Download presentation
Presentation is loading. Please wait.
1
Insert Presentation Title Here
Challenging Risk Assessment in Planning an Audit – PLANNING THE AUDIT FOR EFFECTIVENESS AND EFFICIENCY Insert Presentation Title Here Annette Eustice, CPA, CGFM March 5, 2017
2
OBJECTIVE Risk assessment is a key requirement in the planning phase of an audit. The objective of this presentation is to provide the participant with a brief overview of the risk assessment planning process of an audit, documentation requirements, and how to best plan an audit around the conclusions developed from the risk assessment planning process.
3
EXAMPLES OF CHALLENGES IN RISK ASSESSMENT
Risks identified - no audit response Risks identified in planning are not considered in the risk assessment. Fraud risks identified are not reflected in risk assessment and no audit response is prepared. Areas identified as significant in other planning are not identified as significant in the risk assessment planning.
4
EXAMPLES OF CHALLENGES IN RISK ASSESSMENT
Audit responses crafted to address identified risks are not reflected in the audit program. Audit procedures to be performed (added) which are documented in risk assessment are not added in the audit program (tailoring). Low risk areas identified during risk assessment as areas being addressed using a limited approach and to be documented on a lead sheet are actually supported by a formal audit program with basic or extended procedures in the audit program.
5
WHAT WOULD YOU DO IF? You had unlimited time to complete an audit and the client was willing to pay you an unlimited amount to do it right? You have a fixed fee contract of $20,000 and 100 hours to complete the engagement Key Points: An engagement letter does not, by itself, result in the identification of risks that may result in a misstatement of the financial statements, but the issuance of the letter may reduce the firm’s business risk by clarifying responsibilities of each party and the objectives and limitations of the engagement. A written engagement letter is required for all audits.
6
WHAT IS RISK ASSESSMENT?
Audit Procedures Concentrate audit effort in high risk areas Inherent risk Control risk Perform less extensive procedures in low risk areas Risk Assessment Obtain an understanding of the client, including internal control Identify and assess risks of material misstatement of the financial statements Evaluate both overall risks and risks that affect only specific assertions Linkage Key Points: An audit approach based on risk assessment provides methods to identify higher-risk areas and assertions so that audit effort can be focused on those areas. By focusing efforts in higher-risk areas and limiting procedures in lower-risk areas, you will perform a more effective and focused audit. The standards relating to risk assessment emphasizes “linkage” between assessed risks and resulting audit procedures, that is, overall responses that address risks of material misstatement at the financial statement level as well as procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level. Presentation Tip: Assertions are mentioned several times in the presentation. Explain that assertions are representations by management, explicit or otherwise, that are embodied in the financial statements. Assertions about transaction classes relate to the entire period under audit and consist of: Occurrence. Transactions and events that have been recorded have occurred and pertain to the entity. Completeness. All transactions and events that should have been recorded have been recorded. Accuracy. Amounts and other data relating to the recorded transactions and events have been recorded appropriately. Cutoff. Transactions and events have been recorded in the correct accounting period. Classification. Transactions and events have been recorded in the appropriate accounts. Assertions about account balances relate to the period end and consist of: Existence. Assets, liabilities, and equity interests exist. Rights and Obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity. Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded. Valuation and Allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. According to AU-C 315, relevant assertions are assertions that have “a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated.” For More Information: Financial statement assertions are discussed in section 302.
7
The Cycle of Risk Assessment
Assess risks at the FS level Develop an audit strategy Assess risks at the relevant assertion level Test controls (if applicable) Develop a detailed audit plan Substantive Audit Procedures Engagement Team Discussion Materiality Risk Assessment Procedures Understand the entity and its environment, including internal control Client acceptance/continuance Establishing an understanding with the client. Preliminary Engagement Activities Planning and Risk Assessment Procedures Assessing Risk and Developing Responses Perform Further Audit Procedures
8
Client Acceptance/Continuance
Consider: Nature and purpose of engagement Client’s reputation, integrity, and competence Communication with predecessor Compliance with ethical requirements, including independence Adequacy of accounting records Firm resources and competence Engagement economics Other risk concerns Key Points: The engagement acceptance or continuance decision generally focuses on factors that increase overall financial statement risk, such as increased risks due to indications of pressures, opportunities, or incentives for fraudulent financial reporting on the part of management, the company’s precarious financial position that creates a likelihood of bankruptcy, etc. Consideration of this information might cause the firm to decline to accept the engagement; terminate the client relationship; or plan and perform the audit in a different manner, such as by using more experienced personnel. Agreeing on the terms of an audit includes establishing preconditions for an audit, that is, the use by management of an acceptable financial reporting framework in the preparation and fair presentation of the financial statements and the agreement of management and, when appropriate, those charged with governance, to the premise on which an audit is conducted. If the preconditions for an audit are not met, the auditor should discuss the matter with management and not accept the engagement unless required by law or regulation to accept it. If any risks are identified when making the acceptance or continuance decision that could result in a material misstatement of the financial statements, those risks should be added to your “Risk Assessment Summary Form.”
9
Planning and Risk Assessment Procedures
Perform a retrospective review of accounting estimates Understand the entity and its environment, including internal control Perform risk assessment procedures Determine materiality Hold an engagement team discussion Key Points: Step 2: Perform Planning and Risk Assessment Procedures, which consists of holding an engagement team discussion, determining materiality, performing risk assessment procedures, obtaining an understanding of the entity and its environment, including internal control, and performing a retrospective review of accounting estimates. For More Information: Planning and risk assessment procedures are discussed in section 201.
10
Engagement Team Discussion
Discuss the susceptibility of the financial statements to material misstatement Consider fraud risks and risks of error Include: Critical issues and areas of significant audit risk Areas susceptible to management override of controls Unusual accounting practices Important control systems Materiality considerations Need to exercise professional skepticism Business risks Fraud considerations Key Points: AU-C requires key members of the audit team (including the engagement partner) to discuss the susceptibility of the entity’s financial statements to material misstatements. SAS 99 requires an open exchange of ideas, or “brainstorming” among audit team members about how and where they believe the entity’s financial statements might be susceptible to material misstatement due to fraud, how management could perpetuate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. These discussions can be held concurrently, that is, one meeting can cover the susceptibility of the financial statements to material misstatements from both error and fraud. However, it is important to consider the susceptibility to fraud as a distinct part of this combined discussion to avoid potentially diluting that critical consideration. The focus ought to be on the individual members gaining a better understanding of the potential for material misstatements resulting from error or fraud in the specific areas assigned to them, and understanding how the results of audit procedures they perform affect other aspects of the audit. The more experienced team members can share their insights based on their cumulative knowledge of the entity, its industry, and its environment. Participants should maintain an attitude of professional skepticism throughout the discussion and should not be influenced by past favorable experience with the integrity of management. In fact, SAS 99 states that the engagement team should abandon neutrality and any preconceptions about management’s and employees’ honesty, but instead presume the possibility of dishonesty at various levels of management. Presentation Tips: Tailor the list of engagement team discussion items based on your firm’s practice for the engagement team discussion.
11
Engagement Team Discussion (cont.)
Attendance: Auditor with final responsibility Key members of engagement team Tax Personnel Concurring Reviewers Document: How the discussion occurred, the subject matter, who participated, and decisions about planned responses Key Points: In addition to the audit partner and key members of the engagement team, it may be appropriate to include specialists in the discussion, such as IT specialists, assigned to the engagement team. AU-C requires that the following items be documented regarding the discussion among the audit team: How and when the discussion occurred. Subject matter discussed. Participating audit team members. Significant decisions reached concerning planned responses at the financial statement and relevant assertion levels. These requirements are similar to the documentation requirements of AU-C 240 regarding the fraud aspects of the discussion.
12
Materiality Apply professional judgment
Consider decisions that users make Use appropriate benchmarks, such as % of assets or revenue Re-evaluate materiality as the audit progresses. If lower, reconsider: Level of performance materiality Adequacy of procedures Key Points: It is important to use professional judgment when determining planning materiality—the calculation should not be rote. The reference to “decisions that users make” is based on the definition of materiality in FASB Statement of Financial Accounting Concepts 8 as: “Information is material if omitting it or misstating it could influence decisions that users make on the basis of the financial information of a specific reporting entity.” Conceptually, materiality should be established based on the auditor’s perception of users’ needs and expectations since an item is material if it would have influenced users’ judgments. For many nonpublic companies, total assets or revenue often provide a sound benchmark for determining materiality because they are stable, predictable, and representative of entity size. Base amounts (such as assets or revenues) used in the benchmark come from the financial statements to be audited or the trial balance from which those financial statements will be prepared. If those amounts are not available, annualized amounts from the most recent interim financial statements are used. For revenue, an annualized amount is used even if the audit period is shorter than a year. When current amounts are unavailable, significant audit adjustments are expected, or significant changes in the entity's circumstances indicate that current amounts are not representative of the entity's results of operations or financial position, historical averages based on the past two or three years can be used. Planning materiality judgments might need to be reconsidered as the audit progresses. AU-C states that you should revise materiality levels if you become aware of information during the audit that would have caused you to determine a different amount(s) initially. Because the calculation made during initial planning often uses interim financial information, the amounts in the annual audited financial statements might differ. If planning materiality based on interim amounts is too large, then audit scope might not have been sufficient. If planning materiality based on interim amounts was too small, then the audit would be less efficient than would have been possible because the auditor will have done more audit work than was necessary. Thus, if you become aware of changes that would have affected the determination of planning materiality, adjustments are made. AU-C indicates that if you conclude that a lower materiality than initially determined is appropriate, you should determine whether performance materiality has to be revised and whether the nature, timing, and extent of further audit procedures remain appropriate.
