Auditing – Lecture 5 Part II. Audit process by phase: Phase II. Planning
Oct 19, 2015

Content
• Understanding of the client
• Audit risk
• Internal control
• Control risk
• Planning of the audit
• Recommended reading
• Appendices: ISA 300, 310, 315, 320, 330

Understanding – AP*

In the client acceptance phase (Phase I of the audit process model), the auditors review material that is readily available about the entity and the entity’s environment (annual reports, public news, and public information databases). However, in the planning phase the auditor’s understanding of the entity and its environment should grow significantly. As ISA 315 points out, this understanding is an essential aspect of carrying out an ISA audit. It establishes a frame of reference within which the auditor plans the audit and exercises professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks.

Analytical procedures to obtain understanding of entity and its environment (preliminary AP or risk assessment AP):
• Inquiries of management and others within the entity - it is important to have discussions with the client’s management about its objectives and expectations, and its plans for achieving these goals. The discussions may encompass short-term management objectives such as increasing profit, reducing investment in working capital, introducing new product lines, reducing taxes, or reducing selling and distribution expenses. However, although management will typically be the most effective and efficient information source, it might be worthwhile to obtain information from others, in order to reduce the potential for bias.
• Observation and inspection - A visit to, and tour of, the company premises will help the auditor develop a better understanding of the client’s business and operations.
  Seeing the production process will help the auditor assess the inventory movement and the use of fixed assets. Rust on equipment may indicate that plant assets have been idle. Excessive dust on raw materials or finished goods may indicate a problem of obsolescence.
• Other information sources - In addition to these procedures, the auditor might consider obtaining information from other sources, for example, the entity’s external legal counsel, or externally available data sources, including analysts’ reports, industry journals, government statistics, surveys, texts etc.

*See Appendix: ISA 315

Understanding – understan-g*

ISA 315 distinguishes the following relevant aspects in the understanding of the entity and its environment:
• industry, regulatory and other external factors, including the applicable financial reporting framework - It is important to understand the client’s industry because their industry has specific risks created by the nature of the business, accounting conventions, and industry regulation. Understanding inherent risks common to all companies in a certain industry helps the auditor identify the inherent risks of the individual company. The regulatory environment issues relevant to understanding the industry are: accounting principles (their industry specific application), taxation, environmental requirements, and the laws and government policies affecting the industry. Industries are also affected by external factors such as general economic conditions, interest rates, and availability of capital and debt.
• nature of the entity, including the entity’s selection and application of accounting policies - This aspect of the understanding phase deals with the entity’s core, i.e. its operations, types of investments, its financing ownership, and how management applies and discloses accounting policies.
• objectives and strategies, and the related business risks that may result in a material misstatement of the financial statements - the entity’s objectives are the overall plans for the company as determined by those charged with governance and management. Strategies are the operational approaches by which management intends to achieve its objectives. Significant conditions, events, circumstances or actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies create business risks. The concept of business risks is broader than the concept of risks of material misstatements in the financial statements. However, most business risks will typically have a financial consequence, and hence will find their way into the financial statements.
• measurement and review of the entity’s financial performance - in order to assess the risk of material misstatements in the financial statements, an auditor should examine internally generated information used by management and external (third party) evaluations of the company. Internal measures provide management with information about progress towards meeting the entity’s objectives. Internal information may include key performance indicators, budgets, variance analysis, segment information, and divisional, departmental or other level performance reports, and comparisons of an entity’s performance with that of competitors. External information, such as analysts’ reports and credit rating agency reports, may be useful to the auditor. Internal or external performance measures may create pressures on management to misstate the financial statements. A deviation in the performance measures may indicate a risk of misstatement of related financial statement information.
• internal control – a good understanding of internal control is required for an appropriate assessment of the risk of material misstatement in the financial statements.

Audit risk – assess-t (steps)

The auditor examines the risks of material misstatement at the financial statement level and at the financial statement assertion level for classes of transactions, account balances, and disclosures. Risks that exist at the financial statement level are pervasive, i.e. they have a potential impact on a large number of items in the financial statements. An example is the risk that a company is unable to continue as a going concern. This risk would not just have an impact on one item of the financial statements, but would be of importance on the recognition and valuation of many items. Other risks are confined to one or only a few assertions in the financial statements, e.g. the risk of theft from a specific warehouse A could have an impact on the existence of the items recorded on account balance “Inventory warehouse A”.

To assess the misstatement risks, the auditor performs four tasks:
• Identify risks by developing an understanding of the entity and its environment, including relevant controls that relate to the risks. Analyze the strategic risks and the significant classes of transactions.
• Relate the identified risks to what could go wrong in management’s assertions about completeness, existence, valuation, occurrence, and measurement of transactions or assertions about rights, obligations, presentation, and disclosure.
• Determine whether the risks are of a magnitude that could result in a material misstatement of the financial statements.
• Consider the likelihood that the risks will result in a material misstatement of the financial statements and their impact on classes of transactions, account balances and disclosures.

