1

Audit Risk

Week 10

2

Risk Assessment in Planning

AR = IR x CR x DR To meet desired level of Audit Risk Need to assess each component IR & CR can be assessed but not

controlled DR is dependent on perceived

levels in IR & CR

3

Inherent Risk

Factors affecting Inherent Risk (SAS 300.2)

At Entity Level: Integrity of directors and management Management experience Unusual pressures on management Nature of the business Conditions within the industry

4

Inherent Risk Factors affecting Inherent Risk At balance and transaction class level

Sales and cash receipt transactions and debtor balances

Purchases and payroll transactions and creditors balances

Stocks Tangible fixed assets Cash

5

The Control Environment SAS 300.3 – auditors need to

understand the entity’s accounting systems to understand and identify Major classes of transactions How such transactions are initiated Significant accounting records and

supporting documents The accounting and financial

reporting process

6

The Control Environment

Once understood Able to assess risk element Design appropriate testing

schedule Update audit plan

7

Understanding the accounting system

Document Perform audit tests Eg Walkthrough tests

Manual & electronic systems Evaluate quality of internal audit

procedures

8

Reliance on Internal AuditThe role of the internal control

systems Internal Control systems are policies and procedures adopted by the directors and senior

management of an organisation to assist in attempting to achieve the orderly and efficient conduct of business

Internal control systems attempt to ensure that: Complete and accurate accounting records are kept so that

financial transactions can be recorded and disclosed in an informative manner

Assets are safeguarded on behalf of their rightful owners Error and or fraud are prevented and are likely to be detected

if they occur Information can be prepared and disclosed in a timely and

informative manner Staff adhere to organisational policies and procedures The organisation and its officers adhere to statutory and other

relevant regulatory requirements.

9

Fundamental concepts of internal control systems

Segregation of duties Physical access controls Authorisation and approval controls Management control Supervision and periodic reconciliation Arithmetical and accounting controls Personnel

10

Internal auditor - role

Continuous review and appraisal of systems of control

Report on adequacy of controls Identify areas for improvement Involvement with development &

implementation of new systems But…employee of the company

11

Effect on Control Risk To reduce Control Risk External auditor can rely on Internal

audit work Needs to make assessment of Quality Comprehensiveness Objectivity

Should never rely 100% on internal audit

12

Evaluation of Internal AuditorsSAS 500

500.18 evaluation may include consideration of whether: Work is performed by staff who have adequate technical

training and proficiency as internal auditors Work of assistants is properly supervised, reviewed and

documented Sufficient appropriate audit evidence is obtained to form a

reasonable basis for the conclusions reached Conclusions reached are appropriate Reports by the internal audit are consistent with the results

of the work performed Any exceptions and unusual matters disclosed by internal

audit are properly resolved Amendments to the external audit programme are required

as a result of matters identified by the internal audit work There is a need to test the work of internal audit to confirm

its adequacy

13

A system weakness? Last point suggests There is no need to test IA work to

confirm its adequacy International Standard of Accounting 610 “The external auditor should not rely

entirely on the IA’s work. Therefore some tests must be performed

to confirm adequacy

14

Performance of audit and reliance on IA – Step 1

Recording accounting systems using a flowchart and/or narrative notes

EA should check the flowchart is correct by checking a few transactions through the system (eg a walkthrough test)

For a purchases system check purchase requisition purchase order receipt of goods passing the purchase invoice posting it to the purchase ledger paying the invoice

If EA’s checks of transactions through the system are consistent with the flowchart EA can use the IA’s flowchart

15

Performance of audit and reliance on IA – Step 2

Evaluate recorded controls by means of an internal control evaluation questionnaire (ICE) or internal control questionnaire (ICQ)

ICQ = set of questions in yes/no format designed to gather information about a suite of controls

If IA’s ICQs conform to samples of EA’s ICQs can adopt IA’s

16

Performance of audit and reliance on IA – Step 3

Test controls in the accounting systems EA should perform tests on a sample of the

items checked by the IA If the results are the same as the IA’s, the EA

can rely on the IA’s work Therefore EA need check fewer items than if no

reliance was placed on the IA’s work If errors are found in the items checked by the

EA then total number of transactions checked will

be increased so as to achieve the desired level of control risk

17

Performance of audit and reliance on IA – Step 4

Substantive tests of items in the financial statements

IAs tend to carry out fewer tests on items in the financial statements, than on checking controls in accounting systems

Therefore, here EA will place less reliance on the IA’s work

18

Performance of audit and reliance on IA – Step 5

Visits to Branches/sites If branch numbers are large EA unable to visit all If IA’s work at selected branches =

EA’s findings Reduces Control Risk Reduces number of branch/site visits

19

Performance of audit and reliance on IA – Step 6

Checking computer systems IA’s work skewed to systems testing IA’s programme should include

checking procedures over writing and testing software before it is used by the company

checking the implementation of new systems, including transfer of data from the old system and training of staff

checking the operation of the systems by performing computer assisted audit techniques of test data and computer audit programs (audit software)

checking general controls in the computer system, including controls over access to the computer, periodic copying of data files and general maintenance of the computer

checking controls over the individual systems in which the external auditor is placing reliance

20

Summary Internal Audit procedures can Act as deterrent against fraud Provide guidance to employees on

correct procedures Provide detailed descriptions and

reviews of systems of Internal Control

Assist EA in reducing substantive testing

21

Minimising Detection Risk

A material misstatement occurs Internal controls do not pick it up How can EA be confident

substantive testing will detect it? Clearly not 100% assured Need to take samples Techniques required

22

SAS 430Audit Sampling

SAS 430 Points out the pitfalls in sampling When determining sample sizes,

auditors should consider sampling risk, the amount of error that would be acceptable and the extent to which they expect to find errors (430.3)

23

Sampling Risk

This is defined as arising From the possibility that the

auditors’ conclusion, based on a sample, may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure

24

Sampling or not Auditors need to select samples which

would be expected to be representative of the whole population

Non-sampling 100% examination (selecting all items in a

population) analytical procedures (relationship testing) tests in total (calculations of reasonableness

based on independently verified data) ‘walkthrough’ tests other selective testing of specific items (eg

high-value, key and unusual items)

25

Selecting the sample

SAS 430.4 Random selection (number

tables/software) Systematic (constant interval) Haphazard (as long as no bias)

26

Selecting the sample

If going to sample would need to incorporate into audit plan Sample design Sample selection Testing Evaluation

27

Sample design Should consist of: audit objective(s) of the test population from which the sample is to be

drawn sampling unit (individual item of population) results or conditions that will be regarded as

errors or deviations In substantive = an error In control = a control deviation

sample size (based on assurance required, tolerable error & stratification)

28

Sample selection

Dependant upon size of population Level of risk assigned to detection

risk Homogeneity of population Basis SAS 430.4

29

Testing and Evaluating Should use pre-determined test If not possible required to devise

alternative procedures If tests inconclusive alternative evidence

should be sought from other means When evaluating results consider Nature Cause Impact on other areas of the audit

30

Summary Not all selective testing constitutes audit sampling Audit sampling is testing less than 100% of items that

have a chance of selection Sampling risk is the risk that a sample is not

representative Non-sampling risk arises from factors that cause the

auditor to reach an incorrect conclusion (for any reason unrelated to sample size)

Four stages in audit sampling are design, selection, testing and evaluation

Statistical sampling requires random sample selection and use of probability theory

Three methods of selecting representative samples are random number, systematic and haphazard

Results are evaluated qualitatively and quantitatively