DOCUMENTING IDENTIFYING AND

ASSESSING RISK
KAP TANUBRATA SUTANTO
FAHMI BAMBANG & REKAN
CHEOW WILLIAM & NINA PUTRI PERMATASARI

1
DETERMINING A CONCLUSION FOR EACH IDENTIFIED RISK

SPECTRUM OF INHERENT
LIKELIHOOD

INHERENT
IDENTIFIED RISK

RISK
RISK
RISK CONCLUSION
FACTORS

MAGNITUDE
 IDENTIFY POTENTIAL RMMs

 Understand the  Understand the  Understand the  Stand back at the end
entity, its entity’s cycles and components of the of risk assessment
environment and the the business entity’s system of procedures to consider
applicable financial processes and internal control if there are any more
reporting framework information systems potential RMMs
within those cycles
UIC-ELC
IT
UTE ENVIRON-
MENT UIC-CARA ETD Q
PAR/RADA INFO
SYSTEMS ITGC RAQ
IDENTIFY POTENTIAL RMMs

Understanding of the entity, its environment and its

information systems: Through
inquiries, analytical procedures, observation & inspection

Potential RMMs

ELRs ALRs (IRMMs)

CONTROL RISK DEFINITION
ISA 315 requires us to
separately assess IR
and CR for assertion
Definition of Control Risk (CR) level RMMs

Control risk is the risk that a

misstatement that could be
material will not be prevented, or
detected and corrected, on a
timely basis by the entity’s system
of internal control.
CONTROL RISK – WHEN AND WHY
WARNING !
WHEN WHY
 Can assess CR at Maximum if  Assessing CR helps us decide:
we do not intend to test OE
of the CARA that address that
IRMM • Whether to test OE of the
CARA

 Assess CR below Maximum if • What the planned TOC

we may want to test OE of assurance level should be
the CARA that address that
IRMM
 CONTROL RISK FACTORS AND CONTROL RISK CONCLUSION

Complexity/subjectivity Degree ofofreliance

Complexity/subjectivity
Other
History CR onofthe
factors
effectiveness control
Competence
How Routine
of personnel
of control effectiveness of other controls
CR Conclusion AOther
simple CRis
control
factors that
may
If there
Routine
personnel a history
controls
performing ofcan
that include:
be in the
errors
operate
manual or IT
How Routine
for each CARA Other
•performed
FSAs controls
Changes
affected
frequently
dependent in
at
CARA include
volume
objectively
by the
the have entity-level
or nature
a may theofa
high have
control,
transaction degree
level
controls,
control
lower
may CR. direct
transactions
may
of competence,
have As thecontrols,
not
lower processed
be
complexity
CR.
CR indirect
effective so
As CR
and/or
isNon-routine
lower.
controls
•may The and related
materiality
increase. ofITGCs.
Ifpersonnel
no of aerrors,
If
possible
history
Degree of reliance on • Low subjectivity
controls
competence thatofof the
operate control
less increases,
decreases,
frequently
control
CRCR
may has
misstatement
may high reliance
decrease.
increases.
increases.
have higher that
CR. theoncontrol
Similarly, the is
if prior
the effectiveness of • Moderate effectiveness
yearmeant
TOCs to of other
prevent
failed, controls,
or
CR may detect CR
increase.
other controls • High may increase.
•ThisManagement's
assumes that assessment
the controlsofwere the
Competence of • Maximum not risk in the FSA/assertion,
redesigned in the currentsince year.
that may influence the precision
personnel
of the control they implement

History of effectiveness

Other CR factors
DETERMINING DIFFERENT ASSURANCE LEVELS

Nature /
Precision reliability of
evidence

Amount of
Coverage
corroboration
TESTS OF CONTROL

CARA ITGC
 DEFINITION OF CARA

The ISAs define certain control activities as relevant to the audit. Any
of the following are considered CARA:

• Where we plan to test operating effectiveness

• Related to Significant RMMs
• Related to journal entries;
• Regarding related parties and transactions outside the normal course of business
• Other – related to Elevated RMMs, G/L reconciliations, complimentary user entity
controls, etc.
CONTROL RISK IMPACT ON PLANNED TOC ASSURANCE
Example 1: IRMM with One Control, CR = High

Example 1
CR = High

TOC TOC Assurance = Max (R = 2.0)?

Assurance

TOC Assurance = Mod (R = 1.5)?

Control TOC Assurance = Low (R = 1.0)?

Risk

TOC Assurance = None (R = 0)?

CONTROL RISK IMPACT ON PLANNED TOC ASSURANCE
Example 2: IRMM with One Control, CR = Low

Example 2
CR = Low

TOC TOC Assurance = Max (R = 2.0)?

Assurance

TOC Assurance = Mod (R = 1.5)?

Control TOC Assurance = Low (R = 1.0)?

Risk

TOC Assurance = None (R = 0)?

 SSPS
WHAT? SSPs are procedures
required when we have material
FSAs with no identified IRMMs.
SSPs can comprise DATs, SAPs
or OSPs.
WHY? ISA 330.18: For each
material FSA, irrespective of
assessed RMMs, substantive audit
procedures shall be designed and
performed.
WHEN? After the process of
planning procedures and audit
strategy for assessed risks.
GOAL: SSPs are performed to obtain
evidence to support our initial
assessment that there is no IRMM in
a material FSA, not to reduce our
risk to an acceptable level.
 NATURE AND DESIGN OF SSPs

• Assertions to test, nature and extent of SSPs

• Tip: Consider assertions in which potential Use professional judgment

misstatement could occur

Example: Consider which assertions to test

Scenario 1: With prepayments, teams may be concerned of
whether balances in the ledger actually exist. Focus on
Existence.

Scenario 2: With accruals, teams may be concerned that

misstatements may arise because of unexpected expenses
have not been recognized. Focus on Completeness.

• SSPs may be designed for one or more assertions

• SSPs may be different in nature and/or have a lesser
extent than audit procedures designed to address IRMMs
SSPs HINTS & TIPS
SSPs do not provide
assurance to address risks;
SSPs are designed to support
our assessment of no IRMMs
for a material FSA
We do not need to design
SSPs to address each
assertion within a material
FSA; however at least one
assertion must be selected
Determination of assertions
SSPs are designed to cover
on which to perform SSPs
the FSA assertions that are
and nature and mix of SSPs
more susceptible to potential
are matters of professional
misstatements
judgment
For a material FSA with
The nature and extent of
IRMMs, we can decide to use
SSPs is less than the nature
SSPs to test certain 'no risk'
and extent of traditional
assertions even when there
audit procedures that have
are other (relevant)
been designed to address
assertions that have
IRMM(s)
identified IRMM(s)
Add ‘SSP’ at the beginning of
each test title when creating
the SSP
Thank you
Q&A