Understanding the Entity
AU Section 314: Understanding the Entity and Its Environment and Assessing the Risks
Source: SAS No. 109.
The Risk Assessment Standards
C Delano Gray
June 18, 2008



Risk Assessment Standards

The risk assessment standards consist of:
– SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Due Professional Care
– SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
– SAS No. 106, Audit Evidence
– SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Audit Risk and Materiality)
– SAS No. 108, Planning and Supervision
– SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Assessing Risks)
– SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Performing Procedures)
– SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling


Risk Assessment Standards

The risk assessment standards consist of:
– SAS No. 112 Communicating Internal Control Related Matters Identified in an Audit (Superseded SAS 60)
– SAS No. 113 Omnibus Standards
– SAS No. 114 The Auditor’s Communication with Those Charged with Governance (Supersedes SAS 61)

http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/Audit+and+Attest+Standards/Authoritative+Standards+and+Related+Guidance+for+Non-Issuers/auditing_standards.htm

Source: AICPA


Risk Assessment Standards

The ASB believes that the SASs represent a significant strengthening of auditing standards which in turn will improve the quality of audits conducted under these standards.


Objectives

The objectives of the SASs are to improve audit effectiveness by requiring:

A more in-depth understanding of the entity and its environment, including its internal control.

More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.

A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.


Knowledge

This assumes the following

Knowledge of the SAS’s

Knowledge of FAS and Interpretations

Knowledge of Industry Specific Standards

Knowledge of SOP’s and EITF Pronouncements

Knowledge of Entity’s Industry, Markets, Competitors and Industry Practices.


Overview of SASs


Overview of SASs

SAS No. 104, Amendment to SAS No. 1

SAS No. 104 expands the definition of “reasonable assurance” as a “high” level of assurance


Overview of SASs

SAS No. 105, Amendment to SAS 95, Generally Accepted Auditing Standards

“Internal control” is replaced by “the entity and its environment, including its internal control”

“Further audit procedures” replaces “tests to be performed”

“Audit evidence” replaces “evidential matter”


Overview of SASs

SAS No. 106, Audit Evidence

(Amends SAS 31)

“The auditor must obtain sufficient audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”


Overview of SASs

SAS No. 106, Audit Evidence

Audit evidence is all the information used by the auditor in arriving at the conclusions on which the audit opinion is based and includes:
– Entity’s accounting records,
– Confirmations,
– Minutes,
– Industry reports,
– Audit procedures such as inquiries, observations, inspections, etc.


Overview of SASs

SAS No. 106, Audit Evidence

Audit Procedures

a. Risk Assessment Procedures

1. Inquiries

2. Analytical procedures

3. Inspection and observation

b. Further Audit Procedures

1. Test of controls

2. Substantive procedures

i. Test of details

ii. Substantive analytical procedures


Overview of SASs

SAS No. 106, Audit Evidence

The use of assertions in obtaining audit evidence – these are management’s implicit or explicit assertions regarding the recognition, measurement, presentation and disclosure of information in the financial statements and related disclosures.


Overview of SASs

SAS No. 106, Audit Evidence (continued)

Categories of Assertions

a. Classes of transactions

b. Account balances

c. Presentation and disclosure


Overview of SASs

SAS No. 107, Audit Risk and Materiality

(Amends SAS 47)

“The auditors should perform the audit to reduce audit risk to a low level that is (in his or her judgment) appropriate for expressing an opinion on the financial statements.”


Overview of SASs

Audit Risk and Materiality

“The auditor’s consideration of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the needs of users of financial statements” (SAS 107).


Overview of SASs

SAS No. 108, Planning and Supervision

(Amends SAS 1 and SAS 22)

“The auditor must adequately plan the work and must properly supervise any assistants.”


Overview of SASs

SAS No. 109, Assessing Risks

“The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.”


