Day 2 Risk Assessment and Internal Control

This document discusses audit techniques and the risk assessment process. It covers obtaining an understanding of internal controls, assessing inherent risk and control risk, and using the audit risk model to design audit procedures. The audit risk model calculates audit risk as a function of inherent risk, control risk, and detection risk. Lower detection risk results in more effective tests being performed at year-end, while higher detection risk means less effective tests that could be done at interim periods. The risk assessment process involves evaluating the risks of material misstatements due to error or fraud. Errors are unintentional and can arise from mistakes in data gathering or accounting estimates.

Uploaded by

noua.ismail.1996

Day 2

AUDIT TECHNIQUES
RISK ASSESSMENT AND INTERNAL CONTROL
Risk Assessment
Stages of an Audit

Obtain (or retain) Engagement → Engagement Planning → Risk Assessment → Substantive Procedures → Reporting
ENGAGEMENT RISK

An auditor’s exposure to financial loss and damage to professional reputation.

• Client and third party lawsuits
• Local audit failure …
• Negative publicity
AUDIT RISK

The risk that an auditor will issue an unqualified opinion on materially misstated financial statements.

• Financial statement level
• Individual account balance or class of transactions level
THE AUDIT RISK MODEL

Inherent risk and control risk: Risk that material misstatements exist

Audit Risk = IR × CR × DR

Detection risk: Risk that auditor will not detect misstatements
• Inappropriate audit procedure
• Fail to detect when using appropriate audit procedure
• Misinterpreting audit results

Nonsampling risk; Sampling risk
USING THE AUDIT RISK MODEL


Set a planned level of audit risk such that an opinion can be issued on the financial statements.

Assess inherent risk and control risk.

Use the audit risk equation to solve for the appropriate level of detection risk:

AR = IR × CR × DR
DR = AR / (IR × CR)

Auditors use this level of detection risk to design audit procedures that will reduce audit risk to an acceptable level.
ARM Relationships
Audit Risk Model

• A conceptual tool
PLANNING AN AUDIT STRATEGY
SUBSTANTIVE STRATEGY

After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at the maximum for some or all assertions because of one or all of the following factors:

• Controls do not pertain to an assertion.
• Controls are assessed as ineffective.
• Testing the effectiveness of controls is inefficient.
RELIANCE STRATEGY

Obtain Understanding of Internal Control

Plan to Rely on Internal Control and Assess Control Risk Below Maximum
Implications of Calculating Detection Risk

| | Lower Detection Risk | Higher Detection Risk |
| --- | --- | --- |
| Nature | More effective tests | Less effective tests |
| Timing | Testing at year-end | Testing at interim |
| Extent | More tests | Fewer tests |

Insights from the Audit Risk Model

1. Cannot estimate inherent risk to be zero and omit other evidence gathering procedures
AR = 0 × CR × DR = 0
2. Cannot place complete reliance in internal controls to the exclusion of other audit procedures.
AR = IR × 0 × DR = 0
3. Auditors would not exhibit due professional care if the level of audit risk was too high
LIMITATIONS OF THE AUDIT RISK MODEL

The audit risk model is a planning tool, but it has some limitations that must be considered when the model is used to revise an audit plan or to evaluate audit results.
• The desired level of audit risk may not actually be achieved.
• It does not consider potential auditor error.
• There is no way of knowing what the preliminary level of risk actually was.

Preliminary Assessment Level of Risk +/– Actual or Achieved Level of Risk
Risk Assessment Process
ASSESSING THE RISK OF MATERIAL
MISSTATEMENT DUE TO ERROR OR FRAUD

Errors are unintentional misstatements:
• Mistakes in gathering or processing financial data used to prepare financial statements.
• Unreasonable accounting estimates arising from oversight or misinterpretation of facts.
• Mistakes in the application of accounting principles relating to amount, classification, manner of presentation, or disclosure.
ASSESSING THE RISK OF MATERIAL
MISSTATEMENT DUE TO ERROR OR FRAUD
Fraud involves intentional misstatements. The fraud risk identification process includes:
• Sources of information about possible fraud
• Communications among the audit team
• Inquiries of management and others
• Fraud risk factors
• Analytical procedures
• Other information
ASSESSING THE RISK OF MATERIAL MISSTATEMENT
DUE TO ERROR OR FRAUD
(FRAUD TRIANGLE)

Three conditions usually exist when fraud occurs.