13
Materiality Document: Materiality at the financial statement level
If applicable, materiality level(s) for particular transaction classes, account balances, or disclosures Performance materiality Factors considered in their determination Any revisions made during the audit Key Points: Document the levels of planning materiality and performance materiality (for the financial statements as a whole as well as for particular items of lesser amounts), the factors considered in their determination (for example, the benchmark and why it is considered appropriate), and any revisions in materiality as the audit progresses. Presentation Tips: We should also document the amount of a misstatement that is considered trivial (one that does not require posting to the misstatement summary). Be careful to remind participants that any misstatement greater than the trivial amount should be posted to the misstatement schedule. It is not appropriate to dispose of misstatements at the workpaper level unless they are below the trivial amount.
14
Perform Risk Assessment Procedures
Two categories of audit procedures: Risk Assessment Procedures Both Provide Audit Evidence Key Points: AU-C explains that the auditor should perform risk assessment procedures to provide a satisfactory basis for the identification and assessment of risks of material misstatement at both the financial statement and relevant assertion levels. Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control. The understanding obtained and assessed risks are used to design and perform further audit procedures. Further audit procedures include substantive procedures and tests of controls performed in response to the assessed risks to reduce the overall audit risk to an appropriately low level, as well as other procedures sometimes referred to as general procedures. Risk assessment procedures do not provide sufficient appropriate audit evidence on which to base the auditor’s opinion on the financial statements. Further Audit Procedures
15
Risk Assessment Procedures
Inquiry Observation and Inspection Analytical Procedures Key Points: Types of risk assessment procedures include: Inquiries of management and others within the entity and those charged with governance. Observation and inspection. Analytical procedures.
16
Risk Assessment Procedures
Performed to obtain an understanding of the entity and its environment, including internal control, for the purpose of assessing risks All of the procedures should be performed Inquiry alone is not sufficient to understand internal control Provide audit evidence Key Points: Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control, for the purpose of assessing the risks of material misstatement at the financial statement and relevant assertion levels. All of the risk assessment procedures (that is, inquiry, observation and inspection, and analytical procedures) are performed when obtaining an understanding of the entity and its environment. However, each of those procedures need not be performed for every component of the required understanding. Performing all of the risk assessment procedures is usually accomplished by: Making inquiries of client personnel to update information in the PPC planning forms. Observing and inspecting documents and records, including performing walkthroughs of transaction processing systems, to corroborate responses to inquiries. Performing preliminary analytical procedures. The standards explicitly indicate that inquiry alone is not sufficient to evaluate the design and implementation of internal control. Therefore, observation and inspection will most likely be coupled with inquiry procedures when obtaining the understanding of internal control. The standards view risk assessment procedures as part of a process that provides audit evidence that ultimately supports the auditor’s opinion on the financial statements. This is the notion that the assessed level of risk itself provides audit evidence, rather than being only a means of determining the audit evidence that is necessary.
17
Required Inquiries Inquire about: Fraud Related parties
Accounting estimates Compliance with laws and regulations Service organizations Key Points: AU-C 240 requires auditors to make fraud-related inquiries of management or the owner/manager, other employees, internal auditors (if applicable), and those charged with governance (if separate from management) to identify whether anyone has suspicions or actual knowledge of fraud. These include inquiries about: Whether they have knowledge of any actual, suspected, or alleged fraud. Management's process for identifying, responding to, and monitoring the risks of fraud in the entity. The nature, extent, and frequency of management's assessment of fraud risk and the results of those assessments. Any specific risks of fraud that management has identified or that have been brought to its attention. The classes of transactions, account balances, or disclosures for which a fraud risk is likely to exist. Management's communications, if any, to (1) those charged with governance on its process for identifying and responding to fraud risks and (2) employees on its views on business practices and ethical behavior. AU-C requires the auditor to make specific inquiries of management and others regarding related parties, including: Identity of related parties, including changes from the prior period. Nature of related-party relationships. Whether there were any transactions with those related parties during the period and, if so, the transaction types and purposes. AU-C states that the auditor should make inquiries of management about whether any changes in circumstances have occurred that may give rise to new accounting estimates or the need to revise existing estimates. Inquiries may include matters such as whether: The entity has entered into new types of transactions that may give rise to accounting estimates. Transaction terms that affect accounting estimates have changed. Accounting policies relating to accounting estimates have changed as a result of changes to GAAP. Regulatory or other changes have occurred that may require the revision of existing accounting estimates or new estimates to be made. New conditions or events have occurred that may give rise to new or revised estimates. AU-C requires the auditor to inquire of management and those charged with governance about whether the entity is in compliance with laws and regulations that may have a material indirect effect on the financial statements and to inspect relevant correspondence with licensing and regulatory authorities. AU-C requires the auditor to inquire of management about whether a service organization has reported to it, or whether it is otherwise aware of, any fraud, noncompliance with laws and regulations, or uncorrected misstatements at the service organization that affect the financial statements of the user entity. There are no specific documentation requirements for inquiries made as risk assessment procedures, but AU-C 230 provides pertinent guidance. AU-C states that in documenting the nature, timing, and extent of audit procedures, the auditor should record the identifying characteristics of the items or matters tested. AU-C 230.A14 suggests that, for a procedure involving inquiries of entity personnel, the auditor records the inquiries made, the dates of inquiries, and the names and job designations of the personnel. CX-3.3, “Fraud Risk Inquiries Form,” provides for documentation of fraud inquiries and includes a list of required inquiries to ensure important topics are not overlooked. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, “Risk Assessment Summary Form.” Presentation Tips: Review a blank copy of CX-3.3 with the participants. Point out how the questions on the form match the requirements of the standard. Also point out that this form is also used to document required inquiries about illegal acts and inquiries about unusual or improper journal entry activity. A completed CX-3.3 is illustrated in Case Study 1 at Appendix A-7 and in Case Study 2 at Appendix B-5. Consider reviewing one of these documents, or one of the firm’s completed practice aids, with participants.
18
Observation and Inspection
Inspect documents and records Read internal reports and minutes Read external information Visit premises and plant facilities Trace transactions through the system (walkthroughs) Key Points: Observation and inspection may include inspecting documents and records, reading internal reports and minutes, reading external information, visiting premises and plant facilities, or tracing transactions through the system (walkthroughs). Performance of observation and inspection procedures is required when obtaining an understanding of the entity and its environment, including its internal control, to assess risk. The standards effectively mandate the performance of observation and inspection when obtaining an understanding of internal control by explicitly stating that inquiry alone is not sufficient to understand the design of controls and determine that they have been implemented. One of the best ways to supplement inquiry is to perform a walkthrough of significant transaction processing systems. Observation and inspection are frequently used to corroborate or follow-up on the results of inquires made of management and others. For example, when evaluating the design and implementation of the entity’s system of internal control, members of management might tell you that they communicate the importance of ethical values to employees through a written code of conduct and by example. You might corroborate this response by examining the written code. When obtaining an understanding of the entity and its environment, observation or inspection might be the key procedure that enables the auditor to fully obtain pertinent information and identify related risks. For example, in order to gain an understanding of the client’s financing arrangements and underlying covenants, the auditor might decide to review the client’s loan agreements and other related documents. That procedure, coupled with a review of the client’s financial statements, might be the key procedure that helps the auditor identify risks related to potential noncompliance with loan covenants. Presentation Tips: Consider discussing some examples of the use of observation and inspection procedures, such as: Inspecting documents and records (business plans and strategies, internal control manuals, etc.)—Recent business plan might reveal a shift in marketing and sales strategy during the year to concentrate on one industry dominated by three competitors, which indicates increased risk related to unrecognized sales discounts and rebates. Reading internal reports and minutes—Internal audit reports might cite significant deficiencies in controls over revenue recognition, which indicates increased risk of revenues recorded in incorrect periods or at improper amounts. Reading external information—Trade journals might indicate that one of the client’s key products will soon be outdated due to the recent introduction of a technologically superior product by a competitor, which indicates an increased risk of improper inventory valuation. Visiting premises and plant facilities—While touring client production facilities, you might observe significant damage to uninsured machinery and equipment due to a recent storm, which indicates an increased risk of impairment. Performing walkthroughs—A walkthrough of the billing cycle might reveal that control procedures to follow-up on unbilled transactions have not been implemented, which indicates an increased risk of unrecorded revenues and receivables.
