20024 - audit risk assessment the do's and don'ts, part 2 risk... · program...

1

Audit Risk Assessment:Audit Risk Assessment:The Do's and Don'ts, Part 2The Do's and Don'ts, Part 2

© 2011 DeVry/Becker Educational Development Corp. All rights reserved.

The copyright in this material is owned by DeVry/Becker Educational Development Corp., or where specifically indicated, by the original creator of the material. None of this material may be copied, reproduced, republished, or displayed in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, or otherwise, without the prior written permission of DeVry/Becker Educational Development Corp. or the copyright owner.

Major Topic/Concept Index

Course Section Slide Number Major Topics/Concepts

AICPA Audit Risk Assessment Standards 9 – 12 • Statements on Auditing Standards

Audit Evidence 15 – 27• Audit evidence defined• Sources of audit evidence• Types of audit evidence

Audit Risk 4 – 8• Audit risk defined• Risk of material misstatement• Detection risk

Audit Sampling 69 – 72 • SAS 111 – Audit Sampling

Documentation 85 – 87 • Required documentation

Evaluating Audit Evidence 73 – 84• Results of further audit procedures• Evaluating control deficiencies and misstatements• Auditor's conclusion

• The financial statement level


Further Audit Procedures 28 – 43• The relevant assertion level• Nature, extent, and timing of further audit procedures• Possible audit approaches

Standards of Fieldwork 13 – 14 • SAS 105 – the three standards of fieldwork

Substantive Procedures 60 – 68• Significant risks• Nature, extent, and timing of substantive procedures

Tests of Controls 44 – 59• Selecting controls for testing• Nature, extent, and timing of controls• Results of tests of controls

2

Learning Objectives & Program Content

Learning Objectives: In the second of a two-part course, participants will learn about audit evidence, the testing of controls, and sampling. At the conclusion of this session you will be able to:• Define Audit Risk • Outline the AICPA's Audit Risk Assessment Standards• Compare and contrast the following concepts:

o The Standards of Fieldworko Audit Evidence o Further Audit Procedureso Tests of Controls o Substantive Procedureso Audit Samplingo Evaluating Audit Evidence

• List the documentation requirements within the audit risk assessment process


q pProgram Prerequisites: The successful completion of Becker's Audit Risk Assessment: The Do's and Don'ts, Pt. 1Program Level: BasicProgram Content: Auditors who unknowingly fail to appropriately modify their opinions on financial statements that are materially misstated pose a serious audit risk. In this two-part course, obtain the skills to navigate the currently evolving audit standards.Advanced Preparation: NoneField of Study: Audit

2

Audit RiskAICPA Audit Risk Assessment Standards

Standards of FieldworkStandards of FieldworkAudit Evidence

Further Audit ProceduresTests of Controls

Substantive Procedures

Audit Sampling

E l ti A dit E id

© 2011 DeVry/Becker Educational Development Corp. All rights reserved. 3

Evaluating Audit Evidence

Documentation

3





Audit Sampling

E l ti A dit E id



Documentation

Audit Risk

I. Audit Risk A. Audit Risk Defined

The risk that the auditor may unknowingly fail to appropriately modifyThe risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated.

1. Audit Risk (AR) is a function of:

a. The Risk of Material Misstatement (RMM) – The risk that the

The Audit Risk Model

AR = RMM x DR or AR = IR x CR x DR


financial statements are materially misstated. The risk of material misstatement consists of Inherent Risk (IR) and Control Risk (CR).

b. Detection Risk (DR) – The risk that the auditor will not detect existing material misstatements.

5

4

Audit Risk

B. Risk of Material Misstatement (RMM = IR x CR) The risk of material misstatement is a function of inherent risk and control risk.co t o s1. Inherent Risk Defined

The risk that a relevant assertion could be materially misstated, either individually or when aggregated, with other misstatements, assuming that there are no related controls.

2. Control Risk DefinedThe risk that a material misstatement could occur and not be


prevented or detected and corrected on a timely basis by the entity's internal control. Control risk is a function of the effectiveness of the design and operation of an entity's internal controls related to financial reporting.

6

Audit Risk

3. Inherent risk and control risk are risks of the entity and exist independent of the audit. The auditor assesses the entity's risk of material misstatement by assessing the entity's inherent risk and control risk during the audit risk assessment process by:a. Obtaining an understanding of the entity and environment,

including its internal controls.b. Performing tests of controls to obtain evidence of the

operating effectiveness of controls.


5

Audit Risk

C. Detection RiskUnlike inherent risk and control risk, detection risk is controlled by the auditor. Detection risk is a function of:t e aud to etect o s s a u ct o o1. The effectiveness of audit procedures.2. The application of those audit procedures by the auditor. The auditor manages detection risk through the selection of substantive audit procedures in response to the assessed risk of material misstatement.

Key Point


The auditor must minimize audit risk. For a given level of audit risk, there is an inverse relationship between detection risk and the assessed risk of material misstatement (inherent risk and control risk):

Greater RMM Lower acceptable level of detection risk

Lower RMM Greater acceptable level of detection risk





Audit Sampling

E l ti A dit E id



Documentation

6

AICPA Audit Risk Assessment Standards

II. AICPA Audit Risk Assessment StandardsA. The AICPA's Auditing Standards Board (ASB) issued eight

Statements on Auditing Standards (SAS) related to the assessment State e ts o ud t g Sta da ds (S S) e ated to t e assess e tof risk in financial statement audits (hereafter referred to as the "Risk Assessment SAS"):1. SAS No. 104, Amendment to Statement on Auditing Standards

No. 1, Codification of Auditing Standards and Procedures ("Due Professional Care in the Performance of Work").

