maintained in the development department for the number and unit prices of tickets sold that can be
used to analytically test revenue from special events. The director of development could also assist the auditor in
developing a reliable expectation for contribution revenue and fundraising expenses. The program directors could
assist in developing expectations of program revenue and expenses.
Consider Whether Circumstances Are Favorable to Substantive Analytical Procedures
Audit Area or Type of Account. Certain circumstances are favorable to the use of substantive analytical proce
dures as the primary, or an important, source of assurance on an account balance. Generally, relationships among
statement of activity account balances, or statement of activity and certain statement of financial position account
balances are more predictable than relationships only among statement of financial position items.
Generally, the higher the assessed risk of material misstatement, the more effective analytical procedures need to
be before they can be relied on instead of tests of details. Accordingly, auditors tend to use tests of details more
extensively in high risk audit areas and analytical procedures more often in low risk areas. However, if the auditor
has highly effective analytical procedures, it may be possible to reduce the extent of detail testing needed even in
high risk areas.
Likely Cause of Potential Misstatements. Substantive analytical procedures tend to be more useful as the
primary substantive procedure when the risk of misstatement has been assessed as being primarily from error. This
is because errors are random and are as likely to be understatements as overstatements. Generally, a substantive
analytical procedure is effective for simultaneously testing for both overstatements and understatements. Tests of
details tend to be directed to either overstatement or understatement. For example, a predictive test of revenue
developed from operating data should be effective for detecting either overstatement or understatement of
recorded revenue. In contrast, tests of details usually focus on a single direction. Detection of understatement, for
example, is the focus of tracing from records of service provided to recorded service revenue, while overstatement
is more likely to be detected by inspecting supporting documents or confirming balances. Also, errors are random
and no one is attempting to conceal them. For example, an executive director who has intentionally understated
fundraising expenses by improper capitalization of special event costs might reclassify other expenses as fund
raising expenses to maintain a normal fundraising efficiency ratio. This does not mean, however, that analytical
procedures are useless as tools in fraud detection. Analytical procedures are an important aid in detecting fraud.
Use of analytical procedures when the general risk analysis indicates a greater risk of fraud is explained later in this
lesson.
Availability of Reliable Data. Because substantive analytical procedures involve developing an expectation of a
recorded amount based on a plausible relationship between that amount and financial or nonfinancial data,
another circumstance that favors use of these procedures is the availability of reliable data to develop expectations.
Generally, data obtained from an independent outside source are better than internal data. Nonfinancial data from
an independent operating department tend to be more reliable than data under the influence and control of the
accounting department when there are effective controls over collection of the operating data. Data from the
accounting department are more reliable when controls over the accounting system are effective. Audited data are
more reliable than unaudited data. The data might be audited by the auditor or by internal auditors judged to be
objective and competent. Generally, the auditor should exercise professional skepticism in evaluating the reliability
of available data and seek more reliable data to achieve greater precision.
Precision of Expectation. Another related consideration is whether the expectation can be developed with
reasonable precision. Precision is the term used to describe the degree of accuracy of the expectation developed
by the auditor to the actual amount. Other things remaining equal, the larger the recorded amount, the more difficult
it is to develop a precise expectation. This is because a small percentage of a very large recorded amount can be
material to the financial statements taken as a whole. For example, the planning materiality amount calculated
160

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

using total support and revenue as the benchmark might range from .5% to 1% of total support and revenue, and
tolerable misstatement would be less than planning materiality. This means that an expectation developed of
recorded total annual support and revenue would need to be within less than 1% of the recorded amount to be
used as the primary substantive test of total annual support and revenue without additional evidence. In some
cases, the data might be reliable enough to develop such a precise expectation; but, in other cases, the auditor
might need to break the recorded amount down into more predictable components. Expectations developed at a
more detailed level have a greater chance of detecting a misstatement of a given amount. For example, expecta
tions developed concerning monthly amounts are generally more precise than annual amounts. Comparisons by
program, location, or department are generally more precise than entitywide comparisons. Sometimes, an
account balance can be separated into different categories of transactions. For example, payroll expense might be
separated into salaried and hourly employees.
Efficiency. Another consideration that affects a primarily substantive analytical procedures approach is the relative
efficiency of tests of details for the account balance. Other things remaining equal, an account balance composed
of a small number of large items can be tested more efficiently and effectively using tests of details. If an account
balance has a large number of small items, efficiency can usually be improved by using substantive analytical
procedures to test the total recorded amount. Analytical procedures are also more efficient and effective when the
relationship between available data has proven to be relatively predictable and stable in the past. For example, the
precision of analytical procedures using trend analysis and ratio analysis is improved when the underlying relation
ships are known to be reasonably predictable and the business environment is relatively stable.
Specialized Considerations for Nonprofit Organizations. Many nonprofit organizations are well suited to the
application of analytical procedures. Account balances that are more susceptible to the use of substantive analyti
cal procedures were discussed previously. For nonprofit organizations, there is usually a predictable relationship
between contribution revenue and the related fundraising expense. Also, there may be a persistent pattern in the
investment income accounts and investment account balances (if the organization's investments would be
expected to earn a fairly constant rate of return).
Likely causes of potential misstatements were discussed previously. For nonprofit organizations, a predictive test
of contributions developed from operating data should be effective for detecting either overstatement or under
statement of recorded contributions. In contrast, tests of details usually focus on a single direction. For example,
detection of understatement is the focus of tracing from contribution records to recorded contributions. Overstate
ment of contributions is more likely to be detected by confirming promises to give or tracing from recorded
promises to give to contribution records.
An example of the precision of expectation for an organization with $3.5 million of adjusted total support and
revenue (which are larger than total adjusted assets), the planning materiality amount calculated would be rounded
to $39,000 and tolerable misstatement would be $30,000. This means that an expectation developed of recorded
total annual support and revenue would need to be within just over 1% of the recorded amount to be used as the
primary substantive test of total annual support and revenue without additional evidence.
As for an example for a nonprofit organization on how disaggregation can improve precision, assume that an
auditor is analytically testing the revenue earned by an organization's special event. The organization sponsors a
marathon in different cities around the country. The proceeds are used to support research. The direct benefits
provided to marathon participants are nominal in value. The auditor's expectation is that the entrance fee revenue
will vary according to the number of entrants in the races.
After interviewing the development department and reviewing supporting documentation, the auditor noted that
there were approximately 18,225 entrants in 17 marathons in the current year. There were no entry fees collected
in one fiscal year for a race held in another fiscal year. The entry fee for all of the races was $15 if paid in advance
and $20 if paid on the day of the race. Approximately 85% of the entrants paid their entry fees in advance. The
revenue recorded from the special event was $290,150. The first analytical procedure performed by the auditor
follows:
Total marathon revenue
Number of entrants

$ 290,150
 18,225

Average price per entrant

$
161

15.92

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

If the auditor assessed the risk of material misstatement as low and/or the auditor performed other substantive
procedures with respect to the marathon special event revenue, the auditor might conclude that the average price
per entrant calculated in the previous paragraph appears reasonable and perform no additional testwork. However,
if the auditor assessed the risk of material misstatement as high and/or had performed no other substantive
procedures, the auditor might refine the test performed as follows:
Total marathon entrants
Percentage of entrants that paid in advance
Number of entrants that paid in advance
Fee paid in advance
Revenue paid in advance

18,225
.85
15,491

$15

$ 232,365

Total marathon entrants


Percentage of entrants that paid the day of the race
Number of entrants that paid the day of the race
Fee paid the day of the race

18,225
.15
2,734

$20


Revenue paid the day of the race

54,680

Revenue paid in advance


Revenue paid the day of the race

$ 232,365
+ 54,680
$ 287,045

Depending upon materiality for the organization, the auditor might conclude that revenue from that special event is
materially correct and no further testing would be considered necessary. If the auditor decided to further expand
testing, revenue per marathon (the amount earned per city) could be calculated or reviewed.
Analytical Procedures and Fraud Detection
An important factor behind the decision to require analytical procedures in all audits of financial statements was
research that indicated that use of analytical procedures was a frequent factor leading to detection of management
fraud or cooking the books. Analytical procedures are required in the planning stage of the audit to make sure the
auditor looks at the big picture first and recognizes areas where fraud risk is greater. Likewise, professional
standards require analytical procedures in the final review stage of the audit to make sure the auditor looks at the
financial statements in total at the end to see that they make sense based on the auditor's understanding of the
business obtained during the audit. More detailed preliminary analytical procedures or substantive analytical
procedures used during the audit can also be helpful in detecting whether the books have been cooked. SAS No.
99 (AU 316.69) requires that the auditor evaluate whether analytical procedures performed as substantive proce
dures or in the overall review stage of the audit indicate a previously unrecognized risk of material misstatement
due to fraud. (SAS No. 99 also requires analytical procedures relating to revenue in planning the audit.) For
example, significant and unusual relationships related to yearend revenue, such as unusually large amounts of
revenue or gains near the end of the reporting period from unusual transactions, might be indicative of fraud. Also,
the auditor should reflect on whether responses to inquiries about analytical relationships have been vague,
implausible, or inconsistent with the auditor's knowledge or other audit evidence. The auditor of a nonprofit
organization might also consider the following:
a. Trend analysis of annual fundraising campaigns or special events by year indicates unusual patterns.
b. Unexpected or unexplained relationships between recorded contribution revenue and statistics
maintained by the development department.
A word of caution on analytical procedures and fraud detection is necessary. Analytical procedures can be very
effective in identifying audit areas with an increased risk of fraudulent financial reporting, but the absence of
significant fluctuations is not reliable evidence of the absence of a risk of material misstatement due to fraud.
Management can manipulate recorded amounts to make relationships appear normal to conceal fraud.
162

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Generally, analytical procedures are useful for identifying audit areas in which there is an increased risk of material
misstatement from cooking the books. Analytical procedures usually do not provide sufficient evidence to resolve
whether a potential material misstatement is caused by fraud, but are efficient and effective for directing the
auditor's attention to account balances that require investigation of a potential fraud. In this area, particularly, it is
important to recognize that there are no magic ratios or relationships that work for all clients. Also, a solid
understanding of the client's activities is even more critical in designing effective analytical procedures in this area.
The auditor cannot recognize unusual relationships, the absence of expected relationships, or other anomalies in
the financial statements unless the auditor has a good sense of what the financial statements should look like in the
client's circumstances. In other words, the auditor needs to know what is usual what should be there before the
unusual can be recognized.
When there is a greater than normal risk of cooking the books, finding at least one comparable entity for analytical
comparisons as recommended previously can be extremely helpful and provide needed insight to what relation
ships are anomalous. By comparing the activity of the client to a comparable entity, the auditor can more readily
identify unexpected relationships or the absence of expected relationships as well as develop better expectations
of recorded amounts.
Substantive analytical procedures focused on particular recorded amounts are useful in refining the assessment of
the risk of misstatement from cooking the books. When the primary risk is cooking the books, the focus of analytical
procedures is generally on the revenues and expenses that might be misstated. For example, it might be possible
to compare receipts from annual fundraising drives to total support to detect improper revenue recognition.
Another example that may detect improper revenue recognition for a nonprofit organization is the relation of
fundraising expenses to contribution revenue. A recorded amount of expense that is significantly lower than the
amount needed to produce the recorded amount of revenue might indicate overreporting of revenue.
The particular analytical procedures have to be designed to fit the specialized circumstances of the client and its
industry. However, comparisons of actual cash flow with recorded accrued amounts and comparisons of the total
recorded amount with the portion that is dependent on a subjective estimate are generally useful. For example,
some nonprofit organizations may be motivated to understate the change in unrestricted net assets to make the
organization look more needy" to potential contributors while other organizations may be motivated to overstate
the change in unrestricted net assets to meet certain funding requirements. However, comparisons of actual cash
flow with recorded accrued amounts and comparisons of the total recorded amount with the portion that is
dependent on a subjective estimate are generally useful.
Whether the assessed risk is of stealing or cooking the books, imaginative use of analytical procedures can be
useful in refining the risk assessment for detecting the misstatement. If the auditor focuses on trends that are
difficult or impossible to manipulate by the perpetrator, analytical procedures will generally be more effective.
Volume data trends should follow reported amounts. For a nonprofit organization, the auditor could analyze the
number of service units provided by the organization and compare that to the revenue associated with those
service units. If service units are increasing, the auditor would anticipate that revenue would also increase. This
same type of analysis could be performed for the following:
 The number of members and membership dues.
 The number of students and tuition revenue.
 The number of tickets sold and admissions revenue.
 Attendance at a church and contribution revenue.
By comparing the trends of operating volume measures to recorded amounts, the auditor can identify account
balances with a risk of misstatement due to fraud. Generally, this approach is equally effective for stealing and
cooking the books.
Corroboration of Explanations. An important consideration related to fraud detection (as well as error detection)
is the evaluation and corroboration of management's explanations for significant differences from the auditor's
expectations. In this area, the main ingredients for effectiveness are healthy doses of common sense and profes
sional skepticism. An attitude that includes a questioning mind and a critical assessment of audit evidence is
163

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

necessary to exercise professional skepticism. The auditor should adopt a show me" attitude and not accept
explanations that are contrary to common sense or that conflict with the auditor's understanding of the client's
circumstance.
Analytical Procedures and Interim Testing
As explained in more detail later in this lesson, audit efficiency and effectiveness can often be improved by shifting
more audit work to interim dates. This can permit earlier identification of issues and problems and allow corrective
action to be implemented before final work starts. Also, there are advantages to spreading out the audit work over
a longer period of time. This makes it easier for client personnel because their time preparing for the audit is also
spread out. Client personnel have more time to prepare schedules and answer questions. Also, because the audit
work is spread out, the engagement team can usually be smaller. This not only has budget advantages, but the
longer exposure to the client also can improve everyone's understanding of the client's activities.
When tests of details are performed at an interim date, the auditor may need to perform rollforward procedures for
the period between the interim date and the statement of financial position date. Analytical procedures are usually
an important part of rollforward procedures. SAS No. 110 (AU 318.62) on substantive tests prior to the statement
of financial position date states that these procedures may include comparison of information concerning the
balance at the statement of financial position date with comparable information at the interim date. This is an
analytical procedure to identify amounts that appear unusual and that therefore should be investigated. These
analytical procedures can be combined with other analytical procedures or tests of details. Substantive analytical
procedures are an efficient way to extend the audit conclusion from the interim date to the statement of financial
position date.
Analytical procedures are particularly useful because the auditor's objective in performing rollforward procedures
is to evaluate whether the recorded amount of transactions between the interim date and the statement of financial
position date is reasonable in relation to the auditor's expectation. Because the time period is much shorter than the
annual period, the auditor's expectations can generally be developed with more precision. The period may be only
one or two months. For example, if the auditor confirms promises to give for a June 30 yearend nonprofit
organization as of May 31, analytical procedures might be an effective method of extending the auditor's conclu
sion through year end. Examples of analytical procedures that might be used as rollforward procedures in this
circumstance follow:
 Compare currentyear June promises to give with prioryear June promises to give.
 Compare the actual currentyear June promises to give to the budget.
 Compare the currentyear June promises to give to the amount recorded in July of the next fiscal year.
 Review a monthbymonth comparison of contributions for the current year.
 Analyze the planned fundraising events or activities that generated the promises to give for June.
The auditor might also scan credit entries to promises to give for June and July of the next fiscal year. The scanning
and comparisons of ratios and amounts should be supplemented by inquiries of development department person
nel about significant or unusual promises to give pledged close to year end.
Analytical Procedures and Accounting Estimates
The auditor should identify and evaluate significant accounting estimates made by management. Analytical proce
dures can be used in evaluating the reasonableness of estimates by developing the auditor's own expectation of
the estimate and as basis for assessing the overall reasonableness of the estimate.
Tests of the reasonableness of an accounting estimate often include a combination of tests of details and analytical
procedures. Supporting data are tested for reliability using tests of details and analytical procedures are used to
assess the reasonableness of the estimate. For example, the auditor might test the aging of accounts receivable for
accuracy and then use the analytical procedures of scanning the aging, considering the historical trends of
chargeoffs per age category, and computing the ratio of days sales in receivables and comparing to the prior year.
The auditor might also scan the results of collection activity in the subsequent period.
164

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

How to Identify and Evaluate Significant Differences


After the auditor has developed an expectation of a recorded amount or ratio of recorded amounts from reliable
data and compared the expectation to the recorded amount, the next step is to determine whether there is a
significant difference. Authoritative literature does not define significant differences. SAS No. 56 (AU 329.20) states
only that the criteria for a significant difference should be consistent with the level of assurance desired from the
analytical procedure. Evaluation of the significance of differences is discussed in the next paragraph. Consider
ations before posting differences to the summary of audit differences are discussed in the following paragraphs.
Evaluation of the Significance of Differences. The quantification of the significance of the difference should be
related to what is material to the financial statements, by financial statement line as well as in the aggregate, rather
than being evaluated in terms of the percentage of the account balance. In some cases, a 2% difference in total
annual revenue would be very material to the financial statements, but a 20% difference in miscellaneous expenses
would be immaterial.
There are complex mathematical models that can be used to compute the dividing line for significance of differ
ences in particular circumstances. However, this degree of complexity is not necessary if a conservative rule of
thumb is adopted. It is believed that the range of 10% to onethird (or 331/3%) of tolerable misstatement generally
provides a workable rule of thumb for the significance of a difference. Differences larger than the designated
percentage would be considered significant and require investigation and corroboration of explanations. This
guideline is based on the same framework that is used in many nonstatistical audit sampling plans. The choice of
a percentage within this range depends on the level of assurance desired from the substantive analytical proce
dure, which in turn depends on the auditor's risk assessment. If the substantive analytical procedure is the primary
source of assurance, the percentage should be toward the low end of the range, say 10% or 15%. If the substantive
analytical procedure is being used in combination with tests of details, then onethird of tolerable misstatement
might be used. If the substantive analytical procedure is only a supplement to a primary test of details, then a
slightly higher amount might be used.
Corroboration of the Explanation of the Difference. The auditor's expectation developed in performing substan
tive analytical procedures is an estimate or prediction of what should be the amount of an account balance. The
evaluation of the significance of the difference between the account balance and the expectation determines
whether the account balance can be accepted as not misstated without performing additional audit work. If the
auditor decides that the expectation is not effective enough (for example, based on reliable enough data, a precise
enough expectation, etc.), then the test should be refined (such as computed in more detail), or the degree of
assurance from the analytical procedure should be reduced and additional procedures should be applied.
If the auditor evaluates the difference as significant and concludes that the expectation is sufficiently effective (that
is, the expectation is precise enough), the auditor generally performs additional inquiry and analysis. The additional
inquiry and analysis might result in a conclusion that the risk of misstatement of the account balance is acceptable,
or alternatively, the quantification of a misstatement that will be proposed as an audit adjustment. Only the
quantified estimate of misstatement determined by investigation should be accumulated and posted to the sum
mary of audit differences. A difference should not be treated as a misstatement before investigating it. Although the
difference may indicate one side of the entry needed to adjust the financial statements, it may not indicate the other
side. For example, a difference that indicates that contribution revenue is overstated typically implies that promises
to give receivable also are overstated. However, if detection risk for the existence assertion about promises to give
receivable has already been reduced to an appropriate level, then the offset to the difference in contribution
revenue cannot be to promises to give receivable.
For significant differences, the auditor should obtain an explanation of the difference and corroborate the explana
tion. The auditor should avoid the temptation of first asking those responsible for preparing financial statements to
explain differences. The auditor should obtain an explanation from a knowledgeable person who is preferably
unrelated to financial statement preparation and analyze the support for that explanation. Explanations about the
reasons for differences might be obtained from accounting department personnel, but should be pursued with
operating personnel and, in some cases, outside parties. For example, in an audit of a community theatre, suppose
the auditor identifies an unexpected increase in contribution revenue and inventory. The organization's accounting
personnel explain that the local university donated lighting equipment and costumes to the theatre to be used in its
next production. The theatre valued the lighting equipment and costumes based on discounting quotes received
165

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

on new equipment and costumes. The auditor might investigate the explanation by inspecting documentation of
the contribution, inspecting the donated items, and discussing the donation with the development department and
the executive producer of the theatre. When significant fraud risk factors are present, the auditor may consider
interviewing the donor to corroborate the explanation.
How to Document Substantive Analytical Procedures
Documentation of Principal Substantive Tests of a Significant Financial Statement Assertion. When an
analytical procedure is used as the principal substantive test of a significant financial statement assertion, SAS No.
56 (AU 329.22) requires the auditor to document the following:
 the expectation and the factors used in its development (unless readily determinable from the work
performed),
 the results of comparing recorded amounts to the expectation, and
 any additional procedures performed to address significant unexplained differences, and the results of
those procedures (for example, the amount of any misstatement quantified as a result of the analytical
procedures performed).
An analytical procedure is the principal substantive test of a significant financial statement assertion when it
provides the primary audit evidence. For example, an analytical procedure for revenue may provide the primary
audit evidence related to the occurrence and completeness assertions for revenue. Generally, for this purpose,
comparisons need to be made on a more detailed basis (for example, actual salaries and wages compared to
budgeted amounts by function or department) or need to be based on an expected total for a transaction class or
account balance (such as comparing recorded cash contributions in the current period with amounts received in
prior periods or budgeted amounts or predicting the revenue of a thrift shop based on its square footage).
Exhibit 11 illustrates documentation of a substantive analytical procedure for a nonprofit organization.
Exhibit 11
Documentation of a Substantive Analytical Procedure
The Primary Test of an Account Balance
630X1
Personnel expense

630X0

673,554

593,003

Change
$

80,551+

+ We noted during our discussions with the client regarding its operations that during the year
ended June 30, 20X0, the organization utilized the donated services of volunteers to perform
fundraising activities and various other administrative duties. During the year ended June 30,
20X1, the organization decided to hire employees to replace the volunteers in order to
increase the amounts raised from the fundraising efforts and to provide better administrative
support to the organization's other staff. Therefore, our expectation is that personnel expense
would increase from prior year. We noted during our review of the board of directors' minutes
that the total annual salaries for the new employees would approximate $65,000 per year. We
also noted per the minutes that the new employees started work on October 1, 20X0.
Additionally, the board minutes noted that raises for existing employees averaged 5% and
were effective July 1, 20X0. Therefore, our expectation of the current year personnel expense
is as follows:
Prior year expense
Current year raises

$


Total expense for new employees


Number of months employed in 20X1

$


166

65,000
9/12

593,003
1.05
622,653
48,750

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Expectation Expense for 20X1


Actual expense for 20X1

671,403
673,554

Difference

2,151

Based on the above, personnel expense appears reasonable and no further work is consid
ered necessary.

Documentation of the expectation and the factors considered in its development is required if not apparent from the
work performed. When prior year balances or budgeted amounts are used for comparative purposes, those
amounts implicitly represent the auditor's expectation. In that case, if the workpapers include a comparative
schedule showing the prior year or budgeted amounts and indicating the source of those amounts (for example,
prioryear workpapers or the 20X2 budget), it is believed that the expectation is apparent and that no additional
documentation of the expectation is required. For an expectation developed based on the key factors affecting an
account, such as an expectation of compensation expense developed using information about the number of
employees and pay rates, auditors should document the factors used in its development and the source of
information about those factors. The results of comparing the expectation with recorded amounts may be docu
mented by including a variance column on the auditor's comparative schedule or by documenting the comparison
of the expected amount and the recorded amount on the face of the auditor's calculation. Although not required by
authoritative literature, documentation might also include information about the auditor's approach to evaluating
the significance of the difference between the recorded amount and the expectation (for example, a percentage of
tolerable misstatement rule of thumb).
Documentation of Other Types of Analytical Procedures. When an auditor performs an analytical procedure that
is not a principal substantive test of a significant financial statement assertion, professional standards do not
specify the form or content of documentation other than to state that audit documentation should include identify
ing characteristics of any specific items tested. For example, assume that an auditor's principal substantive test of
the valuation/allocation assertion for interest expense is an analytical procedure that consists of analyzing recorded
interest expense to isolate amounts recorded for the notes with the largest principal balances and comparing those
amounts with the amount calculated by applying rates for the individual notes to average principal balances
outstanding. Assume further that the auditor believes the expectation underlying the analytical procedure has most
of the required precision, and to provide additional assurance about the valuation/allocation assertion for interest
expense, the auditor computes an overall effective interest rate and compares it with the prioryear overall effective
interest rate, with the expectation that the two rates will not differ significantly. The auditor has therefore used two
analytical procedures as substantive tests of the valuation/allocation assertion for interest expense. However, the
first analytical procedure provides most of the assurance and is therefore the primary substantive test of the
assertion. In this case, the second test would not be a principal substantive test and would not be subject to the
same documentation requirements as the first one. In those instances, the detail of documentation will vary with the
circumstances, including the materiality of the recorded amount, the assessed risk of material misstatement, and
the level of assurance desired from the analytical procedure.
Documentation Required
The auditor needs to document the performance of analytical procedures that involve the development of an
expected amount. The auditor needs to document calculations of ratios. Some auditors may prefer to use elec
tronic spreadsheets. By using such a spreadsheet, once the information is captured, all computations and compar
isons can be automated. PPC's Workpapers includes a set of automated spreadsheet templates. These templates
include a number of the analytical ratios. PPC's Workpapers can be ordered by calling your Thomson Reuters
representative at (800) 3238724.

