Management of Risks in Audit RISK ANALYSIS AND STATISTICAL SAMPLING IN AUDIT The Risk Model Theory and Assumptions Control Risk (CR) Risk that the internal control systems in an organization will not be able to detect an error or material misstatement Inherent Risk (IR) Susceptibility of a class of transactions to material misstatement or errors Risk of Occurrence of Error Detection Risk (DR) Risk that auditor’s substantive tests will not be able to detect a material misstatement in the audited transactions Overall Audit Risk (OAR) Assurance required from audit procedures the maximum risk the auditor is willing to accept OAR = CR x IR x DR OAR defined by the audit institution • A constant pre-determined quantity Objective of the auditor assess inherent and control risks in the entity design and perform compliance and substantive tests to provide sufficient assurance that the product of the risks identified ≤ overall audit risk solve the equation for DR assessing IR and CR Detection Risk (DR) DR is actually a combination of: Analytical procedures risk (AP): Risk that analytical procedures will fail to detect material errors Tests of detail risk (TD): Risk that detailed test procedures will fail to detect the material errors DR = AP X TD OAR = IR X CR X AP X TD Auditor exercises professional judgment in assessing IR, CR and AP and solves the equation for TD Confidence Level Detection Risk is closely related to the confidence that the auditor wishes to obtain from his substantive tests. Increased confidence => Low DR => more transactions and balances need to be tested substantively Confidence Level = 100%-Detection Risk Detection Risk Only risk that the auditor has under his control Must be kept low Materiality and Audit Risk-I Independent of OAR Related to VALUE, NATURE and CONTEXT of Error Materiality relates to the maximum possible misstatements/ error Risk -- concerned with the likelihood of error Materiality – concerned with extent to which we can tolerate error Materiality and Audit Risk -II Auditor to ensure: Maximum possible error at the desired assurance level < Materiality IR + CR => Expected error rate in the population Materiality => Tolerable error rate in the population Assessment of Risks-I Assessment of Inherent Risk Depends on nature, complexity and volume of transactions Inherent to these activities or sets of transactions Risk classified as high, moderate or low Possible to assign numerical values to the risk assessed Assessment of Risks-II Assessment of Control Risk: Assesses adequacy of policies, procedures and systems in the organization Whether controls are adequate to detect errors Expressed either in numerical (%) or qualitative (high, medium, low) terms Assessment of Detection Risk Assurance about transactions required from audit procedures Risk Assurance Guide Sample Size Detection Risk Assurance Guide Assurance from inherent risk evaluation High Assurance from internal control Assurance from substantive analytical review procedures High Med (Excellent system) Low Nil Med Med (Good system) Low Nil Low Med (Fair system) Low Nil Nil Med (Poor System/DST) Low Nil Required assurance from detailed substantive tests confidence level 60 70 75 65 75 80 75 80 85 92 94 95 Risk Assessment and Sampling Statistical Sampling The population is a homogeneous group There is no bias in the selection of sample items Attribute Sampling, Variable Sampling and MUS Attribute sampling Estimates proportion of items in a population having a certain attribute or characteristic. In audit, estimates the existence or otherwise of an error. Used to derive assurance about prescribed procedures/ controls. Estimates % of error (say, vouchers that have been misclassified) Attribute sampling • Set upper limit of acceptable error, being still assured that systems are in place • can only be used in assessment of control risk The attribute : whether a specific control has been applied or not applied Types of Audit sampling Variables sampling estimates a quantity e.g. amount of sundry debtors shown in the balance sheet the underassessment in a tax circle. Monetary Unit Sampling provides quantitative results and is suited to most audit situations More accurate in low level error situations with a relatively small population, where there are no negative or zero balances. ‘PPS’ or ‘Probability Proportional to Size’ the probability of selection becomes proportional to the size of a/c high value items tend to get more weight and therefore more probability of getting picked up in any random selection, since Sampling Methods Simple random sampling Systematic random sampling Stratified sampling CAATs: IDEA => identified audit tests can directly be applied on the sample elements. Audit Assumptions Audit works on the principle that higher the risk involved in the transactions, higher the need for more extensive checks. Audit through statistical sampling Assessment of Inherent Risk through auditor’s knowledge, judgment and application of specific auditing procedures like analytical reviews etc. Assessment of Control Risk through Compliance Testing, done