
Auditing Theory

Chapter 10
Understanding the Entity and Its Environment

PHASE I-C
Risk Assessment through Understanding the Entity

PSA 315¹
• Auditor is responsible to identify and assess RMM through understanding the entity, including internal control; discussion with engagement team re: susceptibility to misstatement is required
• Standard’s requirements
  I. Risk assessment procedures and sources of info
  II. Understanding the entity and its environment + internal control
  III. Identifying and assessing RMM
  IV. Material weakness in internal control
  V. Documentation

I. RISK ASSESSMENT PROCEDURES AND SOURCES OF INFO ABOUT THE ENTITY AND ITS ENVIRONMENT, INCLUDING INTERNAL CONTROL

Obtaining understanding of E&E+I is a continuous, dynamic process of:
• Gathering
• Updating
• Analyzing information

Risk assessment procedures (RAP)
• Audit procedures to obtain understanding (PSA 500²)
• Auditor performs evidence-gathering procedures even if it was not specifically planned
• May occur CONCURRENTLY with RAP for efficiency
• When using info obtained in PRIOR PERIODS, determine whether changes affect relevance to current audit
• Previous experience with continuing clients contributes to understanding
• When relevant, auditors may also consider info in client acceptance process and experience from other engagements

Procedures (not required for all aspects as per PSA 315, only to the extent of required understanding): IAO

Inquiries of management and others within the entity
• Management can provide necessary info, but others may be inquired by auditor to gain different perspectives:
  - Those charged with governance: environment in which FS are prepared
  - Internal audit: design & effectiveness of internal control; response of management to findings
  - Employees involved in unusual transactions: appropriateness of application of certain accounting policies
  - In-house legal counsel: litigation, compliance, knowledge of fraud, post-sales obligations, arrangements, contract terms
  - Marketing/sales: changes in marketing strategies, sales trends, arrangements with customers

Analytical procedures
• Identifying existence of unusual transactions that have FS and audit implications
• Auditor develops expectations, compares them with actual records, identifies deviations from expectations, and considers them in identifying RMM
• Analytical procedures using data aggregated at high level only provide broad initial indication of RMM
• PSA 520 - “Analytical Procedures”

¹ PSA 315 - “Identifying and Assessing the Risks of Material Misstatements through Understanding the Entity and Its Environment”
² PSA 500 – “Audit Evidence”
Observation and inspection
• Support inquiries and provide info about E&E
• Procedures include: VORIT
  - Observation of entity activities and operation
  - Inspection of documents, records, internal control manuals
  - Reading reports prepared by management
  - Visits to entity’s premises
  - Tracing transactions through information systems

II. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT INCLUDING INTERNAL CONTROL

INAOPI

Industry, Regulatory, & Other External Factors + Applicable FRF

Industry
• Competitive environment
• Supplier and customer relationships
• Technological developments

Regulatory
• Applicable FRF
• Legal and political environment
• Environmental requirements

Other
• General economic conditions

*Cabrera, Ch. 10 p.424 for more matters to consider

Overall attractiveness of industry
• Barriers to entry
• Strength of competitors
• Bargaining power of suppliers
• Bargaining power of customers
• Others:
  a. Economic conditions
  b. Financial trends
  c. Governmental regulations
  d. Changes in technology
  e. Widely used accounting methods

– Industry gives rise to specific RMM arising from nature of business or degree of regulation

Legislative and regulatory requirements
• Determinant of applicable FRF (usually that of the jurisdiction in which entity is registered and auditor is based; auditor and entity will have common understanding of the framework)
• Where there is no local FRF, entity’s choice will be governed by:
  - Local practice
  - Industry practice
  - User needs
  - Other factors
• Auditor should consider local FRF requirements since FS may be misstated in the context of the applicable FRF

Nature of the Entity
- Operations
- Ownership and governance
  • PSA 550 – “Related Parties”
- Investments (current and prospects)
- Structure – complex structures lead to difficulty in consolidation & give rise to RMM:
  • Allocation of goodwill
  • Impairment
  • Investments using equity method
  • Accounting for special-purpose entities
- Financing
- Then, critical business processes and value-creation for customers