2. SAS No. 105, Amendment to Statement on Auditing Standards No 95 Generall Accepted A diting Standards


No. 95, Generally Accepted Auditing Standards. 3. SAS No. 106, Audit Evidence.

10


4. SAS No. 107, Audit Risk and Materiality in Conducting an Audit.

5. SAS No. 108, Planning and Supervision. 5 S S o 08, a g a d Supe s o6. SAS No. 109, Understanding the Entity and Its Environment

and Assessing the Risks of Material Misstatement. 7. SAS No. 110, Performing Audit Procedures in Response to

Assessed Risks and Evaluating the Audit Evidence Obtained. 8. SAS No. 111, Amendment to Statement on Auditing Standards

No. 39, Audit Sampling.


7


B. The primary objective of the Risk Assessment SAS is to enhance the auditors' application of the audit risk model by requiring:1. A more in-depth understanding of the entity and its o e dept u de sta d g o t e e t ty a d ts

environment, including its internal control. This understanding can be used to identify the risks of material misstatement in the financial statements and the entity's efforts to mitigate those risks.

2. A more rigorous assessment of the risk of material misstatement based on the understanding of the entity and its environment including its internal control


environment, including its internal control.3. Improved linkage between assessed risks and the nature,

extent, and timing of audit procedures performed in response to those risks.

12





Audit Sampling

E l ti A dit E id



Documentation

8

Standards of Fieldwork

III. Standards of FieldworkSAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, revised the three standards of fieldwork as follows:A. The auditor must adequately plan the work and properly supervise

any assistants.B. The auditor must obtain a sufficient understanding of the entity and

its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature extent and timing of


error or fraud, and to design the nature, extent, and timing of further audit procedures.

C. The auditor must obtain sufficient, appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.

14





Audit Sampling

E l ti A dit E id



Documentation

9

Audit Evidence

IV. Audit EvidenceA. Audit Evidence Defined

All the information used by the auditor in arriving at the conclusionsAll the information used by the auditor in arriving at the conclusions on which the audit opinion is based, including the information contained in the accounting records underlying the financial statements and other information.Audit evidence is obtained from audit procedures, including:1. Risk assessment procedures.2. Tests of the operating effectiveness of internal controls.


3. Substantive procedures.Audit evidence is cumulative and can also include evidence gathered in previous audits and evidence gathered during client acceptance and continuance procedures.

16

Audit Evidence

B. Sources of Audit EvidenceThe auditor obtains evidence by testing the entity's accounting records to determine that they:y1. Are internally consistent.2. Agree with the financial statements.

3. Audit evidence is also obtained from:

Key Point

Evidence obtained from accounting records alone is not sufficient to provide a basis for an audit opinion.


a. Minutes of meetings.b. Third party confirmations.c. Data about competitors.d. Internal control manuals.e. Information provided by audit procedures.

17

10

Audit Evidence

C. The Third Standard of Fieldwork requires the auditor to obtain "sufficient appropriate audit evidence."1. Sufficiency DefinedSu c e cy e ed

A measure of the quantity of audit evidence to be obtained by the auditor. Sufficiency is affected by:a. The risk of material misstatement

b. The quality of the audit evidence

High RMM More evidence needed


High quality Less evidence needed

18

Key Point

More evidence is not necessarily better if the evidence is not appropriate.

Audit Evidence

D. Sufficient Appropriate Audit Evidence1. Appropriateness Defined

A measure of the quality of the audit evidence to be obtainedA measure of the quality of the audit evidence to be obtained by the auditor. Appropriate audit evidence should be relevant and reliable.

Key Point

The auditor must use professional judgment and professional skepticism to determine when sufficient, appropriate audit evidence has been obtained.


11

Audit Evidence

2. Relevance DefinedRelevant audit evidence is related to the relevant management assertions for each class of transactions, account balance, andassertions for each class of transactions, account balance, and presentation and disclosure. Relevant management assertions are those that have a bearing on whether an account is fairly stated. The auditor determines which assertions are relevant by:a. Considering the source of likely potential misstatements.b. Evaluating the nature of the assertion.


c. Determining the volume of transactions related to the assertion.

d. Evaluating the nature and complexity of the systems used to process information supporting the assertion.

20

Audit Evidence

Management Assertions Include:Assertions about classes of transactions and events:a Completeness – All transactions and events that shoulda. Completeness All transactions and events that should

have been recorded have been recorded.b. (Proper period) Cutoff – Transactions and events have

been recorded in the proper accounting period.c. Accuracy – Amounts and other data relating to

recorded transactions and events have been recorded appropriately.


d. Classification – Transactions and events have been recorded in the proper accounts.

e. Occurrence – Transactions and events that have been recorded have occurred and pertain to the entity.