19
Analytical Procedures
Preliminary analytical procedures Analytical procedures related to revenue required by AU-C 240 To enhance understanding of the business and identify potential risk areas Key Points: AU-C specifies that risk assessment procedures should include analytical procedures. Other than the analytical procedures performed to comply with SAS 99, analytical procedures used in the planning stage only need to be designed to point out audit areas that may be indicative of potential risks and, thus, need special emphasis. Professional standards do not require the use of any particular analytical procedures. Analytical procedures may consist of reviewing changes in account balances from the prior year to the current year using the general ledger or the preliminary or unadjusted working trial balance. Other preliminary analytical procedures may consist primarily of analysis of ratios or trends related to profitability, liquidity, solvency, and activity combined with inquiries of financial and operating management. In the audit of a small business, simple comparisons and ratios are ordinarily effective. AU-C 240 requires performance of preliminary analytical procedures relating to revenue in order to identify unusual or unexpected relationships that may indicate fraudulent financial reporting (that is, improper revenue recognition). Comparison of current and prior-period account balances for revenue accounts ordinarily will not be sufficient to identify potential fraudulent financial reporting. Preliminary analytical procedures related to revenue should typically be performed at a more disaggregated level than other preliminary analytics, such as by comparing sales by month or by location to comparable prior-year sales. Those procedures should be updated during the final review stage of the audit, that is, they should be performed through the end of the reporting period. Documentation of preliminary analytical procedures can be limited, but it should be sufficient to provide support for the auditor's risk assessment. The results of the preliminary analytical review ordinarily are documented using a narrative memorandum, comparative carryforward schedule, or other form of workpaper referenced from a step on the planning program. If risks are identified, they should be added to CX-7.1, “Risk Assessment Summary Form.”
20
Understanding the Entity and Its Environment
Perform risk assessment procedures (inquiry, analytics, observation, and inspection) to gather information about: Industry, regulatory, and other external factors Nature of the entity Objectives, strategies, and related business risks Measurement and review of the entity’s financial performance Selection and application of accounting policies Key Points: Matters relating to industry, regulatory, or other external factors include: Industry conditions Legal and regulatory environment Government policies General economic conditions Matters relating to the nature of the entity include: Structure, ownership, and governance Business operations—revenues, products or services, and markets Major assets and liabilities Expenses Workforce considerations Investments Financing Financial reporting Matters relating to objectives, strategies, and related business risks include future trends, expectations, objectives, and strategies in areas such as: Products and services Marketing and sales Research and development Technology Business expansion or restructuring Workforce or compensation Information used by management for measurement and review of the entity’s financial performance might include: Key financial and nonfinancial performance indicators Trends Key ratios and other operating and financial statistics Forecasts, budgets, and variance analyses Period-on-period financial performance Comparisons to competitors’ performance (i.e., benchmarking) Information prepared by external parties, such as analyst reports and credit rating agency reports
21
Understanding the Entity and Its Environment
Consider the presence of fraud risk factors Update information obtained in prior years by performing risk assessment procedures to determine if the information has changed Key Points: AU-C states that the auditor should evaluate whether the information obtained from risk assessment procedures indicates that one or more fraud risk factors are present. Fraud risk factors are conditions or events that indicate: Incentives/pressure to perpetrate fraud (such as conditions that indicate excessive pressure on management or the owner/manager to meet the requirements or expectations of third parties), Opportunities to carry out the fraud (such as deficiencies in internal control or ineffective monitoring of management), or Attitudes/rationalizations to justify a fraudulent action (such as dissatisfaction with the entity on the part of employees with access to assets susceptible to theft). Fraud risk factors may be related to fraudulent financial reporting or misappropriation of assets. Previous experience with the entity contributes to the understanding of the entity and its environment. Audit procedures performed in previous audits typically provide useful audit evidence about: The entity’s organizational structure, business, and controls. Past misstatements and whether they were corrected on a timely basis, which assists the auditor in assessing risks of material misstatement in the current audit. However, before using information obtained in prior periods, determine whether changes have occurred that may affect its relevance in the current audit. According to AU-C 315, “The auditor should make inquiries and perform other appropriate audit procedures, such as walkthroughs of systems, to determine whether changes have occurred that may affect the relevance of such information.” Changes may change the client’s inherent or business risk or the auditor’s assessment of risks of material misstatement.
22
Understanding Internal Control
Control Environment Risk Assessment Information and Communication Monitoring Control Activities Key Points: Auditors should obtain an understanding of the five components of internal control that is sufficient to assess the risks of material misstatement of the financial statements due to error or fraud and design the nature, timing, and extent of further audit procedures. The control environment sets the tone of an entity and influences the control consciousness of its people. The control environment is the foundation for all other components of internal control and provides structure and discipline. Among the important elements of the control environment are attitudes, awareness, and actions of management, as well as those charged with governance, concerning internal control. The integrity of management or the owner/manager often plays a significant role in establishing a strong control environment. Risk assessment is the process of setting objectives; prioritizing and linking those objectives; and identifying, analyzing, and managing risks relevant to achieving those objectives. With respect to the objective of reliable financial reporting, the entity’s risk assessment process involves the identification, analysis, and management of the risks of material misstatement of the financial statements. Information refers to the financial reporting system, which includes the accounting system, and encompasses the procedures and records established to initiate, authorize, record, process, and report the entity’s transactions. It also includes the accountability over assets, liabilities, and equity. Communication is the process of providing an understanding of roles and responsibilities to individuals within the organization regarding internal control over financial reporting. The monitoring is a process by which an entity assesses the quality of its internal control over time. Monitoring involves assessing the design and operation of controls on a timely basis, capturing and reporting identified control deficiencies, and taking actions as necessary. Monitoring activities can also reveal evidence or symptoms of fraud. Effective monitoring ensures that internal controls are modified as changes in conditions occur in the business. Control activities are the policies and procedures that help ensure that management directives are carried out. That is, control activities are those actions that are taken to address risks that threaten the entity’s ability to achieve its objectives, one of which is reliable financial reporting. Control activities usually involve two elements: (a) a policy that establishes what should be done and (b) the procedure that implements the policy. Auditors generally begin by obtaining an understanding of the control environment, risk assessment, information and communication, and monitoring components, typically obtaining an understanding of the control environment first. The understanding of control activities is not needed until planning the nature, timing, and extent of further audit procedures at the assertion level. As a practical matter, however, auditors often obtain an understanding of control activities while obtaining an understanding of the other control components.
23
Understanding Internal Control
Understand design and implementation Perform inquiry, observation, and inspection Inquiry alone is not sufficient to understand the design and implementation of controls Key Points: AU-C 315 requires auditors to perform risk assessment procedures to evaluate the design of controls that are relevant to the audit and determine whether they have been implemented. A key consideration is whether and how the entity’s internal control prevents, or detects and corrects, material misstatements in relevant assertions related to transaction classes, account balances, or disclosures. It is not enough to simply determine whether a control as described or documented is effective in design. Implementation means determining that the control, as documented or described, actually exists and the entity is using it. This involves performing observation and inspection in addition to inquiry. Inquiry alone is not sufficient to evaluate the design and implementation of internal control. Generally, observation and inspection procedures are performed in addition to inquiry.
24
Understanding Internal Control
Evaluate the design and implementation of controls— Related to significant risks Related to risks that cannot be tested effectively using substantive procedures alone Understand— How the incorrect processing of transactions is resolved How detail is reconciled to the general ledger for material accounts Key Points: Significant risks generally relate to nonroutine transactions and complex or judgmental matters. Examples of matters that often involve significant risks include: Significant nonroutine transactions, that is, transactions that are unusual due to their size or nature. Accounting estimates for which there is significant measurement uncertainty, such as certain fair value estimates. Transactions that involve complex calculations or the application of complex accounting principles, such as self-constructed property with capitalized interest or revenue recognition for software that is tailored for the customer. Significant related-party transactions. Transactions that require a large degree of manual intervention in data collection and processing. Unusual or infrequent transactions that by their nature make effective controls difficult to implement, such as major litigation. Transactions that involve a relatively large degree of management intervention in specifying the accounting treatment. Fraud risks are always considered to be significant risks. After completing your risk assessment procedures to evaluate internal control design and implementation, you should consider whether a sufficient understanding has been obtained of controls that would prevent, or detect and correct, material misstatements related to fraud risks or other significant risks. If not, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks. When you believe substantive procedures alone will not be sufficient, testing of internal controls is required. This tends to occur in highly automated processing environments in which a significant amount of information is initiated, authorized, recorded, processed, or reported electronically. If you have not obtained a sufficient understanding of controls related to risks that cannot be addressed with substantive procedures alone, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks. You should obtain an understanding of how the incorrect processing of transactions is resolved. For example, some systems use suspense accounts or files to capture failed transactions. For such situations, the auditor would understand the procedures for suspense accounting including how suspended transactions are researched and cleared. Another specific requirement of the auditing standards is to understand the process for reconciling detail records to the general ledger. For example, for the accounts receivable general ledger account, you should understand the process of reconciling the account to the subsidiary accounts receivable ledger. This understanding is typically obtained when obtaining an understanding of significant transaction processing systems and the financial close and reporting process.
