Assessing Risks and Internal Control Audit Risk Assessment Auditing is fundamentally a risk management process. CAS 200 • • Reasonable assurance is Obtained when auditor has This reduces • Audit risk is related to information risk • • Auditors strive to lower audit risk • Auditors need to assess risk in audit related terms 2 Definition of Audit Risk The probability that an auditor will fail to express a reservation that financial statements are materially misstated is audit risk. • • • Audit risk, at best, can be controlled Audit risk is greater if • Audit risk is inversely proportionate to Audit risk is dependent on user reliance. • Audit risk is also applied to 3 Auditors Assessment of Risk from Accepting the Engagement Audit Risk that Can Be Accepted Auditor Decision Extremely high Extremely low level, near zero It is probably impossible to achieve a near zero risk, so do not accept the engagement High Lowest Accept the engagement only if auditor can achieve a very low audit risk by performing extensive audit work Moderate Moderate Accept engagement, plan to achieve a moderate audit risk level, and perform a less extensive level of audit work Low High Accept engagement, plan to achieve a somewhat higher audit risk, and perform a relatively lower level of audit work 4 The Audit Risk Model AR = IR x CR x DR Audit risk will occur when: • a material misstatement has been made • and internal controls fail to • audit procedures also fail to • Auditors usually like to limit audit risk to less than 5 Inherent Risk The probability of material misstatement occurring in transactions entering the accounting system or being in the account balances is inherent risk. • Auditors do not create or control inherent risk. • • Who does? Auditors only try • The auditor will consider 6 Some inherent risk factors: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Non-routine accounts or transactions Complex transactions Accounts that require a lot of estimates The competency of the clients accounting staff Negative economic conditions Assets that can be easily lost or stolen Suspected or actual knowledge of a fraud The client has multiple locations Management lacks integrity Prior year problems. E.g. material misstatement 7 Control Risk The risk that the client’s internal control system will not prevent or detect a material misstatement is control risk. • Auditors do not create or control, control risk • The auditor’s assessment of internal control is 8 Control risk assessment provides only an indirect assessment of monetary misstatements in the financial statements. • Control testing is also called compliance testing • In this compliance testing the auditor wants to see if the controls are operational • • The auditor can thus assess control risk as a number or qualitatively If the controls are operational the auditor can rely on them • Control risk should not be assessed so low 9 Detection Risk The risk that any material misstatement that has not been corrected by the client’s internal control will not be detected by the auditor is detection risk. • Auditors can control this risk by • • Substantive procedures include audit of details of transactions and balances, and analytical procedures applied to dollar amounts in the accounts. As detection risk is decreased 10 • Assume that the auditor made the following risk assessments in examining inventories Desired audit risk Inherent risk Control risk • • • 5% 50% 50% • DR • The auditor may decide that the inherent risk cannot be quantified and use a conservative approach = AR / (IR x CR) = 0.05/(0.5 x 0.5) = 0.2 IR = The auditor may decide that the system of internal control will not be tested. CR = 11 Inherent Risk Control Risk Detection Risk HIGH •Small •Few .70 Audit risk .6 x .8 x.7 = .34 Samples substantive tests •Extensive reliance on IC HIGH .80 •System poorly designed •System poorly executed •Not tested (CR = 1.00) LOW .10 •Large samples •Many substantive .6 x .8 x .1 = .05 tests HIGH •Assets •New .60 reliance on IC susceptible to theft client •Integrity •Non •No HIGH doubtful •As .70 .6 x .2 x .7 = .08 .30 .6 x .2 x .3 = .04 above profitable and needs financing LOW .20 •System well designed and well executed •Audit tests show system effective LOW •As above 12 Inherent Risk Control Risk Detection Risk HIGH •Small •Few .70 Audit risk .4 x .8 x.7 = .22 Samples substantive tests •Extensive reliance on IC HIGH .80 •System poorly designed •System poorly executed •Not tested (CR= 1.00) LOW .30 •Large samples •Many substantive .4 x .8 x .3 = .10 tests LOW .40 •Assets not susceptible to •No theft •Old reliance on IC HIGH client •Integrity .4 x .2 x .7 = .06 .30 .4 x .2 x .3 = .02 above believed high •Profitable financed •As .70 and easily LOW .20 •System well designed and well executed •Audit tests show system effective LOW •As above 13 How Materiality and Audit Risk are Related Materiality refers to the magnitude of a misstatement; audit risk refers to the level of assurance that material misstatement does not exist. • The auditor will make these assessments independently. • Both deal with sufficiency of evidence and extent of audit evidence that will be collected. 14 Effects of IT and E-Commerce on Business Risk Analyzing the effects of IT and e-commerce is also an important component of business risk analysis. • More involvement in e-commerce and more complex information systems • The auditor needs to understand how e-commerce and IT integrate into the business processes. 