week 6 lecture handout - full
DESCRIPTION
LectureTRANSCRIPT
Chapter 9
Audit Risk Assessment
Announcement
QUIZ TWO
• The second quiz for this course will open on 8am, Wednesday 26th August and will close on 11.59pm, Friday 28th August.
• Students are once again reminded that you have only one chance to attempt this quiz, and you should attempt within the allocated time. Failure to do so will result in a zero marks being awarded to the student.
• This quiz covers chapters 4, 5 & 6. It will comprise of 20 multiple choice questions. The time allocated for this quiz is only 20 minutes. The quiz is contributes 1% towards your course assessment.
Objectives
• Appreciate the importance of audit risk assessment and why it is linked to financial statement assertions
• Describe the procedures performed by an auditor to assess risk
• Appreciate the importance of internal control to an entity and to its independent auditors
• Indicate the procedures for obtaining and documenting an understanding of the entity’s internal control
• Explain why and how a preliminary assessment of control risk is made
• Explain the importance of the concept of audit risk and its three components
Managements financial statement assertions
Existence or occurrence• Assets or liabilities of the entity exist at a given date
and whether recorded transactions or events have occurred during the period
Completeness• Transactions, events and accounts that should be
presented in the financial statement are included
Cut-off•All transactions, events and accounts have been recorded in the correct period
Managements financial statement assertions
Rights and obligations Assets represent rights of the entity and liabilities are
the obligations of the entity at a given date
Valuation and allocation• Asset, liability, components have been included in the
financial statements at the appropriate amounts
Accuracy• Transactions have been appropriately recorded in the
proper accounts
Managements financial statement assertions
Presentation and disclosure• Particular components of the financial statements are
properly classified, described and disclosed
Business risk assessment
• A business risk approach allows the auditor to:– Identify threats faced by the organisation– Recognises that most business risks will eventually
have an effect on the financial statements– It increase the chances of identifying risks of material
misstatements in the financial reports• Categories of business risk:
– Financial risk– Operational risk– Compliance risk
Risk assessment procedures
• Enquiries– Management, staff, internal auditors, company
bankers, legal advisors • Analytical procedures
– Provide a broad indication of the likelihood of possible errors
• Observations and inspections– Inspection of manuals, visiting business premises,
observing procedures taking place
Importance of internal control
• The Committee of Sponsoring Organisations (COSO) of the Treadway Commission defines internal control as:– a process, affected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:• Effectiveness and efficiency of operations• Reliability of financial reporting• Compliance with applicable laws and regulations
10
Management responsibility
• Management (not the auditor), must establish and maintain the entity's control structure
• Control structure aids management to ensure:– irregularities are prevented or detected and corrected– assets are safeguarded– financial records are accurately reflected– adherence to management policies– operational efficiency is promoted that prevents
unnecessary duplication of effort
• Because of its inherent limitations, an internal control structure cannot be regarded as completely effective, regardless of the care taken in its design and implementation
11
Auditor responsibility
• ASA 315 para 12 states that:
The auditor shall obtain an understanding of internal control relevant to the audit
• The auditor’s understanding of the internal control is then used to plan the audit and to determine the nature, timing and extent of tests to be performed
• The above has to be done in the context of the internal control structure as defined in ASA 315
12
The internal control system
Five components (ASA 315 para A51)• Control environment• Risk assessment• Information system• Control activities• Monitoring
13
• Sets the tone of the entity towards control consciousness and includes:
• Enforcement of integrity and ethical values– e.g. setting the ‘tone at the top’ of the entity by
demonstrating integrity and ethical behaviour• Commitment to competence
– e.g. adequate knowledge and skills at every level in the entity
Control environment
14
• Participation by those charged with governance• Management’s philosophy and operating style
– e.g. approach to taking and monitoring business risks
• Organisational structure• Assignment of authority and responsibility• Human resource policies and practices
– e.g. screening prospective employees
Control environment
15
Risk assessment
• Risk assessment is the process used to identify, analyse and manage the relevant risks which may affect the achievement of the entity’s objectives, including the preparation of financial statements
Risk assessment
• Key factors include for example: – changes in the operating environment– new personnel– new or revamped information systems– rapid growth– corporate restructuring– expanded foreign operations
• All of the key factors have inherent risks with potential adverse financial consequences
17
Information systems and communication
• Information systems consist of procedures and records established to – initiate, record, process and report an entity's
transactions – maintain accountability for the related assets,
liabilities and equity • A major focus is that transactions are handled in such
a way that financial statements are presented fairly in accordance with accounting standards
18
Control activities
• Control activities are policies and procedures that help ensure that management directives are carried out to address risks that threaten the achievement of entity objectives
Control activities
• Key factors include:– performance reviews– information processing controls– e.g. general controls and application controls over
input, processing and output in a computerised system
– physical controls– segregation of duties– e.g. ensuring that individuals do not perform
incompatible duties such as banking cash and performing bank reconciliations
20
Information Processing Controls
• General controls
Apply to systems as a whole:– Organisational controls– Systems development and maintenance controls– Access controls– Data and procedural controls
• Application controls (input, processing & output controls)
• Segregation of duties• Physical controls• Performance reviews
21
Monitoring
• Monitoring is the process by which the entity monitors the quality of internal controls over time
• Involves assessing the design and operation of controls on a timely basis and taking the necessary corrective actions
• Ongoing monitoring activities could include:– internal audit– continual management review of exception and
operation reports
– review/response to customer complaints
22
Limitations of control
• Cost versus benefits• Management override• Non-routine transactions• Mistakes in judgment• Collusion• Breakdown• Changes in conditions
23
Understanding internal control
Issues can include:• Identifying the types of potential misstatements that
may occur– e.g. where to look for potential errors and fraud
• Understanding factors that affect the risk of material misstatement– e.g. revenue recognition issues in some entities
• Designing further audit procedures– e.g. assess adequacy of risk assessment
procedures and plan tests of controls• Testing general and application controls in
computerised systems
24
Procedures to obtain an understanding
• Procedures can include:– reviewing previous experience with the entity
being audited– inquiries of management, supervisory and staff
personnel– inspection of documents and records– observation of the entity’s activities and operations– transaction walk-through reviews to confirm
documented understanding
Example 1
Refer to Professional Application Question 9.23
Example 1
(a) Business risks are threats that the organisation faces in attempting to achieve its goals. In this case there are a couple of main business risks to HealthyGlow, both are in relation to the purchase of the new full-body scanning machines.• Studies that have shown the potential side-effects of the new machines is
a concern, which is a risk in the longer term. In the short term, the bad publicity is a risk although it appears to have had little effect on the level of bookings.