25
Understanding Internal Control
Document the following: Understanding of internal control components Sources of information Procedures performed Controls evaluated related to significant risks and risks for which substantive procedures alone are not effective Key Points: Au-C requires documentation of the understanding of internal control. The auditor is required to document the understanding obtained for the five components of internal control, the sources of information used and risk assessment procedures performed to obtain the understanding, and the controls related to significant risks and risks for which substantive procedures alone will not be sufficient. Professional standards permit flexibility in the manner of documentation. Possible documentation methods include: Narratives or memorandum documents. Internal control questionnaires. Checklists. Flowcharts. The form and extent of documentation is influenced by factors such as the complexity, size, and nature of the entity and the use of technology. Some auditors supplement their documentation with existing documentation of control systems prepared by the entity. Consider inquiring of the client about the existence of such documentation along with any supporting evaluation of the effectiveness of controls. When client documentation is available, the auditor may gain additional audit efficiencies and a better understanding of the client's internal control.
26
Understanding Internal Control
Document the processing of transactions for each significant transaction class Document the financial close and reporting process
27
Identifying Significant Transaction Classes
Transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures based on: Volume of activity Size and composition of accounts Types of transactions Presence of fraud risks or other significant risks Changes from the prior period Key Points: The auditor should identify significant transaction classes and obtain an understanding of the flow of information (including electronic information) through the entity's financial reporting system for each of those classes. That is, the auditor should obtain an understanding of how transactions are processed from initiation through inclusion in the general ledger. Significant transaction classes are identified and listed on CX-4.1, “Understanding the Design and Implementation of Internal Control.” Significant transaction classes are those classes of transactions in the entity's operations that are significant to the financial statements, generally because of the volume or risk characteristics of transactions processed. When identifying significant transaction classes, focus on transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures, including those that involve significant or fraud risks. Qualitative and quantitative factors such as the following should be considered: Volume of activity. Size and composition of the related accounts. Susceptibility to misstatement due to errors or fraud. Nature of the transactions, related account balances, or disclosures. Accounting and reporting complexities. Exposure to losses in the related accounts. Possibility of significant contingent liabilities arising from the activities being processed. Existence of related party transactions. Changes from the prior period in the characteristics of the transactions, related account balances, or disclosures.
28
Understanding Significant Transaction Classes
How are transactions initiated and authorized? How are transactions recorded and processed? How are transactions reconciled? What reports are generated and how are they used? Key Points: The following questions are related to understanding how transactions are initiated and authorized: How and by whom are transactions initiated and authorized? What source documents (or electronic means) are used to capture information for entry in the accounting system? How and by whom are transactions originally entered in the accounting system for processing? The following questions are related to understanding how transactions are recorded and processed: What are the accounting processing steps, both automated and manual, from original entry to inclusion in the general ledger and who performs them? What accounting records and supporting documents are used or created when processing transactions? What subsidiary journals or ledgers are involved? How is the incorrect processing of transactions resolved? The following questions are related to understanding how transactions are reconciled: What procedures are used to enter transaction totals into the general ledger? What is the entity’s process for reconciling account detail to the general ledger for material accounts? How does IT affect the entity’s control activities? Consider what management reports or other information are generated from the system and how they are used by management or the owner/manager in managing and controlling the entity’s activities. Throughout the process of obtaining the understanding, consider the effect of IT on the way the entity's control activities are designed and implemented. Also identify and evaluate the controls, if any, the entity has implemented to prevent or detect and correct material misstatements related to fraud risks or other significant risks. And be alert for areas where controls must be tested because substantive procedures alone will not be sufficient to address assessed risks.
29
Understanding Significant Transaction Classes
Consider control objectives: Completeness: All transactions are recorded Occurrence: All recorded transactions occurred and pertain to the entity Accuracy: Transactions are recorded in the proper amount Classification: Transactions are recorded in the proper account Cutoff: Transactions are recorded in the proper period Key Points: When obtaining an understanding of internal control, many auditors consider control objectives during the process of identifying controls and evaluating their design and implementation. A control objective states the purpose of a control in relation to risks and “what could go wrong” in the financial statements. For example, “All property, plant, and equipment additions are recorded,” might be a control objective that addresses a risk of fixed asset transactions not being properly tracked and recorded (i.e., completeness). Failure to achieve that control objective could potentially result in understatement of fixed assets and depreciation expense, as well as misstatements in other income statement accounts. Control objectives for transaction processing typically relate to the assertions of completeness (all transactions are recorded), occurrence (all recorded transactions occurred and pertain to the entity), accuracy (transactions are recorded in the proper amount), classification (transactions are recorded in the proper account), and cutoff (transactions are recorded in the proper period). By considering control objectives and how they relate to risks and what can go wrong at the relevant assertion level, an auditor might find it easier to identify existing controls and evaluate their design effectiveness. For example, an auditor might tailor inquiries of client personnel to focus on how certain control objectives are achieved within the entity when trying to identify the controls that address a particular risk of material misstatement. Likewise, when existing controls are identified, the auditor can evaluate whether those controls, if operating effectively, would fully achieve the objective or whether deficiencies exist because of improper design or missing controls. The auditor is not required to understand all controls and control activities that might exist in an entity. The auditor typically focuses attention on those controls that are most important in achieving particular control objectives related to identified risks. Often, an entity has multiple controls that contribute to achieving its control objectives. However, certain of those controls, referred to as key controls, are considered primary to achieving the objectives. When identifying controls, evaluating design effectiveness, determining implementation, and testing operating effectiveness, it is often most efficient and effective for the auditor to focus on key controls. Many times, these are the controls that the client believes are the most effective and reliable in operation to fully address a control objective.
30
Documenting Significant Transaction Classes
Narrative description Focus on key controls and control objectives related to identified risks How are control objectives achieved? What controls are in place to address significant or fraud risks? Are controls properly designed and implemented? Key Points: When preparing the narratives, attention should be focused on the control objectives and key controls related to the relevant assertions and risks that were identified when performing other risk assessment procedures. Before writing the narrative, review your identified risks related to the transaction class and consider the related control objectives. For example, if the transaction class is sales order processing, and you identified a risk related to the completeness of sales transactions, address in your narrative the controls that are in place to ensure that all sales transactions are processed (completeness). Be sure the narrative specifically addresses controls the entity has implemented to prevent or detect and correct material misstatements related to fraud risks, other significant risks, and risks for which substantive procedures alone are not sufficient. For example, if you identify a risk related to fraudulent cash disbursements, make sure your narrative describing the processing of cash disbursements addresses the controls that are in place to prevent or detect fraudulent disbursements. The narrative should enable you to conclude whether controls over the transaction class are properly designed and implemented to achieve the significant control objectives. The narrative is intended to assist in assessing the magnitude of identified risks and deciding whether to respond to them with substantive procedures alone or a combination of substantive procedures and tests of controls.
31
Performing Walkthroughs
Select one or a few transactions Trace from initial creation of the source document to final posting in the general ledger Inspect documents and records used in processing, make inquiries, and observe procedures being performed Key Points: A common method of obtaining an understanding of the processing of transactions for a significant transaction class is to trace a transaction through the various processing steps from initiation to inclusion in the general ledger. This is commonly referred to as a “walkthrough.” Walkthroughs may be used to confirm information obtained by inquiry or from prior years' audits. Walkthroughs are also commonly used in gaining an understanding of control activities. Walkthroughs of transactions usually involve document inspection, inquiry, and observation. The auditor judgmentally selects one or a few transactions from each of the major classes of transactions and walks those transactions and related controls through the system from cradle to grave, that is, from initial creation of a source document to final posting in the general ledger and inclusion in the financial statements. The auditor inspects the documents and accounting records used in processing, talks to the personnel involved, and observes the handling of records and related assets. In performing a walkthrough, the auditor should follow the same transaction through all of the processing steps in the system. A walkthrough may not be effective if a different transaction is used to test each control or processing step separately rather than walking a single transaction through the entire process or if the auditor does not use the same documents and IT that client personnel use. Even though AU-C 315 allows the auditor to rely on audit evidence obtained in prior periods, the auditor is still required to perform audit procedures to determine the continued relevance of that evidence. In many cases, the auditor can establish the continued relevance of information about internal control through the performance of a walkthrough. Indeed, a walkthrough may be helpful in determining whether and how internal control design and implementation have changed since the prior period. Thus, walkthroughs are ordinarily performed in each audit period for significant transaction classes.
