the university of greenwich 1 september 2009 l9b audit and assurance j. e. spencer-wood lecture 9b...
TRANSCRIPT
theUNIVERSITYofGREENWICH
1September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Lecture 9bThe audit risk approach & internal control
ISA 315
Auditing and assurance
theUNIVERSITYofGREENWICH
2September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Communicationand information
Risk assessment
Controlenvironment
Controlactivities
Monitoring
Directors’ and control (from previous lecture)
The COSO model for IC
theUNIVERSITYofGREENWICH
3September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Auditors are required to…
'obtain an understanding of the entity and its environment, including its IC, sufficient to identify and assess the risks of material misstatement of the FS's whether due to fraud or error, and sufficient to design and perform further audit procedures'
ISA (UK and Ireland) 315 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
4September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• 'Risk assessment procedures' - a term used to gain the understanding of the entity, its environment and its IC
• Risk has to be assessed at two levels• Financial statement level• Assertion level
1
ISA (UK and Ireland) 315 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
5September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• ISA 315 (UK and Ireland) identifies five areas1. The external environment
2. The nature of the entity
3. The approach to business risks
4. Reporting and review of performance
5. IC
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
6September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
The auditor needs to consider -
The external environment
The nature of the entity
The approach to business risks
Reporting and review of performance
IC
theUNIVERSITYofGREENWICH
7September 2009
L9bAudit and assurance
J. E. Spencer-Wood
1. The external environment• Industry conditions
Market and competition
– demand; capacity; price competition Seasonal activity Product technology Energy supply and cost
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
8September 2009
L9bAudit and assurance
J. E. Spencer-Wood
1. The external environment (cont.)• Regulatory environment
Industry specific accounting rules (SORP's - UK) Legislation that significantly affects the entity Taxation Government policies affecting the business Environmental requirements
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
9September 2009
L9bAudit and assurance
J. E. Spencer-Wood
1. The external environment (cont.)• General
Economic activity
– Recession– Growth
Interest rates Availability of financing Inflation
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
10September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
The auditor needs to consider -
The external environment
The nature of the entity
The approach to business risks
Reporting and review of performance
IC
theUNIVERSITYofGREENWICH
11September 2009
L9bAudit and assurance
J. E. Spencer-Wood
2. The nature of the entity• Nature of operations
products, key customers…
• Ownership and structure Corporate governance
• Investments
• Financing
• Financial reporting
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
12September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
The auditor needs to consider -
The external environment
The nature of the entity
The approach to business risks
Reporting and review of performance
IC
theUNIVERSITYofGREENWICH
13September 2009
L9bAudit and assurance
J. E. Spencer-Wood
3. The approach to business risks• Objectives
related to industry developments, expansion…
• Strategies
4. Reporting and review of performance • Ratios, trends, budget use…
(see BPP manual)
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
14September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
The auditor needs to consider -
The external environment
The nature of the entity
The approach to business risks
Reporting and review of performance
IC
theUNIVERSITYofGREENWICH
15September 2009
L9bAudit and assurance
J. E. Spencer-Wood
5. IC– Recall … Directors’ duties (UK)
• COMPLETE / ACCURATE RECORDS
• T&F FS’s
• SAFEGUARD OF ASSETS
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
16September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Five elements of IC
1. Control environment (CE)
2. The client's risk assessment process
3. Information systems
4. Control activities
5. Monitoring of controls
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
theUNIVERSITYofGREENWICH
17September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Communicationand information
Risk assessment
Controlenvironment
Controlactivities
Monitoring
Directors’ and control (cont.)The COSO model for IC
theUNIVERSITYofGREENWICH
18September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
The auditor needs to consider -
The external environment
The nature of the entity
The approach to business risks
Reporting and review of performance
IC
theUNIVERSITYofGREENWICH
19September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
