
Risk-based approach to auditing
How do we actually deal with ISA 315 in practice?

By Henrik Nrgaard & Thomas Khn


Structure of the Global Audit Methodology

September 2013 Page 2


Phase 1 Planning and Risk Identification


Phase 1 Planning and Risk Identification
P01-P02

The first group of objectives represents the procedures needed to start the
audit process for a recurring or a new client, like understanding service
requirements, determining the project scope, forming the engagement team,
and completing preliminary engagement activities like considering the
results of our client acceptance/continuance process and evaluating
compliance with ethical requirements, including independence.

Phase 1 Planning and Risk Identification
P03-P06

The second group of objectives involves developing our audit strategy by
understanding the business of the client, determining the need for
specialized skills on the team, understanding the entity-level controls
and performing initial risk analysis.


P03 Understand the business


P03_1 Nature of the entity and its environment
  Industry, legal and regulatory and other external factors
  Nature of the entity
  Accounting policies
  Objectives and strategies
  Measurement and review of financial performance
P03_2 Related party relationships and transactions
P03_3 Status of management's going concern assessment
P03_4 Role of IT in the entity
P03_5 Obtain understanding by review, inquiry, analytical procedures,
observation and inspection
  Overall analytical procedures

[Diagram flow: Determine key influences on the entity; we identify risk
factors; we determine risks of material misstatement; we relate to financial
statements; we make S08: our combined risk assessments; we respond with
S11: design and implement substantive procedures. Step labels in the
diagram: P03_6 and P03_7: Risks; P03_8: Risks.]


P03 Understand the business
The four types of risk



P03 Understand the business
Determine significant risks



P04 Determine the need for specialized
skills on the team

Determine the need for specialized skills on the team (P04)


As we obtain our understanding of the entity and the environment in which it
operates, we:
Reassess the composition of the engagement team to confirm that the
engagement team has the appropriate balance of skills, experience and
competence
Determine whether any additional expertise is needed beyond that
possessed by the engagement team's current members

We achieve this by:
Determining whether we include EY professionals with specialized
knowledge of IT, tax or the industry in which the entity operates as part of
the engagement team to assist with the performance of the audit
Determining whether to use the work of an expert in a field other than
accounting or auditing as audit evidence. If so, we consider whether:
  The entity employs experts in this field, and whether we can use
  their work
  Management has engaged an expert to assist with a particular
  issue, and whether we can use the expert's work
  To involve an expert employed by EY
  To involve an expert who is external to EY
Determining whether legal counsel is regarded as management's expert.


P05 Understand entity-level controls

Understand entity-level controls (P05)


Our understanding of entity-level controls assists us in identifying and
assessing risks of material misstatement due to fraud or error, as well as
assisting us in determining the most appropriate audit strategy. We
achieve this by:

Understanding entity-level controls
  Determining how to obtain an understanding of entity-level controls
  Determining the extent of understanding of entity-level controls
  and audit evidence
  Identifying and assessing risks of material misstatement
  Determining the effect on our audit strategy
  Obtaining audit evidence of the operation of the elements of
  components at the entity level


P05 Understand entity-level controls
Components of internal control



P06 Identify risks of material misstatement
due to fraud and determine responses



Phase 1 Planning and Risk Identification
P07

This objective addresses concepts of planning materiality (PM), tolerable
error (TE) and the SAD nominal amount to identify misstatements to be
reported in the Summary of Audit Differences (SAD).


P07 Determine PM, TE and SAD nominal
amount

We consider materiality at two levels:
At the overall level, as it relates to the financial
statements taken as a whole: PM
At the individual account level: TE

In addition to determining PM and TE amounts, we also
determine an appropriate nominal amount to use in
posting misstatements to the SAD.
TE is used as a basis for determining testing thresholds,
while the SAD nominal amount is used to establish a
threshold for clearly trivial misstatements.


Phase 1 Planning and Risk Identification
P08

The last objective of Phase 1 addresses identifying significant accounts
and disclosures and relevant assertions.


P08 Identify Significant Accounts and
Disclosures and Relevant Assertions
Accounts and disclosures are significant if they may contain
material misstatements. To determine this, we consider both:
Quantitative considerations (the larger the account balance, the
greater the possibility that it contains material misstatements)
Qualitative considerations (risks associated with the
account/disclosure or significance and sensitivity of the information)

The extent and nature of audit procedures we perform will vary
depending on whether accounts and disclosures are significant or not.


Phase 2 Strategy and Risk Assessment


S01 TPE and discussion of fraud and error
E01 Post-Interim Event (PIE)

The first group of objectives will cover the team events within the
Strategy and Risk Assessment and Execution phases:
the Team Planning Event (TPE) and discussion of fraud and error and
the Post-Interim Event (PIE)


Phase 2 Strategy and Risk Assessment
S02-S07

The next group of objectives will cover a variety of categories as the
engagement team starts understanding and evaluating the classes of
transactions and controls as a foundation of the overall risk assessment and
strategy development.


