Assessing Risks and Internal Control

Audit Risk Assessment Auditing is fundamentally a risk management process. CAS 200 Reasonable assurance is Obtained when auditor has This reduces Audit risk is related to information risk Auditors strive to lower audit risk Auditors need to assess risk in audit related terms

Definition of Audit Risk The probability that an auditor will fail to express a reservation that financial statements are materially misstated is audit risk. Audit risk, at best, can be controlled Audit risk is greater if Audit risk is inversely proportionate to Audit risk is dependent on user reliance. Audit risk is also applied to

Auditors Assessment of Risk from Accepting the Engagement Audit Risk that Can Be Accepted Auditor Decision Extremely high Extremely low level, near zero It is probably impossible to achieve a near zero risk, so do not accept the engagement High Lowest Accept the engagement only if auditor can achieve a very low audit risk by performing extensive audit work Moderate Accept engagement, plan to achieve a moderate audit risk level, and perform a less extensive level of audit work Low Accept engagement, plan to achieve a somewhat higher audit risk, and perform a relatively lower level of audit work

The Audit Risk Model AR = IR x CR x DR Audit risk will occur when: a material misstatement has been made and internal controls fail to audit procedures also fail to Auditors usually like to limit audit risk to less than

Inherent Risk The probability of material misstatement occurring in transactions entering the accounting system or being in the account balances is inherent risk. Auditors do not create or control inherent risk. Who does? Auditors only try The auditor will consider

Some inherent risk factors: Non-routine accounts or transactions Complex transactions Accounts that require a lot of estimates The competency of the clients accounting staff Negative economic conditions Assets that can be easily lost or stolen Suspected or actual knowledge of a fraud The client has multiple locations Management lacks integrity Prior year problems. E.g. material misstatement

Control Risk The risk that the client’s internal control system will not prevent or detect a material misstatement is control risk. Auditors do not create or control, control risk The auditor’s assessment of internal control is

Control risk assessment provides only an indirect assessment of monetary misstatements in the financial statements. Control testing is also called compliance testing In this compliance testing the auditor wants to see if the controls are operational The auditor can thus assess control risk as a number or qualitatively If the controls are operational the auditor can rely on them Control risk should not be assessed so low

Detection Risk The risk that any material misstatement that has not been corrected by the client’s internal control will not be detected by the auditor is detection risk. Auditors can control this risk by Substantive procedures include audit of details of transactions and balances, and analytical procedures applied to dollar amounts in the accounts. As detection risk is decreased

Assume that the auditor made the following risk assessments in examining inventories Desired audit risk 5% Inherent risk 50% Control risk 50% DR = AR / (IR x CR) = 0.05/(0.5 x 0.5) = 0.2 The auditor may decide that the inherent risk cannot be quantified and use a conservative approach IR = The auditor may decide that the system of internal control will not be tested. CR =

Inherent Risk Control Risk Detection Risk Audit risk HIGH .70 .6 x .8 x.7 = .34 Small Samples Few substantive tests Extensive reliance on IC HIGH .80 System poorly designed System poorly executed Not tested (CR = 1.00) LOW .10 .6 x .8 x .1 = .05 Large samples Many substantive tests HIGH .60 No reliance on IC Assets susceptible to theft New client .6 x .2 x .7 = .08 Integrity doubtful As above Non profitable and needs financing LOW .20 System well designed and well executed Audit tests show system LOW .30 .6 x .2 x .3 = .04 effective

Inherent Risk Control Risk Detection Risk Audit risk HIGH .70 .4 x .8 x.7 = .22 Small Samples Few substantive tests Extensive reliance on IC HIGH .80 System poorly designed System poorly executed Not tested (CR= 1.00) LOW .30 .4 x .8 x .3 = .10 Large samples Many substantive tests LOW .40 No reliance on IC Assets not susceptible to theft .4 x .2 x .7 = .06 Old client As above Integrity believed high Profitable and easily LOW .20 financed System well designed and well executed Audit tests show system .4 x .2 x .3 = .02 effective

How Materiality and Audit Risk are Related Materiality refers to the magnitude of a misstatement; audit risk refers to the level of assurance that material misstatement does not exist. The auditor will make these assessments independently. Both deal with sufficiency of evidence and extent of audit evidence that will be collected.

