6 Risk assessment Flashcards
With what attitude must the auditor carry out the audit?
With an attitude of professional scepticism, exercise professional judgement and comply with ethical requirements.
Define Professional scepticism
Professional scepticism is an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.
Define Professional judgement
Professional judgement is the application of relevant training, knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.
Professional scepticism requires the auditor to be alert to:
• Audit evidence that contradicts other audit evidence obtained • Information that brings into question the reliability of documents and responses to enquiries to be used as audit evidence • Conditions that may indicate possible fraud • Circumstances that suggest the need for audit procedures in addition to those required by ISAs
Professional judgement is required in the following areas:
• Materiality and audit risk • Nature, timing and extent of audit procedures • Evaluation of whether sufficient appropriate audit evidence has been obtained • Evaluating management’s judgements in applying the applicable financial reporting framework • Drawing conclusions based on the audit evidence obtained
What approach to auditing do auditors follow under ISAs?
risk-based approach
An audit risk is likely to the ___
financial statements
Define Audit risk
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. It is a function of the risk of material misstatement (inherent risk and control risk) and the risk that the auditor will not detect such misstatement (detection risk).
Audit risk = __risk × __risk × __risk
Audit risk = Inherent risk × control risk × detection risk
Inherent risk
Inherent risk is the susceptibility of an assertion to a misstatement that could be material individually or when aggregated with other misstatements, assuming there were no related internal controls
Control risk
Control risk is the risk that a material misstatement, that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal control.
Detection risk
Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
One way to decrease detection risk is to increase sample sizes. T/F
True
Increasing sample sizes and carrying out more work is not the only way to manage detection risk. Why?
This is because detection risk is a function of the effectiveness of an audit procedure and of its application by the auditor
Although increasing sample sizes or doing more work can help to reduce detection risk, the following actions can also improve the effectiveness and application of procedures and therefore help to reduce detection risk:
• Adequate planning • Assignment of more experienced personnel to the engagement team • The application of professional scepticism • Increased supervision and review of the audit work performed
Define Materiality
Materiality for the financial statements as a whole and performance materiality must be calculated at the planning stages of all audits. The calculation or estimation of materiality should be based on experience and judgement. Materiality for the financial statements as a whole must be reviewed throughout the audit and revised if necessary.
ISA 320 does not define materiality (in relation to the financial statements as a whole) but notes that while it may be discussed in different terms by different financial reporting frameworks the following are generally the case:
(a) Misstatements are considered to be material if they, individually or in aggregate, could reasonably be expected to influence the economic decisions of users. (b) Judgements about materiality are made in the light of surrounding circumstances, and are affected by the size and nature of a misstatement or a combination of both. (c) Judgements about matters that are material to users of financial statements are based on a consideration of the common financial information needs of users as a group.
The materiality level will impact on the auditor’s decisions relating to:
• How many items to examine • Which items to examine • Whether to use sampling techniques • What level of misstatement is likely to result in a modified audit opinion
Conforming amendments to ISA 320 published in 2015 make it clear that auditors must consider the risks of material misstatement in qualitative disclosures. In doing so, the auditor should consider:
• The circumstances of the entity (eg any business acquisitions or disposals during the period) • The applicable financial reporting framework (eg new qualitative disclosures may be required by a new financial reporting standard) • Qualitative disclosures that are important to the users of the financial statements because of the nature of the entity (eg liquidity risk disclosures for a financial institution)
The following factors may affect the identification of an appropriate benchmark:
• Elements of the financial statements (eg assets, liabilities, equity, revenue, expenses) • Whether there are items on which users tend to focus • Nature of the entity, industry and economic environment • Entity’s ownership structure and financing • Relative volatility of the benchmark
Define performance materiality
Performance materiality is the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. Performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures.
As you can see, determining performance materiality is very much dependent on the auditor’s professional judgement. In summary, it is affected by:
• The nature and extent of misstatements identified in prior audits • The auditor’s understanding of the entity • Result of risk assessment procedures
Materiality has qualitative aspects. Give examples.
