The risk that the auditor will incorrectly issue an unqualified opinion
IR = Inherent risk: The risk of material misstatements absent any internal controls or testing
CR = Control risk: The risk that internal controls will fail to prevent or detect material misstatement
DR = Detection risk: The risk that audit tests will fail to detect material misstatement
Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor
Inherent risk
Higher in complex transactions
Higher where items are more naturally prone to fraud
Based in part on prior experience
Industry and management pressures
Part of Audit Risk Model
Depends on the design and execution of controls
Audit Risk = risk that internal controls will FAIL to prevent or detect misstatement
High CR means high risk controls will fail
Low CR means low risk controls will fail
If CR is high, auditor will not rely much on controls
If CR is low, auditor can rely on ICS and reduce other types of testing
Depends on all 5 COSO categories
Observed by the auditor but cannot be changed retroactively
Detection risk
A function of the types of tests the auditor does
Remember nature, timing, and extent
This is the only risk element that can be controlled by the auditor
Yes and No
Often assessed in percentage terms
Requires judgment because no number is out there to be measured
Detection risk needs to be quantified for statistical testing
DR should be low (lots of testing)
DR can be higher, because controls offset high IR
DR can be high
Somewhat indicative of fraud. DR should be very low
Risk the auditor is willing to take of being wrong
Generally considered in terms of unqualified where there are misstatements, but not in reverse
Control risk assessment must be backed up by control testing results
If tests show weaker controls, CR is higher, thus DR needs to be lower
Reliability of financial statements
Efficiency and effectiveness of operations
Compliance with laws and regulations
Safeguarding of assets
collusion
How are transactions initiated, authorized, recorded, processed, and reported?
Are there any weaknesses?
Is the control operating as designed?
Is the person operating the control qualified to do so effectively?
Does the person have the necessary authority?
How should management assess this?
Must describe design
Must make assertions about effectiveness
Must report material weaknesses
A single weakness prevents claim that ICS is operating effectively
Must be able to document basis for report
Auditor will provide an opinion on the report
Any weaknesses mean that auditor's report will be adverse.
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
Reflects management's overall attitude toward controls
Integrity and ethical values
Commitment to competence
Audit committee / Board of Directors
Philosophy and operating style
Organizational structure
HR practices
Environment sets the stage for all the rest!
Policies and procedures to address risks
Pertains to all four other areas
Separation of duties
Proper authorization
Adequate documents and records
Physical control over assets and records
Independent checks
Initiates, records, processes, and reports
Transaction cycles
Subsidiaries and controls
Need to ensure controls are working
Control needs change
Personnel change
Organizational structure changes
Narratives
Flowcharts
Questionnaires
All "no" answers are weaknesses
Look for mitigating controls elsewhere
Be sure connections are made
Insufficient by itself
Top left to bottom right
Try to keep one department or operator in one column
Decision points give alternate paths
Connectors are usually necessary
Flowchart symbols: Document, Multiple copies, File, Decision point (Yes), Connector