167

Companion to PPC's Guide to Audits of Nonprofit Organizations

168

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
6. As part of her audit, Joan inspects documents supporting cash disbursements to determine if they were
recorded properly. What type of test of details has she performed?
a. Test of transactions.
b. Test of balances
c. Test of controls.
7. Which of these statements best describes substantive analytical procedures?
a. They are required in all audits of financial statements.
b. They are made up of a finite set of ratios and procedures
c. They are focused on particular account balances.
d. They are part of the final review of the financial statements.
8. When devising substantive analytical procedures, what information should auditors gain from talking with their
clients' operating personnel?
a. A comparison of how a client's performance compares to that of other similar nonprofit organizations.
b. An enhanced understanding of significant transactions and events that affect the financial statements.
c. A working knowledge of key factors affecting the client's account balances and the stability of plausible
relationships.
d. A feel for how the nonprofit organization really works and an understanding of the information
management uses when running operations.
9. Which auditor dealt with his scenario in the most appropriate way?
a. Dave assesses the risk of material misstatement as high for his audit; accordingly, he relies exclusively on
substantive analytical procedures to provide his audit evidence.
b. Greg uses nonfinancial data obtained from an independent outside source as audit evidence as opposed
to using the internal data supplied by management.
c. An account balance for Jim's audit consists of a small number of large items, so Jim relies primarily on
substantive analytical procedures for his audit evidence.
d. In an audit that requires a precise expectation, Karl performs substantive analytical procedures on annual
support and revenue instead of breaking it down into monthly amounts.
10. Which statement below indicates a valid analytical procedure applied to a nonprofit organization?
a. Understatement of contributions would best be detected by confirming promises to give.
b. Tracing from contribution records to recorded contributions is a good test for detecting overstatement of
contributions
c. Testing the relationship of contribution revenue to fundraising expenses.
169

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

11. Ethel determines during the course of her audit that there is a risk that management has cooked the books.
How could she proceed?
a. She could devise substantive analytical procedures that prove whether potential misstatements were
caused by fraud.
b. She could use certain specific ratios developed by her firm that will catch fraud in any client's financial
statements.
c. She could find a comparable entity to make analytical comparisons with client data to help her identify any
unexpected relationships.
d. The substantive analytical procedures she needs to devise are those that compare actual cash flow with
recorded accrued amounts.
12. Canyon Ranch Church is the largest growing church in the state of Montana. Two Sunday morning services
and one Saturday evening service were added in 2007 as well as ten new support groups or church programs.
When Kelly audits Canyon Ranch Church, what substantive analytical procedure would give her the best
information about fraud or cooking the books related to the organization's annual contribution revenue?
a. Studying the number of Sunday School students and resources provided for classes.
b. Studying trends of congregation growth in other churches in the area.
c. Studying the number of employees and the hours worked.
d. Studying the attendance at each service.
13. While auditing Healthy Lives Org, Cindy must identify and evaluate significant accounting estimates made by
management. Which substantive analytical procedure would be appropriate in this instance?
a. Scanning the aging, considering the historical trends of chargeoffs related to the age category, and then
computing the ratio of days sales in receivables and comparing it to the prior year.
b. Scanning credit entries to promises to give for June and July of the next fiscal year and supplementing
ratios and amounts with inquiries of development department personnel about unusual promises to give
pledged close to year end.
c. Performing a comparison of the actual currentyear June promises to give to the budget.
d. Analyzing recorded interest expense to isolate amounts with the largest principal balances that were
recorded in the notes and comparing them with an amount calculated by applying rates to each note.
14. During the course of her audit, Rachel discovers a significant difference between her expectation and the
amount of an account balance, but upon further examination of the analytical procedures Rachel determines
that her expectation is precise enough. Which of the following best illustrates how she should proceed?
a. She should reduce the degree of assurance from her analytical procedures and apply additional
procedures.
b. She should perform additional inquiry and analysis to determine if there is a risk of misstatement due to
the difference.
c. She should request an explanation of the difference from her client's management or the accounting
department.
d. She should begin treating the difference as a misstatement and post it to the summary of audit differences.
170

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
6. As part of her audit, Joan inspects documents supporting cash disbursements to determine if they were
recorded properly. What type of test of details has she performed? (Page 156)
a. Test of transactions. [This answer is correct. Like Joan does in the example above, tests of
transactions test the processing of individual transactions.]
b. Test of balances. [This answer is incorrect. Tests of balances are applied directly to balance details in the
general ledger accounts. An example of this kind of test would be if Joan confirmed an investment in
securities with the custodian.]
c. Test of controls. [This answer is incorrect. Though some auditors equate tests of controls with tests of
details, the difference is the objective of the test. Merely because a transaction or balance is tested does
not mean a test is a test of controls; however tests of controls can be performed at the same time as tests
of details.]
7. Which of these statements best describes substantive analytical procedures? (Page 158)
a. They are required in all audits of financial statements. [This answer is incorrect. Preliminary and overall
review analytical procedures are both required parts of an audit, but the use of substantive analytical
procedures is up to the discretion of the auditor.]
b. They are made up of a finite set of ratios and procedures. [This answer is incorrect. No analytical
procedures are considered exclusively substantive analytical procedures. The same ratios, procedures,
and relationships can be used as preliminary, substantive, and overall review analytical procedures.]
c. They are focused on particular account balances. [This answer is correct. The auditor should have
already assessed the risk of misstatement with respect to a particular account balance and then
decided that the substantive analytical procedures are likely to provide reasonable assurance that
the balance is not materially misstated.]
d. They are part of the final review of the financial statements. [This answer is incorrect. Overall review
analytical procedures, not substantive analytical procedures, are part of the final review of the financial
statements. They help the auditor ensure that the numbers make sense.]
8. When devising substantive analytical procedures, what information should auditors gain from talking with their
clients' operating personnel? (Page 160)
a. A comparison of how a client's performance compares to that of other similar nonprofit organizations. [This
answer is incorrect. Auditors can determine this information by identifying comparables between their
client and other nonprofits of similar size, geographic location, and demographic makeup.]
b. An enhanced understanding of significant transactions and events that affect the financial
statements. [This answer is correct. Such conversations might also corroborate any riskassess
ment conclusions made by the auditor, lead to improvements developing expectations of recorded
amounts, and more insightful evaluations of any differences from those expectations.]
c. A working knowledge of key factors affecting the client's account balances and the stability of plausible
relationships. [This answer is incorrect. Auditors will find out this information by considering their clients'
budgetary processes.]
d. A feel for how the nonprofit organization really works and an understanding of the information
management uses when running operations. [This answer is incorrect. Auditors can get this information
by asking management about the relationships, ratios, and external and internal data it finds useful in
identifying and monitoring risks.]
171

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

9. Which auditor dealt with his scenario in the most appropriate way? (Page 160)
a. Dave assesses the risk of material misstatement as high for his audit; accordingly, he relies exclusively on
substantive analytical procedures to provide his audit evidence. [This answer is incorrect. Generally, when
risk of misstatement is assessed at a higher level, substantive analytical procedures must be more effective
to be relied on; therefore, in this situation, unless he has very highly effective analytical procedures, Dave
should rely on tests of details instead.]
b. Greg uses nonfinancial data obtained from an independent outside source as audit evidence as
opposed to using the internal data supplied by management. [This answer is correct. Greg has
properly used his professional skepticism by seeking more reliable data, which will allow him to
achieve greater precision in his audit. Data from an independent source outside of the client is more
reliable than internal data.]
c. An account balance for Jim's audit consists of a small number of large items, so Jim relies primarily on
substantive analytical procedures for his audit evidence. [This answer is incorrect. If the account balance
consisted of a large number of small items, substantive analytical procedures would be more helpful, all
other things being equal. In this instance, Jim would generally be better off using tests of details.]
d. In an audit that requires a precise expectation, Karl performs substantive analytical procedures on annual
support and revenue instead of breaking it down into monthly amounts. [This answer is incorrect.
Generally, breaking the recorded amount down into more predictive components would make it easier for
an auditor in Karl's position to develop a more precise expectation.]
10. Which statement below indicates a valid analytical procedure applied to a nonprofit organization? (Page 161)
a. Understatement of contributions would best be detected by confirming promises to give. [This answer is
incorrect. This test would be used to detect overstatements of contributions. Another test for overstatement
of contributions would be to trace from recorded promises to give to the contribution records.]
b. Tracing from contribution records to recorded contributions is a good test for detecting overstatement of
contributions. [This answer is incorrect. This test would be used to detect understatements of
contributions.]
c. Testing the relationship of contribution revenue to fundraising expenses. [This answer is correct.
The predictable relationship between these accounts makes this a good analytical procedure.]
11. Ethel determines during the course of her audit that there is a risk that management has cooked the books.
How could she proceed? (Page 163)
a. She could devise substantive analytical procedures that prove whether potential misstatements were
caused by fraud. [This answer is incorrect. Generally, substantive analytical procedures will not provide
enough evidence to resolve the issue of potential material misstatement; however, they are both efficient
and effective means of directing an auditor's attention to account balances that require more
investigation.]
b. She could use certain specific ratios developed by her firm that will catch fraud in any client's financial
statements. [This answer is incorrect. There are no ratios or relationships that will magically work for all
clients. Ethyl will have to devise her own substantive analytical procedures that will be effective in the
context of her client and her client's industry.]
c. She could find a comparable entity to make analytical comparisons with client data to help her
identify any unexpected relationships. [This answer is correct. Because Ethyl has determined there
is a greater than normal risk of cooking the books, finding a comparable entity could be extremely
helpful. She also must make sure she has a solid understanding of her client's operations so she
can recognize anything unusual.]
172

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

d. The substantive analytical procedures she needs to devise are those that compare actual cash flow with
recorded accrued amounts. [This answer is incorrect. Such procedures would generally be useful, as
would comparisons of the total recorded amount with the portion dependent on a subjective estimate;
however, to ensure the most effectiveness, Ethyl will need to design substantive analytical procedures that
are specific to her client and her client's industry.]
12. Canyon Ranch Church is the largest growing church in the state of Montana. Two Sunday morning services
and one Saturday evening service were added in 2007 as well as ten new support groups or church programs.
When Kelly audits Canyon Ranch Church, what substantive analytical procedure would give her the best
information about fraud or cooking the books related to the organization's annual contribution revenue?
(Page 163)
a. Studying the number of Sunday School students and resources provided for classes. [This answer is
incorrect. This could be used for analysis of expenses. It would not be an effective procedure in Kelly's
situation.]
b. Studying trends of congregation growth in other churches in the area. [This answer is incorrect. Studying
trends related to congregation growth would not help discover fraud in Canyon Ranch Church's audit
related to contribution revenue.]
c. Studying the number of employees and the hours worked. [This answer is incorrect. This could be a valid
analytical procedure in some instances, but labor comparisons would not be helpful in the Canyon Ranch
Church audit.]
d. Studying the attendance at each service. [This answer is correct. Because the church is growing,
attendance is increasing. By comparing the trend in attendance growth to recorded contribution
revenue, Kelly can identify account balances with a risk of misstatement due to fraud.]
13. While auditing Healthy Lives Org, Cindy must identify and evaluate significant accounting estimates made by
management. Which substantive analytical procedure would be appropriate in this instance? (Page 164)
a. Scanning the aging, considering the historical trends of chargeoffs related to the age category, and
then computing the ratio of days sales in receivables and comparing it to the prior year. [This answer
is correct. Testing the reasonableness of an accounting estimate will often include a combination
of tests such at those listed here.]
b. Scanning credit entries to promises to give for June and July of the next fiscal year and supplementing
ratios and amounts with inquiries of development department personnel about unusual promises to give
pledged close to year end. [This answer is incorrect. This is an example of analytical procedures that could
be used as rollforward procedures when the auditor performed work at an interim date. Since Cindy is
trying to verify the accounting estimate in this scenario, these procedures would not be helpful.]
c. Performing a comparison of the actual currentyear June promises to give to the budget. [This answer is
incorrect. If Cindy performed work at an interim date and needed rollforward procedures to complete her
audit of Healthy Lives Org, these procedures would be options; however, they are not applicable to
verification of the accounting estimate.]
d. Analyzing recorded interest expense to isolate amounts with the largest principal balances that were
recorded in the notes and comparing them with an amount calculated by applying rates to each note. [This
answer is incorrect. This would give Cindy the average principal balances outstanding and would be of
use if he were testing the valuation/allocation assertion for interest expense. It would not be useful in
Cindy's current situation.]

173

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

14. During the course of her audit, Rachel discovers a significant difference between her expectation and the
amount of an account balance, but upon further examination of the analytical procedures Rachel determines
that her expectation is precise enough. Which of the following best illustrates how she should proceed?
(Page 165)
a. She should reduce the degree of assurance from her analytical procedures and apply additional
procedures. [This answer is incorrect. This would be an option for Rachel if she determined that her
expectation was not effective enough and needed to be refined.]
b. She should perform additional inquiry and analysis to determine if there is a risk of misstatement
due to the difference. [This answer is correct. This additional inquiry and analysis should allow
Rachel to determine if the risk of misstatement based on the difference is acceptable or not.]
c. She should request an explanation of the difference from her client's management or the accounting
department. [This answer is incorrect. If the difference is deemed significant, Rachel would need to find
an explanation; however, if an explanation is needed, she should try to obtain it from someone unrelated
to the financial statement preparation.]
d. She should begin treating the difference as a misstatement and post it to the summary of audit differences.
[This answer is incorrect. A difference should not be treated as a misstatement immediately. There are
steps Rachel must complete before she can decide whether the difference is an actual misstatement.]

174

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

OTHER SUBSTANTIVE PROCEDURES RELATED ISSUES


The Use of Audit Evidence from Prior Periods
The ability to use audit evidence from the performance of substantive procedures in a prior audit is highly restricted.
SAS No. 110 (AU 318.64) states that this evidence is not sufficient to reduce detection risk to an acceptably low
level in the current period" and observes that in most cases it provides little or no evidence for the current period."
SAS No. 110 provides one example of an instance in which audit evidence obtained from the performance of
substantive procedures in a prior period may be relevant in the current period: prior audit evidence substantiating
the purchase cost of a building or building addition. This example is the common audit approach to auditing
property and equipment by substantiating the changes to the beginning balance additions and retirements to
reach a conclusion about the ending balance. Before using audit evidence obtained from the performance of
substantive procedures in a prior audit, the auditor should perform audit procedures during the current period to
establish the continuing relevance of the audit evidence. (SAS No. 106, AU 326.24)
Responding to Fraud Risks
The auditor is responsible for designing the audit to detect material misstatements, whether caused by error or
fraud. The auditor does not routinely select procedures designed solely to detect fraud in ordinary circumstances.
However, SAS No. 99, Consideration of Fraud in a Financial Statement Audit (AU 316), requires the auditor to
specifically identify and assess risks of material misstatement due to fraud and develop an appropriate response.
Based on the auditor's assessment of fraud risks, he or she may alter the nature of procedures performed (that is,
apply additional procedures designed to detect fraud), or alter the timing or extent of procedures performed. The
auditor may also require more or different evidence to support material transactions or balances than would be the
case if the auditor did not identify any specific fraud risks. In addition, SAS No. 99 also requires auditors to perform
certain specific procedures to address the risk of management override of controls, including examining the entity's
journal entries and other adjustments, reviewing accounting estimates for bias, and evaluating the business
rationale for significant unusual transactions.
Overall Responses. Auditors generally use overall responses to address fraud risks that are pervasive to the
financial statements. Overall responses affect the audit strategy (that is, the way the audit is conducted). Because
there is always at least one identified fraud risk (the risk of management override of controls), certain overall
responses are required in every audit.
Specific Responses. Specific responses to fraud risks involve the nature, timing, and extent of auditing proce
dures. Specific responses at the account balance, transaction class, or financial statement assertion level will vary
depending on the types and combinations of fraud risks identified and the account balances, classes of transac
tions, or assertions that may be affected. Responses may involve both substantive procedures and tests of
controls. However, tests of controls alone generally will not reduce audit risk to an appropriately low level because
of the risk that management may override controls; therefore, tests of controls alone are generally not sufficient to
respond to fraud risks.
When responding to fraud risks, the auditor may need to modify the nature, timing, and extent of audit procedures
in the following ways:
 The nature of audit procedures may be modified to obtain more reliable evidence (such as evidence from
independent sources outside the entity or evidence from tests of details rather than analytical procedures)
or additional corroboration.
 The timing of audit procedures may be modified to perform more substantive procedures at yearend (for
example, if interim audit procedures are planned, but there are unusual incentives for management to
engage in fraudulent financial reporting). Also, substantive tests of transactions throughout the year may
be performed to respond to the risk of fraud perpetrated during the period.
 The extent of audit procedures may be modified through larger sample sizes or by performing analytical
procedures at a more detailed level to achieve a higher degree of precision.
175

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

If inherent risk is assessed at high because of the presence of fraud risks, the auditor might decide to increase the
extent of procedures (for example, by performing analytical procedures at a more detailed level, obtaining a higher
percentage of coverage when performing scope testing, or increasing sample sizes). A more likely response,
however, might be to modify the nature of audit procedures in the area of concern rather than the extent. Examples
of specific responses affecting the nature, timing, and extent of procedures are included in Exhibit 12.
Exhibit 12
Examples of Specific Responses to Fraud Risks
Nature of Audit Procedures
 Obtain evidence from more independent sources.
 Perform more physical observation and inspection procedures.
 Contact major suppliers, donors, or contributors orally.
 Review of correspondence with donor.
 Send confirmation requests to a specific party in an organization.
 Confirm additional information from donors such as restrictions on donations.
 Seek more or different information.
 Use computerassisted audit techniques to gather more extensive evidence or perform different types of tests.
 Perform a different combination of tests of details and analytical procedures, using more focused analytical
procedures, such as using programspecific budgets.
 Interview personnel involved in areas where identified fraud risks exist to obtain their insights about the risk and
whether or how controls address the risk.
 If the work of specialists is especially significant to the financial statements, engage another specialist or perform
additional procedures on the assumptions, methods, and findings.
 Confirm with donors or grantors relevant grant or contract terms and the absence of side agreements. (Possibly
confirm both orally and in writing.)
 Apply additional procedures during inventory observation, such as more rigorously examining product
contents or quality, or the way boxes are stacked.
 Apply additional procedures to inventory tags, count sheets, etc.
 Obtain a further understanding of and test controls over assets that are highly prone to misappropriation, the
receipt of noncash asset contributions, or direct contact solicitations.
Timing of Audit Procedures
 Confirm promises to give at year end rather than at interim.
 Perform certain procedures on a surprise or unannounced basis.
 Observe inventory at all locations at once.
 Request physical inventories to be taken at or near year end.
 Apply substantive procedures to transactions occurring throughout the period under audit.
Extent of Audit Procedures
 Increase sample sizes.
 Obtain a higher percentage of coverage when performing scope testing, for example, by reducing the scope
for detail tests of expense accounts.
 Observe inventory at special locations or all locations.
 When using the work of other auditors, discuss with them the extent of work needed to address identified fraud
risks resulting from transactions and activities involving the two entities or components.
 Additional testing of inventory tags, count sheets, etc.
 Performing more analysis and testing the support for all assumptions underlying allocation or costs to a
program.
 Perform substantive analytical procedures, including the development of an expected dollar amount, using
disaggregated data to achieve a high level of precision.
 Use computerassisted audit techniques to test an entire population instead of a sample.

*
176

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Professional Skepticism. When gathering and evaluating audit evidence in response to identified fraud risks,
auditors must maintain an appropriate degree of professional skepticism. Examples of applying professional
skepticism in response to risks of material misstatement due to fraud include:
 An increased recognition of the need to corroborate client explanations or representations (for example,
through further analytical procedures, thirdparty confirmation, examination of independent documenta
tion, or discussions with others within or outside the entity).
 Performing additional or different auditing procedures to obtain more reliable evidence in support of the
auditor's objectives.
Responding to the Risk of Misappropriation of Assets. Auditors may be faced with unique considerations when
determining how to respond to the risk of material misstatement due to misappropriation of assets. The auditor's
response most likely will be directed at a specific account balance or transaction class. Responding to an apparent
risk of misappropriation can be challenging. Misappropriation of immaterial amounts may be relatively common,
but it is less common for misappropriation to occur in amounts considered material to financial statements.
When a client has assets that are particularly susceptible to misappropriation (such as large amounts of cash on
hand or other assets that are valuable and easily stolen) and the auditor has concluded there is a risk of material
misstatement of the financial statements due to misappropriation, an appropriate audit response generally would
be to perform extensive substantive testing of the balance recorded in the financial statements. That may include
physically inspecting the assets at or near year end. The auditor also might want to examine accounts in which
misappropriation could be concealed, such as accounts with a large number of small debit transactions. Substan
tive analytical procedures using expectations developed with a high degree of precision also may be effective. In
some cases, the auditor might decide it is necessary to test the effectiveness of controls designed to prevent or
detect such misappropriation. Deciding which procedures are necessary is left to the judgment of the auditor. SAS
No. 99 (AU 316.56) states that the scope of work should be linked to the specific information about the misappropri
ation risk that has been identified.
In many entities, one of the primary fraud risks is fraudulent, unauthorized disbursements (for example, bookkeep
ers writing checks to themselves). Many small nonprofit organizations are particularly susceptible to such fraud
because of a lack of segregation of duties. If the auditor concludes there is a risk that such disbursements may
occur in amounts that could result in material misstatement of the financial statements, an audit response is
required. Substantive tests of the cash balance recorded in the financial statements may not be sufficient to
respond to a material risk of fraudulent cash disbursements. However, in some cases, when such fraud occurs, it
does not involve amounts material to the financial statements. In addition, practitioners disagree on whether
financial statements actually are misstated if such disbursements are recorded as expenses.
Generally, the auditor will consider the client's controls over disbursements, such as the following:
 Segregation of duties and effective management oversight (for example, a senior officer or volunteer board
treasurer receives the bank statement unopened).
 Authorization and approval of transactions (for example, in purchasing or payroll disbursements).
If, after considering controls and the risk that fraudulent disbursements could be material to the financial state
ments, the auditor determines that an additional audit response is necessary, the following procedures might be
considered:
 Reviewing selected disbursements for unusual payees, signatures, or endorsements.
 Reviewing vendor lists for unusual patterns.
 Performing analytical procedures to determine the propriety of functional expense allocations (such as
comparisons of current year allocations to prior year allocations and to budgeted amounts).
 Reviewing payroll registers for unusual items.
177

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Performing paymaster procedures (that is, distributing payroll checks or observing their distribution).
 Proof of cash.
As previously noted, deciding which procedures are necessary is left to the judgment of the auditor.
Regardless of the auditor's judgments about whether the risk of material, fraudulent disbursements is an identified
fraud risk, the auditor should communicate significant deficiencies in accordance with professional standards. In
addition, the auditor should consider working with the client, when necessary, to establish effective controls over
disbursements.
Responses to Further Address the Risk of Management Override of Controls. Because management has the
ability to override controls that may otherwise appear to be operating effectively, and because that occurrence is
unpredictable, SAS No. 99 requires auditors to address that risk. In addition to the auditor's overall and specific
responses to identified fraud risks, SAS No.99 requires auditors to perform the following procedures to further
address the risk of management override of controls:
 Examine the entity's journal entries and other adjustments.
 Review accounting estimates for bias.
 Evaluate the business rationale for significant unusual transactions.
Examining Journal Entries. Auditors should examine both journal entries recorded in the general ledger and other
adjustments (such as postclosing or reclassifying entries) made in preparing the financial statements. Practice
Alert 200302, Journal Entries and Other Adjustments," provides guidance on the design and performance of audit
procedures to meet the requirements in SAS No. 99 for tests of journal entries and other adjustments. Examining
the entity's journal entries involves obtaining an understanding of the entity's financial reporting process and the
controls over journal entries and other adjustments, selecting entries for testing, and determining the nature and
timing of tests. Auditors should also make inquiries of employees involved in financial reporting about the possibil
ity of unusual or improper journal entry activity, including unsupported entries, and specifically whether they have
been asked to make such entries. Tests ordinarily should focus on entries made at or near year end. Auditors also
may consider scanning the general ledger immediately following year end for unusual entries, including entries that
were reversed at the beginning of the subsequent period. Auditors should consider placing greater emphasis on
entries not subject to the entity's normal internal controls (such as nonrecurring and postclosing entries).
Exhibit 13
Indications of Unusual Journal Entries in General Ledger Accounts
Unusual Condition

Examples

Unexpected posting source.

 Postings to revenue accounts from


unusual sources.
 Postings to accounts payable from
other than purchases and cash dis
bursements.

Unexpected debits or credits.

 Credit postings in expense accounts.


 Debit postings in revenue accounts.

Unexpected combination of accounts.

 Debit to a reserve and credit to


revenue.
 Debit to longterm debt and credit to
interest income.
 Debit to depreciation and credit to
revenue.

178

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Unusual Condition

Examples

Unusually large or small dollar amounts


based on normal activity in an account.

 Large credits to contribution revenue


accounts when only small donations
are normal.
 Numerous small debit adjustments
to expense accounts.

Unusually large or small numbers of


entries based on normal activity in an
account.

 Expected entries are missing.


 Large numbers of journal entries in
accounts with very little transaction
activity.

Dollar amounts appear suspicious.

 Entries containing rounded num


bers.
 Entries containing consistent ending
numbers.

Another procedure that is important in detecting unusual changes in account balances that may reflect inappropri
ate journal entries is to ensure that the trial balance provided to the auditor agrees with the entity's general ledger.
If the client prepares the financial statements, the auditor should reconcile the trial balance with the financial
statements.
Auditors can document the review of journal entries by (a) describing the procedures used to establish the
population of journal entries was complete, (b) describing the method used to select journal entries for examina
tion, and (c) identifying the specific journal entries examined.
Reviewing Accounting Estimates. SAS No. 107 (AU 312.58) suggests that the auditor consider the possibility of
management bias in the development of accounting estimates. In other words, an auditor should consider whether
differences between estimates best supported by the audit evidence, and the estimates included in the financial
statements that are individually reasonable, indicate (in the aggregate) a possible bias on the part of management.
In that case, the auditor should consider whether other recorded estimates reflect a similar bias and perform
additional procedures to address those estimates. For example, do the allowance for uncollectible promises to
give, present value calculation for such promises, and measurement of noncash contributions all indicate a similar
bias?
SAS No. 99 further requires auditors to perform a retrospective review of significant prioryear accounting esti
mates. The intent of the review is not to question the client's or the auditor's judgment in the prior year, but to
determine, with the benefit of hindsight, whether the underlying assumptions in the prior year might indicate
possible bias on the part of management. The review may provide additional information about whether the current
year's estimates could be biased.
Evaluating Significant Unusual Transactions. SAS No. 99 requires auditors to gain an understanding of the
business rationale for significant unusual transactions. Understanding the rationale (or lack thereof) for transac
tions outside the normal course of operations may provide an indication that transactions were entered into for the
purpose of engaging in fraudulent financial reporting or to conceal misappropriation. In evaluating business
rationale, auditors should consider whether:
 The transaction is overly complex in relation to its stated purpose.
 Management is overly concerned that the transaction receives a particular accounting treatment.
 The transaction involves previously unidentified related parties.
179

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 The parties to the transaction lack economic substance.


 The transaction and the manner of accounting have been reviewed and approved at an appropriate level,
such as by the governing board or audit committee (if the organization has one).
 The transaction makes business sense from the perspective of the other party.
Effect on Audit Programs. The auditor may respond to fraud risks using basic procedures; however, consider
ation should be given to increasing the extent of those procedures. If the auditor chooses to respond to fraud risks
by changing the nature of his or her auditing procedures, the additional procedures to many of the core audit
programs include procedures the auditor may consider performing in response to his or her assessment of fraud
risks.
Auditors use professional judgment in determining the nature, timing, and extent of the procedures that should be
performed to respond to identified fraud risks. Due to the nature of fraud and the methods in which it may be
committed, it is not possible to develop a comprehensive set of standardized procedures that should be performed
in response to an auditor's assessment of fraud risks. In some cases, the auditor may need to develop his or her
own procedures in response to specific facts and circumstances of the engagement.
Documenting Fraud Risk Responses. SAS No. 99 (AU 316.83) requires the auditor to document responses to
risks of material misstatement due to fraud. The auditor is required to document the following:
 The responses to identified fraud risks.
 The results of procedures to address the risk of management override of controls.
 Additional conditions, if any, requiring a response and the response(s) to those conditions.
The SAS does not require a onetoone correlation between risks and responses. That is, one response may
address several fraud risks, and one risk may require several responses. The responses to identified fraud risks
may be documented individually or in combination.
Completeness the Elusive Assertion
Another relatively complex and somewhat controversial issue is how to test the completeness assertion. Some
auditors believe that sufficient audit evidence about completeness cannot be obtained without some tests of
controls because substantive procedures are not very effective in testing completeness. In particular, they believe
that controls are needed to assure the recording of all transactions that should be recorded. In a small nonprofit
organization, lack of segregation of duties may preclude testable completeness controls. Does that mean that such
a small nonprofit organization is unauditable? Not necessarily. An AICPA auditing interpretation (AU 326.24.27)
states that a reduced assessment of control risk is not required to satisfy audit objectives about the completeness
assertion (except for some transactions, such as cash revenues of a retailer, casino, or charitable organization,
where it may be difficult to limit audit risk without relying on the operating effectiveness of controls).
The auditing interpretation states that if the auditor believes there is a risk that transactions have been improperly
omitted from the financial statements, the auditor should restrict that risk by performing some substantive proce
dures to obtain evidence about the completeness assertion. The substantive procedures will be either analytical
procedures or tests of related populations. (A related population is an account balance or transaction class other
than the one being assessed for completeness that would be expected to contain evidence of whether all transac
tions are included in the balance or class being assessed.) The following paragraphs discuss procedures that are
ordinarily effective.
Procedures Related to Completeness. A variety of procedures are available that provide evidence relevant to
completeness. Some provide direct evidence that for a particular account balance or class of transactions there is
reasonable assurance of completeness. Others are less direct but increase an auditor's confidence that the
financial reporting system has captured all transactions. These procedures are as follows:
a. Observation and Inquiry. To obtain information about the control consciousness of management, the
competence and integrity of employees, and the condition of the accounting records and operation of the
financial reporting system.
180

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

b. Analytical Procedures. To obtain information about the reasonableness and completeness of account
balances and the totals of classes of transactions.
c. Tests of Details of Transactions. To obtain direct evidence that a population of accounting data is complete.
d. Management Representations. To obtain corroboration from management on the completeness of
recorded transactions and other relevant representations. Although management representations are not
a substitute for other audit procedures and, according to the audit interpretation, may not be solely relied
on, the representations can complement other procedures.
Use of these procedures is explained in the following discussion.
Observation and Inquiry. By touring a client's facilities and observing it in operation, an auditor can gain a general
impression of operating efficiency and effectiveness. An auditor can see whether the level of activity observed is
what would generally be expected for the activity shown in the accounting records. Assets on hand can be
inspected and compared to recorded amounts. Also, an auditor can, by observing and asking questions, gain an
impression of the control consciousness of management and the general level of competence and integrity of
employees. Does management demonstrate a concern for control by performing important approval and checking
functions? Do accounting personnel understand their duties and appear mindful of controlling the quality of their
work? Is there a formal accounting system with a chart of accounts and clear lines of responsibility for accounting
personnel? These procedures are tests of controls. However, observation and inquiry usually provide evidence that
controls were in operation only during the period observed, not the entire audit period. Thus, these procedures
alone are not usually sufficient to support an assessment of control risk at moderate or low.
Analytical Procedures. In some cases, operating data independent of the accounting records may be used to test
completeness. An account balance, in some cases, might be sufficiently tested by computation. A comparison of
investment income to average investments tests whether all income earned on investments is recorded, and
average pay times the number of employees may substantiate that all salaries are recorded. Membership fee
revenue can be related to total members; also if available, industry averages for expense to sales ratios might
detect unrecorded sales.
Tests of Details of Transactions. A basic condition for effective tests of transactions is some type of formal
financial reporting system. Documents that are the initial record of transactions should be sequentially numbered
as soon as possible; the documents should preferably be prenumbered, and all numbers should be accounted for
after processing. Control totals and transaction logs or registers also contribute to assuring completeness if totals
are reconciled at various stages in processing. An auditor can inspect the client's use of those means of assuring
completeness or make independent tests of the sequence of prenumbered documents and reconciliation of totals.
Files of open items, such as open purchase orders and open sales orders, provide some assurance of complete
ness if the open items are periodically matched with transactions and deleted when processing is done.
Unmatched items could indicate uncompleted transactions or unrecorded transactions. An auditor can also
perform tests to reconcile recorded transactions with the record of physical movement to test completeness. For
example, an auditor can trace records of goods received to amounts recorded as purchase transactions. Note that
the direction of testing is from the independent evidence of the transaction to the accounting record.
Management Representations. In every audit of financial statements, an auditor is required by SAS No.85 to
obtain certain written representations from management. Those representations cannot substitute for audit proce
dures necessary to obtain sufficient audit evidence, but they can complement those procedures. A written repre
sentation on the availability of all financial records and related data is ordinarily included and, for a small nonprofit
organization, the authors believe it is generally advisable to obtain a representation that there are no undisclosed
liabilities or transactions. In some cases, representations on specific transactions may be advisable.

