An Overview of the Attestation Process and Alternative Risk Models Prof. Joshua Onome Imoniana of Accountancy ACCY405 October 6, 2014

Today’s Objectives Introduction to Module II Overall Theme: Rich client knowledge  Well informed expectations   High quality risk assessments  High quality audits. Discussion of risks and risk models

Announcements First Professional Lyceum Deloitte Senior Manager Co-Speaker: Douglas

What are We Doing in Module II All about delivering audit quality How do we plan audits to obtain reasonable assurance? The audit risk model Strategic systems auditing (SSA) method Application: Real company examples, mini cases

Goals of Attest Engagements Effectiveness Reasonable assurance that no material misstatements in assertions exist. Efficiency Low-cost route to “effectiveness”. Defensible Documentation Alerts supervisors to high-risk areas. Litigation protection: subpoena is possible. PCAOB AS. 3: “Not documented, not done”.

The Basics of Obtaining Reasonable Assurance Requires considerable unstructured & professional judgment with respect to: Risks Evidence Materiality All of these factors interact.

Judgment: What is Material? (PCAOB AS. 11) A material difference is a difference that could affect the decisions of the reasonable decision maker using the financial statement information. Material to whom? What about small misstatements? (PCAOB AS. 14)

What do Auditors do? Auditors give comfort to people who are vulnerable to erroneous, self-interested, and possibly fraudulent financial statements from corporate management. Auditing is a recursive process of evidence-driven, belief- based risk assessment. Think: Why Risk? WHAT IS AUDIT QUALITY?

Risk Assessment & What You Expect What You Observe Risk Assessments E Low Risk Assessment E O High Risk Assessment

HIPAA IX Summit - Security Workshop Risk Matrices Examples 3 X 3 Low 1 to 10 (55%) Medium >10 to 50 (33%) High >50 to 100 (11%) 5 X 5 Very Low 1 to 20 (40%) Low >20 to 40 (28%) Med >40 to 60 (16%) High >60 to 80 (12%) Very High >80 to 100 (4%) 4 X 4 Negligible 1 to 25 (50%) Low >25 to 50 (31%) Med >50 to 75 (13%) High >75 to 100 (6%)

HIPAA IX Summit - Security Workshop Risk Plotting Threat 3 5 2 1 4 5 X 5 Very Low 1 to 20 Low >20 to 40 Med >40 to 60 High >60 to 80 Very High >80 to 100 Vulnerability

Risk Concepts in Auditing Audit Risk (AR) The risk of issuing an incorrect audit opinion (i.e. unqualified/ clean) when the financial statements are materially misstated. Client Business Risk (CBR) The risk that the client will experience adverse outcomes as a result of economic conditions, events, circumstances, or management action/inaction. i.e. the risk that the client will remain viable. Auditor’s Business Risk (ABR) The risk that the audit firm will be exposed to loss from events arising in connection with the financial statements. e.g. litigation, penalties, reputational loss, lack of profitability.

Engagement Risk Model AR CBR ABR

The Audit Risk Model (PCAOB AS. 8) Risk of Material Misstatement (RMM) = IR x CR The risk that the F/S are materially misstated prior to audit. Outside of the control of the auditor. (1) Inherent Risk (IR) The risk that a material misstatement could occur, before the consideration of any internal controls. Example: What industries have low and high inherent risk? (2) Control Risk (CR) The risk that controls present will not prevent, or detect and correct, a material misstatement.

The Audit Risk Model (PCAOB AS. 8) Detection Risk (DR) The risk that the audit procedures performed by an auditor will fail to detect a material misstatement. Directly controllable by the auditor; the planned level of DR is inversely related to the planned level of evidence needed. Why might an auditor fail? Non-sampling risk: inappropriate audit procedures; appropriate procedures but fail to detect misstatements or misinterpret audit results. Sampling risk: auditor’s conclusion could change if audit procedures were applied to the entire population. The Audit Risk Model: Audit Risk = IR x CR x DR

Using the Audit Risk Model Set a planned level of audit risk such that an opinion can be issued on the financial statements.  Assess the risk of material misstatement (IR x CR).  Use the Audit Risk Model (and equation) to solve for the appropriate level of detection risk: CBR & ABR & materiality  AR AR = IR × CR × DR DR = AR IR × CR Auditors use this level of detection risk to design audit procedures that will reduce audit risk to an acceptably low level. 4-17

Changing Risk Conditions Group Activity Changing Risk Conditions

Today’s Objectives Introduction to Module II Overall Theme: Rich client knowledge  Well informed expectations   High quality risk assessments  High quality audits. Discussion of risks and risk models

For Next Class Strategic Systems Auditing (SSA): Audit Evidence & Analytical Procedures Relevant readings for next class: BPS: Chapter 1 MGP: Chapter 5 (including both Advanced Modules) Homework Assignment

Homework Assignment Read question Chapter 5 Be ready for Quiz in the next Class