S02 Identify SCOTs, significant disclosure
processes and related IT applications

We identify significant classes of transactions (SCOTs), significant
disclosure processes and related IT applications that affect the relevant
assertions of significant accounts/disclosures.
We achieve this by:
Identifying the SCOTs that generate the amounts recorded in the
significant accounts and the significant disclosure processes that
generate the amounts or words for significant disclosures
Identifying the IT applications (and related attributes) that support
the SCOTs and significant disclosure processes and produce
electronic audit evidence (EAE).


S02 Identify IT applications supporting
SCOTs, disclosure processes and EAE

Once we identify the SCOTs and significant disclosure processes, we
identify those IT applications supporting them that are relevant to the
audit.
An IT application relevant to the audit is a software
program that supports any of the following:
SCOTs from initiation, recording, processing, correcting as
necessary and reporting to the financial statements
Significant disclosure processes by which transactions, events, or
conditions required to be disclosed by the applicable reporting
framework are accumulated, recorded, processed, summarized
and appropriately reported in the financial statements
The production or creation of electronic audit evidence (EAE).


Identify SCOTs and related IT applications



S03_2 Understand the critical path of the
SCOTs and significant disclosure processes
We obtain an understanding of the critical path in the significant
class of transactions (SCOT).

The critical path covers from initiation through reporting in
the entity's general ledger.

We also obtain an understanding of the policies and procedures
in place that management uses to ensure that directives are
carried out and applied, and consider the effect IT has on the
SCOTs and the significant disclosure processes.

We use our understanding of the critical path and the policies and procedures to
identify what can go wrongs (WCGWs) and, when applicable, relevant controls.


S03_4 Identify WCGWs in SCOTs and
significant disclosure processes
The identification of WCGWs assists us in determining the nature, timing and
extent of our further audit procedures at the assertion level necessary to
obtain sufficient appropriate audit evidence.

When there is a likelihood of occurrence of misstatements (i.e., point
in the critical path where misstatements can occur), we determine the
magnitude of the potential misstatement (i.e., whether it can result in a
risk of material misstatement).
If we determine the magnitude of the potential misstatement may be material,
we identify a WCGW.

We do not attempt to identify all WCGWs, but focus on those WCGWs that could have a
material effect on the relevant assertions.


S03_4
Link WCGW and assertions



S03_6
Identify controls that are relevant to the audit
Controls

We establish a preliminary audit strategy for placing reliance on controls
related to the SCOTs and the significant disclosure processes once we obtain
an understanding of the SCOTs and the significant disclosure processes. We
distinguish between the following strategies:
Controls reliance strategy
Substantive only strategy

When we select a controls reliance strategy, we obtain an understanding of the controls
relevant to the audit (i.e., relevant controls). By obtaining an understanding of the critical
path, WCGWs and controls, we know:
How transactions are initiated, corrected, processed and reported
What errors could occur during the process
What controls exist that mitigate the risk of errors.


S03_6
Identify controls that are relevant to the audit



S06 Select controls to test

We test controls to evaluate the operating effectiveness of controls
over the SCOTs and significant disclosure processes to prevent or
detect and correct material misstatements at the assertion level.

We select relevant controls to test that address the WCGWs for each
relevant financial statement assertion for which we plan to rely on
controls.

We exercise professional judgment in determining the appropriate
controls to select and test, recognizing that it may be more effective and
efficient to select and test controls that address multiple WCGWs and
assertions.


S07 Understand, walkthrough, test and
evaluate ITGCs

When using a controls reliance strategy for SCOTs or significant
disclosure processes, our understanding of the role of IT in the entity
is important to assist us in concluding whether to rely on ITGCs to
support our reliance on application controls, IT-dependent manual
(ITDM) controls or electronic audit evidence (EAE).

When determining our audit strategy for ITGCs, we perform one of the
following:
Identify, understand, walkthrough, test and evaluate ITGCs (i.e., rely on
ITGCs) when we plan to rely on application controls, ITDM controls or
EAE
Perform direct testing procedures if we decide not to rely on ITGCs, but
we plan to rely on application controls, ITDM controls or EAE.

If we do not rely on ITGCs or do not perform direct testing procedures
as described above, we do not rely on application controls and ITDM
controls. When we use EAE, we are required to perform direct testing
to rely on EAE.


Approach for evaluating ITGCs

[Diagram: layered evaluation of ITGCs, from the top layer down. Layers
marked R in the diagram require a rationale.]
Financial Control Evaluation: IT-Dependent Manual or Application Control
Evaluation (Effective)
Aggregate ITGC Evaluation for IT-Dependent Manual or Application Control
(Support / Not Support)
ITGC Category Evaluations: Manage Change (Ineffective), Logical Access
(Effective), Other ITGCs (Effective)
ITGC Evaluations: individual ITGCs, each evaluated Effective or Ineffective

Rationale required if higher layer evaluation is Effective or Support and
lower layer contains an Ineffective or Not Support evaluation.


