Risk-Assessment-.pptx
1. Challenging Risk Assessment in Planning an Audit –
PLANNING THE AUDIT FOR EFFECTIVENESS AND EFFICIENCY
Annette Eustice, CPA, CGFM
231.627.8381
annette.eustice@rehmann.com
March 5, 2017
2. OBJECTIVE
• Risk assessment is a key requirement in the planning
phase of an audit.
The objective of this presentation is to provide the
participant with a brief overview of the risk assessment
planning process of an audit, documentation
requirements, and how to best plan an audit around the
conclusions developed from the risk assessment planning
process.
3. EXAMPLES OF CHALLENGES IN RISK
ASSESSMENT
• Risks identified - no audit response
• Risks identified in planning are not considered
in the risk assessment.
• Fraud risks identified are not reflected in risk
assessment and no audit response is prepared.
• Areas identified as significant in other planning
are not identified as significant in the risk
assessment planning.
4. EXAMPLES OF CHALLENGES IN
RISK ASSESSMENT
• Audit responses crafted to address identified risks are
not reflected in the audit program.
• Audit procedures to be performed (added) which are
documented in risk assessment are not added in the
audit program (tailoring).
• Low risk areas identified during risk assessment as
areas being addressed using a limited approach and to
be documented on a lead sheet are actually supported
by a formal audit program with basic or extended
procedures in the audit program.
5. WHAT WOULD YOU DO IF?
• You had unlimited time to complete an audit and
the client was willing to pay you an unlimited
amount to do it right?
• You have a fixed fee contract of $20,000 and 100
hours to complete the engagement
6. WHAT IS RISK ASSESSMENT?
Audit Procedures
• Concentrate audit effort
in high risk areas
– Inherent risk
– Control risk
• Perform less extensive
procedures in low risk
areas
Linkage
Risk Assessment
• Obtain an
understanding of the
client, including
internal control
• Identify and assess
risks of material
misstatement of the
financial statements
• Evaluate both overall
risks and risks that
affect only specific
assertions
7. The Cycle of Risk Assessment
Preliminary Engagement Activities
• Client acceptance/continuance
• Establishing an understanding with the client
Planning and Risk Assessment Procedures
• Engagement Team Discussion
• Materiality
• Risk Assessment Procedures
• Understand the entity and its environment, including internal control
Assessing Risk and Developing Responses
• Assess risks at the FS level
• Develop an audit strategy
• Assess risks at the relevant assertion level
• Develop a detailed audit plan
Perform Further Audit Procedures
• Test controls (if applicable)
• Substantive Audit Procedures
8. Client Acceptance/Continuance
Consider:
Nature and purpose of engagement
Client’s reputation, integrity, and competence
Communication with predecessor
Compliance with ethical requirements, including
independence
Adequacy of accounting records
Firm resources and competence
Engagement economics
Other risk concerns
9. Planning and Risk Assessment Procedures
Perform a retrospective review of accounting estimates
Understand the entity and its environment, including internal control
Perform risk assessment procedures
Determine materiality
Hold an engagement team discussion
10. Engagement Team Discussion
Discuss the susceptibility of the financial
statements to material misstatement
Consider fraud risks and risks of error
Include:
Critical issues and areas of significant audit risk
Areas susceptible to management override of controls
Unusual accounting practices
Important control systems
Materiality considerations
Need to exercise professional skepticism
Business risks
Fraud considerations
11. Engagement Team Discussion
(cont.)
Attendance:
Auditor with final responsibility
Key members of engagement team
Tax Personnel
Concurring Reviewers
Document:
How the discussion occurred, the subject matter,
who participated, and decisions about planned
responses
12. Materiality
• Apply professional judgment
• Consider decisions that users make
• Use appropriate benchmarks, such as % of
assets or revenue
• Re-evaluate materiality as the audit progresses.