• The potential ban of the use of the machines by the Medical Association of NSW is a much more significant short term business risk – even though management only assesses this likelihood at 20% (the auditor would want more evidence on this). HealthyGlow have significant capital investment in these machines and also significant revenue that is contingent on the continued operation of the machines.
Example 1
(b) i. The scanners (property, plant and equipment) ii. Revenue and unearned revenue(c) i. Valuation. The scanners may become worthless if they cannot be used due to the possible decision by the Medical Association of NSW. There may be an overseas market for them but this presumably would result in a significant discounting of value.ii. Accuracy and cut-off for revenue. There is a risk that HealthyGlow has been incorrectly recording revenue before the service is provided. The auditor will need to ensure that only those services provided before the end of June have been included in revenue and payments received for bookings after the end of June should be included as ‘Unearned revenue’.Completeness for unearned revenue. There is a risk that revenue that has not been earned has not been accounted for properly.
28
Documenting the understanding
• Internal Control Questionnaire (ICQ)– consists of a series of questions about accounting
and control policies and procedures the auditor feels are necessary to prevent material misstatements in the financial statements
• Flow chart– is a schematic diagram that uses standardised
symbols, interconnecting flow lines and annotations to portray the steps involved in processing information through the information system
Documenting the understanding
• Narrative memoranda– may be used to supplement other forms of
documentation by summarising the auditor’s overall understanding of the information system or specific control policies or procedures
30
Preliminary assessment of Control Risk
• ASA 315 para 25:The auditor shall identify and assess the risks of material misstatement at the financial report level, and the assertion level for classes of transactions, account balances and disclosures
• Purpose of preliminary assessment– Assessment to obtain a reasonable understanding
of controls in place– decide on appropriate audit strategy so as to
design a detailed audit program
31
Process of assessing control risk
• Use professional judgement to assess the control environment
• Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements
• Assess whether controls were effectively applied throughout the period under audit
32
The audit risk model
• Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statement is materially misstated– In setting the desired audit risk, auditors seek an
appropriate balance between the costs of an incorrect audit opinion and the costs of performing the additional audit procedures necessary to reduce audit risk
33
Audit risk components
Inherent risk (ASA 200)• Is the possibility that a material misstatement could
occur in an assertion, either individually or when aggregated with other misstatements, assuming there are no related controls
• Inherent risk exists independently of the audit of financial statements and thus auditors cannot change the actual level of inherent risk
• As defined by auditing standards, inherent risk is confined to the risk of material misstatements
34
Control risk (ASA 200)• Is the risk that a material misstatement could occur in
an assertion, either individually or when aggregated with other misstatements, and not be prevented, detected, or corrected on a timely basis by the entity’s internal control structure?
• Control risk is a function of the effectiveness of the internal control structure as good controls reduce risk
Audit risk components
35
Detection risk (ASA 200)• Is the risk that an auditor’s substantive procedures will not
detect any material misstatements that exist in an assertion, either individually or when aggregated with other misstatements
• a function of the effectiveness of substantive procedures and their application by an auditor and thus is fundamental to the amount of audit work undertaken
• actual level of detection risk is controllable by the auditor through:– appropriate planning, direction, supervision and review– variation in the nature, timing and extent of audit
procedures – effective performance of the audit procedures and
evaluation of their results
Audit risk components
36
The relationships among risk components
• An auditor’s objective is to achieve an acceptably low level of audit risk, as is practicable
• Recognising the cost of performing audit procedures, there is an inverse relationship between the assessed levels of inherent and control risks and the level of detection risk that the auditor can accept
• Auditors, although unable to control inherent risk (IR) and control risk (CR), can assess these risks and design substantive procedures to produce an acceptable level of detection risk, thus reducing the audit risk to an acceptable level
37
• The audit risk model provides a framework for auditors to follow in responding to these assessed risks through their choice of audit procedures
• The audit risk model expresses the relationship among the audit risk (AR) components as follows:
AR = IR CR DR
That is, Audit risk = Inherent risk Control risk Detection risk
The relationships among risk components
The relationships among risk components
• Acceptable detection risk matrix
39
Non-quantified audit risk model
• Auditors may use non-quantified expressions for risk
• Is consistent with the quantified audit risk model, in that the acceptable levels of detection risk are inversely related to the assessments of inherent and control risks
• If assessment of control and inherent risks are both high, then the acceptable level of detection risk will generally have to be very low
• That is, the risk that the auditor’s substantive procedures will not detect material misstatements will need to be low — which means more substantive testing by the auditor
• Conversely, if an auditor’s assessment of control and inherent risks are both low, then the acceptable level of detection risk can be high, i.e. the auditor’s substantive procedures can be reduced