21

12

Audit Evidence

Management Assertions Include:Assertions about account balances at period end:a Completeness – All assets liabilities and equity interestsa. Completeness All assets, liabilities, and equity interests

that should have been recorded have been recorded.b. Allocation and Valuation – Assets, liabilities, and equity

interests are included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.

c. Rights and Obligations – The entity holds or controls f


the rights to assets, and liabilities are the obligations of the entity.

d. Existence – Assets, liabilities, and equity interests exist.

22

Audit Evidence

Management Assertions Include:Assertions about presentation and disclosure:a Completeness – All disclosures that should have beena. Completeness All disclosures that should have been

included in the financial statements have been included.

b. Understandability and Classification – Financial information is appropriately presented and described and disclosures are clearly expressed.

c. Rights and Obligations, and Occurrence – Disclosed


events and transactions have occurred and pertain to the entity.

d. Valuation and Accuracy – Financial and other information are disclosed fairly and at appropriate amounts.

23

13

Audit Evidence

3. Reliability is influenced by the source and nature of the audit evidence. In general:a. Evidence obtained directly by the auditor is more reliable a de ce obta ed d ect y by t e aud to s o e e ab e

than inferred evidence or evidence obtained indirectly.b. Audit evidence is more reliable when obtained from

knowledgeable independent sources outside the entity.c. Internally generated evidence is more reliable when

internal controls are operating effectively.d. Documented evidence is more reliable than oral evidence.


e. Original documents are more reliable than copies or faxes.f. More assurance is provided by consistent audit evidence

obtained from different sources or of a different nature. When evidence is inconsistent, the auditor should apply additional procedures to resolve the inconsistency.

24

Audit Evidence

g. Before using information provided by the entity, the auditor should obtain evidence regarding its accuracy and completeness by testing related controls or by recalculating the information.

h. When selecting audit procedures, the auditor may consider the relationship between the cost of the information and its usefulness. However, if alternative procedures do not exist, cost is not a valid reason for omitting a necessary audit procedure.

i Audit evidence must be at least persuasive even if it is not


i. Audit evidence must be at least persuasive, even if it is not conclusive. Less than persuasive evidence is not acceptable.

25

14

Audit Evidence

E. Types of Audit EvidenceThe following types of evidence can be used in risk assessment procedures and further audit procedures:procedures and further audit procedures:1. Inspection of documents and records2. Inspection of intangible assets3. Observation4. Inquiry of internal and external parties5. Confirmation6. Recalculation


6. Recalculation7. Reperformance8. Analytical procedures

26

Audit Evidence

Key Point

The nature and timing of audit procedures are influenced by the availability of evidence. Some evidence may only be available in electronic format or at specific points or periods of time. When evidence is available in electronic format, the auditor can use computer assisted audit techniques (CAAT) to perform audit procedures.


15





Audit Sampling

E l ti A dit E id



Documentation

Further Audit Procedures

V. Further Audit ProceduresA. The Second Standard of Fieldwork:

"The auditor must obtain a sufficient understanding of the entityThe auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, extent, and timing of further audit procedures."Once the auditor has assessed the risk of material misstatement (RMM), the auditor must respond at:

f


1. The financial statement level 2. The relevant assertion level

29

16


B. Audit Response to RMM at the Financial Statement LevelFinancial statement level risks generally require an overall audit response, including:espo se, c ud g1. Providing more supervision of the engagement team.2. Assigning more experienced personnel to the engagement

team.3. Emphasizing the application of professional skepticism.4. Incorporating more unpredictability in the selection of audit

procedures.


5. Making overall changes to the nature, extent, and timing of further audit procedures.

30


C. Audit Response to RMM at the Relevant Assertion LevelThe risk assessment process culminates in a determination of the classes of transactions, account balances, or disclosures and c asses o t a sact o s, accou t ba a ces, o d sc osu es a drelated assertions where material misstatements are most likely to occur. These assertion level risks are addressed by the nature, extent, and timing (NET) of further audit procedures, which include:1. Tests of the operating effectiveness of internal controls.2. Substantive procedures.

Key Point


A decrease in the acceptable level of risk for a class of transactions, account or disclosure, or a decrease in the amount of misstatement that is considered material would require the auditor to:• Perform more effective procedures (nature)• Increase the amount of evidence gathered (extent)• Perform procedures closer to year-end (timing)

17


There should be a clear linkage between the auditor's understanding of the entity, the risk assessment, and the design of further audit procedures.Clear Linkage means that the further audit procedures are responsive to the assessed risk and that there is a close correlation between the assertions of the assessed risk and the assertions addressed by the audit procedures. An audit test should provide strong evidence about the assertion that is at risk of material misstatement.



D. Designing Further Audit ProceduresWhen designing further audit procedures in response to assessed risk, the auditor should consider:s , t e aud to s ou d co s de1. The significance of the risk.2. The likelihood that a material misstatement will occur.3. The characteristics of the class of transactions, account

balance, or disclosure.4. The nature of the internal controls.5. Whether the auditor will perform tests of controls to obtain


evidence of whether the entity's controls are effective in preventing or detecting and correcting material misstatements.

33

18


E. Nature of Further Audit ProceduresThe nature (appropriateness) of an audit procedure refers to:1 The purpose of the audit procedure (test of control or1. The purpose of the audit procedure (test of control or

substantive procedure).2. The type of procedure (inspection, observation, inquiry,

confirmation, recalculation, reperformance, or analytical procedure).

