Chapter 7 - Risk Assessment and Inherent Risk Flashcards
What is audit risk?
It is the risk that an inappropriate or erroneous conclusion is made even when audit plans and procedures are in accordance to GAAP, but it is materially misstated.
What do we do if it is impossible to eliminate audit risk?
If it is impossible to eliminate audit risk you will collect sufficient appropriate audit evidence to reduce it to an acceptable level. It will then allow the auditor to draw a reasonable conclusion
What is the relationship of audit risk to the auditor?
Audit risk is related to the process of auditing. It is not the auditors business risk, such as loss from litigation or adverse publicity, that can arise as a result of an audit.
What are the two components of audit risk?
Audit risk is comprised of inherent risk, control risk, and detection risk. It is the foundation for all audits.
What are the two levels that RMM exists at?
- The overall financial statement level
- The assertion level for classes of transactions, account balances, and disclosures.
What is the risk of material misstatement at the financial statement level? What causes it?
Risks that relate perversely to the financial statements as a whole and potentially affect many assertions. Business risk, fraud, or deficiencies in the control environment.
What is the risk of material misstatement at the assertion level? What are the two components of RMM at the assertion level?
Refers to the risks that affect classes of transactions, account balances, and disclosures. Inherent risk and control risk.
What is inherent risk?
The susceptibility of an assertion relating to a class of transaction, account balance, or the disclosure before considering the effectiveness of the clients internal controls.
What is control risk?
It is the risk that a clients internal controls systems will not prevent or detect material misstatement in a timely manner.
Who does control risk and inherent risk belong too?
Control risk and inherent risk belong to the client, they are independent of the audit of the financial statements. Auditors have no control over these risks.
What precedes RMM at the assertion level?
The nature, timing, and extent of further audit procedures - These are the procedures that go beyond the risk assessment procedures as a response to RMM
What is detection risk?
It is the risk that the auditors procedures will not be effective in detecting a material misstatement when one exists. It is the only component that auditors are able to control.
What is the audit risk model?
It is a conceptual tool, not a precise formula, which helps the auditor plan their risk response. It is comprised of the following
AR = RMM * Detection Risk
RMM = Inherent Risk * Control Risk
What is the relationship between RMM and Detection risk?
There is an inverse relationship.
As RMM goes up, detection risk will go down as we will perform more substantive procedure ensuring we do not miss anything. They do this to make audit risk low
Ad RMM goes down, detection risk goes up as we perform less substantive procedures and focus more on the internal controls.
What are the two most common formulas for the audit risk model? What is the relationship between control risk and sufficient appropriate audit evidence?
Remember we always want the Audit Risk to be low, therefore these are common:
- Audit Risk (L) = Control Risk (H) * Inherent Risk (H) * Detection Risk (L) - More sufficient appropriate audit evidence
- Audit Risk (L) = Control Risk (L) * Inherent Risk (L) * Detection Risk (H) - less sufficient appropriate audit evidence.
There is a direct relationship. As the control risk goes up, sufficient appropriate audit evidence goes down, and vice versa.
How do we manage detection risk?
Essentially if the detection risk is high that means that the auditor will be relying on the internal controls and therefore does not care about the substantive testing rigorous processes lowering sample size, quality, etc. If the detection risk is low, this means that the auditor will be relying heavily on the substantive test procedures and thus place more of an emphasis on it.
What are relevant assertions? When are these assertions determined?
Relevant assertions are assertions about a class of transactions, account balances, or disclosures that are relevant when it has an identified RMM. Before considering the internal controls.
What are three ways to manage detection risk?
- Change the nature of the audit procedures - Use high quality evidence
- Change the timing of the audit procedures - Perform the audit procedure at the end of the year rather than during an interim period.
- Change the extent of the audit procedures - Use a large sample size
What does the audit risk model focus on? What are two practical ways auditors manage detection risk?
The audit risk model focuses on the adjustment of the further audit procedures.
1. Assigning more experienced staff to that area
2. Reviewing the completed audit tests more thoroughly.
How do we determine the existence of RMM? What is it?
