Chapter 7 - Class

8/12/2019 Chapter 7 - Class

1/30

Canadian Excell ence

ChapterAssessingRisks and

InternalControl


2/30


Learning Objectives

1. Describe the

conceptual audit risk

model and its

components, and

explain its usefulnessand limitations in

conducting the audit.

2. Explain how auditors

assess the auditeesbusiness risk through

strategic analysis and

business process

analysis.

3. Outline the

relationships among

business processes,

accounting

processes/cycles andmanagements

general purpose

financial statements.


3/30


Learning Objectives

4. Illustrate how businessrisk analysis is used in apreliminary assessmentof the risk that fraud orerror has led to materialmisstatement at theoverall financialstatement level.

5. Describe the basiccomponents of internalcontrol; control

environment,managements riskassessment process,information systems andcommunication, controlactivities and monitoring.

6. Explain how the auditorsunderstanding of anorganizations internalcontrol helps to assessthe risk that its financial.statements aremisstated.

7. Apply and integrate thechapter topics to analyzea practical auditingsituation / case /

scenario.


4/30


Audit Risk Assessment

Auditing is fundamentally a risk management

process.

Audit risk is related to information risk that

financial statements are materially misstated.

Auditors strive to lower audit risk by performing audit

work that gives a high level of assurance that statements

are correct.

Auditors need to assess risk in audit related terms;

inherent risk, control risk and detection risk.


5/30


Inherent Risk

The probability of material misstatement

occurring in transactions entering the

accounting system or being in the account

balances is inherent risk. Auditors do not create or control inherent risk.

Auditors only try to assess its magnitude based on prior

experience, management bias, and nature of the

transactions.

The auditor will consider the characteristics of the clientsbusiness, types of transactions, and effectiveness of

accountants.


6/30


Internal Controls

Internal controls are a key component of an

organizations overall risk management

framework.

When we adapt a controls approach, auditors

evaluate or assess probability of control

failures to detect material misstatements.

Auditors assess the effectiveness of controls

This is known as controls testing: procedures

used in the control risk assessment.


7/30


Control Risk

The risk that the clients internal control

system will not prevent or detect a material

misstatement is control risk.

Auditors do notcreate or control the control risk;they simply evaluate or assess probability of failure

to detect material misstatements.

Assessment is based on study and evaluation of

the companys control system.


8/30


Control Risk

Control risk assessment provides only an

indirect assessment of monetary

misstatements in the financial statements.

Control testing or compliance testing are detailedprocedures used to assess control risk.

Control risk should not be assessed so low that

auditors rely entirely on controls, and do no

substantive work.


9/30


Risk of Material Misstatement (RMM)

Inherent Risk

Control risk

High Moderate/Low

LowModerate/LowRisk that is not

Significant

SignificantRisk

Higher Lower

Auditor will make an

assessment of IR and

CR, which is called

RMM


10/30


Detection Risk

The risk that any material misstatement that

has not been corrected by the clients internal

control will not be detected by the auditor.

Auditors can control this risk by conductingsubstantive (balance audit) tests.

Substantive tests include audit of details of transactions

and balances, and analytical procedures applied to dollar

amounts in the accounts.


11/30


Audit Risk

The probability that an auditor will fail to

express a reservation that financial

statements are materially misstated is audit

risk. Audit risk is greater if there is poor planning or

poor execution of the audit.

Audit risk is dependent on user reliance.

Audit risk is also applied to individual accountbalances and disclosures.


12/30


Audit Risk Model

AR = IR x CR x DR Be wary! Its not a straightcalculation!

Audit risk will occur when:

a material misstatement has been made in the

transactions or balances (inherent risk),

and internal controls fail to detect or correct themisstatement (control risk), and

audit procedures also fail to detect the

misstatement (detection risk).

Auditors want to hold audit risk to a

relatively low level


13/30


How Materiality and Audit Risk are

Related

The materiality and audit risk decisions main

impact on the audit is on the extent of audit

evidence that needs to be gathered during the

audit: Nature, timing and extent of audit procedures.