• Incentive or pressure to perpetrate fraud
• Opportunity to carry out the fraud
• Attitude or rationalization to justify fraud
COMMUNICATIONS ABOUT FRAUD

Whenever the auditor has found evidence that a fraud may exist, that matter should be brought to the attention of an appropriate level of management. Fraud involving senior management and fraud that causes a material misstatement of the financial statement should be reported directly to the audit committee of the board of directors.

The auditor should reach an understanding with the audit committee regarding the expected nature and extent of communications about misappropriations perpetrated by lower-level employees.
Inherent Risk Assessment
(Understand Company and its Environment)
What Could Go Wrong?

• Seven general categories of potential misstatements


1. Invalid transactions are recorded
2. Valid transactions or disclosures are omitted from the financial statements
3. Transaction or disclosure amounts are inaccurate
4. Transactions are classified in the wrong accounts
5. Transaction accounting and posting are incorrect
6. Transactions are recorded in the wrong period
7. Disclosures are incomplete or misleading
Factors Related to the Susceptibility of Accounts to
Misstatement or Fraud
• Dollar size of the account
• Liquidity
• Volume of transactions
• Complexity of the transactions
• Subjective estimates
Understanding the Client’s Business and Its
Environment
• Industry and External Factors
• Nature of the Company
• Accounting Principles and Disclosures
• Objectives and Strategies
• Measurement and Analysis of Financial Performance
Industry, Regulatory and Other External Factors

• Competitive environment
• Technological developments
• Regulatory environment – including applicable financial reporting framework
• Legal and political environment
• Broad economic environment – price regulation; import/export restrictions
• Developments in taxation
• Industry characteristics
The Nature of the Company

• The company’s organizational structure and management personnel
• The sources of funding of the company’s operations and investment activities
• The company’s significant investments
• The company’s operating characteristics, including size and complexity
• The sources of the company’s earnings, including the relative profitability of key products and services and key supplier and customer relationships
Selection of Accounting Principles

• Have there been any changes?
• What is done in controversial or new areas?
• What about estimates?
Company Objectives, Strategies and Related Business Risk
Purpose is to identify business risks that could reasonably be expected to result in material misstatement of the financial statements
Business risk can come from
• Industry developments
• New products or services
• Expansion of the business
• Implementing a new strategy
• Financing requirements
Preliminary Analytical Procedures

• Five step process
1. Develop an expectation
2. Define a significant difference
3. Compare expectation with the recorded amount
4. Investigate significant differences
5. Document each of the preceding steps
Brainstorming
• Required procedure
• Objectives
• Gain understanding of
-- Previous experiences with client
-- How a fraud might be perpetrated and concealed in the entity
-- Procedures that might detect fraud
• Set proper tone for engagement
• Discussions should be ongoing throughout the engagement
Assessing Risk Factors

• Respond to significant risks
– risks that require special consideration because of the nature of the risk or the likelihood and potential magnitude of the misstatement related to the risk
-- adjust detection risk
-- use more experienced auditors
-- extended procedures
-- less predictable procedures
Noncompliance with Laws and Regulations

Direct-effect noncompliance produces direct and material effects on the financial statements. The law or regulation can be identified with a specific account or disclosure (e.g., income tax evasion).
• Auditor’s responsibility -- design procedures to provide reasonable assurance
Indirect-effect noncompliance is not related to specific accounts or disclosures on the financial statements (e.g., violations relating to insider securities trading, occupational health and safety, food and drug administration, environmental protection, and equal employment opportunity).
• Auditor’s responsibility -- follow up on suspected violations material to the financial statements
Red Flags of Noncompliance

• Unauthorized transactions.
• Government investigations.
• Regulatory reports of violations.
• Payments to consultants, affiliates, or employees for unspecified services.
• Excessive sales commissions and agents’ fees.
• Unusually large cash payments.
• Unexplained payments to government officials.
• Failure to file tax returns or to pay duties and fees.
Audit Strategy Memorandum