32
Tests of Controls Perform tests of controls if:
Relying on them to reduce the risk assessment Substantive tests alone are not adequate Inquiry alone is not sufficient for testing controls Key Points: Unlike the evaluation of control design and implementation (which is required in every audit), tests of controls, which are categorized as further audit procedures, are not required in every audit. Tests of controls are performed when the auditor plans to rely on their operating effectiveness when designing substantive procedures. Tests of controls are also performed when substantive procedures alone are not effective, such as when an entity’s accounting data and corroborating evidence are available only in electronic form that is not retrievable after a period of time. Also, some auditors believe that in small business audits, the risk of theft of cash is such that it is usually necessary to test controls over cash receipts and disbursements. When controls are tested, controls would not generally be tested for every significant class of transactions, account balance, disclosure, or relevant assertion, but only for those with respect to which you plan to limit substantive procedures in reliance on the related controls. In some circumstances, testing controls would be unnecessary or inefficient. Only effectively designed controls should be tested for operating effectiveness. There is no benefit to testing the operating effectiveness of a control that is inappropriately designed to prevent, or detect and correct, a material misstatement in a relevant assertion or that has not been properly implemented. Since inquiry alone is not sufficient, you need to use a combination of procedures, such as: Inquiries of appropriate personnel Observation of the control being performed Inspection of documents, reports, or electronic files Walkthroughs Reperformance of the control Review of reconciliations/bookkeeping routines
33
Tests of Controls Rotational tests of controls are permitted:
Obtain evidence about whether the controls have changed using inquiry, observation, and inspection If controls have changed, rotation is not appropriate Test a control at least once every three years If several controls are rotationally tested, test some controls each year If relying on controls for significant risks, controls must be tested in the current year Key Point: Au-C 330 allows the use audit evidence about the operating effectiveness of controls obtained in prior audits subject to the conditions listed on this slide. If these conditions are met, the audit practice of rotating tests of controls over a three year cycle might be used.
34
Retrospective Review of Accounting Estimates
Performed to evaluate: Effectiveness of management’s estimation process Information relevant to current year estimates The need for disclosure The existence of possible management bias Key Points: AU-C 540 requires a retrospective review during risk assessment of the outcome of accounting estimates that were included in the prior period's financial statements. Generally, the outcome of an accounting estimate will differ from the amount that was recognized in the prior period. By identifying and understanding the reasons for differences, the auditor may obtain information about the effectiveness of management's prior period estimation process, audit evidence that is pertinent to re-estimation of estimates in the current period, or evidence of matters requiring disclosure in the financial statements such as estimation uncertainty. The retrospective review includes reviewing information available in the current year and comparing that information to significant estimates recorded in the prior year. AU-C also requires a retrospective review of significant prior-year accounting estimates. The intent of the review is to determine, with the benefit of hindsight, whether the underlying assumptions in the prior year might indicate possible bias on the part of management. The review may provide additional information about whether the current year's estimates could be biased. Significant estimates selected for retrospective testing should include those that are highly subjective or may change significantly based on the underlying assumptions and judgments. If possible bias on the part of management in making accounting estimates is identified, the auditor considers whether the bias indicates a risk of material misstatement due to fraud, that is, intentional manipulation of the financial statements, and develops an appropriate response. The retrospective review for risk assessment purposes may be performed concurrently with the review for possible management bias. Using the PPC approach, the retrospective review is performed by completing a step on AP-1, 'Audit Program for General Planning Procedures."
35
Assessing Risks and Developing Responses
Develop the detailed audit plan Assess risks at the relevant assertion level Develop the overall audit strategy Assess risks at the financial statement level Key Point: The next few slides address Step 3 of the PPC Audit Approach: Assess Risks and Develop Responses, which consists of assessing risks at the financial statement level, developing the overall audit strategy, assessing risks at the relevant assertion level, and developing the detailed audit plan. For More Information: Assessing risks and developing responses is discussed in Chapter 3.
36
Assess Risks at the Financial Statement Level
Identify risks that are pervasive to the financial statements and potentially affect many assertions Assess the risk of material misstatement at the financial statement level Develop overall responses Document the risk assessment and the responses Key Points: AU-C states that the auditor’s objective is to identify and assess the risks of material misstatement, whether due to error or fraud, at the financial statement and relevant assertion levels. These risks are identified and assessed by obtaining an understanding of the entity and its environment, including its internal control, and this understanding provides a basis for designing and implementing responses to the assessed risks of material misstatement. Risks of material misstatement at the financial statement level often relate to the entity’s control environment and are not necessarily identifiable with specific relevant assertions at the class of transaction, account balance, or disclosure level. These overall risks are often especially relevant to the auditor’s consideration of the risks of material misstatement arising from fraud, for example, through management override of internal control. Overall responses to address risks of material misstatement at the financial statement level may include: Emphasis to the audit team to use professional skepticism. Assigning staff with higher experience levels or specialized skills. Increasing the level of supervision. Using a greater degree of unpredictability in selecting audit procedures. Changing the nature, timing, and extent of substantive procedures (for example, instead of interim testing shift testing to period end or modify the nature of the audit procedures to obtain more persuasive evidence). AU-C requires documentation of the assessment of risks of material misstatement at the financial statement level and the basis for the assessment, and AU-C requires the auditor to document the overall responses to address the assessed risks of material misstatement at the financial statement level.
37
Develop the Overall Audit Strategy
Characteristics of the engagement that define its scope Reporting objectives of the engagement Important factors that determine audit focus Resources needed to perform the audit Key Points: The overall audit strategy is the operational approach to achieving the objectives of the audit. It is a high level determination of the audit approach. It includes the identification of overall risks, the overall responses to those risks, and the general approach to each audit area as being substantive procedures or a combination of substantive procedures and tests of controls. AU-C provides that in establishing the overall audit strategy the auditor should: Determine the characteristics of the engagement that define its scope. Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of communications required. Consider the significant factors that will determine the focus of the audit team’s efforts. Consider the results of preliminary engagement activities. Consider, if applicable, the knowledge from other engagements performed for the entity. Determine the nature, timing, and extent of resources needed to perform the audit. The scope of the engagement may be defined by the following types of characteristics: The basis of reporting, for example, GAAP or an OCBOA. Industry-specific, statutory, or regulatory reporting requirements. The availability of the work of internal auditors and the auditor’s potential reliance on that work. Planned reliance on the work of other auditors. The entity’s use of service organizations. The number of entity locations and nature of procedures to be performed at each. Whether it is an initial versus a continuing engagement. Reporting objectives include: Deadlines for interim and final reporting. Key dates for expected communications with management and those charged with governance, for example, concerning internal control related matters. The expected nature and timing of communications among audit team members, including the nature and timing of review of work performed.
38
Factors That Determine Audit Focus
Materiality levels Overall risks and responses Preliminary identification of high risk audit areas Preliminary identification of material locations and accounts Whether you plan to test controls Composition and deployment of the audit team Key Points: The overall audit strategy includes and is significantly influenced by the auditor’s judgments about materiality and the risks of material misstatement at the financial statement level. Factors that determine the focus of the audit team’s efforts generally include: Materiality considerations, including planning materiality and materiality for auditors of other locations. Overall risks and responses at the financial statement level. Preliminary identification of areas where there may be higher risks of material misstatement, including those due to fraud. Preliminary identification of material locations and account balances. Plans to obtain audit evidence about the operating effectiveness of controls, i.e., whether the auditor plans to use substantive procedures alone or a combination of substantive procedures and tests of controls, and whether control tests will be performed in the current year or reliance placed on tests performed in a prior year. Composition of the audit team and assignment of work to audit team members. Professional standards do not necessarily require all of the matters that affect audit strategy to be documented in one place, such as in a separate audit strategy memo. However, AU-C requires that the auditor document the overall audit strategy, the audit plan, and any significant changes made to them during the audit and the reasons. One efficient approach to documenting the audit strategy in the audit of a small, noncomplex, nonpublic company is to prepare a brief memo that outlines key components of the audit strategy as the basis for planning the current engagement. Subsequent changes in the strategy, if any, can be documented on the original memo, which satisfies the requirement to document changes in the audit strategy. Establishing the overall audit strategy for an entity need not be complex or time consuming. Many of the matters that relate to the overall audit strategy are document in the normal course of completing the audit planning program and related practice aids.
39
Assess Risks at the Relevant Assertion Level
Identify risks of material misstatement (due to error or fraud) for specific— Account balances Transaction classes Disclosures Consider what can go wrong at the relevant assertion level Key Points: In addition to being required to assess the risk of material misstatement at the financial statement level, the auditor is also required to assess the risk of material misstatement of the financial statements whether due to error or fraud at the assertion level for specific account balances, transaction classes, and disclosures. For the purpose of assessing the risks of material misstatement at the relevant assertion level, AU-C indicates that the auditor should do the following: Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks. Relate the identified risks to what can go wrong at the relevant assertion level. The auditor uses information gathered to identify risks that may result in material misstatement of the financial statements. The auditor's identification of risks is a matter of professional judgment. It is more than reviewing a checklist of risk factors or red flags. It encompasses all of the auditor's knowledge of the client, including knowledge obtained about the entity and its environment, its management, the industry in which it operates, its internal control, and risk factors. Risks are articulated in terms of what can go wrong in the financial statements at the assertion level. This is done, in part, because the presence of risks may only become evident when information from different sources is combined. That is, when analyzed in combination or as a whole, seemingly unrelated information might indicate a potential risk. In addition, it is difficult to link risks with responses unless the risks are stated in terms of their potential effects on the financial statements.
