the university of greenwich 1 september 2009 l9b audit and assurance j. e. spencer-wood lecture 9b...

theUNIVERSITYofGREENWICH

1September 2009

L9bAudit and assurance

J. E. Spencer-Wood

Lecture 9bThe audit risk approach & internal control

ISA 315

Auditing and assurance


2September 2009


J. E. Spencer-Wood

Communicationand information

Risk assessment

Controlenvironment

Controlactivities

Monitoring

Directors’ and control (from previous lecture)

The COSO model for IC


3September 2009


J. E. Spencer-Wood

• Auditors are required to…

'obtain an understanding of the entity and its environment, including its IC, sufficient to identify and assess the risks of material misstatement of the FS's whether due to fraud or error, and sufficient to design and perform further audit procedures'

ISA (UK and Ireland) 315 'Understanding the entity and its environment & assessing the risks of material misstatement'


4September 2009


J. E. Spencer-Wood

• 'Risk assessment procedures' - a term used to gain the understanding of the entity, its environment and its IC

• Risk has to be assessed at two levels• Financial statement level• Assertion level

1

ISA (UK and Ireland) 315 'Understanding the entity and its environment & assessing the risks of material misstatement'


5September 2009


J. E. Spencer-Wood

• ISA 315 (UK and Ireland) identifies five areas1. The external environment

2. The nature of the entity

3. The approach to business risks

4. Reporting and review of performance

5. IC

ISA 315 (UK and Ireland) 'Understanding the entity and its environment & assessing the risks of material misstatement'


6September 2009


J. E. Spencer-Wood


The auditor needs to consider -

The external environment

The nature of the entity

The approach to business risks

Reporting and review of performance

IC


7September 2009


J. E. Spencer-Wood

1. The external environment• Industry conditions

Market and competition

– demand; capacity; price competition Seasonal activity Product technology Energy supply and cost



8September 2009


J. E. Spencer-Wood

1. The external environment (cont.)• Regulatory environment

Industry specific accounting rules (SORP's - UK) Legislation that significantly affects the entity Taxation Government policies affecting the business Environmental requirements



9September 2009


J. E. Spencer-Wood

1. The external environment (cont.)• General

Economic activity

– Recession– Growth

Interest rates Availability of financing Inflation



10September 2009


J. E. Spencer-Wood







IC


11September 2009


J. E. Spencer-Wood

2. The nature of the entity• Nature of operations

products, key customers…

• Ownership and structure Corporate governance

• Investments

• Financing

• Financial reporting



12September 2009


J. E. Spencer-Wood







IC


13September 2009


J. E. Spencer-Wood

3. The approach to business risks• Objectives

related to industry developments, expansion…

• Strategies

4. Reporting and review of performance • Ratios, trends, budget use…

(see BPP manual)



14September 2009


J. E. Spencer-Wood







IC


15September 2009


J. E. Spencer-Wood

5. IC– Recall … Directors’ duties (UK)

• COMPLETE / ACCURATE RECORDS

• T&F FS’s

• SAFEGUARD OF ASSETS



16September 2009


J. E. Spencer-Wood

• Five elements of IC

1. Control environment (CE)

2. The client's risk assessment process

3. Information systems

4. Control activities

5. Monitoring of controls



17September 2009


J. E. Spencer-Wood

Communicationand information

Risk assessment

Controlenvironment

Controlactivities

Monitoring

Directors’ and control (cont.)The COSO model for IC


18September 2009


J. E. Spencer-Wood







IC


19September 2009


J. E. Spencer-Wood


Internal control

The control environment

The risk assessment process

Information systems

Control activities

Monitoring


20September 2009


J. E. Spencer-Wood

1. IC - The Control EnvironmentISA (UK and Ireland) 315

• IC’s operate in a wider ‘control environment’,

which includes governance and management's :

• Functions

• Attitudes, awareness and actions


21September 2009


J. E. Spencer-Wood

• Essential components of the CE• Integrity and ethical values

• Competence

• Governance

• Philosophy and operating style of management

• Organisation structure

• Staffing policies

1. IC - The Control Environment (cont.)ISA (UK and Ireland) 315


22September 2009


J. E. Spencer-Wood


Internal control



Information systems

Control activities

Monitoring


23September 2009


J. E. Spencer-Wood

• How the client…

• Identify business risks (BR’s)

• Estimate the significance thereof

• Assess the likelihood of BR occurrence

• The client’s…

• Processes for taking action

2. IC - The Client's Risk Assessment ProcessISA (UK and Ireland) 315


24September 2009


J. E. Spencer-Wood


Internal control



Information systems

Control activities

Monitoring


25September 2009


J. E. Spencer-Wood

• Information systems should be relevant to the financial reporting objective and consist of:• Classes of transaction• Initiation, recording, processing and reporting procedures of

transactions The procedures The accounting records

• Non-transaction events (fe depreciation) data capture

• FS preparation process estimates, disclosures

3. IC - The Client's Information SystemsISA (UK and Ireland) 315


26September 2009


J. E. Spencer-Wood


Internal control



Information systems

Control activities

Monitoring


27September 2009


J. E. Spencer-Wood

‘…those policies and procedures in addition to the control environment which are established to achieve the entity’s specific objectives’

ISA (UK and Ireland) 315

4. IC - Control Activities (Procedures) ISA (UK and Ireland) 315 definition


28September 2009


J. E. Spencer-Wood

4. IC - Control Activities (cont.) ISA (UK and Ireland) 315

• Control activities

• PREVENT,

• DETECT and

• CORRECT errors


29September 2009


J. E. Spencer-Wood

4. IC - Types of Control Activities (cont.) ISA (UK and Ireland) 315

• DOCUMENTS

• approved and controlled by appropriate person

• COMPUTER controls

• Controls over IT applications and environment

• ARITHMETIC

• checked


30September 2009


J. E. Spencer-Wood

• REVIEW & MAINTENANCE• of control a/c’s and TB’s

• RECONCILIATIONS• (Source audit trail FS’s audit trail source)