Key Point

The nature of an audit procedure is the most important factor when


The nature of an audit procedure is the most important factor when responding to assessed risks at the relevant assertion level. For example, a large quantity of less reliable audit evidence may not be sufficient to form a conclusion.


Audit procedures relate to specific financial statement assertions:

Assertion Auditing Procedure

C l t 1 I ti f d t t i t ti fCompleteness 1. Inspection of documents tracing transactions from source documents to the financial statements.

2. Analytical procedures to determine if items have been omitted from the account balance.

3. Observation of processes and procedures.

Proper Period Cutoff 1. Inspection of documents using cut-off procedures to determine whether transactions were recorded in the proper period.


p p p

Accuracy 1. Inspection of documents supporting transactions.2. Recalculation by footing and cross-footing

documents and schedules.

Classification 1. Inspection of documents supporting transactions.

35

19


Audit procedures relate to specific financial statement assertions:

Assertion Auditing Procedure

O 1 I ti f d t hi t tiOccurrence 1. Inspection of documents vouching transactions from the financial statements back to supporting documents.

Allocation and Valuation 1. Recalculation of estimates made by the client.2. Inspection and reconciliation of supporting

schedules to the general ledger.

Rights and Obligations 1. Inspection of documents supporting transactions.

E i t 1 C fi ti f t ith thi d ti


Existence 1. Confirmation of accounts with third parties.2. Observation and inspection of assets, processes

and procedures.

Understandability and Classification

1. Inspection of all disclosures for compliance with GAAP.

2. Inquiry of management regarding disclosures.

36


The selection of audit procedures is based on the assessed risk of material misstatement (RMM) and the source of the risk of material misstatement (inherent risk vs. control risk):

High RMM Few or no tests of controls & more relevant and reliable substantive procedures

Low RMM due to low IR Perform substantive procedures only

Low RMM due to low CR Perform tests of controls and


Low RMM due to low CR Perform tests of controls and substantive procedures

37

20


F. Extent of Further Audit ProceduresThe extent of an audit procedure is based on auditor judgment after considering:a te co s de g1. Tolerable misstatement.2. Degree of assurance required.3. Assessed risk of material misstatement.

CAATs can be used to more extensively test electronic

High RMM More extensive procedures


transactions and account files. Sampling can be used to form conclusions about large populations.

38


G. Timing of Further Audit ProceduresFurther audit procedures can be performed at an interim date, at period end or after period end. When considering timing, the pe od e d o a te pe od e d e co s de g t g, t eauditor should consider:1. The assessed risk of material misstatement.2. The control environment.3. When information is available.4. The nature of the risk.5. The period or date to which the audit evidence relates.


Key Point

A higher assessed risk of material misstatement will result in the auditor performing procedures at period end and performing procedures unannounced or at unpredictable times.

21


When the risk of material misstatement is low, interim procedures can be used. When performing interim procedures, the auditor:1. Can identify significant matters and then resolve those matters Ca de t y s g ca t atte s a d t e eso e t ose atte s

with management before year-end or design audit procedures to address the matters.

2. Must consider the additional evidence that is necessary for the remaining period.



H. Possible Audit Approaches1. Primarily Substantive Approach

Perform substantive procedures with little or no reliance onPerform substantive procedures with little or no reliance on evidence regarding the operating effectiveness of internal controls. A substantive approach can be used when:a. Risk assessment procedures indicate that there are no

effective internal controls.b. Testing controls would be inefficient.The auditor must be satisfied that the evidence obtained from


substantive tests for relevant assertions is effective in reducing detection risk to an acceptably low level.

41

22


Key Point

Although a substantive approach is permissible, tests of controls are generally required when:• An entity conducts its business using information technology and no

documentation of transactions is produced or maintained, other than through the IT system.

• Auditing assertions are related to routine day-to-day business transactions that permit highly automated processing with little or no manual intervention.

• Audit evidence is obtained in electronic form. The sufficiency and appropriateness of such evidence is dependent on the effectiveness of controls over the accuracy and completeness of the information.



2. Combined Audit ApproachPerform a combination of:a Tests of the operating effectiveness of internal controlsa. Tests of the operating effectiveness of internal controls.b. Substantive procedures.When controls are operating effectively, less evidence is required from substantive procedures.

Key Point

Even when the assessed risk of material misstatement is low, the auditor must perform substantive procedures for all relevant assertions related to


each material class of transactions, account balance and disclosure. Substantive procedures must always be performed because the auditor's assessment of risk is judgmental and the auditor may not identify all risks of material misstatement.

23





Audit Sampling

E l ti A dit E id



Documentation

Tests of Controls

VI. Tests of ControlsA. Tests of the operating effectiveness of internal controls are

performed when:pe o ed e1. When the auditor's risk assessment is based on the

assumption that internal controls are operating effectively, and the auditor wants to rely on the controls to modify the nature of substantive testing and reduce the extent of substantive testing.

2. Substantive procedures alone will not provide sufficient audit e idence (i e hen the entit makes e tensi e se of


evidence (i.e., when the entity makes extensive use of information technology).