If lower, reconsider:
Level of performance materiality
Adequacy of procedures
13. Materiality
• Document:
Materiality at the financial statement level
If applicable, materiality level(s) for
particular transaction classes, account
balances, or disclosures
Performance materiality
Factors considered in their determination
Any revisions made during the audit
14. Perform Risk Assessment Procedures
Two categories of audit procedures:
• Risk Assessment Procedures
• Further Audit Procedures
Both Provide Audit Evidence
16. Risk Assessment Procedures
• Performed to obtain an understanding of the
entity and its environment, including internal
control, for the purpose of assessing risks
• All of the procedures should be performed
• Inquiry alone is not sufficient to understand
internal control
• Provide audit evidence
17. Required Inquiries
Inquire about:
Fraud
Related parties
Accounting estimates
Compliance with laws and regulations
Service organizations
18. Observation and Inspection
• Inspect documents and records
• Read internal reports and minutes
• Read external information
• Visit premises and plant facilities
• Trace transactions through the system
(walkthroughs)
19. Analytical Procedures
• Preliminary analytical procedures
• Analytical procedures related to revenue
required by AU-C 240
• To enhance understanding of the business and
identify potential risk areas
20. Understanding the Entity and Its
Environment
• Perform risk assessment procedures (inquiry,
analytics, observation, and inspection) to gather
information about:
Industry, regulatory, and other external factors
Nature of the entity
Objectives, strategies, and related business risks
Measurement and review of the entity’s financial
performance
Selection and application of accounting policies
21. Understanding the Entity and Its
Environment
• Consider the presence of fraud risk factors
• Update information obtained in prior years by
performing risk assessment procedures to
determine if the information has changed
23. Understanding Internal Control
• Understand design and implementation
• Perform inquiry, observation, and inspection
• Inquiry alone is not sufficient to understand the
design and implementation of controls
24. Understanding Internal Control
• Evaluate the design and implementation of
controls—
Related to significant risks
Related to risks that cannot be tested effectively
using substantive procedures alone
• Understand—
How the incorrect processing of transactions is
resolved
How detail is reconciled to the general ledger for
material accounts
25. Understanding Internal Control
• Document the following:
Understanding of internal control
components
Sources of information
Procedures performed
Controls evaluated related to significant risks
and risks for which substantive procedures
alone are not effective
26. Understanding Internal Control
Document the processing of
transactions for each significant
transaction class
Document the financial close and
reporting process
27. Identifying Significant Transaction Classes
• Transaction classes that present a reasonable
possibility of material misstatement of the
financial statements or disclosures based on:
Volume of activity
Size and composition of accounts
Types of transactions
Presence of fraud risks or other significant
risks
Changes from the prior period
28. Understanding Significant Transaction
Classes
• How are transactions initiated and authorized?
• How are transactions recorded and processed?
• How are transactions reconciled?
• What reports are generated and how are they
used?
29. Understanding Significant Transaction
Classes
• Consider control objectives:
Completeness: All transactions are recorded
Occurrence: All recorded transactions occurred and
pertain to the entity
Accuracy: Transactions are recorded in the proper
amount
Classification: Transactions are recorded in the
proper account
Cutoff: Transactions are recorded in the proper
period
30. Documenting Significant
Transaction Classes
• Narrative description
• Focus on key controls and control objectives
related to identified risks
• How are control objectives achieved?
• What controls are in place to address
significant or fraud risks?
• Are controls properly designed and
implemented?
31. Performing Walkthroughs
• Select one or a few transactions
• Trace from initial creation of the source
document to final posting in the general ledger
• Inspect documents and records used in
processing, make inquiries, and observe
procedures being performed
32. Tests of Controls
• Perform tests of controls if:
Relying on them to reduce the risk
assessment
Substantive tests alone are not adequate
• Inquiry alone is not sufficient for testing
controls
33. Tests of Controls
• Rotational tests of controls are permitted:
Obtain evidence about whether the controls have
changed using inquiry, observation, and inspection
If controls have changed, rotation is not appropriate
Test a control at least once every three years
If several controls are rotationally tested, test some
controls each year
If relying on controls for significant risks, controls
must be tested in the current year
34. Retrospective Review of
Accounting Estimates
• Performed to evaluate:
Effectiveness of management’s estimation
process
Information relevant to current year
estimates
The need for disclosure
The existence of possible management bias
35. Assessing Risks and Developing
Responses
Develop the detailed audit plan
Assess risks at the relevant assertion level
Develop the overall audit strategy
Assess risks at the financial statement level
36. Assess Risks at the Financial
Statement Level
• Identify risks that are pervasive to the financial
statements and potentially affect many
assertions
• Assess the risk of material misstatement at the
financial statement level
• Develop overall responses
• Document the risk assessment and the
responses
37. Develop the Overall Audit Strategy
• Characteristics of the engagement that define its scope
• Reporting objectives of the engagement
• Important factors that determine audit focus
• Resources needed to perform the audit
38. Factors That Determine
Audit Focus
• Materiality levels
• Overall risks and responses
• Preliminary identification of high risk audit areas
• Preliminary identification of material locations and
accounts
• Whether you plan to test controls
• Composition and deployment of the audit team
39. Assess Risks at the Relevant
Assertion Level
• Identify risks of material misstatement (due to
error or fraud) for specific—
Account balances
Transaction classes
Disclosures
• Consider what can go wrong at the relevant
assertion level
40. Assess Risks at the Relevant
Assertion Level
Account Balances, Transaction Classes, Disclosures
• Existence or Occurrence
• Completeness
• Rights or Obligations
• Valuation or Allocation
• Accuracy or Classification
• Cutoff
41. Assess Risks at the Relevant
Assertion Level
• Assessing risks at the assertion level
Are the risks of a magnitude that could result in
material misstatement?