Risk Assessment Standards

Enhances the auditor’s application of the audit risk model in practice by requiring:
– More in-depth understanding of the entity and its environment, including its internal control to better understand where risks of misstatements are higher
    May require greater understanding of internal control design and implementation of controls
    Ability to default to maximum control risk assessment removed
– Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed


Risk Assessment Standards

Enhances the auditor’s application of the audit risk model:

AR = [CR x IR] x DR

[CR x IR] = RMM

AR = Audit Risk

CR = Control Risk

IR = Inherent Risk

DR = Detection Risk

RMM = risk of material misstatement

Source: AICPA.


Risk Assessment Standards

– Internal Control Framework is unchanged


SAS 109

Understanding the Entity and Its Environment and Assessing the Risks


Introduction

.01 This section establishes standards and provides guidance about implementing the second standard of field work, as follows:

The auditor must obtain a sufficient understanding of the entity and its environment,

Its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud,

Design the nature, timing, and extent of further audit procedures.


.02 The following is an overview of this standard:

• Risk assessment procedures and sources of information about the entity and its environment, including its internal control.

This section explains the audit procedures that the auditor should perform to obtain the understanding of the entity and its environment, including its internal control (risk assessment procedures).

The audit team should discuss the susceptibility of the entity's financial statements to material misstatement.


Risk Assessment Standards

The auditor should assess the risks of material misstatement at the financial statement level and at the relevant assertion level on all audits based on the understanding obtained


Risk Assessment Standards

New Assertion Framework

| Classes of Transactions | Account Balances | Presentation and Disclosures |
|---|---|---|
| Occurrence | Existence | Occurrence and Rights and obligations |
| Completeness | Rights and obligations | Completeness |
| Accuracy | Completeness | Classification and understandability |
| Cutoff | Valuation and allocation | Accuracy and valuation |
| Classification | | |


Risk Assessment Standards

– Identifying risks through considering
    The entity and its environment, including its internal control
    Classes of transactions, account balances, and disclosures
– Relating the identified risks to what could go wrong at the relevant assertion level
– Significant risks¹

¹ SAS 109, Assessing Risks, paragraphs 102-121


Risk Assessment Standards

| Audit Risk | Auditor’s Response |
|---|---|
| Financial Statement | Overall responses |
| Account level | Further Audit Procedures (Tests of Controls and Substantive Tests) |


Risk Assessment Standards

Testing of controls is encouraged

The requirement to link assessed risks and the audit procedures responsive to those risks is improved

Risk assessment is a continuous process, not a series of discrete stages


Risk Assessment Standards

– Perform further audit procedures that are clearly linked to risks at the relevant assertion level by:
    Performing tests of the operating effectiveness of controls
    Performing substantive procedures
    Evaluating the adequacy of presentation and disclosure¹
– Evaluate whether sufficient competent audit evidence has been obtained²

¹ SAS 110, Performing Procedures SAS, paragraphs 23-68
² SAS 110, Performing Procedures, paragraphs 70-76

Source: AICPA


Risk Assessment Standards

Greater emphasis is placed on testing of disclosures

Greater emphasis is placed on the evaluation of internal controls

Guidance on evaluating audit findings is clarified and expanded

Documentation requirements are significantly expanded


Significant Changes to Existing Practices

Identifying and assessing the risks of material misstatements at both the financial statement level and the relevant assertion level by performing risk assessment procedures.

Designing and performing tailored further audit procedures responsive to assessed risks at the relevant assertion level

Linkage of audit procedures to the risk of material misstatement.


AU Section 314

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

(Supersedes SAS No. 55)

Source: SAS No. 109.

Effective for audits of financial statements for periods beginning on or after December 15, 2006. Earlier application is permitted.


Risk Assessment Overview

[Diagram: Risk Assessment, New Process. Labels: Brainstorming, Inquiries, Analytical Procedures, Other, Fraud Risk Factors, Respond]


SAS No. 109, Assessing Risks

Risk assessment procedures and sources of information about the entity and its internal control are:

a. Inquiries

b. Analytical procedures

c. Observation and inspection

Discussion among audit team


SAS No. 109, Assessing Risks

Inquiries of management may be directed toward:

a. External parties – for example, legal counsel, bankers, valuation experts, etc.

b. Internal – for example those charged with governance, internal audit, employees other than accounting personnel, in-house counsel, etc.


