Audit Risk versus Business Risk Slide from Chapter 4

1
Audit Risk versus Business Risk (Slide from
Chapter 4)

• Audit Risk - The risk that the auditor will
  incorrectly give an unqualified opinion on
  financial statements that are materially
  misstated.
• Business Risk - The risk that the auditor will
  suffer loss or injury to his or her professional
  practice due to litigation or adverse publicity
  in connection with an audit.
• The high level of business risk can cause the
  auditor to gather MORE evidence, but a low level
  of business risk does not justify the auditor to
  gather LESS evidence.

2
Why are Internal ControlsRelevant to an Audit?

• They may pertain to the entitys objective of
  preparing for external purposes financial
  statements that are fairly presented in
  conformity with GAAP.
• They may pertain to data the auditor uses to
  apply auditing procedures.

3
How Do Controls Affect Audit Planning and
Performance?

• They provide information about the types and
  risks of potential material misstatements that
  could occur in financial statement assertions.
• They provide information about the specific
  processes, methods, records, and reports a client
  uses to prepare financial statements.

4
Five Components of Internal Control

• The control environment
• Risk assessment
• Control activities
• Information processing and communication
• Monitoring

5
Managements Responsibility for the Internal
Control Structure

• An entitys management is responsible for
  establishing and maintaining internal control.
• Their goal is to provide reasonable assurance
  that the entitys objectives will be achieved.
• Cost of an entitys internal control should not
  exceed the expected benefits.
• Limitations will exist in any entitys internal
  control.

6
Auditors Understanding of Internal Control

• Identify the types of potential material
  misstatements that could occur in the financial
  statements.
• Consider factors that affect the risk that such
  misstatements will occur.
• Design substantive tests.

7
Sources of Knowledge to Obtain an Understanding
of Internal Control

• Auditors prior experience with the client
• Making inquiries of management and client
  personnel
• Observing client activities and operations
• Inspecting documents and records

8
Documentation of the Understanding

• Narrative Descriptions
• Written descriptions and memorandums
• Flowcharts and Data Flow Diagrams
• Symbols and diagrams to show the flow of
  information and documents
• Questionnaires

9
Assessing Control Risk

• First the auditor must obtain an understanding of
  the internal control structure.
• SAS No. 47, Audit Risk and Materiality in
  Conducting an Audit requires the auditor to
  assess control risk.
• Control risk is the likelihood that a material
  misstatement will get through the internal
  control structure and into the financial
  statements.
• Maximum control risk means 100 likelihood that
  internal control will NOT prevent or detect a
  material misstatement in a specific assertion.
• The higher the control risk the more evidence
  from substantive tests the auditor needs to
  perform an adequate audit.

10
Procedures to Compensate for Increasing Levels of
Control Risk

• May modify substantive tests in one of the three
  following ways.
• Change the nature of the substantive tests from
  less effective to more effective procedures.
• Change the timing of the substantive tests (i.e.
  more year end and fewer interim tests).
• Change the extent of the substantive tests (i.e.
  apply to more items).

11
Assessing Control Risk Below the Maximum Level

• First - Identify the controls (policies or
  procedures) that affects a financial statement
  assertion.
• There can be a pervasive effect on many
  assertions, or a specific effect on an individual
  assertion.
• Second - Evaluate how effectively the controls
  prevent or detect material misstatements in that
  assertion.
• Test the controls to determine how the procedure
  is designed and how it operates.

12
Sources of Evidence About Control Risk

• Understanding of internal control obtained to
  plan the audit
• Planned tests of controls performed to obtain the
  understanding
• Additional tests of controls performed
• Determine whether additional evidence is likely
  to be available
• Determine whether it would be efficient to
  perform the additional tests of controls

13
Documenting the Assessed Level of Control Risk

• SAS No. 55 requires the auditor to document the
  assessment of control risk.
• If control risk is determined to be below the
  maximum level, documentation is required.
• Tests of controls
• Results of the tests
• Auditors evaluation of the effectiveness the
  controls
• If control risk is determined to be at the
  maximum level, only that fact need be documented.

14
The Internal Audit Function

• SAS No. 65, The Auditors Consideration of the
  Internal Audit Function in an Audit of Financial
  Statements establishes the auditors
  responsibilities to consider the internal audit
  function.
• The internal audit function is part of the
  monitoring component of internal control.

15
Internal Audit Activities

• May influence nature, timing, and extent of three
  major audit procedural categories
• Procedures to obtain an understanding of the
  entitys internal control.
• Tests of controls necessary to support the
  assessed level of control risk.
• Substantive tests necessary to restrict detection
  risk to an acceptable level.

16
Assessing the Competence and Objectivity of the
Internal Audit Function

• If internal auditors activities may affect the
  audit, the external auditor must evaluate the
  competence and objectivity of the internal audit
  function. Three factors should be considered
• The internal auditors education, experience,
  certification, and continuing education program
• Internal audit policies programs procedures,
  etc.
• Quality of internal audit documentation, reports,
  and recommendations and the evaluation of
  internal auditors performance

17
Communication of Internal Control Matters

• Reportable Conditions are significant
  deficiencies in the design or operation of
  internal control which could adversely affect the
  organizations accounting functions.
• Material Weaknesses are reportable conditions
  that could result in material errors or
  irregularities in financial statement amounts.
• Conditions may be reported orally or in writing.
• Oral communications must be documented in the
  work papers.
• Written reports have specific guidelines.
• Auditor is prohibited from issuing a report
  saying there were no reportable conditions noted.

18
Foreign Corrupt Practices Act

• Illegal Foreign Payments
• Criminal offense to pay foreign officials to
  obtain or maintain a business relationship.
• Accounting Provisions
• Apply only to SEC registrants
• Registrants must establish and maintain adequate
  records of transactions.
• Registrants must establish a system of internal
  accounting controls.