Effects of IT and E-Commerce on Business Risk Analyzing the effects of IT and e-commerce is also an important component of business risk analysis. More involvement in e-commerce and more complex information systems The auditor needs to understand how e-commerce and IT integrate into the business processes.

Accounting Processes and the Financial Statements There are two important points to remember about client financial statements: Management is responsible for preparing them The financial statement numbers are produced by the company's accounting system and are summarized

Management’s Financial Statements To simplify the audit plan, auditors typically group the accounts into several accounting processes (1) revenues and collection (2) acquisition and expenditure (3) production and conversion (4) finance and investment The purpose of using business cycles is to group together related accounts by transactions that normally affect them.

Trial Balance

Business Risk and the Risk of Material Misstatement Risks can be managed in any of four ways. Risk can be: avoided reduced to acceptable levels tolerated transferred to another party

Internal Control Components Internal control is defined as the process designed, implemented, and maintained by management to provide reasonable assurance about: the reliability effectiveness and efficiency compliance with

Internal Control Components Internal control consists of the following: the control environment, the entity’s risk assessment process, the information system and business processes control activities, and the monitoring of controls. Control activities are controls over processes, applications, and transactions.

Control Environment Characterized by management attitudes, structure, effective communication of control objectives and supervision of personnel and activities. Elements of control environment: operating style and organizational structure operation of the board of directors management monitoring methods computerized systems

Control Activities Controls are policies and procedures that ensure the achievement of the entity’s goals, including financial reporting goals. Controls can be categorized as General controls relevant to the audit Application controls include checks on

Monitoring of Controls Management’s monitoring of controls includes considering whether they are operating as intended. Monitoring may include Controls are modified as required to accommodate changes in business conditions.

How Internal Control Relates to the Risk of Material Misstatement To assess the risk of material misstatement at the financial statement level, the auditor needs a detailed knowledge of internal control components relevant to financial reporting.

Problem 6-1, Page 237 Audit Risk Model Audit risks for particular accounts and disclosures can be conceptualized in this model: AR = IR x CR x DR Required: Use this model as a framework for considering the following situations and deciding whether the auditor’s conclusion is appropriate: Olsen, PA, has participated in the audit of Limberg Cheese Company for five years, first as an assistant accountant and the last two years as the senior accountant. He has never seen an accounting adjustment recommended. He believes the inherent risk must be zero. Jones, PA, has just (November 30) completed an exhaustive study and evaluation of the internal control system of Lang’s Derfer Foods, Inc. (fiscal year ending December 31). She believes the control risk must be zero because no material errors could possibly slip through the many error checking-procedures and review layers by Lang’s. Fields, PA, is lazy and does not like audit jobs in Toronto, anyway. On the audit of Hogtown Manufacturing Company, he decided to use detail procedures to audit the year-end balances very thoroughly to the extent that his risk of failing to detect material errors and irregularities should be 0.02 or less. He gave no thought to inherent risk and conducted only very limited review of Hogtown’s internal control system. Shad, PA, is nearing the end of a “dirty” audit of Allnight Protection Company, Allnight’s accounting personnel all resigned during the year are were replaced by inexperienced people. The controller resigned last month in disgust. The journals and ledgers were a mess because one computer specialist was hospitalized for three months during the year. Shad thought thankfully, “I’ve been able to do this audit in less time than last year when everything was operating smoothly.”

Problem 6-2, Page 237 Planning, Inherent and Control Risk, Manufacturing Business Darter Ltd. Is a medium-sized business involved in manufacturing and assembling consumer electronic products, such as DVD players, radios, and satellite receivers. It is privately owned. Its minority shareholders requested that the annual financial statements be audited for the first time this year. Your firm is engaged to do the current year’s audit. You are now reviewing Darter’s preliminary general ledger trial balance in order to begin preparing the planning memorandum. Consider the following accounts that appear in this trial balance. Cash Inventory, finished goods Inventory, work-in-process Inventory, unassembled components Inventory, spare parts Property, plant, and equipment Deferred development costs Goodwill Accounts payable Warranty provision Bank loan, long term Share capital, common shares Retained earnings Revenue Cost of goods sold General and administrative expenses