45

24

Tests of Controls

B. Selecting Controls for Testing1. Tests of controls are performed on controls that the auditor has

determined are properly designed to prevent or detect anddetermined are properly designed to prevent or detect and correct material misstatements. Tested controls should be directly related to assessed risks and the related management assertions.

2. In addition, the auditor may choose to test complimentary controls upon which the effectiveness of direct controls depends. Complimentary controls include:

IT l t l


a. IT general controls.b. Segregation of duties.c. The effective communication of control responsibilities

when the employee responsible for performing the control changed during the period.

46

Tests of Controls

C. Evidence Provided by Tests of Controls1. Tests of controls should provide evidence that internal controls

operated effectively during the period under audit. Tests of ope ated e ect e y du g t e pe od u de aud t ests ocontrols should focus on:a. Whether the controls were applied at relevant times.b. How the controls were applied. c. The consistency with which the controls were applied.d. By whom and by what means the controls were applied.

2. Auditor judgment is used to determine the nature, extent, and


timing (NET) of tests of controls.

47

25

Tests of Controls

D. Nature of Tests of Controls1. Tests of controls include:

a. Inquiries of entity personnel.a. Inquiries of entity personnel.b. Inspection of documents, reports and electronic files that

indicate that the control has been performed.c. Observation of the application of controls.d. Reperformance of the application of controls.

2. Inquiry alone is not sufficient; the auditor should use a combination of procedures to obtain sufficient evidence of operating effectiveness


effectiveness.

48

Key Point

Inquiry + Inspection/Reperformance provides better evidence than Inquiry + Observation because observation only provides evidence that controls functioned at a moment in time. Additionally, when the application of a control is observed, performance may be impacted by the auditors presence.

Tests of Controls

Documented Controls – When controls are documented, the auditor should inspect the documentation to obtain evidence. It may be necessary to use sampling when testing documented controls.

Undocumented Controls – When controls are not documented, the auditor must obtain evidence through inquiry and observation. Evidence can be obtained using CAATs.


26

Tests of Controls

3. Dual purpose tests are audit procedures that function as both tests of controls and substantive procedures. When performing dual purpose tests, it is important to consider the following:a. The outcome of tests of controls impacts the extent of

substantive testing. For example, if tests of controls indicate that controls are not operating effectively, the sample size for substantive testing must be increased.

b. If tests of controls reveal that the entity's internal controls are ineffective, this does not necessarily mean that material misstatements exist


misstatements exist. c. If substantive tests reveal material misstatements not identified

by management, this is considered a material weakness in internal control.

50

Tests of Controls

E. Extent of Tests of ControlsThe following factors must be considered when determining the extent of control testing needed to provide sufficient evidence to support a conclusion:1. The frequency of the performance of the control during the

period.2. The length of time during the audit period that the auditor is

relying on the control.3. The relevance and reliability of available audit evidence.


4. The extent to which the auditor plans to rely on the controls to reduce substantive testing.

5. Expected deviations.

51

More reliance on controls More extensive tests of controls

More expected deviation rate More extensive tests of controls

27

Tests of Controls

6. If a control is applied on a transaction basis throughout the period, then the auditor should use sampling to test the control.

7. If a control is performed periodically, the auditor should a co t o s pe o ed pe od ca y, t e aud to s ou dconsider guidance for testing smaller populations (SAS 39, Audit Sampling).

8. IT processing is inherently consistent, so it is possible to test only a few instances of control operation. Once the auditor has determined that an automated control is functioning as expected, the auditor should determine that it continues to function effectively


function effectively.

52

Tests of Controls

F. Timing of Tests of Controls1. The timing of control testing depends on the auditor's

objectives and the period of reliance on the control(s).object es a d t e pe od o e a ce o t e co t o (s)a. The auditor may choose to test the operating effectiveness

of controls while obtaining an understanding of the design and operation of internal controls, but is not required to do so.

b. Internal controls may be tested for a point in time (e.g., periodic inventory count) or over a period of time (e.g., internal controls related to sales)


internal controls related to sales).c. Interim testing is permitted.

53

28

Tests of Controls

2. If an auditor performs interim tests of controls, the auditor must determine what additional evidence needs to be obtained for the remaining period by considering:a. The assessed risk of material misstatement at the relevant

assertion level.b. The controls that were tested during the interim period.c. The degree to which audit evidence about the operating

effectiveness of those controls was obtained.d. The length of the remaining period.

Th t t t hi h th dit i t d t d


e. The extent to which the auditor intends to reduce substantive testing based on the results of the tests of controls.

f. The control environment.g. The volume and value of transactions processed in the

remaining period.54

Tests of Controls

3. The auditor can obtain evidence about the operating effectiveness of controls during the post-interim period by:a. Extending the testing of the operating effectiveness of a te d g t e test g o t e ope at g e ect e ess o

controls over the remaining period, orb. Testing the entity's monitoring of controls.

4. The auditor may perform:4. Inquiries and observations related to the performance of

the control, the monitoring of the control, or any changes in internal controls that occurred after the interim period.