181

Companion to PPC's Guide to Audits of Nonprofit Organizations

182

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
15. Which of the following statements best illustrates a strategy auditors can use when responding to fraud risks?
a. Overall responses are only necessary if fraud risk is deemed high.
b. Tests of controls alone can reduce fraud risk to acceptably low levels.
c. Specific responses vary based on the types of fraud risk identified and what they affect.
d. Increasing the extent of procedures is the most likely response to high fraud risk.
16. Which of the following specific responses to fraud risk changes the timing of the audit procedures?
a. Observe inventory at all locations at once.
b. Send confirmation requests to a specific party in an organization.
c. Contact major suppliers, donors, or contributors orally.
d. Use computerassisted audit techniques to test the entire population.
17. As part of her audit, Tabitha must examine her client's journal entries. In which of the following instances has
she acted appropriately?
a. Tabitha focuses her examination solely on journal entries that occur in the general ledger.
b. Tabitha focuses her tests on journal entries made during the entity's highest grossing quarter.
c. Tabitha places the greatest emphasis on entries subject to the client's normal internal controls.
d. Tabitha obtains an understanding of the financial reporting process and related controls.
18. During her examination of the general ledger accounts, Kim notices credit postings in expense accounts. What
unusual condition could these credits indicate?
a. Unexpected credits or debits.
b. Dollar amounts appear suspicious.
c. Unexpected posting source.
d. Unexpected combination of accounts.
19. Jordan must test the completeness assertion during his audit. What type of procedure would best allow him
to obtain direct evidence that the population of accounting data is complete?
a. Observation and inquiry.
b. Analytical procedures.
c. Tests of details of transactions.
d. Management representations.
183

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
15. Which of the following statements best illustrates a strategy auditors can use when responding to fraud risks?
(Page 175)
a. Overall responses are only necessary if fraud risk is deemed high. [This answer is incorrect. Generally,
overall procedures are used to address fraud risks that are pervasive to the financial statements. Certain
overall responses will be required in every audit, as there will always be at least one identified fraud
risk risk of management override of controls.]
b. Tests of controls alone can reduce fraud risk to acceptably low levels. [This answer is incorrect. Generally,
this will not be the case, as management could override controls. Substantive procedures should be used
in addition to tests of controls.]
c. Specific responses vary based on the types of fraud risk identified and what they affect. [This
answer is correct. The combinations and types of fraud risk and the account balances, transaction
classes, and assertions that the fraud risk may affect can vary, so the specific responses will also
vary. Specific responses involve the nature, extent, and timing of auditing procedures.]
d. Increasing the extent of procedures is the most likely response to high fraud risk. [This answer is incorrect.
The more likely response might be to modify the nature of the audit procedures in the area of concern
instead of modifying the extent of the procedures.]
16. Which of the following specific responses to fraud risk changes the timing of the audit procedures? (Page 176)
a. Observe inventory at all locations at once. [This answer is correct. This response changes the timing
of the audit procedures. Another example would be to confirm receivables at year end instead of
at an interim date.]
b. Send confirmation requests to a specific party in an organization. [This answer is incorrect. This response
to fraud risk affects the nature of the audit procedure.]
c. Contact major suppliers, donors, or contributors orally. [This answer is incorrect. The nature of the audit
procedure would be changed if the auditor chose to use this specific response to fraud risk.]
d. Use computerassisted audit techniques to test the entire population. [This answer is incorrect. This
response would affect the extent if the audit procedure, not the timing.]
17. As part of her audit, Tabitha must examine her client's journal entries. In which of the following instances has
she acted appropriately? (Page 178)
a. Tabitha focuses her examination solely on journal entries that occur in the general ledger. [This answer is
incorrect. She should also study other adjustments, such as reclassifying or postclosing entries.]
b. Tabitha focuses her tests on journal entries made during the entity's highest grossing quarter. [This answer
is incorrect. Ordinarily, Tabitha should focus on entries made at year end or immediately following year
end.]
c. Tabitha places the greatest emphasis on entries subject to the client's normal internal controls. [This
answer is incorrect. She should put a greater emphasis on entries that are not subject to the client's normal
internal control process (e.g., postclosing or nonrecurring entries).]
d. Tabitha obtains an understanding of the financial reporting process and related controls. [This
answer is correct. Tabitha must have this understanding to accurately examine the journal entries.
184

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

The process of examining journal entries also includes selecting entries for testing and determining
the nature, timing, and extent she should use for the tests.]
18. During her examination of the general ledger accounts, Kim notices credit postings in expense accounts. What
unusual condition could these credits indicate? (Page 178)
a. Unexpected credits or debits. [This answer is correct. Another example of this unusual condition
would be debit postings in revenue accounts. Such unexpected credits or debits should alert Kim
that further investigation is warranted.]
b. Dollar amounts appear suspicious. [This answer is incorrect. An example of this condition would be entries
containing rounded numbers or numbers that end consistently.]
c. Unexpected posting source. [This answer is incorrect. Postings to revenue accounts from unusual sources
would be an example of this unusual condition.]
d. Unexpected combination of accounts. [This answer is incorrect. If Kim noticed a debit to a reserve and a
credit to revenue, she would have noticed an unexpected combination of accounts.]
19. Jordan must test the completeness assertion during his audit. What type of procedure would best allow him
to obtain direct evidence that the population of accounting data is complete? (Page 180)
a. Observation and inquiry. [This answer is incorrect. These procedures will give Jordan information about
the competence and integrity of employees, the control consciousness of management, and the condition
of the financial reporting system and the accounting records.]
b. Analytical procedures. [This answer is incorrect. Performing analytical procedures will give Jordan
information about the completeness and reasonableness of account balances and the totals of classes
of transactions.]
c. Tests of details of transactions. [This answer is correct. By performing tests of details of
transactions, Jordan can find direct evidence that a population of accounting data is complete. A
basic condition for performing effective tests of transactions is for the client to have some form of
formal financial reporting system.]
d. Management representations. [This answer is incorrect. These are not a substitute for other procedures,
but getting corroboration on the completeness of recorded transactions from management could
compliment Jordan's other audit procedures.]

185

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

TIMING OF SUBSTANTIVE PROCEDURES


As part of audit planning, an auditor can consider whether any substantive procedures should be applied before
the financial statement date. Generally, the most efficient approach for audits of small and midsize nonprofit
organizations is to perform the audit tests as of the financial statement date. However, the auditor may wish to
perform audit procedures before the financial statement date in the following situations:
 Convenience. If the auditor has several clients with the same year end, interim procedures may be used
to spread the auditor's workload more evenly.
 Deadline. If the client has a tight deadline for issuing its financial statements, the auditor may need to
perform some procedures at an interim date to meet that deadline.
 Issue Identification. Interim audit work allows the auditor to identify and address critical audit issues as soon
in the engagement as possible. Then the auditor and client can more easily deal with issues without
deadline pressures arising near year end, which in turn can enhance audit efficiency and client relations.
 Assessed Risks of Material Misstatement. Modifying the timing of substantive procedures is one response
to the assessed risks of material misstatement due to error or fraud. In general terms, the higher the
assessed risk of material misstatement, the more likely it is that the auditor will determine that it is more
effective (or necessary due to certain fraud risks) to perform substantive procedures near the period end.
However, as the assessed risks diminish, the auditor may determine that an appropriate response would
include the performance of certain substantive procedures at an interim date. Also, as SAS No. 99 points
out (AU 316.52), a response to some identified fraud risks, such as fraudulent revenue recognition, might
be to apply substantive procedures to transactions occurring earlier in or throughout the reporting period.
SAS Nos. 99 and 110 also suggests that an overall response to identified risks might be to add an element
of unpredictability in the timing of audit procedures from year to year, such as by performing tests at a time
other than that expected.
Many auditors find that the benefits of interim audit procedures outweigh the disadvantages. In many cases, there
is simply no way to meet the audit firm's and clients' needs without some interim work. Thus, the issue often
becomes not whether to do interim work but how to do it to maximize audit efficiency and effectiveness.
There are generally two types of substantive procedures that may be performed before the statement of financial
position date
a. Flexible Timing Procedures. Flexible timing substantive procedures can be applied at any time, including
an interim date. These procedures generally consist of examining transactions or gathering information
without attempting to reach a conclusion about an entire account balance as of an interim date. The
procedures can be performed through an interim date and later extended to the statement of financial
position date. The auditor can then reach one conclusion covering the balance for the entire year. Examples
of such procedures include:
(1) Tests of transactions in statement of financial position accounts with a low turnover or activity rate,
such as property, longterm debt, lease obligations, or investments.
(2) Tests of transactions that affect revenues and expenses.
(3) Analytical procedures for revenues and expenses.
b. Interim Audit Procedures. Interim audit procedures are performed to arrive at a conclusion about an
account balance as of an interim date. Additional procedures are then performed to extend the interim
conclusion to the statement of financial position date.
Interim audit procedures involve additional considerations, which are discussed in the following paragraphs.
Interim Audit Procedures
Evaluating the Practicality of Performing Interim Audit Procedures. When evaluating whether it is practical to
perform interim audit procedures, the auditor should consider the following factors:
a. Feasibility. SAS No. 110 (AU 318.17) lists several factors that should be considered before applying
substantive procedures at an interim date. Also, there are practical considerations such as the availability
186

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

of sufficient information to effectively test the remaining period (that is, the period from the interim date to
the statement of financial position date).
b. Efficiency. Interim tests of details of asset and liability account balances may not be costeffective unless
substantive procedures covering the remaining period can be restricted. If testing of the remaining period
cannot be restricted, the auditor may have to reperform the interim procedures as of the statement of
financial position date, which could result in a substantial increase in audit time and cost.
Choosing an Interim Date. When interim audit procedures are performed, the risk that misstatement may exist in
the related audit area and not be detected by the auditor generally increases as the length of the remaining period
increases. Thus, the selection of an interim date (which determines the length of the remaining period) can
significantly affect the nature and extent of audit procedures for the remaining period. SAS No. 110 does not
specifically address selection of interim audit dates. Many auditors believe that the interim date should not be more
than three months before the statement of financial position date. Generally, an interim date of one month before
the statement of financial position date is preferable. However, the ultimate choice of interim dates is a matter of
auditor judgment based on the circumstances.
Audit Risk Considerations. When interim audit procedures are performed, there is a risk that the conclusions
reached at the interim date are not extended properly to the statement of financial position date. This remaining
period risk tends to rise with increases in the following factors:
 Assessed risk of material misstatement from either error or fraud.
 Length of the remaining period (that is, the period from the interim date to the statement of financial position
date).
Generally, the greater the remaining period risk, the greater the assurance needed from tests of the remaining
period. For example, if the remaining period risk is low, the auditor can generally test the remaining period through
limited analytical procedures. However, if the remaining period risk is high, the auditor would generally need to
apply more reliable procedures, such as tests of details. In some highrisk cases, the auditor might even need to
reapply some of the interim procedures to yearend balances. When deciding whether to perform substantive
procedures at an interim period, the auditor should consider whether the tests that would be performed for the
remaining period will adequately reduce the risk that misstatements that exist at period end are not detected.
Account Considerations. The characteristics of the accounts should be considered in deciding whether it is
practical to audit an area or assertion at an interim date. For some account assertions, it may be more effective
and/or efficient to perform the substantive testing at period end. In many cases, especially when substantive
analytical procedures will be applied for the remaining period, the accounts that are best suited to interim testing
have predictable balances and consistent activity levels. This makes it easier to develop more precise estimates of
ending balances. Also, the accounts should be regularly analyzed and adjusted and subjected to appropriate
cutoff procedures. It is inefficient to test an account before the client has attempted to accurately determine what
the balance should be.
Financial Reporting System Considerations. The auditor should also consider the financial reporting system
when selecting audit areas for interim testing. The system for the area to be tested should be capable of generating
sufficient reliable data to allow the auditor to apply the planned procedures.
Testing the Remaining Period. The auditor should perform sufficient tests of the remaining period to extend the
conclusion from the interim date to the statement of financial position date. SAS No. 110 (AU 318.59) states that
although the auditor is not required to test controls to have a reasonable basis for extending audit conclusions from
an interim date to the period end, the auditor should consider whether performing only substantive procedures to
cover the remaining period is sufficient. If the auditor concludes that substantive procedures alone would not be
sufficient to cover the remaining period, the auditor should perform tests of controls or should perform substantive
procedures as of the period end. If, on the other hand, the auditor decides that substantive procedures for the
remaining period will be sufficient, SAS No. 110 states that those tests should include
a. Comparison or reconciliation of information regarding the balance at the interim date with corresponding
information at the statement of financial position date (and investigation of unusual amounts).
b. Analytical procedures and/or tests of details.
187

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

The auditor should determine the specific procedures to be performed based on the assessed risk associated with
the remaining period. Tests of details should be used instead of (or in addition to) analytical procedures as
considered necessary to obtain sufficient audit evidence.
Procedures performed to test the remaining period should be documented in the workpapers. For example, if
performing a test of details for activity in accounts payable between the interim date and the yearend date, the
workpapers should describe the procedures performed to test purchases, cash disbursements, and other transac
tions during the rollforward period.
Evaluating Audit Results. As discussed previously, when interim audit procedures are performed, the auditor
forms a conclusion at an interim date and then extends that conclusion to the statement of financial position date.
If interim procedures reveal misstatements, SAS No. 110 indicates that the auditor should assess the risk of
misstatement related to those classes of transactions or account balances. Depending on that assessment, the
auditor may be required to either (a) modify the nature, timing, or extent of tests of the remaining period or (b)
reperform or extend the interim procedures at year end. The assessment should be based on consideration of the
following factors:
 The possible implications of the nature and cause of the misstatements detected at the interim date.
 The possible relationship to other areas of the audit.
 The correcting entries subsequently recorded by the client.
 The results of audit procedures relating to the remaining period, especially those that might provide
evidence regarding possible misstatements.

RISK ASSESSMENT STANDARDS SUBSTANTIVE PROCEDURES


REQUIREMENTS
The risk assessment standards made sweeping changes to generally accepted auditing standards. The following
are new requirements under the risk assessment standards related to substantive procedures:
 Regardless of the assessed risk of material misstatement, the auditor should perform substantive
procedures for all relevant assertions related to each material class of transactions, account balance, and
disclosure.
 The following substantive procedures should be performed in every audit:
 Agree the financial statements, including the accompanying notes, to the underlying accounting
records.
 Examine material journal entries and other adjustments made during the course of preparing the
financial statements.
 When an assessed risk of material misstatement at the relevant assertion level is a significant risk, the
auditor should perform substantive procedures that are specifically responsive to that risk.
 When the audit approach to significant risks consists only of substantive procedures (the auditor does not
plan to rely on controls), the substantive procedures should be tests of details only or a combination of tests
of details and substantive analytical procedures, that is, the use of only substantive analytical procedures
is not permitted.
 The auditor should document:
 The nature, timing, and extent of substantive procedures.
 The linkage of substantive procedures with the assessed risks at the relevant assertion level.
 The results of substantive procedures.

188

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
20. Joseph must evaluate whether it is practical for him to perform interim audit procedures rather than to perform
all procedures at year end. What two factors are the most important to evaluate?
a. Feasibility and efficiency.
b. Convenience and issue identification.
c. Deadline and risk of material misstatement.
d. The interim date and the nature of audit procedures.
21. After evaluating the situation and determining that it is practical, Andrea decides to perform some of her auditing
procedures at an interim date. What must she do after she has completed the interim audit procedures?
a. Consider her client's financial reporting system.
b. Determine if any flexible timing procedures are also necessary.
c. Form a conclusion that will be extended to the statement of financial position date.

189

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
20. Joseph must evaluate whether it is practical for him to perform interim audit procedures rather than to perform
all procedures at year end. What two factors are the most important to evaluate? (Page 186)
a. Feasibility and efficiency. [This answer is correct. To evaluate the feasibility of using interim
procedures, Joseph must look at several factors listed in SAS No. 110, as well as practical
considerations, such as availability of information in the remaining period. To evaluate efficiency,
Joseph must determine if substantive procedures covering the remaining period can be restricted,
because performing audit procedures again at the statement of financial position date increases
audit time and cost.]
b. Convenience and issue identification. [This answer is incorrect. These are two situations in which
performing interim audit procedures could be desirable. If Joseph has several clients with the same year
end or would like to be able to identify and address critical audit issues as soon as possible, he might wish
to perform interim audit procedures.]
c. Deadline and risk of material misstatement. [This answer is incorrect. In these two situations, performing
interim audit procedures could be desirable. For example, if Joseph's audit client has a tight deadline for
issuing its financial statements or if the risks of material misstatement are deemed low, interim audit
procedures could be desirable.]
d. The interim date and the nature of audit procedures. [This answer is incorrect. These are not the factors
Joseph must evaluate before deciding to perform interim audit procedures. However, choosing an interim
audit date is important once Joseph has decided to perform the interim audit procedures, as the interim
date determines the length of the remaining period and will affect the nature and extent of audit procedures
for the remaining period.]
21. After evaluating the situation and determining that it is practical, Andrea decides to perform some of her auditing
procedures at an interim date. What must she do after she has completed the interim audit procedures?
(Page 188)
a. Consider her client's financial reporting system. [This answer is incorrect. Andrea should have done this
before she performed her interim audit procedures.]
b. Determine if any flexible timing procedures are also necessary. [This answer is incorrect. Flexible timing
procedures can be performed at any time, including an interim date. They are not required to be performed
after interim audit procedures.]
c. Form a conclusion that will be extended to the statement of financial position date. [This answer is
correct. Andrea must evaluate the audit results of her interim procedures by forming a conclusion
at the interim date and then extending that conclusion to the statement of financial position date.
Additional procedures may be necessary if Andrea's interim procedures revealed any misstate
ments.]

190

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

EXAMINATION FOR CPE CREDIT


Lesson 1 (NPOTG092)
Determine the best answer for each question below. Then mark your answer choice on the Examination for CPE
Credit Answer Sheet located in the back of this workbook or by logging onto the Online Grading System.
1. After performing risk assessment procedures and tests of controls on an assertion related to her nonprofit audit
client's accounts receivable balance, Mary concludes that risk of material misstatement is low. How should
Mary proceed with this audit?
a. Because the risk of material misstatement is low, Mary can choose to proceed with the audit without
performing substantive procedures.
b. If management agrees with Mary's assessment that risk of material misstatement is low, Mary can choose
to proceed with the audit without performing substantive procedures.
c. Because the risk of material misstatement is low, authoritative literature states that Mary is required to
continue with the audit without performing substantive procedures.
d. Despite Mary's judgment on the risk of material misstatement, authoritative literature requires her to
perform certain substantive procedures in every audit.
2. Match the following required substantive procedures with the relevant piece of authoritative literature.
1. Agree financial statements to underlying
accounting records.

i. SAS No. 99

2. Review accounting estimates for biases


that could result in material misstatement
due to fraud.

ii. SAS No. 110

3. Examine journal entries and other adjust


ments for evidence of possible material
misstatement due to fraud.
4. Examine material journal entries and other
adjustments made during financial state
ment preparation.
a. 1 ii; 2 i; 3 i; 4 ii.
b. 1 i; 2 ii; 3 i; 4 ii.
c. 1 i; 2 i; 3 ii; 4 i.
d. 1 ii; 2 i; 3 ii; 4 ii.
3. In the context of SAS No. 106, what is the sufficiency of audit evidence that an auditor must consider when
choosing additional substantive procedures?
a. Quality.
b. Quantity.
c. Appropriateness.
d. Reliability.
191

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

4. In which of the following scenarios has the auditor dealt with additional substantive procedures in the best way?
a. Leo tests his client's property accounts by applying procedures to the account balances.
b. Carlos focuses his planning of additional substantive procedures on the timing.
c. Mick performs predictive tests to test the completeness of a financial statement assertion.
d. Howie assesses estimated amounts for inventory costing to test existence.
5. When would substantive analytical procedures alone (without tests of details) be most appropriate for the
audit?
a. The risk of material misstatement due to fraud is high.
b. The account balance is affected by a significant degree of subjectivity.
c. The disclosure relates to a large volume of predictable transactions.
d. Substantive analytical procedures are more cost effective than tests of details.
6. Which of the following statements correctly describes tests of details?
a. Tests of details can only be applied to transactions or balances, but not both.
b. Tests of balances are usually more efficient and effective than tests of transactions.
c. Documentation for tests of significant items should identify items by date and specific number.
d. Performing tests of controls eliminates the need for tests of details.
7. Tom needs to enhance his understanding of his audit client's business and identify unexpected relationships
(or the absence of expected relationships) among account balances. What type of analytical procedures
should he use?
a. Preliminary.
b. Substantive.
c. Overall review.
d. Tom can use professional judgment to select analytical procedures from all three types.
8. Sandy accepts an audit engagement and determines that substantive analytical procedures are necessary.
What would be the most productive first step for Sandy to take toward designing those procedures?
a. Compare her client to other similar nonprofits to see if the client has any significant variations from the
industry average.
b. Talk to operating personnel outside the accounting department, such as the director of fundraising.
c. Review prior budgets and find information about how management follows up on variances from the plan.
d. Ask her client's management what ratios, relationships, and data it finds useful in identifying and
monitoring risk.

192

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

9. Which of the following best describes substantive analytical procedures?


a. They can be used to test for overstatements and understatements simultaneously.
b. They cannot be used for fraud detection.
c. They are less useful when misstatement risk is primarily from error.
d. They focus on a single direction overstatement or understatement.
10. Jules Lynn is auditing the special event revenue of Best Life Org (BLO). BLO sponsors a blue grass contest
somewhere in the tricounty area every 3rd Sunday of every month. The participants receive a tshirt and the
winners receive inexpensive trophies. All funds raised are used to sponsor special needs kids' summer camp
fees. In 2009 there were approximately 365 entries. Entry fees were $250 if paid 30 days in advance, $275 if
paid 2 weeks in advance and $300 if paid the day of the contest. Approximately 30% of the entrants paid their
fees 30 days in advance; and 55% paid their fees 2 weeks in advance. The annual revenue recorded from this
special event was $105,050. Total 2009 BLO revenue was approximately $5,000,000. Due to the high turnover
in the accounting department, Jules assessed the risk of material misstatement with this special event as high.
Which of the tests below would Jules find most reasonable?
a. Total blue grass contest revenue of $105,050 divided by 365 entries = $287.81.
b. (Total blue grass entrants of 365 times 30% times $250) plus (365 times 55% times $275) plus (365 times
15% times $300) = $99,006.25.
c. Revenue from each of the twelve contests should be calculated and reviewed.
d. Even though special event revenue is deemed immaterial for the organization, Jules can not conclude that
the revenue is materially correct without comparing entry fees to 2008 to assure reasonableness.
11. Substantive analytical procedures can help auditors discern if their client is affected by management fraud or
cooking the books. If analytical procedures produced the results listed below, which one indicates the highest
risk of fraud?
a. Unusual pattern of revenue from annual special events by year found during trend analysis.
b. Low contributions for a year in which there was a downturn in the economy.
c. A large amount of revenue from fund raising campaign at end of reporting period.
d. Statistics maintained by development department consistent with recorded contribution revenue.
12. June's firm has her engagement team shift work for a particular audit to interim dates. What is an advantage
of this shift?
a. Identification of issues or problems could be delayed until the statement of financial position date.
b. More rollforward procedures will be necessary to complete the audit.
c. June can work with a smaller engagement team, allowing her more familiarity with the client.
d. Analytical procedures will not need to be used because the work is spread out over a longer time.

193

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

13. During the course of his audit, Hal discovers several differences between his client's recorded amounts and
Hal's expectations of what those amounts should be. Which of the following is a rule of thumb Hal can use to
determine if those differences are significant enough to require additional audit procedures?
a. Investigate differences greater than 10% to onethird of tolerable misstatement.
b. Investigate differences greater than 20% to onethird of tolerable misstatement.
c. Investigate differences greater than 25% of tolerable misstatement.
d. Because each audit is different, there is no magic rule of thumb. Hal must investigate all differences.
14. List all of the following that must be documented under SAS No. 56 if an analytical procedure is the principal
substantive test of a significant financial statement assertion.
i.
ii.
iii.
iv.

Prioryear workpapers and budget.


The expectation and factors used in its development.
Results from comparing recorded amounts to the expectation.
Information on the auditor's approach to evaluating the significance of any
differences between the expectation and recorded amounts.
v. Any additional procedures performed to address significant differences and
results of the procedures.

a. ii and iii.
b. ii, iii, and v.
c. i, ii, iii, and iv.
d. i, ii, iii, iv, and v.
15. In what instance does SAS No. 110 condone using audit evidence from substantive procedures performed in
a prior audit?
a. When the auditor's expectation amounts are the same as in the prior audit.
b. When the tolerable misstatement amount has not been exceeded.
c. When the auditor determines there is no risk of material misstatement due to fraud.
d. When the purchase cost of a building or building addition is substantiated.
16. Maggie's audit client keeps a large stock of valuable items on hand which are small enough to be easily stolen.
This makes the client's assets particularly susceptible to misappropriation. Which of the following procedures
would be specifically targeted to respond to this fraud risk?
a. Physically inspecting the assets at year end.
b. Obtaining information from independent sources.
c. Increasing sample sizes.
d. Engaging a specialist to perform additional procedures.

194

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

17. James is auditing CalPlus, a small business. After considering the controls and the risk that any fraudulent
disbursements would be material to the company's financial statements, James decides an additional audit
response is required. Which of the following procedures could he consider?
i. Reviewing selected disbursements for unusual endorsements, signatures, or
payees.
ii. Examine the company's journal entries and other adjustments.
iii. Performing paymaster procedures (such as observing the distribution of
payroll checks).
iv. Review accounting estimates for bias.
v. Reviewing vendor lists for any unusual patterns.
vi. Determine the propriety of functional expense allocation by performing
analytical procedures.
a. iv and vi.
b. iii and iv.
c. i, ii, and v.
d. i, iii, v, and vi.
18. As required by SAS No. 99, John must evaluate the business rationale behind several of his audit client's
significant unusual transactions. Which of the following is one thing that he should consider during this
evaluation?
a. Whether responses to identified fraud risks have been documented.
b. Whether parties to the transaction lack substance.
c. Whether estimates in the financial statements indicate management bias.
d. Whether the trial balance agrees with the company's general ledger.
19. As part of his audit, Henry must test the completeness assertion. There are basic categories of procedures
Henry can use to perform these tests. Which of these procedures performed by Henry would fall into the
analytical procedures category?
a. Inspecting assets on hand and comparing them with recorded amounts.
b. Comparing industry averages for expense to sales ratios.
c. Performing tests of the sequence of prenumbered documents.
d. Obtaining written representations of completeness from management.
20. Which of the following would be considered a flexible timing procedure, as opposed to an interim audit
procedure?
a. Confirmation of accounts receivable.
b. Inventory observation.
c. Inventory price testing.
d. Tests of transactions for revenues and expenses.
195

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

21. Nikki performs interim audit procedures during the course of her audit. She then decides that substantive tests
of the remaining period will be sufficient to complete the audit. Under SAS No. 110, what should she include
in her tests of the remaining period?
a. Analytical procedures and/or tests of details.
b. Verification of the balance as of the interim date.
c. An evaluation of the accounts involved in the interim procedures.
d. An assessment of the audit risk for the remaining period.