through attribute sampling, analytical reviews etc. Design the Sampling Frame for Substantive Testing : determine sampling method, sample size. Evaluation of results of Substantive Tests and expression of audit opinion. Compliance Testing and Substantive Testing Compliance Testing: review and evaluate the effectiveness of internal control systems Substantive Testing: gather evidence on completeness, accuracy and validity of data. Sampling Risks of an Auditor Sampling Risk in Compliance Testing: risk of over-reliance / under-reliance on controls Sampling Risk in Substantive Testing: risk of incorrect acceptance / rejection Selection of appropriate sample size of utmost importance in minimising risk Designing a Sample Steps Define population and select an appropriate sampling method: attribute, variable, monetary unit etc. Determine sample size Identify sampling procedure, random, systematic, stratified etc. Perform substantive audit tests on the sample elements Estimate Population Value of Parameter Express audit opinion on the entire population Determinants of Sample Size 1. Expected Error Rate in Population Error Rate /Amount in the Population: mistakes in vouchers /wrong entries in cash books/stores ledger unauthorized payments cash books not daily checked /physical verifications not done Areas of application sanctions / propriety / regularity / financial audit auditor only wants to confirm if the balance is correctly stated or not without estimating the correct balance The greater the expected error rate, the larger the sample size for the auditor to conclude: actual error rate < tolerate error rate. 2. Tolerate Error Rate in Population Tolerate error rate / amount the maximum error rate the auditor is prepared to accept when deciding whether his initial evaluation of the control risk is valid maximum error rate the auditor is willing to accept and still conclude that the auditee is following the procedures properly tolerable error is limited by the level of materiality set by the auditor The lower the tolerable error, the larger would be the sample size 3. Precision Level Precision level: Difference between the sample estimate and the actual population value The auditor to decide the precision to provide in his estimates Tolerable Error = maximum error the auditor is willing to accept = Maximum (sample estimate + precision level). Confidence Level Confidence level =100%- DR (%) Confidence level: how certain the auditor is that the actual population measure is within the sample estimates and its associated precision level Occurrence rate Population proportion having the error that audit wishes to test Acceptable risk of Over-Reliance Risk of under-reliance does not affect the correctness of the auditor’s opinion it only results in increasing his workload Over Reliance may lead to wrong audit opinion When the degree of reliance in controls is high, acceptable risk of over reliance is low and vice versa May be quantified as 5%, 10%, 15% etc. Estimating Population Value If Computed tolerable error = Sample estimate + precision < tolerable error assurance can be placed by auditor on the system If Computed tolerable error > tolerable error, assurance derived from control has to be reduced assurance required from substantive tests has to be increased To identify areas of applicability A Few Suggested Areas Checking correct accountal of expenditure/ receipts; Checking calculations of payment or receipts; Checking propriety and regularity of expenditure; Checking interpretation or application of rules /contract clauses /provisions of tax acts; Checking achievement of objective of expenditure / exemption of receipts. Any other areas to be identified Where most / least effective Problems, Doubts and Decision Areas Audit is primarily a judgmental process Statistical sampling cannot be a substitute for Auditor’s judgment At best the two are complementary Nature of Population Distribution Is it necessary to estimate? Assumption of homogeneity-how true? Sampling distribution of mean normal for large sample What about smaller samples? For small samples- what distribution (t?). Testing for a single attribute (say classification mistake) - Binomial/ Poisson distribution? To evolve a framework for application I To integrate the risk model of audit with sampling theory To identify the population distribution and the corresponding sampling frame for auditing To suggest an appropriate sampling method for selection of sample elements identification of areas for application of attribute/ variable/ monetary unit sampling; To suggest an appropriate formula for determination of sample size To evolve a framework for application II To evolve an theoretical framework and practical method for projecting sample results into population and for estimating the population value To suggest ways to minimize audit risk, especially risks of over reliance and incorrect acceptance; To suggest a practical way to apply the theoretical frame in a simple manner OUR CONCERNS OBJECTIVITY RATIONALITY SIMPLICITY USER FRIENDLINESS PRACTICABILITY ADAPTABILITY LEGALITY ASSURANCE