Chapter One - InnerPrize
Summary
This Chapter presents an overview of
InnerPrize – KAP CHARTERED ACCOUNTANTS Audit methodology.
Overview of InnerPrize
Chapter presents an overview of InnerPrize – KAP's audit methodology.
Although InnerPrize is the same regardless of the size or type of entity, the
procedures selected and the extent of work performed will vary considerably for
each audit. InnerPrize is KAP’s means of complying with firm policies and
professional standards, including the standards established by the International
Auditing and Assurance Standards Board (IAASB).
1.01 This
1.02 The
following flowchart depicts the principal components of InnerPrize methodology.
It is not intended to suggest that the audit is a linear process.
Identify Risks
Understand the
entity and its
environment
Evaluate Risks
Perform
inquiries
Respond to Risks
Perform
preliminary
analytics
Evaluate risk
indicators
Summarize
matters
impacting the
financial
statements
Additional risks identified during execution
Identify financial
statement risks
and relevant
assertions
Assess inherent
risk of relevant
assertions
Evaluate
type of risk
Not likely source of
Likely source of
material misstatement material misstatement
Significant (nonreoccurring, fraud)
Identify
controls that
respond to
the risks
Perform
walkthroughs
Perform
appropriate
substantive
procedures
1.03 As
Perform tests
of controls
the chart depicts, InnerPrize’s principal components consist of:
●
●
identifying financial statement risks
evaluating the likelihood that those risks could cause a material
misstatement
● responding to the identified risks
Identifying Financial Statement Risks
Understanding the Entity and its Environment
1.04 InnerPrize
requires an understanding of the entity and its environment, including its
internal control. This understanding helps the audit team:
●
●
●
identify where misstatements could occur in the financial statements
tailor audit procedures to achieve an effective audit
determine whether special skills are needed to achieve the audit
objectives
1.05 Obtaining
an understanding of the entity and its environment is a dynamic process
that occurs throughout the entire audit. This process enables the audit team to
understand how the entity fulfills its objectives and how the transactions are
captured and recorded in the financial statements. The audit team should be in a
position to know not only what risks the entity may face, but where those risks will
manifest themselves in the financial statements.
1.06 The
procedures performed by the audit team to obtain this understanding are called
the risk assessment procedures. While the risk assessment procedures are
performed primarily to obtain the understanding of the entity and its environment,
they may also provide evidence to support certain financial statement assertions.
Risk Assessment Procedures
1.07 The
audit process has three phases: planning, execution, and completion. While all
three phases are important to achieving a quality audit, the planning phase is
particularly important because that is where risks are identified and audit procedures
are designed to respond to identified risks. It is in the planning phase where the
understanding of the entity and the skills and experience of the audit team come
together to create a tailored audit program that addresses the risks of each
engagement.
1.08 InnerPrize,
●
●
●
●
●
●
●
●
●
performing risk assessment procedures means that the audit team:
captures information about the entity and its environment, including its
outsourced activities, IT profile, operating structure and nature of its
revenues
makes inquiries of management, internal auditors, and those charged with
governance
makes inquiries of others in the entity, as needed
determines materiality
performs preliminary analytical procedures
evaluates the inherent risk indicators
captures entity-level controls
identifies significant cycles
captures information about the accounting system
1.09 Risk
assessment procedures are concentrated at the beginning of the audit, but they
also could occur during the execution phase of the audit as the audit team reacts to
findings.
1.10 As
the risk assessment procedures are performed, the audit team acquires a great
deal of knowledge about the entity and its environment. This knowledge results in
the identification of conditions and events that may or may not affect the financial
statements. InnerPrize refers to these conditions and events as “matters.” Matters
are the bridge between the understanding obtained in performing the risk
assessment procedures and the risks that could cause the financial statements to be
materially misstated.
Financial Statement Risks
1.11 InnerPrize
is designed to detect material misstatements in the financial statements.
The risk of failing to detect a material misstatement is managed by the work
performed by the audit team. The nature, timing, and extent of this work are directly
proportional to the risks of material misstatements and where they are more likely to
occur. That is why the proper identification of risk is very important in the InnerPrize
methodology.