We assess the inherent risk factors. Inherent risk factors are events or conditions that affect RMM before the consideration of controls. It may be quantitative or qualitative.
What are the five inherent risk factors. Briefly describe each one
- Complexity - The complexity and confusing nature of the accounting records
- Bias - Management skewing the information for their own benefit or fraud, they fail to remain neutral.
- Subjectivity - A misunderstanding of different method to apply an accounting framework or policy, the ability to prepare in an objective manner.
- Change - There was a change in an accounting policy, model, or environment
- Uncertainty - Management makes estimates on the basis of imprecise non comprehensive data
Are these factors assessed independently?
No, these factors are not assessed independently rather they are assessed as a whole, in a holistic manner.
What is the purpose of evaluating the nature and significance of the risks?
- Determine the overall risk response at the financial statement level. 2
- Design the further audit procedures that address the risks at the assertion level.
What are overall financial statement level risks?
These are risks that pervasively affect the financial statements as a whole or many different assertions.
What is assessed after the overall financial statement level risk has been identified
- Determine whether the risks affect the assessment of risks at the assertion level.
- Evaluate the nature and extent of the pervasive effect on the financial statements.
What are examples of events and conditions that are pervasive risk?
- Poorly trained or inexperienced accounting staff
- Significant control deficiencies.
- A history of ongoing loss and liquidity problems
- Past misstatements a/history of errors/significant amount of adjustments.
- Fraud
- Management integrity
How do we develop an appropriate risk response at the assertion level?
We need to identify the significant class of transactions, account balances, and disclosures, with significance being related to materiality and risk factors
What happens once the risk has been identified?
Determine the relevant assertion and assess the inherent risk for the assertion that depends upon the degree of the likelihood and the magnitude of misstatement, on the spectrum of inherent risk.
What is significant risk?
It is the inherent risk factors, that when individual or aggregated, have increased the likelihood of misstatements occurring or the magnitude of the misstatement. Significant risks need special attention.
What are 5 examples of significant risks?
- Transactions where there are multiple acceptable accounting treatments
- Accounting estimates that have high estimation uncertainty or complex models.
- Account balances or quantitative disclosures that involve complex calculations
- Accounting principles that may be subject to different interpretations
- Changes in the entity’s business
What are two significant risks as defined by audit standards?
- Related party transactions outside the normal course of business
- Assume there is fraud in the revenue cycle.
What is a related party? What is an example of a related party
A party that has the ability to influence decisions either directly or indirectly. A parent company and its subsidiary
What is an economic dependence?
Is the potential for exercise of significant influence on an audit client by its most important supplier, customer, lender, or borrower.
What are non routine transactions? Why are these transactions more risky?
Transactions that are unusual due to the size, nature, or they are infrequent in nature. They are more risky because they are subjected to management interventions, manual data collection and processing, complex accounting principles or calculations not fixed by internal controls systems.
What are IFRS and ASPE requirements for non routine related party transactions on the side of those engaging in the transaction? What is a potential risk?
- Disclosure the nature of the relationship
- Description of the transaction with dollar amounts
- Amounts due from and to related parties.
- Since they are not arms length transaction parties there is a risk that they were not valued at the same amounts.
What are the two types of responses developed by the auditor?
- Overall risk response (audit strategy) addressing the pervasive risks at the financial statement level.
- A risk response on the assertion level, further audit procedures like substantive testing and test of controls.
What are examples of risk response at the overall financial statement level?
- Assign more experienced staff of those with special skills
- Instruct the engagement team to have heightened professional skepticism.
- Increase the involvement of the audit partner and management
- Closer supervision and review
- Incorporate elements of unpredictability in the selection of the further audit procedures
- Consider if changes need to be made to the overall audit strategy/
What are the risk responses at the assertion level?
- Test of controls
- Test of details / substantive audit procedures
Which is higher the fraud risk or the error risk? Why?
Fraud risk because it involves complex sophisticated schemes designed by perpetrators to conceal it who misrepresent information to the auditor, colluding and concealing it with other people involved.