Internal control
The control environment
The risk assessment process
Information systems
Control activities
Monitoring
theUNIVERSITYofGREENWICH
20September 2009
L9bAudit and assurance
J. E. Spencer-Wood
1. IC - The Control EnvironmentISA (UK and Ireland) 315
• IC’s operate in a wider ‘control environment’,
which includes governance and management's :
• Functions
• Attitudes, awareness and actions
theUNIVERSITYofGREENWICH
21September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Essential components of the CE• Integrity and ethical values
• Competence
• Governance
• Philosophy and operating style of management
• Organisation structure
• Staffing policies
1. IC - The Control Environment (cont.)ISA (UK and Ireland) 315
theUNIVERSITYofGREENWICH
22September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
Internal control
The control environment
The risk assessment process
Information systems
Control activities
Monitoring
theUNIVERSITYofGREENWICH
23September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• How the client…
• Identify business risks (BR’s)
• Estimate the significance thereof
• Assess the likelihood of BR occurrence
• The client’s…
• Processes for taking action
2. IC - The Client's Risk Assessment ProcessISA (UK and Ireland) 315
theUNIVERSITYofGREENWICH
24September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
Internal control
The control environment
The risk assessment process
Information systems
Control activities
Monitoring
theUNIVERSITYofGREENWICH
25September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Information systems should be relevant to the financial reporting objective and consist of:• Classes of transaction• Initiation, recording, processing and reporting procedures of
transactions The procedures The accounting records
• Non-transaction events (fe depreciation) data capture
• FS preparation process estimates, disclosures
3. IC - The Client's Information SystemsISA (UK and Ireland) 315
theUNIVERSITYofGREENWICH
26September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
Internal control
The control environment
The risk assessment process
Information systems
Control activities
Monitoring
theUNIVERSITYofGREENWICH
27September 2009
L9bAudit and assurance
J. E. Spencer-Wood
‘…those policies and procedures in addition to the control environment which are established to achieve the entity’s specific objectives’
ISA (UK and Ireland) 315
4. IC - Control Activities (Procedures) ISA (UK and Ireland) 315 definition
theUNIVERSITYofGREENWICH
28September 2009
L9bAudit and assurance
J. E. Spencer-Wood
4. IC - Control Activities (cont.) ISA (UK and Ireland) 315
• Control activities
• PREVENT,
• DETECT and
• CORRECT errors
theUNIVERSITYofGREENWICH
29September 2009
L9bAudit and assurance
J. E. Spencer-Wood
4. IC - Types of Control Activities (cont.) ISA (UK and Ireland) 315
• DOCUMENTS
• approved and controlled by appropriate person
• COMPUTER controls
• Controls over IT applications and environment
• ARITHMETIC
• checked
theUNIVERSITYofGREENWICH
30September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• REVIEW & MAINTENANCE• of control a/c’s and TB’s
• RECONCILIATIONS• (Source audit trail FS’s audit trail source)
• Subsidiary ledgers (debtors, creditors)• Fixed asset registers; wages books; bank; budget
• COUNTS• physical recs. (fe cash, stock)
4. IC - Types of Control Activities (cont.) ISA (UK and Ireland) 315
theUNIVERSITYofGREENWICH
31September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• EXTERNAL information
• compared to internal (fe comparing customer signature for goods rec’d with goods outwards’ records)
• ACCESS to assets and records• Authorised personnel only
4. IC - Types of Control Activities (cont.) ISA (UK and Ireland) 315
theUNIVERSITYofGREENWICH
32September 2009
L9bAudit and assurance
J. E. Spencer-Wood
4. IC - Types of Control Activities (cont.) ISA (UK and Ireland) 315
D
C
A
R
R
C
E
A
C
A
R
D
C
A
R
E
theUNIVERSITYofGREENWICH
33September 2009
L9bAudit and assurance
J. E. Spencer-Wood
4. IC - Control Activities (cont.) Segregation of duties
• More than one person involved in a process
• Helps uncover errors
• Make fraud more difficult
• Separation of:
AUTHORISATION
RECORDING
CUSTODY
theUNIVERSITYofGREENWICH
34September 2009
L9bAudit and assurance
J. E. Spencer-Wood
ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'
Internal control
The control environment
The risk assessment process
Information systems
Control activities
Monitoring
theUNIVERSITYofGREENWICH
35September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Management reports• Internal audit
5. IC - Monitoring of Controls ISA (UK and Ireland) 315
theUNIVERSITYofGREENWICH
36September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Limitations of IC’s
Cost v benefit One-off events Collusion / fraud Abuse of authority Management override Change Error
theUNIVERSITYofGREENWICH
37September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Before we go on, do this:
• Don’t look back at your notes!!!
• What are the 5 elements of IC?