• Identify significant accounts and disclosures
• Establish overall audit strategy for each relevant assertion
• Take into account
– Reporting objectives and communications required
– Auditor’s risk assessment.
– Other requirements of laws or regulations.
• Nature, timing, and extent of necessary resources
• Planned tests of controls, substantive procedures, and other planned audit procedures
• Memo is basis for preparing detailed audit plans (often called audit programs)
• Written audit plan documenting audit strategy is required
Control Risk Assessment
(Understand Internal Controls Over Financial Reporting)
Risk Assessment Process
INTERNAL CONTROL
Internal control plays an important role in how management meets its stewardship or agency responsibilities. Management has the responsibility to maintain controls that provide reasonable assurance that adequate control exists over the entity’s assets and records. Proper internal control not only ensures that assets and records are safeguarded but also creates an environment in which efficiency and effectiveness are encouraged and monitored. Management also needs a control system that generates reliable information for decision making.
The auditor needs assurance about the reliability of the data generated by the information system in terms of how it affects the fairness of the financial statements and how well the assets and records of the entity are safeguarded.
INTERNAL CONTROL

The auditor uses risk assessment procedures to obtain an understanding of the entity’s internal control and uses this understanding to identify the types of potential misstatements, ascertain factors that affect the risk of material misstatement, and design tests of controls and substantive procedures.
The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor’s responsibilities for internal control are discussed under two major topics: (1) obtaining an understanding of internal control and (2) assessing control risk.
OBTAIN AN UNDERSTANDING OF INTERNAL CONTROL

The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This knowledge is used to:

• Identify types of potential misstatements
• Pinpoint the factors that affect the risk of material misstatement
• Design tests of controls and substantive procedures
COMPONENTS OF INTERNAL CONTROL
• Control Environment
• Entity’s Risk Assessment Process
• Information System and Related Business Processes Relevant to Financial Reporting & Communication
• Control Procedures
• Monitoring of Controls
Components of Internal Control
| Component | Description |
| --- | --- |
| Control Environment | Actions, policies and procedures that reflect the overall attitude of top management, directors and owners of an entity about controls and its importance |
| Management’s Risk Assessment | Management’s identification and analysis of risks relevant to the preparation of financial statements in accordance with GAAP |
| Accounting Information Systems and Communication | Methods used to identify, assemble, classify, record, and report an entity’s transactions and to maintain accountability for related assets |
| Control Activities (Control Procedures) | Policies and procedures that management established to meet its objectives for financial reporting |
| Monitoring | Management’s ongoing and periodic assessment of the effectiveness of the design and operation of an internal control structure to determine if it is operating as intended and modified when needed |
COMPONENTS OF INTERNAL CONTROL
Control Environment

• Sets the “tone at the top” of an organization, influencing the control consciousness of its people.
• It is the foundation for all other components.
• As a result, an auditor must obtain a detailed understanding of the control environment and document that understanding.
Factors Affecting the Control Environment

Communication and enforcement of integrity and ethical values


A commitment to competence
Participation of the board of directors and audit committee
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
COSO 2013 New Framework

Control Environment
Principle 1: The organization demonstrates a commitment to integrity and ethical values
Points of Focus:
1. Sets the tone at the top
2. Establishes standards of conduct
3. Evaluates adherence to standards of conduct
4. Addresses deviations in a timely manner
COSO 2013 New Framework

Control Environment
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
Points of Focus:
5. Establishes oversight responsibilities
6. Applies relevant expertise
7. Operates independently
8. Provides oversight in Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities
COSO 2013 New Framework

Control Environment
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
Points of Focus:
9. Considers all structures of the entity
10. Establishes reporting lines
11. Defines, assigns, and limits authorities and responsibilities
COSO 2013 New Framework

Control Environment
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
Points of Focus:
12. Establishes policies and practices
13. Evaluates competence and addresses shortcomings
14. Attracts, develops, and retains individuals
15. Plans and prepares for succession
COSO 2013 New Framework

