week 6 lecture handout - full

Chapter 9 Audit Risk Assessment

Upload: apa-chaudary

Post on 11-Jan-2016


Page 1: Week 6 Lecture Handout - Full

Chapter 9

Audit Risk Assessment


Announcement

QUIZ TWO

• The second quiz for this course will open at 8am, Wednesday 26th August and will close at 11.59pm, Friday 28th August.

• Students are once again reminded that you have only one chance to attempt this quiz, and you should attempt it within the allocated time. Failure to do so will result in zero marks being awarded to the student.

• This quiz covers chapters 4, 5 & 6. It will comprise 20 multiple choice questions. The time allocated for this quiz is only 20 minutes. The quiz contributes 1% towards your course assessment.


Objectives

• Appreciate the importance of audit risk assessment and why it is linked to financial statement assertions

• Describe the procedures performed by an auditor to assess risk

• Appreciate the importance of internal control to an entity and to its independent auditors

• Indicate the procedures for obtaining and documenting an understanding of the entity’s internal control

• Explain why and how a preliminary assessment of control risk is made

• Explain the importance of the concept of audit risk and its three components


Management's financial statement assertions

Existence or occurrence
• Assets or liabilities of the entity exist at a given date, and recorded transactions or events have occurred during the period

Completeness
• Transactions, events and accounts that should be presented in the financial statement are included

Cut-off
• All transactions, events and accounts have been recorded in the correct period


Management's financial statement assertions (continued)

Rights and obligations
• Assets represent rights of the entity and liabilities are the obligations of the entity at a given date

Valuation and allocation
• Asset, liability, components have been included in the financial statements at the appropriate amounts

Accuracy
• Transactions have been appropriately recorded in the proper accounts


Management's financial statement assertions (continued)

Presentation and disclosure
• Particular components of the financial statements are properly classified, described and disclosed


Business risk assessment

• A business risk approach allows the auditor to:
– Identify threats faced by the organisation
– Recognise that most business risks will eventually have an effect on the financial statements
– Increase the chances of identifying risks of material misstatements in the financial reports

• Categories of business risk:
– Financial risk
– Operational risk
– Compliance risk


Risk assessment procedures

• Enquiries
– Management, staff, internal auditors, company bankers, legal advisors

• Analytical procedures
– Provide a broad indication of the likelihood of possible errors

• Observations and inspections
– Inspection of manuals, visiting business premises, observing procedures taking place


Importance of internal control

• The Committee of Sponsoring Organisations (COSO) of the Treadway Commission defines internal control as:
– a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations


Management responsibility

• Management (not the auditor) must establish and maintain the entity's control structure

• Control structure aids management to ensure:
– irregularities are prevented or detected and corrected
– assets are safeguarded
– financial records are accurately reflected
– adherence to management policies
– operational efficiency is promoted that prevents unnecessary duplication of effort

• Because of its inherent limitations, an internal control structure cannot be regarded as completely effective, regardless of the care taken in its design and implementation


Auditor responsibility

• ASA 315 para 12 states that:

The auditor shall obtain an understanding of internal control relevant to the audit

• The auditor’s understanding of the internal control is then used to plan the audit and to determine the nature, timing and extent of tests to be performed

• The above has to be done in the context of the internal control structure as defined in ASA 315


The internal control system

Five components (ASA 315 para A51)
• Control environment
• Risk assessment
• Information system
• Control activities
• Monitoring


Control environment

• Sets the tone of the entity towards control consciousness and includes:

• Enforcement of integrity and ethical values
– e.g. setting the ‘tone at the top’ of the entity by demonstrating integrity and ethical behaviour

• Commitment to competence
– e.g. adequate knowledge and skills at every level in the entity


Control environment (continued)

• Participation by those charged with governance

• Management’s philosophy and operating style
– e.g. approach to taking and monitoring business risks

• Organisational structure

• Assignment of authority and responsibility

• Human resource policies and practices
– e.g. screening prospective employees


Risk assessment

• Risk assessment is the process used to identify, analyse and manage the relevant risks which may affect the achievement of the entity’s objectives, including the preparation of financial statements


Risk assessment

• Key factors include, for example:
– changes in the operating environment
– new personnel
– new or revamped information systems
– rapid growth
– corporate restructuring
– expanded foreign operations

• All of the key factors have inherent risks with potential adverse financial consequences


Information systems and communication

• Information systems consist of procedures and records established to:
– initiate, record, process and report an entity's transactions
– maintain accountability for the related assets, liabilities and equity

• A major focus is that transactions are handled in such a way that financial statements are presented fairly in accordance with accounting standards


Control activities

• Control activities are policies and procedures that help ensure that management directives are carried out to address risks that threaten the achievement of entity objectives


Control activities

• Key factors include:
– performance reviews
– information processing controls, e.g. general controls and application controls over input, processing and output in a computerised system
– physical controls
– segregation of duties, e.g. ensuring that individuals do not perform incompatible duties such as banking cash and performing bank reconciliations


Information Processing Controls

• General controls

Apply to systems as a whole:
– Organisational controls
– Systems development and maintenance controls
– Access controls
– Data and procedural controls

• Application controls (input, processing & output controls)

• Segregation of duties

• Physical controls

• Performance reviews


Monitoring

• Monitoring is the process by which the entity monitors the quality of internal controls over time

• Involves assessing the design and operation of controls on a timely basis and taking the necessary corrective actions

• Ongoing monitoring activities could include:
– internal audit
– continual management review of exception and operation reports
– review/response to customer complaints


Limitations of control

• Cost versus benefits
• Management override
• Non-routine transactions
• Mistakes in judgment
• Collusion
• Breakdown
• Changes in conditions