• Law, regulation or the applicable financial reporting framework affect users’ expectations regarding the measurement or disclosure of certain items (for example, related party transactions, and the remuneration of management and those charged with governance). • Some disclosures are key disclosures in relation to the industry in which the entity operates (for example, research and development costs for a pharmaceutical company). • Attention is sometimes focused on a particular aspect of the entity’s business that is separately disclosed in the financial statements (for example, a newly acquired business).
ISA 320 requires the following to be documented:
• Materiality for the financial statements as a whole • Materiality level or levels for particular classes of transactions, account balances or disclosures if applicable • Performance materiality • Any revision of the above as the audit progresses
Why do we need an understanding? What does ISA 315 say about this?
ISA 315 (Revised) Identifying and assessing the risks of material misstatement through understanding the entity and its environment states that the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement
OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT Why is this important?
– To identify and assess the risks of material misstatement in the financial statements – To enable the auditor to design and perform further audit procedures – To provide a frame of reference for exercising audit judgement, for example, when setting audit materiality
OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT What is important?
– Industry, regulatory and other external factors, including the applicable financial reporting framework – Nature of the entity, including operations, ownership and governance, investments, structure and financing – Entity’s selection and application of accounting policies – Objectives and strategies and related business risks that might cause material misstatement in the financial statements – Measurement and review of the entity’s financial performance – Internal control
OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT How do we go about obtaining this information?
– Enquiries of management, appropriate individuals within the internal audit function and others within the entity – Analytical procedures – Observation and inspection – Prior period knowledge
– Client acceptance or continuance process – Discussion by the audit team of the susceptibility of the financial statements to material misstatement – Information from other engagements undertaken for the entity
In addition to the sources shown in the diagram above, the auditor will refer to the following to help in obtaining an understanding of the entity and its environment.
• The permanent audit file where information of continuing importance to the audit is kept • Audit working papers from the previous year’s audit file • Information from the client’s website • Publications or websites related to the industry the client operates in
A combination of the following procedures should be used to obtain an understanding:
• Enquiries of management, internal auditors and others within the entity • Analytical procedures • Observation and inspection
What are analytical procedures?
Analytical procedures consist of evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass investigation of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.
Analytical procedures include:
(a) The consideration of comparisons with: • Similar information for prior periods • Anticipated results of the entity, from budgets or forecasts • Predictions prepared by the auditors • Industry information
(b) The consideration of the relationship between elements of financial information that are expected to conform to a predicted pattern based on the entity’s experience, such as the relationship of gross profit to sales. (c) The consideration of the relationship between financial information and relevant non-financial information, such as the relationship of payroll costs to number of employees.
The auditor also needs to have a good understanding of the business to assess the significance of e-commerce and its effect on audit risk. The auditor should consider the following
• The entity’s business activities and industry • The entity’s e-commerce strategy • The extent of e-commerce activities • Outsourcing arrangements Specific risks affecting entities that engage in e-commerce include: • Loss of transaction integrity • Security risks • Improper accounting policies (eg capitalisation of expenditure, translation of foreign currency, allowances for warranties and returns, revenue recognition) • Non-compliance with taxation and other laws and regulations • Failure to ensure that contracts are binding • Overreliance on e-commerce • Systems and infrastructure failures or crashes
Identifying and assessing the risks of material misstatement ISA 315 says that the auditor shall identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures. It requires the auditor to take the following steps:
• Identify risks throughout the process of obtaining an understanding of the entity and its environment • Assess the identified risks and evaluate whether they relate more pervasively to the financial statements as a whole • Relate the risks to what can go wrong at the assertion level • Consider the likelihood of the risks causing a material misstatement
When the auditor has obtained an understanding of the entity, (s)he shall assess the risks of material misstatement in the financial statements, also identifying significant risks. True/ False
True
Define significant risks
Significant risks are complex or unusual transactions that may indicate fraud, or other special risks.
As part of the risk assessment described above, the auditor shall determine whether any of the risks are significant risks. The following factors indicate that a risk might be significant.