1. …
2. …
3. …
4. …
5. …
…Now back to auditing…
theUNIVERSITYofGREENWICH
38September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Audit risk is the risk that the auditors will give the wrong opinion - the risk that the FS's, or an assertion therein, contains material misstatement
• Audit risk assessment has to be discussed by the engagement team and fully documented - ISA (UK and
Ireland) 315
AUDIT RISK (AR)
theUNIVERSITYofGREENWICH
39September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• A moment, let’s just recall…
Accounting system
Financialstatements
The accounting system
theUNIVERSITYofGREENWICH
40September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• A moment, let’s just recall…
Inherent risk (IR)
FinancialStatements(not T&F)
The accounting system
Inherent risks of material misstatement
theUNIVERSITYofGREENWICH
41September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Client based risk• Inherent risk (IR)
The likelihood of material misstatement
• Control risk (CR) The likelihood that IC’s fail to pick up material misstatement
• Auditor-based risk• Detection risk (DR)
The likelihood that the audit procedures fail to pick up material misstatement
AUDIT RISK (AR)
theUNIVERSITYofGREENWICH
42September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• A moment, let’s just recall…
Control risk (CR)
Financialstatements
The accounting system
Inherent risks of material misstatement
IC stopsIR’s
theUNIVERSITYofGREENWICH
43September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• But…
Control risk (CR)
FinancialStatements(Not T&F)
The accounting system
Inherent risks of material misstatement
IC’s stopIR’s
If there is a controlthat is not working
theUNIVERSITYofGREENWICH
44September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Client based risk• Inherent risk (IR)
The likelihood of material misstatement (ignoring IC’s)
• Control risk (CR) The likelihood that IC’s fail to pick up material misstatement
• Auditor-based risk• Detection risk (DR)
The likelihood that the audit procedures fail to pick up material misstatement
AUDIT RISK (AR)
theUNIVERSITYofGREENWICH
45September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Detection risk (DR)
Financialstatements
The accounting system
Inherent risks of material misstatement
IC’s stopIR’s
If there is a controlthat is not working
AuditworkfindsanyMM
theUNIVERSITYofGREENWICH
46September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• But…But…
Detection risk (DR)
FinancialStatements(not T&F)
The accounting system
Inherent risks of material misstatement
IC’s stopIR’s
If the auditor failsto identify a MM
Auditwork
theUNIVERSITYofGREENWICH
47September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Client based risk• Inherent risk (IR)
The likelihood of material misstatement (ignoring IC’s)
• Control risk (CR) The likelihood that IC’s fail to pick up material misstatement
• Auditor-based risk• Detection risk (DR)
The likelihood that the audit procedures fail to pick up material misstatement
AUDIT RISK (AR)
theUNIVERSITYofGREENWICH
48September 2009
L9bAudit and assurance
J. E. Spencer-Wood
AUDIT RISK (AR)
AR = (IR x CR) x DR
theUNIVERSITYofGREENWICH
49September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Try to think of one example of each of the following:
1. A detection risk
2. A control risk
3. An inherent risk
theUNIVERSITYofGREENWICH
50September 2009
L9bAudit and assurance
J. E. Spencer-Wood
IC system & accounting system
• Financial statements
• Financial records
• Budgets
• Management a/c’s
• Sales analyses
• Production reports
• Materials testing reports + + +
theUNIVERSITYofGREENWICH
51September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Key Points – Lecture 9b
• The Audit Process• Understanding client (5)
1. External environment
2. Entity
3. BR approach
4. Reporting and review
5. IC (5)
i. CE
ii. Risk assessment
iii. Information systems
iv. Control activities
v. Monitoring
• Assessing risks (of material misstatement)
• Prevent, detect and correct
CARDCARE
ARC
Limitations of IC
(7)
theUNIVERSITYofGREENWICH
52September 2009
L9bAudit and assurance
J. E. Spencer-Wood
• Assessing risks (of material misstatement) AR = (IR x CR) x DR
DR is based on the assessment (and is reducedas more audit work is done)
Acceptable ‘risk’ Ascertained and assessed by auditorfe 5% (= 95% confidence)
Key Points – Lecture 9b (cont.)
theUNIVERSITYofGREENWICH
53September 2009
L9bAudit and assurance
J. E. Spencer-Wood
Try to think of one example of each of the following:
1. A detection risk
• The risk that the auditor may miss an omission of a material liability (such
as a loan)
2. A control risk
• The risk that a control ‘fails’ (such as an order being sign by someone who
does not has the authority to do so)
3. An inherent risk
• The risk that an assertion will not be true and fair (that is, will be materially
misstated) if there are no controls (such as cash sales – completeness)
theUNIVERSITYofGREENWICH
54September 2009
L9bAudit and assurance
J. E. Spencer-Wood
IC system & accounting system
• Financial statements CERTAINLY
• Financial records CERTAINLY
• Budgets CERTAINLY
• Management a/c’s ALMOST CERTAINLY
• Sales analyses PROBABLY
• Production reports POSSIBLY
• Materials testing reports + + + …. UNLIKELY, but….