Charteredaccountants.com.au/training Fundamentals of Auditing in 2007 ICAA Audit Training Series 2008 Module 2 – Planning, Materiality & Risk: An Integrated.

1 Fundamentals of Auditing in 2007
ICAA Audit Training Series 2008
Module 2 – Planning, Materiality & Risk: An Integrated Approach
Michael Cain, FCA, Audit & Accounting Technical Director, Nexia International – Australia and New Zealand
charteredaccountants.com.au/training

2 Slide 2 Module 2 - Overview
• ASA 300 - Planning
• ASA 500 – Audit Evidence (Assertions only)
• ASA 200 - Risk
• ASA 320 – Materiality
• ASA 315 – Understanding the entity and assessing risk
• ASA 240 – Fraud and error
• ASA 250 – Consideration of laws and regulations
• Integrating assertions, risks and materiality

3 ASA 300 – Audit Planning

4 Slide 4 Planning and audit
• Planning necessary to conduct effective audit
• Preliminary activities
  - Continuance
  - Ethical considerations (e.g. independence)
  - Terms of engagement
• Establish overall audit strategy
• Prepare audit plan to reduce risk to acceptably low level
• Changes to plan to be documented during course of the audit
• Direction, supervision and review established for audit team
• Documentation

5 ASA 500 – Audit Evidence (Assertions Only)

6 Slide 6 Objective of an Audit
• Enable the auditor to express an opinion as to whether the financial report is prepared, in all material respects, in accordance with an applicable financial reporting framework.
• The only reason auditors accumulate evidence is to enable them to reach conclusions about whether the financial report is fairly stated in all material respects and to issue an appropriate audit report.

7 Slide 7 Audit Evidence
ASA 500 deals with 4 key issues:
1. Concept of audit evidence
2. Sufficient appropriate audit evidence
3. The use of assertions in obtaining evidence
4. Audit procedures for obtaining audit evidence

8 Slide 8 Audit Evidence: 3. The use of assertions
• Use assertions for classes of transactions, account balances and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures.
• See pg 6 for the new audit assertions.

9 Slide 9 Financial report assertions and audit objectives
• Directors and managers make assertions (embodied in the financial report) when they present a financial report.
• Auditors use these assertions to assess risks by considering different types of potential misstatements that may occur and designing audit procedures in response to risks.
• There are three categories of assertions:
  - Classes of transactions and events
  - Account balances
  - Presentation and disclosure.

10 Slide 10 Financial report assertions and audit objectives
Assertions about classes of transactions and events for the period under audit:
• Occurrence: transactions and events that have been recorded have occurred and pertain to the entity.
• Completeness: all transactions and events that should have been recorded have been recorded.
• Accuracy: amounts and other data relating to recorded transactions and events have been recorded appropriately.
• Cutoff: transactions and events have been recorded in the correct accounting period.
• Classification: transactions and events have been recorded in the proper accounts.

11 Slide 11 Financial report assertions and audit objectives
Assertions about account balances at the period end:
• Existence: assets, liabilities and equity interests exist.
• Rights and obligations: the entity holds or controls the rights to assets, and liabilities are the obligation of the entity.
• Completeness: all assets, liabilities and equity interests that should have been recorded have been recorded.
• Valuation and allocation: assets, liabilities and equity interests are included in the financial report at appropriate amounts and any resulting valuation adjustments are appropriately recorded.

12 Slide 12 Financial report assertions and audit objectives
Assertions about presentation and disclosure:
• Occurrence and rights and obligations: disclosed events, transactions and other matters have occurred and pertain to the entity.
• Completeness: all disclosures that should have been included in the financial report have been included.
• Classification and understandability: financial information is appropriately presented and described, and disclosures are clearly expressed.
• Accuracy and valuation: financial and other information is disclosed fairly and at appropriate amounts.

13 Slide 13 Assertions and objectives for the account balance of inventory of a manufacturing company
Financial report assertion, followed by illustrative audit objectives:
Existence
• Inventories included in the balance sheet physically exist.
• Inventories represent items held for sale in normal course of business.
Completeness
• Inventory quantities as per the accounting records include all products, materials and supplies owned by the company that are on hand.
• Inventory quantities include all products, materials and supplies owned by the company that are in transit or stored at outside locations.
Rights & Obligations
• The company has legal title or similar rights or ownership to the inventories.
• Inventories exclude items billed to customers or owned by others.
Valuation & Allocation
• Inventories are properly stated at cost (except when the net realisable value is lower).
• Slow-moving, excess, defective and obsolete items included in inventories are properly identified and valued.

14 Slide 14 ASA 200 – Objective and General Principles Governing an Audit of a Financial Report: Audit Risk Model

15 Slide 15 Overview of the audit risk model
• Audit risk is the risk that the auditor will give an inappropriate audit opinion when the financial report is materially misstated.
• Before issuing an opinion on the financial report, the auditor needs to reduce audit risk to an acceptable level to ensure the opinion is reliable.

16 Slide 16 Reducing audit risk
• An auditor reduces audit risk by performing audit procedures until there is sufficient appropriate evidence for each assertion of each significant transaction class or account balance to provide reasonable assurance that the financial reports are not materially misstated.
• The audit risk model focuses audit effort on those classes of transactions or balances (and the particular assertions) that are likely to contain material misstatements.

17 Slide 17 Components of audit risk (AR)
There are three components. Refer ASA 200
• Inherent risk (IR):
  - Susceptibility of an assertion to material misstatement given inherent and environmental characteristics, but without regard to prescribed control procedures.
• Control risk (CR):
  - Risk that material misstatement might not be prevented or detected by internal control procedures.
• Detection risk (DR):
  - Risk that auditors’ substantive procedures will lead auditor to conclude no material misstatement exists when, in fact, one does.

18 Slide 18 Components of audit risk (AR)
$AR = IR \times CR \times DR$
or
$DR = \dfrac{AR}{IR \times CR}$

19 Slide 19 Graphical depiction of audit risk

20 Slide 20 Reducing audit risk
• Auditors cannot change inherent risk.
• Auditors cannot directly change control risk. An auditor can obtain evidence to support an assessed level of control risk less than high (expect to rely on internal control) by examining control environment, risk assessment process, information system, control activities and monitoring of controls, and testing their effectiveness.

21 Slide 21 Reducing audit risk
The level of detection risk is the lever an auditor can pull to reduce audit risk by:
• Appropriate planning, direction, supervision and review
• Decisions on the nature, timing and extent of audit procedures
• Effective performance of procedures and evaluation of results.

22 Slide 22 Interrelationship of the components of audit risk

23 Slide 23 Business risk Defined as: The risk that an entity’s business objectives will not be obtained as a result of external and internal factors, pressures and forces brought to bear on an entity and, ultimately, the risk associated with the entity’s survival and profitability. Requires extensive knowledge of client’s business and industry.

24 Slide 24 The relationship of business risk to the determination of audit risk

25 Slide 25 ASA 320 – Materiality and Audit Adjustments

26 Slide 26 Materiality
• Auditor must make preliminary assessment of materiality when planning the audit.
• ‘Materiality’ defined: information which, if misstated, omitted, or not disclosed separately in a financial report, may adversely affect either user decisions or the discharge of accountability by management (ASA 320.06)
• Auditor uses materiality to:
  - Evaluate the presentation of financial data.
  - Determine the nature, timing and extent of audit procedures (sometimes called planning materiality).

27 Slide 27 Determining planning materiality
An item is material if:
• It influences the economic decisions of users
• It affects the discharge of accountability by management/others

28 Slide 28 Determining planning materiality
• Auditors use materiality to plan the audit, when performing procedures and at the end of the audit to assess whether the financial report is true and fair.
• At the planning stage, the materiality level gives you a benchmark to work with.

29 Slide 29 Determining planning materiality
There are many ways to determine materiality - the auditing standards do not prescribe one particular method.

30 Slide 30 Setting the preliminary materiality judgment
• When planning the audit, an auditor makes a preliminary estimate of the amount to be considered material for audit purposes.
• Conceptually encompasses:
  - Known misstatements
  - Likely misstatements
  - Potential undetected misstatements.
• A single amount is normally estimated for materiality because misstatements usually affect both the balance sheet and income statement. 5–10% of net profit before tax is the most common for a company with publicly traded securities.

31 Slide 31 Quantitative guidelines: materiality
• Material  10% of appropriate base amount
• Immaterial  5% of appropriate base amount
• Judgment  5-10% of appropriate base amount
• Base amount for balance sheet items  equity, or the appropriate asset or liability class total.
• Base amount for income statement items  net profit or loss and appropriate revenue and expense amount, either for year or, if significantly fluctuates, averaged over a number of years.

32 Slide 32 Determining planning materiality: using rules of thumb
Common bases and the range of percentages applied to each base:
• Total revenue: 0.5–1%
• Total assets: 0.5–1%
• Equity: 1–2%
• Profit: 5–10%
Use same 6 step process as for accounting standards.

33 Slide 33 Determining planning materiality
6 step process for calculating materiality:
1. Decide on the base amount/s
2. Decide on the degree of assurance required
3. Determine the preliminary materiality level = base amount/s x %
4. Consider last year’s materiality level
5. Choose final number
6. Allocate to segments

34 Slide 34 Financial information used as base
• Can be taken from:
  - Financial report to be audited (if available);
  - Annualised interim financial information; or
  - Previous period’s financial reports.

35 Slide 35 Consideration of qualitative factors in materiality
• An auditor should consider qualitative factors as well as quantitative assessment. Qualitative factors include:
  - The significance of the item to the particular entity
  - The pervasiveness of the misstatement (e.g. the misstatement might affect the presentation of numerous items in the financial report)
  - The effect of the misstatement on the financial report as a whole.

36 Slide 36 Allocation of materiality to account balances and classes of transactions
• An auditor needs to allocate planning materiality to account balances and classes of transactions for audit testing. (Auditing standards are silent on this issue.)
• No required or optimal method, but an auditor should consider:
  - Dollar value of account
  - Expectation of error.

37 Slide 37 Relationship between materiality and audit risk
There is an inverse relationship between risk and materiality:
• Higher risk - lower materiality - more evidence from substantive procedures
• Lower risk - higher materiality - less evidence from substantive procedures

38 Slide 38 Discussion problem #2

39 Slide 39 ASA 315 – Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement

40 Slide 40 Major steps in the audit process
• In every audit of a financial report there are seven identifiable stages. These stages are:
  - Obtaining knowledge of the client’s business
  - Understanding internal controls
  - Assessing risks of material misstatement
  - Responses to assessed risks
  - Performing tests of controls
  - Performing substantive procedures
  - Completion and review.

41 Slide 41 Developing an overall audit strategy
• Important aspect of audit planning process is obtaining knowledge of client’s business and its business risk, and through that understanding, making judgments in relation to areas of audit risk and materiality.
• Interrelationship between materiality, audit risk and what constitutes sufficient appropriate audit evidence impacts on auditor’s strategy.
• Audit strategies can range from a lower assessed level of control risk approach to a predominantly substantive approach.

42 Slide 42 Range of audit strategies
[Figure: a continuum from "Lower assessed level of control risk" to "Predominantly substantive approach". Audit strategy may be anywhere along this continuum.]

43 Slide 43 Predominantly substantive approach
• If the auditor believes adequate controls do not exist or might be ineffective or testing controls are not cost effective, audit strategy will be to:
  - Use a planned assessed level of control risk of high
  - Plan to obtain a minimum understanding of internal control
  - Plan no tests of control
  - Plan extensive substantive audit procedures based on planned acceptable level of detection risk of low or medium.

44 Slide 44 Impact of business risk assessment on audit strategy
• Substantial time is spent on the planning stage and on developing an expectation of what the entity’s financial report should look like. Audit strategy might include:
  - Increased use of sophisticated analytical procedures
  - Undertaking tests of controls for routine transactions
  - Increased substantive testing for non-routine transactions
  - Reduced detailed substantive testing if financial report is in accordance with auditor’s expectations.

45 Slide 45 Preparing detailed audit plan or program An audit plan or audit program is a detailed list of audit procedures that need to be applied to a particular balance or class of transactions to implement the audit strategy.

46 Slide 46 Purpose of detailed audit programs
• Programs should provide:
  - Evidence of proper planning of work
  - Guidance to inexperienced staff (monkey programs)
  - Evidence of work performed
  - A means of controlling time spent on the engagement
  - Evidence of consideration of internal control in relation to proposed audit procedures.

47 Slide 47 Contents of audit plan/program
• An audit plan/program will outline the following characteristics of audit procedures:
  - Nature: particular audit procedures to use and particular items to which a procedure will be applied
  - Extent: number of items to which procedures will be applied, and number of different tests to be performed
  - Timing: appropriate time to perform the procedure.

48 Slide 48 Assessing the risk of material misstatements
• Key new standards have been released which change the way risk assessments are carried out.
• ASA 315, 330 and 500 are the key standards
• The audit risk model has been replaced by a business risk method of assessing risk

49 Slide 49 Overview of the audit risk standards
1. Perform risk assessment procedures to understand the entity and its environment. See ASA 315.10-.116
2. Assess the risks of material misstatement at the financial report level and at assertion level. See ASA 315.117-.140
3. Respond to the risks at the financial report level and assertion level. See ASA 330.08-.28
4. Perform further audit procedures that are clearly linked to risks at the assertion level. See ASA 330.29-.89
5. Evaluate whether sufficient and appropriate audit evidence has been obtained. See ASA 330.90-.98 and ASA 500

50 Slide 50 Assessing the risk of material misstatements
ASA 315 deals with 5 key issues:
1. Risk assessment procedures, including internal controls
2. Understanding the entity and its environment, including internal controls
3. Assessing the risks of material misstatement, including identifying significant risks
4. Communicating with management regarding weaknesses in controls
5. Documenting the work done

51 Slide 51 Knowledge of client’s business

52 Slide 52 Knowledge obtained by the auditor
An auditor shall obtain an understanding of:
• Client’s organisational structure
• Client’s operational and legal structure
• Relevant industry and economic conditions

53 Slide 53 Knowledge of the client’s business Purpose: help to assess business risk, assist the auditor to identify events, transactions, practices and risks that might have a significant effect on financial report, particularly on the appropriateness of accounting policies adopted and the reasonableness of assumptions and estimates incorporated in client’s financial report.

54 Slide 54 Procedures for obtaining an understanding of a client’s business
These include:
• Reviewing the auditor’s previous experience with the client and industry
• Discussion with client personnel, other advisers or previous auditors of the entity
• Reviewing the industry or government publications and legislations
• Visiting the client’s premises
• Reviewing documentation produced by the client.

55 Slide 55 Business risk
Business risk can be defined as:
• Risk that an entity’s business objectives will not be attained as a result of external and internal forces brought to bear on an entity and, ultimately, the risk associated with the entity’s profitability and survival.

56 Slide 56 Assessing business risk
The auditor must obtain a thorough understanding of the industry, including:
• Profitability and structure of the industry
• Relationship between the industry and the broad economic and business environment
• Critical issues facing the industry
• Significant industry business risks.

57 Slide 57 Assessing business risk
The auditor must also understand how the entity fits within the industry, including:
• Entity’s position within the industry in terms of profitability and market share
• Opportunities and plans the entity has for increasing or maintaining profitability and market share
• Threats to the entity’s position in the industry
• Ways in which the entity deals with customers and competitors
• Methods the entity uses to measure and monitor its performance.

58 Slide 58 Techniques for assessing business risk: SWOT analysis
• Strengths: Internal aspects that can improve competitive situation.
• Weaknesses: Internal aspects, vulnerability to competitors’ strategic moves.
• Opportunities: Environmental aspects that can improve entity’s situation relative to competitors.
• Threats: Environmental aspects that can undermine entity’s competitive situation.

59 Slide 59 Techniques for assessing business risk: PEST analysis
Identifies the following influences on the entity:
• Political
• Economic
• Social
• Technological

60 Slide 60 Response to assessed risks
An auditor should determine overall responses to assessed risks at financial report level, and perform audit procedures at the assertion level. Responses at financial report level include:
• Assigning more experienced staff
• Using experts
• Incorporating unpredictability into selection of further audit procedures.

61 Slide 61 Performing further audit procedures at the assertion level
An auditor must consider:
• Significance of the risk
• Likelihood of misstatement occurring
• Nature of the specific controls used by the entity
• Whether auditor expects to obtain evidence to determine if entity’s controls are effective in preventing, or detecting and correcting, material misstatement (planned control risk < HIGH).

62 Slide 62 Assessing specific business risks

63 Slide 63 Assessing risk of material misstatement
• ASA 330 points out that, when considering assessment of risk of material misstatement at assertion level, an auditor must relate these back to account balances / classes of transactions / disclosures.
• Need to consider both the particular characteristics of each class of transaction, account balance or disclosure (inherent risks) and whether the auditor’s assessment takes account of the entity’s controls (control risk).

64 Slide 64 Business risk (BR) and IR
• An entity’s business strategy and associated risks will affect an auditor’s assessment of IR at the financial report level.
• Where possible, an auditor traces BRs to areas of a financial report which are likely to be misstated.

65 Slide 65 Factors affecting IR at financial report level
• Integrity of management
• Management experience, knowledge and changes during the period
• Unusual pressure on management
• Nature of entity’s business
• Factors affecting the industry

66 Slide 66 Inherent risk and Information Technology (IT)
• As IT risks can be pervasive to the entity, factors affecting overall IR associated with IT are:
  - Significant changes in IT
  - Insufficient IT skills and resources
  - Lack of entity support and focus
  - High dependence on IT
  - Reliance on external IT
  - Reliability and complexity of IT.

67 Slide 67 Inherent risk assessment at assertion level
• IR is greater for some assertions and related classes of transactions, account balances and disclosures than for others.
• Auditors will normally focus on:
  - Accounts likely to require adjustment
  - Complexity of underlying transactions
  - Judgment involved in determining account balance
  - Susceptibility of assets to loss or misappropriation
  - Occurrence of unusual and complex transactions, particularly at or near year-end
  - Transactions not subject to ordinary processing.

68 Slide 68 Effect of inherent risk on account balance assertion

69 Slide 69 Preliminary assessment of going concern basis
• Going concern: Entity expected to pay debts as and when they fall due, and continue to operate without any intention necessarily to liquidate or otherwise wind up operations. Refer ASA 570.06
• ASA 570 requires auditors to assess going concern at planning stage, as imminent business failure might have an effect on appropriateness of presentation of financial report or might motivate management misrepresentations.

70 Slide 70 Preliminary assessment of going concern basis
• Early identification helps focus audit effort on appropriate assertions in the financial report, and permits early communication with management.
• An auditor focuses primarily on anticipated events during the relevant period, approximately 12 months from the date of the current audit report to the expected date of the next audit report.

71 Slide 71 Examples of indications of going concern problems
Operating indicators include:
• Lack of strategic direction
• Deficiencies in the governing body
• Lack of management expertise
• Concentration of risk in few products
• Loss of major market
• Prolonged industrial action
• Shortages of important supplies
• Deficiencies in management information systems
• Rapid or unplanned development of business
• Uninsured or underinsured disasters.

72 Slide 72 Examples of indications of going concern problems
Financial indicators:
• High gearing
• Fixed-term borrowings
• Reliance on short-term borrowings
• Adverse key financial ratios
• Lack of sustainable operating profits
• Dividend arrears
• Inability to pay
• Difficulty in complying with terms of loan agreements
• Denial of trade credit
• Inability to obtain necessary financing.

73 Slide 73 Examples of indications of going concern problems
Other indications:
• Non-compliance with capital requirements
• Undue influence of market-dominant competitor
• Legal proceedings against the entity
• Technical developments making key product obsolete
• Adverse changes in legislation
• Failure of other entities in industry.

74 Slide 74 Discussion Problem #3

75 Slide 75 Understanding internal control

76 Slide 76 Audit strategy and internal control ‘Internal control’ is the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance regarding the achievement of the entity’s objectives concerning financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations. (ASA 315.54)

77 Slide 77 Audit strategy and internal control
• It is designed and implemented to address business risks that threaten any of these objectives.
• The importance of internal control has increased as business entities become larger and more complex.

78 Slide 78 Auditor’s requirements
• ASA 315.52 requires that the auditor obtain an understanding of internal control relevant to the audit.
• At the financial report level the auditor’s assessment of risk of material misstatement is affected by his or her understanding of the control environment. Refer ASA 330.10
• At the assertion level, the auditor needs to consider control risk in his or her assessment of the risk of material misstatement. Refer ASA 330.19

79 Slide 79 Responsibility for internal control
• Achieving satisfactory internal control is initially a management responsibility, although ultimate responsibility rests with the directors.
• To maintain control over operations and accounting data, management needs to adopt, maintain and supervise an appropriate internal control system.

80 Slide 80 Inherent limitations of internal control
• Internal control cannot assure a reliable financial report because it has inherent limitations. Therefore, an auditor can never rely completely on the internal control.
• Inherent limitations arise because of:
  - Control breakdowns as a result of the actions of careless, fatigued or deviant staff
  - The possibility of management override
  - The existence of non-routine transactions for which internal controls were not devised.

81 Slide 81 Reasonable assurance
• Internal control should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable.
• The concept of reasonable assurance recognises that, in some cases, the cost of establishing and maintaining controls can outweigh the benefits of adopting controls.

82 Slide 82 Internal control objectives
• Risks are identified and minimised.
• Management decision making is effective and business processes efficient.
• Transactions are carried out in accordance with management’s authorisation.
• Laws, rules and regulations are complied with.
• Transactions are promptly and accurately recorded.
• Access to assets is limited in accordance with management’s authorisation.
• Asset records are compared with existing assets at reasonable intervals.

83 Slide 83 Management controls
• Definition: ‘The activities undertaken by senior management to mitigate strategic risks to the entity, and promote effectiveness of decision making and efficiency of business activities’.
• These include:
  - Communicating business objectives and goals
  - Establishing lines of authority and accountability
  - Establishing and enforcing appropriate codes of conduct
  - Monitoring risk environments
  - Defining policies and procedures for dealing with these risks
  - Monitoring performance through performance indicators and benchmarking.

84 Slide 84 Transaction controls
• These are performed by staff and lower level management. Every transaction goes through the identifiable steps of authorisation, execution and recording.
• These controls:
  - Are generally focused on internal risks and reflect the formal policies and procedures defined by senior management
  - Deal primarily with the reliability of accounting information and compliance with rules and regulations
  - Control the flow of transactions through the accounting system and safeguard related assets by authorising and recording transactions, restricting access to assets and checking for existence of recorded assets.

85 Slide 85 Characteristics of satisfactory internal control
• Controls to monitor and minimise business risks
• Segregation of incompatible duties and responsibilities
• System of authorisation, recording and procedures adequate to provide control over assets, liabilities, revenues and expenses
• Sound business practices in performance of duties and functions
• Capabilities commensurate with responsibilities

86 Slide 86 Elements of internal control
Five elements of IC outlined in ASA 315:
1. Control environment
2. Entity’s risk assessment process
3. Information system
4. Control activities
5. Monitoring of controls.
Refer page 15 of notes

87 Slide 87 1. Control environment
• The control environment includes management’s overall attitude, awareness and actions regarding internal control and its importance in the entity (ASA 315.80)
• Auditors should consider:
  - Communication and enforcement of integrity and ethical values
  - Commitment to competence
  - Participation by those charged with governance
  - Management philosophy and operating style
  - Organisational structure
  - Assignment of authority and responsibility
  - Human resource policies and practices.

88 Slide 88 1. Considering internal control in a financial report audit
• For every audit, irrespective of intended reliance on internal control, an auditor must obtain sufficient understanding of internal control to plan the audit and determine tests to be performed.
• The nature and extent of an auditor’s consideration of internal control varies considerably across audits and depends on audit strategy.

89 Slide 89 1. Understanding internal control (IC)
• The auditor obtains an understanding of ICs to assess control risk and:
  - Identify the types of potential misstatements that could occur and the factors that contribute to the risk that they will occur
  - Understand the accounting system sufficiently to identify the client documents etc. that may be available and ascertain what data will be used in audit tests
  - Determine an efficient and effective approach to the audit.
• Where auditor assesses control risk as less than high, he or she must consider operating effectiveness and gather evidence to support this assessment. This evidence will be obtained through tests of control (discussed later).

90 Slide 90 1. Procedures for understanding the control environment
• An auditor gains an understanding of the control environment by:
  - Making inquiries of key management personnel
  - Inspecting documented policies and procedures
  - Observing activities and operations
  - Considering past experience with the client.

91 Slide 91 1. Procedures for understanding the control activities
• Procedures include:
  - Inquiry of appropriate client personnel
  - Inspection of documentation
  - Observation of the entity’s activities, operations and procedures
  - Walkthrough: an auditor traces one or a few transactions of each type through the related documents and accounting records, observing related processing and control procedures in operation.

92 Slide 92 2. Entity’s risk assessment process  An entity’s risk assessment process is its way of identifying and responding to business risks.  Once risks are identified, management needs to consider their significance and how they should be managed.  Management may introduce plans to address specific risks or it may accept a risk on a cost-benefit basis.

93 Slide 93 2. Procedures for understanding the risk assessment process  An auditor needs to determine how management identifies business risks relevant to the financial report, estimates the significance of the risks, assesses their likelihood of occurrence, and decides upon actions to manage them.  An auditor will inquire of management about business risks that management has identified and consider whether they may result in a material misstatement.  If an auditor identifies a risk of material misstatement during the audit that management failed to identify, he or she needs to consider whether management should have identified it and, if so, why the process failed.

94 Slide 94 3. Information system  An effective information system establishes records and methods that:  Identify and record all valid transactions  Describe on a timely basis the transactions in sufficient detail to permit proper classification for financial reporting  Measure the value of transactions in a manner that permits recording of their proper monetary value in the financial report  Determine the period in which transactions occurred to permit recording of transactions in the proper accounting period  Present the transactions and related disclosures properly in the financial report.

95 Slide 95 3. Procedures for understanding the information system  An auditor is required to obtain sufficient knowledge of the information system to understand:  Significant classes of transactions  Initiation of transactions  Records, documents and accounts  Accounting processing  Financial reporting procedures.  Being able to follow transaction flows (the audit trail) is an important technique in understanding the information systems.

96 Slide 96 3. Audit trail An important feature of the information system is the audit trail.  Audit trail:  Individual transactions can be traced through each step of the accounts to their inclusion in the financial report and, similarly, from the financial report the amounts can be vouched or traced back to original source documentation.  Main elements:  Source documents — the initial records of transactions in the system. Processing usually creates a source document when a transaction is executed  Journal  Ledger.

97 Slide 97 4. Control activities  Policies and procedures that management has established to ensure its directives are carried out.  Can pertain to:  Performance reviews (e.g. comparing actual with budget)  Information processing, comprising application controls (processing of individual applications) and general IT controls (policies and procedures applying to many applications)  Physical controls (e.g. locked storerooms for inventory and fireproof safes for cash and securities on hand)  Segregation of duties (the most basic of which is to have different individuals responsible for custody of assets and the keeping of records relating to those assets).

98 Slide 98 4. Segregation of duties related to a transaction A transaction may be considered to pass through four phases:  Authorisation — the initial authorisation or approval for an exchange transaction  Execution — the act that commits the entity to the exchange, such as placing an order  Custody — the physical act of accepting, delivering or maintaining the asset  Recording — the entry of the transaction data into the accounting system. Ideally, all four phases should be kept separate.
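The four-phase separation on this slide can be tested directly against transaction data. The following is an added example, not part of the presentation: the log layout, user names and finding labels are constructed for illustration, and the custody-plus-recording flag reflects the combination slide 97 calls the most basic segregation.

```python
from collections import defaultdict

# The four phases named on the slide; ideally each is handled by a different person.
PHASES = ("authorisation", "execution", "custody", "recording")

# Constructed sample log (not from the presentation): (transaction, phase, user).
SAMPLE_LOG = [
    ("PO-1001", "authorisation", "alice"),
    ("PO-1001", "execution", "bob"),
    ("PO-1001", "custody", "carol"),
    ("PO-1001", "recording", "dave"),
    ("PO-1002", "authorisation", "alice"),
    ("PO-1002", "execution", "bob"),
    ("PO-1002", "custody", "erin"),
    ("PO-1002", "recording", "erin"),    # same person holds the asset and keeps the records
    ("PO-1003", "authorisation", "frank"),
    ("PO-1003", "execution", "frank"),   # same person approves and places the order
    ("PO-1003", "custody", "carol"),     # no recording event: incomplete audit trail
]

def sod_findings(log):
    """Return {transaction: [finding, ...]} for transactions that break the separation."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, phase, user in log:
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r} on {txn}")
        by_txn[txn][phase].add(user)

    findings = {}
    for txn, phases in sorted(by_txn.items()):
        issues = []
        missing = tuple(p for p in PHASES if p not in phases)
        if missing:
            issues.append(("missing_phase", missing))
        # Invert to user -> phases performed, keeping the slide's phase order.
        per_user = defaultdict(list)
        for p in PHASES:
            for user in sorted(phases.get(p, ())):
                per_user[user].append(p)
        for user, done in sorted(per_user.items()):
            if len(done) > 1:
                custody_and_recording = {"custody", "recording"} <= set(done)
                issues.append(("same_person", user, tuple(done), custody_and_recording))
        if issues:
            findings[txn] = issues
    return findings

if __name__ == "__main__":
    for txn, issues in sod_findings(SAMPLE_LOG).items():
        print(txn, issues)
```

A transaction with no findings had all four phases present and performed by four different users; anything returned is a candidate for the walkthrough and inquiry procedures described earlier.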

99 Slide 99 4. Control activities and assertions  Control activities can be related to financial report assertions:  Occurrence (e.g. authorisation and approval of transactions)  Completeness (e.g. accounting for sequence of transactions)  Accuracy (e.g. checking dollar amounts back to supporting documentation)  Cutoff (e.g. independent review of transactions around balance date)  Classification (e.g. independent checking of account coding).

100 Slide 100 5. Monitoring of controls  Monitoring of controls: A process to assess the effectiveness of the performance of internal control. It involves:  Evaluating the design and operation of controls  Taking corrective action where necessary.  Management may monitor controls through ongoing activities such as supervisory activities and/or separate evaluations.  In many entities internal auditors contribute to the monitoring process.

101 Slide 101 5. Procedures for understanding monitoring of controls  The auditor is required to obtain an understanding of how the entity monitors internal control over financial reporting and initiates corrective actions.  In many entities internal auditors contribute to the monitoring of an entity’s activities.  The auditor needs to obtain an understanding of the sources of the information related to the entity’s monitoring activities and the basis upon which management considers the information to be sufficiently reliable.

102 Slide 102 Procedures to document the understanding of internal control  Internal control questionnaires and checklists  Narrative memoranda: written description of internal control policies and procedures  Flowcharts

103 Slide 103 Assessing internal control

104 Slide 104 Assessing control risk  After obtaining an understanding of the five components of internal control, the auditor assesses control risk for the assertions in the related account balances, transaction classes and disclosures.  The auditor must decide whether to assess control risk for a particular assertion at high or at less than high.

105 Slide 105 Assessment of control risk at high  Control risk will be assessed at high because the entity’s internal control policies and procedures in the area:  Are poor and do not support less than a high assessment;  May be effective, but the audit tests to gather evidence of their effectiveness would be more time consuming than performing substantive tests; or  Do not pertain to the particular assertion.

106 Slide 106 Assessing control risk at less than high  An auditor must support assessment where control risk is assessed at less than high:  First, the auditor identifies specific control activities relevant to particular assertions that are likely to prevent or detect material misstatements in those assertions.  Next, the auditor performs tests of controls to evaluate the effectiveness of these control activities. This process is followed for each account balance or transaction class that is material to the financial report. This is discussed later.

107 Slide 107 Discussion Problem #4

108 Slide 108 Discussion Problem #6

109 Slide 109 Controls in an IT environment

110 Slide 110 Levels of control in computerised systems Two main categories: 1. User controls —  Those controls established and maintained by departments whose processing is performed by computer. 2. IT controls —  Those controls established and maintained at the location of the computer, for example in data-processing departments.

111 Slide 111 General and application controls  IT controls can be further divided into general and application controls. General controls are those controls that relate to a number of application systems; application controls relate to a particular application.  User controls are always application controls, given their purpose.

112 Slide 112 General controls  General controls are manual and computer controls that relate to all or many computerised accounting applications. These provide a reasonable level of assurance that overall objectives of internal control are achieved.  General controls include:  Segregation of duties  Control over programs  Control over data.

113 Slide 113 Segregation of duties within IT

114 Slide 114 Control over programs  Includes control over:  Development or acquisition of new programs  Changes to existing programs  Access to programs  Specialised systems software  Modifications or access should be appropriately authorised, approved and tested.

115 Slide 115 Control over data  Control procedures in user departments to ensure restricted access (e.g. key passes, locks)  Control procedures in CIS departments at input and processing stage  Restriction of access to data files (e.g. password)  Use of librarian function or software

116 Slide 116 Other general controls  These include controls that back up hardware, software and files and ensure recovery when the computer installation or particular files or programs are damaged.  These do not normally have an effect on the auditor’s control risk assessment.

117 Slide 117 Application controls  Relate to individual computerised accounting applications (e.g. debtors)  Contribute to achievement of specific control objectives considered by auditor in tests of controls  Can be programmed and located in either the user departments or IT department

118 Slide 118 User application controls  Control totals:  Financial totals  Record totals  Hash totals  Review and reconciliation of data  Error correction and resubmission procedures  Authorisation of each transaction and batch of transactions

119 Slide 119 IT application controls  Usually classified into the following categories:  Input controls  File controls  Processing controls  Output controls

120 Slide 120 Input controls  Control totals  Key verification  Key entry validation  Programmed controls:  Check digit  Limit or reasonableness test  Field test  Valid code test.

121 Slide 121 File controls  Include:  Internal file labels — computer-readable data that identifies content of file  External file labels — printed or handwritten labels attached to disk or tape.

122 Slide 122 Processing controls  Programmed control procedures:  Checking numerical sequence of records  Comparing related fields.  Run-to-run control totals
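The control totals listed on slides 118 and 120 and the run-to-run totals on this slide work the same way: totals fixed when the batch is submitted are recomputed after each later step and compared. The following is an added example, not part of the presentation; the batch contents, run names and function names are constructed, and the hash total is taken over account numbers as a field with no monetary meaning.

```python
from decimal import Decimal

def control_totals(batch):
    """Record, financial and hash totals for a batch of (account_no, amount) rows."""
    return {
        "record_total": len(batch),
        "financial_total": sum((Decimal(amount) for _, amount in batch), Decimal("0")),
        # Hash total: sum of a non-monetary field, meaningless except as a check.
        "hash_total": sum(int(account) for account, _ in batch),
    }

def reconcile(expected, batch):
    """Return the names of the control totals that no longer agree with `expected`."""
    actual = control_totals(batch)
    return [name for name in expected if expected[name] != actual[name]]

def first_break(expected, runs):
    """Run-to-run check: (run name, mismatched totals) for the first failing run, else None."""
    for name, output in runs:
        mismatched = reconcile(expected, output)
        if mismatched:
            return name, mismatched
    return None

# Constructed batch as submitted by the user department (not from the presentation).
SUBMITTED = [("100234", "150.00"), ("100781", "89.95"),
             ("102210", "1200.00"), ("100912", "42.50")]

# Constructed variants of the same batch after a faulty step.
DROPPED = SUBMITTED[:3]                                           # one record lost
ALTERED = [SUBMITTED[0], ("100781", "98.95")] + SUBMITTED[2:]     # amount mis-keyed
REDIRECTED = [SUBMITTED[0], ("100999", "89.95")] + SUBMITTED[2:]  # wrong account number

if __name__ == "__main__":
    expected = control_totals(SUBMITTED)
    print("expected:", expected)
    for label, batch in (("dropped", DROPPED), ("altered", ALTERED),
                         ("redirected", REDIRECTED)):
        print(label, "->", reconcile(expected, batch))
    runs = [("edit", SUBMITTED), ("sort", sorted(SUBMITTED)), ("update", REDIRECTED)]
    print("first break:", first_break(expected, runs))
```

The redirected batch still agrees on record and financial totals; only the hash total exposes the changed account number, which is why the three totals are used together.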

123 Slide 123 Output controls  These include:  Restricted distribution  Automatic dating of reports  Page numbering  End-of-report messages.

124 Slide 124 Relationship between general and application controls  The auditor should start by looking at general controls.  If general controls are unreliable, an auditor has little confidence in programmed application controls and reduced confidence in manual application controls → auditor takes more substantive approach to the audit.  If general controls reliable, auditor makes preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made → auditor determines appropriate degree of testing of controls and substantive testing.

125 Slide 125 Control systems in different environments  Database: A database is a computer-readable file of records that is used by many accounting applications. In order to handle processing of data, a system software program called a database management system (DBMS) is used. Has many controls built in.  Stand-alone PCs: Can cause distinction between general and application controls to be blurred and controls to be less structured. Thus, control risk commonly assessed as high.

126 Slide 126 Control systems in different environments  LANs and other networks: networking PCs means that processing is distributed to PCs at many locations. Can cause problems with security and control procedures as they are more dispersed. In most cases control risk has risen significantly.

127 Slide 127 ICAA Audit Training Series 2008 ASA 240 – The Auditor’s Responsibility to Consider Fraud charteredaccountants.com.au

128 Slide 128 Special areas of audit risk: fraud  At the planning stage, an auditor should consider the risk that misstatements from fraud or error will not be detected.  It is easier to miss material misstatements resulting from fraud because fraud involves acts designed to conceal it.

129 Slide 129 Increased attention to fraud  Auditors have been required to pay greater attention to fraud. Auditors:  Need specifically to consider risks of material misstatement in financial report due to fraud  Must discuss an entity’s susceptibility to fraud with other members of the audit team  Must make more extensive inquiries of management with respect to fraud.  Auditors are now specifically required to consider the risk of fraud in revenue recognition and the possibility of management override of controls.

130 Slide 130 Audit procedures for fraud at planning stage  An auditor will use his or her experience, knowledge and training to determine whether fraud could occur.  An auditor needs a thorough understanding of a client’s business in order to identify opportunities for the perpetration of fraud.

131 Slide 131 Considering the risk of fraud  ASA 240 deals with 4 key issues: 1. Responsibilities of the auditor 2. Risk assessment procedures 3. Evaluation of audit evidence 4. Communication with management

132 Slide 132 Considering the risk of fraud  1. Responsibilities of the auditor  Obtain reasonable assurance that the financial report is free from material misstatement due to fraud  Maintain attitude of professional scepticism  Discuss and document considerations with engagement team  Discuss how fraud might arise on the engagement

133 Slide 133 Earnings management  Earnings management occurs when judgment in financial reporting and in structuring transactions is used to alter financial reports to influence the perceptions of stakeholders.  Earnings management involves those responsible for preparing the financial report such as the Chief Financial Officer (CFO) and Chief Executive Officer (CEO).  Incentives to manage earnings can be either behavioural or market-based.

134 Slide 134 Broad categories of earnings management  Earnings management by clients may fall into the following categories:  Intentional violations of accounting standards and other reporting requirements that are individually immaterial  Inappropriate revenue recognition  ‘Big bath’ charges under the guise of restructuring  Improper accruals and estimation of liabilities in good times.

135 Slide 135 Considering the risk of fraud  2. Risk assessment procedures  Consider the risk of fraud as part of your risk assessment procedures  Next step is to assess the risk of material misstatement due to fraud at the financial report and assertion level (balances, transactions, disclosures)  Determine how to respond to those risks and design and perform appropriate procedures

136 Slide 136 Red flag indicators of fraud  An auditor commonly uses a checklist to identify increased risks of fraud. Where risk is high, it is called a 'red flag'.  These are listed in appendix of standard and are grouped under:  Management  Unusual pressures within an entity  Market pressures  Unusual transactions  Unsatisfactory records  IT environment.

137 Slide 137 Considering the risk of fraud  3. Evaluation of audit evidence  Evaluate whether your risk assessment in relation to fraud remains appropriate  Consider whether any misstatements found are indicative of fraud

138 Slide 138 Considering the risk of fraud  3. Evaluation of audit evidence  Consider whether concluding analytical procedures indicate a previously unrecognised risk of fraud  Obtain management representations in relation to fraud

139 Slide 139 Considering the risk of fraud  4. Communicate with management  Communicate with management and/or the governing body if fraud is identified or indicated

140 Slide 140 ICAA Audit Training Series 2008 ASA 250 – Consideration of Laws and Regulations charteredaccountants.com.au

141 Slide 141 Considering illegal acts  ASA 250 (ISA 250) provides guidance on an auditor’s consideration of illegal acts (noncompliance with laws and regulations):  An auditor must understand the legal and regulatory framework applicable to the entity and industry  An audit normally does not include procedures specifically designed to detect illegal acts  An auditor must recognise circumstances requiring special attention (e.g. a debenture deed requires a specific current ratio be maintained) and consider these in preparation of audit programs.

142 Slide 142 Module 2 – Topics Covered  ASA 500 – Audit Evidence (Assertions only)  ASA 200 - Risk  ASA 320 – Materiality  ASA 315 – Understanding the entity and assessing risk  ASA 240 – Fraud and error  ASA 250 – Consideration of laws and regulations  Integrating assertions, risks and materiality

143 Slide 143 Conclusion and questions