• Risk of fraud (see Section 6) • Its relationship with recent economic, accounting or other developments • The degree of subjectivity in the financial information • It is an unusual transaction • It is a significant transaction with a related party • The complexity of the transaction
Routine, non-complex transactions are less likely to give rise to significant risk than unusual transactions or matters of management judgement. This is because unusual transactions are likely to have more:
• Management intervention • Complex accounting principles or calculations • Manual intervention • Opportunity for control procedures not to be followed When the auditor identifies a significant risk, if they have not done so already, they shall obtain an understanding of the entity’s controls relevant to that risk.
Overall responses include such issues as emphasising to the team the importance of professional scepticism, allocating more staff, using experts or providing more supervision. Overall responses to address the risks of material misstatement at the financial statement level will be changes to the general audit strategy or re-affirmations to staff of the general audit strategy. For example
• Emphasising to audit staff the need to maintain professional scepticism • Assigning additional or more experienced staff to the audit team • Providing more supervision on the audit • Incorporating more unpredictability into the audit procedures • Making general changes to the nature, timing or extent of audit procedures The evaluation of the control environment that will have taken place as part of the assessment of the client’s internal control systems will help the auditor determine what type of audit approach to take.
What are tests of control?
Tests of controls are audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
What are substantive procedures?
Substantive procedures are audit procedures designed to detect material misstatements at the assertion level. They consist of tests of details (of classes of transactions, account balances and disclosures) and substantive analytical procedures.
The auditor shall always carry out substantive procedures on material items. The ISA says that, irrespective of the assessed risk of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance and disclosure. In addition, the auditor shall carry out the following substantive procedures:
• Agreeing or reconciling the financial statements to the underlying accounting records • Examining material journal entries • Examining other adjustments made in preparing the financial statements
Analytical procedures as substantive procedures tend to be appropriate for large volumes of predictable transactions (for example, wages and salaries). Tests of detail may be appropriate to gain information about account balances; for example, inventory and trade receivables. True / false
True
Substantive procedures fall into two categories
analytical procedures and tests of details
Define analytical tests
Analytical procedures as substantive procedures tend to be appropriate for large volumes of predictable transactions (for example, wages and salaries).
Define tests of detail
Tests of detail may be appropriate to gain information about account balances; for example, inventory and trade receivables.
Give examples of audit risks.
Risk that inventory has a lower net realisable value than cost and is therefore overstated (eg NRV falls due to the client being in an industry where tastes/fashions change quickly).
Examine the instructions to identify slow moving inventory lines when attending the inventory count. Increase the emphasis on reviewing the year end aged inventory analysis for evidence of slow moving inventory. Ascertain sales values for items sold post year end that were in inventory at the year end to ensure their NRV was higher than the cost recorded as part of the inventory value in the financial statements
Give examples of audit risks.
Assets are desirable / more susceptible to theft leading to a risk that recorded assets do not exist (eg inventory/non-current assets).
Focus on testing internal controls over those assets (including physical controls to prevent theft). Increase sample sizes for inspecting recorded assets, ensuring any material assets are verified (in the context of performance materiality).
Give examples of audit risks:
Increased risk of revenue expenditure being incorrectly classified as capital (or vice versa), leading to misstatement of assets/expenses (eg extensive refurbishment of non-current assets where judgement is needed to establish whether the nature of the work is to enhance the asset or repair/replace it).
Obtain a breakdown of related costs and review accounting entries against invoices/details of work done to ensure expenditure is correctly treated as capital/revenue. Perform a detailed review of repairs accounts for any items which should be included in non-current assets. Review the asset register to ensure only capital items have been included.
Give examples of audit risks:
Increased risk of incomplete or unrecorded income due to fraud or theft (eg large amounts of cash collected and held prior to banking)
Perform analytical procedures focusing on comparing revenue with expected seasonal/monthly patterns. If a retail client, perform/reperform a reconciliation of a sample of till records to actual bankings.
Give examples of audit risks:
Invoices received (or payments made) in advance/arrears of goods or services delivery date leading to overstatement or understatement of costs and/or liabilities
Review post year end bank statements / cash book payments for evidence of amounts relating to the financial year but not included in liabilities. For a sample of documents pre and post year end indicating date of delivery of goods/services (eg GRNs), verify the cost and liability were recorded in the appropriate period
Give examples of audit risks:
There is an increased risk of irrecoverable debts (eg due to the nature of the client’s industry or customers), resulting in assets being potentially overstated.