196

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Lesson 2:AUDIT SAMPLING IN A NONPROFIT


ORGANIZATION AUDIT ENGAGEMENT
INTRODUCTION
This lesson explains the use of audit sampling in a nonprofit organization audit engagement. It identifies those
aspects of such an engagement that involve the use of audit sampling and the most efficient and effective approach
to sampling in those circumstances. It also explains an alternative to sampling determining the extent of an audit
test without sampling that may be more efficient and effective in certain circumstances.
Learning Objectives:
Completion of this lesson will enable you to:
 Describe the authoritative literature and general considerations related to sampling in an audit engagement.
 Plan the extent of substantive procedures needed for an audit.
 Summarize the requirements of substantive samples.
 Describe sampling for substantive tests of details.
 Assess tests of controls that use audit sampling, and assess tests of compliance with laws and regulations.
Authoritative Literature
The authoritative pronouncements that establish requirements or provide suggestions that most directly affect the
use of audit sampling are as follows:
 SAS No.39 (AU 350), Audit Sampling, as amended by SAS No. 111, establishes several specific
requirements that apply whenever an auditor uses audit sampling statistical or nonstatistical.
 AICPA Audit and Accounting Guide, Audit Sampling, (referred to in this lesson as the AICPA Sampling
Guide") explains how to apply SAS No.39. The AICPA Sampling Guide is an interpretive publication under
the GAAS hierarchy outlined in SAS No.95, Generally Accepted Auditing Standards. Auditors are required
to consider interpretive publications when conducting the audit. If the guidance in the AICPA Sampling
Guide is not applied, auditors should be prepared to explain how they complied with the provisions of SAS
No.39. The AICPA Sampling Guide currently does not include guidance from SAS No. 111 and the other
risk assessment standards.
SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling, incorporates guidance from
SAS No. 99, Consideration of Fraud in a Financial Statement Audit, and SAS No. 110, Performing Audit Procedures
in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, and expands guidance involving the
auditor's judgment in establishing tolerable misstatement and applying sampling to tests of controls in SAS No. 39.
In addition, SAS No. 107, Audit Risk and Materiality in Conducting an Audit, includes guidance formerly included in
the Appendix to SAS No. 39.
Single Audit Literature. If the nonprofit organization is required to have an audit in accordance with the Single
Audit Act, the auditor may also wish to refer to the following documents:
 OMB Circular A133, Audits of States, Local Governments, and NonProfit Organizations.
 AICPA Audit Guide, Government Auditing Standards and Circular A133 Audits (the GAS/A133 AICPA Audit
Guide).
Definition and Uses of Audit Sampling
Audit sampling is defined by SAS No.39 (AU 350.01) as:
the application of an audit procedure to less than 100 percent of the items within an account
balance or class of transactions for the purpose of evaluating some characteristic of the balance
or class.
197

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

This definition is important in the selection of audit procedures. Some audit procedures are not sampling by this
definition, including the following:
 Application of an audit procedure limited to a specific group of items within a balance or class of
transactions that have a distinct characteristic, such as all fixed asset additions over $5,000.
 Examining a few transactions within a balance or class of transactions to obtain an understanding of the
nature of the client's activities.
 Applying an audit procedure to a few transactions to clarify the understanding of the design of the
organization's internal control.
The important difference in these three examples is that the purpose of the test is not to reach a conclusion that
applies to the entire balance or class of transactions. In each of these cases, authoritative pronouncements on
sampling would not apply to the test performed.
The definition of audit sampling in SAS No.39 (AU 350.01) allows some alternatives to sampling in deciding the
extent of procedures. This is important since it may allow the auditor to apply procedures in a more efficient manner.
If audit sampling is used, SAS No.39 imposes certain requirements. The key to distinguishing audit sampling from
other audit approaches for the types of audit tests that might possibly involve sampling is as follows:
A test that involves application of procedures to less than 100 percent of the items in the
population but that does not involve projecting the results to the entire account balance or class
of transactions is not audit sampling.
However, the auditor cannot ignore the requirements of SAS No.39 by arbitrarily failing to project the results of a
sample.
Thus, when the auditor evaluates some aspect of an entire account balance or transaction class on the basis of
examining less than 100% of the population, the auditor must follow the requirements of SAS No.39 and project the
test results.
Relation of Types of Audit Procedures to Audit Sampling
In a nonprofit organization engagement, four distinct types of audit procedures may involve the use of audit
sampling as follows:
 Substantive tests of details of account balances.
 Substantive tests of details of transactions.
 Tests of controls directed toward operating effectiveness.
 Tests of compliance with laws and regulations.
Exhibit 21 presents common examples of audit sampling applications for these types of audit procedures. The
examples in Exhibit 21 assume the auditor has decided that sampling is necessary. In some cases, the auditor may
be able to design an efficient and effective approach without sampling.
Exhibit 21
Audit Sampling Applications
Common Examples in Nonprofit
Organization Engagements

Type of Audit Procedures


Substantive Tests of Account Balances

 Confirmation of service fee receivables.

Substantive Tests of Transactions

 Vouching cash disbursements for goods and


services.
198

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Common Examples in Nonprofit


Organization Engagements

Type of Audit Procedures


Tests of Controls

 Inspecting documents supporting transactions


selected for substantive tests for indications of
performance of control activities.

Tests of Compliance with Laws and Regulations

 Inspecting documents supporting expenses


charged to grant programs for compliance with
laws and regulations.

Substantive Tests of Account Balances. The auditor's objective in using a substantive test of a general ledger
account balance is to decide whether the balance is materially misstated. Audit sampling is usually necessary in
applying a substantive test of an account balance when the balance is composed of a large number of items and
the remaining balance, after identifying individually significant items, exceeds tolerable misstatement. In a nonprofit
organization engagement, examples of this type of test are confirmation of service fee receivables or unconditional
promises to give with donors.
Substantive Tests of Transactions. The auditor's objective in using a substantive test of transactions is to decide
whether the total of a transaction class presented in an activity statement is materially misstated. The auditor
inspects documents supporting recorded transactions to determine whether the transactions are valid and valued
and coded properly, that is, recorded correctly as to account, amount, program, function, and period. Tests of
transactions are often unnecessary in a nonprofit organization audit if the statement of activities does not present
unnecessary detail or if alternatives such as effective analytical procedures can be applied to transaction classes.
However, in some nonprofit organization engagements, this type of test may be a common audit sampling
application. It can be used for most types of expenses, such as payroll or goods and services.
Tests of Controls. Risk assessment procedures performed to obtain an understanding of internal control do not
involve sampling. Also, sampling concepts might not apply to the following types of tests of controls:
 Analyses of controls for determining the appropriate segregation of duties or other analyses that do not
examine documentary evidence of performance.
 Analyses of the effectiveness of security and access controls.
 Tests directed toward obtaining audit evidence about the operation of the control environment, for example,
inquiry or observation of the explanation of variances from budgets when the auditor does not plan to
estimate the rate of deviation from the prescribed control.
 Examining actions of those charged with governance for assessing their effectiveness, for example,
evaluating whether the audit committee is appropriately involved in the financial reporting process. (SAS
No. 39, as amended, AU 350.32)
Generally, the use of audit sampling for tests of controls will be efficient and effective in the following circumstances
(SAS No. 110, AU 318.46):
 The control is applied on a transaction basis, for example, matching approved purchase orders to supplier
invoices.
 The control operates frequently and the population is relatively large.
In these circumstances, the auditor can select a sample of transactions and reperform the related control activities
to see whether compliance with the control procedures is acceptable. According to SAS No. 39, as amended (AU
350.32), sampling applies when the auditor needs to decide whether the rate of deviation from a prescribed
procedure is no greater than the tolerable rate, for example, in testing a matching process or an approval process."
199

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

When the control operates infrequently or the population is not relatively large, additional consideration needs to be
given to the use of audit sampling.
In a nonprofit organization engagement, the need to use tests of controls depends on whether (a) the auditor's risk
assessment includes an expectation of the operating effectiveness of controls or (b) substantive procedures alone
do not provide sufficient appropriate evidence at the relevant assertion level. However, not all tests of controls
involve audit sampling.
Tests of Compliance with Laws and Regulations. This type of test is used in audits of governmental units,
nonprofit organizations, and certain business enterprises, such as vocational schools, that receive funds from
government agencies for services provided to eligible recipients. The purpose of tests of compliance with laws and
regulations is to determine whether there have been instances of noncompliance that may have a material effect on
the financial statements or to provide a basis of reporting on the nonprofit organization's compliance with such laws
and regulations. As a result, tests of compliance with laws and regulations are substantive procedures usually
accomplished by examining supporting documentation. In a Single Audit, or in the audit of a nonprofit organization
with other significant grant or similar programs, this type of audit procedure is frequently applied using audit
sampling. The auditor usually selects a sample of revenue or expenditure transactions and inspects supporting
documentation to determine compliance with relevant laws and regulations. For example, the auditor selects a
sample of expenditures charged to a federal award program and inspects documentation to determine whether
expenditures were for activities allowed. The most efficient approach is usually to conduct these procedures
simultaneously with tests of transactions, that is, concurrently with selecting samples of cash receipts or disburse
ments to test recording accuracy.

200

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
22. Which of the following pieces of authoritative literature directly addresses audits of nonprofit organizations?
a. OMB Circular A133.
b. SAS No. 39.
c. SAS No. 111.
d. AICPA Sampling Guide.
23. Jane needs to decide whether her audit client's general ledger account is materially misstated. Which of the
following should she use?
a. Substantive tests of details of account balances.
b. Substantive tests of details of transactions.
c. Tests of controls directed toward the operation of the control environment.
d. Examination of the actions of those charged with governance.

201

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
22. Which of the following pieces of authoritative literature directly addresses audits of nonprofit organizations?
(Page 197)
a. OMB Circular A133. [This answer is correct. This guidance is titled Audits of States, Local
Governments, and NonProfit Organizations.]
b. SAS No. 39. [This answer is incorrect. SAS No. 39, Audit Sampling, lists requirements for audit sampling
for all entities.]
c. SAS No. 111. [This answer is incorrect. SAS No. 111, Amendment to Statement on Auditing Standards No.
39, Audit Sampling, is one of the risk assessment standards providing new guidance on audit sampling
to all entities.]
d. AICPA Sampling Guide. [This answer is incorrect. The AICPA Sampling Guide interprets SAS No. 39 and
explains the application of SAS No. 39.]
23. Jane needs to decide whether her audit client's general ledger account is materially misstated. Which of the
following should she use? (Page 199)
a. Substantive tests of details of account balances. [This answer is correct. Jane will normally need
to use audit sampling when applying a substantive test of an account balance if the balance is made
up of a large number of items and if the balance remaining after individually significant items are
identified exceeds tolerable misstatement.]
b. Substantive tests of details of transactions. [This answer is incorrect. If Jane performed this type of test,
her objective would be to decide whether the total of one of her client's transaction classes is materially
misstated.]
c. Tests of controls directed toward the operation of the control environment. [This answer is incorrect. This
is not appropriate for Jane's purposes; however, if she were to perform these tests, she would not use audit
sampling.]
d. Examination of the actions of those charged with governance. [This answer is incorrect. This would allow
Jane to assess the effectiveness of those charged with governance, and is one type of tests of controls in
which audit sampling concepts generally would not apply. However, this is not what Jane should do in this
scenario.]

202

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

DEVISING A PLAN TO DETERMINE THE EXTENT OF SUBSTANTIVE


PROCEDURES
In general, SAS No. 110 (AU 318) indicates that the extent of further audit procedures is a matter of auditor
judgement based consideration of tolerable misstatement, the assessed risk of material misstatement, and the
degree of assurance required. As the risk of material misstatement increases, the extent of substantive procedures
also increases.
Substantive procedures consist of tests of details and substantive analytical procedures. The extent of a substan
tive analytical procedure is primarily a function of the precision of the auditor's expectation. Determining the extent
of substantive procedures when the auditor performs substantive tests of details is addressed here.
Use of audit sampling is more common in a nonprofit organization engagement than in the audit of a business
enterprise of similar size. However, because of the increased cost associated with using sampling, it is important for
the auditor to consider the effectiveness of alternative approaches before concluding that sampling is necessary.
Exhibit 22 shows a practical approach for planning the extent of substantive procedures involving tests of details
for a nonprofit organization. The following paragraphs discuss the auditor's considerations in applying that
approach.
Exhibit 22
Planning the Extent of Substantive Procedures Involving Tests of Details
Step Description

Result

1. Assess the appropriate level of tolerable


misstatement.

Tolerable misstatement (as a rule of thumb, use 50% to


75% of planning materiality).

2. Determine an amount for individually


significant dollar items.

Any amount less than tolerable misstatement may be


used (as a rule of thumb, use onethird of tolerable
misstatement).

3. Identify unusual items.

Identification of additional items to be tested 100%.

4. Calculate the remaining balance after


selecting individually significant items
(Steps 2 and 3).

Calculated amount.

5. Determine what procedures, if any, are


needed to test the remaining balance.

Procedures, if any, needed to test remaining balance.

STEP 1Assessing the Appropriate Level of Tolerable Misstatement


As a rule of thumb, when relatively few misstatements are expected and past experience indicates management will
likely correct those detected, tolerable misstatement may be determined as 50% to 75% of planning materiality.
STEP 2Determining an Amount for Individually Significant Dollar Items
The term individually significant items encompasses two types of items in a financial statement component
a. Individually significant dollar items.
b. Unusual items (that is, items that have audit significance by their nature).
In determining the extent of substantive procedures involving tests of details, the auditor should first select an
amount for individually significant dollar items and then consider any unusual items.
203

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Generally, when performing tests of details, the auditor should at least examine all items that equal or exceed
tolerable misstatement. Accordingly, the cutoff amount for determining individually significant dollar items cannot
exceed tolerable misstatement. As a rule of thumb, the auditor may use onethird of tolerable misstatement as the
cutoff for individually significant dollar items. However, the auditor may choose any amount less than tolerable
misstatement to limit the remaining balance to an amount that will reduce the risk of material misstatement to an
acceptable level.
STEP 3Identifying Unusual Items
An item also may be individually significant if, because of its nature, it is prone to misstatement or otherwise
requires audit attention. The lesson refers to these items as unusual items.
Examples might include related party transactions and negative receivable balances. It is important for auditors to
look for unusual items whenever a test of details is performed. Unusual items may be identified based on:
 Prior experience.
 Results of analytical procedures.
 Unusual characteristics.
Prior Experience. Based on historical experience with a client, an auditor may be aware of types of items that are
highly susceptible to misstatement. The audit may need to be structured to select items that have historically been
a problem and subject these items to individual examination. This approach can add efficiency by going directly to
the problem.
Results of Analytical Procedures. Welldesigned preliminary analytical procedures coupled with appropriate
expectations of plausible relationships can be extremely effective in identifying risks of material misstatement
during the risk assessment stage of the engagement. In the payroll area, an effective analytical procedure is to
compare current expenditures to prior period actual and current budget by department and relate to the number of
employees by department. In this manner, the auditor may eliminate the need to perform tests of details, or the
auditor may reduce the extent of payroll testing to departments with significant unexpected differences.
Unusual Characteristics. This category is by nature difficult to define because it includes virtually any characteris
tic that the auditor identifies as worth investigating, such as related party transactions or balances and unusual or
unfamiliar vendor names. In a nonprofit organization engagement, the auditor may regard a category of items as
unusual because of concern with compliance with laws, regulations, or donor or grantor restrictions. Exhibit 23
lists some common types of items that might be selected for individual examination due to their unusual nature:
Exhibit 23
Examples of Unusual Items
Audit Area

Unusual Items

Receivables







Large credit balances.


Very delinquent balances.
Customers whose names cause some significant question.
Large contributions recorded just prior to year end.
Balances with special terms outside the organization's normal
policy.

Property, Plant, and Equipment

 Additions that do not seem appropriate for the organization.


 Additions that involve capitalization of interest.

204

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Audit Area

Unusual Items

Accounts Payable

 Vendors whose names do not seem appropriate or could be


related parties.
 Large debit balances.
 Vendor accounts in dispute.
 Nonspecific accruals or broad, evendollar accruals for a vendor.

Expenses

 Expense entries that appear to be inappropriate.


 Expense amounts paid to possible related parties or potentially
inappropriate payees.

STEPS 4 and 5Considering the Remaining Balance


After the individually significant items have been selected, the remaining balance should be computed. The
remaining balance is calculated by subtracting the individually significant and unusual items from the total account
balance.
Comparing the Remaining Balance to Tolerable Misstatement. After computing the remaining balance, the
auditor should compare it to tolerable misstatement. Normally, the auditor will not need to apply additional audit
procedures to the remaining balance if it is less than tolerable misstatement. However, the decision of whether to
apply additional audit procedures to the remaining balance is a matter of professional judgment. Misstatements
detected in applying audit procedures to individually significant items may be so large or so numerous that the
auditor may decide to apply additional audit procedures to the remaining balance even if it is less than tolerable
misstatement.
Considering the Need to Apply Additional Audit Procedures to the Remaining Balance. If the remaining
balance exceeds tolerable misstatement, the auditor considers what procedures, if any, are needed to obtain
sufficient audit evidence concerning that balance. Generally, the following options should be considered:
a. Determining that no additional audit procedures are needed.
b. Performing analytical procedures.
c. Considering the contribution of other substantive procedures.
d. Applying audit sampling.
e. Expanding the audit procedures performed on individually significant items.
Exhibit 24 illustrates the thought process involved in considering these options. Each option is discussed sepa
rately in the following paragraphs. However, the auditor may use a combination of these options with respect to the
remaining balance.

205

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 24
Planning the Extent of Substantive Procedures Involving Tests of Details
Assess tolerable misstatement.

Identify individually significant items


(ISIs) and compute remaining
balance.

Yes

Is remaining balance less than


tolerable misstatement?

No
Yes

Has the risk of material misstate


ment of the remaining balance been
reduced to an acceptable level?

No
Do analytical procedures or other
substantive procedures contribute
sufficiently to meeting the
auditobjective?

Yes

No
Is sampling preferable for obtaining
audit evidence relevant to the
remaining balance?

Yes

No
Perform audit pro
cedures on ISIs
only.

Perform audit pro


cedures on ISIs and
sample remaining
balance.

Expand audit pro


cedures performed
on ISIs.

*
206

Perform audit procedures


on ISIs and perform ana
lytical procedures or other
substantive procedures on
the remaining balance.

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Determining That No Additional Audit Procedures Are Needed. The auditor may decide to perform no further audit
procedures on the remaining balance after considering the risk of material misstatement of the remaining balance.
In assessing the risk of material misstatement of the remaining balance, the auditor should consider the following
factors:
a. Characteristics of the Remaining Balance. The auditor may have some knowledge of the account based
on prior experience and other audit procedures performed, including audit procedures performed on
individually significant items. Using that knowledge, the auditor should consider the nature, size, and
frequency of misstatements necessary for the remaining balance to be materially misstated. For example,
if the auditor determines that the remaining balance is composed of many small dollar items and believes
there is a low rate of misstatements in the remaining balance, then it may be possible to assess the risk of
material misstatement of the remaining balance as low.
b. Risk of Material Misstatement of the Account. The risk of material misstatement of the remaining balance
is related to the risk of material misstatement of the entire account. However, those risks would not
necessarily be the same because (1)the remaining balance is smaller and (2)the auditor may be able to
separately identify items that are prone to misstatement and perform audit procedures on them individually.
Accordingly, the risk of material misstatement of the remaining balance may be lower than the risk for the
account.
As is the case at the account balance level, the higher the risk of material misstatement of the remaining balance,
the greater the assurance that is needed from substantive procedures. The auditor generally will need to perform
additional audit procedures unless the risk of material misstatement of the remaining balance is low.
Furthermore, even if the risk of material misstatement is low, it is generally advisable for the auditor to at least scan
the remaining balance for unusual items.
Performing Analytical Procedures. In many cases, analytical procedures can be both effective and efficient audit
procedures relevant to the remaining balance. In evaluating whether analytical procedures provide adequate
evidence with respect to the remaining balance, the auditor should consider the risk of material misstatement of the
remaining balance and the effectiveness of those analytical procedures.
Considering the Contribution of Other Substantive Procedures. Sometimes the auditor may plan to perform other
substantive procedures that contribute, either directly or indirectly, to the same audit objective as the test of details.
In such cases, the auditor may decide that the contribution of the other procedures, along with audit procedures
performed on individually significant items, adequately achieves the audit objectives for the account balance. For
example, for organizations with rapid collections of receivables, the auditor may be able to reduce the remaining
balance by examining subsequent cash receipts instead of confirming accounts in the remaining balance, assum
ing the risk of material misstatement is low. As when considering analytical procedures, the auditor should consider
the risk of material misstatement and the degree of effectiveness of the other substantive procedures.
Applying Audit Sampling. If the auditor decides that analytical procedures or other substantive procedures do not
provide sufficient appropriate audit evidence with respect to the remaining balance, then tests of details must be
applied to the remaining balance. Consequently, the auditor has two remaining options using audit sampling or
expanding the audit procedures performed on individually significant items. In choosing between those options,
the auditor should consider the following factors:
a. Number of Items in the Remaining Balance. If the remaining balance consists of numerous items (such as
200 items or more), sampling generally is more efficient. However, if the auditor can further reduce the
amount of the remaining balance by performing audit procedures on only a few of the larger items in the
remaining balance, then it is probably more efficient to perform audit procedures on those larger items
instead of sampling.
b. Expected Misstatement in the Remaining Balance. Generally, if the expected misstatement in the remaining
balance exceeds onethird of tolerable misstatement, sampling risk would be too high and sampling would
not be appropriate. However, it may be possible to isolate the items that are most prone to misstatement,
perform audit procedures on 100% of those items, and sample the remaining population.
207

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Assuming that sampling risk is at an acceptable level, the consideration is a matter of efficiency (that is, which
option results in applying audit procedures to the fewest items). For large populations of small dollar items,
sampling generally is more efficient.
Expanding the Audit Procedures Performed on Individually Significant Items. As discussed in the preceding
paragraph, the auditor should consider this option only after determining that:
a. tests of details are needed to obtain sufficient appropriate audit evidence concerning the remaining
balance, and
b. this option is preferable to sampling the remaining balance.
Expanding the audit procedures performed on individually significant items normally is accomplished by:
a. lowering the amount for individually significant dollar items and, possibly,
b. choosing additional unusual items.
Also, the auditor should consider the possibility of using analytical procedures or other substantive procedures to
reduce the assurance needed from tests of details.

208

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
24. Define unusual items as related to audit sampling and the data population.
a. Individually significant dollar items.
b. Items prone to misstatement or that otherwise require audit attention.
c. All items that equal or exceed tolerable misstatement.
25. Dwayne is conducting an audit. He assesses the tolerable misstatement and identifies individually significant
items. Then Dwayne computes the remaining balance, which is less than the tolerable misstatement. Refer to
the table at Exhibit 24, and determine what Dwayne should do next.
a. Perform audit procedures on the individually significant items only.
b. Expand audit procedures performed on the individually significant items.
c. Perform audit procedures on the individually significant items and sample the remaining balance.
d. Perform audit procedures on the individually significant items and perform analytical procedures or other
substantive procedures on the remaining balance.
26. In which of the following scenarios would audit sampling generally be the auditor's most appropriate response?
a. After Tom examines the individually significant items, the remaining balance consists of 250 items with
small dollar amounts.
b. Jessie assesses expected misstatement in the remaining balance as half of the tolerable misstatement
amount.
c. Clementine is performing an inventory count observation for a client that has a small inventory population.
d. Grayson is performing a test of disbursements during the course of an audit without a significant risk of
fraudulent disbursements.

209

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
24. Define unusual items as related to audit sampling and the data population. (Page 204)
a. Individually significant dollar items. [This answer is incorrect. Individually significant items fit into two
categories, unusual items and individually significant dollar items. When determining the amount of
substantive procedures needed for an audit, the auditor should first select an amount for the individually
significant dollar items and then consider any unusual items that might exist.]
b. Items prone to misstatement or that otherwise require audit attention. [This answer is correct. This
is the definition of unusual items. Some examples are negative customer receivable balances and
related party transactions.]
c. All items that equal or exceed tolerable misstatement. [This answer is incorrect. This is the minimum
amount of items that an auditor should examine in his or her engagement.]
25. Dwayne is conducting an audit. He assesses the tolerable misstatement and identifies individually significant
items. Then Dwayne computes the remaining balance, which is less than the tolerable misstatement. Refer to
the table at Page 206, and determine what Dwayne should do next. (Page 206)
a. Perform audit procedures on the individually significant items only. [This answer is correct. Because
the remaining balance is less than tolerable misstatement, Dwayne can perform audit procedures
on the individually significant procedures without performing further tests on the remaining
balance.]
b. Expand audit procedures performed on the individually significant items. [This answer is incorrect.
Dwayne would need to do this if the remaining balance was more than tolerable misstatement, the
percentage of coverage from individually significant items was inadequate (considering the risk of material
misstatement), analytical procedures (or other substantive procedures) did not contribute sufficiently to
meeting the audit objective, and sampling was not preferable for obtaining audit evidence based on the
remaining balance.]
c. Perform audit procedures on the individually significant items and sample the remaining balance. [This
answer is incorrect. If the remaining balance was greater than tolerable misstatement, the percentage of
coverage from individually significant items was not adequate (considering the risk of material
misstatement), analytical procedures (or other substantive procedures) did not contribute sufficiently to
meeting the audit objective, but sampling was the preferred method for obtaining audit evidence based
on the remaining balance, Dwayne would need to perform procedures on the individually significant items
as well as sample the remaining balance.]
d. Perform audit procedures on the individually significant items and perform analytical procedures or other
substantive procedures on the remaining balance. [This answer is incorrect. Dwayne would need to do
this if the remaining balance was more than tolerable misstatement, the percentage of coverage from
individually significant items was inadequate (considering the risk of material misstatement), and analytical
procedures (or other substantive procedures) sufficiently contributed to meeting the audit objective.]
26. In which of the following scenarios would audit sampling generally be the auditor's most appropriate response?
(Page 207)
a. After Tom examines the individually significant items, the remaining balance consists of 250 items
with small dollar amounts. [This answer is correct. Audit sampling would be the most efficient
approach when the remaining balance consists of numerous items (200 or more), especially if they
are small dollar items.]
210

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

b. Jessie assesses expected misstatement in the remaining balance as half of the tolerable misstatement
amount. [This answer is incorrect. In this case, the misstatement risk is too high for Jessie to use audit
sampling. She could consider it if the expected misstatement amount was less than onethird of tolerable
misstatement. However, if Jessie could isolate the items most prone to misstatement, she could test all of
those items and sample the remaining population.]
c. Clementine is performing an inventory count observation for a client that has a small inventory population.
[This answer is incorrect. Sampling is rarely used in this situation. To be susceptible to sampling,
Clementine's audit client would need to have a relatively large inventory population. Also, there are
conflicting views about whether sampling can effectively accomplish the objective of observation
procedures. Thus, it would be better for Clementine to choose other procedures for this audit.]
d. Grayson is performing a test of disbursements during the course of an audit without a significant risk of
fraudulent disbursements. [This answer is incorrect. Sampling disbursements would not be a very effective
or efficient audit approach for Grayson to use. Typically, a test of disbursements does not address the risks
of material misstatement as efficiently as other audit procedures.]

211

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

REQUIREMENTS THAT APPLY TO ALL SUBSTANTIVE SAMPLES


The two possible approaches to audit sampling are statistical and nonstatistical. SAS No.39 (AU 350.04) indicates
that both of these approaches are capable of producing sufficient appropriate audit evidence, if properly applied.
In fact, SAS 39 at AU 350.23 observes that, in general, when the same sampling parameters are applied, compara
ble sample sizes result from either approach. The types of procedures that the auditor applies are not determined
by the sampling approach used. Either approach may be used to apply whatever tests of details the auditor deems
necessary in the circumstances. The importance of professional judgment cannot be overemphasized as it applies
to the evaluation of the sufficiency of audit evidence generated by the sampling approach. Regardless of the
sampling approach selected, an auditor must properly plan, perform, and evaluate the results of the sample.
Professional judgment must be used to relate the sample results to other audit evidence when the auditor forms a
conclusion about a particular account balance or class of transactions.
Once an auditor decides to use audit sampling, attention is focused on which sampling approach (statistical or
nonstatistical) to use. Substantial information is available in SAS No.39, as amended by SAS No. 111, the AICPA
Sampling Guide, and other sources on the use of various statistical sampling approaches. This lesson emphasizes
using nonstatistical sampling but explains the relation of the nonstatistical methods discussed to statistical sam
pling.
The Basic Requirements
The basic requirements that relate to all substantive audit samples statistical and nonstatistical are as follows:
 Defining. The auditor must relate the population (account balance or transaction class or portion of balance
or class) to the objective of the audit procedure, that is, define the population and sampling unit.
 Selection. The auditor needs to select items that can be expected to be representative of the population.
 Evaluation. The auditor must project sample results to the population and consider sampling risk.
Defining Population and Sampling Unit
Defining the Population. In a sampling application, the population is usually all items that constitute the account
balance or class of transactions, excluding those items selected for individual testing. Sampling results can be
projected only to the population from which the sample is drawn. The use of the wrong population for a sampling
application could mean that conclusions based on the sample are invalid for an auditor's purpose.
Population Approach
 Examining a sample of recorded cash contributions in the year to support the completeness assertion for
cash contributions.
Problem
 Sampling recorded amounts allows no conclusion to be projected about potentially unrecorded amounts.
Alternative
 Define nonaccounting documents (for example, copies of receipts given to donors or field solicitors`
reports) as the population for the audit procedure and trace to recorded receipts.
Defining the Sampling Unit. The sampling units are the individual items that are subjected to audit procedures
and that represent the components of the population. It is important to properly identify the sampling unit before the
sample is selected in order to produce an efficient and effective sampling application. Examples of sampling units
include promises to give balances, expense checks, and payroll checks. The determination of the specific sam
pling unit is influenced by the following considerations.
 The sampling unit should produce an efficient sampling plan.
212

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 The sampling plan must be effective to accomplish its objectives.


 The nature of the audit procedures can determine the sampling unit.
Representative Selection
Selecting Sample Items. SAS No.39 , as amended, (AU 350.24) requires a representative sample," which means
the sample items should be selected in such a manner that all items have an opportunity to be selected. There are
several commonly used methods of selecting representative samples in accordance with the guidance in SAS
No.39. The following are some of those methods.
 Random Selection. Regardless of the method of sampling used (statistical or nonstatistical), a random
selection provides each item in the population an equal chance of being selected.
 Systematic Sampling. This method can be used with nonstatistical or statistical sampling to give every item
in the population an equal chance of being selected if a random start is used. However, it does not produce
an equal opportunity for all combinations of sampling units to be selected unless numerous random starts
are made. The population is divided by the number of sample items to determine the sampling interval to
use.
 Haphazard Selection. In this sense, haphazard does not mean careless"; it means without conscious
bias." Under this method, sample items are selected in no specific pattern without bias for or against any
items in the population. This could be done by selecting a sample of items from the paid invoices for the
year if there were no bias for or against large ones. The auditor may use this method provided care is taken
to be sure no conscious bias is added to the selection process. However, the AICPA Audit Sampling Guide
3.27 states that although haphazard sampling is useful for nonstatistical sampling, it is not used for
statistical sampling because it does not allow the auditor to measure the probability of selecting the
combination of sampling units."
An auditor should qualitatively evaluate whether the sample selected seems representative of the population
subject to the audit procedures. For instance, if the auditor is selecting a sample of expenditure checks with a
sample size of 50, a sample that included 15 employee expense reimbursement checks might not be considered
representative of the population being subjected to the audit procedures. If the sample does not seem representa
tive, it should be reselected.
The auditor should, if practical, stratify the remaining population. Generally, the remaining population should be
divided into at least two subgroups that are more similar in amount. Here is one useful approach to stratification:
a. Determine the average amount of the population to be sampled (amount of population divided by number
of items in the population).
b. Allocate twothirds of the computed sample size to the items greater than the average and the remaining
onethird to items below the average.
c. The auditor would apply the sample selection method (random, systematic, or haphazard) separately to
each stratum based on the sample size allocated. First, the auditor would select twothirds of the sample
items from the upper stratum and then onethird from the lower stratum.
Choosing a Method. The auditor might consider using random selection (with a random number table or micro
computergenerated numbers) or systematic selection with several random starts when performing nonstatistical
sampling. However, using one of these randombased methods does not make the sampling application statistical.
Haphazard selection may be used when the population is not numbered or when other circumstances make use of
a randombased method impractical.
Random Selection Using Random Numbers. SAS No.39, as amended requires that sample items be selected in
such a manner that each item in the population has an opportunity to be selected. The following randombased
213

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

selection methods meet this requirement and are commonly used in selecting statistical audit samples (and may
be used when selecting nonstatistical samples):
 Random number table.
 Computergenerated random numbers.
Evaluation and Other Requirements
Projecting Sample Results. The evaluation of sample results has two aspects. The auditor must project the
misstatement. (Various approaches to projecting misstatement are explained later in this lesson.) Also, the auditor
must consider the sampling risk. In a statistical sample, sampling risk is objectively measured using probability
theory. In a nonstatistical sample, sampling risk must still be considered and restricted to a relatively low level, but
cannot be objectively measured. This is the primary conceptual distinction between statistical and nonstatistical
sampling.
Additional Requirements. SAS No.39 imposes additional requirements for certain types of audit procedures
using sampling. These requirements are considered in the following discussion.

