Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Audit Risk Assessment Chapter 9


Published on

Audit Risk Assessment , Chapter 9

Published in: Education
  • Login to see the comments

Audit Risk Assessment Chapter 9

  1. 1. Chapter 9 Audit Risk Assessment Prepared by Dr Phil Saj 1
  2. 2. Learning objectives 1. Appreciate the importance of audit risk assessment and why it is linked to financial statement assertions. 2. Explain the importance of business risks in audit planning. 3. Describe the procedures performed by an auditor to assess risk. 4. Appreciate the importance of internal control to an entity and to its independent auditors. 2
  3. 3. Learning objectives 5. Indicate the procedures for obtaining and documenting an understanding of the entity’s internal control. 6. Explain why and how a preliminary assessment of control risk is made. 7. Explain the importance of the concept of audit risk and its three components. 3
  4. 4. Management’s financial statement assertions Existence or occurrence Assets or liabilities of the entity exist at a given date and whether recorded transactions or events have occurred during the period. Completeness Transactions, events and accounts that should be presented in the financial statement are included. Cut-off All transactions, events and accounts have been recorded in the correct period. 4
  5. 5. Management’s financial statement assertions Rights and obligations Assets represent rights of the entity and liabilities are the obligations of the entity at a given date. Valuation and allocation Asset, liability, components have been included in the financial statements at the appropriate amounts. Accuracy Transactions have been appropriately recorded in the proper accounts. 5
  6. 6. Management’s financial statement assertions Presentation and disclosure Particular components of the financial statements are properly classified, described and disclosed. Refer to the textbook Table 9.1, page 363, for illustrations of each of these assertions. 6
  7. 7. Business risk assessment A business risk approach allows the auditor to: Identify threats faced by the organisation. Recognises that most business risks will eventually have an effect on the financial statements. Increase the chances of identifying risks of material misstatements in the financial reports Categories of business risk: Financial risk Operational risk Compliance risk 7
  8. 8. Risk assessment procedures Enquiries Management, staff, internal auditors, company bankers, legal advisors. Analytical procedures Provide a broad indication of the likelihood of possible errors. Observations and inspections Inspection of manuals, visiting business premises, observing procedures taking place. 8
  9. 9. Importance of internal control The Committee of Sponsoring Organisations (COSO) of the Treadway Commission defines internal control as: a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations 9
  10. 10. Management responsibility Management must establish and maintain the entity's control structure, which aids management by ensuring: irregularities are prevented or detected and corrected; assets are safeguarded; financial records are accurately reflected; adherence to management policies; operational efficiency is promoted that prevents; and unnecessary duplication of effort. Because of its inherent limitations, an internal control structure cannot be regarded as completely effective, regardless of the care taken in its design and implementation. 10
  11. 11. Auditor responsibility ASA 315 para 12 states that: The auditor shall obtain an understanding of internal control relevant to the audit The auditor’s understanding of the internal control is then used to plan the audit and to determine the nature, timing and extent of tests to be performed. The above has to be done in the context of the internal control structure as defined in ASA 315. 11
  12. 12. The internal control system Five components: Control environment Risk assessment processes Information system Control activities Monitoring controls (ASA 315 paragraph A58) 12
  13. 13. Control environment Sets the tone of the entity towards control consciousness and includes: Enforcement of integrity and ethical values example: setting the ‘tone at the top’ of the entity by demonstrating integrity and ethical behaviour. Commitment to competence example: adequate knowledge and skills at every level in the entity 13
  14. 14. Control environment Participation by those charged with governance Management’s philosophy and operating style example: approach to taking and monitoring business risks. Organisational structure Assignment of authority and responsibility Human resource policies and practices example: screening prospective employees. 14
  15. 15. Risk assessment Risk assessment is the process used to identify, analyse and manage the relevant risks which may affect the achievement of the entity’s objectives, including the preparation of financial statements. 15
  16. 16. Risk assessment Key factors include for example: changes in the operating environment new personnel new or revamped information systems rapid growth corporate restructuring expanded foreign operations All of the key factors have inherent risks with potential adverse financial consequences. 16
  17. 17. Information systems and communication Information systems consist of procedures and records established to: initiate, record, process and report an entity's transactions maintain accountability for the related assets, liabilities and equity A major focus is that transactions are handled in such a way that financial statements are presented fairly in accordance with accounting standards. 17
  18. 18. Control activities Control activities are policies and procedures that help ensure that management directives are carried out to address risks that threaten the achievement of entity objectives. 18
  19. 19. Control activities (examples include) Performance reviews Information processing controls example: general controls and application controls over input, processing and output in a computerised system. Physical controls Segregation of duties example: ensuring that individuals do not perform incompatible duties such as banking cash and performing bank reconciliations. 19
  20. 20. Information Processing Controls General controls (apply to systems as a whole): Organisational controls Systems development and maintenance controls Access controls Data and procedural controls Application controls (input, processing and output controls) Segregation of duties Physical controls Performance reviews 20