What are 4 ways to highlight and assess the RMM due to fraud?
- Discuss with the audit team members the RMM due to fraud.
- Make inquiries to management, those in charge of governance, and others regarding processes
- Evaluate unusual and unexpected relationships identified when performing analytical review procedures.
- Evaluate the risk for revenue fraud and management override and period end.
At what level is the consideration of RMM for fraud made at?
It is made at the financial statement level and the assertion level for classes of transactions, account balances, presentations and disclosures.
What are the 4 components of discussions with the audit team according to CAS regarding fraud?
- How and where they believe the entity’s financial statements might be susceptible to material misstatements due to fraud. - Include know internal and external factors like opportunities, pressures, and environment
- How management could perpetrate and conceal financial reporting fraud
- How anyone might misappropriate assets of the entity
- How the auditor might respond to the susceptibility of material misstatements due to the fraud.
Describe inquiries with those in charge of management, governance, and others for fraud
Management - Inquiries about if they are aware of any fraud, process of assessing fraud and it frequency, nature of fraud risk, internal controls, and fraud risks reported to the committee.
Governance - Views on the risk for fraud and if they know knowledge or suspects of fraud
Others - Ask other people like inventory management
Describe the evaluation of unusual or unexpected relationships identified
As we know these analytical procedures must be done at the beginning and at completion. The auditor should evaluate results that significantly differ from the expectations
What is the fraud triangle?
Represents the three conditions for fraud: Incentives / pressure, opportunities, and attitudes/rationalizations
Describe the 3 parts of the fraud triangle
Incentives / pressures - Management or the employees have incentives or pressures to behave unethically
Opportunities - Opportunities arise for the management or employees to behave unethically.
Attitudes / Rationalizations - An attitude, character, or set of ethical values exist such that management or employees intentionally unethically. They are in an environment where they are encouraged to act unethically.
What are fraud risk factors?
Entity factors that increase the risk of fraud
What are the two parts of misappropriation of assets? What is it heavily focused on?
- Theft
- Corruption - Owner, executive, or employees abuses his or her power to subvert the decision making process for personal or company gain.
- Heavier emphasis on personal interest and theft
What are the three levels to respond to for fraud risks?
- Overall financial statement level
- Assertion level
- Management override level.
Describe overall response to fraud risk
Essentially in this section apply the 6 different types of possible responses to the overall risk response level. Ensure you use more skilled people, more skepticism, more managers and partners, closer supervision, adding elements of surprise to the nature, timing, and extent of the procedures, as well as considering changes to the overall audit strategy.
Describe overall response to the assertion level fraud risk
Essentially perform more substantive analytical procedures to the account that is subjected to fraud and the type of fraud risk identified. Essentially we perform the three aspect of modifying the nature, extent, and timing of the audit procedures.
What are the three fraud risk responses to management override and describe them
- Examine the journal entries and other adjustments for evidence of possible misstatements
- Review accounting estimates for biases - Look back at significant prior year estimates and assess any significant changes in the company’s processes or managements judgments
3.Evaluate the business rationale for significant unusual transactions -
What are the three types of automated tools and techniques that can be used to detect fraud? Briefly describe them
- They will typically use audit software or machine learning like MindBridge
- Audit Data Analytics - Excel and PowerBI to look for
fake revenue transactions by looking for duplicates of invoices or reconciling sales database with receivables database. ,
sort transactions or account balances into subcategories for further audit testing ,
or spreadsheet data visualization tools to perform analytical procedures at a disaggregated level
- AI understand complex relationships among a vast amount of data, including the entities transactions, third party data, and years of journal entries and records - Looks for issues, flags them, and people follow up, and cause codes
- Human intervention and professional judgement - ATT’s do not detect fraud with a click of a mouse but rather highlight anomalies. The auditor can then focus on those high risk anomalies, you look at documentation, people, and procedures. Only then can fraud truly be determined, and it needs human intervention to execute, assess, and examine.