1.12 The
financial statement risks generally fall into four broad categories. These are:
●
●
●
●
accounting errors
financial reporting errors
fraud
going concern
1.13 Accounting
errors occur when people make mistakes or the system is poorly
designed. Financial reporting errors are mistakes or omissions in the financial
statements, including disclosures. Fraud includes both fraudulent financial reporting
and misappropriation of assets. Finally, there are risks associated with the entity’s
ability to continue as a going concern.
1.14 While
it is helpful to think of risks in such broad terms, it is difficult to focus audit
effort at this level. Accordingly, InnerPrize further classifies these broad risks into
specific risks at the financial statement assertion level. This allows InnerPrize to
suggest an appropriate response when a risk is identified by the audit team.
1.15 Audit
attention is focused on those financial statement risks that are more likely to
cause a material misstatement. InnerPrize identifies these risks as reasonably
possible risks or, expressed differently, risks that are more likely to be the
cause of a material misstatement. Some reasonably possible risks have an
elevated level of inherent risk and certain other characteristics including fraud,
adoption of a new accounting standard, complexity, and measurement
uncertainty, among others. These risks are identified as significant risks. Because
the risk assessment process is such an important aspect of InnerPrize’s risk
assessment procedure, the audit partner and manager are required to actively
participate in the process.
Matters
described above, InnerPrize audit methodology uses the term “matters” to
describe the conditions and events identified in performing the risk
assessment procedures that may be the source of a financial reporting risk
that may have an impact on the financial statements. Discuss matters with the
1.16 As
Managing Partner to give more insight into the industry and document as part of
worksheets.
1.17 Matters
are used to bridge the information gathered by the audit team in obtaining
an understanding of the entity and its environment to the financial statement
assertions and the risks that could cause material misstatements.
1.18 Matters
themselves are not the end objective. As previously stated, they are simply
the way InnerPrize connects the information learned about the entity and its
environment to financial statement risks. The ultimate objective is to identify the
financial statement risks that could cause the financial statements to be materially
misstated.
Cycles
1.19 Financial
statement elements are the individual transactions and balances that
collectively make up the financial statements. Sales and receivables are two
examples of financial statement elements. In understanding a business process,
financial statement elements are not independent items. There is a relationship
among various income and expense accounts and balance sheet accounts. An
example is sales, accounts receivable and cash receipts. Accounts receivable exist
because sales occur and are realized when converted to cash upon receipt of
consideration from a customer. These groupings of accounts are called cycles to
reflect normal business processes, double entry bookkeeping, and the functioning of
accounting and control systems.
1.20 InnerPrize
utilizes the cycle approach in designing an audit program. This permits
consideration of the interrelationships throughout the financial statements and
disclosures, such as between income and expense accounts and their
corresponding balance sheet accounts in designing an audit strategy.
1.21 InnerPrize
methodology only requires audit procedures to be performed on accounts
within significant cycles. A significant cycle is one that contains accounts or
disclosure amounts that are quantitatively or qualitatively material to the financial
statements. Quantitative materiality and tolerable error are judgments made by the
audit team. Accordingly, a cycle would be significant if any accounts or disclosures
within the cycle are greater than tolerable error. Qualitatively material accounts may
not be large, but they represent a risk due to other factors such as related party
implications, complexity or the relative importance of the account to users of the
financial statements or regulators.
1.22 This
is not to say that InnerPrize requires the same level of audit effort for every
account in a significant cycle. Designating a cycle as being significant is the starting
point and the audit team will later identify the financial statement risks within the
cycle and how to respond to them.
Financial Statement Assertions
1.23 Assertions
are representations by management that are embodied in the financial
statements. The assertions used in InnerPrize are:
●
●
●
●
●
●
existence or occurrence
completeness
cut-off
rights and obligations
valuation or allocation (gross and net)
presentation and disclosure
1.24 In
InnerPrize, specific financial statement risks are grouped within the relevant
assertion where they could manifest themselves. The audit team identifies the
pertinent risks and identifies where the misstatements could occur in the financial
statements by asking “what could go wrong?” Based on the likelihood that such risks
could cause a material misstatement, and the significance of those risks, the audit
team develops an appropriate response.
