A key feature of modern auditing is the ‘risk-based’ approach that is taken in most audits. At the planning stage, as required by BSA 315, the auditor will identify and assess the main risks associated with the business to be audited.

Audit Risk
Audit risk is the risk (chance) that the auditor reaches an inappropriate (wrong) conclusion on the area under audit. For example, if the audit risk is 5%, this means that the auditor accepts that there will be a 5% risk that the audited item will be misstated in the financial statements, and only a 95% probability that it is materially correct.

Audit Risk Model

IR (Inherent Risk)
Inherent risk is the risk that items may be misstated as a result of their inherent characteristics. Inherent risk may result from either:
• the nature of the items themselves. For example, estimated items are inherently risky because their measurement depends on an estimate rather than a precise measure; or
• the nature of the entity and the industry in which it operates. For example, a company in the construction industry operates in a volatile and high-risk environment, and items in its financial statements are more likely to be misstated than items in the financial statements of companies in a more low-risk environment, such as a manufacturer of food and drinks.
When inherent risk is high, this means that there is a high risk of misstatement of an item in the financial statements.

CR (Control Risk)
Control risk is the risk that a misstatement would not be prevented or detected by the internal control systems that the client has in operation. In preparing an audit plan, the auditor needs to make an assessment of control risk for different areas of the audit. Evidence about control risk can be obtained through ‘tests of control’.

DR (Detection risk)
Detection risk is the risk that the audit testing procedures will fail to detect a misstatement in a transaction or in an account balance. For example, if detection risk is 10%, this means that there is a 10% probability that the audit tests will fail to detect a material misstatement. Detection risk can be lowered by carrying out more tests in the audit. For example, to reduce the detection risk from 10% to 5%, the auditor should carry out more tests.

Audit Risk
The detection risk can be managed by the auditor in order to control the overall audit risk through increasing audit work.
Inherent risk cannot be controlled. Control risk can be reduced by improving the quality of internal controls. However, recommendations to the client about improvements in its internal controls can only affect control risk in the future, not control risk for the financial period that is subject to audit. So, audit risk can be reduced by increasing testing, and reducing detection risk.

Example
An auditor has set an overall level of acceptable audit risk in respect of a client of 10%. Assessed inherent risk is 50% and control risk is 80%.
Required
• Explain the meaning of a 10% level of audit risk.
• What level of detection risk is implied by this information?
• If the level of audit risk needs to be maintained at only 5%, how would this affect the level of detection risk and how would the audit work be affected by this change?

Answer
a) A 10% level of audit risk means that the auditor will be 90% certain that his opinion on the financial statements is correct.
b) AR = IR × CR × DR
   then DR = AR / (IR × CR)
   DR = 0.10 / (0.50 × 0.80)
   Therefore DR = 0.25 = 25%
c) If AR is reduced to 5%, DR would now be 12.5%. More audit work will be needed to achieve this lower level of detection risk.

Risk of material misstatement
• Exists at the financial statements level and assertion level
– Categories of risk within these levels
   • Inherent risk
   • Control risk
• Risk of material misstatement high - Auditor accepts less audit risk
• Risk of material misstatement lower - Auditor accepts more audit risk

What Makes a Risk Significant?
– Whether the risk is a risk of fraud
– Complexity of transactions
– Whether the risk involves transactions with related parties
– Degree of subjectivity in measurement of financial information related to risk
– Whether the risk involves significant transactions outside normal course of business

Factors For assessment of inherent risk
• Lack of expertise to deal with changes in industry
• Uncertain likelihood of successful introduction of new product and acceptance by market
• Information technology being incompatible across systems
• Expansion of business for which demand not accurately estimated
• Implementation of incomplete business strategy
• New regulatory requirements increase legal exposure
• Alternative products, services, competitors, or providers posing a threat to current business
• Significant supply chain risks
• Complex production and delivery processes
• Mature and declining industry
• Inability to control costs with possibility of unforeseen costs
• Producing products that have multiple substitutes

Example: identifying inherent risks
A charitable organisation relies for its funding on donations from the general public, which is mainly in the form of cash collected in the streets by volunteers and cheques sent in by post to the charity’s head office. Wealthy individuals occasionally provide large donations, sometimes on condition that the money is used for a specific purpose. The constitution of the charity specifies the purpose of the charity, and also states that no more than 15% of the charity’s income each year may be spent on administration costs.
Required
Identify the inherent risks for this charitable organisation that an auditor of its financial statements would need to consider.