14/30


Business Risk and extension of the Audit

Risk Model

Business risk is an event of action that will

adversely affect an organizations ability to

achieve its objectives and execute its

strategies. Auditors need to assess the ways that business

risk affects the risk of material misstatement in



15/30


Business Risk-Based Approach to Auditing

The business risk-based approach to auditing

requires the auditor to understand the

auditees business risks, managements

strategy for addressing those risks, and thebusiness processes it uses to implement the

strategy.

- Assess entitys risk assessment process


16/30


Business Risk Analysis

There are two parts of business analysis:

1. Strategic analysis, and

2. Business process analysis.

- At the end of the business analysis, the auditor

should be able to determine if there are any

weaknesses in the clients risk management

process that could lead to misstatement on the



17/30


Strategic Analysis

Gain an understanding from senior client

management about:

business objectives,

key strategies employed to meet those objectives,

and

risks that threaten achievement of those

objectives.


18/30


Business Process Analysis

Management will minimize risks through well-

designed business processes.

Business process analysis deepens the

auditors understanding of the clients

operations.

It may also highlight risks and possible note

disclosures.


19/30


Accounting Processes and the Financial

Statements

Recap There are two important points to

remember about client financial statements:

Management is responsible for preparing them,

and they contain managements assertions

about economic actions and events.

The financial statement numbers are produced

by the company's accounting system and are

summarized on the trial balance.


20/30


Managements Financial Statements

To simplify the audit plan, auditors typically

group the accounts into several accounting

processes.

(1) revenues and collection (2) acquisition and expenditure

(3) production and conversion

(4) finance and investment

Can you identify which FS accounts are

linked to each process?


21/30


Internal Control Components

Internal control is defined as the process

designed, implemented, and maintained by

management to provide reasonable assurance

about: the reliability of financial reporting,

effectiveness and efficiency of operations, and

compliance with applicable laws and regulations.


22/30



Internal control consists of the following:

a. the control environment,

b. the entitys risk assessment process,

c. the information system and business processes

relevant to financial reporting and

communication,

d. control activities, and

e. the monitoring of controls.


23/30



Components (a) (b) (c) and (e) operate at the

company level, and are referred to as

management controls.

Control activities (d) are controls over processes,

applications, and transactions.


24/30


Control Environment

The control environment is characterized by

management attitudes, structure, effective

communication of control objectives and

supervision of personnel and activities. Tone at the top.

Board of directors, particularly the audit committee

should be considered.


25/30


Control Environment

Elements of control environment (CAS 315):

- Communication and enforcement of integrity and

ethical values

- Commitment to competence

- Participation of those charged with governance

- Managements philosophy and operating style

- Organizational structure

- Assignment of authority and responsibility

- Human resource policies and practices


26/30


Risk Assessment Process

The risk assessment process is how

management identifies risks related to

misstatements in the financial statements.

Management will also evaluate the significanceand likelihood of those risks, and decide how to

manage those risks efficiently and effectively.


27/30


Information System, Business Processes

and Communication

Information system consists of infrastructure,

software, people, procedures and data. An

information system has procedures to:

identify and record all valid transactions,

describe transactions in a manner that permits properclassification,

measure the value of transactions,

determine the time period in which transactions should be

reported, and

Present the transactions properly in the financial statements.

Communication may take such forms as policy

manuals and can be made electronically, orally, and

through the actions of management.


28/30


Control Activities

Controls are policies and procedures that

ensure the achievement of the entitys goals,

including financial reporting goals.

Controls can be categorized as either general

controls or as application controls.

General controls relevant to the audit include

performance reviews.

Application controls include checks on

accuracy, completeness, and authorization of

transaction processing.


29/30


Monitoring of Controls

Managements monitoring of controls includes

considering whether they are operating as

intended.

Monitoring may include reviews of reconciliations,

internal audit evaluations, and legal department

evaluations of compliance.

Controls are modified as required to accommodate

changes in business conditions.


30/30


How Internal Control Relates to the RMM

To assess the risk of material misstatement at

the financial statement level, the auditor needs

a detailed knowledge of internal control

components relevant to financial reporting. Gained mainly by making enquiries of clients

personnel, analytical procedures, observation and

inspection, PY information, discussion amongst

engagement team.

Documents

Chapter 7 - Class