5. A walkthrough covering the period between the interim date and period end.

6. The same procedures performed at interim, but directed to the period between the interim date and period end.

55

29

Tests of Controls

5. Tests of controls should be performed at least once every three years, with at least a portion of the control testing performed each year. Auditor judgment should be used to determine the length of time before retesting after considering the:a. Effectiveness of other elements of the entity's internal

control (i.e., the control environment, monitoring, and risk assessment).

b. Risks related to characteristics of the controls (i.e., automated vs. manual).

c Effectiveness of IT general controls


c. Effectiveness of IT general controls.d. The nature and extent of deviations in prior year control

testing.e. Whether a lack of change poses risks.f. The risk of material misstatement and the extent of reliance

on controls.56

Tests of Controls

6. Tests of controls should be performed more frequently when there is:a. Higher risk of material misstatement.a g e s o ate a sstate e tb. Greater reliance on the operating effectiveness of internal

controls.c. Weak control environment.d. Weak monitoring.e. Significant manual elements.f. Personnel changes.


g. Changes in circumstances that indicate that controls should be changed.

h. Weak IT controls.

57

30

Tests of Controls

7. In years that controls are not retested, the auditor must obtain evidence about whether changes have been made to the previously tested controls and perform procedures to establish the continuing relevance of the audit evidence obtained in prior audits.

8. The auditor may not rely on audit evidence about the operating effectiveness of controls obtained in prior audits for controls that:a. Changed significantly since the prior audit.b. Relate to business processes that have changed significantly

since the prior audit.c. Mitigate significant risks.


c. Mitigate significant risks.

58

Key Point

For significant risks where the auditor intends to rely on the operating effectiveness of relevant controls, the internal controls must be tested in the current audit.

Tests of Controls

G. Results of Tests of ControlsAfter performing tests of controls, the auditor may conclude the audit evidence indicates controls are:1. Operating effectively and can relied upon. The auditor then

proceeds to substantive testing based on the assessed risk of material misstatement.

2. Not operating effectively, in which case the auditor can:a. Test alternate controls, orb. Address the risk of material misstatement with more


reliable and extensive substantive testing.

59

Key Point

Generally, there is an inverse relationship between the sufficiency and adequacy of audit evidence obtained from tests of controls and the sufficiency and adequacy of audit evidence obtained from substantive procedures.

31





Audit Sampling

E l ti A dit E id



Documentation


VII. Substantive ProceduresA. Substantive procedures are performed to detect material

misstatements at the relevant assertion level and to determine sstate e ts at t e e e a t asse t o e e a d to dete ewhether material matters are adequately disclosed. Substantive procedures include:1. Tests of details of transaction classes, account balances, and

disclosure items.2. Substantive analytical procedures.The nature, extent, and timing (NET) of substantive procedures

f


should be responsive to the assessed risk of material misstatement, including the results of tests of controls and the planned level of detection risk.

61

32


B. The auditor is required to perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure to obtain sufficient appropriate audit evidence. In addition, the auditor should:1. Agree the financial statements, including disclosures, to the

underlying accounting records.2. Examine material journal entries and other adjustments made

during financial statement preparation.3. Perform procedures to evaluate the overall presentation of the

financial statements in accordance ith GAAP incl ding


financial statements in accordance with GAAP, including disclosures.

62


C. Significant RisksSubstantive procedures should be specifically responsive to significant risks identified during the risk assessment process. Such substantive procedures should:1. Consist of tests of details only, or tests of details combined

with substantive analytical procedures.2. Use more reliable evidence.


33


D. Nature of Substantive Procedures1. Based on auditor judgment, the results of tests of controls, and

the acceptable level of detection risk, the auditor can choose to t e acceptab e e e o detect o s , t e aud to ca c oose toperform the following substantive procedures for each class of transactions, account balance and disclosure:a. Substantive analytical procedures only.b. A combination of substantive analytical procedures and

substantive tests of details.c. Substantive tests of details only.


Key Point

If tests of controls indicate that controls are operating effectively, substantiveanalytical procedures may be sufficient to reduce detection risk to an acceptably low level. If tests of controls indicate that controls are not operating effectively (or tests of controls were not performed), the auditor may perform tests of details only.


2. When designing substantive analytical procedures, the auditor should consider:a. The suitability of substantive analytical procedures, given the

relevant assertion(s).b. Whether expectation is precise enough to identify the possibility

of material misstatement at the desired level of assurance.c. Whether differences between the recorded amounts and the

expected amounts is acceptable.d. The reliability of data from which analytical procedures will be

developed.


Key Point

When performing substantive analytical procedures, the auditor should consider testing controls over the preparation of the information to be used in analytical procedures. If the controls are effective, the results of the analytical procedures are more reliable.

34


E. Extent of Substantive Procedures1. There is a direct relationship between the risk of material

misstatement and the extent of substantive testing, and an sstate e t a d t e e te t o substa t e test g, a d aindirect relationship between the acceptable level of detection risk and the extent of substantive testing:

2. The extent of substantive testing can be reduced by tests of

High RMM More extensive substantive testingLow DR More extensive substantive testing


controls that show the relevant controls are operating effectively:

66

Low CR Low RMM Less extensive substantive testing


F. Timing of Substantive Procedures1. Substantive procedures can be performed at an interim period,

at period end, or after period end. When deciding whether at pe od e d, o a te pe od e d e dec d g et einterim testing is appropriate, the auditor should consider:a. The control environment and other relevant controls.b. The availability of information in the post-interim period.c. The objective of the substantive tests.d. The assessed risk of material misstatement.e. The nature of the class of transactions, account balance,


or disclosure.f. The ability of the auditor to reduce the risk that material

misstatements existing at period end will not be detected .