  21. 21. Monitoring Monitoring is the process by which the entity monitors t he quality of internal controls over time Involves assessing the design and operation of controls on a timely basis and taking the necessary corrective actions Ongoing monitoring activities could include: internal audit; continual management review of exception and operation reports; and review/response to customer complaints. 21
  22. 22. Limitations of control Cost versus benefits Management override Non-routine transactions Mistakes in judgment Collusion Breakdown Changes in conditions 22
  23. 23. Understanding internal control Issues can include: Identifying the types of potential misstatements that may occur example: where to look for potential errors and fraud Understanding factors that affect the risk of material misstatement example: revenue recognition issues in some entities Designing further audit procedures example: assess adequacy of risk assessment procedures and plan tests of controls. Testing general and application controls in computerised systems. 23
  24. 24. Procedures to obtain an understanding Procedures can include: reviewing previous experience with the entity being audited inquiries of management, supervisory and staff personnel inspection of documents and records observation of the entity’s activities and operations transaction walk-through reviews to confirm documented understanding 24
  25. 25. Documenting the understanding Internal Control Questionnaire (ICQ) Consists of a series of questions about accounting and control policies and procedures the auditor feels are necessary to prevent material misstatements in the financial statements. Flow chart Is a schematic diagram that uses standardised symbols, interconnecting flow lines and annotations to portray the steps involved in processing information through the information system. 25
  26. 26. Documenting the understanding Narrative memoranda May be used to supplement other forms of documentation by summarising the auditor’s overall understanding of the information system or specific control policies or procedures. 26
  27. 27. Preliminary assessment of Control Risk ASA 315 paragraph 25: The auditor shall identify and assess the risks of material misstatement at the financial report level, and the assertion level for classes of transactions, account balances and disclosures. Purpose of preliminary assessment Assessment to obtain a reasonable understanding of controls in place decide on appropriate audit strategy so as to design a detailed audit program. 27
  28. 28. Process of assessing control risk Use professional judgement to assess the control environment. Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements. Assess whether controls were effectively applied throughout the period under audit. 28
  29. 29. The audit risk model Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statement is materially misstated. In setting the desired audit risk, auditors seek an appropriate balance between the costs of an incorrect audit opinion and the costs of performing the additional audit procedures necessary to reduce audit risk. 29
  30. 30. Audit risk components Inherent risk (ASA 200) The possibility that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, assuming there are no related controls. Inherent risk exists independently of the audit of financial statements and thus auditors cannot change the actual level of inherent risk. As defined by auditing standards, inherent risk is confined to the risk of material misstatements. 30
  31. 31. Audit risk components Control risk (ASA 200) Is the risk that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, and not be prevented, detected, or corrected on a timely basis by the entity’s internal control structure? Control risk is a function of the effectiveness of the internal control structure as good controls reduce risk. 31
  32. 32. Audit risk components Detection risk (ASA 200) Is the risk that an auditor’s substantive procedures will not detect any material misstatements that exist in an assertion, either individually or when aggregated with other misstatements. It is a function of the effectiveness of substantive procedures and their application by an auditor and thus is fundamental to the amount of audit work undertaken. The level of detection risk is controllable by the auditor through: appropriate planning, direction, supervision and review variation in the nature, timing and extent of audit procedures effective performance of the audit procedures and evaluation of their results 32
  33. 33. The relationships among risk components An auditor’s objective is to achieve an acceptably low level of audit risk, as is practicable. Recognising the cost of performing audit procedures, there is an inverse relationship between the assessed levels of inherent and control risks and the level of detection risk that the auditor can accept Auditors, although unable to control inherent risk (IR) and control risk (CR), can assess these risks and design substantive procedures to produce an acceptable level of detection risk, thus reducing the audit risk to an acceptable level. 33
  34. 34. The relationships among risk components The audit risk model provides a framework for auditors to apply in responding to these assessed risks through their choice of audit procedures. The audit risk model expresses the relationship between the components audit risk (AR) as follows: AR = IR  CR  DR I.e. Audit risk = Inherent risk  Control risk  Detection risk 34
  35. 35. The relationships among risk components Auditor’s Assessment of Control Risk High Medium Low Auditor’s Assessment of Inherent Risk High Lowest Lower Medium Medium Lower Medium Higher Low Medium Highest Highest 35
  36. 36. Non-quantified audit risk model Auditors may use non-quantified expressions for risk. This is consistent with the quantified audit risk model, in that the acceptable levels of detection risk are inversely related to the assessments of inherent and control risks. If the assessments of control and inherent risks are both high, then the acceptable level of detection risk will generally have to be very low. 36
  37. 37. Non-quantified audit risk model That is, the risk that the auditor’s substantive procedures will not detect material misstatements will need to be low — which means more substantive testing by the auditor Conversely, if an auditor’s assessment of control and inherent risks are both low, then the acceptable level of detection risk can be high, i.e. the auditor’s substantive procedures can be reduced. 37