Selection/Application of Accounting Policies and Changes thereto
- Includes:
  • Methods used for unusual transactions
  • Effect of policies in areas where authoritative guidance or consensus is lacking
  • Changes in accounting policies
  • New FR standards and how the entity will adopt new requirements
- Presentation of FS includes:
  • Adequate disclosure of material matters; may relate to:
    - Form
    - Arrangement
    - Content and appended notes: terminology, amount of detail provided, classification of items, basis of amounts set forth
- Other matters to consider (Cabrera, Ch. 10, p. 427):
  • Business operations
  • Investments
  • Financing
  • Financial Reporting

Objectives, Strategies, and Related Business Risks

Objectives: overall plans developed in response to circumstance in which the entity operates

Strategies: operational approaches to achieve objectives

Business Risk
- results from significant things that adversely affect entity’s ability to achieve objectives and strategies
- broader than RMM, but includes it
- may arise from:
  (1) Change
  (2) Complexity
- failure to recognize change also gives rise to risk
- auditor DOES NOT have a responsibility to identify ALL business risk
- most (not all) have financial consequences, therefore, affecting financial statements
- auditor is interested in how management assesses and responds to such risk
- where there is no documentation, auditors perform inquiry

Objectives and strategies change over time along with changes in the environment

Other matters to consider (Cabrera, Ch. 10 p.430):
1. existence of objectives
2. effects of implementing a strategy

Measurement and Review of Entity’s Financial Performance

Performance measures
- create pressures that may motivate management to take action in:
  • improving business performance
  • misstating FS / engaging in fraud
- internal/external

Internal:
• KPIs (financial and nonfinancial)
• Budgets
• Variance analyses
• Segment information
• Divisional, departmental, other level reports
• Comparison with competitors

External:
• Analyst’s reports
• Credit rating agency reports

- entities use measurement systems to gauge progress towards meeting objectives
- external parties may also review performance
- determines incentives because compensation is tied to performance measures
- may be indicators of RMM (unexpected results)
- when used by auditors, check for precision in MM detection
- Other matters to consider: (Cabrera Ch. 10 p. 433)

This is distinguished from MONITORING OF CONTROLS though their purposes may overlap.

Monitoring of Controls: effectiveness of internal controls
Measurement and Review of FP: progress in attaining objectives set by management or third parties

Performance indicators may also be used to identify deficiencies in internal control
Understanding the Client’s Internal Control

Internal Control – provides reasonable assurance of achieving objectives related to:
1. Reliable financial reporting
2. Operational efficiency and effectiveness
3. Compliance with laws and regulations

Nature and extent of audit work depend largely upon effectiveness of internal control.

To evaluate effectiveness of IC:
1. Understand the system: how it works, what controls exist, who performs controls, how transactions are processed, what records exist

III. Identifying and Assessing the Risk of Material Misstatement

- RMM at financial statement level and assertion level must be identified and assessed
- The auditor performs the ff:
  • Identifies risks throughout the process of understanding, including relevant controls
  • Relates risks identified to what could go wrong at the assertion level
  • Considers whether magnitude of risk may cause material misstatement
  • Considers the likelihood that risks could result in a material misstatement

Significant Risks
- Risks that need special audit consideration
- Based on auditor’s professional judgment
- Excludes effects of identified controls
- PSA 330³ describes the consequences for further audit procedures
- Usually arise from:
  1. Non-routine transactions
     a. Management intervention in accounting treatments
     b. Manual intervention in data collection
     c. Complex calculations/principles
     d. Nature of non-routine transactions
  2. Judgmental matters
     a. Accounting principles subject to different interpretations
     b. Assumptions about effects for future events; very subjective
- Matters to consider in identifying nature of risk:
  • Risk of fraud
  • Relation to significant economic, accounting developments
  • Complexity of transactions
  • Involvement with related parties
  • Degree of subjectivity in measurement
  • Involvement of significant transactions outside normal business course
- Indicators of Existence of RMM:
  • Operations in economically unstable regions
  • Volatile markets
  • Complex regulations
  • Going concern & liquidity issues
  • Constraints in availability of capital/credit
  • Changes in the industry
  • Changes in the supply chain
  • New products/services
  • New locations
  • Large acquisitions/reorganizations of the entity
  • Segments likely to be sold
  • Complex alliances/joint ventures
  • Significant transactions with related parties
  • Lack of personnel with appropriate accounting skills
  • Changes in key personnel
  • Weakness in internal control
  • Inconsistency bet. IT strategy and business strategies
  • Changes in IT
  • New IT system
  • Inquiries by regulatory bodies
  • Past misstatements, significant amount of adjustments at year-end
  • Non-routine transactions
  • Transactions recorded based on management’s intent
  • New accounting pronouncements
  • Accounting measurements involving complex processes
  • Measurement uncertainty
  • Pending litigation