Evaluating the Likelihood that Risks Could Cause Material Misstatements
1.25 After
the audit team identifies the financial statement risks that could cause a
material misstatement, the audit team then evaluates which of the identified risks are
more likely to cause a material misstatement, including those that should be
considered significant. This may prove to be a challenging aspect of the risk
assessment process for the audit team. Because the impact of this evaluation on the
audit strategy is so significant, it is essential that the partner and manager be part of
this process.
1.26 InnerPrize
is designed to focus audit effort on assertions that pose the greatest
risk. This requires the audit team to first identify the specific risks within an assertion
that could cause a material misstatement. Next, because the same degree of risk of
material misstatement does not necessarily apply to all the identified risks within an
assertion, the audit team must make a judgment about the likelihood that each risk
could cause a material misstatement. Accordingly, InnerPrize categorizes risks as
those that are reasonably possible, including those that are significant risks,
and those that are not reasonably possible. InnerPrize also considers fraud risks.
When fraud risks are identified, they are always designated as reasonably possible
and significant risks.
risk is “reasonably possible” when the likelihood of a material misstatement
occurring is more than remote. When the audit team believes that a material
misstatement is not very likely in a particular account, then the associated risks are
remote (not reasonably possible).
1.27 A
1.28 Risk
of material misstatement is implicit in all financial statements and therefore
every audit will have risks that are reasonably possible. Designating a risk as
reasonably possible does not mean that the audit team expects to find material
errors or fraud. However, it does cause the documentation to reflect the possibility
that material errors or fraud could be present.
1.29 Some
reasonably possible risks are also significant risks. Significant risks
have a higher risk of material misstatement that require special audit
consideration beyond the ordinary or routine. Designating a risk as being a
significant risk is a judgment made by the audit team.
Responding to Identified Risks
Reasonably Possible Risks
1.30 As
previously mentioned, reasonably possible risks are those where the likelihood of
a material misstatement occurring is more than remote. To respond to a reasonably
possible risk, the audit team should first understand how the entity responds to the
risk.
1.31 An
entity responds to a risk by establishing internal controls. Internal controls are the
policies and procedures that the entity implements to produce accurate financial
statements and protect its assets. For risks assessed as being reasonably possible,
the audit team should obtain an understanding of these controls before an adequate
response can be designed. To understand internal control, the audit team:
●
●
●
captures the controls
evaluates their design
verifies they are implemented
1.32 When
controls are designed effectively and implemented, testing them to determine
whether they operate effectively will frequently be the most effective and efficient
response to a particular risk. This is because the audit team may rely on controls
that were tested effective to reduce the substantive procedures that would otherwise
be performed.
1.33 The
audit team should assess inherent risk for each assertion with reasonably
possible risks. Inherent risk is the susceptibility of an assertion to material
misstatement, assuming there are no related internal controls. This risk is
greater for some assertions and related classes of transactions, account balances or
disclosures than for others. For example, cash transactions are generally more
susceptible to theft than certain inventories. Complex calculations are more likely to
be materially misstated than simple calculations. Accounts consisting of amounts
derived from accounting estimates will have greater risk of misstatement than
accounts consisting of relatively routine, factual data.
1.34 Ordinarily,
audit teams will assess inherent risk as either medium or high since it is
not logical to assess inherent risk as low for an assertion that contains reasonably
possible risks. In rare cases where the audit team considers the proper assessment
of inherent risk for an assertion to be low, therefore requiring only a minimal
response to the risks within that assertion, it is likely that the associated risks were
incorrectly assessed as being reasonably possible.
1.35 The
last step in responding to reasonably possible risks is to determine the nature,
timing and extent of the substantive procedures to perform. The audit team makes
these judgments by using their understanding of the controls (including whether the
audit team performed tests of controls and whether the tested controls operate
effectively) and the inherent risk assessment of the relevant assertion. InnerPrize
uses that information (inherent risk and intended control reliance) to suggest an
audit program that the audit team tailors to appropriately respond to the risks.