Evaluate IT General Controls



Phase 2 Strategy and Risk Assessment
S08/E07

This group of objectives includes objectives from both the Strategy and
Risk Assessment phase and the Execution phase, as we make combined
risk assessments, and then reassess them later.


S08/E07 Make (and reassess) combined risk
assessments

In order to develop an audit strategy that is responsive to
the entity's risks of material misstatement, we make a
combined risk assessment (CRA) for each relevant
assertion for each significant account and disclosure.
We achieve this by:
Assessing inherent risk (IR)
Assessing preliminary control risk (CR)
Combining the assessment of inherent risk and control risk to
arrive at a CRA for each relevant assertion for each significant
account and disclosure

Once we have determined the CRA for a relevant
assertion, we address the remaining audit risk
(i.e., detection risk) by designing substantive procedures
that are responsive to the CRA.


S08 Combined Risk Assessment
Risk components
This table shows how we combine our assessments of inherent and
control risks into one combined risk assessment table:



S08 Combined Risk Assessment
Effect of CRA on substantive procedures

EY GAM requires us to obtain reasonable assurance that the financial
statements are free from material misstatements, based on our procedures.
The CRA associated with each assertion affects how we design our audit
strategy to obtain such assurance.


Phase 2 Strategy and Risk Assessment
S09-S12

The group of objectives includes designing a variety of tests and
procedures to be performed in the next phase of EY GAM, Execution.


S09 Design tests of controls

We design the nature, timing and extent of our tests of
controls to obtain sufficient appropriate audit evidence that
the controls selected for testing operate effectively as
designed throughout the period of reliance to prevent or
detect and correct material misstatements at the assertion
level when:
We plan to rely on the operating effectiveness of the controls in
determining the nature, timing and extent of our substantive
procedures
Substantive procedures alone cannot provide sufficient
appropriate audit evidence at the assertion level (e.g., for highly
automated SCOTs).


S10 Design tests of journal entries and other
mandatory fraud procedures
We plan procedures to mitigate the
risk of management override of
controls by:
Testing the appropriateness of journal
entries recorded in the general ledger and
other adjustments made in the preparation
of the financial statements
Evaluating the business rationale for
significant unusual transactions that are
outside the normal course of business for
the entity
Reviewing significant accounting estimates
for evidence of management bias
We evaluate whether to perform other audit
procedures to respond to the risk of
management override of controls.



S11 Design substantive procedures

We design substantive procedures so that the
combination of our procedures (including tests of
controls) provides sufficient appropriate audit evidence
to reduce audit risk to an acceptably low level and
enables us to draw reasonable conclusions on which
to base our opinion.

The appropriate mix of substantive procedures
depends on factors such as the nature of the account
balance and our combined risk assessments. EY GAM
requires certain substantive procedures (Primary
Substantive Procedures) to be performed, regardless
of our combined risk assessment.

Our combined risk assessment affects the timing and
extent of PSP (e.g., the higher our combined risk
assessment, the closer to period-end and the higher
the extent of the PSPs we design).

Other substantive procedures may be required as the
CRA increases and/or significant risks are identified.


S12 Plan general audit procedures
E06 Perform general audit procedures

We plan and perform general audit procedures to audit those
areas on every engagement that are not directly related to financial
statement account assertions in the following areas:
The entity's compliance with laws and regulations
Litigation and claims
Minutes and contracts
Consideration of going concern
Related party relationships and transactions
Obtaining management representations

We make an initial determination of the scope of the general audit
procedures to be performed and exercise judgment in determining
the timing and extent of general audit procedures.
We document our general audit procedures in the Program for
general audit procedures (PGAP). The PGAP is supplemented,
where applicable, by local professional standards and requirements.


Phase 2 Strategy and Risk Assessment
S13

The last group of objectives covers the audit strategy memorandum that
concludes this phase.


Phase 3 Execution


E02 Execute tests of controls

We execute tests of relevant controls to ensure that those controls
we plan to rely on are operating as intended throughout the period
of reliance.
If we identify control exceptions, we assess the effect of the control
exception and respond appropriately.
At the completion of our tests of controls, we evaluate the results of
our tests and conclude on the operating effectiveness of controls.


E04 Update tests of controls

When we execute our tests of controls, including IT general controls
(ITGCs), prior to the balance sheet date and conclude that we are
able to rely on controls, we update our tests of controls to the
balance sheet date so that we have sufficient appropriate audit
evidence that the controls operate effectively throughout the period
of reliance. We achieve this by:
Determining the additional audit evidence to be obtained for the
remaining period
Updating our tests of controls procedures and evaluating the
results.


E05 Perform substantive procedures

The extent of substantive procedures depends on the CRA.

Our strategy is based on an appropriate balance of testing controls and
performing substantive procedures, so that the combination of our
procedures (including tests of relevant controls) provides sufficient
appropriate audit evidence to reduce audit risk to an acceptably low level
and enables us to draw reasonable conclusions on which to base our
auditor's opinion.


Phase 4 Conclusion and Reporting


Summary by Account



Summary by Process



Summary by Risks



Questions?

THANK YOU