What is the likelihood that the risks could result in
material misstatement?
• Likelihood is a function of:
Inherent risk
Control risk
• Need a basis for the assessment
42. Assess Risks at the Relevant
Assertion Level
• Identify significant risks that require special audit
consideration
Fraud risks
Other significant risks
• Significant risks often relate to:
Significant economic, accounting, or other
developments
Complex, non-routine, or judgmental matters
Transactions with related parties
43. Assess Risks at the Relevant
Assertion Level
• Identify risks for which substantive procedures
alone are not adequate
• Revise the risk assessment and reconsider
planned audit procedures if audit evidence
contradicts the original risk assessment
44. Assess Risks at the Relevant
Assertion Level
• Document the following:
Risk assessment at the relevant assertion
level
Basis for the assessment
Significant risks
Risks for which substantive procedures alone
are not adequate
45. The Detailed Audit Plan
• The nature, timing, and extent of further audit
procedures to respond to the risk assessment
(i.e., the audit program)
• Provides linkage between the risk assessment
and the responses at the assertion level
46. Tailoring the Audit Programs
Low RMM
• No audit program
• Used for insignificant audit areas with low RMM
Low to Moderate RMM
• Primarily substantive analytics
• Some tests of details (required by SASs)
Moderate to High RMM
• Tests of details and extended analytics
• For audit areas or assertions with higher risk
47. Performing Further
Audit Procedures
Further Audit Procedures
• Tests of Controls
• Substantive Procedures
Substantive Procedures
• Tests of Details
• Substantive Analytical Procedures
48. Substantive Procedures
• Test all relevant assertions for material
account balances, transaction classes, and
disclosures
• Perform procedures specifically to address
significant risks
• Substantive analytical procedures alone are not
sufficient for significant risks
49. Substantive Procedures
• Perform the following substantive procedures in
all audits:
Agree the financial statements and notes to
the accounting records
Examine material journal entries and other
adjustments made when preparing the
financial statements
Procedures required by AU-C 240 to address
the risk of management override of controls
50. IMPACT OF THE CLARITY
STANDARDS (AU-C-300)
• Engagement partner has to be involved in the
planning of the audit and must include key
members of the audit team.
• The auditor has to plan the nature, timing and
extent of the supervision of the team and the
review of its work. Planning the supervision and
review wasn’t explicit before.
• Auditor has to document the audit strategy and the
reasons for changes in the audit strategy or audit
plan.
51. IMPACT OF THE CLARITY
STANDARDS
– Auditor was expected to consider all other
non-audit services. Now it requires
considering ONLY the engagement partner’s
prior engagements for the entity. AU-300.08
52. IMPACT OF THE CLARITY
STANDARDS
– In addition to the features that didn’t change, the
auditor is now required to specifically consider
whether the control environment promotes a culture
of honesty. AU-C-315.15
– Auditor has to specifically consider whether the lack
of a risk assessment process is a material weakness
or significant deficiency. This was implicit in SAS
No. 115, but is explicit here. AU-C-315.18
– The auditor has to specifically consider the internal
audit function, if there is one,
in assessing risk. AU-C-315.24
53. IMPACT OF THE CLARITY
STANDARDS
– Auditor was expected to consider all other non-audit
services. Now it requires considering ONLY the
engagement partner’s prior engagements for the entity.