40
Assess Risks at the Relevant Assertion Level
Account Balances, Transaction Classes, Disclosures Existence or Occurrence Completeness Rights or Obligations Valuation or Allocation Accuracy or Classification Cutoff Key Points: AU-C 315.A115 states that the auditor may use the relevant assertions as they are described in the auditing standards or may express them differently provided aspects described therein have been covered. For example, the auditor may choose to combine the assertions about transactions and events with the assertions about account balances. The following combined categories of assertions are used to facilitate the assessment of risks at the assertion level: Existence or Occurrence Completeness Rights or Obligations Valuation or Allocation Accuracy or Classification Cutoff These categories cover all of the assertions for transactions and events and account balances provided in the auditing standards, as well as those aspects of presentation and disclosure that are considered in the audit programs for individual audit areas. PPC uses the following audit objective in the general audit program to encompass the remaining assertions about presentation and disclosure that are generally considered in the process of preparing the financial statements: “Financial statements are presented in accordance with GAAP. Required disclosures are complete, clearly expressed and understandable, and contain financial and other information that is fairly disclosed at appropriate amounts.”
41
Assess Risks at the Relevant Assertion Level
Assessing risks at the assertion level Are the risks of a magnitude that could result in material misstatement? What is the likelihood that the risks could result in material misstatement? Likelihood is a function of: Inherent risk Control risk Need a basis for the assessment Key Points: After identifying risks and relating them to what can go wrong in the financial statements at the relevant assertion level, the auditor should: Consider whether the risks are of a magnitude that could result in a material misstatement of the financial statements. Consider the likelihood that the risks could result in a material misstatement of the financial statements. Inherent risk is the susceptibility of a relevant assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming that there are no related controls. Control risk is the risk that a misstatement that could occur in a relevant assertion and that could be material, either individually or when aggregated with other misstatements, will be not prevented or detected on a timely basis by the entity’s internal control. The risk assessment procedures performed to obtain an understanding of the entity and its environment, including internal control, provide a basis for making the risk assessment.
42
Assess Risks at the Relevant Assertion Level
Identify significant risks that require special audit consideration Fraud risks Other significant risks Significant risks often relate to: Significant economic, accounting, or other developments Complex, non-routine, or judgmental matters Transactions with related parties Key Points: AU-C states that the auditor should determine which of the risks identified by risk assessment procedures are risks that require special audit consideration, that is, significant risks. One or more significant risks normally arise on most audits. Furthermore, significant risks are likely to exist even when there are no new or unusual circumstances at the client. The determination of significant risks should be based primarily on the consideration of inherent risk, that is, it should be before consideration of the effect of identified controls related to the risk. A significant risk is generally one where the inherent risk is higher than the usual 'high' and therefore it requires special audit consideration. The auditor should determine whether the risk is such that it requires special audit consideration by focusing on the following: The nature of the risk. The magnitude of the potential misstatement, including the possibility of multiple misstatements. The likelihood of the risk occurring. Each of these aspects of the auditor's consideration need attention in determining whether special audit consideration is required, but the nature of the risk is particularly important. The nature of the risk should be evaluated by considering the following: Is the risk a risk of fraud or theft? Is the risk related to recent significant economic, accounting, or other developments? Are the transactions complex? Does the risk involve significant transactions with related parties? Is there a relatively large degree of subjectivity in the measurement of the financial information related to the risk? Does the risk involve significant nonroutine transactions outside the normal course of business or that otherwise appear unusual? An affirmative answer to any of these questions is likely to indicate the need for a specific audit response and, thus, a determination that the risk is a significant risk because it requires special audit consideration. Fraud risks are always considered to be significant risks.
43
Assess Risks at the Relevant Assertion Level
Identify risks for which substantive procedures alone are not adequate Revise the risk assessment and reconsider planned audit procedures if audit evidence contradicts the original risk assessment Key Points: When substantive procedures alone are not adequate, you will need to evaluate the design and implementation of controls and perform tests of controls, and also document the risks and related controls. An audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the client’s financial statements, and thus, risks should be evaluated continuously throughout the audit.
44
Assess Risks at the Relevant Assertion Level
Document the following: Risk assessment at the relevant assertion level Basis for the assessment Significant risks Risks for which substantive procedures alone are not adequate Key Points: Identify any general risk assessment factors Determine the audit areas that are significant. Describe the specific risks of material misstatement that affect the account balance, transaction class, or disclosure; identify the financial statement assertion affected; and consider the significance of the risks. Determine the documentation approach to be used when assessing the risk of material misstatement (that is, by audit area or by assertion). Make a qualitative assessment of inherent risk as high, moderate, or low. Make a qualitative evaluation of control risk as high, moderate, or low. Make a qualitative assessment of the remaining or combined risk of material misstatement as high, moderate, or low based on the prior evaluations of inherent risk and control risk. Determine the response to the risk assessment by selecting an audit approach that includes sufficient further audit procedures to adequately respond to the risk assessment. Provide any relevant comments on audit approach, including any modifications of audit procedures made in response to fraud risks or other significant risks.
45
The Detailed Audit Plan
The nature, timing, and extent of further audit procedures to respond to the risk assessment (i.e., the audit program) Provides linkage between the risk assessment and the responses at the assertion level Key Points: The objective of the risk assessment at the relevant assertion level is the development of a detailed audit plan (including the nature, timing, and extent of planned further audit procedures) that adequately responds to the identified risks. The detailed audit plan is also referred to as the audit program. The individual audit programs in the PPC approach list each audit procedure and the related assertions. The assessment of the risk of material misstatement by assertion assists the auditor when deciding on an appropriate audit response by providing linkage between the risks and related audit program procedures. Linkage means developing procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level.
46
Tailoring the Audit Programs
No audit program Used for insignificant audit areas with low RMM Low RMM Primarily substantive analytics Some tests of details (required by SASs) Low to Moderate RMM Tests of details and extended analytics For audit areas or assertions with higher risk Moderate to High RMM Key Points: The programs for individual audit areas include the following sections: Programs for Low RMM, which include primarily substantive analytical procedures and certain tests of details, most of which are required by the SASs (such as confirmation of receivables, inventory observation, and tests to address the risk of improper revenue recognition). Programs for Low to Moderate RMM (Procedures for Additional Assurance), which include procedures from which the auditor can choose one or more steps as necessary to supplement the basic procedures in response to the auditor's risk assessment at the relevant assertion level. Programs for High RMM, which include procedures that may be warranted due to the specific circumstances of the engagement. (Other audit procedures are considered Extended Procedures when completing the “Risk Assessment Summary Form.”) The purpose of the risk assessment is to determine the nature, timing, and extent of further audit procedures to be performed. PPC refers to the overall decision of which further audit procedures to perform as the selection of an “audit approach.” The approach may consist of one of the following: Low Risk: Perform only limited procedures and do not develop a separate audit program Moderate Risk: Perform basic procedures from the audit program High Risk: Perform basic procedures plus certain extended procedures from the audit program When no separate specific audit program is needed for an audit area because the procedures for preliminary analytics, other risk assessment procedures, and final analytics are sufficient, that approach is referred to as the Limited approach. The Limited approach is generally appropriate only for audit areas that are not significant and have a low combined risk of material misstatement. Auditors decide whether to apply a Basic or Basic + Extended approach based on the risk assessment at the relevant assertion level. Usually, a low or moderate risk of material misstatement in a significant audit area means that a Basic approach may be appropriate for those assertions. If risk is higher, a Basic + Extended approach may be chosen. The decision about whether to use a Basic + Extended approach considers the following factors: Whether the audit area is significant. Whether the audit area contains any specifically identified risks. Whether an identified risk is considered to be a fraud risk or other significant risk. The assessed level of the risk of material misstatement. The extended procedures section of the audit programs provides a source list of possible audit procedures. The auditor selects procedures from the list that are needed to supplement the basic procedures to adequately respond to the risk assessment. The particular tests selected, whether they are basic or extended, should be tailored to the nature, cause, and direction of potential misstatements at the relevant assertion level. It may also be appropriate to alter the extent or timing of the procedures to adequately respond to the risk assessment. When a Basic + Extended approach is used, extended procedures will normally be performed only for those assertions that are of concern to the auditor based on the risk assessment. Presentation Tip: Review a PPC audit program with the participants and point out the sections of basic, extended, and other procedures. Also point out how the assertions for each procedure provide linkage to the risk assessment.
47
Performing Further Audit Procedures
Tests of Controls Substantive Procedures Tests of Details Substantive Analytical Procedures Key Points: Further audit procedures include tests of controls and substantive procedures. Substantive procedures include tests of details and substantive analytical procedures. .