214

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
27. Clint plans to use substantive audit sampling during the course of his audit engagement, and must choose
between statistical and nonstatistical sampling. Which of the following factors accurately describes the
sampling approach(es)?
a. Statistical sampling will give him the most reliable sample size.
b. Nonstatistical sampling requires more planning tasks beforehand.
c. The sampling approach he chooses will determine the audit procedures he applies.
d. For both approaches, he must define the population and select sample items.
28. Define sampling unit as related to audit sampling.
a. The individual items that are subjected to audit procedures.
b. All items that constitute the account balance or class of transactions.
c. Sample items selected in a way that gives all items a chance to be selected.
d. Items selected in a haphazard manner without conscious bias.

215

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
27. Clint plans to use substantive audit sampling during the course of his audit engagement, and must choose
between statistical and nonstatistical sampling. Which of the following factors accurately describes the
sampling approach(es)? (Page 212)
a. Statistical sampling will give him the most reliable sample size. [This answer is incorrect. According to SAS
No. 39, generally, comparable sample sizes will result from the statistical and the nonstatistical approach,
if the same sampling parameters are applied.]
b. Nonstatistical sampling requires more planning tasks beforehand. [This answer is incorrect. Regardless
of which approach Clint chooses, he must properly plan, perform, and evaluate the results of the sample.]
c. The sampling approach he chooses will determine the audit procedures he applies. [This answer is
incorrect. The types of procedures Clint applies will not be determined by whether he selects the statistical
or nonstatistical sampling approach.]
d. For both approaches, he must define the population and select sample items. [This answer is
correct. In addition, Clint will also need to project the sample results to the population and consider
the risk of sampling.]
28. Define sampling unit as related to audit sampling. (Page 212)
a. The individual items that are subjected to audit procedures. [This answer is incorrect. This is the definition
of the term population.]
b. All items that constitute the account balance or class of transactions. [This answer is correct.
Examples include expense checks, payroll, checks, and customer account balances. Sampling
units must be properly identified before the sample is selected to produce an effective and efficient
sampling application.]
c. Sample items selected in a way that gives all items a chance to be selected. [This answer is incorrect. This
is the definition of a representative sample, as explained in SAS No. 39.]
d. Items selected in a haphazard manner without conscious bias. [This answer is incorrect. Sample items can
be selected using random selection, systematic sampling, or haphazard selection.]

216

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

CONSIDERATIONS FOR SUBSTANTIVE TESTS OF DETAILS


The guidance in SAS No.39 is divided between substantive tests of details (or transactions) and tests of controls.
For tests of details, no distinction is made between tests of details of transactions and tests of details of account
balances. According to SAS No.39 (AU 350.15), as amended, in planning an audit sample for a particular test of
details, an auditor should consider the following:
a. The relationship of the sample to the audit objective.
b. Preliminary judgments about materiality levels (tolerable misstatement).
c. The risk of incorrectly accepting a materially misstated population (allowable risk of incorrect acceptance).
d. Characteristics of the population; that is, the items that make up the account balance or class of
transactions of interest.
At this point in planning, an auditor would have already developed specific audit objectives, selected a procedure
to achieve a particular audit objective, and determined that it was necessary to use audit sampling in applying the
procedure.
Planning Considerations
Assessing Risk of Incorrect Acceptance. The risk of incorrect acceptance is the risk that the auditor will, after
performing audit procedures on the sample and projecting the results, fail to detect that the population being
sampled is materially misstated. The allowable risk of incorrect acceptance is the sampling aspect of the audit risk
model. Theoretically, if no procedures besides the one being applied using sampling are relevant to achieving an
audit objective and both inherent risk and control risk are assessed as high, then audit risk is equal to the allowable
risk of incorrect acceptance. In practice, the auditor first assesses the risk of material misstatement of the related
account and the audit evidence provided by other substantive procedures. Then the auditor determines the
allowable risk of incorrect acceptance based on those assessments.
In audit sampling, there is an inverse relationship between the allowable risk of incorrect acceptance and required
sample sizes. Generally, as the allowable risk of incorrect acceptance decreases, the required sample size
increases. Statistical sampling allows an auditor to determine a specific percentage of allowable risk of incorrect
acceptance, such as 5%, and either hold the risk to that level or measure the risk actually achieved by the sample
results. Although nonstatistical sampling does not allow the auditor to measure the risk achieved, the relationship
between the sample size and the allowable risk of incorrect acceptance still applies. The lower the allowable risk,
the larger the required sample size. In the PPC sampling approach, this relationship is achieved through the
selection of risk factors.
Assessing Tolerable Misstatement. Tolerable misstatement is a concept defined in SAS No.39, as amended,
(AU350.17) as amended. SAS No. 39 states that the auditor considers how much monetary misstatement in the
related account balance or class of transactions may exist when combined with misstatements that may be found
in other tests without causing the financial statements to be materially misstated. This maximum monetary misstate
ment that the auditor is willing to accept for the balance or class is called tolerable misstatement for the sample."
This reference also indicates that tolerable misstatement relates to the auditor's determination of materiality for
planning the financial statement audit (or planning materiality) such that tolerable misstatement for all balances
when combined does not exceed the financial statement materiality. This means that tolerable misstatement is just
another term for planning materiality at the account balance level. The term is used in this course both because it
is shorter and because it is the term used in the risk assessment standards including SAS Nos. 107 and 111. The
sample size for a balance or class of transactions will increase as the tolerable misstatement for the balance or
class decreases. As the tolerable misstatement increases, the sample size required will decrease. In other words,
if a large percentage of the balance could be misstated without causing a material misstatement of the financial
statements, then the sample size can be very small. In contrast, if a small percentage misstatement in the balance
could cause a material misstatement of the financial statements, then the sample size should be larger.
Assessing Expected Misstatement. Another factor that affects sample size is the size or frequency of expected
misstatements. With any sample selected, there is a certain degree of expected misstatement. It is anticipated at
217

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

the beginning of the sampling process that the misstatement will be equal to or less than the tolerable misstate
ment. Otherwise, there would be no point in sampling because the account would be expected to be misstated by
a material amount. As the size or frequency of expected misstatement increases, the sample size required to
accomplish the objectives also increases. If the expected misstatement decreases, the sample size decreases. The
determination of the expected misstatement is based on knowledge of the population and previous experience.
In assessing expected misstatement, the auditor should avoid two possible sources of confusion. First, expected
misstatement does not include accounting adjustments that are typically necessary and expected to close the
books, such as normal accruals and deferrals. Second, the expected misstatement is that amount of misstatement
expected for the remaining population (after individually significant items have been removed) from which the
sample is drawn, so it is the expected projected misstatement.
Considering Population Size. The number of items in the population is not usually an important factor in
determining sample size for a statistical sample or a nonstatistical sample. Sample size for a substantive procedure
is influenced much more by the amount of variance in the population than by the number of items in the population.
The most important practical implication of this fact is that it is either inefficient or ineffective to determine sample
size as a fixed percentage of the population. No one recommends this approach, but some auditors have custom
arily used a fixed percentage of the number of items in the population (such as10%) as sample size. If the
population is very large (for example, over 5,000 items), this approach normally results in unnecessarily large
sample sizes. If the population is very small (for example, 100 items), the sample size is normally too small.
While the size of the population in sample units (i.e., the number of items in the population) is generally not an
important factor in determining sample size, there can be unusual situations in which population characteristics
create problems in using the approach recommended in this lesson. When tolerable misstatement is approximately
equal to the average size of items in the population, the indicated sample size will be approximately the entire
population. In these circumstances, the auditor should consider whether there are other ways to substantiate the
balance that are more efficient, such as by performing an analytical procedure with a high degree of precision.
Relating Factors to Determine Sample Size. The AICPA Sampling Guide in Table 44 summarizes the effects of
changes in various factors, such as tolerable misstatement and inherent and control risk, on sample sizes for
substantive tests of details. Table 44 illustrates the relative effect of the factors (that is, smaller or larger) on sample
size rather than providing specific numerical sample sizes. Table 45 of the AICPA Sampling Guide illustrates
specific numerical sample sizes that might be used for statistical or nonstatistical sampling based on the Monetary
Unit Sampling (MUS) statistical approach [sometimes called the Probability Proportional to Size (PPS) approach].
The nonstatistical sampling approach discussed in this lesson is based on the same underlying statistical
approaches as Table 45 in the AICPA Sampling Guide. This nonstatistical approach draws on statistical sampling
theory, but combines that theory with practical judgments and the collective experience of many auditors to
facilitate implementation.
A Practical Approach to Nonstatistical Sampling
The most significant problem facing an auditor trying to use audit sampling is how to deal with essentially statistical
concepts, such as tolerable misstatement, risk of incorrect acceptance, and expected misstatement for the popula
tion, when a nonstatistical sampling approach is used. The use of the following approach in conjunction with the
related practice aid on planning materiality is recommended. As noted in the preceding paragraph, this approach
is based on the statistical theory underlying MUS sampling. The use of this model as a practical method of
determining sample size for nonstatistical sampling is recommended. The steps in Exhibit 25 are applied in this
method. The following paragraphs describe the auditor's considerations for each step.

218

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Exhibit 25
A Practical Approach to Nonstatistical Sampling
Step Description
1. Assess appropriate level of tolerable misstatement.

2. Assess the risk of material misstatement.

3. Assess the other substantive procedures risk.


4. Use the table in Exhibit 27 to determine a risk factor.
5. Estimate population balance after removal of items to
be examined 100% (individually significant items).
6. Consider the amount of expected likely misstatement
in the population to be sampled.

Required Result
Tolerable misstatement amount (normally
calculated as 50%75% of planning material
ity).
One of three qualitative levels of risk high,
moderate, or low based on the assessment
of inherent and control risk.
One of three qualitative levels of risk high,
moderate, or low.
A factor between 0.9 and 3.0.
Quantified amount.
If expected misstatement exceeds onethird
of tolerablemisstatement, sampling nor
mally should not be used.

7. Estimate the sample size using the following formula:


Dollar value of remaining
population (step 5)
Risk factor
Tolerable misstatement  (steps 2, 3, and 4)
(step 1)
8. Adjust sample size for lack of stratification in the
sample, if applicable.

Sample size.
Possible sample size increase.

Step 1 Assess Tolerable Misstatement. The amount that should be used for tolerable misstatement is normally
75% of planning materiality. Planning materiality relates to financial statements taken as a whole and is used to
derive a total tolerable misstatement that also relates to the financial statements taken as a whole. Because the
financial statements may be viewed as a single population of dollars when using MUS sampling, the same tolerable
misstatement amount may be used in all sampling applications using the recommended approach. Note that this
is not true for classical statistical sampling.
Step 2 Assess the Risk of Material Misstatement. The risk of material misstatement is the combination of
inherent risk and control risk. Exhibit 26 shows how the assessments of inherent risk and control risk may be
combined to determine the risk of material misstatement. The auditor can document inherent risk, control risk, and
the resulting risk of material misstatement.

219

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 26
Combined Risk of Material Misstatement
Control Risk Assessment

IInherent
h
t Ri
Risk
k
Assessment

High

Moderate

Low

High

High

High

Moderate

Moderate

Low

Low

Low

Low

Low

Moderate
Low

Theoretically, the auditor should assess the risk of material misstatement of the population to be sampled (that is,
the account balance excluding individually significant items). However, in sampling applications, the risk of material
misstatement for the account normally is a reasonable approximation of the risk of material misstatement of the
remaining balance. Because the risk of material misstatement in the remaining balance is almost always equal to
or less than the risk for the entire account balance, using the risk of material misstatement for the entire account is
both reasonable and conservative.
Step 3 Assess the Other Substantive Procedures Risk. As previously discussed, other substantive procedures
risk is the risk that related substantive procedures besides sampling, such as analytical procedures, will fail to
detect a material misstatement. This risk assessment is inversely related to the effectiveness of the other substan
tive procedures (that is, the more effectively the other substantive procedures contribute to addressing the same
assessed risks as the sampling procedure, the lower the risk assessment).
Step 4 Identify a Risk Factor. The fourth step is to identify a risk factor using the table presented at Exhibit 27.
The factors in the table correspond to levels for the risk of incorrect acceptance. The factors range from 3.0 to 0.9,
which is analogous to a range of 5% to 40% of the risk of incorrect acceptance. A factor of 3.0 is used when the
auditor assesses the risk of material misstatement as high and there are no effective related procedures being
applied. A factor of 0.9 is used when the risk of the account balance or transaction class being materially misstated
is assessed as low and very effective related substantive procedures are being applied. Use of the table permits the
auditor to hold the audit risk to an appropriately low level while adjusting the level of the risk of incorrect acceptance
in response to the other assessed levels of risk. This table permits the auditor to adjust sample size to various
combinations of assessed risk levels.
Exhibit 27
Table for Determination of Risk Factor
Other Substantive Procedures Risk
High

Moderate

Low

High

3.0

2.3

1.9

Moderate

2.3

1.6

1.2

Low

1.9

1.2

0.9

Risk of Material Misstatement

*
220

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Step 5 Estimate Remaining Population. The next step is to determine the dollar amount of items to be sampled
by reducing the total amount of the balance or transaction class by individually significant items. As explained
earlier, an item may be individually significant because of its nature or size. Generally, the most efficient approach
is to identify individually significant dollar items as all items greater than or equal to tolerable misstatement divided
by the applicable risk factor as determined in Step 4. That is, the fewest total number of items will be tested when
individually significant dollar items are defined as tolerable misstatement divided by the applicable risk factor.
Often, however, the efficiency gained between using onethird, onehalf, or some other fraction of tolerable mis
statement is minimal. Consequently, it is recommended that individually significant dollar items be defined as all
items greater than or equal to onethird of tolerable misstatement. However, the cutoff amount for individually
significant dollar items can be any amount up to tolerable misstatement. The choice of a cutoff amount is a matter
of efficiency.
Step 6 Consider Expected Misstatement. The last step before determining the sample size is to consider the
amount of expected likely misstatement in the population to be sampled based on the auditor's knowledge of the
population and prior experience. If the amount of likely (that is, projected) misstatement is expected to exceed
onethird of tolerable misstatement, sampling normally is not appropriate. If expected misstatement exceeds
onethird of tolerable misstatement, the auditor should ask the client to correct the population. After the client has
taken steps to correct the population, then it may be appropriate to sample the corrected population, if necessary.
Step 7 Estimate Sample Size. To calculate the sample size, divide the total of the population to be sampled
(account balance or transaction class less individually significant items) by tolerable misstatement, and multiply
that result by the risk factor determined in Step 4.
Step 8 Increase Sample Size for Lack of Stratification. This sampling approach depends on dividing the items
being tested into at least three groups: individually significant items and an upper and lower group of remaining
items. If the auditor finds it impractical to stratify after identifying individually significant items, the sample size
calculated in Step 7 must be increased. The AICPA Sampling Guide (paragraph 4.32) notes that auditors typically
increase the sample size from 10% to 50% if the sample is not stratified but notes that an adjustment of 100% or
more may be needed when there is extreme variability in the characteristic of audit interest. It has been noted that
firms with nonstatistical sampling plans advocate different percentage increases ranging from 10% to 100%. It is
recommended that sample size be increased approximately 20% if stratification is not practical and there is not a
significant variation in the items being sampled.
Selecting the Sample
The auditor may use one of several methods to select a substantive sample (such as, random selection, systematic
selection, or haphazard selection). The important point is that the auditor should ensure that all items in the
population have a chance to be selected. Accordingly, the auditor should determine that the sample population
actually includes all of the items comprising the balance. There are many ways to determine the completeness of
a sample population, including:
a. If the sample is selected from a trial balance, the auditor can foot the trial balance and reconcile the total
to the account balance.
b. If the items are numerically sequenced, the auditor can scan the accounting records to account for the
numerical sequence of items in the population and select the sample from that sequence.
Document how the completeness of the sample population was considered.
Using Data Extraction Software to Select the Sample. Some auditors may use data extraction software in audit
sampling. The discussion in the following paragraphs assumes auditors use the approach presented in here to
calculate the sample size and evaluate the sample results; data extraction software is used only to select the
sample.
The ability of data extraction software to quickly process large volumes of data can save time spent on sample
selection. Using data extraction software, the auditor can check a control total of the file being sampled to ensure
the completeness of the population prior to selecting the sample. Alternatively, if the items in the population are
221

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

numerically sequenced, the auditor can test for gaps and duplicates to account for the numerical sequence of
items in the population prior to sampling. The auditor can also use data extraction software to extract individually
significant and unusual items from the population (based on criteria specified by the auditor) prior to sampling.
Projecting the Misstatement
The auditor may use one of several methods to satisfy the requirement of SAS No.39 (AU 350.26) to project the
sample misstatement to the population. Two of the more commonly used methods are as follows:
a. Ratio Method. This method is also called the rate of misstatement method. The ratio of sample misstatement
to sample dollars (the total of all items selected) is multiplied by population dollars (the total of the
population from which the sample was selected) to project the misstatement as follows:
Sample misstatement
 Population dollars = Projected population misstatement
Sample dollars
Thus, if an auditor has identified $500 of sample misstatement, sample dollars are $60,000, and population
dollars are $600,000, the projected misstatement would be calculated as:
$500
 $600,000 = $5,000 (projected population misstatement)
$60,000
b. Difference Method. Using this method, the auditor calculates the average amount of misstatement in the
sample and multiplies that average by the number of items in the population, as follows:
Sample misstatement
 Population items = Projected population misstatement
Sample items
If the previous example included a sample of 100 items and the population had 1,000 items, the calculation
would be as follows:
$500
 1,000 = $5,000 (projected population misstatement)
100
The ratio and difference methods only produce the same result if the proportion of the number of sample items to
population items is the same as the ratio of sample dollars to population dollars. Usually, the two methods do not
produce the same results. The auditor should select one of the methods based on whether there is reason to
expect a relationship between the amount of the misstatement and the amount of the item.
Factor

Method

1. Misstatement relates to size of the item.

Ratio (or Rate of Mis


statement) Method.

2. Misstatement relatively constant for all items.

Difference Method.

The AICPA Sampling Guide discusses the ratio and difference methods (Paragraphs 4.764.78) as well as a third
method the MUS method (Paragraph 4.79). The MUS method uses tainting factors (that is, the ratio of each
detected misstatement to the book value of that item) to project the sample misstatement. The sum of the tainting
factors is multiplied by the sampling interval (that is, the total population amount in dollars divided by the sample
size) to obtain an estimate of the total misstatement.
Considering Sampling Risk
SAS No.39, as amended (AU 350.26), states that the total projected misstatement should be compared with the
tolerable misstatement for the account balance or class of transactions, and appropriate consideration should be
given to sampling risk." Sampling risk is the risk that the auditor may reach a different conclusion if audit proce
dures are applied to a sample than if they are applied to all items in a population.
222

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

In a statistical sample, sampling risk can be measured based on sample results. In a nonstatistical sample, precise
measurement is impossible. However, using the sampling model discussed here, the auditor may consider sam
pling risk through answering the following questions:
a. Does projected misstatement exceed expected misstatement? If yes,
b. Does projected misstatement exceed onethird of tolerable misstatement?
If the answer to these questions is no," the auditor usually need not be concerned about unacceptable sampling
risk under this sampling model. If the answer to both questions is yes," the auditor would normally assume there
is an unacceptable risk that true misstatement exceeds tolerable misstatement. The following example summarizes
this analysis:
 Grants and contracts receivable balance $1,675,000.
 Tolerable misstatement $150,000 (onethird of $150,000 = $50,000).
 Expected misstatement $25,000.
Projected
Misstatement

Acceptable
Sampling
Risk

$15,000

25,000

50,000

Unacceptable
Sampling
Risk

(could be either)

60,000

70,000

In this case, projected misstatement over $50,000 (onethird of tolerable misstatement) would indicate unaccept
able sampling risk and in the $25,000 to $50,000 range would indicate potentially unacceptable sampling risk. A
qualitative analysis of detected misstatements should always be made to determine the nature and cause of the
misstatement. When the auditor concludes that there is unacceptable sampling risk, qualitative analysis of mis
statements is especially important so the auditor can determine the best way to reduce the unacceptable sampling
risk (for example, consideration of what kinds of misstatements are occurring and what items in the population are
most likely to be misstated).
Considering Qualitative Characteristics
The size or frequency of misstatements in a sampling application are not the only factors that should be consid
ered. An auditor should, according to SAS No. 39 (AU 350.27), as amended by SAS No. 111, consider the following
qualitative factors:
a. Nature and cause of any misstatements:
(1) Is the misstatement an error (unintentional) or is it possible fraud (intentional)?
(2) If the misstatement is an error, is it due to misunderstanding of instructions or carelessness?
b. Relationship of misstatements to other phases of the audit.
Documentation of Substantive Sampling Applications
When audit sampling is used in tests of controls and substantive tests of details, SAS No. 103, Audit Documentation
(AU 339.20), requires auditors to identify in the workpapers the items tested. There is no other specific requirement
to document factors related to audit sampling applications, except the requirement to document tolerable misstate
223

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

ment in SAS No. 107 (AU 312.69) and the requirement to document the assessment of the risk of material
misstatement at the relevant assertion level in SAS No. 109 (AU 314.122). However, the AICPA Sampling Guide
(Paragraph 4.93) identifies examples of items that the auditor typically documents for substantive audit samples.
The auditor does not need to document a matter that is implicit in the form or practice aid that a firm has adopted.
Alternative Approach for Substantive Tests of Transactions
The sampling method explained here is an approach to nonstatistical sampling that may be applied either to
account balances or transaction classes. This approach will always be effective for a substantive test of transac
tions. However, this approach may not be the most efficient when the audit procedure being applied using
sampling is not intended solely to validate the total amount of a transaction class, for example, when the auditor is
testing the classification of disbursements, or when the population is composed of a large number of items all
similar in amount. An alternative approach to this type of substantive test of transactions that uses attribute
sampling as a model is explained later in this course.

224

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
29. This course recommends using an eightstep approach to deal with nonstatistical sampling. What is the first
step of this approach?
a. Assess the risk of material misstatement.
b. Estimate population balance.
c. Adjust sample size for lack of stratification.
d. Assess appropriate level of tolerable misstatement.
30. Based on the information in Exhibit 26, which of the following audits has the lowest risk of material
misstatement?
a. Zoey's client has high inherent risk and moderate control risk.
b. Carlos's client has low control risk and high inherent risk.
c. Leo's client has moderate inherent risk and high control risk.
d. Julie's client has moderate control risk and moderate inherent risk.
31. Dave needs to estimate the sample size for his test of details. The total remaining balance of the population is
$50,000. Tolerable misstatement is $2,500. Using the table at Exhibit 27, Dave estimated that the risk of material
misstatement is low, but the risk of assessment of other substantive procedures is high. Calculate Dave's
sample size.
a. 20.
b. 38.
c. 60.
d. 1,316.
32. Alice plans to project the misstatement from her audit sampling to the entire population using the ratio method.
The amount of sample misstatement is $600, the amount of sample dollars is $50,000, and the amount of
population dollars is $500,000. The number of sample items Alice used is 150, and the total number of items
in the population is 2,000. Calculate the projected population misstatement.
a. $60.
b. $6,000
c. $8,000.
d. $150,000.

225

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

33. According to the SAS No. 39 (AU 350.27), as amended by SAS No. 111, which of the following is a qualitative
factor that an auditor should consider when using audit sampling?
a. Whether the projected misstatement exceeds expected misstatement.
b. Whether the projected misstatement exceeds onethird of tolerable misstatement.
c. Whether misstatement is relatively constant for all items.
d. Whether any misstatements are related to other phases of the audit.

226

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
29. This course recommends using an eightstep approach to deal with nonstatistical sampling. What is the first
step of this approach? (Page 219)
a. Assess the risk of material misstatement. [This answer is incorrect. This is the second step of the approach.
After the auditor assesses the risk of material misstatement, he or she should assess the other substantive
procedures risk.]
b. Estimate population balance. [This answer is incorrect. This is the fifth step of the recommended approach,
and the auditor would do this after individually significant items have been removed.]
c. Adjust sample size for lack of stratification. [This answer is incorrect. If this step is applicable to the audit
in question, it would be done last. If the auditor performs this step, it is possible that the sample size will
increase.]
d. Assess appropriate level of tolerable misstatement. [This answer is correct. The tolerable
misstatement amount would normally be calculated as 5075% of planning materiality.]
30. Based on the information on Page 220, which of the following audits has the lowest risk of material
misstatement? (Page 218 and Page 220)
a. Zoey's client has high inherent risk and moderate control risk. [This answer is incorrect. In this scenario,
the risk of material misstatement is high.]
b. Carlos's client has low control risk and high inherent risk. [This answer is incorrect. In this situation, the risk
of material misstatement would be assessed as moderate.]
c. Leo's client has moderate inherent risk and high control risk. [This answer is incorrect. The risk of material
misstatement in this scenario is assessed as moderate.]
d. Julie's client has moderate control risk and moderate inherent risk. [This answer is correct. The risk
of material misstatement in this situation would be assessed as low, even though both types of risk
are considered moderate.]
31. Dave needs to estimate the sample size for his test of details. The total remaining balance of the population is
$50,000. Tolerable misstatement is $2,500. Using the table on Page 220, Dave estimated that the risk of material
misstatement is low, but the risk of assessment of other substantive procedures is high. Calculate Dave's
sample size. (Page 220)
a. 20. [This answer is incorrect. This is the total of the population ($50,000) divided by the tolerable
misstatement ($2,500), but the risk factor was not taken into account.]
b. 38. [This answer is correct. The correct calculation to estimate the sample size is to divide the total
of the population ($50,000) by the tolerable misstatement ($2,500) and multiply that by the risk factor
(in this case, 1.9).]
c. 60. [This answer is incorrect. In this calculation, the wrong risk factor number was used (3.0).]
d. 1,316. [This answer is incorrect. In this calculation, the tolerable misstatement ($2,500) was divided by the
risk factor (1.9). The total of the population was not taken into account.]
32. Alice plans to project the misstatement from her audit sampling to the entire population using the ratio method.
The amount of sample misstatement is $600, the amount of sample dollars is $50,000, and the amount of
227

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

population dollars is $500,000. The number of sample items Alice used is 150, and the total number of items
in the population is 2,000. Calculate the projected population misstatement. (Page 221)
a. $60. [This answer is incorrect. This answer is the result of the following incorrect formula: $600/$500,000
 $50,000.]
b. $6,000. [This answer is correct. To calculate projected misstatement using the ratio method, the
amount of sample misstatement ($600) should be divided by the sample dollars ($50,000), and the
result should be multiplied by the population dollars ($500,000).]
c. $8,000. [This answer is incorrect. To get this answer, the difference method was used to calculate the
projected misstatement. The difference method calculation is the sample misstatement ($600) divided by
the sample items (150) multiplied by the number of population items (2,000).]
d. $150,000. [This answer is incorrect. To get this answer, the number of items was incorrectly used in the
formula ($600/2,000  $500,000).]
33. According to the SAS No. 39 (AU 350.27), as amended by SAS No. 111, which of the following is a qualitative
factor that an auditor should consider when using audit sampling? (Page 223)
a. Whether the projected misstatement exceeds expected misstatement. [This answer is incorrect. This is a
consideration that an auditor should have if a nonstatistical sampling model is used. This consideration
will help the auditor evaluate sampling risk.]
b. Whether the projected misstatement exceeds onethird of tolerable misstatement. [This answer is
incorrect. If an auditor used a nonstatistical sampling method, this consideration would help him or her
determine if the amount of sampling risk is acceptable.]
c. Whether misstatement is relatively constant for all items. [This answer is incorrect. This would be a
consideration for determining what method to use to project the misstatement to the rest of the population.
If this were true, the auditor should use the difference method.]
d. Whether any misstatements are related to other phases of the audit. [This answer is correct. The
other qualitative factor that the auditor should consider is the nature and cause of any
misstatements (e.g., if the misstatement is an error or fraud).