Control Environment
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
Points of Focus:
16. Enforces accountability through structures, authorities and responsibilities
17. Establishes performance measures, incentives and rewards
18. Evaluates performance measures, incentives and rewards for ongoing relevance
19. Considers excessive pressures
20. Evaluates performance and rewards or disciplines individuals
Risk Assessment Process

The risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process and report financial data consistent with the assertions of management in the financial statements.
Should include not just the identification of those risks but also the actions taken to address those risks.
Factors Affecting Business Risk

Changes in the operating environment


New personnel
Rapid growth
New technology
Corporate restructuring
Expanded international growth
New accounting pronouncements
New or revamped information systems
New business models, products or activities
COSO 2013 New Framework
Risk Assessment
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives:

-- Operating Objectives
21a. Reflects management’s choices
22a. Considers tolerances for risk
23. Includes operations and financial performance goals
24. Forms a basis for committing of resources

-- External Financial Reporting Objectives
21b. Complies with GAAP
22b. Considers materiality
25. Reflects entity activities

-- External Non-financial Reporting Objectives
21c. Complies with externally established standards and frameworks
22c. Considers the required level of precision
25. Reflects entity activities

-- Internal Reporting Objectives
21a. Reflects management’s choices
22c. Considers the required level of precision
25. Reflects entity activities

-- Compliance Objectives
21d. Reflects external laws and regulations
22a. Considers tolerances for risk
COSO 2013 New Framework

Risk Assessment
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risk should be managed
Points of Focus:
26. Includes entity, subsidiary, division, operating unit, and functional levels
27. Analyzes internal and external factors
28. Involves appropriate levels of management
29. Estimates significance of risks identified
30. Determines how to respond to risks
COSO 2013 New Framework

Risk Assessment
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives
Points of Focus:
31. Considers various types of fraud
32. Assesses incentives and pressures
33. Assesses opportunities
34. Assesses attitudes and rationalizations
COSO 2013 New Framework

Risk Assessment
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control
Points of Focus:
35. Assesses changes in the external environment
36. Assesses changes in the business model
37. Assesses changes in leadership
Control Activities

Specific actions management and employees take to help ensure that management’s directives are carried out
These procedures include:
• Performance reviews
• Physical controls
• Information processing
• Separation of duties
Separation of Duties
COSO 2013 New Framework

Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
Points of Focus:
38. Integrates with risk assessment
39. Considers entity-specific factors
40. Determines relevant business processes
41. Evaluates a mix of control activity types
42. Considers at what level activities are applied
43. Addresses segregation of duties
COSO 2013 New Framework
Control Activities
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives
Points of Focus:
44. Determines dependency between the use of technology in business processes and technology general controls
45. Establishes relevant technology infrastructure control activities
46. Establishes relevant technology acquisition, development, and maintenance process control activities
47. Establishes policies and procedures to support deployment of management’s directives
COSO 2013 New Framework
Control Activities
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
Points of Focus:
48. Establishes policies and procedures to support deployment of management’s directives
49. Establishes responsibility and accountability for executing policies and procedures
50. Performs in timely manner
51. Takes corrective action
52. Performs using competent personnel
53. Reassesses policies and procedures


Information Systems and Communication

An effective accounting system gives appropriate consideration to establishing methods and records that will
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
5. Properly present the transactions and related disclosures in the financial statements.
Understanding Controls Over Technology
Step 1
Steps 2 and 3
Categories of Application Controls

Completeness checks
Validity checks
Identification
Authentication
Authorization
Input controls
Forensic controls
Steps 4 and 5
General Controls

Administrative Controls
• Policies
• Risk Assessment
• Security responsibility
• User access process
• Security awareness and training
• Security incident response
• Contingency planning/ data backup

Technical Controls
• Authentication controls
• Access controls
• Audit controls
• Encryption controls
• Architecture controls
• Configuration controls

Vendor Management Controls
• Contract language
• Security audit
• Vendor access control
• Vendor copies of confidential information

Physical Controls
• Facility access controls
• Workstation controls
• Device and media controls
COSO 2013 New Framework