Identify year end receivable balances still outstanding at the date of the audit by reviewing post year end receipts from customers. For amounts still outstanding establish whether these are provided for. Review aged receivables analysis and customer correspondence files for evidence of disputes with receivables and consider the adequacy of any related receivables allowance.
Give examples of audit risks:
Management has an incentive to manipulate performance, increasing the risk of profits being overstated (eg remuneration or bank funding is reliant on performance).
Focus on and increase testing on judgemental areas in the financial statements (eg provisions, revenue recognition accounting policies).
What is fraud?
Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Fraud may be perpetrated by an individual, or colluded in, with people internal or external to the business.
What are fraud risk factors?
Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.
Specifically, there are two types of fraud causing material misstatement in financial statements
• Fraudulent financial reporting • Misappropriation of assets
What is Fraudulent financial reporting?
Fraudulent financial reporting involves intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users.
What does fraudulent financial reporting include?
This may include: • Manipulation, falsification or alteration of accounting records / supporting documents • Misrepresentation (or omission) of events or transactions in the financial statements • Intentional misapplication of accounting principles
What is Misappropriation of assets?
Misappropriation of assets involves the theft of an entity’s assets and is often perpetrated by employees in relatively small and immaterial amounts. However, it can also involve management who are usually more capable of disguising or concealing misappropriations in ways that are difficult to detect.
Examples of misappropriation of assets include:
Employees may be involved in such fraud in small and immaterial amounts, but it can also be carried out on a larger scale by management who may then conceal the misappropriation, for example, by: • Embezzling receipts (for example, diverting them to private bank accounts) • Stealing physical assets or intellectual property (inventory, selling data) • Causing an entity to pay for goods not received (payments to fictitious vendors) • Using assets for personal use
The risk of not detecting a material misstatement from fraud is higher than from error because of the following reasons:
• Fraud may involve sophisticated schemes designed to conceal it. • Fraud may be perpetrated by individuals in collusion. • Management fraud is harder to detect because management is in a position to manipulate accounting records or override control procedures
ISA 315 requires a discussion among team members that places particular emphasis on how and where the financial statements may be susceptible to fraud. Risk assessment procedures to obtain information in identifying the risks of material misstatement due to fraud shall include the following:
• Enquiries of management regarding: – Management’s assessment of the risk that the financial statements may be misstated due to fraud – Management’s process for identifying and responding to the risk of fraud – Management’s communication to those charged with governance in respect of its process for identifying and responding to the risk of fraud – Management’s communication to employees regarding its views on business practices and ethical behaviour – Knowledge of any actual, suspected or alleged fraud
ISA 315 requires a discussion among team members that places particular emphasis on how and where the financial statements may be susceptible to fraud. Risk assessment procedures to obtain information in identifying the risks of material misstatement due to fraud shall include the following (part 2):
• Enquiries of internal audit for knowledge of any actual, suspected or alleged fraud, and its views on the risks of fraud • Obtaining an understanding of how those charged with governance oversee management’s processes for identifying and responding to the risk of fraud and the internal control established to mitigate these risks • Enquiries of those charged with governance for knowledge of any actual, suspected or alleged fraud • Evaluating whether any unusual relationships have been identified in performing analytical procedures that may indicate risk of material misstatement due to fraud • Considering whether any other information may indicate risk of material misstatement due to fraud • Evaluating whether any fraud risk factors are present
In accordance with ISA 330, the auditor shall determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. In this regard, the auditor shall:
• Assign and supervise staff responsible taking into account their knowledge, skill and ability • Evaluate whether the accounting policies may be indicative of fraudulent financial reporting • Incorporate unpredictability in the selection of the nature, timing and extent of audit procedures
As we mentioned above, management fraud is more difficult to detect than employee fraud because of management’s ability to override controls and therefore manipulate accounting records. ISA 240 states that irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design and perform audit procedures to:
• Test the appropriateness of journal entries and other adjustments • Review accounting estimates for bias • For significant transactions outside the normal course of business, evaluate whether they have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets
ISA 240 requires the auditor to obtain written representations from management and those charged with governance that:
(a) They acknowledge their responsibility for the design, implementation and maintenance of internal control to prevent and detect fraud. (b) They have disclosed to the auditor management’s assessment of the risk of fraud in the financial statements. (c) They have disclosed to the auditor their knowledge of fraud / suspected fraud involving management, employees with significant roles in internal control, and others where fraud could have a material effect on the financial statements. (d) They have disclosed to the auditor their knowledge of any allegations of fraud / suspected fraud communicated by employees, former employees, analysts, regulators or others.
