Auditing Theory - Risk Assessment
to financial reporting, estimates the significance of the risks, assesses the likelihood
of their occurrence, and decides upon actions to manage them.
If the entity's risk assessment process is appropriate to the circumstances, it assists
the auditor in identifying risks of material misstatement.
Client business risk can arise or change due to the following circumstances:
Changes in operating environment. Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly
different risks.
New personnel. New personnel may have a different focus on or
understanding of internal control.
New or revamped information systems. Significant and rapid changes in
information systems can change the risks relating to internal controls.
Rapid growth. Significant and rapid expansion of operations can strain
controls and increase the risk of breakdown in controls.
New technology. Incorporating new technologies into production processes
or information systems may change the risk associated with internal control.
New business model, products, or activities. Entering into business
areas or transactions with which an entity has little experience may introduce
new risks associated with internal control.
Corporate restructurings. Restructurings may be accompanied by staff
reductions and changes in supervision and segregation of duties that may
change the risk associated with internal control.
Expanded foreign operations. The expansion or acquisition of foreign
operations carries new and often unique risks that may affect internal control,
for example, additional or changed risks from foreign currency transactions.
New accounting pronouncements. Adoption of new accounting principles
or changing accounting principles may affect risks in preparing financial
statements.
3.3.3 Understanding the Information System and Communication [PSA
315(2009).18-21, A81-A87]
The information system, including the related business processes, relevant to
financial reporting, and communication (definition). The information system relevant
to financial reporting objectives, which includes the accounting system, consists of
the procedures (whether automated or manual) and records designed and
established to initiate, record, process, and report entity transactions (as well as
events and conditions) and to maintain accountability for the related assets,
liabilities, and equity. Communication involves providing an understanding of
individual roles and responsibilities pertaining to internal control over financial
reporting.
The auditor should obtain sufficient knowledge of the information system relevant
to financial reporting to understand the following:
The classes of transactions in the entity's operations that are significant to
the financial statements.
A well-designed information system that is operating effectively can reduce the risk of
material misstatement.
The auditor should also understand how the entity communicates financial reporting
roles and responsibilities and significant matters relating to financial reporting (PSA
315.89).
3.3.4 Understanding the Control Activities [PSA 315(2009).20-21; A88-A97]
Control activities (definition). Control activities are the policies and procedures
that help ensure that management directives are carried out.
The auditor should obtain a sufficient understanding of control activities. The
auditor's primary consideration is whether, and how, a specific control activity,
individually or in combination with others, prevents, or detects and corrects,
material misstatements in classes of transactions, account balances, or disclosures.
Control activities relevant to the audit are those for which the auditor considers it
necessary to obtain an understanding in order to assess risks of material
misstatement at the assertion level and to design and perform further audit procedures
responsive to the assessed risks.
Examples of control activities relevant to an audit.
Generally, control activities that may be relevant to an audit may be categorized as
policies and procedures that pertain to the following:
Performance reviews. These control activities include reviews and analyses
of actual performance versus budgets, forecasts, and prior period
performance; relating different sets of data, operating or financial, to one
another, together with analyses of the relationships and investigative and
corrective actions; comparing internal data with external sources of
information; and review of functional or activity performance.
Information processing. The two broad groupings of information systems
control activities are application controls, which apply to the processing of
individual applications, and general IT controls, which are policies and
procedures that relate to many applications and support the effective
Assess the identified risks, and evaluate whether they relate more
pervasively to the financial statements as a whole and potentially affect
many assertions;
Relate the identified risks to what can go wrong at the assertion level, taking
account of relevant controls that the auditor intends to test; and (Ref: Para.
A116-A118)
Consider the likelihood of misstatement, including the possibility of multiple
misstatements, and whether the potential misstatement is of a magnitude
that could result in a material misstatement.
For example, risk at the financial level may derive from inadequate general
computer controls or weak overall control environment, such as management's lack
of competence or lack of integrity. The latter may require the auditor to issue a
qualified opinion or adverse opinion or resign from the engagement.
The auditor's understanding of internal control may raise doubts about the
auditability of an entity's financial statements.
For example:
Concerns about the integrity of the entity's management may be so serious as
to cause the auditor to conclude that the risk of management
misrepresentation in the financial statements is such that an audit cannot be
conducted.
Concerns about the condition and reliability of an entity's records may cause
the auditor to conclude that it is unlikely that sufficient appropriate audit
evidence will be available to support an unmodified opinion on the financial
statements.
3.2.2 Assessment of Risks of Material Misstatement at the Assertion Level
Such consideration at the assertion level is necessary because it directly assists
in determining the nature, timing, and extent of further audit procedures at the
assertion level necessary to obtain sufficient appropriate audit evidence.
In considering the different types of potential misstatements that may occur, the
auditor uses the assertions management implicitly or explicitly made regarding the
recognition, measurement, presentation and disclosure of the various elements of
financial statements and related disclosure.
Conditions and Events That May Indicate Risks of Material Misstatement
The examples provided cover a broad range of conditions and events; however, not
all conditions and events are relevant to every audit engagement and the list of
examples is not necessarily complete.
Operations in regions that are economically unstable
Operations exposed to volatile markets
Operations that are subject to a high degree of complex regulation
Going concern and liquidity issues including loss of significant customers.
Constraints on the availability of capital and credit
Changes in the industry in which the entity operates
Changes in the supply chain
Developing or offering new products or services, or moving into new lines of
business
Expanding into new locations
Changes in the entity such as large acquisitions or reorganizations or other
unusual events
Entities or business segments likely to be sold
The existence of complex alliances and joint ventures
Use of off-balance-sheet finance, special-purpose entities, and other complex
financing arrangements
The nature of non-routine transactions, which may make it difficult for the
entity to implement effective controls over the risks.
In respect of some risks, the auditor may judge that it is not possible or practicable
to obtain sufficient appropriate audit evidence only from substantive procedures. In
such cases, the entity's controls over such risks are relevant to the audit and the
auditor shall obtain an understanding of them.
3.5 Revision of Risk Assessment [PSA 315(2009).31, A130]
In circumstances where the auditor obtains audit evidence from performing further
audit procedures, or if new information is obtained, either of which is inconsistent
with the audit evidence on which the auditor originally based the assessment, the
auditor shall revise the assessment and modify the further planned audit
procedures accordingly.
4.0 Documenting the Understanding of Internal Control [PSA
315(2009).32;A131-134]
The auditor shall include in the audit documentation:
The discussion among the engagement team and the significant decisions
reached;
Key elements of the understanding obtained regarding each of the aspects of
the entity and its environment and of each of the internal control
components; the sources of information from which the understanding was
obtained; and the risk assessment procedures performed;
The identified and assessed risks of material misstatement at the financial
statement level and at the assertion level; and
The risks identified, and related controls about which the auditor has obtained an
understanding.
The form and extent of documentation is for the auditor to determine using professional
judgment and is influenced by:
The nature, size, and complexity of the entity and its internal control,
Availability of the information from the entity and
The audit methodology and technology used in the course of the audit.
The experience and capabilities of the audit engagement team.
The following tools are available for documenting the understanding of internal
control:
Copies of the entity's procedures manual and organizational chart.
Narrative description
Internal control questionnaires
Flowcharts.
1. Procedures manual
Many companies prepare procedures manuals that document the entity's policies
and procedures. Portions of such manuals may include documentation of the
accounting system and related activities. Copies of this document and the