SAS No. 109, Assessing Risks

Analytical Procedures

a. Use guidance of SAS 56, Analytical Procedures

b. Helpful in identifying unusual transactions or events

c. Assist in determining amounts, ratios, trends in the financial statements


SAS No. 109, Assessing Risks

Observation and inspection include:

a. Inspection of documents and manuals (for example accounting or internal control)

b. Reading internal reports and minutes

c. Visit premises and plant facilities

d. Tracing transactions through systems


SAS No. 109, Assessing Risks

The auditor should consider the results of the fraud risk assessment performed during planning along with other information gathered in identifying the risks of material misstatements.


SAS No. 109, Assessing Risks

Discussion among audit team:

a. Can be held at the same time as the discussion specified in SAS 99.

b. Objective is for members to gain a better understanding of the potential for material misstatements.

c. An opportunity for more experienced members to share their insights.


SAS No. 109, Assessing Risks

Understanding the entity and its environment, including its internal control.
– Industry, regulatory, and other external factors
– Nature of the entity
– Objectives and strategies and the related business risks that may result in a material misstatement of the financial statements
– Measurement and review of the entity's financial performance
– Internal control


SAS No. 109, Assessing Risks

Internal control


SAS No. 109, Assessing Risks (continued)

The auditor should obtain a sufficient understanding of internal controls to:

a. Evaluate the design of controls relevant to the audit,

b. Determine whether the controls have been implemented.


SAS No. 109, Assessing Risks

The auditor should perform risk assessment procedures to obtain an understanding of internal control. Procedures include observation, inspection, or performing walkthroughs.

Inquiry alone is not sufficient to evaluate the design of controls and whether they have been implemented.


SAS No. 109, Assessing Risks

The auditor should identify and assess the risks of material misstatements at:

a. Financial statement level

b. The relevant assertion level


Internal Controls

The three primary objectives of effective internal control.


Internal Control Objectives

1. Reliability of financial reporting

2. Efficiency and effectiveness of operations

3. Compliance with laws and regulations


Management’s Responsibilities

Contrast management’s responsibilities for maintaining and reporting on internal controls with the auditor’s responsibilities for understanding, testing, and reporting on internal controls.


Management and Auditor Responsibilities Related to Internal Control

Management’s responsibility for establishing internal control

Reasonable assurance

Inherent limitations


Management and Auditor Responsibilities Related to Internal Control

Design of internal control

Operating effectiveness of controls


Management and Auditor Responsibilities Related to Internal Control

Auditor responsibilities for understanding internal control

Control over classes of transactions

Auditor responsibilities for testing internal control

Controls over the reliability of financial reporting


Internal Control

The five components of the COSO internal control framework.


Five Components of Internal Control

Risk assessment

Control activities

Information and communication

Monitoring


The Control Environment

Integrity and ethical values

Commitment to competence

Board of directors or audit committee participation


The Control Environment

Management’s philosophy and operating style

Organizational structure

Human resource policies and practices


Risk Assessment

Identify factors that may increase risk

Assess the likelihood of the risk occurring

Determine actions necessary to manage the risk

Estimate the significance of the risk


Control Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance


Adequate Separation of Duties

Custody of assets from accounting

Authorization of transactions from the custody of related assets

Operational responsibility from record-keeping responsibility

IT duties from user departments


Proper Authorization of Transactions and Activities

General authorization

Specific authorization


Adequate Documents and Records

Prenumbered consecutively

Prepared at the time of transaction

Designed for multiple use

Constructed to encourage correct preparation


Physical Control Over Assets and Records

The most important type of protective measure for safeguarding assets and records is the use of physical precautions.


Independent Checks on Performance

The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.


Information and Communication

The purpose of an accounting information and communication system is to…

initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.


Monitoring

Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance…

to determine whether controls are operating as intended and modified when needed.


Documenting Controls

Obtain and document an understanding of internal control.