15 Accounting Processes and the Financial Statements There are two important points to remember about client financial statements: • Management is responsible for preparing them • The financial statement numbers are produced by the company's accounting system and are summarized 16 Management’s Financial Statements To simplify the audit plan, auditors typically group the accounts into several accounting processes (1) revenues and collection (2) acquisition and expenditure (3) production and conversion (4) finance and investment The purpose of using business cycles is to group together related accounts by transactions that normally affect them. 17 Trial Balance Revenue Payments Production Financing X X X X X X X X X X X X X X X X X X Cash Accounts receivable Allowance for doubtful accounts Sales Sales returns Bad debt expense Inventory Capital assets Accum. Amortization Accounts payable Accrued expenses General expenses Cost of goods sold Amortization expense X Bank loans X Long term notes X Accrued interest X Share capital X Retained earnings X Dividends declared X Interest expense X Income tax expense Debit 484 400 Credit 30 8,500 400 50 1,940 4,000 1,800 600 10 1,955 5,265 300 750 400 40 2,000 900 40 196 15,030 15,030 18 Business Risk and the Risk of Material Misstatement Risks can be managed in any of four ways. Risk can be: 2. avoided reduced to acceptable levels 3. tolerated 4. transferred to another party 1. 19 Internal Control Components Internal control is defined as the process designed, implemented, and maintained by management to provide reasonable assurance about: • • • the reliability effectiveness and efficiency compliance with 20 Internal Control Components Internal control consists of the following: a. b. c. d. e. the control environment, the entity’s risk assessment process, the information system and business processes control activities, and the monitoring of controls. Control activities are controls over processes, applications, and transactions. 21 Control Environment Characterized by management attitudes, structure, effective communication of control objectives and supervision of personnel and activities. Elements of control environment: • • • operating style and organizational structure • operation of the board of directors management monitoring methods • computerized systems 22 Control Activities Controls are policies and procedures that ensure the achievement of the entity’s goals, including financial reporting goals. • Controls can be categorized as • • General controls relevant to the audit Application controls include checks on 23 Monitoring of Controls Management’s monitoring of controls includes considering whether they are operating as intended. • Monitoring may include • Controls are modified as required to accommodate changes in business conditions. 24 How Internal Control Relates to the Risk of Material Misstatement To assess the risk of material misstatement at the financial statement level, the auditor needs a detailed knowledge of internal control components relevant to financial reporting. 25 Problem 6-1, Page 237 Audit Risk Model Audit risks for particular accounts and disclosures can be conceptualized in this model: AR = IR x CR x DR Required: Use this model as a framework for considering the following situations and deciding whether the auditor’s conclusion is appropriate: a. Olsen, PA, has participated in the audit of Limberg Cheese Company for five years, first as an assistant accountant and the last two years as the senior accountant. He has never seen an accounting adjustment recommended. He believes the inherent risk must be zero. b. Jones, PA, has just (November 30) completed an exhaustive study and evaluation of the internal control system of Lang’s Derfer Foods, Inc. (fiscal year ending December 31). She believes the control risk must be zero because no material errors could possibly slip through the many error checking-procedures and review layers by Lang’s. c. Fields, PA, is lazy and does not like audit jobs in Toronto, anyway. On the audit of Hogtown Manufacturing Company, he decided to use detail procedures to audit the year-end balances very thoroughly to the extent that his risk of failing to detect material errors and irregularities should be 0.02 or less. He gave no thought to inherent risk and conducted only very limited review of Hogtown’s internal control system. d. Shad, PA, is nearing the end of a “dirty” audit of Allnight Protection Company, Allnight’s accounting personnel all resigned during the year are were replaced by inexperienced people. The controller resigned last month in disgust. The journals and ledgers were a mess because one computer specialist was hospitalized for three months during the year. Shad thought thankfully, “I’ve been able to do this audit in less time than last year when everything was operating smoothly.” 26 Problem 6-2, Page 237 Planning, Inherent and Control Risk, Manufacturing Business Darter Ltd. Is a medium-sized business involved in manufacturing and assembling consumer electronic products, such as DVD players, radios, and satellite receivers. It is privately owned. Its minority shareholders requested that the annual financial statements be audited for the first time this year. Your firm is engaged to do the current year’s audit. You are now reviewing Darter’s preliminary general ledger trial balance in order to begin preparing the planning memorandum. Consider the following accounts that appear in this trial balance. • Cash • Inventory, finished goods • Inventory, work-in-process • Inventory, unassembled components • Inventory, spare parts • Property, plant, and equipment • Deferred development costs • Goodwill • Accounts payable • Warranty provision • Bank loan, long term • Share capital, common shares • Retained earnings • Revenue • Cost of goods sold • General and administrative expenses 27