³ PSA 330 – “Auditor’s Responses to Assessed Risk”
IV. Material Weakness in Internal Control
- Auditor shall identify, based on audit work performed, material weakness in design, implementation, or maintenance of IC
- PSA 260⁴: communicate on a timely basis with those charged with governance (unless they are involved in management)
- Types of material weaknesses:
  • RMM that the entity has not controlled, or for which relevant control is inadequate
  • Weakness in, or an absence of, a risk assessment process
- Material weaknesses may also be identified in controls that prevent/detect/correct error or fraud

V. Documentation
- PSA 230 “Audit Documentation”
- Auditor should document:
  • Discussion among engagement team re: susceptibility of FS to MM + significant decisions
  • Key elements of understanding obtained
  • RMM at FS & assertion level
  • Risks identified + related controls evaluated
- Manner of documentation based on professional judgement
- Results of RAP may be:
  • Documented separately
  • Documented as part of auditor’s documentation of further procedures (PSA 330)
- Common techniques:
  • Narrative descriptions
  • Questionnaires
  • Check lists
  • Flow charts
- Form and extent of documentation depend on nature, size, complexity of the entity, IC, availability of info, & specific audit methods and tech used
  • Large entity with complex info system – electronic
  • Small entity with few transactions – memorandum

Risk at the assertion level
- risk that financial statement assertion is materially misstated
- FS assertions are not equally subject to misstatements; some have higher risk than others

Audit risk
- Possibility that auditors fail to modify opinion on materially misstated FS
- Consists of the possibility that:
  • RMM (IR × CR): MM has occurred
  • DR: Auditor does not detect MM

Audit Risk consists of Risk of Material Misstatement (Inherent Risk and Control Risk) and Detection Risk.

Inherent Risk
- Susceptibility to MM assuming there are no controls
- May change for future audits due to:
  • Client’s influence
  • Economic or industry factors outside of client’s influence

Control Risk
- Risk that a misstatement cannot be detected/prevented/corrected on a timely basis by internal control systems
- May be affected by auditors for a future audit by encouraging client to implement changes in control

Inherent Risk and Control Risk (Risk of Material Misstatement)
- Exist independently of the audit of FS
- Influence nature, timing, extent of audit procedures
- Inverse relationship with DR

Detection Risk
- Risk that auditor’s substantive procedures will fail to detect a misstatement that could be material
- Composed of:
  • Sampling risk
  • Non-sampling risk
- Can be controlled by auditors through amount of evidence he accumulates
- Relates directly to substantive procedures

⁴ PSA 260 – “Communication with Those Charged with Governance”

Assessing Inherent Risk and Control Risk at the Assertion Level
Inherent Risk

At FS Level
- Management’s integrity
- Management’s experience and knowledge
- Changes in management during the period
- Unusual pressures on management
- Nature of entity’s business
- Factors affecting industry

At Account Balance and Class of Transactions Level
- FS account likely to be misstated (e.g. accounts requiring prior-period adjustments that need high degree of estimation)
- Complexity of underlying transactions
- Degree of judgment involved in determining account balances
- Susceptibility of assets to loss or misappropriation
- Completion of unusual and complex transactions, particularly near or at period end
- Transactions not subject to ordinary processing

Factors indicative of high inherent risk
• Inconsistent profitability
• High sensitivity of operating results to economic factors
• Going concern problems
• Large known and likely misstatements in prior audits
• Substantial turnover, questionable reputation, inadequate skills of management

Assertions with high inherent risk
• Difficult to audit transactions/balances
• Complex calculations
• Difficult accounting issues
• Significant judgment
• Values that vary significantly based on economic factors