228

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

AUDIT SAMPLING AND TESTS OF CONTROLS


Tests of controls should be performed only when the auditor's risk assessment includes an expectation of the
operating effectiveness of controls (i.e., an expectation of assessing control risk as either low" or moderate") or
when substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion
level. In many engagements, tests of controls using audit sampling are tests of details of transactions. All of the
requirements of SAS No. 39 apply to this type of test. When performing a Single Audit, auditors are required to
perform tests of controls. The mechanics of sampling for tests of controls, whether in a financial statement audit or
a Single Audit are discussed here.
Generally, audit sampling is used for tests of controls directed toward operating effectiveness where there is
documentation of the control's operation. These tests normally include inspecting the documents and reperforming
the application of the control. In practice, the most common test of controls that uses audit sampling is a test of
transactions. This test is directed to the effectiveness of controls. In some cases, it may be efficient to perform this
test of controls in combination with a substantive test of transactions. SAS No. 110 (AU 318.33) describes this type
of dualpurpose test as follows:
When responding to the risk assessment, the auditor may design a test of controls to be
performed concurrently with a test of details on the same transaction. The objective of tests of
controls is to evaluate whether a control operated effectively. The objective of tests of details is to
support relevant assertions or detect material misstatements at the relevant assertion level.
Although these objectives are different, both may be accomplished concurrently through
performance of a test of controls and a test of details on the same transaction, known as a
dualpurpose test.
SAS No. 39 (AU 350.44), as amended, provides the following guidance when a sample is used for dual purposes
(i.e., testing the operating effectiveness of an identified control and testing whether the recorded monetary amount
or transaction is correct):
The size of a sample designed for dual purposes should be the larger of the samples that would
otherwise have been designed for the two separate purposes. In evaluating such tests, deviations
from the prescribed control and monetary misstatements should be evaluated separately using
the risk levels acceptable for the respective purposes.
An efficient approach to dualpurpose testing that can be used when appropriate and is presented later in this
lesson.
Terminology for Sampling in Tests of Controls
The following discussion uses these sampling terms:
 Deviation. Departure from the prescribed control policy or procedure.
 Tolerable Rate. The maximum rate of deviations that would still support the planned assessed level of
control risk.
 Risk of Assessing Control Risk Too Low. The auditor's allowable risk of assessing control risk too low, an
aspect of sampling risk. If control risk is assessed too low, the auditor may inappropriately rely on a control.
Thus, this risk is also called the risk of overreliance.
 Expected Rate. The rate of deviations the auditor expects based on prior experience and knowledge of the
characteristics of the population.
 Population. The class of transactions being sampled.
The basic approach to applying tests of controls is the same regardless of whether sampling is used. However,
there are additional matters to consider when using audit sampling methods. Exhibit 28 illustrates how those
additional considerations are integrated into the basic approach to testing controls. Discussion of those additional
considerations and how they affect tests of controls follows.
229

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 28
Tests of Controls Using Audit Sampling
Step Description
1. Identify suitable controls to be tested and, if applicable, the related substantive procedures to be
reduced.
2. Consider whether testing controls is practical.a Consider whether there is documented evidence of the
application of the controls.
3. Select appropriate tests of controls.
a. Define deviation for purposes of the test.
b. Define the population to be sampled.
c. Determine the tolerable rate of deviations.
d. Determine the allowable risk of assessing control risk too low (risk of overreliance).
e. Determine the expected rate of deviations.
f. Compute the required sample size.
g. Determine the method of sample selection.
4. Perform tests of controls. Select sample and apply audit procedures to the sample.
5. Evaluate the results of the tests of controls. Compare sample rate of deviations to tolerable rate of
deviations and consider the effect of sampling risk.
6. Assess control risk.
7. Document the tests performed and conclusions reached.
Note:
a

The auditor may wish to compute an estimated sample size for the test of controls (Step3f.) before
determining whether testing controls is practical. However, OMB Circular A133 requires tests of
controls in Single Audits.

STEP 1Identify Controls and Related Substantive Procedures


The first step in planning the sample is to identify the controls to be tested and, if applicable, the related substantive
procedures to be reduced. This step requires identifying controls relevant to specific assertions. Some auditors
specify audit objectives and control objectives for each major transaction class as an aid in linking controls with
financial statement assertions.
STEP 2Consider Whether Testing Controls Is Practical
A test of controls using audit sampling is a test directed toward operating effectiveness. The auditor should perform
tests of controls in the following circumstances:
a. When the auditor's risk assessment includes an expectation of the operating effectiveness of controls. This
would only apply to controls that the auditor has determined are designed to prevent or detect a material
misstatement in a relevant assertion.
230

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

b. When substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion
level (AU 318.23 and AU 326.22).
c. When required for a Single Audit.
When sampling is used in tests of controls, the auditor should also consider whether there is documented evidence
of the application of the identified controls (such as rubber stamps, initials, matched source documents, etc.).
Without documented evidence, it may be difficult to test those controls using audit sampling.
STEPS 3 and 4Select and Perform Tests of Controls
Documented controls are normally readily susceptible to testing through sampling. A common type of control
activity tested is a checking routine or approval evidenced by initials, signatures, or stamps on documents. The
approach is usually to sample the documents, inspect items selected for evidence that control activities were
performed, and reperform the procedure to test its effectiveness.
Performing tests of controls when sampling is used involves many considerations besides the type of test proce
dure. The auditor also must:
a. Define deviation for purposes of the test.
b. Define the population to be sampled.
c. Determine the tolerable rate of deviations.
d. Determine the allowable risk of assessing control risk too low (risk of overreliance).
e. Determine the expected rate of deviations.
f. Compute the required sample size.
g. Determine the method of sample selection.
Exhibit 29 compares the sampling considerations in tests of controls to those for substantive tests of details.
Exhibit 29
Distinguishing Features of Sampling in Tests of Controls
Feature
Objective

Distinguishing Trait
 A controltransaction objective (for example, all receipts are
recorded) is specified to link with the related assertion (such as
completeness).
 Should identify particular substantive procedures that will be modi
fied in response to results of tests of controls.

Deviation

 The characteristic of interest is adherence to a control; an exception


or deviation is defined as a lack of adherence rather than monetary
misstatement.

Population

 Definition has to include time period covered.


 Units may be unpriced, so completeness may be considered by
accounting for sequence of prenumbered documents rather than
footing.

Selection

 No stratification. (The characteristic is an attribute, present or not


present, so variance depends entirely on the deviation rate.)

Sample Size

 Factors that influence size differ; the primary difference is concern


with the rate, rather than the dollar amount.
231

Companion to PPC's Guide to Audits of Nonprofit Organizations

Feature

NPOT09

Distinguishing Trait

Performance

 Procedures applied include inspecting evidential matter of design


and operation of controls.

Evaluation

 Relation should be established between deviation rate and risk of


monetary misstatement (precisely how sample results will relate to
substantive tests).

Documentation

 As indicated in establishing the objective, the relation to particular


substantive procedures should be specified.
 Specific items tested must be documented.

Define Deviations. The auditor should specify the conditions that will be regarded as a deviation from prescribed
controls. To be efficient, the auditor should focus only on those controls that are important to respond to identified
risks of material misstatements. The auditor should not test all of the controls involved in processing the transaction
being sampled, but only those that will have a significant bearing on the related substantive procedures. For
example, do not bother to test credit approvals on sales transactions when substantive procedures related to
collectibility will not be restricted anyway.
Define the Population. For a test of controls using audit sampling, the population is usually all transactions of a
particular type (for example, expenditures for goods and services for a specified time period, such as January 1,
20X1 to September30, 20X1). The time period may be the entire period covered by the financial statements, but
tests of controls may be applied at an interim date. SAS No.110 (AU318.37) indicates that when the auditor obtains
audit evidence about controls during an interim period, the auditor should determine what audit evidence should
be obtained for the remaining period by considering the following:
a. Significance of the assessed risks of material misstatement at the relevant assertion level.
b. The specific controls that were tested during the interim period.
c. The degree to which audit evidence about the operating effectiveness of those controls was obtained.
d. The length of the remaining period.
e. The extent to which the auditor intends to reduce further substantive procedures based on the reliance on
controls.
f. The control environment.
Tests of controls using audit sampling are usually tests of transactions. The sample unit in tests of controls is
individual transactions of a particular type, and the auditor must specify the physical sample unit that will be
selected (such as canceled checks when the population is cash disbursements).
Determine the Tolerable Rate. Deciding on the appropriate tolerable rate is strictly an audit judgment. Sampling
only forces the auditor to specify in advance what rate of deviation would correspond to the levels of control risk to
be used, that is, high, moderate, or low. Examples of tolerable rates commonly used in practice are as follows:
Planned Assessed
Level of Control Risk

Tolerable Rate

Low

5%7%

Moderate

10%12%

High

Omit Test
232

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Determine the Allowable Risk of Assessing Control Risk Too Low (Risk of Overreliance). This risk is similar to
the risk of incorrect acceptance in a substantive sample. This means that it
a. is an aspect of sampling risk, and
b. has a corresponding opposite risk (the risk of assessing control risk too high or risk of underreliance), which
does not have to be considered under authoritative pronouncements because it relates solely to efficiency.
Authoritative pronouncements are more specific about allowable risk than tolerable rate. SAS No.39, as amended,
(AU 350.37) explains that when a test of controls using audit sampling is the primary source of evidence of whether
the procedure is being applied as prescribed, the auditor should allow for a low level of risk of assessing control risk
too low (that is, sampling risk). SAS No. 39 (AU 350.37, footnote 13) even specifies how low: The auditor who
prefers to think of risk levels in quantitative terms might consider, for example, a 5 percent to 10 percent risk of
assessing control risk too low." Generally, the risk level is fixed at 10% in practice. This means there is 90%
assurance that the auditor is not assessing control risk too low or overrelying on controls. A 10% sampling risk is
allowed because the auditor never places complete reliance on the control risk assessment. In statistical theory,
either the risk or the tolerable rate could be varied in response to the assessed level of control risk. However, that
does not fit audit logic. The tolerable rate is more directly related to the risk of monetary misstatement.
Determine the Expected Rate of Deviations. The auditor should also consider the expected rate of deviation from
a particular control. Generally, if the expected rate is over onehalf the tolerable rate, sampling is not efficient.
However, if the expected rate is high, the auditor would not plan to assess control risk below the high" level. In
practice, many tests of controls using sampling plans assume a zero expected rate. This is analogous to the
statistical method of discovery sampling, and it is highly efficient. The established tolerable rate, allowable risk of
assessing control risk too low (risk of overreliance), and expected rate are the only factors that need to be specified
for determining sample size in a statistical sample size table. For example, TableA.2 to AppendixA in the AICPA
Sampling Guide gives sample sizes for a 10% sampling risk.
Compute Sample Size. In determining the sample size for a test of controls, SAS No.39 requires that the auditor
consider the tolerable rate, the risk of assessing control risk too low (risk of overreliance), and the expected rate of
deviations from prescribed controls. The only relevant population characteristic is usually the expected rate of
deviations. Population size is usually assumed to be infinite for convenience. Only very small population sizes
would influence sample size. Generally, if the population is smaller than 2,000 items, the conclusions are conserva
tive, that is, characteristics of the population are actually better than the statistical evaluation indicates, but there is
little efficiency to be gained by reducing the sample size until the population falls below approximately 200 items.
However, if the population is less than 200 items, the auditor should be aware that sample sizes in statistical
sampling tables or nonstatistical sampling approaches based on statistical methods may have a larger than
necessary sample size. In other words, the sample size is effective, but not efficient. Therefore, sample sizes are
provided for three ranges of population size: greater than 200, 100200, and less than 100.
A special case of small population size is a control that operates infrequently. For example, controls over a bank
reconciliation operate monthly or twelve times a year and controls over a weekly payroll operate 52 times a year.
The AICPA Sampling Guide (Paragraph 3.61) provides reasonable minimum sample sizes related to the frequency
of operation of controls as illustrated in Exhibit 210. The guidelines are based on the experience and judgment of
practicing auditors rather than being statistically derived.
Exhibit 210
Minimum Sample Sizes for Infrequently Operating Controls
Control Frequency and Population Size
Quarterly (4)
Monthly (12)
Semimonthly (24)
Weekly (52)

Sample Size
2
24
38
59

*
233

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

The sample sizes in Exhibit 210 are based on the assumption that the test of controls being performed is
supplemented by other sources of evidence, such as a walkthrough, corroborating inquiries, past experience with
the competence and diligence of the personnel, or other control testing. Also, the testing is assumed to be for one
or a few locations. For example, a weekly control performed at 50 locations would represent a population of 2,600,
which would be a large population.
An approach to sampling for tests of controls was developed that allows effective and efficient determination of
sample size. This approach is based on the statistical theory of attribute sampling, but it does not require special
ized statistical knowledge or training. This approach uses tolerable rates, a 10% risk of assessing control risk too
low (risk of overreliance) (90% confidence or assurance level), and a zero expected deviation rate. That means
when there is greater than a 10% risk that the deviation rate in the population exceeds approximately 12%, control
risk is assessed as high, and tests of controls would be inefficient. This recommended approach to sample size
determination is presented in Exhibit 211 for both large and small populations (however, for infrequently operating
controls, use the table in Exhibit 210).
Exhibit 211
Determination of Sample Size for a Test of Controls
Population Size
> 200
100200
< 100

Sample Size
40
35
30

25
22
20

Number of Deviations
(Expected or Actual)
0
1
2
3

60
50
45

Control Risk Assessment


Moderate
Low
Low
High
Moderate
Low
High
High
Moderate
High
High
Moderate

(High, moderate, and low indicate the planned or supported assessed level of control risk.)
Determine Sample Selection Method. The same selection methods described previously are appropriate for tests
of controls using audit sampling. However, it should be emphasized that block sampling (selecting all the transac
tions of a particular type for a day, week, or month) is not acceptable. A distinctive aspect of selecting a sample for
a test of controls is that, if any documents necessary to perform the test are missing, the items normally should be
counted as deviations. According to SAS No.39, as amended (AU350.40):
If the auditor is not able to apply the planned audit procedures or appropriate alternative
procedures to selected items, he should consider the reasons for this limitation, and he should
ordinarily consider those selected items to be deviations from the prescribed policy or procedure
for the purpose of evaluating the sample.
However, unused and legitimately voided documents do not have to be considered as deviations.
Statistical versus Nonstatistical Approaches. There are really no nonstatistical sampling plans for tests of controls
similar to those for substantive procedures. Some CPA firms use tables that relate qualitative levels of control risk
to sample size. However, the sample sizes are the same as would be determined from a statistical formula or
attribute sampling table using the same factors for tolerable rate, risk of assessing control risk too low (risk of
overreliance), and expected rate. That does not mean an auditor should necessarily use statistical tables in
planning and evaluating samples for tests of controls. If each individual auditor had to determine the appropriate
tolerable rate, risk of assessing control risk too low (risk of overreliance), and expected rate in planning every
sample, the results would be very inefficient. Audit time that could be spent more effectively in other areas would be
234

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

consumed in planning sample sizes. Also, there could be substantial variation in sample sizes in identical circum
stances because of differences in judgment about the determinants of sample size. It makes sense for a CPA firm
to adopt a uniform policy on sample sizes for tests of controls.
STEP 5Evaluate the Results of Tests of Controls Involving Sampling
Once the sample is selected and tested, the results of the test of controls must be evaluated. The table in Exhibit
211 can be used both to determine sample size during planning and to evaluate sample results. The table in
Exhibit 211 incorporates the consideration of sampling risk. The auditor cannot simply compare the projected rate
of deviation to the tolerable rate and assess controls as effective if the projected rate is lower. The auditor needs to
consider the effect of sampling risk (i.e., the risk that the true rate of deviation in the population may be higher than
the projected rate). If the table in Exhibit 211 is not used, the auditor needs to judgmentally consider the risk that
the true rate of deviation may differ from the sample rate. For example, if the auditor wants to assess control risk as
low for a population of 2,000 items and believes the sample results may include a single deviation, then a sample
size of 60 would be necessary. If more than one deviation is found in the sample, then the assessed level of control
risk would be at best moderate. Note that a sample size of 25 with no deviations for a population of 2,000 items will
at best support an assessed level of control risk of moderate. If one or more deviations are found, control risk will
have to be assessed at the high level. This occurs because of the high sampling risk associated with a small sample
size. A single deviation in a sample of 25 is an actual deviation rate of 4%. However, at a 10% risk of assessing
control risk too low, the true deviation rate in the population could be as high as 15%, and there is a 10% risk that
it is higher.
Practical Implications if Deviations Are Found. One practical implication of the table in Exhibit 211 is that, if the
auditor finds more than three deviations when the audit procedure is applied to the first few selected items, the
auditor should stop and assess control risk as high. Auditors often ask: If a deviation is found, can the sample size
be increased so that assessment of control risk at less than high is possible if no more deviations are found? The
answer is a qualified yes. The AICPA Sampling Guide (Paragraph 3.63) observes that a practical and conservative
ruleofthumb for expanding sample size is to at least double the sample size. If no additional deviations are found,
the auditor can support the planned control risk assessment. The AICPA Sampling Guide (Paragraphs 3.79.81),
however, also cautions the auditor that extending the sample when the initial sample was indicative of the true error
rate will likely result in further deviations being identified. That is, if the auditor expected no deviations when
planning the sample, then an unexpected deviation in the sample results may be indicative of other deviations in
the population. For that reason, and because it is believed that sample sizes of over 60 are inefficient, expanding
the sample is discouraged when unexpected deviations are found. It makes more sense for the auditor to increase
the extent of the substantive procedure and not attempt to restrict the substantive procedure by assessing control
risk as low or moderate. In using the table, it is important to remember that the sample results only indicate the
satisfactory functioning of a control procedure that the auditor has judgmentally concluded is effective as designed.
The initial judgment that the design of the control activity permits restricting the extent of substantive procedures if
the control activity functions effectively is strictly an audit judgment.
STEP 6Assess Control Risk
Essentially, assessing control risk involves applying the evaluation of the test (Step 5) to the assertions they were
matched with in Step 1. SAS No. 110 (AU 318.72) states that the auditor should determine whether the audit
evidence obtained from the test of controls:
a. provides a basis for reliance on the controls tested,
b. indicates the auditor should perform additional tests of controls, or
c. indicates the auditor needs to address the potential risk of material misstatement through substantive
procedures.
For controls that are determined to be effective, control risk for the related assertions is assessed as moderate or
low, depending on the sufficiency and appropriateness of the evidence obtained. Control risk is assessed as high
for remaining assertions because either (a) no related tests of controls were performed or (b) the related controls
were tested and determined to be ineffective. Using the table in Exhibit 211, the auditor can determine the
appropriate level of control risk given the sample size and number of deviations in the sample.
235

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

STEP 7Documenting Tests of Controls Involving Sampling


When using audit sampling for tests of controls, the auditor should consider the documentation requirements of
SAS Nos. 39, 103, and 109. SAS No. 109 at AU 314.122 requires the auditor to document the assessment of the
risks of material misstatement (which is a combination of both control risk and detection risk at the relevant
assertion level) both at the financial statement level and at the relevant assertion level, as well as the basis for the
assessment. SAS No. 103, Audit Documentation, requires the auditor performing tests of operating effectiveness of
controls involving inspection of documents to identify in the workpapers the items tested. A walkthrough ordinarily
is not a test of the operating effectiveness of controls. However, the auditor's documentation, which ordinarily is in
the form of a memo, should indicate which transaction(s) were selected for walkthrough. For reperformance tests
involving review of reconciliations and similar recordkeeping routines, it is believed documentation should identify
which routines were reperformed and the nature of the auditor's tests. SAS No.39 does not impose specific
documentation requirements for audit sampling, but the AICPA Sampling Guide (Paragraph3.93) suggests that the
auditor document the following matters:
a. A description of the control being tested.
b. The control objectives related to the sampling application, including the relevant assertions.
c. The definitions of the population and sampling unit, including how the auditor considered the
completeness of the population.
d. The definition of the deviation condition.
e. The acceptable risk of overreliance on controls (or desired confidence or assurance level), the tolerable
deviation rate, and the expected population deviation in rate used in the application.
f. The method of sample size determination.
g. The method of sample selection.
h. The selected sample items.
i. A description of how the sampling procedure was performed.
j. The evaluation of the sample and the overall conclusion.
When matters, such as sample size determination or expected deviation rate, are implicit in the tables or forms used
in a firm's sampling approach, those matters need not be separately documented.
SAS No. 110 (AU 318.77) states that the auditor should document the nature, timing, and extent of the further audit
procedures (the test of controls in this instance) and the linkage of those procedures to the assessed risks at the
relevant assertion level.
The nature and extent of documentation are matters for the auditor's judgment in particular circumstances.
Test of Controls in a Single Audit
Circular A133 requires that test of controls over federal program compliance requirements be planned to achieve
a low level of assessed control risk. Note that based on the assumptions described at Exhibit 211 for large
populations, a sample size of 25 with no deviations will at best support an assessed level of control risk of
moderate. To achieve a low level of assessed control, a sample size of 40 with no deviations or 60 with one
deviation is necessary.
Many practitioners have asked if they can use a sample of 25 to test controls. Starting with the information and the
assumptions referred to in the preceding paragraph, the question is: Can a low control risk assessment be
supported with a sample of 25? Note that a determination of a sample size is a matter of professional judgment, and
SAS No.39 does not require the auditor to compare the sample size for a nonstatistical sampling application with
236

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

a corresponding sample size calculated using statistical theory. SAS No. 39 (AU 350.23), as amended by SAS No.
111, states as follows:
An auditor who applies nonstatistical sampling uses professional judgment to relate these factors
in determining the appropriate sample size. Ordinarily, this would result in a sample size compa
rable to the sample size resulting from an efficient and effectively designed statistical sample,
considering the same sampling parameters.
The auditor will need to apply careful professional judgment in reviewing the risk levels and expected deviation
rates in relation to the sample sizes to meet the requirements of Circular A133.
In statistical theory, either the confidence level or the tolerable error rate can be varied in response to the assessed
level of control risk. Or stated differently, as the sample size decreases, either the confidence level decreases or the
tolerable error rate increases for a given level of control risk assessment. Because it does not seem logical for the
risk of assessing control risk too low (risk of overreliance) to be greater than 10% (less than a 90% confidence level),
the question becomes: What is the effect on the tolerable rate? With a sample of 25 and no deviations, you have a
10% risk that the deviation rate will exceed 9%. With one or two deviations, there is a 10% risk that the deviation rate
will exceed 15% or 20% respectively. Based on a 95% confidence level, a sample of 25, and zero, one, or two
deviations, you have a 5% risk that the error rate will exceed approximately 12%, 18%, and 25% respectively.
The maximum rate that is allowable and still assesses the control risk as low is a matter or professional judgment.
It is believed that auditors may make their own judgment and that judgment can vary from situation to situation. For
example, if four procedures contribute to control over a transaction and all four are being tested (by inquiry,
observation, or inspection), it might be reasonable to accept a higher deviation rate for one of the procedures and
still assess overall control risk as low. It would be a matter of judgment and would depend on what the procedures
are, and the nature of the deviation. Just how high the accepted error rate could go is strictly a matter of judgment.
The same rationale may be made for other sample sizes in given situations. It is recommended that practitioners
who wish to know more about sampling, including the determination of sample sizes, should be familiar with the
AICPA Sampling Guide.

TESTS OF COMPLIANCE WITH LAWS AND REGULATIONS


The auditor may combine compliance tests of laws and regulations that involve the inspection of documentation
supporting transactions with tests of details or tests of controls. In other words, a triplepurpose test of transactions
is possible. The auditor selects a sample of transactions and inspects supporting documentation to determine the
following:
a. Recording in the correct amount, account, program or other function, and period.
b. Indications of performance of controls.
c. Indications of compliance with relevant laws and regulations.
When this approach is taken, the sample size should be the largest sample size necessary to satisfy any of the three
purposes of the test.
Auditors must assess the risk of material misstatement resulting from violations of laws and regulations having a
direct and material effect on the determination of financial statement amounts. These laws and regulations can
relate to items such as budgetary compliance, purchasing compliance, and cash and investment compliance,
especially for organizations that receive federal awards. This part of the lesson focuses on testing compliance with
laws and regulations in a Single Audit. However, the approach is based on attribute sampling and may also be used
for other compliance procedures.
Single Audit Requirements
OMB Circular A133, section500(d), describes the single audit requirement for compliance testing in order to
determine whether the recipient has complied with laws and regulations, contracts, and grant agreements that may
have a direct and material effect on each major federal award program.
237

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Both OMB Circular A133 and SAS No. 74, Compliance Auditing Considerations in Audits of Governmental Entities
and Recipients of Governmental Financial Assistance, require the auditor to determine both the known questioned
costs and likely questioned costs associated with audit findings. Determining likely questioned costs may require
projecting the sample results to conclude whether a finding has to be reported in the schedule of findings and
questioned costs. OMB Circular A133 does not require the auditor to report an exact amount or a statistical
projection of likely questioned costs. Instead, the auditor should report an audit finding when estimated likely
questioned costs exceed $10,000.
Sample Size Considerations in Single Audits. Paragraph 10.33 of the GAS/A133 AICPA Audit Guide explains
that in determining the nature, timing, and extent of tests to perform, the auditor should exercise professional
judgment regarding the appropriate level of detection risk to accept. In applying judgment, be aware that small
sample sizes for tests of details with a low dollar value and from a large population generally do not, by themselves,
provide sufficient appropriate evidence."
Paragraph 10.41 of the GAS/A133 AICPA Audit Guide explains that when planning to test a particular sample of
transactions, the auditor should consider the specific audit objective to be achieved and should determine that the
audit procedure, or combination of procedures, will achieve that objective. The size of a sample necessary to
provide sufficient appropriate audit evidence depends on both the objectives and the efficiency of the sample.
Although the auditor is required to obtain sufficient appropriate audit evidence to support an opinion on com
pliance for each major program, there is no requirement to use a separate sample for each major program.
However, Paragraph 10.44 of the GAS/A133 AICPA Audit Guide explains that it is preferable to select separate
samples from each major program because the separate sample provides clear evidence of the tests performed,
the results of those tests, and the conclusions reached." If audit samples are selected from transactions for all major
programs, the audit documentation should clearly indicate that the results of such samples, together with other
audit evidence, are sufficient to support the opinion on each major program's compliance.
Requirement for Representative Number. The OMB CircularA133 Compliance Supplement (Compliance Sup
plement) uses the phrase select a sample" for testing transactions at various locations. SAS No.39, as amended
(AU350.24) requires that a sample be a representative sample (that is, the sample items should be selected in such
a manner that all items have an opportunity to be selected). The auditor should select a representative number of
transactions from each major program but is not required to select separate samples from each major program.
Agency and IG Concerns about Sample Size. As federal awarding agencies and their offices of the Inspector
General (IG) review audits performed under OMB Circular A133, the size of audit samples for tests of compliance
is a frequent cause for concern. In some cases, IGs have concluded that the small size of the sample selected and
tested may not have been sufficient to support an opinion on compliance. The Report on National Single Audit
Sampling Project" highlighted sampling techniques, which would include selection of appropriate sample sizes, as
a problem area that affects the overall quality of single audits. This concern was reiterated in other meetings
attended by representatives of federal agencies, federal IGs, program personnel, the AICPA, GAO, OMB, state
auditors, and practitioners. Auditors should be aware of such concerns and any audit alerts or other reports issued
by IGs or other federal agency representatives that provide guidance or comments concerning audit sampling, as
well as other issues.
Factors That Affect Sample Size. CircularA133 at section525 (the paragraphnumbers are indicated) states that
selecting the test of transactions should be based on the auditor's professional judgment considering such risk
factors as the following:
 Size of Program. The larger or smaller the amount, the greater or lower the risk. [Sec.525(d)(4)]
 Program Maturity at the Federal Agency. The newer the program, the greater the risk. Also, significant
changes in the law, regulations, or the provisions of contracts or grant agreements may increase risk.
[Sec.525(d)(2)]
 Program Maturity at the Auditee. The risk may be higher in the first and last year of a program due to the
peculiarities related to startup and closeout of program activities and staff. [Sec.525(d)(3)]
 Complexity. The more complex the program (eligibility, calculations, etc.), the greater the risk. The simpler
the program, the less the risk. [Sec.525(d)(1)]
238

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

 Extent of Contracting. The greater the amount of program contracting for goods and services, the greater
the risk. [Sec.525(d)(1)]
 Use of Subrecipients. When significant parts of a federal program are passed through to subrecipients, a
weak system for monitoring subrecipients would indicate higher risk. [Sec.525(b)(1)(ii)]
 Level of Oversight. The greater the level to which the program is subject to review or other forms of
independent oversight, the lower the risk. Recent oversight that disclosed no significant problems would
boost the lowrisk assessment. Recent oversight that disclosed significant problems would indicate higher
risk. [Sec.525(c)(1)]
 Prior Audit Findings. Prior audit findings relative to the program may indicate a higher risk, particularly when
the situation identified in the audit findings could have a significant impact on the program or have not been
corrected. [Sec.525(b)(2)]
Report on National Single Audit Sampling Project. In June 2007, the President's Council on Integrity and
Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE) released the Report on National
Single Audit Sampling Project" (the Report). Among the Report's findings was that inconsistent numbers of
transactions were being selected for testing of internal controls and compliance testing for the allowable costs/cost
principles compliance requirement. In addition, many auditors did not document the number of transactions and
the associated dollars of the universe from which the transactions were dawn.
The Report discusses a need to provide for consistency in sample sizes and recommends that OMB and AICPA
guidance be amended to require that compliance testing in Single Audits be performed using sampling in a
manner prescribed by SAS No. 39, as amended. Among other things, the Report also recommends specific
documentation requirements and indicates that guidance should include examples that illustrate proper documen
tation based on real compliance requirements and situations typically encountered when performing a Single
Audit. The Report is available at www.ignet.gov/pande/audit/NatSamProjRptFINAL2.pdf.
The AICPA and OMB (in conjunction with PCIE) have each formed task force groups to respond to the Report's
recommendation to provide more specific guidance for auditors on sampling in single audits. According to the
AICPA Audit Risk Alert, Government Auditing Standards and Circular A133 Developments 2008, it is expected this
guidance will be incorporated as a new chapter in the 2009 edition of the GAS/A133 AICPA Audit Guide. These task
force projects could result in revisions to OMB requirements, the GAS/A133 AICPA Audit Guide, and other
standards, regulations, and guidance. Auditors should be alert for further developments in this area.
Practical Guidance on Sample Size
The PPC approach described earlier is also a practical approach to determine a sample size for testing compliance
in a Single Audit. The approach is the same as that summarized at Exhibit 25 and explained in the paragraphs
preceding the exhibit with one difference. Instead of using a tolerable misstatement a tolerable noncompliance is
used. For purposes of auditing federal award programs, planning materiality and tolerable noncompliance are
estimated at five percent of federal program expenditures instead of using the tables typically used in a financial
statement audit. This approach will result in maximum sample sizes of 38, 46, and 60items (assuming the
population is stratified), based on the auditor's assessment of the combined risk of material noncompliance as low,
moderate, or high, respectively. (The sample sizes will be less if other audit procedures are also performed that
lower the risk.)
This approach to performing substantive tests of compliance is adapted from the AICPA Sampling Guide and is
based on the statistical theory of MUS (PPS) sampling. Exhibit 212 outlines the steps to applying this sampling
method. The auditor's consideration for each step is discussed in the paragraphs following the exhibit.