67

35


2. Interim testing increases the likelihood that misstatements existing at period end may not be detected. If fraud risk is high, the auditor may determine interim testing is not sufficient and may perform substantive procedures at or near period end. When performing interim substantive procedures, the auditor should perform:a. Further substantive procedures, orb. Further substantive procedures and tests of controls

over the remaining period to provide a basis for extending concl sions from the interim period to period end


conclusions from the interim period to period end.

68

Key Point

If a material misstatement is discovered during interim testing, the auditor may modify the risk of material misstatement and the nature, timing and extent of procedures and extend or repeat audit procedures at period end.





Audit Sampling

E l ti A dit E id



Documentation

36

Audit Sampling

VIII. Audit SamplingA. SAS No. 111 is an amendment to SAS No. 39, Audit Sampling, that

provides additional guidance in sampling applications, consistent with the other Risk Assessment SAS (SAS 104 – SAS 110). Key provisions of SAS No. 111 are as follows:1. When performing tests of details, the auditor must consider not just

the amount of monetary misstatement that would be material for a given class of transactions, account balance or disclosure, but the amount that would be material when combined with misstatements found as a result of other audit procedures.

2 Tolerable misstatement is the maximum monetary misstatement that


2. Tolerable misstatement is the maximum monetary misstatement that the auditor is willing to accept for a balance or class of transactions.a. Tolerable misstatement combined for all audit tests should not

exceed financial statement materiality.b. Tolerable misstatement for any specific audit procedure will

generally be less than financial statement materiality.

70

Audit Sampling

B. Guidance on Sampling Used for Tests of Controls1. SAS No. 111 states that sampling is used in tests of controls

when the auditor needs to decide if the rate of deviation from a prescribed procedure is greater than the tolerable rate. However, sampling does not apply to all tests of controls. For example, sampling may not be appropriate for:a. Tests of automated controls, which are generally only tested

once or a few times when effective general IT controls are present.

b Analysis of controls for determining the appropriateness of


b. Analysis of controls for determining the appropriateness of segregation of duties or other analyses that do not examine documentary evidence of control performance.

c. Analysis of the effectiveness of security and access controls.d. Examining the actions of those charged with governance to

assess their effectiveness.71

37

Audit Sampling

2. SAS No. 111 states that when using sampling to perform substantive procedures, the sample size is impacted by:a. Tolerable misstatement.a o e ab e sstate e tb. Expected misstatement.c. Audit risk.d. The characteristics of the population.e. The assessed risk of material misstatement (inherent risk

and control risk).f. The assessed risk for other substantive procedures related


to the same assertion.3. These factors should be considered for both nonstatistical

sampling and statistical sampling and should result in comparable sample sizes under both sampling methods.

72





Audit Sampling

E l ti A dit E id



Documentation

38


IX. Evaluating Audit EvidenceA. Results of Further Audit Procedures

1 The results of further audit procedures may lead the auditor to:1. The results of further audit procedures may lead the auditor to:a. Reassess the risk of material misstatement.b. Identify control deficiencies as a result of tests of controls

or substantive procedures.c. Identify misstatements as result of substantive procedures.

2. Misstatements and certain control deficiencies must be communicated with management and those charged with


governance.

74


B. Revising the Assessed Risk of Material MisstatementThe results of further audit procedures should be used to determine whether the assessed risk of material misstatement at the relevant assertion level is still appropriate.1. The results of tests of controls may indicate controls are not

functioning effectively, which will result in a higher assessment of the risk of material misstatement and more extensive and reliable substantive procedures.

2. Material misstatements discovered while performing substantive procedures that were not detected by the entity's controls are considered a material weakness which cause the auditor to change


considered a material weakness, which cause the auditor to change the judgment regarding the effectiveness of internal controls and revise the assessed risk of material misstatement.

3. If fraud is discovered, the auditor should assume that the fraud is not an isolated occurrence and should reassess the risk of material misstatement.

75

39


C. Evaluating Control DeficienciesThe auditor has the responsibility to evaluate control deficiencies identified during the audit to determine whether they represent de t ed du g t e aud t to dete e et e t ey ep ese tsignificant deficiencies or material weaknesses.1. Significant Deficiency Defined

A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, but important enough to merit attention by those charge with governance.

2 Material Weakness Defined


2. Material Weakness DefinedA material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

76


3. Deficiencies in the design of controls or failures in the operation of controls may be significant deficiencies or material weaknesses. The following situations are considered to be material weaknesses:a. Identification of any type of fraud by senior management.b. Restatement of previously issued financial statements to

correct a material misstatement.c. Identification by the auditor of a material misstatement that

would not have been identified by the entity's internal controls


controls.d. Ineffective oversight by those charged with governance.

4. All significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance.

77

40


D. Evaluating MisstatementsWhen performing substantive procedures, the auditor may find misstatements. Misstatements, whether due to errors or fraud, can sstate e ts sstate e ts, et e due to e o s o aud, cabe classified as known or likely.1. Known Misstatements Defined

Specific misstatement identified during the audit arising from the incorrect selection or application of accounting principles, or misstatements of facts.