Control Risk
- Can never be zero; internal controls cannot provide complete assurance
- Effective internal control structure promotes reliability in accounting data (GAAS)
- To obtain understanding:
  • Inquiry
  • Inspection
  • Observation
  • Reperformance procedures
- Preliminary assessment of control risk (PACR): evaluating effectiveness of internal control in preventing/detecting MM
- Auditor assesses control risk at high level when:
  • Accounting and IC are ineffective
  • Evaluating effectiveness of accounting and IC would be inefficient
- PACR should be high unless:
  • Relevant internal controls that are likely to prevent/detect MM are identified
  • Auditor plans to perform tests of control to support the assessment
- Documentation
  • Understanding obtained re: accounting and internal control systems
  • Assessment of control risk

Detection Risk
- Function of the auditor’s verification of account balances
- Influenced by NTE of audit procedures
- Auditor considers likelihood that he will make a mistake
- Relates DIRECTLY to substantive procedures
- Some detection risk will always be present even if an auditor were to examine 100% of account balances because evidence is mostly persuasive
- Restricted by performing substantive tests

Interrelationship of AR Components

                       Control risk is:
                       H         M         L
Inherent risk is:  H   Lowest    Lower     Medium
                   M   Lower     Medium    Higher
                   L   Medium    Higher    Highest
Audit risk model
- Auditors use this relationship to determine NTE of audit procedures to manage and control audit risk
- May be numeric or qualitative (high, medium, low)

AR = IR × CR × DR

Steps:

1. Determine planned audit risk
- Planned audit risk = acceptable audit risk
- Factors + methods:
  • Reliance of external users on FS
  • Examine FS + footnotes
  • Read minutes of meetings
  • Discuss financing plans with management
  • Likelihood of financial difficulties
  • Analyze FS for difficulties using ratios
  • Examine historical and projected cash flows
  • Management integrity
  • Obtain info from lawyers, CPAs, banks, predecessor auditor
- Assessment of factors is highly subjective; thus overall assessment is highly subjective
- E.g. low acceptable audit risk = risky client requiring more extensive evidence

2. Assess inherent risk
- Implies that auditor attempts to predict where misstatements are in the FS
- Major factors (read Cabrera, Ch. 10 p.450):
  • Nature of business
  • Integrity of management
  • Client motivation
  • Results of previous audits
  • Initial vs repeat engagements
  • Related parties
  • Nonroutine transactions
  • Susceptibility to defalcations
  • Judgement required to correctly record account balances and transactions
  • Make up of population
- Auditors are generally conservative in making assessments of inherent risk
- Relationship to detection risk: inverse
- Relationship to planned evidence: direct

3. Assess control risk
- CR represents:
  • Effectiveness of IC
  • Auditor’s intention to make that assessment at a level below the maximum (100%) as part of the audit plan
- Before setting CR to less than 100%:
  • Obtain understanding of IC
  • Evaluate how well IC should function
  • Test IC for effectiveness
- If internal controls are completely ineffective, auditor sets CR to 100%

4. Solve equation to determine planned DR
- Planned detection risk = allowable detection risk
- ADR/PDR is the amount of risk the auditor can allow for an assertion that audit evidence will fail to detect misstatements exceeding a tolerable amount
- 2 key points:
  • Dependent on other three factors in the model
  • Determines amount of substantial evidence the auditor plans to accumulate (inverse)

*Assessed level of IR and CR cannot be sufficiently low to eliminate need to perform substantive procedures. Procedures should always be performed.

*If DR cannot be reduced to an acceptably low level, auditor should express an unqualified opinion or issue a disclaimer.

*Computation and comparison with achieved audit risk.
- if achieved AR is less than or equal to planned AR, evidence accumulated is sufficient

AcAR = IR × CR × AcDR

*Research shows that the formula is not appropriate in calculating achieved audit risk, but relationships are still valid.
Ways to reduce AcAR to an acceptable level:
1. Reduce IR
- Based on client’s circumstances
- Assessed during planning
- NOT typically changed unless new facts are uncovered
2. Reduce CR
- Affected by client’s IC
- Reduced by more extensive test of controls if client has effective controls
3. Reduce AcDR by increasing substantive audit procedures

Summary of PSAs
1. PSA 230 - “Audit Documentation”
2. PSA 260 - “Communication with Those Charged with Governance”
3. PSA 315 - “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment”
4. PSA 330 - “Auditor’s Responses to Assessed Risk”
5. PSA 500 - “Audit Evidence”
6. PSA 520 - “Analytical Procedures”
7. PSA 550 - “Related Parties”