Solution
• Volunteers collecting cash from the general public may keep for themselves some or all of the cash they collect.
• There are no controls that can ensure that all the money received by the charity is properly recorded. This is because there are no sales invoices against which receipts of income can be checked.
• When money is given to the charity for spending on a specific purpose, there are no controls to ensure that the money is actually spent on its intended purpose.
• Similarly there are no controls to ensure that the money collected by the charity is spent on the purposes specified in the constitution of the charity.
• There are possibly no controls to ensure that money spent on administration is actually recorded as administration costs.

Assessing Factors Affecting Control Risk
• Difficulty gaining access to the organization or determining the controllers of the organization
• Little interaction between senior management and operating staff
• Weak tone at the top leading to a poor control environment
• Inadequate accounting staff and information systems
• Growth of organization exceeding accounting system infrastructure
• Disregard of regulations for prevention of illegal acts
• No internal audit function, or lack of respect for internal audit function by management
• Weak design, implementation, and monitoring of internal controls
• Lack of supervision of accounting personnel

Determining Detection Risk and Audit Risk
• Auditor determines level of detection risk on the basis of:
– Assessment of risk of material misstatement at all levels
– Consideration of desired level of audit risk

Detection Risk and Audit Risk
• Detection risk is affected by:
– Effectiveness of substantive auditing procedures performed
– Extent to which the procedures were performed with due professional care
• High level of detection risk
– Audit firm is willing to take higher risk of not detecting a material misstatement
– Audit risk is also high
• Low level of detection risk
– Audit firm is not willing to take as much of a risk of not detecting material misstatement
– Audit risk is also low
• Audit risk usually set at between 1% and 5%
• Detection risk ranges from 1% to 100%

Risks and Their Effects on Audit Work

High Risk of Material Misstatement
• Assuming an account with many complex transactions and weak internal controls
– Inherent risk and control risk assessed at their maximum
– Audit risk set at a low level
• Audit risk model
   Audit Risk = Inherent Risk × Control Risk × Detection Risk
   0.01 = 1.00 × 1.00 × Detection Risk
   Detection Risk = 0.01 / (1.0 × 1.0) = 1%

Low Risk of Material Misstatement
• Assuming an account with simple transactions and well-trained personnel with no incentive to misstate financial statements
• Inherent risk and control risk assessed at 50% and 20% respectively
• Audit risk set at 5%
   Audit Risk = Inherent Risk × Control Risk × Detection Risk
   0.05 = 0.50 × 0.20 × Detection Risk
   Detection Risk = 0.05 / (0.50 × 0.20) = 50%

Planning Audit Procedures to Respond to the Assessed Risks of Material Misstatement
• Auditor should design:
– Controls reliance audit
– Substantive audit
• When considering risk responses, auditor should:
– Evaluate reasons for assessed risk of material misstatement
– Estimate likelihood of material misstatement due to inherent risks of client
– Consider the role of internal controls, and determine whether control risk is relatively high or low
– Obtain more relevant and reliable evidence with increase in assessment of risk of material misstatement

Nature of Risk Response
• Types of audit procedures applied given the nature of account balance and relevant assertions regarding that account balance
• Procedures
– Assembling audit team with more experienced auditors
– Including on audit team outside specialists
– Increasing emphasis on professional skepticism

Timing of Risk Response
• When audit procedures are conducted and whether they are conducted at announced or predictable times
• When risk of material misstatement is heightened
– Audit procedures conducted closer to year end on an unannounced basis
– Some element of unpredictability included in timing
• Introducing unpredictability
– Performance of some audit procedures on low risk accounts, disclosures, and assertions
– Change in timing of audit procedures from year to year
– Selection of items for testing that are lower than prior-year materiality
– Performance of audit procedures on a surprise or unannounced basis
– Varying location or procedures year to year
• Procedures that can be completed only at or after period end
– Comparison of financial statements to accounting records
– Evaluation of adjusting journal entries made by management in preparing financial statements
– Conduct procedures to respond to risks that management may have engaged in improper transactions at period end
Identify and Describe The Two Forms of Accounts Receivable Confirmation Requests and Indicate What Factors Vicktor Should Consider in Determining When To Use Each. (6 Marks)