AU 314.13
– Audit team discussion was to include critical issues and
need for skepticism. Skepticism still applies but is not
required to be explicitly discussed. AU 314.18-19
– Auditor had to consider the reliability and precision of
information used in performance measures. AU 314.38
– Auditor was required to understand reconciliation
procedures for significant accounts – now only for
material accounts. AU 314.90
54. IMPACT OF THE CLARITY
STANDARDS
– The auditor should revise FS materiality during the
audit in light of information that would have suggested
a different amount if the auditor had the information
when originally calculating materiality. Implied before
but explicit now. AU-C-320.12
– The auditor has to document separate materiality
levels for transaction classes, account balances, or
disclosures when he or she determines that otherwise
immaterial misstatements in them would affect the
decision of users. AU-C-320.14
55. IMPACT OF THE CLARITY
STANDARDS
– The auditor should obtain more persuasive evidence
the higher the risk assessment. AU-C-330.07
– When tests of controls reveal deviations, the auditor
should make specific inquiries to understand the
consequences of deviations and determine whether
there is a basis for reliance, whether additional tests
are necessary, and whether the risk of material
misstatement needs to be addressed through
substantive procedures. AU-C-330.17
– Accounts receivable should be confirmed. This was
only a presumption under SAS 67. AU-C-330.20
56. IMPACT OF THE CLARITY
STANDARDS
– If unexpected misstatements are found at an interim
date, the auditor should determine whether the plan
should be modified. AU-C-330.22
– The method of item selection should be effective to
meet the purpose of the procedure. AU-C-330.23
57. 1. Can you use a standard audit
program?
An auditor can use a standard program as the core of
the procedures to be applied rather than starting with a
blank piece of paper. But, the programs have to be
tailored to address the risks specific to the
engagement. On recurring engagements, it is
reasonable to use the prior year’s audit programs as a
starting point and revise them for new conditions or to
introduce additional efficiencies or an element of
unpredictability.
58. 2. Who should attend a planning
meeting?
• The standards do not specify who should attend, but some auditors
recommend that, when practical, all members of the team participate
in the discussion. There are advantages to this:
• Everyone, including the newest staff, can learn from the partner’s
perspective.
• In many cases, the partner has the most perspective on the
business.
• The manager and in-charge have knowledge that the partner may
not have.
• Each team member who participated in the prior engagement has a
different perspective to bring to the table.
• Even staff level people may know things, such as available reports
or systems information, that more senior people may have forgotten
or not be as familiar with.
The standards DO state that the Partner and Key Members of the Audit
Team should be involved in planning.
59. 3. Are walkthroughs required on
all controls? Every year?
AU-C-315.14 says the auditor should evaluate the design of
controls and determine whether they have been implemented.
Implementation means that the control exists and the entity is
using it. So, the auditor has to apply a procedure – a walkthrough
– to make sure the controls that he or she understands
to be in existence have been put into operation. However,
AU-C315.A68 notes that assessing implementation of an
ineffectively-designed control is of little use, so walkthroughs of
those controls are unnecessary. Assessing effectiveness of the
controls’ design before determining implementation can limit
walkthroughs to only those controls that appear to be effective.
• On the other hand, if controls are deemed ineffective, the
auditor has to consider the ramifications in assessing risk and
has to consider whether the control weaknesses have to be
reported to management and those charged with governance.
60. 4. If the entire audit is conducted by the Engagement
Partner, is documentation of the engagement team
discussion necessary?
AU-C230 A19 says that in such an audit, the
documentation need not include items that
serve solely to inform or instruct members
of the engagement team or evidence review
of the work. (This acknowledgement is new
to SAS 122). Accordingly, the discussion
does not have to be documented. But risks
identified and the responses to them would
still have to be documented.
61. 5. Is the calculation of performance materiality the same as
for tolerable misstatement?
There is no new requirement, merely a new term. The
same factors for performance materiality are used for
tolerable misstatement.
62. 6. Did the clarification standards raise the bar on the need
to confirm accounts receivable?
SAS 67 did not contain an explicit requirement to confirm
accounts receivable. The standard stopped just short of a
requirement; it said that unless any of three conditions
are present, there is a presumption that receivables
would be confirmed. The auditor could overcome this
presumption, but had to document how the presumption
was overcome. Under the clarified standard, it is a
requirement; if the auditor does not comply, he or she has
to document how, in the absence of obtaining accounts
receivable confirmations, the intent of the requirement
was achieved. So, while the standard technically raises
the bar, it is unlikely to cause much change in practice.