Information and Communication
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control
Points of Focus:
54. Identifies information requirements
55. Captures internal and external sources of data
56. Processes relevant data into information
57. Maintains quality throughout processing
58. Considers costs and benefits

COSO 2013 New Framework

Information and Communication
Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control
Points of Focus:
59. Communicates internal control information
60. Communicates with the board of directors
61. Provides separate communication lines
62. Selects relevant method of communication
COSO 2013 New Framework

Information and Communication
Principle 15: The organization communicates with external parties regarding matters affecting the functioning of other components of internal control
Points of Focus:
63. Communicates to external parties
64. Enables inbound communication
65. Communicates with the board of directors
66. Provides separate communication lines
67. Selects relevant method of communication
Monitoring of Controls

Monitoring of controls is a process that assesses the quality of internal control performance over time
COSO 2013 New Framework

Monitoring Activities
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Points of Focus:
68. Considers a mix of ongoing and separate evaluations
69. Considers rate of change
70. Establishes baseline understanding
71. Uses knowledgeable personnel
72. Integrates with business processes
73. Adjusts scope and frequency
74. Objectively evaluates
COSO 2013 New Framework
Monitoring Activities
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Points of Focus:
75. Assesses results
76. Communicates deficiencies to parties responsible for corrective action and to senior management and the board of directors
77. Monitors corrective actions
THE EFFECT OF ENTITY SIZE ON INTERNAL CONTROL

While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity.
THE LIMITATIONS OF AN ENTITY’S INTERNAL CONTROL

• Management Override of Internal Control
• Human Errors or Mistakes
• Collusion
Internal Control Evaluation
Phases of Internal Control Evaluation
Detail of Phase 1
Understanding Internal Control

Top-down risk based approach
Should identify significant accounts and disclosures and their relevant assertions
Not solely quantitative but it is unlikely that a large account would be omitted from consideration
Entity Level Controls

Audit teams start by examining entity-level controls
-- controls that are pervasive to the internal control system and the reliability of the financial statements taken as a whole
PCAOB has published a list of entity-level controls that includes parts or all of the COSO framework elements
If the audit team decides that an entity-level control sufficiently reduces a specific risk of material misstatement, they may not delve further into transaction level controls
Entity Level Controls
Transaction Level Controls

Transaction level controls pertain to specific classes of transactions, account balances, and disclosures
Most effective way to gather this evidence is through a walkthrough
-- a combination of inquiry, observation and document examination while tracing one or more transactions through the audit trail from initiation to its inclusion in the financial statements
Design Effectiveness

Design effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements
The auditor has obtained an understanding of the design of controls – how those controls are intended to function.
Does not provide information about operating effectiveness
-- is the control operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control correctly
DOCUMENTING THE UNDERSTANDING
OF INTERNAL CONTROL

• Procedure Manuals and Organizational Charts
• Narrative Description
• Internal Control Questionnaires
• Flowcharts
Key Decision: Deciding Whether to Continue to
Test Controls
Control system is too ineffective in preventing or detecting misstatements
The time to test controls is more than the time to perform substantive tests
How to Account?
Assess the Control Risk (Preliminary)

After documenting the audit team’s understanding of internal control they should be able to make a preliminary assessment of control risk
The audit team should document control strengths and weaknesses in a bridge workpaper
-- so called because it connects (bridges) the control evaluation to subsequent audit procedures
Bridge Workpaper
How to Account?
Degree of Compliance

A matter of professional judgment


Discussed more in the sampling discussion
Test of Controls

Should be performed for activities throughout the period under audit
Four Methods
Inquiry
Observation
Document examination
Reperformance
Reassess the Control Risk

Does the control testing match the preliminary control assessment?
COMMUNICATION OF INTERNAL CONTROL-RELATED MATTERS

Reportable Conditions: Significant deficiencies in the design or operation of internal control that could adversely affect the organization’s ability to initiate, record, process, and report financial data consistent with management’s assertions.

Material Weakness: A reportable condition in which the design or operation of one or more of the specific internal control components does not reduce to a relatively low level the risk that errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
EXAMPLES OF REPORTABLE CONDITIONS