• Subsidiary ledgers (debtors, creditors)• Fixed asset registers; wages books; bank; budget

• COUNTS• physical recs. (fe cash, stock)



31September 2009


J. E. Spencer-Wood

• EXTERNAL information

• compared to internal (fe comparing customer signature for goods rec’d with goods outwards’ records)

• ACCESS to assets and records• Authorised personnel only



32September 2009


J. E. Spencer-Wood


D

C

A

R

R

C

E

A

C

A

R

D

C

A

R

E


33September 2009


J. E. Spencer-Wood

4. IC - Control Activities (cont.) Segregation of duties

• More than one person involved in a process

• Helps uncover errors

• Make fraud more difficult

• Separation of:

AUTHORISATION

RECORDING

CUSTODY


34September 2009


J. E. Spencer-Wood


Internal control



Information systems

Control activities

Monitoring


35September 2009


J. E. Spencer-Wood

• Management reports• Internal audit

5. IC - Monitoring of Controls ISA (UK and Ireland) 315


36September 2009


J. E. Spencer-Wood

Limitations of IC’s

Cost v benefit One-off events Collusion / fraud Abuse of authority Management override Change Error


37September 2009


J. E. Spencer-Wood

Before we go on, do this:

• Don’t look back at your notes!!!

• What are the 5 elements of IC?

1. …

2. …

3. …

4. …

5. …

…Now back to auditing…


38September 2009


J. E. Spencer-Wood

• Audit risk is the risk that the auditors will give the wrong opinion - the risk that the FS's, or an assertion therein, contains material misstatement

• Audit risk assessment has to be discussed by the engagement team and fully documented - ISA (UK and

Ireland) 315

AUDIT RISK (AR)


39September 2009


J. E. Spencer-Wood

• A moment, let’s just recall…

Accounting system

Financialstatements

The accounting system


40September 2009


J. E. Spencer-Wood


Inherent risk (IR)

FinancialStatements(not T&F)


Inherent risks of material misstatement


41September 2009


J. E. Spencer-Wood

• Client based risk• Inherent risk (IR)

The likelihood of material misstatement

• Control risk (CR) The likelihood that IC’s fail to pick up material misstatement

• Auditor-based risk• Detection risk (DR)

The likelihood that the audit procedures fail to pick up material misstatement

AUDIT RISK (AR)


42September 2009


J. E. Spencer-Wood


Control risk (CR)

Financialstatements



IC stopsIR’s


43September 2009


J. E. Spencer-Wood

• But…

Control risk (CR)

FinancialStatements(Not T&F)



IC’s stopIR’s

If there is a controlthat is not working


44September 2009


J. E. Spencer-Wood


The likelihood of material misstatement (ignoring IC’s)




AUDIT RISK (AR)


45September 2009


J. E. Spencer-Wood

Detection risk (DR)

Financialstatements



IC’s stopIR’s

If there is a controlthat is not working

AuditworkfindsanyMM


46September 2009


J. E. Spencer-Wood

• But…But…

Detection risk (DR)

FinancialStatements(not T&F)



IC’s stopIR’s

If the auditor failsto identify a MM

Auditwork


47September 2009


J. E. Spencer-Wood


The likelihood of material misstatement (ignoring IC’s)




AUDIT RISK (AR)


48September 2009


J. E. Spencer-Wood

AUDIT RISK (AR)

AR = (IR x CR) x DR


49September 2009


J. E. Spencer-Wood

Try to think of one example of each of the following:

1. A detection risk

2. A control risk

3. An inherent risk


50September 2009


J. E. Spencer-Wood

IC system & accounting system

• Financial statements

• Financial records

• Budgets

• Management a/c’s

• Sales analyses

• Production reports

• Materials testing reports + + +


51September 2009


J. E. Spencer-Wood

Key Points – Lecture 9b

• The Audit Process• Understanding client (5)

1. External environment

2. Entity

3. BR approach

4. Reporting and review

5. IC (5)

i. CE

ii. Risk assessment

iii. Information systems

iv. Control activities

v. Monitoring

• Assessing risks (of material misstatement)

• Prevent, detect and correct

CARDCARE

ARC

Limitations of IC

(7)


52September 2009


J. E. Spencer-Wood

• Assessing risks (of material misstatement) AR = (IR x CR) x DR

DR is based on the assessment (and is reducedas more audit work is done)

Acceptable ‘risk’ Ascertained and assessed by auditorfe 5% (= 95% confidence)

Key Points – Lecture 9b (cont.)


53September 2009


J. E. Spencer-Wood

Try to think of one example of each of the following:

1. A detection risk

• The risk that the auditor may miss an omission of a material liability (such

as a loan)

2. A control risk

• The risk that a control ‘fails’ (such as an order being sign by someone who

does not has the authority to do so)

3. An inherent risk

• The risk that an assertion will not be true and fair (that is, will be materially

misstated) if there are no controls (such as cash sales – completeness)


54September 2009


J. E. Spencer-Wood

IC system & accounting system

• Financial statements CERTAINLY

• Financial records CERTAINLY

• Budgets CERTAINLY

• Management a/c’s ALMOST CERTAINLY

• Sales analyses PROBABLY

• Production reports POSSIBLY

• Materials testing reports + + + …. UNLIKELY, but….

the university of greenwich 1 september 2009 l9b audit and assurance j. e. spencer-wood lecture 9b...

Documents

assurance slide

university of greenwich

l9b audit

spencerwood isa

audit procedures isa

ic isa

spencerwood lecture

spencerwood communication