239

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Exhibit 212
Steps for a Nonstatistical Sampling Approach
to Substantive Tests of Compliance
Step Description

Required Result

1. Assess appropriate level of tolerable noncom


pliance.
2. Assess the risk of material noncompliance.
3. Use the table in Exhibit 214 to determine a risk
factor.
4. Estimate population balance after removal of items
to be examined 100% (individually significant
items).
5. Consider the amount of expected likely noncom
pliance in the population to be sampled.
6. Estimate the sample size using the following
formula:
Dollar value
of remaining
population (step 4)
Risk factor
 (steps 2 and 3)
Tolerable
noncompliance
(step 1)
7. Adjust sample size for lack of stratification in the
sample, if applicable.
8. Adjust sample size for items previously tested.

Tolerable noncompliance amount (normally


calculated as 5% of total program expendi
tures).
One of three qualitative levels of risk high,
moderate, or low for each of the categories of
risk assessment.
A factor between 1.9 and 3.0.
Quantified amount.
If expected noncompliance exceeds 1/3 of
tolerable noncompliance, sampling normally
should not be used.

Sample size

Possible sample size increase.


Possible sample size decrease.

Step 1 Assess Tolerable Noncompliance. The amount that should be used for tolerable noncompliance (ques
tioned costs) is normally 5% of total expenditures for the program.
Step 2 Assess the Risk of Material Noncompliance. The risk of material noncompliance (questioned cost) is
the combination of inherent risk and control risk. Exhibit 213 shows how the assessments of inherent risk and
control risk may be combined to determine the risk of material noncompliance (questioned costs). Documentation
of the assessment of the risk of material misstatement should be done whenever sampling methods are used.
Exhibit 213
Combined Risk of Material Noncompliance
Control Risk Assessment

Inherent
Inherent Risk
Assessment

High

Moderate

Low

High

High

High

Moderate

Moderate

Moderate

Low

Low

Low

Low

Low

Low

*
240

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Theoretically, the auditor should assess the risk of material noncompliance of the population to be sampled (that is,
the balance of program expenditures excluding individually significant items). However, in sampling applications,
the risk of material noncompliance for the program normally is a reasonable approximation of the risk of material
noncompliance of the remaining balance. Because the risk of material noncompliance in the remaining balance is
almost always equal to or less than the risk for the entire program, using the risk of material noncompliance for the
entire program is both reasonable and conservative.
Step 3 Identify a Risk Factor. Using the table presented in Exhibit 214, identify a risk factor based upon the
auditor's assessment of the program's combined risk of material noncompliance. The factors in the table corre
spond to levels for the risk of incorrect acceptance:
Exhibit 214
Table for Determination of Risk Factor
Risk of Material
Noncompliance

Risk Factor

High

3.0

Moderate

2.3

Low

1.9

Step 4 Estimate Remaining Population. The next step is to determine the dollar amount of items to be sampled
by reducing the total amount of the balance or transaction class (for example, total major program expenditures) by
individually significant items. As explained earlier, an item may be individually significant because of its nature or
size. Generally, the most efficient approach is to identify individually significant dollar items as all items greater than
or equal to tolerable noncompliance divided by the applicable risk factor as determined in Step 3. That is, the
fewest total number of items will be tested when individually significant dollar items are defined as tolerable
noncompliance divided by the applicable risk factor. Oftentimes, however, the efficiency gained between using
onethird, onehalf, or some other fraction of tolerable noncompliance is minimal. Consequently, it is recommended
that individually significant dollar items be defined as all items greater than or equal to onethird of tolerable
noncompliance. However, the cutoff amount for individually significant dollar items can be any amount up to
tolerable noncompliance. The choice of a cutoff amount is a matter of efficiency.
Step 5 Consider Expected Noncompliance. The last step before determining the sample size is to consider the
amount of expected likely noncompliance in the population to be sampled based on the auditor's knowledge of the
population and prior experience. If the amount of likely (i.e., projected) noncompliance is expected to exceed
onethird of tolerable noncompliance, sampling normally is not appropriate.
Step 6 Estimate Sample Size. To calculate the sample size, divide the total of the population to be sampled
(account balance or transaction class less individually significant items) by tolerable noncompliance, and multiply
that result by the risk factor determined in Step3.
Step 7 Increase Sample Size for Lack of Stratification. This sampling approach depends on dividing the items
being tested into at least three groups: individually significant items and an upper and lower group of remaining
items. If the auditor finds it impractical to stratify after identifying individually significant items, the sample size
calculated in Step6 must be increased. It is recommended that sample size be increased approximately 20% if
stratification is not practical, and there is not a significant variation in the items being sampled.
Step 8 Adjust Sample Size for Items Tested. The sample size calculated in either Step6 or Step7 should be
reduced for the items selected, and tested for compliance, as part of the financial statement audit and for those
items selected for tests of controls that were also tested for compliance in a dualpurpose test.
241

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

All items of noncompliance identified in either the items tested for financial statement audit purposes, items
selected for tests of controls that were also tested for compliance, or the remaining items tested for compliance
must be included when projecting noncompliance.
Alternative Guidance on Sample Size
A practical alternative approach to determining sample size has been developed. Essentially, it involves a choice
between a sample size of 25 and 60. A sample size of 25 is approximately a 10% tolerable rate and a 10% risk of
assessing control risk too low (risk of overreliance). A sample size of 60 is approximately a 5% tolerable rate and a
5% sampling risk. This sampling approach is useful when the concern is with the rate of a characteristic rather than
a dollar amount. The analogous statistical approach for this type of sampling is attribute sampling. This seems
appropriate for tests of compliance with laws and regulations in a Single Audit because the auditor is more
concerned with the rate of noncompliance than the dollar amount (that is, all instances of noncompliance detected
are reported), and the effect on the financial statements depends on grantor agency action and not the dollar
amount of noncompliance. Documenting such a sample is recommended.
Selecting the Sample. Sample selection will generally be made from each major program's transactions. The
auditor should be alert, however, for those instances where selection of only one sample from all major program
transactions would be appropriate. The GAS/A133 AICPA Audit Guide discusses sample selection in Paragraph
10.44, which states:
Experience has shown, however, that it is preferable to select separate samples from each major
program because the separate sample provides clear evidence of the tests performed, the results
of those tests, and the conclusions reached. If the auditor chooses to select audit samples from
the entire universe of major program transactions, the auditor should prepare the audit
documentation such that it clearly indicates that the results of such samples, together with other
audit evidence, are sufficient to support the opinion on each [emphasis added] major program's
compliance.
Evaluating Sample Results. When testing compliance in a Single Audit, the auditor is concerned not only with the
dollar amount of noncompliance but also the rate of noncompliance in the population. Therefore, the auditor
should consider not only the dollar amount of questioned costs but also the number of items of noncompliance
identified. Even though the dollar value of questioned costs may be insignificant, if it results from numerous
instances of small dollar items of noncompliance, the auditor should consider the overall effect on determining
whether the program is or is not in compliance. The qualitative aspect of the instances of noncompliance should
also be considered.
Considering Qualitative Characteristics. Size or frequency of noncompliance in a sampling application are not
the only factors that should be considered. An auditor should consider the following qualitative aspects of the
noncompliance (questioned costs):
a. The nature and cause of any questioned costs:
(1) Do the questioned costs result from an error (unintentional) or is it from a possible fraud (intentional)?
(2) If the noncompliance is the result of an error, is it due to misunderstanding of instructions or
carelessness?
b. The possible relationship of questioned costs to other phases of the audit.
Projecting Sample Results. SAS No. 39, as amended, (AU 350.26) states, The auditor should project the
misstatement results of the sample to the items from which the sample was selected. . . " OMB Circular A133 and
SAS No. 74 also require the auditor to determine the amount of likely questioned costs associated with audit
findings. These requirements are met by projecting the amount of questioned costs found in the sample. In
evaluating the sampling results in a Single Audit, the auditor compares total projected questioned costs for each
major federal award program to the amount of questioned costs considered material for that program and
considers the risk that such result might be obtained even if the amount of questioned costs exceeds the amount
considered material (i.e., sampling risk).
242

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

If the auditor determines that the projected amount of questioned costs are material to the individual program or
that sampling risk is unacceptable, the auditor's report should be modified. The auditor's estimate of projected
costs is also necessary to determine whether a finding must be reported in the schedule of findings and questioned
costs because likely questioned costs in excess of $10,000 trigger reporting of known questioned costs for the
particular compliance requirement. Even though the auditor is required to project the questioned costs identified
from the items sampled to the population as a whole, only the known questioned costs in the items tested need to
be reported in the schedule of findings and questioned costs. Also, the scope of the audit is not required to be
expanded. However, the auditor must consider the potential effect of the questioned costs in reporting on the
entity's financial statements and on compliance of the individual financial award programs.
Documenting the Sampling Application. Although SAS No. 39 does not impose specific documentation require
ments for audit sampling, SAS No. 103 (AU 339.03) requires that audit documentation be sufficient to provide a
clear understanding of the work performed (including the nature, timing, extent, and results of audit procedures
performed). In other words, the audit documentation should show that SAS No. 39 has been complied with. The
lack of documentation of sampling is one of the most common topics in letters of comments for peer reviews and
findings in quality control reviews. Both AICPA standards and the Yellow Book state that the audit documentation
should be sufficient to enable an experienced auditor with no connection with the audit to understand the nature,
timing, extent, and results of the audit procedures performed. In addition, SAS No. 103 states that documentation
of audit procedures, including those involving sampling, should include identifying characteristics of the specific
items that were tested. This requirement specifically includes tests of the operating effectiveness of controls and
substantive tests of details involving inspection of documents. Thus, audit documentation should document all
important aspects of the engagement, including the sampling and other selection criteria used, and should be
sufficiently detailed to permit reasonable identification of the work done and conclusions reached.
Circumstances Indicating a Need for Statistical Sampling
In certain circumstances, the auditor will not be able to follow the alternative guidance on sample size. One such
circumstance is the auditor's expectation for high rates of deficiencies in samples. The sample sizes of 25 or 60 are
appropriate for the conditions indicated when few or no deficiencies are expected. When the auditor expects to find
many deficiencies, it may be advisable to use statistical sampling with relatively large sample sizes to estimate the
upper limit on the rate or monetary amount involved.

AN EFFICIENT APPROACH TO TESTS OF TRANSACTIONS USING


ATTRIBUTE SAMPLING
For some nonprofit organizations, tests of transactions may be a common audit procedure. Many nonprofit
organizations use a single cash disbursements system and rely on proper coding of checks to achieve a correct
classification. To test classifications, the auditor may perform a test of transactions to test that aspect of transaction
processing. When the auditor's primary concern in selecting a sample of transactions and applying audit proce
dures to the supporting documentation is to evaluate an aspect of transaction processing such as classification, an
attribute sampling approach may be the most efficient.
Conditions for Using Attribute Sampling Approach
The basic conditions for using an attribute sampling approach are as follows:
a. the audit procedures being applied using sampling are not the only procedures that contribute to achieving
the auditor's objectives (that is, there are other related procedures); and
b. the auditor expects a low rate of monetary misstatement in the transaction class being sampled.
Other Related Procedures. When the audit procedure being applied using sampling is the sole basis for substan
tiating an amount that is a transaction total, the auditor should use the sampling approach described in substantive
tests of details discussed earlier in this lesson. However, if other audit procedures such as analytical procedures
provide persuasive evidence, the auditor's primary concern in testing transactions may be to test some aspect of
transaction processing (such as classification of expenditures). In this case, the auditor may use the attribute
sampling approach described here.
243

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Low Rate of Monetary Misstatement. If many misstatements are expected, the auditor must be concerned with
projecting monetary misstatement to assess whether the misstatement could be material. In that case, the
approach explained in substantive tests of details, or perhaps statistical sampling, should be used. When a low rate
of monetary misstatement is expected and the auditor's primary concern is in making an assessment of the
effectiveness of some aspect of processing, such as coding and classification, an attribute sampling approach as
described in this section may be used. This alternative approach is based on the mathematics of a statistical
attribute sampling plan. An attribute is a characteristic rather than a quantity; it is either present or not present, for
example, compliance or noncompliance with a pertinent control activity. This type of sampling plan can be
appropriate for a test of transactions when the primary concern is with an aspect of transaction processing. In this
case, the auditor is normally primarily concerned with the rate rather than the dollar amount of processing
misstatements. The rationale for concern with a rate rather than a dollar amount is that all transactions of that type
are processed through the same system, and the likelihood of misstatement for a particular transaction is indepen
dent of its size. In that respect, a misstatement is looked upon simply as a deviation.
Sample Size for Substantive Tests of Transactions
Using the underlying theory of an attribute sampling model results in the following:
 With a sample of 25, when no deviations are expected or found, there is approximately a 10% tolerable rate
and a 10% risk of assessing control risk too low (risk or overreliance).
 With a sample of 60, when no deviations or one deviation is expected or found, there is approximately a
5%8% tolerable rate and a 5% risk of assessing control risk too low (risk or overreliance).
These same sample sizes may be used for a test of transactions when the auditor's primary concern is an aspect
of processing effectiveness. The factors to consider in determining the appropriate sample size for a particular test
are explained in the following paragraphs.
Sample Size of 25. The auditor may use a sample size of 25 for a test of transactions when the basic conditions for
using an attribute sampling approach are met and the same sample is also being used to test controls pertinent to
the aspect of transaction processing being tested, i.e. the procedure is a dualpurpose test.
A sample size of 25 may also be used when the auditor wants to test the same sample of transactions for aspects
of transaction processing, the operating effectiveness of controls, and tests of compliance with funding source
restrictions or laws and regulations. However, the conditions for a sample size of 25 for a test of compliance with
laws and regulations must be met and all the transactions must be pertinent to the grant program.
Sample Size of 60. The auditor should use a sample size of 60 for a test of transactions when the basic conditions
for using an attribute sampling approach are met, but there are no effective controls pertinent to the aspect of
transaction processing being tested. This will be the case when the nonprofit organization has no policies and
procedures pertinent to the aspect of processing being tested, or when past experience, or a sample of 25
transactions in the current audit, indicates a lack of compliance.
This sampling approach is not designed to allow the auditor to project the amount of monetary misstatement in the
population. When deviations are detected, the auditor should make a careful qualitative evaluation of the nature
and cause of the deviation. Generally, a single deviation in a sample of 60 will still allow the auditor to conclude that
processing is effective. However, if two or more deviations are detected, additional procedures will generally be
needed. In some instances, the auditor may be able to identify the transactions that are likely to result in monetary
misstatement and examine those transactions 100%. Otherwise, the auditor should consider using the nonstatisti
cal sampling approach described in substantive tests of details or statistical sampling to estimate the amount of
likely misstatement in the population and evaluate whether the misstatement could be material.

244

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY QUIZ
Determine the best answer for each question below. Then check your answers against the correct answers in the
following section.
34. Which of the following is true about using audit sampling in conjunction with tests of controls?
a. Tests of controls using audit sampling have different requirements than tests of details of transactions.
b. A test of controls and a test of details cannot be performed on the same transaction.
c. Audit sampling is often used for tests of controls when a client has no effective policies.
d. The basic approach for applying tests of controls does not change if sampling is used.
35. This course outlines a sevenstep process for performing tests of controls using audit sampling. Put the
following steps in the correct order.
i. Select appropriate tests of controls.
ii. Assess control risk.
iii. Identify suitable controls for testing and, if applicable, related substantive
procedures to be reduced.
iv. Perform tests of controls.
v. Document the conclusions reached and tests performed.
vi. Evaluate results from the tests of controls.
vii. Consider if testing controls is practical.
a. vii, iii, i, iv, vi, v, and ii.
b. ii, vii, iii, i, iv, vi, and v.
c. iii, vii, i, iv, vi, ii, and v.
d. i, iii, iv, vi, vii, v, and ii.
36. Allie uses audit sampling in her tests of controls on a population greater than 200. She uses a sample size of
40. During the test, she discovers one deviation. What level of control risk would be assessed?
a. Low.
b. Moderate.
c. High.
37. In which of these examples does the auditor correctly perform audit sampling procedures related to tests of
controls?
a. Matthew uses block sampling while selecting samples for the tests of controls.
b. Terry finds a document necessary to perform the test missing and counts it as a deviation.
c. Victoria follows the guidance in SAS No. 39 to document her audit sampling procedures.
d. Bob uses a 75% confidence level to calculate the sample size using data extraction software.
38. What is meant by the requirement of SAS No. 39 that states that a selected sample must be a representative
sample?
a. Selection method allowing all items to have the opportunity to be selected.
245

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

b. Selection method of larger samples required when there is a greater risk of misstatement.
c. Selection method must be based on the auditor's professional judgment considering several risk factors.
d. Selection method of small sample size for tests of details with low dollar value and from a large population.
39. JulesLyn is auditing CreationOrg and is calculating sample size for a substantive test of compliance. Total
expenditures for the program are $1,000,000. The inherent risk assessment is low, but the control risk
assessment is high. JulesLyn determined for efficiency reasons to define individually significant items as all
items equal to or greater than 1/3 of tolerable noncompliance. Large dollar items that needed to be looked at
to see if they fall within the range of individually significant items were $10,000; $15,000; $22,000; $28,000; and
$50,000. JulesLyn determined that there was no expectation of noncompliance in the population to be
sampled. She further determined that no adjustments needed to be made for stratification or for items
previously tested. What would her calculated sample size be?
a. 54.
b. 41.
c. 44.
d. 46.
40. When would it be appropriate for an auditor to use an attribute sampling approach in a substantive test of
transactions?
a. This procedure is the sole basis for substantiating the total transaction amount.
b. The auditor wants to assess the effectiveness of an aspect of transaction processing.
c. The auditor expects high rate of monetary misstatement.
d. The auditor is concerned with a dollar amount of transaction misstatement.

246

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

SELFSTUDY ANSWERS
This section provides the correct answers to the selfstudy quiz. If you answered a question incorrectly, reread the
appropriate material. (References are in parentheses.)
34. Which of the following is true about using audit sampling in conjunction with tests of controls? (Page 229)
a. Tests of controls using audit sampling have different requirements than tests of details of transactions. [This
answer is incorrect. Many times, tests of controls that use audit sampling are tests of details of transactions.
The requirements discussed in SAS No. 39 apply to this type of test.]
b. A test of controls and a test of details cannot be performed on the same transaction. [This answer is
incorrect. A test of details and a test of controls can often be performed simultaneously on the same
transaction.]
c. Audit sampling is often used for tests of controls when a client has no effective policies. [This answer is
incorrect. Audit sampling is generally used for tests of controls that are directed toward operating
effectiveness when the audit client has documentation of the operation of controls.]
d. The basic approach for applying tests of controls does not change if sampling is used. [This answer
is correct. However, though the basic approach does not change, adding audit sampling methods
to the tests of controls means the auditor will have additional matters to consider.]
35. This course outlines a sevenstep process for performing tests of controls using audit sampling. Put the
following steps in the correct order. (Page 229 and Page 230)
i. Select appropriate tests of controls.
ii. Assess control risk.
iii. Identify suitable controls for testing and, if applicable, related substantive
procedures to be reduced.
iv. Perform tests of controls.
v. Document the conclusions reached and tests performed.
vi. Evaluate results from the tests of controls.
vii. Consider if testing controls is practical.
a. vii, iii, i, iv, vi, v, and ii. [This answer is incorrect. Suitable controls must be identified for testing before
considering if testing controls is practical.]
b. ii, vii, iii, i, iv, vi, and v. [This answer is incorrect. Control risk cannot be assessed until after the tests are
performed and evaluated.]
c. iii, vii, i, iv, vi, ii, and v. [This answer is correct. The additional procedures for using audit sampling
methods have been integrated into a stepbystep approach for applying tests of controls.]
d. i, iii, iv, vi, vii, v, and ii. [This answer is incorrect. Control risk must be assessed before the documentation
procedures are performed.]
36. Allie uses audit sampling in her tests of controls on a population greater than 200. She uses a sample size of
40. During the test, she discovers one deviation. What level of control risk would be assessed? (Page 234)
a. Low. [This answer is incorrect. The only way Allie can assess control risk as low with a sample size of 40
is if there are zero deviations. One deviation would have a low control risk if she used a sample size of 60.]
b. Moderate. [This answer is correct. The control risk for this test would be assessed as moderate. If
she had used a sample size of 25, her control risk would be high, and if she had used a sample size
of 60, her control risk would have been low with one deviation.]
247

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

c. High. [This answer is incorrect. With a sample size of 40, Allie would only have to assess control risk as
high if she had two or more deviations.]
37. In which of these examples does the auditor correctly perform audit sampling procedures related to tests of
controls? (Page 234)
a. Matthew uses block sampling while selecting samples for the tests of controls. [This answer is incorrect.
Block sampling means that Matthew has selected all the transactions of the type of transaction he is testing
that occurred for a day, week, or month. This type of sample selection is not appropriate for either tests
of controls or substantive procedures.]
b. Terry finds a document necessary to perform the test missing and counts it as a deviation. [This
answer is correct. When performing tests of controls, the absence of any documents needed to
perform the test means that item is counted as a deviation. This is unique to tests of controls.]
c. Victoria follows the guidance in SAS No. 39 to document her audit sampling procedures. [This answer is
incorrect. SAS No. 39 does not impose documentation requirements. However, Victoria can look to the
AICPA Sampling Guide for suggestions, including documentation of the objectives of the test of controls,
the method for determining sample size, and the method of sample selection.]
d. Bob uses a 75% confidence level to calculate the sample size using data extraction software. [This answer
is incorrect. In generally, a 90% confidence level should be used when data extraction software calculates
the sample size for a test of controls. The upper error limits should then correspond with Bob's planned
assessed level of control risk.]
38. What is meant by the requirement of SAS No. 39 that states that a selected sample must be a representative
sample? (Page 238)
a. Selection method allowing all items to have the opportunity to be selected. [This answer is correct.
The auditor should select a representative sample from each major program.]
b. Selection method of larger samples required when there is a greater risk of misstatement. [This answer
is incorrect. Although Circular A133 at section 525 lists the risk factors that must be considered when
determining sample size, this answer is not the definition of representative sample.]
c. Selection method must be based on the auditor's professional judgment considering several risk factors.
[This answer is incorrect. Circular A133 states that test of transactions selections should be based on the
professional judgment of the auditor taking the risk factors into consideration, however, this answer is not
the definition of representative sample.]
d. Selection method of small sample size for tests of details with low dollar value and from a large population.
[This answer is incorrect. This is not the definition of representative sample. The GAS/A133 AICPA Audit
Guide says that small sample sizes for tests of details with a low dollar value and from a large population
generally do not, by themselves, provide sufficient evidence."]
39. JulesLyn is auditing CreationOrg and is calculating sample size for a substantive test of compliance. Total
expenditures for the program are $1,000,000. The inherent risk assessment is low, but the control risk
assessment is high. JulesLyn determined for efficiency reasons to define individually significant items as all
items equal to or greater than 1/3 of tolerable noncompliance. Large dollar items that needed to be looked at
to see if they fall within the range of individually significant items were $10,000; $15,000; $22,000; $28,000; and
$50,000. JulesLyn determined that there was no expectation of noncompliance in the population to be
sampled. She further determined that no adjustments needed to be made for stratification or for items
previously tested. What would her calculated sample size be? (Page 239Page 241)
a. 54. [This answer is incorrect. This answer comes from using an incorrect risk factor.]
b. 41. [This answer is correct. The answer comes from the formula $900,000 divided by $50,000 times
2.3. Tolerable noncompliance is calculated as 5% of total program expenditures or $1,000,000 times
248

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

.05 equal $50,000. Risk of material noncompliance is moderate when inherent risk is low and control
risk is high. This calculates out as a risk factor of 2.3. One third of tolerable noncompliance is
$50,000 divided by 3 equal to $16,667. There are 3 items that will need to be examined 100%: $22,000
plus $28,000 plus $50,000 or $100,000. The estimated population balance after removal of those
items is $900,000 (1,000,000 less 100,000). The estimated sample size is calculated using the
formula: Dollar value of remaining population divided by tolerable noncompliance times risk factor
or $900,000 divided by $50,000 times 2.3.]
c. 44. [This answer is incorrect. This answer comes from calculating the amount of individually significant
items incorrectly.]
d. 46. [This answer is incorrect. This answer comes from calculating the population balance after removal of
individually significant items.]
40. When would it be appropriate for an auditor to use an attribute sampling approach in a substantive test of
transactions? (Page 244)
a. This procedure is the sole basis for substantiating the total transaction amount. [This answer is incorrect.
This approach should only be used when other procedures (e.g., analytical procedures) also provide
persuasive audit evidence.]
b. The auditor wants to assess the effectiveness of an aspect of transaction processing. [This answer
is correct. When the auditor's primary concern is whether an aspect of transaction processing is
working (such a characteristic is either present or not present), this could be a viable approach,
assuming other conditions are met.]
c. The auditor expects high rate of monetary misstatement. [This answer is incorrect. Attribute sampling
would only be acceptable if a low rate of monetary misstatement were expected by the auditor. If many
misstatements were expected, the auditor would have to be concerned with projecting monetary
misstatement to assess whether it could be material.]
d. The auditor is concerned with a dollar amount of transaction misstatement. [This answer is incorrect. Using
this approach allows the auditor to focus on a rate, not a dollar amount. All transactions of the type being
tested are processed through the same system; therefore, the likelihood of misstatement is independent
of the transaction's size.]

249

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

EXAMINATION FOR CPE CREDIT


Lesson 2 (NPOTG092)
Determine the best answer for each question below. Then mark your answer choice on the Examination for CPE
Credit Answer Sheet located in the back of this workbook or by logging onto the Online Grading System.
22. What piece of authoritative literature provides guidance that most directly affects the extent of audit tests?
a. SAS No. 39.
b. SAS No. 39, amended by SAS No. 111.
c. SAS No. 99.
d. The AICPA Audit and Accounting Guide, Audit Sampling.
23. Define audit sampling.
a. The application of an audit procedure to less than 100% of the items in an account balance or class of
transactions to evaluate some characteristic of the balance or class.
b. Application of an audit procedure limited to a specific group of items in a balance or class of transactions
that share a distinct characteristic.
c. Examining a few transactions in a balance or class of transactions for the purpose of obtaining an
understanding of the nature of the client's operations.
d. Applying audit procedures to one or a few transactions of each type with the purpose of clarifying the
auditor's understanding of the design of the company's internal controls.
24. Which of the following procedures would most likely involve audit sampling?
a. Risk assessment procedures to obtain an understanding of internal control.
b. Tests of automated application controls when effective general IT controls are present.
c. Substantive tests of details of account balances and transactions.
d. Analyses of the effectiveness of access and security controls.
25. The following are steps to an approach for planning the extent of substantive procedures involving tests of
details needed when auditing a nonprofit organization. Arrange them in the correct order.
i.
ii.
iii.
iv.
v.

Determine an amount for the individually significant dollar items.


Determine what procedures, if any, are needed to test the remaining balance.
Calculate the remaining balance.
Assess the appropriate level of tolerable misstatement.
Identify unusual items.

a. v, i, iii, ii, iv.


b. ii, iv, i, v, iii.
c. iii, i, v, ii, iv.
d. iv, i, v, iii, ii.
250

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

26. Match the following unusual items to the appropriate audit area.
1. Accounts receivable

i. Slowmoving large dollar items.

