Audit and assurance right and duties of auditor, internal auditor appointment and selection
according to ISA. How ISA development
Auditor publicity, promotion and advertisement, appointment, acceptance rules and regulations,
engagement letter content, revision required
Chapter 3
The auditor is now appointed. The client/entity signs an engagement letter with the auditor. Now we plan
and do a risk assessment.
The purpose of an audit plan explains the reason or objective for which the audit is planned: why the
engagement is being done and what the scope of the objective is. The purpose is for the external or
internal auditor to meet the objective on time. An audit plan sets out what needs to be done to achieve
an objective. The objective of the auditor is to plan the audit so that it will be performed in an
effective manner.
For both external and internal auditors, the objective is the production of an audit report. The objective
of both the external and the internal auditor is to evaluate the company and make an audit report.
An audit plan lays out the strategies to be followed to conduct an audit. It includes the nature,
timing and extent of audit procedures to be performed by the engagement team members. The
auditor shall develop an audit plan while considering the following:
The content tells what will make up the audit plan. What is included in the audit plan is
described by the audit plan.
Who will perform the audit work? Who is doing the audit work?
If the external or internal auditor is doing the audit, then at what level is the external party or
internal party doing the auditing?
Staffing
The auditor shall determine the exact staffing requirements along with a broad estimate of the time
required by each staff member, so that the audit work will be completed on time.
The audit company decides what type of staff is needed for auditing the particular company.
It depends on what kind of auditing is being done. Staffing depends on the complexity of the work done
by the organization and the geographical location. If the operations of the organization are complex, then
senior staff members are sent to gain a better understanding of the work. If the organization’s subsidiaries
are dispersed in different locations, then senior staff, a larger number of staff, or staff who
are closer to the area and have no problem travelling to the company’s location are sent for
auditing. If the auditing needs to be done of a local store or warehouse, lower staff can be sent.
a) Interim audit
The staff in this audit are internees or staff who report back to senior executives.
b) Full Audit
The staff in this audit are senior executives.
When will the work be done?
The auditor should determine the timing of the report. This will help the auditor in determining the time
schedule of the audit. The timing of the audit decides how long the auditing will take. This depends
on the complexity of the subject being audited.
What work is to be done?
Auditor should determine the form of the report. This will help auditor in determining the
scope of the audit.
When the auditor signs the engagement letter, the scope of work is clearly mentioned in the
letter. Limits and boundaries are stated. The auditor can be restricted in their work. For example,
if an auditor wants to meet an employee to confirm information stated in the financial
statement, the auditor can meet that person. If an auditor wants to see an invoice, the
management is obliged to give it to the auditor. The auditor is just obliged to follow the
laws, rules and regulations followed by the applicable financial reporting framework. The
auditor clearly states what work is exempted due to the international laws or ISA.
2) Risk Assessment and the audit plan:
When auditors get appointed, they need to identify the threats, limitations and problems they will
face during auditing. They also need to identify the safeguards associated with the threats
to limit them. Risk assessment is done by the auditor to find the threat the environment
poses on the entity (company). Risk assessment is done of the client, how the client
affects the environment and the major risks the auditor would have to encounter while doing
the auditing of the company. If the company is involved in a fraud, how would you
evaluate the fraud? Risk assessment would be used to find out the threat posed on the
environment and entity of not detecting the fraud. The self competence and learning of
the auditor will be affected through fraud detection.
The entity to be audited, and
Which company is to be audited. The size, location of the company will be seen. The
nature of the entity's business, for example, the potential for technological obsolescence
of its products and services, the complexity of its capital structure, the significance of
related parties and the number of locations and geographical spread of its production
facilities
The environment in which the entity operates
The external environment and internal environment affect the way in which the entity
operates. The external environment includes factors like political, technological,
economical, demographical and so on. The internal environment includes the suppliers,
competitors, distributors, employees and so on. It also covers the industry it works in, the regulatory body that
governs the entity to ensure standardization, stakeholders, the government perception that is
created by the way taxes are paid by the entity, and investors. The threat the environment
poses on the entity or the entity poses on the environment will be assessed in the risk
assessment done by the auditor and thus help in assessing the risk all this has on the audit
plan.
Factors affecting the industry in which the entity operates, for example, economic and
competitive conditions as indicated by financial trends and ratios, and changes in
technology, consumer demand and accounting practices common to the industry
How the auditing will be affected by the risk assessed?
The assessment of risk in the audit will affect:
The amount of audit work performed in general; and
The risk assessment will tell the type of work that needs to be done. It would help and
guide in planning the auditing process. For example, if the client will face a risk during
auditing because of technological changes in the environment, the auditing plan would be
made to help reduce risk faced by the technological changes of the environment. Risk
would be reduced in a way that it does not cause any problem in the auditing or on the
entity.
The areas on which the auditor will focus his attention
Risk assessment is used to identify the risk of the entity and environment. An awareness is
created about the areas which the auditor should audit properly and how
the threats in those areas would be reduced by making a proper audit plan.
Significant Audit Areas are identified in the Audit Plan. It is important for the auditor to
identify the areas which involve greater audit risk, so that the audit can be planned in
such a way that overall audit risk will be less. More risky areas should be checked in
detail and vice-versa.
The auditor makes an audit report using the materiality concept. The areas in which the
risk is greatest and threatens the company most are material for the company. The auditor
uses only material information to save the time, energy, effort and money used. If a risk
assessment is not done, the auditor would not be able to focus on the areas that matter the
most in making an audit plan. The auditor may have to bear a high cost if he does not do
risk assessment.
3) Important for both internal, external, audit and review
The effect of risk assessment is important for both internal, external, audit and review.
If an internal or an external auditor is doing a review or even a full audit, risk assessment
is necessary for the auditor to convey its opinion in a fair and true manner using the
materiality concept.
“An audit that includes a questioning mind, being alert to conditions which may indicate
possible misstatement due to error or fraud, and a critical assessment of audit evidence”
A political, questioning mind should be used by an auditor. An auditor should critically evaluate the
situation. Auditors ask different types of questions about anything or anyone they see, to finally identify
what the problem is and detect fraud.
a) Overview:
Planning an audit of financial statements is to plan the audit work so that the audit will be
performed in an effective manner. The audit of financial statements is prepared in such a way
that it is effective. The purpose of doing the audit is achieved.
b) Adequate planning benefits the audit. Sufficient and enough planning benefits the audit
through the following:
Adequate planning devotes appropriate attention to important areas of audit.
Proper planning will tell which areas need to be emphasized and which areas do not need
to be emphasized.
Adequate planning identifies and resolves potential problems on a timely
basis.
The interim audit has been done. The interim audit can be used to find the potential problems in
a timely manner. It can be used to tell where the problem occurs, why, and what measures need to
be taken to solve the problem.
Adequate planning organizes and manages the audit engagement so that it is
performed in an effective and efficient manner.
The audit engagement has contents that are managed in an efficient and effective manner.
This means that less cost and time is spent on the audit and the audit plan gives the most
benefit. The purpose of the audit plan should be achieved in a way that it reaps the most
benefit to the parties concerned by the auditing.
Adequate planning helps in the selection of staff with appropriate experience
to respond to risk and the assignment work.
Staff should be capable enough to find the errors in the entity and detect fraud.
The audit company decides what type of staff is needed for auditing the particular
company. It depends on what kind of auditing is being done. Staffing depends on the
complexity of the work done by the organization and the geographical location. If the operations of
the organization are complex, then senior staff members are sent to gain a better understanding of
the work. If the organization’s subsidiaries are dispersed in different locations, then senior
staff, a larger number of staff, or staff who are closer to the area and have no
problem travelling to the company’s location are sent for auditing. If the auditing needs
to be done of a local store or warehouse, lower staff can be sent.
There are two types of auditing
a) Interim audit
The staff in this audit are internees or staff who report back to senior executives.
b) Full Audit
The staff in this audit are senior executives.
Adequate planning helps in directing and supervising of staff and review of
their work.
The seniors of the external auditor provide direction on how the audit will be done. The
senior staff of the external auditor play an important role in ensuring that auditing is planned
in an efficient and effective manner. The current external auditor supervises and reviews the
work of company staff and staff of the audit company.
Adequate planning helps in coordinating of work done by auditors of
components and experts
The auditor works to gather information from every department, e.g. purchase, accounting,
finance, marketing etc. The reports from each department are combined to form a final
audit report.
ISA 300 requires the auditor to:
1. ISA 300 requires the auditor to involve whole management team in auditing.
The whole management team consists of the members who are involved in the discussion of the audit
engagement. The partner and firms involved in the audit engagement are the whole management
team, who work together to ensure that auditing is done in an efficient and effective
manner.
2. Performing procedures (ISA 220),
ISA 220 for performing procedures requires continuance of the client
relationship
A recurrent audit is when auditing is done again by the firm that also did the previous
audit. The same procedures which were used to do the previous audit would be
used again.
ISA 220 for performing procedures requires specific audit engagement,
The audit engagement letter would be made in the same way except it would be
modified to meet the current requirements of the audit plan. If there is a change in
structure, top level management, or accounting framework, the engagement letter
can be made again to suit the requirements.
ISA 220 for performing procedures requires compliance with the relevant
ethical requirements and independence
The code of ethics should be met. This includes being professional, no dishonesty and no
cheating while doing the auditing. Independence means that the external or internal
auditor should not be personally involved with the business. This is so that
management does not influence the auditor’s opinion and the opinion given by the
auditor is fair and true. The auditor should not have a personal relationship so that
management does not influence the decision of creating a positive audit report when the
report is negative in fact. The evaluation should not be biased.
3. ISA 210 requires understanding the terms of the engagement
Both parties involved in the audit engagement should have an understanding of the
preconditions needed to do the audit engagement.
4. Overall strategy for the audit that sets the scope, timing and direction of the audit,
Audit plan needs a strategy in which the limitation and restriction of the plan is defined.
Auditor should determine the form and the timing of the report. This will help auditor in
determining the scope and time schedule of the audit. These questions should be
answered while making overall strategy:
How much time is needed to complete the audit?
How will work be supervised and reviewed?
How will the work be done? What is the scope of work done?
5. Document the overall strategy and the audit plan
The audit plan developed should be documented and written in an audit report so that it can be
easily reviewed when needed. The Audit Working Papers are the official record that contains
the planning and execution of the audit agreement.
ISA 300 requires the engagement partner and other key members of the engagement
team to be involved in planning the audit, including planning and participating in the
discussion among engagement team members to enhance the efficiency and effectiveness
of the planning process.
The whole management team consists of the members who are involved in the discussion of the audit
engagement. The partner and firms involved in the audit engagement are the whole management
team, who work together to ensure that auditing is done in an efficient and effective
manner.
• Complexity
If the activities of the business are complex and difficult, then the audit engagement
team would be large to accommodate the needs of the organization and ensure that
efficient and effective auditing is planned. If the activities of the business are not
complex and not difficult, then the audit engagement team would be large to
accommodate the needs of the organization and ensure that efficient and effective
auditing is planned.
If you are dealing with a defense institute then you need to consider many other
factors, like the staff involved. Relevant factors may involve the location of the
organization and the type of organization. If the organization’s subsidiaries are
dispersed in different locations, then a larger number of staff, or staff who
are closer to the area and have no problem travelling to the company’s location,
are sent for auditing. If the auditing needs to be done of a local store or warehouse,
fewer engagement team members can be sent.
When an engagement team is made, preliminary engagement activities need to be planned.
Terms of Engagement and any Statutory Responsibilities: While framing an audit plan
auditor should ascertain his terms of appointment and responsibilities cast by various legislations
on him. The auditor should then prepare his audit plan based on what he is required to do.
ISA 220 checks whether the internal auditor is competent to perform the
engagement. This means that the auditor follows all the rules and obligations listed by the
applicable financial reporting framework for the appointment of the auditor. The
auditor should be qualified enough to perform their rights and duties in the correct
manner to convey an opinion which is true, fair and based upon material
information.
The auditor should meet the needs of the client. The auditor should be approachable,
friendly, honest, fair, true and professional with the client.
The auditor should consider significant matters that have arisen during the
current or previous audit engagement
The special matters which have now come into consideration should be audited in a true
and fair manner.
2. Evaluate compliance with relevant ethical requirements, including independence (ISA
220)
a) ISA 220 is used to confirm that the auditor remains compliant with ethical
requirements
The code of ethics should be met. This includes being professional, no dishonesty and no cheating
while doing the auditing. Independence means that the external or internal auditor should not
be personally involved with the business. This is so that management does not
influence the auditor’s opinion and the opinion given by the auditor is fair and true. The
auditor should not have a personal relationship so that management does not influence
the decision of creating a positive audit report when the report is negative in fact. The
evaluation should not be biased.
A threat can be given to auditors in case they are not working according to the standards of
the applicable financial reporting framework. If the auditor is dishonest and committing
fraud, then extreme measures like jail can be used.
b) The engagement partner will need to provide the firm with relevant information
about the client engagement.
• Scope of services
Engagement partner should give their firm relevant info about their client. This is to
provide proof of their independence. The info will be shared to show in what limit
and restriction were the service of auditing provided.
The terms of the engagement should be considered. Auditor should frame an audit plan by
ascertaining his terms of appointment and responsibilities cast by various legislations on auditor.
The auditor should then prepare his audit plan based on what he/she is required to do.
• Planning Activities:
Audit plan needs a strategy in which the limitation and restriction of the plan is defined.
Auditor should determine the form and the timing of the report. This will help auditor in
determining the scope and time schedule of the audit. These questions should be answered
while making overall strategy:
• How will the work be done? What is the scope of work done?
An audit plan lays out the strategies to be followed to conduct an audit. It includes the nature,
timing and extent of audit procedures to be performed by the engagement team members.
Planning activities include establishing an overall audit strategy that sets the scope, timing
and direction. The auditor shall develop an audit plan while considering the following:
b) Documentation:
The auditor should document in written form the overall audit strategy, the audit plan, and any
significant changes made during the audit engagement along with the reasons. The audit plan
developed should be documented and written in an audit report so that it can be easily reviewed
when needed.
1.4. Contents of the overall business strategy and the audit plan
The nature of the entity's business, for example the number of locations and
geographical spread of its production facilities.
4. The nature of the control relationships between a parent and its components
The relationship between the external and internal auditor. The relationship
between parent and the subsidiary.
The nature of the entity's business, for example, the potential for technological
obsolescence of its products and services, the complexity of its capital structure,
the significance of related parties and the number of locations and geographical
spread of its production facilities. A company may sell different kinds of product.
Examples of such companies include Procter & Gamble. Experts with
specialized knowledge are needed to deal with such companies.
A statutory audit is an audit that is applied by law or legal bodies on a company. Small
companies, NGOs and clubs may be exempted from statutory audit. It would be seen
whether there should be an audit for subsidiary companies or there should be a
consolidated report including all reports from subsidiary companies.
Audit programs
Audit programs are sets of instructions to the audit team, specifying the audit procedures that
should be performed in each area/department of the audit. An audit programme is a set of
instructions which are to be followed for proper execution of audit. After the development of
audit plan a detailed written audit programme containing the various steps and procedures shall
be required. This helps the auditor in proper supervision of the audit.
The audit programme contains the measures that are generally employed to determine what, and
how much evidence must be collected and evaluated. It also lays down the responsibilities for the
whole audit team for carrying out different tasks. The prepared audit program may be revised if
needed in accordance with the prevailing circumstances. An audit program largely depends on
the size of the organization and other relevant factors. There is no standard audit
programme applicable for all situations.
The system assessment work and transaction testing will be carried out in the interim audit.
It assesses audit work for 10-15 days. The interim audit is done before the full audit. Articleship students or
people who have completed the last CA 4 module paper do the interim audit. They then see the
environment and develop an understanding of the activities of the client/entity, the financial statements,
books, whether auditing standards are met, the risks that are faced, and the safeguards used to prevent
damage from threats. The materiality concept should be seen, in which values that are too high or
information that is too risky are considered. The organization should have an internal auditor to have an
internal audit.
The balance of the work and testing of statement of financial position items take place at the
final audit.
The audit report is made using the evaluation of the organization done by the auditor. A full audit is
done after the interim audit. It is done using the annual report with the help of substantive testing.
Key Benefits:
An entity first decides to do an interim audit to make it easy to do the final audit.
The audit needs to be performed and the audit report produced on time. The auditor may decide to perform an interim
audit before the final audit.
During the interim audit, the internal control system is documented and evaluated. This will
determine the mix of tests of control and substantive procedures but both will tend to focus on
transactions that have occurred so far in the period.
During the final audit, the focus is on the financial statements and the assertions about assets,
liabilities and equity interests. At this stage the auditor will design substantive procedures to
ensure that assurance has been gained over all relevant assertions.
ISA 300 specifically states that the following procedures can only be performed at or after
the period end:
For an initial audit engagement, additional matters the auditor may consider in establishing the
overall audit strategy and audit plan include the following:
Audit engagement letter includes specific components. The auditor wants to consider some
specific, important matter from audit engagement in the auditing.
Section 2
Understanding the Business and Materiality (ISAs 315 and
320)
Auditor’s Risk Assessment Process:
ISAs 315 and 320 are related to the Auditor’s Risk Assessment Process.
Risk assessment is the systematic process for estimating the likelihood of adverse conditions
occurring. Risks are assessed in terms of both likelihood and impact. For example, managers
of a company would assess the risk of weather conditions (e.g., hurricane, blizzard) affecting
supply or of key suppliers going out of business. As part of this assessment, they also would
attempt to determine the financial impact if such an occurrence happened. By combining
these risk assessments, they would be able to better prioritize the events and their potential
effects on store operations. For example, a week before a hurricane struck the location where
the company was located, the business’s continuity director was tracking the storm’s progress from
an emergency command center.
ISAs state that the Auditor’s Risk Assessment Process is done on the basis of these:
1. Inquiries:
Professional skepticism should be applied while asking questions. The auditor should have a
questioning mind to critically evaluate the information provided through the inquiries. It
would also help to detect fraud and error present in the information. It is used to identify
problems. Inquiries include enquiring from the client, his staff or third parties having
knowledge about a particular item or activity.
Management
Lower level managers and upper level managers are asked questions to get
sufficient and appropriate information. Whistleblowing is done by the lower level.
The company’s employees speak about the company’s information to an external party.
The company’s secrets are revealed to the public. The media and legal bodies begin to
support the company so that no harm comes to the environment and
the company. Company staff may commit fraud.
Appropriate individuals within the internal audit function if such function exists;
Others who may have information regarding the risks of material misstatement
due to fraud or error.
2. Analytical Procedures:
It is a study of ratios and trends to identify the existence of unusual transactions or events
that might have implications for the audit. Financial ratios are calculated. Vertical and
horizontal analysis may be done by the auditor. Analytical procedures are the analysis of
significant ratios and trends for investigating unusual fluctuations and items.
3. Observation and Inspection:
Analysis is done on the basis of the observation and inspection done by the auditor.
Observation: The process or procedure being performed by others is observed. For example,
physical verification and counting of inventory can be observation done by an auditor. This
includes inspecting internal controls manuals or business plan.
Inspection: Inspecting the documentary evidence like deed papers, certificates etc relating to
the audit whether in possession of the entity or the third parties.
Example of Observation and Inquiry:
Institutional Framework evaluation is a method in which HEC sends a person who evaluates a
university. HEC would demand files from each department, like the HR department,
administration, research and so on. When files of the admission department are seen, HEC will
find the way in which selection of a student is done, whether proper documents were there, and whether the filtering
method was a proper one. Whether HR is making good policies, the purchase department is recording fees
correctly and so on will be checked by HEC. HEC will see whether the work by the university is
done properly and will govern rules to ensure they are followed by the university.
A recession is taking place in the industry of the client company. In a recession, demand increases and
supply decreases because the industry is not in a position to make products. Input prices increase
since demand increases. The output price or sale price also increases to pay the input price. The customer has
to pay a higher price. The organization would increase its sales on a credit basis to get more profit.
The auditor sees what the effect on the environment will be, ensures that the whole country does not go into
recession, and sees how people will pay on a credit basis.
4. Conclusion
The audit should give particular attention to the measurement of trade receivables, and the
estimates for bad and doubtful debts.
The auditor will see if the company was capable enough to use trade receivables. The company has a
policy to cater to customer needs by providing discounts. The average collection period will be
calculated. Bad debts and write-offs will be found, so the trade policy is not good. The auditor
will give the opinion that the company was already in a bad position, and ask how it did more sales on
the basis of credit. If the company keeps on incurring bad debts then revenue will decrease since bad
debts are there, so no profit will occur. If the company is not evaluating the situation then this
means the company is involved in malfunction.
When risk assessment is done then the industry, regulatory, environment is evaluated.
Knowledge and understanding of the client’s business in the context of the client’s industry is
essential in an audit. Auditing standards require auditors to obtain a thorough understanding of
the business to plan and perform the audit work. Obtaining an understanding of the company
includes understanding:
The entity’s objectives, plans and strategies and those related business risks
that might reasonably be expected to result in risks of material
misstatement.
The purpose of obtaining an understanding of the company’s objectives,
strategies, and related business risks is to identify business risks that could
reasonably be expected to result in material misstatement of the financial
statements. The following are examples of situations in which business risks
might result in material misstatement of the financial statements:
Audit risk
Business risk
Business Risks
Business risk includes factors that could hinder the goals and objectives of the company
during the course of an audit. Risks that could adversely affect companies’ ability to achieve
objectives and execute strategies are called business risks. Business risks might result from
setting inappropriate objectives and strategies, or from complexity in the company’s
operations, changes in the industry environment, or even management
incompetence. Financial statements can be used to see the effects of the industry environment,
including economic and political events, weather occurrences, technological advances, and
social and demographic patterns on business. Auditors need to take the time to carefully
acquire knowledge about a client’s business, industry, and strategy to achieve competitive
advantage in order to get a better understanding of business risk.
Business risks relate exclusively to the company and its stakeholders. These risks can be very
diverse, but the largest risk facing any company is that it ceases to continue. The risks
include any factors that could lead to business failure. The following is a list of common
business risks, but it is not all-inclusive.
• Significant conditions,
Loss of profitability
Over trading
This may include risks like major plant failure, a labour price rise, or labour unions arising, which
may negatively affect the cash flow.
• Events,
There may be a political event or religious event. There may be an unexpected event that may
cause the business to fail. The current dilemma that is being faced includes the corona pandemic.
Political or economic instability
• Circumstances,
There may be circumstance like earthquake, flood, corona that affect business negatively.
Legal issues
• Actions or inactions that could affect an entity’s ability to reach its objectives and
carry out its strategies
Lack of financing
Market action that may include an unexpected decrease in stock price, an unexpected
decrease of customer, increased competition, decline in demand of product or service that
causes the organization to not timely meet its planned goal and objectives.
There are conditions in the economy which cause business risks. Business risks are known as
operational technical volatility. Risk that arises from the activities of the business is called
operational technical volatility.
Audit Risk
a. Inherent Risk
b. Control Risk
c. Detection Risk
Auditing standards require auditors to design audits to provide reasonable assurance of detecting
material errors and frauds to minimize audit risk.
How is audit Risk and Business Risk linked with each other?
Slide 15 Missing
The American Institute of Certified Public Accountants (AICPA) defines internal control as the
plan of organization and all of the coordinate methods and measures adopted within a business to
safeguard its assets, check the accuracy and reliability of its accounting data, promote
operational efficiency and encourage adherence to prescribed managerial policies.
For example:
In small business organizations, the owner-manager generally controls all the activities of his
business by his personal supervision and direct participation. The owner generally purchases the
required business materials and other properties. He himself appoints employees, completes the
contracts with them through discussion and also keeps constant watch over their
activities. He himself signs cheques for payments under different heads. Since he signs all the
cheques, he can easily have an idea of what commodities, assets, and services he is signing for.
But with the expansion of the business, the appointment of additional employees and officers is
needed and the scope of the business also widens. Under such conditions, it becomes almost
impossible for the manager to perform all the activities of the business alone, so he has to
delegate authority, and his overall control tends to decrease. The owner needs an
internal control system to ensure that his overall control remains the same.
The internal control system differs from one business organization to another depending on the
nature and size of the business.
The nature of the entity's business, for example, the potential for technological
obsolescence of its products and services, the complexity of its capital structure, the
significance of related parties and the number of locations and geographical spread of its
production facilities.
The size of business may include how large or small the business is.
How is risk assessed? Internal Audit System is made up of 5 steps.
1. Control Environment
This step ensures that an environment is built up in which whatever operation is done by the
organization is automatically monitored and controlled by the environment. Control
environment is the “risk consciousness” of the organization and includes the
organization’s risk management philosophy and “risk appetite,” its integrity and ethical
values, and the environment in which it operates.
The control environment is arguably the most important component because it sets the tone
for the organization. Factors of the control environment include employees' integrity, the
organization's commitment to competence, management's philosophy and operating style,
and the attention and direction of the board of directors and its audit committee. The control
environment provides discipline and structure for the other components. Objective setting is
management’s responsibility to determine the goals and objectives of the organization.
The core of any organization is its people – their individual attributes, including integrity,
ethical values and competence – and the environment in which they operate. They are the
engine that drives the organization and the foundation on which everything rests. Effectively
controlled organizations set a positive "tone at the top" and strive to:
• Train staff to understand and use appropriate management controls in all areas.
• Provide structure and process for implementing these controls.
Internal controls are likely to function well if management believes that those controls are
important and communicates that view to employees at all levels. If management views controls
as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be
communicated. Despite policies to the contrary, employees will then view internal controls as
"red tape" to be "cut through" to get the job done. An effective internal control environment:
• Sets the tone of an organization, influencing the control consciousness of its people
• Is an intangible factor that is the foundation for all other components of internal control,
  providing discipline and structure
• Describes "organizational culture"
• Includes a commitment to hire, train, and retain qualified staff
• Encompasses both technical competence and ethical commitment
2. Entity’s Risk Assessment Process.
After setting up the objective of business, external and internal risks are to be assessed. The
management determines risk controlling means after examining the risks related to every
objective.
Risk assessment refers to the identification, analysis, and management of uncertainty facing
the organization. Risk assessment focuses on the uncertainties in meeting the organization's
financial, compliance, and operational objectives. Changes in personnel, new product lines,
or rapid expansion could affect an organization's risks.
A risk is anything that endangers the achievement of an objective. Always ask: What can go
wrong? What assets do we need to protect?
• Risk assessment is the process used to identify, analyze, and manage the potential risks
  that could hinder or prevent an agency from achieving its objectives.
• Risk increases during a time of change, for example, turnover in personnel, rapid growth,
  or establishment of new services.
• Other potential high risk factors include complex programs or activities, cash receipts,
  direct third party beneficiaries, and prior problems.
Management must be aware of and deal with the risks the organization faces. It must set
objectives, integrated with other activities so that the organization is operating in concert.
Management must also establish mechanisms to identify, analyze and manage the related risks.
Risk assessment is the systematic process for estimating the likelihood of adverse conditions
occurring. Risks are assessed in terms of both likelihood and impact. For example, managers of
a company would assess the risk of weather conditions (e.g., hurricane, blizzard) affecting
supply or of key suppliers going out of business. As part of this assessment, they also would
attempt to determine the financial impact if such an occurrence happened. By combining these
risk assessments, they would be able to better prioritize the events and their potential effects on
store operations. For example, a week before a hurricane struck the location where the company
was located, the business’s continuity director was tracking the storm’s progress from an
emergency command center.
3. Information System
Relevant information for taking decisions is to be collected and reported in proper time. The
events that yield data may originate from internal or external sources. Communication is very
important for achieving management goals. The employees are to realize what is expected of
them and how their responsibilities are related to the activities of others. Communication of
the owners with outside parties like suppliers is also very important.
Information and communication encompasses the identification, capture, and exchange of
financial, operational, and compliance information in a timely manner. People within an
organization who have timely, reliable information are better able to conduct, manage, and
control the organization's operations.
Control activities are surrounded by information and communication systems. These systems
enable the organization’s people to capture and exchange the information needed to conduct,
manage and control its operations.
• Obtain external and internal information, and provide management with necessary
  reports on the organization’s performance relative to established objectives.
• Provide information to the right people in sufficient detail and on time to enable them
  to carry out their responsibilities efficiently and effectively.
• Develop or revise information systems based on a strategic plan, linked to the
  organization’s overall strategy, and responsive to achieving the entity-wide and
  activity-level objectives.
• Demonstrate support for developing necessary information systems by committing
  adequate human and financial resources.
4. Control activities
The management establishes a controlling activities system to prevent risk associated with
every objective. These controlling activities include all those measures that are to be
followed by the employees. Control activities are policies and procedures to ensure that risk
responses are appropriate given the circumstances and environment in which the organization
operates.
Organizations establish policies and procedures so that identified risks do not prevent the
organization from reaching its objectives.
5. Monitoring Of Controls
When the internal control system is in practice, the organization monitors its effectiveness so
that necessary changes can be made if any serious problem arises. Monitoring includes
regular management and supervisory activities over risk management activities to make sure
they remain in place and operate effectively. Many companies have large internal audit
groups to monitor their internal control process.
Monitoring refers to the assessment of the quality of internal control. Monitoring activities
provide information about potential and actual breakdowns in a control system that could
make it difficult for an organization to accomplish its goals. Informal monitoring activities
might include management's checking with subordinates to see if objectives are being met. A
more formal monitoring activity would be an assessment of the internal control system by the
organization's internal auditors.
The entire process must be monitored, and modifications made as necessary. This way, the
system can react dynamically, changing as conditions warrant. Ongoing monitoring occurs in the
course of operations. It includes regular management and supervisory activities, and other
actions personnel take in performing their duties. The scope and frequency of separate
evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures.
After implementing internal controls, organizations must monitor their effectiveness periodically
to ensure that controls continue to be adequate and continue to function properly. Management
must also revisit previously identified problems to ensure that they are corrected.
The COSO model is just one representation that can be used, and at its heart it
guides management through the implementation of a control framework that’s
measurable and targeted at reducing risk.
For example, to safeguard assets, does the client tag all computers with
identifying stickers and periodically take a count to make sure all
computers are present? Regarding the accounting system, is it
computerized or manual? If it’s computerized, are authorization levels set
for employees so they can access only their piece of the accounting
puzzle? For data, are backups done frequently and kept offsite in case of
fire or theft?
Internal control will also be evaluated by the external auditors. External auditors
assess the effectiveness of internal control within an organization to plan the
financial statement audit. In contrast to internal auditors, external auditors focus
primarily on controls that affect financial reporting. External auditors have a
responsibility to report internal control weaknesses (as well as reportable
conditions about internal control) to the audit committee of the board of directors.
An auditor should ensure that certain rules and procedures are followed by the business unit he
is working on, in spite of the fact that a sound system of internal control is the sole
responsibility of management. The auditor can simply guide or help management if he is asked to do
so, because he has no authority to prescribe such rules and procedures. The degree of reliance on
the system depends upon the effectiveness of the internal control system; therefore, the auditor
should review and evaluate the internal control system of an organization to prepare his audit
program. The auditor should try to reach a judgement about how strong (or weak) the internal
controls are, in order to make a decision about the amount of testing that should be carried out
in the audit. He should consider:
Interim Auditors check how strong the company’s internal control system is. The internal control
system should be efficiently, effectively and independently evaluating the company according to
accounting standards. If this is happening, the chances of error, fraud or
malfunction are lower. The internal control system can be used for evaluation of the company by
the external auditor.
ISA 315 emphasizes that establishing communications with the appropriate individuals within an
entity’s internal audit function early in the engagement, and maintaining such communications
throughout the engagement, can facilitate effective sharing of information. Internal control
system tells how the organization should work and ensure standardization in the company.
To be useful, information must be reliable and it must be communicated to those who need it.
For example, supervisors must communicate duties and responsibilities to the employees that
report to them and employees must be able to alert management to potential problems.
• Information must be communicated both within the organization and to those outside, for
example, vendors, recipients, and other constituents
• Communication must be ongoing both within and between various levels and activities of
the organization.
Management, either clearly or through unclear statements, tries to show in the financial
statements that everything in the company is according to requirements. The auditor tries to find
potential misstatements, errors and possible problems from the assertions.
If the auditor performs tests to confirm the occurrence of sales, this will also provide some
assurance about the existence of receivables, so these assertions are linked to each other. There
are two types of assertions:
Assertions about classes of transactions and events and related disclosures for the period
under audit. How are transactions made and disclosed?
Transactions include sales, purchases, and wages paid during the accounting period.
Assertions about account balances and related disclosures at the period end. How are
account balances made and disclosed?
Account balances include all the asset, liabilities and equity interests included in the
statement of financial position at the period end.
Occurrence: Transactions and events that have been recorded or disclosed have occurred
and relate to the entity.
Transactions covered by this assertion have been recorded and disclosed and relate to the
entity. Recorded means mentioned in the documents, and disclosed means mentioned in the annual
report.
Completeness: there are no unrecorded transactions, events and disclosures.
Accuracy: amounts and other data relating to recorded transactions and events have been
recorded appropriately. An example of inaccuracy is one amount recorded in the document and
a different amount mentioned in the annual report.
Cut-off: Transactions and events have been recorded in the correct accounting period.
The timing should be correct. International financial management and taxation states that
if you have paid next year's expense in the previous year, then it should not be
recorded in the previous year but in the next year. If it is recorded in the previous year, that
year's expenditure will increase, so profit will decrease, while the next year will have less
expenditure, so more profit will be shown.
Classification: Transactions and events have been recorded in the proper accounts.
There are two different types of account: Sale and Sale return. An example of
misclassification is a sale mentioned in the sale return account.
Advertisement expenditure should not be recorded in operating expenditures.
Presentation: Transactions and events are appropriately aggregated or disaggregated and
clearly described and related disclosures are relevant and understandable.
The transactions are properly identified and described clearly. The financial statements of
Nishat Textile Mills, with six years at a glance, show how to properly present
transactions.
A great deal of work takes place on completeness and accuracy but it is important not to
underestimate the significance of the other elements.
Outright frauds may show up in tests for occurrence, i.e. tests designed to show whether
transactions actually happened, but cut-off errors give rise to many misstatements, i.e.
moving transactions into or out of the accounting period around the period-end.
Cut-off issues can arise for a whole host of reasons. Cut-off is not always a well-controlled
part of the financial reporting process and may involve period-end journal
entries. Errors often arise unintentionally. However, cut-off is often a higher-risk area not
simply because of poor control, but because intentionally shifting transactions across the
reporting date can be useful to:
• meet profit targets or manipulate bonus or tax payments;
• prevent the breach of banking covenants, i.e. promises to the bank not to exceed certain
asset to liability ratios, for example;
• maintain or improve key performance indicators such as earnings per share, or simply
keep them on the right side of industry averages.
Classification is often important for tax or regulatory purposes as well as for disclosures
in the notes to the accounts. If expenditure is posted incorrectly to a capitalized research
and development account, assets and profits are overstated and tax may be understated,
among other things.
Assertions about account balances and related disclosures are as follows:
Completeness and valuation are clearly important but auditors can be made to look very silly if
they do not check on existence. There have been a number of celebrated cases in which auditors
have not checked on the physical existence of assets by going and seeing them, or have done so
in a very predictable manner. Inevitably, there have been cases where significant assets in the
balance sheet turned out to be elaborate documentary fabrications. Auditors can never entirely
rely on records, however good they appear to be and checking on existence at random or in an
unpredictable manner improves the chances of fraud detection.
Occurrence: All sale invoices reflected in the accounting records relate to goods
dispatched by the entity during the current year. The figure for revenue in the financial
statements agrees to the sales account in the nominal ledger.
Completeness: All goods dispatched have been invoiced and all such sales invoices have
been entered into the accounting records. All entries in the sales account in the nominal
ledger have been included within “revenue”.
Accuracy: All invoices have been correctly priced and discounts properly applied, and
they have been accurately entered in the accounting records. The sales account in the
nominal ledger has been properly added to arrive at the “revenue” figure in the financial
statements.
Cut-off: Goods dispatched just before the year end have been invoiced and included in
sales. Goods dispatched just after the year end have not been included in sales.
Classification: All sales invoices have been posted to the sales account in the nominal
ledger. ‘Revenue’ is properly disclosed in the financial statements in the income
statement or statement of comprehensive income for the current year.
Relevant test – select a sample of entries from the sales account in the general
ledger and trace to the appropriate sales invoice and supporting goods dispatched
notes and customer orders.
Completeness – this means that transactions that should have been recorded and
disclosed have not been omitted.
Relevant test – select a sample of customer orders and check to dispatch notes
and sales invoices and the posting to the sales account in the general ledger.
Accuracy – this means that there have been no errors while preparing documents
or in posting transactions to ledgers. The reference to disclosures being
appropriately measured and described means that the figures and explanations are
not misstated.
Relevant test – reperformance of calculations on invoices, payroll, etc, and the
review of control account reconciliations are designed to provide assurance about
accuracy.
Relevant test – recording last goods received notes and dispatch notes at the
inventory count and tracing to purchase and sales invoices to ensure that goods
received before the year end are recorded in purchases at the year end and that
goods dispatched are recorded in sales.
Relevant test – confirm that the total employee benefits expense is analysed in
the notes to the financial statements under separate headings, i.e. wages and
salaries, pension costs, social security contributions and taxes, etc.
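The occurrence, completeness and cut-off tests above differ mainly in the direction of testing: vouching starts at the ledger and works back to the source documents, tracing starts at the customer order and works forward, and cut-off compares dispatch and posting dates with the year end. The Python below is an added example, not part of the original notes; the document ids, dates and the 30 June year end are constructed assumptions.

```python
"""Directional tests of the sales assertions on constructed records."""
from datetime import date

YEAR_END = date(2023, 6, 30)  # assumed reporting date

# Constructed sample data: every id and date below is illustrative.
ORDERS = ["SO-101", "SO-102", "SO-103", "SO-104", "SO-105"]
DISPATCH_NOTES = {  # dispatch note -> (customer order, dispatch date)
    "DN-1": ("SO-101", date(2023, 6, 20)),
    "DN-2": ("SO-102", date(2023, 6, 29)),
    "DN-3": ("SO-103", date(2023, 7, 3)),
    "DN-4": ("SO-104", date(2023, 6, 15)),
    "DN-5": ("SO-105", date(2023, 6, 10)),
}
INVOICES = {  # sales invoice -> dispatch note
    "INV-1": "DN-1", "INV-2": "DN-2", "INV-3": "DN-3", "INV-5": "DN-5",
}
SALES_LEDGER = [  # (ledger entry, sales invoice, posting date)
    ("GL-1", "INV-1", date(2023, 6, 20)),
    ("GL-2", "INV-2", date(2023, 7, 2)),
    ("GL-3", "INV-3", date(2023, 6, 30)),
    ("GL-4", "INV-9", date(2023, 6, 28)),
]


def vouch_occurrence(ledger=SALES_LEDGER, invoices=INVOICES,
                     notes=DISPATCH_NOTES, orders=ORDERS):
    """Occurrence: start at the ledger and vouch back to source documents."""
    exceptions = {}
    for entry_id, invoice_id, _posted in ledger:
        note_id = invoices.get(invoice_id)
        if note_id is None:
            exceptions[entry_id] = "no sales invoice"
        elif note_id not in notes:
            exceptions[entry_id] = "no goods dispatched note"
        elif notes[note_id][0] not in orders:
            exceptions[entry_id] = "no customer order"
    return exceptions


def trace_completeness(orders=ORDERS, notes=DISPATCH_NOTES,
                       invoices=INVOICES, ledger=SALES_LEDGER):
    """Completeness: start at the customer order and trace forward to the ledger."""
    note_for_order = {order: note for note, (order, _d) in notes.items()}
    invoice_for_note = {note: inv for inv, note in invoices.items()}
    posted_invoices = {inv for _e, inv, _p in ledger}
    exceptions = {}
    for order in orders:
        note = note_for_order.get(order)
        if note is None:
            continue  # nothing dispatched yet, so no sale to record
        invoice = invoice_for_note.get(note)
        if invoice is None:
            exceptions[order] = "dispatched but not invoiced"
        elif invoice not in posted_invoices:
            exceptions[order] = "invoiced but not posted to sales"
    return exceptions


def cutoff_exceptions(ledger=SALES_LEDGER, invoices=INVOICES,
                      notes=DISPATCH_NOTES, year_end=YEAR_END):
    """Cut-off: dispatch date and posting date must fall in the same period."""
    exceptions = {}
    for entry_id, invoice_id, posted in ledger:
        note_id = invoices.get(invoice_id)
        if note_id not in notes:
            continue  # unsupported entry: reported by the occurrence test
        dispatched = notes[note_id][1]
        if dispatched <= year_end < posted:
            exceptions[entry_id] = "current-year sale recorded next year (understated)"
        elif posted <= year_end < dispatched:
            exceptions[entry_id] = "next-year sale recorded this year (overstated)"
    return exceptions


if __name__ == "__main__":
    print("Occurrence exceptions:  ", vouch_occurrence())
    print("Completeness exceptions:", trace_completeness())
    print("Cut-off exceptions:     ", cutoff_exceptions())
```

The same ledger passes one test and fails another: GL-4 is caught only by vouching, while SO-104 and SO-105 are caught only by tracing, which is why the direction of the test has to match the assertion.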
Assertions

| PCAOB Assertions | ASB Assertions | Key Questions | Examples of Evidence Available | Representative Audit Procedures |
|---|---|---|---|---|
| Existence or occurrence | Existence | Do the assets recorded really exist? | The physical presence of the assets | Inspection of tangible assets |
| Existence or occurrence | Occurrence | Did the recorded sales transactions really occur? | Client shipping documents | Inspection of records or documents (vouching) |
| Completeness | Completeness | Are the financial statements (including footnotes) complete? | Documents prepared by the client | Inspection of records or documents (tracing) |
| Cutoff | Cutoff | Were all transactions recorded in the proper period? | Client receiving, shipping reports | Inspection of records or documents (tracing or vouching) |
| Rights and obligations | Rights and obligations | Does the entity really own the assets? Are related legal responsibilities identified? | Statements by independent parties | Confirmation |
| Valuation and allocation | Valuation or allocation | Are the accounts valued correctly? | Client-prepared accounts receivable aging schedule | Reperformance |
| Accuracy | Accuracy | Were transactions recorded accurately? | Vendor invoices | Inspection of records or documents (tracing or vouching) |
| Classification | Classification | Were all transactions recorded in the proper accounts? | Comparisons of current-year amounts with those from the prior year | Analytical procedures |
| Presentation and disclosure | Understandability | Are the presentations and disclosures understandable to users? | Management prepared financial statements and footnotes | Inquiry |
The auditor should note what level of assurance is required. An audit
level of assurance can be high assurance, while a review level of assurance is moderate
assurance.
For example, a higher level of assurance is required for evidence to support observations
than is required to support contextual information included in the report.
All liabilities have been recorded and that recorded assets exist.
The areas where risk of misstatement (error) appear to exist, and the nature of the risk.
When an error should be considered material, and when it may be ignored
What aspects of the audit will be the most difficult to plan because of the high risk of
misstatement.
Assessment of inherent risks and control risks and the identification of the
significant audit areas;
Assessing the inherent risk means that, when an auditor is doing audit work, the threats that
may occur are identified. When the inherent risk is high, this means that there is a high
risk of misstatement of an item in the financial statements. Inherent risk operates
independently of controls. The auditor must accept that the inherent risk that exists will
not simply go away by itself. Control risk is the risk that a misstatement that could occur in an
assertion about a class of transaction, account balance or disclosure, and that could be
material, either individually or when aggregated with other misstatements, will not be
prevented, or detected and corrected, on a timely basis by the entity’s internal control.
Significant audit areas are identified in the audit plan. It is important for the auditor to
identify the areas which involve greater audit risk, so that the audit can be planned in
such a way that overall audit risk will be less. More risky areas should be checked in
detail and vice-versa.
Setting materiality levels
The level of materiality in Rupees terms or the significance of the observation or
conclusion. Generally, the higher the level of significance or materiality, the higher the
standard that evidence will have to meet.
The possibility of material misstatements
Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements. Management, either
clearly or through unclear statements, tries to show in the financial statements that
everything in the company is according to requirements. The auditor tries to find potential
misstatements, errors and possible problems from the assertions, audit evidence and so on.
The identification of complex accounting areas
For example, when there is a new instrument, what is done with the previous one? Any change in
accounting and auditing standards may affect the scope of audit or the manner in which it
is conducted. Therefore these should be carefully considered while finding the risk in
auditing.
• The substantive approach, whereby every item in the financial statements is tested and
vouched to supporting documents.
• Used for small entities, where internal controls are weak and there are few
transactions.
A substantive audit plan would contain a list of audit procedures for gathering evidence related
to the relevant assertions identified for an audit client’s significant financial statement accounts
and disclosures.
The substantive audit plan (i.e., the nature, timing, and extent of further procedures) depends
almost exclusively upon the assessment of risk at an audit client. For example, consider the
nature of procedures.
When completing analytical procedures to gather evidence, the auditor must develop an
independent expectation of what he or she thinks the account balance should be. Once this is
developed, the expectation is compared to the recorded amount. Any significant differences must
be investigated and then corroborated with evidence. When applying substantive test of details,
the auditor must seek to understand the account balance and/or economic transaction to ensure,
based on valid and reliable evidence, that the amount was recorded in accordance with the
applicable financial reporting framework. In general, analytical procedures are considered more
efficient while a test of details is considered more effective. Thus, an auditor must take great care
in determining the nature of the testing procedure that is whether substantive analytical
procedure or test of detail is to be specified in the audit plan.
• The system approach whereby the underlying accounting systems were tested with less
emphasis on the testing of individual transactions and balances.
Some testing of controls is likely to be necessary in addition to substantive testing where there is
a large volume of routine transactions subject to automated processing. This is particularly
relevant where there is little or no source documentation, where transactions are generated by the
system itself, such as in on-line ordering from the Internet and airline ticketing, and even more so
where the information is held in electronic form only. This is the principal type of risk for which
substantive procedures alone are inadequate. Again, the requirement is for auditors to understand
the relevant controls.
• The IASB’s Framework for the preparation and presentation of financial statements states
that:
• ISA 320 materiality in planning and performing an audit states that, assessing what is or
is not material is a matter of professional judgement.
Have a reasonable knowledge of business and are willing to study the information in the
financial statements diligently.
Understand that financial statements are prepared, presented and audited to levels of
materiality,
Recognize the uncertainties inherent in certain amounts in the financial statements,
Make reasonable economic decisions based on the information in the financial
statements.
At planning stage:
Performance materiality recognizes the fact that if all areas of the audit are carried out to
detect all errors/omissions under the materiality level.
As the auditor progresses, the auditor must revise materiality, if he becomes aware of
information which would have caused him to have initially set different levels.
Documentation must include details of all materiality levels set and any revision of these
levels as the audit progresses.
o If the auditor finds, as a result of audit tests, that his estimate of inventory is more
than the client measurement, then the error would be considered material.
For setting overall materiality ‘qualitative’ characteristics may also be taken into
account.
o Many auditors would take the view that certain figures in financial statements
should be absolutely correct and that any errors in those figures would be judged
to be material.
Illustration
Inventory = Rs. 4M
Performance materiality
Apply risk-based weightage (80% for low risk, 70% for moderate risk and 60% for high
risk)
At the planning stage, under ISA 315, the auditor will identify and assess the main risks
associated with the business to be audited.
The environment of the risks at this level, and therefore the auditor’s response, is very much
affected by the auditor’s assessment of the control environment.
An effective control environment will be likely to increase the auditor’s confidence in controls in
all areas and allow him to carry out more procedures at the interim audit and to carry out fewer
tests of details.
Inherent risk and control risk are client risks. Detection risk is under the control of the
auditor.
Inherent Risk: An inherent risk occurs when a material misstatement occurs. Inherent risk is the
susceptibility of an assertion about a class of transaction, account balance or disclosure to a
misstatement that could be material, either individually or when aggregated with other
misstatements, before consideration of any related controls. It depends on the nature of the
items, the entity and the industry in which it operates. When the inherent risk is high, this
means that there is a high risk of misstatement of an item in the financial statements. Inherent
risk operates independently of controls. The auditor must accept that the risk exists and will
not ‘go away’.
Inherent risk is the probability that, in the absence of internal controls, material errors or frauds
could enter the accounting system used to develop financial statements. Inherent risk can be
described as the susceptibility of the account to misstatement. Inherent risk is a function of the
nature of the client’s business, the major types of transactions, and the effectiveness and integrity
of its managers and accountants. It is important to understand that for different accounts,
different assertions are riskier than others. For example, for cash, existence is riskier than
valuation; for receivables, valuation is riskier than completeness; and for liabilities, completeness
is riskier than existence. Thus, auditors focus their attention on relevant assertions. Auditors do
not create or control inherent risk. They can only try to assess its magnitude.
Control Risk: The likelihood that an error or fraud will not be prevented or detected by
client internal controls is control risk. It is the risk that a misstatement that could occur in
an assertion about a class of transaction, account balance or disclosure, and that could be
material, either individually or when aggregated with other misstatements, will not be
prevented, or detected and corrected, on a timely basis by the entity’s internal control.
The assumption is that the control risk is very high and the existing internal controls are
insufficient to prevent the risk of material misstatement.
Control risk is the probability that the client’s internal control activities will fail to
prevent or detect material misstatements provided that they enter or would have entered
the accounting system in the first place. One of the major purposes of internal control is to
ensure appropriate processing and recording of transactions to help ensure the production
of reliable financial statements. Auditors do not create or manage control risk. They can
only evaluate an entity’s control system and assess the probability of its failure to prevent
or detect material misstatements. External auditors’ task of control risk assessment starts
with learning about an entity’s controls designed to prevent, detect, and correct the
inherent risks discovered. The auditors then observe and test the control activities if
necessary to determine whether they are operating effectively.
Inherent risk and control risk are combined into risk of material misstatement (RMM), which is
the risk a material misstatement exists in the financial statements before auditors apply their
procedures.
Detection Risk: The likelihood that an error or fraud will not be caught by the auditor’s
procedures is detection risk. It is the risk that the procedures performed by the auditor to
reduce audit risk to an acceptably low level will not detect a misstatement that exists and
that could be material, either individually or when aggregated with other misstatements.
Detection risk is the probability that the auditor’s own procedures will fail to detect
material misstatements provided that any have entered the accounting system in the first
place and have not been prevented or detected and corrected by the client’s internal
controls. In contrast to inherent risk and control risk, auditors are responsible for
performing the evidence-gathering procedures that manage and establish detection risk.
These audit procedures represent the auditors’ opportunity to detect material
misstatements in financial statements. In other words, unlike inherent risk and control
risk, auditors can and do influence the level of detection risk.
Detection risk is produced when procedures in these two categories fail to detect material
misstatements.
Detection risk can be lowered by carrying out more tests in the audit.
Set an overall level of audit risk which he judges to be acceptable for the particular
audit,
Assess the levels of inherent risk and control risk, and then
Adjust the level of detection risk in order to achieve the overall required level of risk
in the audit.
Summary:
Detection risk can be managed by the auditor in order to control the overall audit
risk.
Audit risk can be reduced by increasing testing and reducing detection risk.
These components of audit risk can be expressed in a conceptual model that is designed to help
auditors understand how the assessment of each component impacts the overall audit risk being
faced on the engagement. It is also important to point out that the audit risk model assumes that
each of the elements is independent. Thus, the risks can be expressed in a model form as follows:
Audit risk (AR) = Inherent risk (IR) * Control risk (CR) * Detection risk (DR)
Detection risk depends on and is planned for based on the assessment of the other risk factors.
DR is calculated and derived from the others by solving the risk model equation.
Based on the allowable or planned level of detection risk (which is based on the assessment of IR
and CR), auditors modify the nature, the timing, and the extent of further audit procedures. The
nature of the procedures refers to the overall effectiveness of further audit procedures in
detecting misstatements. While inquiry of management as to whether accounts receivable listed
on the balance sheet really exist is an audit procedure, it certainly is not an effective one. A much
more effective procedure would be to confirm accounts receivable directly with the client’s
customers. Timing refers to when the further audit procedures take place. While confirmation of
accounts receivable may be performed at an interim period, auditors are expressing an opinion
on year-end balances. The closer the further procedures are performed to year-end (the date of
the financial statements), the more effective they are because there is less chance of a material
misstatement occurring between the interim confirmation date and year-end. Finally, extent
refers to the number of tests performed. Clearly, the larger the number of accounts receivable
confirmations that are mailed to customers, the greater the chance of finding errors and fraud.
The Impact of Detection Risk Allowed on the Nature, Timing, and Extent of Further Audit
Procedures
          Lower Detection Risk Allowed      Higher Detection Risk Allowed
Nature    More effective tests              Less effective tests
Timing    Testing performed at year-end     Testing can be performed at interim
Extent    More tests                        Fewer tests
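The audit risk model solved for detection risk and tied to the nature, timing and extent responses in the table above, as an added example that is not part of the original notes. The 5% acceptable audit risk, the IR and CR values and the 0.5 cut-off between "lower" and "higher" detection risk are constructed assumptions.

```python
from dataclasses import dataclass

# Responses copied from the table on detection risk allowed.
RESPONSE = {
    "lower": ("more effective tests", "testing performed at year-end", "more tests"),
    "higher": ("less effective tests", "testing can be performed at interim", "fewer tests"),
}


@dataclass(frozen=True)
class Assessment:
    account: str
    assertion: str
    ir: float  # assessed inherent risk, 0 < IR <= 1
    cr: float  # assessed control risk, 0 < CR <= 1


def planned_detection_risk(ar: float, a: Assessment) -> float:
    """Solve AR = IR * CR * DR for DR; a probability cannot exceed 1."""
    for name, p in (("AR", ar), ("IR", a.ir), ("CR", a.cr)):
        if not 0.0 < p <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {p}")
    rmm = a.ir * a.cr  # risk of material misstatement
    return min(1.0, ar / rmm)


def plan_procedures(ar: float, assessments, cutoff: float = 0.5):
    """Return one row per assertion, lowest allowed DR (most work) first."""
    rows = []
    for a in assessments:
        dr = planned_detection_risk(ar, a)
        band = "lower" if dr < cutoff else "higher"  # cutoff is an assumption
        nature, timing, extent = RESPONSE[band]
        rows.append({"account": a.account, "assertion": a.assertion, "dr": dr,
                     "band": band, "nature": nature, "timing": timing,
                     "extent": extent})
    return sorted(rows, key=lambda r: r["dr"])


# Constructed assessments following the page's examples of riskier assertions.
SAMPLE = [
    Assessment("cash", "existence", ir=0.8, cr=0.5),
    Assessment("cash", "valuation", ir=0.2, cr=0.3),
    Assessment("liabilities", "completeness", ir=0.9, cr=0.8),
    Assessment("liabilities", "existence", ir=0.2, cr=0.2),
]

if __name__ == "__main__":
    for r in plan_procedures(0.05, SAMPLE):
        print(f"{r['account']:<12}{r['assertion']:<14}DR={r['dr']:.3f} "
              f"{r['band']:<7}{r['nature']}; {r['timing']}; {r['extent']}")
```

Where IR × CR is already at or below the acceptable audit risk, the solved DR exceeds 1 and is capped at 1.0.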
There is always a risk involved in an audit, because the auditor is giving an opinion. Audit
risk is the risk that the opinion given on the financial statements is inappropriate. There is a
model to calculate this risk: it is the product of inherent risk, control risk and detection risk.
Inherent Risk
The risk of material misstatement in the financial statements caused by errors or omissions,
from factors that are not a failure of controls. Inherent risk is usually higher when there is a
higher degree of judgement and estimation involved or when the company’s transactions are
very complex.
Control Risk
The risk of material misstatement in the financial statements caused by the lack or failure of
relevant controls in the operations of the company. Internal controls and checks and balances
must be in place to prevent and alert issues of error or fraud. Control risk tends to be higher
when the internal controls are not adequate.
Detection Risk
The risk of failure to detect the occurrence of material misstatements in the financial
statements. The auditor must use proper audit procedures to identify misstatements, whether
due to error or fraud. If proper procedures are not followed or are not applied correctly, a
misstatement could go undetected. There is always a certain amount of detection risk due to
the inherent limits of an audit, for example, using sampling in selecting transactions. This
risk can be lessened by sampling more transactions.
Auditors use the audit risk model to attempt to lessen the audit risks. They will examine
inherent and control risk in order to understand the environment of the company.
Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an
unqualified report due to the auditor's failure to detect material misstatement either due to error
or fraud. This risk is composed of:
Inherent risk (IR), the risk involved in the nature of business or transaction. For example,
transactions involving exchange of cash may have higher IR than transactions involving
settlement by cheques. The term inherent risk may have other definitions in other
contexts.[1];
Control risk (CR), the risk that a misstatement may not be prevented or detected and
corrected due to weakness in the entity's internal control mechanism. For example, control
risk assessment may be higher in an entity where separation of duties is not well defined;
and
Detection risk (DR), the probability that the auditing procedures may fail to detect
existence of a material error or fraud. Detection risk may be due to sampling error or non-
sampling error.[2]
AR = IR × CR × DR
https://accounting-simplified.com/audit/risk-assessment/audit-risk/
Fraud is the act of knowingly making material misrepresentations of fact with the intent of
inducing someone to believe the falsehood and act on it and, thus, suffer a loss or damage.
Through both fraud and aggressive financial reporting, some companies have caused financial
statements to be misstated, usually by:
Every company must face the subject of fraud and carry out fraud audits. This is because:
Many companies have experienced the negative impact of fraud in the form of financial
losses and damage to their image.
This has been necessitated by legal requirements.
Fraud is an intentional act by one or more persons while error results from a genuine mistake or
omission and is not intentional.
Fraud audit has become increasingly important for businesses that want to equip themselves
adequately to deal with fraud problems. The auditor investigates and assesses all the different
types of incidents and suspected fraud. To effectively deal with fraud it is important to have a
clearly structured organization, which immediately deals with the relevant circumstances of
fraud and triggers, coordinates, and performs the necessary activities quickly, accurately, and
reliably.
Fraud audits are aimed in particular at identifying suspected organizational and process
weaknesses, investigating anonymous accusations or specific information on irregularities, or
gathering evidence for cases of fraud that have already been proven. Fraud audit is used to find
whether and to what extent an incident has led to directly measurable, or at least indirectly
related, financial consequences for the company.
Auditors are concerned with fraud that affects the financial statements only. Auditors are not
responsible for detecting all fraud but are responsible for detecting cases where fraudulent activity results
in materially misstated financial statements. For example, if a warehouse employee is
misappropriating inventory but that embezzlement does not result in materially misstated
financial statements, auditors do not have responsibility for detecting this fraud. However, if
management is intentionally misstating revenues in order to meet earnings expectations, auditors
are responsible for detecting this misstatement. The auditors would not ignore immaterial fraud.
The primary responsibility of an auditor is to design procedures to provide reasonable assurance
that material frauds that might misstate the financial statements are detected.
The auditor may accept records and documents as genuine only if the auditor has no
reason to believe the contrary.
The auditor shall investigate the inconsistencies where responses to inquiries of
management are inconsistent.
Misappropriation of assets
Defalcation is another name for employee fraud, embezzlement, and larceny. Auditing standards
also call it misappropriation of assets.
Misappropriation of assets includes:
i. Embezzling receipts
iv. Causing an entity to pay for goods and services not received
This is an example of employee fraud in which an employee uses false documents,
lies, exceeds authority, or violates an employer’s policies.
Fraudulent financial reporting often involves management override of controls that
otherwise appear to be operating effectively.
A. Techniques are:
iv. Concealing or not disclosing facts that could affect the amounts recorded in the
financial statements.
vi. Altering records and terms related to significant and unusual transactions
Fraud can be committed in any company therefore all companies should prepare their process
structures for such an eventuality. Fraud should be identified and evaluated reactively and
proactively. All measures should also be taken for adequate prosecution of those who commit
fraud. An organization should have a clear, unambiguous code of conduct. Guidelines and
instructions must be comprehensible and accessible to all employees. An organization should
have a shared set of values and clearly communicate the consequences that fraud entails. The
auditor shall design and perform audit procedures to test the appropriateness of journal entries
recorded in the general ledger and other adjustments made in the preparation of financial
statements.
I. Make inquiries of individuals involved in the financial reporting process
Internal Audit interviews the people who are affected or involved in the
incident. Suspected employees that can be individuals involved in the
financial reporting process can also be questioned. If the interviews reveal
that employees are guilty and have directly or indirectly admitted their
guilt, the result of the interviews is of critical importance for reporting and
documenting the case. Interviews should always be conducted by two
auditors in order to ensure that the evidence is authentic.
II. Select journal entries and other adjustments made at the end of a reporting
period;
ii. Review accounting estimates for biases and evaluate whether the circumstances
producing the bias, if any, represent a risk of material misstatements due to fraud.
ii. Their process in place for identifying and responding to the risks of
fraud
The investigation of significant differences is probably the most critical step in the
analytical procedures process. After generating basic financial data and
relationships, the next step is to determine whether the financial changes and
relationships actually describe what is going on within the company. Analytical
procedures are required at the beginning of an audit—the preliminary stage
application of analytical procedures discussed in this chapter and at the end of an
audit when the partners in charge review the overall quality of the work and look
for apparent problems. Analytical procedures can also be used as a substantive
testing procedure to gather evidence about the relevant assertion being tested.
When using substantive analytical procedures, the auditor must take great care to
develop an independent expectation that is based on reliable information. When
this has been developed, the expectation is compared to the recorded amount, and
any significant differences must be investigated and corroborated with
documentary evidence. The procedure to provide evidence about an assertion
must be conducted with exacting precision and a high degree of rigor. Regardless
of when analytical procedures are performed, auditors conclude their analytical
procedures test work by documenting the team’s findings.
There are times when management finds it beneficial to understate assets and revenues
and overstate expenses and liabilities. This can be in times when profits are low
anyway and management wants to store reserves and use them to increase profits in future
years. Understating profits also can be desirable if the company is under scrutiny by
governmental bodies, taxing authorities, labor, or competitors (or, in one case, a
spouse’s divorce lawyer).
These industry conditions can lead the company to commit fraud to achieve an unexpected earnings
target or financial outcome:
Company profits lag those of its industry. New requirements are passed
that could impair stability or profitability. The company’s market is
saturated due to fierce competition. The company’s industry is declining.
The company’s industry is changing rapidly.
The company is not able to generate sufficient cash flows to ensure that it
is a going concern. There is pressure to obtain capital. The company
operates in a tax haven jurisdiction. The company has many difficult
accounting measurement and presentation issues. The company has
significant transactions or balances that are difficult to audit.
Operating Characteristics and Financial Stability: individuals perceive an opportunity to commit
fraud when they believe internal control can be overridden, because they are trusted or have
knowledge of specific deficiencies in internal control:
i. An individual may possess an attitude, character or set of ethical values that allows them
knowingly and intentionally to commit a dishonest act.
Financial statements may be materially misstated as a result of errors or fraud. While accounting
errors are usually unintentional, fraud consists of knowingly making material misrepresentations
of fact with the intent of inducing someone to believe the falsehood and act on it and, thus, suffer
a loss or damage. This definition encompasses all means by which people can lie, cheat, steal,
and dupe other people. Management fraud is deliberate fraud committed by management that
injures investors and creditors through materially misstated information. Management fraud
usually takes the form of deceptive financial statements, so management fraud is sometimes
referred to as fraudulent financial reporting.
A. Discrepancies in the accounting records,
i. Missing documents
ix. Difference between A/R sub-ledger and control account, or between the customer
statements and the A/R sub-ledger
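A reconciliation that surfaces the two A/R discrepancies named in the item above (sub-ledger versus control account, and sub-ledger versus customer statements), as an added example that is not part of the original notes. The function names, customer IDs and amounts are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

ZERO = Decimal("0")


def subledger_balances(entries):
    """Sum (customer, amount) postings into one balance per customer."""
    balances = defaultdict(Decimal)  # Decimal() is 0
    for customer, amount in entries:
        balances[customer] += Decimal(amount)
    return dict(balances)


def reconcile(entries, control_balance, statements, tolerance=ZERO):
    """Return (kind, customer, difference) tuples for each discrepancy.

    difference = sub-ledger amount minus the amount it is compared with.
    Customers without a statement are not compared; a statement for a
    customer missing from the sub-ledger is compared against zero.
    """
    balances = subledger_balances(entries)
    findings = []
    diff = sum(balances.values(), ZERO) - Decimal(control_balance)
    if abs(diff) > tolerance:
        findings.append(("control_account", None, diff))
    for customer in sorted(statements):
        diff = balances.get(customer, ZERO) - Decimal(statements[customer])
        if abs(diff) > tolerance:
            findings.append(("customer_statement", customer, diff))
    return findings


# Constructed sample data: postings, G/L control balance, customer statements.
ENTRIES = [
    ("C001", "1200.00"), ("C001", "-200.00"),
    ("C002", "540.50"),
    ("C003", "310.00"),
]
CONTROL_BALANCE = "1900.50"
STATEMENTS = {"C001": "1000.00", "C002": "490.50"}

if __name__ == "__main__":
    for kind, customer, diff in reconcile(ENTRIES, CONTROL_BALANCE, STATEMENTS):
        print(f"{kind:<20}{customer or '-':<6}{diff:>10}")
```

A non-empty result is a discrepancy to investigate and corroborate with documentary evidence, not proof of fraud.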
Furthermore, preventive audit fieldwork focuses on the following processes and content elements:
Consequence management and its communication in the organization form the apex of the
prevention model. The reports and memorandums of Internal Audit are the starting point for
consequences and the resulting communication. In addition to any criminal charges, the
consequences of economic crime or incidents that cause loss to the company are mostly of a
disciplinary or organizational nature. Consequences must be applied uniformly, without
favoritism and irrespective of hierarchy levels. The line taken on consequences is communicated
throughout the organization and thus creates a fixed set of values on which the entire fraud
prevention model is based.
The entity
Business: sources of revenue, products and services, alliances and joint ventures,
outsourcing, locations, key customers and suppliers, R&D, related parties.
Investments: investment strategy; acquisitions and disposals of property, plant and
equipment, acquisition of short- and long-term securities.
Financing: bank loans and other debt financing such as loans from group companies and
other related parties including directors, shareholdings, overdraft facilities, leases and
derivative financial instruments.
Financial reporting: accounting framework such as IFRS, industry specific accounting
requirements, accounting for revenue recognition, fair values, foreign currency
transactions, and financial statement presentation and disclosures.