Auditors are given guidance in ISA 250 Consideration of laws and regulations in an audit of financial statements. The objectives of the auditor are:
(a) To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements (b) To perform specified audit procedures to help identify non-compliance with other laws and regulations that may have a material effect on the financial statements (c) To respond appropriately to non-compliance / suspected non-compliance identified during the audit
ISA 250 distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations:
(a) Those that have a direct effect on the determination of material amounts and disclosures in the financial statements (b) Those that do not have a direct effect on the determination of material amounts and disclosures in the financial statements but where compliance may be fundamental to the operating aspects, ability to continue in business, or to avoid material penalties
In accordance with ISA 315, the auditor shall obtain a general understanding of:
• The applicable legal and regulatory framework • How the entity complies with that framework
The auditor shall remain alert throughout the audit to the possibility that other audit procedures may bring instances of non-compliance or suspected non-compliance to the auditor’s attention. These audit procedures could include:
• Reading minutes • Making enquiries of management and in-house/external legal advisers regarding litigation, claims and assessments • Performing substantive tests of details of classes of transactions, account balances or disclosures
The following factors may indicate non-compliance with laws and regulations:
• Investigations by regulatory authorities and government departments • Payment of fines or penalties • Payments for unspecified services or loans to consultants, related parties, employees or government employees • Sales commissions or agents’ fees that appear excessive • Purchasing at prices significantly above/below market price • Unusual payments in cash
The following factors may indicate non-compliance with laws and regulations Part 2:
• Unusual transactions with companies registered in tax havens • Payment for goods and services made to a country different to the one in which the goods and services originated • Payments without proper exchange control documentation • Existence of an information system that fails to provide an adequate audit trail or sufficient evidence • Unauthorised transactions or improperly recorded transactions • Adverse media comment
The following table summarises audit procedures to be performed when non-compliance is identified or suspected Non-compliance: audit procedures
Obtain understanding of nature of act and circumstances. Obtain further information to evaluate possible effect on financial statements. Discuss with management and those charged with governance. Consider need to obtain legal advice if sufficient information not provided and matter is material. Evaluate effect on auditor’s opinion if sufficient information not obtained. Evaluate implications on risk assessment and reliability of written representations
The auditor shall communicate with those charged with governance, but, if the auditor suspects that those charged with governance are involved, the auditor shall communicate with the next highest level of authority, e.g….
such as the audit committee or supervisory board. If this does not exist, the auditor shall consider the need to obtain legal advice.
Auditors must ensure they have documented the work done at the risk assessment stage, such as the discussion among the audit team of the susceptibility of the financial statements to material misstatements, significant risks, and overall responses. The following matters shall be documented during planning:
• The discussion among the audit team concerning the susceptibility of the financial statements to material misstatements, including any significant decisions reached • Key elements of the understanding gained of the entity regarding the elements of the entity and its internal control components specified in ISA 315, the sources of the information gained and the risk assessment procedures carried out
Auditors must ensure they have documented the work done at the risk assessment stage, such as the discussion among the audit team of the susceptibility of the financial statements to material misstatements, significant risks, and overall responses. The following matters shall be documented during planning: (part 2)
• The identified and assessed risks of material misstatement at the financial statement level and at the assertion level • Risks identified and related controls evaluated • The overall responses to address the risks of material misstatement at the financial statement level • Nature, extent and timing of further audit procedures linked to the assessed risks at the assertion level • Results of audit procedures • If the auditors have relied on evidence about the effectiveness of controls from previous audits, conclusions about how this is appropriate • Demonstration that the financial statements agree or reconcile with the underlying accounting records