Significant Risks
1.36 As
previously mentioned, significant risks are those reasonably possible risks that
have a higher risk of material misstatement and require special audit consideration.
Special audit consideration means:
●
Understanding internal controls related to the risk sufficient to design an
appropriate response, and
● Performing substantive procedures that are specifically responsive to the
risk.
1.37 In
some situations, it may be possible to respond to a significant risk by testing
controls and performing substantive procedures. However, many significant risks
may be associated with assertions, events and transactions that may involve nonroutine, non-systematic events for which controls may not be well established. When
the response to a significant risk consists only of substantive procedures, those
procedures should include tests of details.
Not Reasonably Possible Risks
1.38 As
mentioned previously, InnerPrize requires an audit response for all significant
cycles. The audit team may judge that a transaction cycle has no reasonably
possible risks even though it may contain material monetary amounts.
1.39 When
the risk of material misstatement is not reasonably possible, the audit team
may decide that substantive procedures alone will appropriately reduce the risk of a
material misstatement to an acceptably low level. Further, the substantive
procedures performed in response to not reasonably possible risks are ordinarily
less extensive than those procedures required for reasonably possible risks. For
example, the risk of material misstatement for the risk “capital asset activity not
valid” may be addressed by scanning the additions to identify large and unusual
additions to vouch whereas sampling might be appropriate if the risk were assessed
as reasonably possible.
Exhibit 1.1 - Financial Statement Assertions
E01
InnerPrize uses the following financial statement assertions:
Existence or Occurrence
E02
Assertions about existence or occurrence deal with whether assets or liabilities
exist at a given date (referred to as existence), and whether recorded transactions have
in fact occurred during a given period (referred to as occurrence). The audit of the
existence and occurrence assertions is essentially concerned with establishing that
balances within transaction cycles are not overstated.
Completeness
E03
Assertions about completeness deal with whether all balances and
transactions that should be presented in the financial statements are properly recorded.
The audit of the completeness assertion is essentially concerned with establishing that
balances within transaction cycles are not understated.
Cut-off
E04
Assertions about cut-off deal with whether all assets, liabilities, income and
expenses are reported in the appropriate period. Cut-off is a separate assertion
because the substantive procedures to verify it are typically different from those applied
to the other components of completeness.
Rights and Obligations
E05
Assertions about rights and obligations deal with whether the entity has rights
to assets (i.e., whether the entity has ownership and title to assets) and liabilities
represent all the entity’s obligations at a given date. These assertions relate to whether
the entity was, in actuality, party to a transaction, and whether the transaction was for
valid business purposes.
E06
Rights and obligations assertions may in many cases be inseparable from the
existence and completeness assertions, and do not normally require separate audit
attention. However, where an entity deals with assets, liabilities or transactions
pertaining to other parties, this may not be so.
Valuation
E07
Assertions about valuation deal with whether assets and liabilities are included
in the financial statements at appropriate amounts. InnerPrize subdivides the valuation
assertion for asset and liability accounts into “gross” and “net.” Valuation “gross” deals
with recording or allocating the proper amounts and valuation “net” deals with
recognizing appropriate impairment adjustments. Because the required responses to
financial statement risks associated with “gross” and “net” are typically different, the
valuation assertion in HorizInner Prize on is separated into two assertions: valuationgross and valuation-net.
Presentation and Disclosure
E08
Assertions about presentation and disclosure deal with whether particular
items in the financial statements are properly classified, described, and disclosed.
E09
Presentation and disclosure assertions are considered during the course of
the audit by procedures to determine that disclosures are complete and accurate. The
disclosures that are most susceptible to material misstatement are those that require
significant judgment and qualitative assessments. Audit teams assess the
completeness and accuracy of disclosures by determining that the disclosures provide
information in a manner that does not materially omit, distort or mislead the user.
E10
Many firms use a financial statement disclosure checklist, generally completed
near the conclusion of the audit, to assist in determining that disclosures are complete.