Audit Risk and Internal Controls - PowerPoint PPT Presentation

Slides: 25
Provided by: lindak6

Transcript and Presenter's Notes


1
Audit Risk and Internal Controls
2
Audit Risk Model
  • AR = IR x CR x DR
  • AR = Audit risk
  • The risk that the auditor will incorrectly issue
    an unqualified opinion
  • IR = Inherent risk
  • The risk of material misstatements absent any
    internal controls or testing

3
Audit Risk Model
  • CR = Control risk
  • The risk that internal controls will fail to
    prevent or detect material misstatement
  • DR = Detection risk
  • The risk that audit tests will fail to detect
    material misstatement
  • Therefore, audit risk is a function of inherent
    risk, unchecked by controls and not detected by
    the auditor

4
Risk Components
  • Inherent risk
  • Higher in complex transactions
  • Higher where items are more naturally prone to
    fraud
  • Based in part on prior experience
  • Industry and management pressures
  • Inherent risk cannot be changed by the auditor;
    it just is

5
Control Risk
  • Part of Audit Risk Model
  • Depends on the design and execution of controls
  • Audit Risk risk that internal controls will
    FAIL to prevent or detect misstatement
  • High CR means high risk controls will fail
  • Low CR means low risk controls will fail
  • If CR is high, auditor will not rely much on
    controls
  • If CR is low, auditor can rely on ICS and reduce
    other types of testing

6
Risk Components, II
  • More Control risk
  • Depends on all 5 COSO categories
  • Observed by the auditor but cannot be changed
    retroactively
  • Detection risk
  • A function of the types of tests the auditor does
  • Remember: nature, timing, and extent
  • This is the only risk element that can be
    controlled by the auditor

7
Is Risk Quantifiable?
  • Yes and No
  • Often assessed in percentage terms
  • Requires judgment because no number is out there
    to be measured
  • Detection risk needs to be quantified for
    statistical testing

8
Interrelationship of Risks
  • If IR and CR are high, then DR should be low
    (lots of testing)
  • If IR is high and CR is low, DR can be higher,
    because controls offset high IR
  • If IR is low and CR is low, DR can be high
  • If IR is low but CR is high: somewhat indicative
    of fraud. DR should be very low

9
What is Acceptable Audit Risk?
  • Risk the auditor is willing to take of being
    wrong
  • Generally considered in terms of issuing an
    unqualified opinion where there are misstatements,
    but not the reverse
  • Depends on engagement risk
  • Financial stability
  • Industry factors
  • Management integrity
  • Degree of reliance on audited statements

10
Keep Things Open
  • Control risk assessment must be backed up by
    control testing results
  • If tests show weaker controls, CR is higher, thus
    DR needs to be lower

11
Internal Control Objectives
  • Reliability of financial statements
  • Efficiency and effectiveness of operations
  • Compliance with laws and regulations
  • Safeguarding of assets

12
Underlying Limitations
  • Reasonable assurance
  • Cost-benefit
  • Inherent limitations
  • Collusion

13
Design of ICS
  • Preventing material misstatements
  • Detecting material misstatements
  • Preventing misappropriation
  • Detecting misappropriation
  • SarbOx: Management must assess and report on
    design
  • How are transactions initiated, authorized,
    recorded, processed, and reported?
  • Are there any weaknesses?

14
Effectiveness of ICS
  • Is the control operating as designed?
  • Is the person operating the control qualified to
    do so effectively?
  • Does the person have the necessary authority?
  • How should management assess this?
  • Inquiry
  • Inspection of documents
  • Reperformance
  • Observation of operations

15
Management's Report on ICS
  • Must describe design
  • Must make assertions about effectiveness
  • Must report material weaknesses
  • A single weakness prevents claim that ICS is
    operating effectively
  • Must be able to document basis for report
  • Auditor will provide an opinion on the report
  • Any weaknesses mean that the auditor's report will
    be adverse.

16
COSO Components of ICS
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

17
Control Environment
  • Reflects management's overall attitude toward
    controls
  • Integrity and ethical values
  • Commitment to competence
  • Audit committee / Board of Directors
  • Philosophy and operating style
  • Organizational structure
  • HR practices
  • Environment sets the stage for all the rest!

18
Risk Assessment
  • Management's identification of risks
  • Economic
  • Industry
  • Regulatory
  • Operating risks
  • Analysis and management of risks
  • Examples
  • Oil companies in the Gulf of Mexico
  • Smith Corona

19
Control Activities
  • Policies and procedures to address risks
  • Pertains to all four other areas
  • Separation of duties
  • Proper authorization
  • Adequate documents and records
  • Physical control over assets and records
  • Independent checks

20
Information and Communication
  • Initiates, records, processes, and reports
  • Transaction cycles
  • Subsidiaries and controls
  • Think of PERCV

21
Monitoring
  • Need to ensure controls are working
  • Monitoring now more pressing because of SarbOx
  • Control needs change
  • Personnel change
  • Organizational structure changes

22
Documenting your understanding
  • Narratives
  • Flowcharts
  • Pictures tell a thousand words!
  • Questionnaires
  • All "no" answers are weaknesses
  • Look for mitigating controls elsewhere
  • Be sure connections are made
  • Insufficient by itself

23
Reading a Flowchart
  • Top left to bottom right
  • Try to keep one department or operator in one
    column
  • Decision points give alternate paths
  • Connectors are usually necessary

24
Common Flowchart Symbols
  • Data enters system
  • Process
  • Document
  • Multiple copies
  • File
  • Stored data file
  • Disk storage
  • Decision point
  • Connector

Now let's look at page 417