Understanding internal control

Issues can include:

• Identifying the types of potential misstatements that may occur
– e.g. where to look for potential errors and fraud

• Understanding factors that affect the risk of material misstatement
– e.g. revenue recognition issues in some entities

• Designing further audit procedures
– e.g. assess adequacy of risk assessment procedures and plan tests of controls

• Testing general and application controls in computerised systems


Procedures to obtain an understanding

• Procedures can include:
– reviewing previous experience with the entity being audited
– inquiries of management, supervisory and staff personnel
– inspection of documents and records
– observation of the entity’s activities and operations
– transaction walk-through reviews to confirm documented understanding


Example 1

Refer to Professional Application Question 9.23


Example 1

(a) Business risks are threats that the organisation faces in attempting to achieve its goals. In this case there are a couple of main business risks to HealthyGlow; both are in relation to the purchase of the new full-body scanning machines.

• Studies that have shown the potential side-effects of the new machines are a concern, which is a risk in the longer term. In the short term, the bad publicity is a risk although it appears to have had little effect on the level of bookings.

• The potential ban of the use of the machines by the Medical Association of NSW is a much more significant short term business risk – even though management only assesses this likelihood at 20% (the auditor would want more evidence on this). HealthyGlow have significant capital investment in these machines and also significant revenue that is contingent on the continued operation of the machines.


Example 1

(b)
i. The scanners (property, plant and equipment)
ii. Revenue and unearned revenue

(c)
i. Valuation. The scanners may become worthless if they cannot be used due to the possible decision by the Medical Association of NSW. There may be an overseas market for them but this presumably would result in a significant discounting of value.
ii. Accuracy and cut-off for revenue. There is a risk that HealthyGlow has been incorrectly recording revenue before the service is provided. The auditor will need to ensure that only those services provided before the end of June have been included in revenue and payments received for bookings after the end of June should be included as ‘Unearned revenue’.
Completeness for unearned revenue. There is a risk that revenue that has not been earned has not been accounted for properly.


Documenting the understanding

• Internal Control Questionnaire (ICQ)
– consists of a series of questions about accounting and control policies and procedures the auditor feels are necessary to prevent material misstatements in the financial statements

• Flow chart
– is a schematic diagram that uses standardised symbols, interconnecting flow lines and annotations to portray the steps involved in processing information through the information system


Documenting the understanding

• Narrative memoranda
– may be used to supplement other forms of documentation by summarising the auditor’s overall understanding of the information system or specific control policies or procedures


Preliminary assessment of Control Risk

• ASA 315 para 25:

The auditor shall identify and assess the risks of material misstatement at the financial report level, and the assertion level for classes of transactions, account balances and disclosures

• Purpose of preliminary assessment
– Assessment to obtain a reasonable understanding of controls in place
– Decide on an appropriate audit strategy so as to design a detailed audit program


Process of assessing control risk

• Use professional judgement to assess the control environment

• Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements

• Assess whether controls were effectively applied throughout the period under audit


The audit risk model

• Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statement is materially misstated
– In setting the desired audit risk, auditors seek an appropriate balance between the costs of an incorrect audit opinion and the costs of performing the additional audit procedures necessary to reduce audit risk


Audit risk components

Inherent risk (ASA 200)

• Is the possibility that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, assuming there are no related controls

• Inherent risk exists independently of the audit of financial statements and thus auditors cannot change the actual level of inherent risk

• As defined by auditing standards, inherent risk is confined to the risk of material misstatements


Audit risk components (continued)

Control risk (ASA 200)

• Is the risk that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, and not be prevented, detected, or corrected on a timely basis by the entity’s internal control structure

• Control risk is a function of the effectiveness of the internal control structure as good controls reduce risk


Audit risk components (continued)

Detection risk (ASA 200)

• Is the risk that an auditor’s substantive procedures will not detect any material misstatements that exist in an assertion, either individually or when aggregated with other misstatements

• Is a function of the effectiveness of substantive procedures and their application by an auditor and thus is fundamental to the amount of audit work undertaken

• The actual level of detection risk is controllable by the auditor through:
– appropriate planning, direction, supervision and review
– variation in the nature, timing and extent of audit procedures
– effective performance of the audit procedures and evaluation of their results


The relationships among risk components

• An auditor’s objective is to achieve an acceptably low level of audit risk, as is practicable

• Recognising the cost of performing audit procedures, there is an inverse relationship between the assessed levels of inherent and control risks and the level of detection risk that the auditor can accept

• Auditors, although unable to control inherent risk (IR) and control risk (CR), can assess these risks and design substantive procedures to produce an acceptable level of detection risk, thus reducing the audit risk to an acceptable level


The relationships among risk components (continued)

• The audit risk model provides a framework for auditors to follow in responding to these assessed risks through their choice of audit procedures

• The audit risk model expresses the relationship among the audit risk (AR) components as follows:

AR = IR × CR × DR

That is, Audit risk = Inherent risk × Control risk × Detection risk


The relationships among risk components

• Acceptable detection risk matrix


Non-quantified audit risk model

• Auditors may use non-quantified expressions for risk

• Is consistent with the quantified audit risk model, in that the acceptable levels of detection risk are inversely related to the assessments of inherent and control risks

• If the assessments of control and inherent risks are both high, then the acceptable level of detection risk will generally have to be very low

• That is, the risk that the auditor’s substantive procedures will not detect material misstatements will need to be low — which means more substantive testing by the auditor

• Conversely, if an auditor’s assessments of control and inherent risks are both low, then the acceptable level of detection risk can be high, i.e. the auditor’s substantive procedures can be reduced