48
Substantive Procedures
Test all relevant assertions for material account balances, transaction classes, and disclosures Perform procedures specifically to address significant risks Substantive analytical procedures alone are not sufficient for significant risks Key Points: AU-C requires performance of substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure because: The assessment of risk is judgmental and might not be sufficiently precise to identify all risks of material misstatement. There are inherent limitations to internal control, including management override, and even effective internal controls generally reduce, but do not eliminate, the risk of material misstatement. In other words, even if you conclude that the risk of material misstatement is low for a particular assertion related to a material account balance, transaction class, or disclosure, based on performing risk assessment procedures and tests of controls, some substantive procedures are still required. Audit procedures in audit programs are linked to assertions to provide assurance that all relevant assertions have been tested. Significant risks are risks that require special audit attention in the form of substantive procedures. When the audit approach to significant risks consists only of substantive procedures (that is, you do not plan to rely on controls), the substantive procedures should be tests of details only or a combination of tests of details and substantive analytical procedures. The use of only substantive analytical procedures is not permitted.
49
Substantive Procedures
Perform the following substantive procedures in all audits: Agree the financial statements and notes to the accounting records Examine material journal entries and other adjustments made when preparing the financial statements Procedures required by AU-C 240 to address the risk of management override of controls Key Points: Because of the judgmental nature of the auditor's risk assessments and the inherent limitations of internal control, particularly the risk of management override, the auditing standards prescribe certain substantive procedures that should be performed in every audit. AU-C requires that the auditor perform the following substantive procedures in every audit: Agreeing the financial statements, including the accompanying notes, to the underlying accounting records. Examining material journal entries and other adjustments made during the course of preparing the financial statements. AC-C also requires certain substantive procedures in all audits to address the risk of management override of controls. These required procedures are as follows: Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. Reviewing accounting estimates for bias that could result in material misstatement due to fraud. Evaluating the business rationale for significant unusual transactions. Both AU-C and AC-C require examining journal entries and other adjustments, but the requirement of AC-C is focused on identifying fraudulent journal entries. Thus, the nature, timing, and extent of procedures required by AU-C 240 are different from those required by AU-C 330. AU-C 330 focuses on journal entries made during the course of preparing the financial statements and AU-C 240 requires the auditor to consider reviewing journal entries made throughout the year. Auditors should ensure that their audit procedures satisfy both requirements.
50
IMPACT OF THE CLARITY STANDARDS (AU-C-300)
Engagement partner has to be involved in the planning of the audit and must include key members of the audit team. The auditor has to plan the nature, timing and extent of the supervision of the team and the review of its work. Planning the supervision and review wasn’t explicit before. Auditor has to document the audit strategy and the reasons for changes in the audit strategy or audit plan.
51
IMPACT OF THE CLARITY STANDARDS
Auditor was expected to consider all other non-audit services. Now it requires considering ONLY the engagement partner’s prior engagements for the entity. AU AU-C-300 replaces SAS 108 (AU 311) – Planning and Supervision *The auditor’s objective is to plan the audit so that it will be performed effectively – which should also ensure that the engagement is efficient. Requirements: * Planning the engagement SHOULD involve the engagement partner and ALSO requires that other key members of the engagement team be involved in the planning (doesn’t specify what constitutes a key member). *301.6 – Planning is done throughout the engagement but certain preliminary activities HAVE TO occur at the beginning of the engagement BEFORE significant activities for the current audit are performed including: Continuance procedures Evaluation of compliance with ethics. Establishing the terms of the engagement. *301.8 Implies that some matters need to be considered before the auditor identifies and assesses risk including: Analytical procedures to be applied as risk assessment procedures. Entities legal and regulatory framework and how the entity complies with it. Determination of materiality. Involvement of specialists Application of other risk assessment procedures. *301.9 – The auditor has to establish an overall audit strategy, which is the foundation for the scope, timing and direction of the audit and guides the development of the audit plan (program). To establish the strategy, the auditor: Identifies the engagement characteristics that define its scope. Determines the engagements reporting objectives Considers matters that are significant to directing the audit team Considers the results of the preliminary audit activity. Consider the results of other engagements the engagement partner performed for the entity and Determines the resources necessary for the engagement. * – It is often necessary to update or change the audit plan or even the audit strategy during the engagement. * – The auditor should also plan the expected nature, timing and extent of the direction and supervision of subordinates. Seek individuals for specialization needs and determine Communicate the objectives of the specialist’s work. Evaluate whether the audit procedures specified will meet the auditors objectives. Evaluate the results of the specialist’s audit procedures for their effect on the scope of planned procedures. * – The auditor should document: The overall audit strategy – key decisions necessary to plan the audit and communicate significant issues to the engagement team – can be a brief memo. The audit plan – program details planned risk assessment procedures and further audit procedures at the assertion level. Significant changes made during the engagement to the strategy or audit plan and the reasons for the change.
52
IMPACT OF THE CLARITY STANDARDS
In addition to the features that didn’t change, the auditor is now required to specifically consider whether the control environment promotes a culture of honesty. AU-C Auditor has to specifically consider whether the lack of a risk assessment process is a material weakness or significant deficiency. This was implicit in SAS No. 115, but is explicit here. AU-C The auditor has to specifically consider the internal audit function, if there is one, in assessing risk. AU-C Standard is relatively unchanged except that it has been restructured and some paragraphs have been moved. **The auditor’s goal is to support an assessment of risk that informs the audit plan, but the risk assessment procedures can be performed concurrently with further audit procedures to simultaneously provide support for the risk assessment and obtain evidence about transactions, balances or control effectiveness (AU-C-315.A2). Required Risk Assessment Procedures are: Inquiries of management and others in the entity. Analytical procedures Observation and inspection Consideration of relevant information from the acceptance and continuance process Consideration of relevant information obtained from other engagements the engagement partner performed for the entity. Should consider the results of the assessment of fraud risk. In assessing risk, the auditor may use information obtained in previous audits or other engagements done for the entity. Auditor should then determine whether any changes occurred. Engagement team should discuss the FS susceptibility to material misstatement. Discussion should include the partner and key members of the team. The standard doesn’t define the key members. The engagement partner should decide which matters should be communicated to those team members not participating. Understanding the entity includes: External matters – industry factors, regulatory issues, relevant laws, regulations and enforcement. Entities operations and the structure of its ownership, governance, investments, and financing. Selection of applicable accounting policies and reasons for any changes to them. Evaluate the appropriateness of the policies and their consistency. Entity’s objectives and strategies and the business risks it faces. The auditor is not responsible for considering all business risks encountered by the entity – only those that might result in a material misstatement. Measurement and review of the entity’s business performance – key measures of the entity or outsiders used to assess the company’s success or those used to motivate or compensate employees. Internal control – Auditor must gain an understanding of the design and whether they are implemented. The internal control model used is based on the COSO framework. The five components include: Control environment (to evaluate whether the entity has created and maintained a culture of honesty and ethical behavior and the strengths of the control environment collectively provide an appropriate foundation for the other components of internal control of whether, conversely, they undermine them). Risk assessment procedures (managements risks relevant to FS preparation and presentation.) The auditor should understand the entity’s process for identifying business risks relevant to the financial reporting objective. estimating the risk’s significance. assessing the likelihood of occurrence deciding on actions to address those risk. Information and communication (procedures and records to: initiate, authorize, record and process and report transactions. resolve incorrect processing transfer information to the general ledger capture other information relevant to financial reporting ensure information required to be disclosed is accumulated, reported and summarized. Auditor should understand the information system related to financial reporting including significant classes of transactions used IT and manual procedures used Related manual or electronic accounting records supporting the information How the system captures the information Financial reporting process Controls around journal entries Communication The roles and responsibilities related to financial reporting – does personnel comprehend how their activities relate to those of others and how are exceptions reported. How does the entity communicate roles and responsibilities and significant matters between management and those charged with governance external communications. Monitoring – management monitors the effectiveness of its controls. Use of internal audit function. Control Activities: The functions – such as authorization, performance reviews, information processing, physical controls and segregation of duties that ensure managements directives are carried out. Process of reconciling detailed records to the GL for material account balances How the entity responds to IT risks Control activates related to significant risks. Assessing Risks – misstatements at FS level and relevant assertion level. At FS Level – Those that relate pervasively to the financial statements and potentially affect many assertions. - Relate to the auditor’s approach to the engagement as a whole. - EX: deficient control environment or external risk factors may require overall audit response or if the entities FS can even be audited. At assertion level – Assertions are the representations that underlie the amounts in the FS. Those about classes of transactions - occurrence, completeness, accuracy, cutoff, classification. Those about account balances at period end – existence, rights and obligations, completeness, valuation and allocation. Those about presentation and disclosure – occurrence and rights and obligations, completeness, classification and understandability, accuracy and valuation. Auditor should focus on relevant assertions! Required to: Identify risks throughout the process of obtaining an understanding. Assess the identified risks and evaluate whether they relate to financial statements overall or individual assertions. Relate the risks to what could go wrong Consider the likelihood and potential magnitude of misstatements. SIGNIFICANT RISKS – risks of material misstatement that the auditor believes requires special consideration. – Should be considered without regard to whether internal controls would mitigate the risk. When determining the significance of risk – consider: Fraud risks Special attention because it is related to recent significant economic, accounting or other developments Significant transactions with relate parties. Measurement involves a high degree of subjectivity or wide range of measurement uncertainty. Involves significant transactions outside the normal course of business or is otherwise unusual. Then consider whether the controls used are suitably designed and implemented to mitigate the risks. Continuous process. Documentation required – Discussion among the engagement team including significant decisions reached, how and when the discussion occurred, who participated. Key elements including – sources of information for the understanding and the risk assessment procedures applied. Risks of material misstatement identified and assessed at the financial statement level relevant assertion level Risks identified and related controls regarding significant risks and situations in which controls have been tested because sufficient evidence cannot be obtained through substantive procedures alone. Nature and extent of documentation is a matter of auditor judgement. Small entity – documentation might be efficiently combined. Risk assessment procedures in the overall audit strategy.