2. Plant, property, and equipment

ii. Large debit balances.

3. Accounts payable

iii. Units with highly volatile values.

4. Expenses

iv. Large credit balances.


v. Vendor accounts in dispute.
vi. Additions involving capitalization of inter
est.
vii. Customers whose names cause a signifi
cant question.
viii. Expense entries that appear to be inap
propriate.

a. 1 viii; 2 ii and i; 3 v; and 4 vi and vii.


b. 1 iv and vii; 2 vi; 3 ii and v; 4 viii.
c. 1 ii and iv; 2 i; 3 vii and iii; 4 vii.
d. 1 vii; 2 viii; 3 i and iv; 4 iii and v.
27. Chelsea has finished examining the individually significant items for her audit engagement, and now must
decide what else, if anything, must be done for the remaining balance. She has assessed the risk of material
misstatement on the remaining balance as low and the individually significant items made up 75% of the
account balance as a whole. Which of the following best illustrates what Chelsea should do next?
a. Chelsea does not need to perform any additional procedures on the remaining balance.
b. At a minimum, Chelsea should scan the remaining balance for any unusual items.
c. Chelsea must perform additional analytical procedures to the remaining balance.
d. Chelsea must apply audit sampling procedures to the remaining balance.
28. Which of the following sampling types can be used for both the statistical and nonstatistical sampling
approach?
i. Random selection
ii. Systematic sampling
iii. Haphazard selection
a. i and ii.
b. i and iii.
c. ii and iii.
d. i, ii, and iii.
251

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

29. Sam needs to select the sample items for his audit sampling engagement using the random selection method.
Which of the following methods should he use?
a. Use several random starts during selection.
b. Use the probability theory.
c. Stratify the population into two equal parts.
d. Create a random number table.
30. In which of the following scenarios has the auditor dealt with audit sampling in tests of details appropriately?
a. Maria determines that the allowable risk should be 5% instead of the 7% she'd originally estimated, so she
increases the required sample size.
b. In Will's audit, a large percentage of the balance could be misstated without causing material
misstatement, so he uses a large sample size to compensate.
c. Dawn includes accounting adjustments in the expected projected misstatement for her audit sampling
engagement.
d. Reginald determines the sample size for his audit sampling engagement using a fixed percentage of the
population.
31. The risk of material misstatement is the combination of what?
a. Tolerable misstatement and inherent risk.
b. Control risk and the risk of incorrect acceptance.
c. Inherent risk and control risk.
d. The risk of incorrect acceptance and tolerable misstatement.
32. Annie uses nonstatistical audit sampling to perform tests of details. Then she estimates the remaining
population. When identifying the risk factor, Annie determines that the risk of material misstatement is moderate
and the risk from assessment of other substantive procedures is low. Annie assesses tolerable misstatement
at $6,000. Use the most efficient method to calculate the cutoff amount for individually significant items.
a. $72.
b. $2,000.
c. $5,000.
d. $6,720.

252

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

33. Mark is contemplating using data extraction software to select his audit sample. What is one advantage Mark
would gain by using data extraction software?
a. He will be able to scan numerically sequenced items to account for their sequence and select the sample
more efficiently.
b. The data extraction software will calculate the sample size and evaluate the sample results more effectively
than Mark could on his own.
c. The data extraction software will verify the completeness of the population, which will save Mark time
during the sampling process.
d. Mark can use the data extraction software to extract unusual and individually significant items from the
population after sampling.
34. Lisa plans to project the misstatement from her audit sampling to the entire populating using the difference
method. The amount of sample misstatement is $300, the amount of sample dollars is $40,000, and the amount
of population dollars is $400,000. The number of sample items Alice used is 100, and the total number of items
in the population is 1,500. Calculate the projected population misstatement.
a. $3,000.
b. $4,500.
c. $80,000.
d. $133,333.
35. Walter must project the misstatement of his audit sampling to the population. When determining the risk of
misstatement, Walter concluded that the greatest risk of misstatement related to the size of the items. What
method should he use to project the misstatement?
a. The ratio method.
b. The difference method.
c. The population approach.
d. Walter can use any method as they generally produce the same results.
36. If an audit included the following amounts, what projected misstatement amount ensures an acceptable level
of sampling risk?
Accounts receivable balance:

$ 500,000

Tolerable misstatement:

$ 50,000

Expected misstatement:

$ 10,000

a. $8,500.
b. $11,000.
c. $16,667.
d. $17,000.
253

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

37. Match the following sampling terms to their definitions as they relate to tests of controls.
1. Deviation

i. Maximum rate of deviations that still support the


planned assessed level of control risk.

2. Tolerable rate

ii. The class of transactions being sampled.

3. Risk of assessing control


risk too low

iii. Departure from a prescribed control policy or


procedure.

4. Expected rate

iv. An auditor's allowable risk of assessing control risk


too low.

5. Population

v. The rate of deviations an auditor expects based on


his or her prior experience and knowledge of the
population's characteristics.

a. 1 v; 2 iv; 3 iii; 4 ii; 5 i.


b. 1 ii; 2 v; 3 i; 4 iii; 5 iv.
c. 1 v; 2 iii; 3 iv; 4 i; 5 ii.
d. 1 iii; 2 i; 3 iv; 4 v; 5 ii.
38. Which of the following is a distinguishing feature of tests of controls that use audit sampling?
a. Deviation from the control must be expressed as a monetary misstatement.
b. Footing will determine completeness of the population from which the sample will be taken.
c. The deviation rate must be related to the risk of monetary misstatement.
d. During the course of the sampling, the remaining population must be stratified.
39. Under SAS No. 103, which of the following should be documented by an auditor performing tests of controls
with sampling?
a. The items tested.
b. The definition of the population.
c. The tolerable deviation rate.
d. The evaluation of the sample.
40. What is the difference in the approach to determine sample size for testing compliance in a federal award
program rather than a financial statement audit?
a. A tolerable noncompliance is used rather than a tolerable misstatement.
b. Results of approach taken with financial statement audit yields sample sizes of 38, 46, and 60 items.
c. Planning materiality and tolerable noncompliance are estimated at 3% rather than 5%.
d. Do not select this answer choice.
254

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

GLOSSARY
Appropriateness: The measure of the quality of audit evidence; its relevance and its reliability in providing support
for, or detecting misstatements in, the classes of transactions, account balances, and disclosures and related
assertions.
Analytical procedures: Evaluations of financial information made by a study and comparison of plausible
relationships among both financial and nonfinancial data. This includes trend analysis, ratio analysis, and predictive
or reasonableness tests.
Audit evidence: Evidence, the third fieldwork standard, requires the auditor to obtain sufficient competent evidential
matter to provide a reasonable basis for an opinion on financial statements. Evidential matter begins with the client's
accounting records; however, the client's accounting records alone are not considered sufficient or competent
enough to support an opinion. The auditor must obtain and analyze evidence from external sources (e.g.,
confirmations) and through personal observation and inspection (e.g., physical inventory), recalculation, inquiry,
reconciliation, and other testing methods to corroborate the accounting records. Evidential matter must be sufficient
(is there enough evidence?) and competent (is it valid and relevant?) enough to withstand the scrutiny of other
auditors or outsiders. The evidence must be convincing enough to enable the outsiders to reach the same conclusion
as the auditor.
Audit sampling: The application of an audit procedure to less than 100 percent of the items within an account
balance or class of transactions for the purpose of evaluating some characteristic of the balance or class, according
to SAS No. 39. Any test that involves application of procedures to less than 100% of the items in the population without
projecting the results to the entire account balance or class of transactions is not audit sampling.
Control risk: The risk that a material misstatement that could occur will not be prevented or detected on a timely
basis by the entity's internal control. It is an element of audit risk.
Deviation: Departure from the prescribed control policy or procedure.
Data extraction software: Some auditors may use data extraction software in audit sampling. The ability of data
extraction software to quickly process large volumes of data can save time spent on sample selection. Data extraction
software can also be used to assist in performing analytical procedures, where it allows the practitioner to analyze
information downloaded from a client's computer system. Procedures such as calculating and sorting percentage
variances in accounts between periods and calculating financial ratios can be performed using data extraction
software, and those procedures can be performed at a detailed level as easily as at an aggregated level, resulting
in a higher level of precision.
Expected rate: The rate of deviations the auditor expects based on prior experience and knowledge of the
characteristics of the population
Flexible timing procedures: Flexible timing substantive procedures can be applied at any time, including an interim
date. These procedures generally consist of examining transactions or gathering information without attempting to
reach a conclusion about an entire account balance as of an interim date. The procedures can be performed through
an interim date and later extended to the balance sheet date. The auditor can then reach one conclusion covering
the balance for the entire year.
General procedures: Procedures auditors are specifically required to perform that do not relate to particular account
balances, such as sending a letter of audit inquiry to the client's lawyer and reading minutes of meetings of directors.
Haphazard sampling: A sampling method in which sampling items are selected in no specific pattern without bias
for or against any items in the population. It can be used for nonstatistical samples if care is taken to be sure no
conscious bias is added to the selection process.
Individually significant items: This term encompasses two types of items in a financial statement component: (a)
individually significant dollar items and (b) unusual items.
255

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Inherent risk: The susceptibility of an assertion to a material misstatement, assuming that there are no related
internal controls. It is an element of audit risk. Inherent risk exists as an inseparable part of certain assertions and/or
account balances or classes (e.g., cash, complex calculations, and accounts dependent on accounting estimates).
Inherent risk may also arise from external factors (e.g., technological obsolescence) or internal factors (e.g., lack of
sufficient working capital).
Interim audit procedures: Procedures performed to arrive at a conclusion about an account balance as of an interim
date. Additional procedures are then performed to extend the interim conclusion to the balance sheet date.
Misstatement: A reported amount that is over (overstated) or under (understated) the actual amount. It may result
from errors (mistakes) or fraud. The objective of the audit is to detect any material misstatements that exist in the
financial statements taken as a whole. Individual misstatements are aggregated and analyzed to determine if the
aggregate is material to financial statement elements and as a whole. Judgments regarding audit risk depend on
the level of misstatement that can be accepted (tolerable misstatement) before the misstatement is considered
material.
Nonstatistical sampling: A sampling technique for which the auditor considers sampling risk in evaluating an audit
sample without using statistical theory to measure that risk. It does not enable the auditor to quantify sampling risk
but can provide sufficient competent evidential matter. It is a plan which does not meet the requirements to be
statistical.
Overall review analytical procedures: A category of analytical procedures identified by SAS No. 56. These are used
in the final review stage of the audit.
Population: In an audit sampling application, the population is usually all items that constitute the account balance
or class of transactions, excluding those items selected for individual testing.
Preliminary analytical procedures: A category of analytical procedures identified by SAS No. 56. These are used
to enhance the auditor's understanding of the client's business and assist in assessing areas of specific risk of
misstatement by identifying unexpected relationships among account balances or the absence of expected
relationships.
Random sampling: A sampling method that provides each item in the population an equal chance to be selected
for both sampling approaches statistical and nonstatistical sampling.
Representative sample: According to SAS No. 39, a sample in which the sample items are selected in such a
manner that all items have an opportunity to be selected.
Sampling unit: The individual items that are subjected to audit procedures and that represent the components of
the population.
Significant risk: Risk that requires special audit attention.
Statistical sampling: A sampling plan in which the laws of probability are used for selecting and evaluating a sample
from a population for the purpose of reaching a conclusion about the population. It allows the auditor to design an
efficient sample, to measure the sufficiency of the evidential matter obtained, and to evaluate the sample results. It
enables the auditor to quantify sampling risk. For a sampling plan to be statistical the sample must be statistically
selected (e.g., using random selection) and the sample results must be mathematically evaluated.
Substantive procedures: Further audit procedures performed for the purpose of detecting material misstatements
at the relevant assertion level. They consist of tests of details and substantive analytical procedures.
Substantive analytical procedures: A category of analytical procedures identified by SAS No. 56. These are used
to obtain audit evidence about potential misstatements.
Sufficiency: The measure of the quantity of audit evidence.
256

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

Systematic sampling: A sampling method in which the sampling interval is determined by dividing the population
by the number of items to be sampled. It can be used with nonstatistical or statistical sampling to give every item
in the population an equal chance of being selected if a random start is used. However, it may not produce an equal
opportunity for all combinations of sampling units to be selected unless numerous random starts are made.
Tests of controls: Tests directed toward the design or operation of internal controls to assess their effectiveness in
preventing or detecting material misstatements in a financial statement assertion. They are used to test the specific
controls the auditor would like to use to reduce control risk. The auditor is testing for the number of deviations from
the control (e.g., the number of credit sales invoices that do not show proper credit approval).
Tests of transactions: The auditor's objective in using a substantive test of transactions is to decide whether the total
of a transaction class is materially misstated. The auditor inspects documents supporting recorded transactions to
determine whether transactions are valid, and valued and coded properly (i.e., recorded correctly as to account,
amount, and period).
Tolerable rate: The maximum rate of deviations that would still support the planned assessed level of control risk.
Unusual items: An item that may be individually significant if, because of its nature, it is prone to misstatement or
otherwise requires audit attention, such as related party transactions and negative customer receivable balances.

257

Companion to PPC's Guide to Audits of Nonprofit Organizations

258

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

INDEX
A
ANALYTICAL PROCEDURES
 Completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Interim testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Types and purposes of analytical procedures
 Purposes of analytical procedures . . . . . . . . . . . . . . . . . . .
 What are analytical procedures? . . . . . . . . . . . . . . . . . . . . .
 What distinguishes substantive analytical
procedures? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

S
SAMPLING
 Attribute sampling approach to substantive tests of transactions
 Conditions for use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
 Sample size for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
 Authoritative literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
 Case studies
 Definition and uses of sampling . . . . . . . . . . . . . . . . . . . . . . . . . 197
 Determining whether sampling is necessary
 Factors to consider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223, 236
 Nonsampling approach to substantive procedures . . . . . . . . 203
 Nonsampling approach to substantive tests
 Considering the need to apply additional audit
procedures remaining items . . . . . . . . . . . . . . . . . . . . . . . . . 205
 Identifying individually significant items . . . . . . . . . . . . . . . 203
 Relation of types of audit tests to audit sampling
 Substantive tests of balances . . . . . . . . . . . . . . . . . . . . . . . . 199
 Substantive tests of transactions . . . . . . . . . . . . . . . . . . . . . 199
 Tests of compliance with laws and regulations . . . . . . . . . 200
 Tests of controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
 Requirements that apply to all audit samples
 Basic requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 212, 214
 Choosing a selection method . . . . . . . . . . . . . . . . . . . . . . . 213
 Defining the population . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
 Defining the sampling unit . . . . . . . . . . . . . . . . . . . . . . . . . . 212
 Projecting sample results . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
 Random selection using random numbers . . . . . . . . . . . . 213
 Selecting sample items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
 Substantive tests of details using sampling
 Alternative approach for substantive tests of
transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
 Considering qualitative characteristics . . . . . . . . . . . . . . . . 223
 Considering sampling risk . . . . . . . . . . . . . . . . . . . . . . . . . . 222
 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
 Planning considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
 Practical approach to nonstatistical sampling . . . . . . . . . . 218
 Projecting the misstatement . . . . . . . . . . . . . . . . . . . . . . . . . 222
 Selecting the sample . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
 Tests of compliance with laws and regulations using sampling
 Alternative nonstatistical sampling approach . . . . . . . . . . 242
 Sample size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238, 239
 Single Audit requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
 Statistical sampling, circumstances indicating
need for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
 Tests of controls using sampling
 Assess control risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
 Consider whether testing is practical . . . . . . . . . . . . . . . . . 230
 Define the population . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
 Document tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
 Evaluate results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
 Expected rate of deviation . . . . . . . . . . . . . . . . . . . . . . . . . . 233
 Identifying controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
 Risk of assessing control risk too low . . . . . . . . . . . . . . . . . 233
 Selecting and performing tests . . . . . . . . . . . . . . . . . . . . . . 231
 Single Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
 Statistical versus nonstatistical sampling . . . . . . . . . . . . . . 234
 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
 Tolerable rate of deviation . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

181
164
157
157
158

AUDIT PLANNING
 Fraud, responsibility for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
 Timing of substantive tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
AUDIT PROCEDURES
 Basic substantive audit procedures
 Completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
 Tests of details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
AUTHORITATIVE LITERATURE
 AICPA pronouncements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
 Auditing literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
 Single Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

C
CHANGES IN AUDIT REQUIREMENTS
 Substantive procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
CHECKLISTS
 Sampling planning and evaluation form substantive
tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
 Test of controls form, sampling planning and
evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
CONFIRMATION LETTERS
 Representation letter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

D
DATA EXTRACTION SOFTWARE
 Sample selection using . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

F
FRAUD
 Auditor's responsibility for fraud detection . . . . . . . . . . . . . . . .
 Fraud risk assessment
 Documenting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Required procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Responding to fraud risk assessment
 Addressing the risk of management controls
override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Effect on audit programs . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Misappropriation of assets, unique considerations . . . . .
 Professional skepticism . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Specific responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

175
180
178
178
180
177
177
175

FURTHER AUDIT PROCEDURES


 Substantive procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

SINGLE AUDIT
 Sampling requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

GENERAL RISK ANALYSIS AND INITIAL PLANNING


 Fraud risk assessment
 Analytical procedures and . . . . . . . . . . . . . . . . . . . . . 162, 163

STATEMENTS ON AUDITING STANDARDS (SAS)


 SAS No. 103 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
 SAS No. 106 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
 SAS No. 110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
 SAS No. 56 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157, 166
 SAS No. 85 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
 SAS No. 99 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

I
ILLEGAL ACTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
INTERIM TESTING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

259

Companion to PPC's Guide to Audits of Nonprofit Organizations


SUBSTANTIVE PROCEDURES
 Analytical procedures and accounting estimates . . . . . . . . . .
 Analytical procedures and fraud detection . . . . . . . . . . . . . . . .
 Corroboration of explanations . . . . . . . . . . . . . . . . . . . . . . .
 Analytical procedures and interim testing . . . . . . . . . . . . . . . . .
 Appropriate procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Authoritative literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Changes from previous standards . . . . . . . . . . . . . . . . . . . . . . .
 Choosing between analytical procedures and
substantive tests of details . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Considering whether circumstances are favorable
to substantive analytical procedures . . . . . . . . . . . . . . . . . . . . .
 Availability of data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 Likely cause of potential misstatements . . . . . . . . . . . . . . .
 Precision of expectation . . . . . . . . . . . . . . . . . . . . . . . . . . . .

NPOT09

 Type of account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160


 Designing effective substantive analytical procedures
 First ask management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
 Identify comparables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
 Talk to operating personnel . . . . . . . . . . . . . . . . . . . . . . . . . 159
 Documenting substantive analytical procedures . . . . . . . . . . . 166
 Other types of analytical procedures . . . . . . . . . . . . . . . . . 167
 Principal substantive tests of significant assertion . . . . . . 166
 Identifying and evaluating significant differences revealed by
substantive analytical procedures
 Corroboration of the explanation of the difference . . . . . . 165
 Evaluation of the significance of differences . . . . . . . . . . . 165
 Nature, timing, and extent of substantive procedures . . . . . . 148
 Required in every audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
 Risk assessment standards requirements . . . . . . . . . . . . . . . . 188
 Sufficiency and appropriateness of audit evidence . . . . . . . . 147

164
162
163
164
148
145
148
148
160
160
161
160
160

260

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

COMPANION TO PPC'S GUIDE TO AUDITS OF NONPROFIT ORGANIZATIONS

COURSE 3
Special Accounting and Auditing Considerations for Nonprofit Organizations
(NPOTG093)
OVERVIEW
COURSE DESCRIPTION:

This interactive selfstudy course discusses special accounting and auditing


considerations and is generally relevant to all types of nonprofit organizations; but,
when necessary, distinctions are made between accounting and auditing
considerations that apply to voluntary health and welfare organizations and those
that apply to other nonprofit organizations.

PUBLICATION/REVISION
DATE:

February 2009

RECOMMENDED FOR:

Users of PPC's Guide to Nonprofit Organizations

PREREQUISITE/ADVANCE
PREPARATION:

Basic knowledge of accounting and auditing

CPE CREDIT:

8 QAS Hours, 8 Registry Hours


Check with the state board of accountancy in the state in which you are licensed to
determine if they participate in the QAS program and allow QAS CPE credit hours.
This course is based on one CPE credit for each 50 minutes of study time in
accordance with standards issued by NASBA. Note that some states require
100minute contact hours for self study. You may also visit the NASBA website at
www.nasba.org for a listing of states that accept QAS hours.

FIELD OF STUDY:

Accounting, 4 hrs.; Auditing, 4 hrs.

EXPIRATION DATE:

Postmark by March 31, 2010

KNOWLEDGE LEVEL:

Basic

Learning Objectives:
Lesson 1 Cash, Investments, and Contributions in the Nonprofit Environment
Completion of this lesson will enable you to:
 Examine nonprofit client accounting and auditing considerations generally, and identify auditing consider
ations related to cash.
 Describe accounting and auditing considerations related to nonprofit clients and investments including those
related to SFAS 124 and SAS 92.
 Outline nonprofit client accounting and auditing issues concerning contributions and promises to give,
including debt guarantees, promises to pay in the future, and splitinterest agreements.
Lesson 2 Other Activities Related to Nonprofits and Their Financials
Completion of this lesson will enable you to:
 Explain nonprofit accounting and auditing issues associated with program service fees, revenue, and
receivables in exchange transactions.
 Examine accounting and auditing issues related to nonprofits that involve donations of services or physical
items such as goods and facilities.
 Summarize nonprofit accounting and auditing issues related to program and support services costs and
expenses.
 Describe accounting and auditing considerations related to payroll and related liabilities.
261

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

 Explain nonprofit accounting and auditing concerns related to inventories, and property and equipment.
 Outline nonprofit accounting and auditing issues related to other topics such as debt and statement of activities
accounts.
TO COMPLETE THIS LEARNING PROCESS:
Send your completed Examination for CPE Credit Answer Sheet, Course Evaluation, and payment to:
Thomson Reuters
Tax & Accounting R&G
NPOTG093 Selfstudy CPE
P.O. Box 966
Fort Worth, TX 76101
See the test instructions included with the course materials for more information.
ADMINISTRATIVE POLICIES:
For information regarding refunds and complaint resolutions, dial (800) 3238724 for Customer Service and your
questions or concerns will be promptly addressed.

262

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

Lesson 1:CASH, INVESTMENTS, AND


CONTRIBUTIONS IN THE NONPROFIT
ENVIRONMENT
INTRODUCTION
This lesson includes various accounting and auditing aspects associated with the cash, investments, and contribu
tions of nonprofit clients. Confirmations, valuations, and consideration of fraud are among the topics discussed.
Learning Objectives:
Completion of this lesson will enable you to:
 Examine nonprofit client accounting and auditing considerations generally, and identify auditing considerations
related to cash.
 Describe accounting and auditing considerations related to nonprofit clients and investments including those
related to SFAS 124 and SAS 92.
 Outline nonprofit client accounting and auditing issues concerning contributions and promises to give,
including debt guarantees, promises to pay in the future, and splitinterest agreements.
The following authoritative pronouncements specifically relate to nonprofit organizations and are referred to
frequently throughout this lesson:
 SFAS No.116, Accounting for Contributions Received and Contributions Made (FASB ASC 958605),
requires measuring contributions received and promises to give at their fair value and reporting them as
increases in net assets immediately, even if the donor has restricted their use and the restriction will be met
in a future reporting period.
 SFAS No.117, Financial Statements of NotforProfit Organizations (FASB ASC 958205, 958210, 958225,
958720), requires the general purpose external financial statements of nonprofit organizations to consist
of statements of financial position, activities, and cash flows. Voluntary health and welfare organizations
are required to present an additional statement of functional expenses.
 SFAS No.136, Transfers of Assets to a NotforProfit Organization or Charitable Trust That Raises or Holds
Contributions for Others (FASB ASC 95820, 958605), as amended, establishes standards for transactions
in which a donor transfers assets to a recipient organization that (a)uses the assets on behalf of or
(b)transfers the assets, the return on investment of the assets, or both, to a beneficiary named by the donor.
It also establishes standards for revocable or reciprocal transfers for similar transactions that are not
contributions.
 AICPA Audit and Accounting Guide, NotforProfit Organizations (Audit Guide) (FASB ASC 958), provides
additional guidance in the areas of splitinterest agreements and accounting for contributions that expands
on the original guidance in SFAS No.116.
Responsibility for Fraud Detection
The auditor is responsible for designing the audit to detect material misstatements, whether caused by error or
fraud. The auditor does not routinely select procedures designed specifically to detect fraud in ordinary circum
stances. However, SAS No.99, as amended (AU 316), Consideration of Fraud in a Financial Statement Audit,
requires the auditor to specifically identify and assess risks of material misstatement due to fraud and to respond
to the results of the assessment when gathering and evaluating audit evidence. SAS No. 113, Omnibus 2006,
amended SAS No. 99 to provide a clear link between the auditor's consideration of fraud and the auditor's risk
assessment and procedures in response to those risks by referring to SAS Nos. 109 and 110.
Based on the auditor's assessment of fraud risks, he or she may alter the nature of procedures performed (i.e.,
apply additional procedures designed to detect fraud), or alter the timing or extent of procedures performed. The
263

Companion to PPC's Guide to Audits of Nonprofit Organizations

NPOT09

auditor also may require more or different evidence to support material transactions or balances than would be the
case if the auditor did not identify any specific fraud risks. In addition, SAS No. 99 also requires auditors to perform
certain specific procedures to address the risk of management override of controls, including examining the
organization's journal entries and other adjustments, reviewing accounting estimates for bias, and evaluating the
business rationale for significant unusual transactions.
A risk of misappropriation of assets will exist in many nonprofit organizations. However, the auditor is not responsi
ble for immaterial fraud, and many frauds involving misappropriation of assets are not material to the financial
statements. Consequently, auditors need not automatically perform additional procedures related to misappropri
ation simply because a risk of misappropriation exists. The auditor should consider the level of risk that material
misappropriation has occurred.
SAS No. 99 (AU 316.41) requires auditors to ordinarily presume that improper revenue recognition is a risk that may
result in material misstatement of the financial statements due to fraud. In addition, even if the auditor does not
identify specific risks of material misstatement due to fraud, SAS No.99 requires the auditor to perform procedures
to address the risk of management override of controls. The SAS also indicates that account balances or classes
of transactions that are particularly susceptible to manipulation, such as those involving significant estimates or the
application of complex accounting principles, may present risks of material misstatement due to fraud. Auditors
should consider whether it is necessary to identify risks relating to specific operating locations as well as to the
organization as a whole.
Responsibility for Communicating Internal Control Related Matters
SAS No. 112 (AU 325A), Communicating Internal Control Related Matters Identified in an Audit, requires auditors to
report certain matters relating to an entity's internal control that they have identified during the audit. SAS No. 112
describes those matters as significant deficiencies" and material weaknesses." The significant deficiencies and
material weaknesses must be reported in writing to management and those charged with governance. SAS No.
112 notes in AU 325A.02 that the term those charged with governance refers to the individuals or bodies (such as
the audit committee) that have responsibility for overseeing the entity's strategic direction and its obligations
related to accountability, including overseeing its financial reporting process. SAS No. 112 also discusses the form
of reporting when there are significant deficiencies and material weaknesses.
Auditing Fair Value
Recent accounting standards indicate a move to providing more fair value information. Under generally accepted
accounting principles, fair value measurements are used for specific items in the financial statements or, in some
cases, as a comprehensive basis for all items in the financial statements. In addition, GAAP requires disclosures in
several areas, such as investments and derivatives and donated materials and services. Fair value measurements
of assets, liabilities, and components of net assets may arise from the initial recording of transactions and the
subsequent changes in value.
SAS No. 101 (AU 328), Auditing Fair Value Measurements and Disclosures, provides guidance on auditing fair value
measurements and disclosures contained in financial statements. SAS No. 101 provides overall guidance for
auditing fair values, but it does not provide detailed auditing guidance for specific assets, liabilities, transactions, or
industries. For more specific guidance, auditors might also consider other sources such as SAS No. 92 (AU 332),
Auditing Derivative Instruments, Hedging Activities, and Investments in Securities, SFAS No. 144, Accounting for the
Impairment or Disposal of LongLived Assets (FASB ASC 36010), SFAS No. 157, Fair Value Measurements (FASB
ASC 82010), and the AICPA Audit and Accounting Guide, NotforProfit Organizations (FASB ASC 958).
According to SAS No. 101, the auditor should obtain an understanding of the organization's process for determin
ing fair value and assess the risk that the fair value measurement would result in material misstatement of the
financial statements. Some fair values are readily determinable because there are relevant quoted market prices.
For such items, published price quotations in an active market are the best evidence of fair value. When there is no
observable market price or items have characteristics requiring an estimate to be made, a valuation method
acceptable under GAAP should be used.
When a valuation method is used, the auditor considers the appropriateness of the method, including manage
ment's rationale for selecting the method. Auditors may consider whether management has evaluated the range of
264

NPOT09

Companion to PPC's Guide to Audits of Nonprofit Organizations

values resulting from different methods and investigated the reasons for the differences. Changes in circumstances
or authoritative literature may require changes in the method used to determine fair value.
The following approaches may be used to obtain evidence supporting a fair value estimate determined using a
valuation model:
 Test the client's valuation, including manage