Process for Understanding Internal Control and Assessing Control Risk

Phase 1: Obtain an understanding of internal control: design and operation

Phase 2: Assess control risk

Phase 3: Design, perform, and evaluate tests of controls

Phase 4: Decide planned detection risk and substantive tests


Obtain and Document Understanding of Internal Control

SAS 109 and PCAOB Standard 2 both require auditors to obtain an understanding of internal control for every audit.

Procedures to obtain an understanding:

Design of internal controls

Whether placed in operation

Uses this information as a basis for the integrated audit


Methods Used

Narrative

Flowchart

Internal control questionnaire


Narrative

1. The origin of every document and record in the system

2. All processing that takes place

3. The disposition of every document and record in the system

4. An indication of the controls relevant to the assessment of control risk


Evaluating Internal Control Operation

Update and evaluate auditor’s previous experience with the entity

Make inquiries of client personnel

Examine documents and records

Observe entity activities and operations

Perform walk-throughs of the accounting system


Control Risks and Audit Objectives

Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.


Assess Control Risk

Assess whether the financial statements are auditable.

Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.

Use of a control risk matrix to assess control risk.


Control Risk Matrix

Many auditors use the control risk matrix to assist in the control risk assessment process.


Control Risk Matrix

Identify audit objectives

Identify existing controls

Associate controls with related audit objectives

Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses


Evaluating Significant Control Deficiencies

[Figure: matrix with axes LIKELIHOOD (Remote, Probable) and SIGNIFICANCE (Immaterial, Material); labeled region: Material Weakness]


Identify Deficiencies and Weakness

Identify existing controls

Identify the absence of key controls

Consider the possibility of compensating controls

Decide whether there is a significant deficiency or material weakness

Determine potential misstatements that could result


Communications

Management letters

Communications to those charged with governance


Tests of Controls

The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.


Procedures for Tests of Controls

1. Make inquiries of client personnel

2. Examine documents, records, and reports

3. Observe control-related activities

4. Reperform client procedures


Extent of Procedures

Reliance on evidence from prior year’s audit

Testing of controls related to significant risks

Testing less than the entire audit period


Relationship of Assessed Control Risk and Extent of Procedures

Type of procedure | Assessed control risk, high level: procedures to obtain an understanding | Assessed control risk, lower level: tests of controls
Inquiry | Yes–extensive | Yes–some
Documentation | Yes–with transaction walk-through | Yes–using sampling
Observation | Yes–with transaction walk-through | Yes–at multiple times
Reperformance | No | Yes–using sampling


READY??

How to get ready.

Document each significant business process in writing. Assess business risks involved in each process.

Identify “key” controls within those processes to mitigate risks. If controls aren’t adequate to mitigate risks, you would need to consider implementing stronger controls.

Also, establish a monitoring process whereby these business processes are evaluated to ensure that “key” controls are operating effectively throughout the period.

The control activities questionnaire may be a good starting point to help identify your significant business processes and the key controls for those processes.


Decide Planned Detection Risk and Design Substantive Tests

The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.

The auditor links the control risk assessments to the balance-related audit objectives.


Audit of Activity: __________________________________________

Business Objective | Business Risk

1.

Check applicable risk category: Assets, Operational Performance, Information Systems, Regulatory & Legal Issues, Ext. and Int. Environment


Risk | Importance of Risk | Control Activities to Address Risk | Impact on audit (Test)

A. 1.

2.


AUDIT DEPARTMENT

COMPANY NAME:

PREPARED BY: __________________

REVIEWED BY:___________________

DATE: _____/_______/______

SECTION XX: Audit of ………………….

AUDIT DATE: As of mm/dd/yyyy


Time Budget | Performed by | W/P REF

Operational Procedure

Description of Controls

Audit Objective

Audit Scope

Audit Procedure

1.

2.

Findings

The following exceptions were noted during the audit:

(1) =

(2) =

All findings were discussed with the responsible manager.

Tickmark Legend

= No Exception Noted

= Traced to

® = Reviewed P & P Manual.

Conclusion

.


Section 404 Reporting on Internal Control

1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects.

2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.


Questions?

Thank You