53
IMPACT OF THE CLARITY STANDARDS
Auditor was expected to consider all other non-audit services. Now it requires considering ONLY the engagement partner’s prior engagements for the entity. AU Audit team discussion was to include critical issues and need for skepticism. Skepticism still applies but does not required to be explicitly discussed. AU Auditor had to consider the reliability and precision of information used in performance measures. AU Auditor was required to understand reconciliation procedures for significant accounts – now only for material accounts. AU
54
IMPACT OF THE CLARITY STANDARDS
The auditor should revise FS materiality during the audit in light of information that would have suggested a different amount if the auditor had the information when originally calculating materiality. Implied before but explicit now. AU-C The auditor has to document separate materiality levels for transaction classes, account balances, or disclosures when he or she determines that otherwise immaterial misstatements in them would affect the decision of users. AU-C Materiality in planning is used for determining the risk assessment procedures. identifying and assessing the risks of material misstatements determine the scope of further audit procedures. Quantitative terms – A quantitatively small misstatement can be material because of qualitative concerns, but that determination is made only after misstatements are discovered. Qualitative materiality is considered in evaluation NOT planning. Requirements: Determine materiality for FS taken as a whole. If a misstatement is too small to be material to the FS would affect a users decision because of its effect on one or more classes or transactions, account balances or disclosures, the auditor should determine a lower materiality amount to be applied. After determining materiality at FS level – determine performance materiality- materiality less than FS materiality (relates to account balances, transactions or disclosures). Previously called tolerable misstatement. Materiality should be revised if circumstances change. Two factors that affect the calculation of materiality in governmental agency audits that do not typically affect other audits: Determination of materiality may be influenced by law or regulation. rather than the governmental financial statements taken as a whole, materiality is established for opinion units. Documentation: materiality for the financial statements taken as a whole. lower materiality levels for particular classes of transactions, account balances, or disclosures when such lower amounts would be material to users. performance materiality revisions to materiality levels. The amount below which misstatements will be deemed trivial.
55
IMPACT OF THE CLARITY STANDARDS
The auditor should obtain more persuasive evidence the higher the risk assessment. AU-C When tests of controls reveal deviations, the auditor should make specific inquiries to understand the consequences of deviations and determine whether there is a basis for reliance, whether additional tests are necessary, and whether the risk of material misstatement needs to be addressed through substantive procedures. AU-C Accounts receivable should be confirmed. This was only presumption under SAS 67. AU-C Materiality in planning is used for determining the risk assessment procedures. identifying and assessing the risks of material misstatements determine the scope of further audit procedures. Quantitative terms – A quantitatively small misstatement can be material because of qualitative concerns, but that determination is made only after misstatements are discovered. Qualitative materiality is considered in evaluation NOT planning. Requirements: Determine materiality for FS taken as a whole. If a misstatement is too small to be material to the FS would affect a users decision because of its effect on one or more classes or transactions, account balances or disclosures, the auditor should determine a lower materiality amount to be applied. After determining materiality at FS level – determine performance materiality- materiality less than FS materiality (relates to account balances, transactions or disclosures). Previously called tolerable misstatement. Materiality should be revised if circumstances change. Two factors that affect the calculation of materiality in governmental agency audits that do not typically affect other audits: Determination of materiality may be influenced by law or regulation. rather than the governmental financial statements taken as a whole, materiality is established for opinion units. Documentation: materiality for the financial statements taken as a whole. lower materiality levels for particular classes of transactions, account balances, or disclosures when such lower amounts would be material to users. performance materiality revisions to materiality levels. The amount below which misstatements will be deemed trivial.
56
IMPACT OF THE CLARITY STANDARDS
If unexpected misstatements are found at an interim date, the auditor should determine whether the plan should be modified. AU-C The method of item selection should be effective to meet the purpose of the procedure. AU-C AU-C-330 – Deals with the design and application of further audit procedures, that is, substantive procedures and tests of controls. This deals with designing the evidence-gathering procedures and evaluating the evidence they provide. Objective: Auditor’s objective is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatements through designing and implementing appropriate responses to those risks. Requirements: 1. Financial statement level response to risk – a. Auditor should design and implement overall responses to risks at the FS level. b. Responses tend to deal with strategic issues – those that affect the entire audit. c. Might require greater skepticism, assigning more experienced staff, providing closer supervision of staff, increasing the level of unpredictability or making other changes to reduce risk like timing of procedures. 2. Responses to Risk at the assertion Level – a. relevant assertion level. b. Designed to detect the types of misstatements the auditor has assessed as reasonable possible. c. Two approaches to applying further procedures substantive tests after tests of controls substantive tests with no tests of controls Scope of procedures is a mix of nature, timing and extent. The higher the assessment of risk, the more persuasive the audit evidence needs to be. AU C requires application of substantive procedures to the financial statement close process. Two such procedures include Agreeing or reconciling the financial statements with the underlying financial records and Examining material journal entries and other adjustments made in preparing the financial statements. Substantive procedures should be specifically responsive to significant risks. If the auditor doesn’t test controls relevant to a specific risk, the substantive procedures are required to include tests of details; they cannot consist solely of analytical procedures in that case. Documentation: 1. The overall responses to address the assessed risks of material misstatement at the financial statement level. 2. The nature, timing and extent of further audit procedures applied. 3. The linkage of the further audit procedures to the assessed risks at the relevant assertion level. 4. the results of the audit procedures including, when not otherwise clear, the conclusions reached. 5. The basis for any conclusions reached about relying on controls tested in a previous audit. 6. Any determination not to confirm accounts receivable when the account balance is material. 7. That the financial statements agree with or reconcile to the underlying financial records.
57
1. Can you use a standard audit program?
An auditor can use a standard program as the core of the procedures to be applied rather than starting with a blank piece of paper. But, the programs have to be tailored to address the risks specific to the engagement. On recurring engagements, it is reasonable to use the prior year’s audit programs as a starting point and revise them for new conditions or to introduce additional efficiencies or an element of unpredictability.
58
2. Who should attend a planning meeting?
The standards do not specify who should attend, but some auditors recommend that, when practical, all members of the team participate in the discussion. There are advantages to this Everyone, including the newest staff, can learn from the partner’s perspective. In many cases, the partner has the most perspective on the business. The manager and in-charge have knowledge that the partner may not have. Each team member who participated in the prior engagement has a different perspective to bring to the table. Even staff level people may know things, such as available reports or systems information, that more senior people may have forgotten or not be as familiar with. The standards DO state that the Partner and Key Members of the Audit Team should be involved in planning.
59
3. Are walkthroughs required on all controls? Every year?
AU-C says the auditor should evaluate the design of controls and determine whether they have been implemented. Implementation means that the control exists and the entity is using it. So, the auditor has to apply a procedure – a walk through – to make sure the controls that he or she understands to be in existence have been put into operation. However, AU-C315.A68 notes that assessing implementation of an ineffectively-designed control is of little use, so walkthroughs of those controls are unnecessary. Assessing effectiveness of the controls’ design before determining implementation can limit walkthroughs to only those controls that appear to be effective. On the other hand, if controls are deemed ineffective, the auditor has to consider the ramifications in assessing risk and has to consider whether the control weaknesses have to be reported to management and those charged with governance.
60
4. If the entire audit is conducted by the Engagement Partner, is documentation of the engagement team discussion necessary? AU-C230 A19 says that in such an audit, the documentation need not include items that serve solely to inform or instruct members of the engagement team or evidence review of the work. (This acknowledgement is new to SAS 122). Accordingly, the discussion does not have to be documented. But risks identified and the responses to them would still have to be documented.
61
5. Is the calculation of performance materiality the same as for tolerable misstatement?
There is no new requirement, merely a new term. The same factors for performance materiality are used for tolerable misstatement.
62
6. Did the clarification standards raise the bar on the need to confirm accounts receivable?
SAS 67 did not contain an explicit requirement to confirm accounts receivable. The standard stopped just short of a requirement; it said that unless any of three conditions are present, there is a presumption that receivables would be confirmed. The auditor could overcome this presumption, but had to document how the presumption was overcome. Under the clarified standard, it is a requirement, if the auditor does not comply, he or she has to document how, in the absence of obtaining accounts receivable confirmations, the intent of the requirement was achieved. So, while the standard technically raises the bar, it is unlikely to cause much change in practice.
63
Questions? Annette Eustice, Principal Cheboygan Office of Rehmann
(work) (mobile)
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.