2. Likely Misstatements DefinedMisstatements that arise from differences bet een


Misstatements that arise from differences between management and auditor judgment concerning accounting estimates that the auditor considers unreasonable or inappropriate and misstatements the auditor considers likely to exist based on an extrapolation of audit evidence (i.e., projection of sample misstatements to the population).

78


3. All nontrivial known and likely misstatements must be communicated with management on a timely basis.a. The auditor should request that management record the

adjustments necessary to correct all known misstatements, including uncorrected prior period misstatements.

b. For likely misstatements, the auditor should request that management examine the class of transactions, account balance, or disclosure in order to identify and correct all existing misstatements.

c. When a likely misstatement involves differences in estimates,


the auditor should request that management review the assumptions and methods used to calculate the estimate.

4. Management may decide not to correct some or all of the known and likely misstatements communicated by the auditor. The auditor must evaluate managements reasons for not making the corrections.

79

41


5. In order to determine whether the financial statements are presented fairly, in all material respects, in conformity with GAAP, the auditor must consider the effects, individually and in aggregate, of all nontrivial known and likely misstatements not corrected by management. When considering each noncorrected misstatement individually, the auditor should evaluate:a. Its effect in relation to the individual class of transactions,

account balance, or disclosure, including whether tolerable misstatement has been exceeded.

b. Whether it is appropriate to offset misstatements.


c. The effect of misstatements related to prior periods.6. The auditor should then aggregate the uncorrected misstatements

in a way that allows the auditor to determine whether they materially misstate the financial statements as a whole.

80


7. The following qualitative factors should be considered when determining whether uncorrected misstatements are material:a. The potential impact of the misstatement on trends, especially

profitability trends.b. Whether the misstatement changes a loss into income or vice

versa.c. The effect of the misstatement on compliance with loan

covenants, contracts, or regulations.d. Statutory or regulatory reporting requirements that impact

materiality thresholds.


e. Whether the misstatement masks a change in earnings or other trends.

f. Whether the misstatement increases management compensation.

g. The risk that possible additional misstatements would impact the auditor's evaluation.

81

42


h. The implications of misstatements involving fraud or illegal acts.

i. The significance of the financial statement element affected by the misstatement.

j. The effects of misclassifications.k. The significance of the misstatement relative to reasonable

user needs.l. Whether the misstatement is precise or subjective.m. The motivation of management with respect to the

misstatement


misstatement.n. The offsetting effects of significant but different

misstatements.o. The likelihood that a currently immaterial misstatement will

become material in future periods.p. The cost of making the correction.

82


8. Auditor's Conclusion – Uncorrected Misstatements are MaterialIf the auditor believes that the financials statements taken as a whole are materially misstated due to uncorrected misstatements, the auditor should request that management make the necessary corrections. If management refuses to make the corrections, the auditor must consider the implications for the audit report.

9. Auditor's Conclusion – Uncorrected Misstatements are Not MaterialIf the auditor concludes that the uncorrected misstatements do not cause the financial statements to be materially misstated then the


cause the financial statements to be materially misstated, then the auditor should consider the effect of undetected misstatements. If the aggregate uncorrected misstatements approach materiality, the risk that the financial statements may be materially misstated due to additional undetected misstatements increases. If this risk is high, the auditor should perform additional procedures.

83

43


E. Evaluating the Sufficiency and Appropriateness of Audit EvidenceAuditor judgment must be used to evaluate the sufficiency and j g yappropriateness of audit evidence, after considering:1. The significance of potential misstatements in a relevant assertion

and the likelihood that the misstatement is material.2. The effectiveness of management's responses and controls.3. Evidence gathered in previous audits related to similar potential

misstatements.4 The results of audit procedures including identified errors and


4. The results of audit procedures, including identified errors and fraud.

5. The source and reliability of evidence.6. The persuasiveness of evidence.7. The understanding of the entity and environment, including

internal controls.84





Audit Sampling

E l ti A dit E id



Documentation

44

Documentation

X. DocumentationWith regard to further audit procedures and the evaluation of the sufficiency and appropriateness of audit evidence, the auditor should su c e cy a d app op ate ess o aud t e de ce, t e aud to s ou ddocument:A. The overall response to the assessed risk of material misstatement

at the financial statement level.B. The nature, extent, and timing of further audit procedures.C. The linkage of further audit procedures with the assessed risks at

the relevant assertion level.


D. The results of audit procedures.E. The conclusions reached regarding the use in the current audit of

evidence of the operating effective of internal controls obtained in prior year audits.

F. All known and likely misstatements corrected by management.

86

Documentation

G. A summary of nontrivial uncorrected known and likely misstatements.

H. The auditor's conclusion about whether uncorrected e aud to s co c us o about et e u co ectedmisstatements, individually or in aggregate, cause the financial statements to be materially misstated and the basis for the conclusion.

I. Uncorrected misstatements should be documented in a manner that allows the auditor to:1. Separately consider known and likely misstatements, including

ncorrected misstatements from prior periods


uncorrected misstatements from prior periods.2. Consider the aggregate impact of misstatements on the

financial statements.3. Consider qualitative factors that are relevant to the materiality

decision.

87

45

Thank You!


20024 - audit risk assessment the do's and don'ts, part 2 risk... · program...

Documents