WHAT YOU REALLY NEED TO KNOW

CHAPTER 7: ASSESSING RISKS AND INTERNAL CONTROL

Audit risk is related to information risk, and auditing is fundamentally a risk management process. Audit risk is the risk that audited financial statements that are materially misstated will go out to users. Assurance is the complement of audit risk. Auditors strive to lower audit risk by performing audit work that gives a high level of assurance that the statements are fairly presented.

Understanding the auditee’s business and performing preliminary analytical procedures help auditors to identify problem areas and make an overall business risk assessment. The organization’s management is responsible for addressing business risk by implementing effective internal control. Thus business risk and internal control are inseparable concepts that exist within an auditee organization. To develop the audit work programs, auditors need to assess risk specifically in audit-related terms: inherent risk, control risk, and detection risk.

Inherent risk is the probability that material misstatements have occurred in transactions within the accounting system used to develop financial statements, or that material misstatements have occurred in an account balance. Inherent risk is the risk of material misstatements occurring in the first place. It is a characteristic of the auditee’s business, the major types of transactions, and the effectiveness of its accountants, so understanding the auditee’s business risk is important for assessing inherent risks. Inherent risk can arise because the nature of the auditee’s business may produce complicated transactions and calculations and special accounting treatments. Some kinds of inventories, such as grain, may be harder to count and value. Revenue accounting can have high inherent risk. Management optimism and bias lead to overstatements in asset and revenue accounts.
Control frameworks define control broadly to include an organization’s resources, systems, processes, culture, structure, and tasks that work together to support the organization’s objectives. Thus, management control systems are much broader than “internal controls relevant to the audit,” but auditors are mainly concerned with accounting controls and systems.

Control risk is the probability that the auditee’s internal control policies and procedures will fail to detect or prevent material misstatements. Auditors do not create or affect the control risk. They evaluate the design of an organization’s control system. They also test whether the auditee’s system is working as designed. They then assess the probability of material misstatements. Preliminary control effectiveness conclusions and risk assessments are made for planning purposes. Control risk should not be assessed so low that auditors place complete reliance on controls and do not perform any other audit work. Many auditors conclude their control risk assessment decisions with descriptive assessments (e.g., high, moderate, low), and some auditors put probability numbers on them (e.g., 1.0, 0.50, 0.30).

Smieliauskas/Bewley, 5e What You Really Need to Know © The McGraw-Hill Companies, Inc., 2010 7-1 Assessing Risks and Internal Control

Inherent and control risks can be difficult to assess separately because some internal controls “work” only when errors, irregularities, and other misstatements occur, while others are preventive in nature and so tend to reduce inherent risk. An auditor may make separate or combined assessments of inherent and control risk. Combined, inherent risk and control risk are referred to as the risk of material misstatement.

Detection risk is the risk that any material misstatement that has not been prevented or corrected by the auditee’s internal control will not be detected by the auditor.
It is the auditor’s responsibility to reduce detection risk to an acceptably low level by performing evidence-gathering procedures known as substantive procedures. The two categories of substantive procedures are (1) tests of the details of transactions and balances and (2) analytical procedures applied to produce circumstantial evidence about dollar amounts in the accounts. Detection risk is the probability that these substantive procedures will fail to detect material misstatements that exist.

In an overall sense, audit risk is the probability that an auditor will fail to express a reservation that financial statements are materially misstated. Audit risk can at best be controlled at a low level but not eliminated, even when audits are well planned and carefully performed. The risk of audit failure is much greater in poorly planned and carelessly performed audits. Generally, as the risk of being sued for material misstatement increases, an auditor will decrease planned audit risk to compensate for the increased risk associated with the engagement.

The Audit Risk Model

Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR)

Audit risk is the probability that the audit fails to detect a material misstatement. This will occur when (1) there is a material misstatement to start with (inherent risk), (2) the internal controls fail to detect and correct the material misstatement (control risk), and (3) the audit procedures also fail to detect the material misstatement (detection risk). The audit fails only if all three events occur. The probability of audit success is one minus the probability that it fails; therefore, audit assurance equals 1 – audit risk. Reducing acceptable (or planned) audit risk, say from 5 percent to 1 percent, is equal to increasing acceptable (or planned) audit assurance, from 95 percent to 99 percent. Despite its simplicity, the risk model is only a conceptual tool.
For example, an auditor thought an inventory balance had a high inherent risk of material misstatement (say, IR = 0.90) and that the auditee’s internal control was not very effective (say, CR = 0.70). If the auditor wanted audit risk at a 5 percent level (AR = 0.05), planned audit procedures would need to achieve a detection risk (DR) that did not exceed 0.08 (approximately). The model can be used for planning the audit work by rearranging it to solve for DR.

AR = IR × CR × DR

DR = AR / (IR × CR) = 0.05 / (0.90 × 0.70) = 0.08

Materiality refers to the magnitude of a misstatement, while audit risk refers to the level of assurance that material misstatement does not exist in the financial statements. The materiality decision is based on how misstatements will affect financial statement users. An auditor decides on the materiality level independently of audit risk considerations. Both audit risk and materiality levels will be planned early in the engagement. The materiality and audit risk decisions’ main impact is on the extent of audit evidence that needs to be gathered.

Business risk is any event or action adversely affecting an organization’s ability to achieve its business objectives and execute its strategies. There are two parts of business risk analysis: strategic analysis and business process analysis. A risk-based audit approach places business risk assessment at the heart of the audit process. Auditors of companies need to understand the business risks that arise in an industry. The risk of material misstatement in a highly competitive technology business is mainly in the valuation of inventory, patents, and other technology-based intangible assets. Management tries to minimize business risks by designing well thought-out business processes.
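The planning rearrangement above, carried a step further as an added example (this is not code from the textbook): the helper solves AR = IR × CR × DR for whichever factor is left unknown, reports the combined risk of material misstatement (IR × CR) and the assurance level (1 − AR), and flags the case the chapter warns against, where the assessed IR × CR is already at or below the planned AR and the model would call for no substantive work at all. The names `AuditRiskPlan` and `solve_audit_risk_model` are this example's own.

```python
# Added example built on the audit risk model AR = IR x CR x DR.
# Not from the textbook; the function and class names are this example's own.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuditRiskPlan:
    ar: float                # audit risk
    ir: float                # inherent risk
    cr: float                # control risk
    dr: float                # detection risk the substantive procedures may carry
    rmm: float               # risk of material misstatement = IR x CR
    assurance: float         # 1 - AR
    complete_reliance: bool  # True when IR x CR <= AR, i.e. DR hit its cap of 1.0


def _check_probability(name: str, value: float) -> None:
    # Every factor in the model is a probability; zero is excluded so that the
    # divisions below are always defined.
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def solve_audit_risk_model(ar: Optional[float] = None,
                           ir: Optional[float] = None,
                           cr: Optional[float] = None,
                           dr: Optional[float] = None) -> AuditRiskPlan:
    """Solve AR = IR x CR x DR for exactly one unknown factor (passed as None).

    Solved factors are capped at 1.0: a capped result means the remaining
    factors already satisfy the planned AR, so the model alone would justify
    no further work. For DR that is the complete-reliance situation the text
    warns about, so it is reported through the complete_reliance flag.
    """
    factors = {"AR": ar, "IR": ir, "CR": cr, "DR": dr}
    unknown = [k for k, v in factors.items() if v is None]
    if len(unknown) != 1:
        raise ValueError(f"exactly one factor must be None, got {unknown or 'none'}")
    for name, value in factors.items():
        if value is not None:
            _check_probability(name, value)

    complete_reliance = False
    if unknown == ["AR"]:
        ar = ir * cr * dr
    elif unknown == ["DR"]:
        # The textbook's planning rearrangement: DR = AR / (IR x CR).
        raw = ar / (ir * cr)
        complete_reliance = raw >= 1.0
        dr = min(1.0, raw)
    elif unknown == ["IR"]:
        ir = min(1.0, ar / (cr * dr))
    else:  # CR
        cr = min(1.0, ar / (ir * dr))

    return AuditRiskPlan(ar=ar, ir=ir, cr=cr, dr=dr,
                         rmm=ir * cr, assurance=1.0 - ar,
                         complete_reliance=complete_reliance)


if __name__ == "__main__":
    # The chapter's own numbers: IR = 0.90, CR = 0.70, AR = 0.05 gives DR of about 0.08.
    plan = solve_audit_risk_model(ar=0.05, ir=0.90, cr=0.70)
    print(f"planned DR = {plan.dr:.3f}, RMM = {plan.rmm:.2f}, "
          f"assurance = {plan.assurance:.0%}, complete reliance = {plan.complete_reliance}")

    # A very low IR x CR (0.20 x 0.20 = 0.04, below AR = 0.05) drives DR to its cap.
    reliant = solve_audit_risk_model(ar=0.05, ir=0.20, cr=0.20)
    print(f"planned DR = {reliant.dr:.2f}, complete reliance = {reliant.complete_reliance}")
```

The cap on DR is the part worth noticing: the arithmetic alone would say that when assessed inherent and control risk are low enough, substantive procedures can be skipped. The chapter's guidance is that control risk should never be assessed that low, so a planner should treat `complete_reliance=True` as a sign the risk assessments need revisiting, not as a result to act on.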
Business processes are a structured set of activities designed to produce a specific output that matches business strategy. Just-in-time processes reduce the risk that inventory will become obsolete and therefore overstated on the financial statements.

An accounting process can be thought of as a cycle. Accounts go together in the accounting information system because they record transaction information from the same business activity and run through the same accounting process over and over, in a cycle. These transactions are recorded by the organization’s accountants using journal entries involving the same set of accounts. The cycle perspective looks at accounts grouped according to routine transactions. Auditors find it easier to audit the related accounts with a coordinated set of procedures instead of attacking each account alone.

The auditor knows that management has to consider risk as part of the operations of an organization. There are four ways of managing risk: avoid it, monitor it, reduce it, or transfer it. Risk is composed of two factors in this analysis: the likelihood that the risk will occur and the magnitude of the risk. Management controls minimize both the likelihood of a risk and the impact that the risk will have. Risks that management controls do not bring down into the low category are the areas where the controls fail to reduce the risk that the financial statements do not portray the actual business performance. These are the areas that need to be audited with the greatest care.

Business risk and internal control are so tightly linked that auditors need to consider them together. The auditor is primarily interested in the accounting controls. Management’s and directors’ attitudes, awareness, and actions concerning the company’s internal controls set the tone for the control environment. Management must act to remove or reduce incentives and temptations motivating people in the organization to act unethically.
The board of directors and audit committee monitor management and financial reporting. The audit committee, a subcommittee of the board’s members, helps the board by overseeing the financial reporting as well as the external and internal auditing functions. The audit committee’s prime role is to act as intermediary between management and the auditor in the external audit, helping make it function more independently.

Two categories of controls are preventive controls and detective/corrective controls. Generally, environmental controls can be characterized as preventive controls since they are there to prevent misstatements from arising in the first place. Preventive controls are more effective than controls designed to detect and correct misstatements after they have entered the system. Auditors tend to focus their preliminary evaluation on environmental controls for this reason and also because they have such a pervasive impact on the accounting cycles affected.

An information system is defined as a set of interrelated functions that collect, process, store, and distribute information in an organization. An information system has three main activities: input, processing, and output. The input is mainly data, the raw facts collected from the environment. Processing converts data into output in an understandable and useful form referred to as information. The information system is related to all of the key business processes. An auditor must understand how the information system relates to financial reporting. The auditor needs to understand how the auditee’s information system is used in its financial reporting process and identify the risk associated with IT use. The two broad groups of IT control activities are general controls and application controls.
The auditor gains knowledge of controls mainly by making enquiries of auditee personnel. This provides an understanding of the flow of transactions through the accounting information system and the elements of the control environment that affect it. The auditor gathers information about the following features: (a) the organizational structure, (b) the methods used by the auditee to communicate responsibility and authority, (c) the methods used by management to supervise the accounting information systems, including the existence of an internal audit function, and (d) the accounting information system. A questionnaire is sometimes used to guide the enquiries.