Audit risk – assess-t (B&Arisk)*
*See Appendix: ISA 315, 320, 330

Business risks result from significant conditions, events, circumstances, or actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies. Even though such risks are likely to eventually have an impact on an entity’s financial statements, not every business risk will translate directly into a risk of a material misstatement in the financial statements, which is often referred to as audit risk. For example, the fact that an engineering company has difficulty finding sufficient engineers is clearly a business risk, without there being an obvious direct link to an audit risk.

Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a measure of how reliable the information used by the accounting system is, i.e. how much reliance can be put on it. The higher the audit risk, the more evidence must be gathered in order for the auditor to obtain sufficient assurance as a basis for expressing an opinion on the financial statements.

Audit risk has three components:
• Inherent risk – is the susceptibility of an account balance or class of transactions to misstatements that could be material, individually or when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls.
• Control risk – is the risk that a misstatement that could occur in an account balance or class of transactions and that could be material – individually or when aggregated with misstatements in other balances or classes – will not be prevented or detected and corrected on a timely basis by accounting and internal control systems.
• Detection risk – is the risk that an auditor’s substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, individually or when aggregated with misstatements in other balances or classes.

When inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. For example, if the internal control structure is effective in preventing and/or detecting errors (i.e. control risk is low), the auditor is able to perform less effective substantive tests (detection risk is high). Alternatively, if the account balance is more susceptible to misstatement (inherent risk is higher), the auditor must apply more effective substantive testing procedures (detection risk is lower). In short, the higher the assessment of inherent and control risk, the more audit evidence the auditor should obtain from the performance of substantive procedures.

Audit risk – assess-t (IR)*

The inclusion of inherent risk (IR) in the audit risk model is one of the most important concepts in auditing. It implies that auditors should attempt to predict where misstatements are most and least likely in the financial statement segments. This information affects the amount of evidence that the auditor needs to accumulate, the assignment of staff and the review of audit documentation.

The auditor must assess the factors that make up IR and modify audit evidence to take them into consideration: nature of the client’s business, results of previous audits, initial versus repeat engagement, related parties, nonroutine transactions, judgment required to correctly record account balances and transactions, makeup of the population, factors related to fraudulent financial reporting, factors related to misappropriation of assets. It is difficult to separate the latter ones – factors related to fraudulent financial reporting and/or misappropriation of assets – into acceptable audit risk, inherent risk, or control risk.

The auditor must evaluate the information affecting inherent risk and decide on an appropriate inherent risk level for each cycle, account, and, many times, for each audit objective. Some factors, such as an initial versus repeat engagement, will affect many or perhaps all cycles, whereas others, such as nonroutine transactions, will affect only specific accounts or audit objectives.

By performing preliminary analytical procedures (inquiry, observation, investigation) auditors begin their assessments of inherent risk during the planning phase and update the assessments throughout the whole audit process.

Audit risk – assess-t (SR)*

Significant risks (SR) are audit risks that require special audit consideration. Significant risks generally relate to judgmental matters and significant non-routine transactions. Judgment is used, for example, in the development of significant accounting or fair value estimates. Non-routine transactions are transactions that are unusual, either due to size or nature, and that therefore occur infrequently.
Risks of material misstatement may be greater for significant judgmental matters requiring accounting estimates or revenue recognition, and for assumptions about the effects of future events (e.g. fair value) than for ordinary transactions.

Significant risks arise on most audits, but their determination is a matter for the auditor’s professional judgment.

Audit risk – materiality*

According to the definition of materiality given in the IFAC and AICPA frameworks, information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement. Thus, materiality provides a threshold or cutoff point rather than being a primary qualitative characteristic which information must have if it is to be useful.

Planning materiality is a concept that is used to design the audit such that the auditor can obtain reasonable assurance that any error of a relevant (material) size or nature will be identified. There are additional costs for an auditor to audit with a lower materiality. The lower the materiality, the more costly is the audit. If any error of whatever small size needs to be found in the audit, the auditor would spend significantly more time than when a certain level of imprecision (higher materiality level) is considered acceptable.

What is material is often difficult to determine in practice. However, four factors are generally considered - size of item, nature of it, the circumstances, and the cost and benefit of auditing the item.
• Size of the item – it is the most common characteristic for applying materiality. A large dollar amount item omitted from the financial statements is generally material.
  Size must be considered in relative terms, for example, as a percentage of the relevant base (net income, total assets, sales, etc.) rather than an absolute amount.
• Nature of the item – it is a qualitative characteristic. An auditor cannot quantify the materiality decision in all cases; certain items may have significance even though the dollar amount may not be quite as large as the auditor would typically consider material. It has been suggested that in making judgments about materiality, the following aspects of the nature of a misstatement should be considered:
  ◦ the events giving rise to the misstatement;
  ◦ the legality, sensitivity, normality, and potential circumstances of the event or transaction;
  ◦ the identity of any other parties involved; and
  ◦ the accounts and disclosure notes affected.
• Circumstances of occurrence of the item
• Cost and benefit of auditing the item

What degree of imprecision or materiality is acceptable in auditing financial statements?

Internal control (IC) – def&im

Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, and safeguarding of assets against unauthorized acquisition, use or disposition. This definition reflects certain fundamental concepts:
• Internal control is a “process.” Internal control is not one event or circumstance, but a series of actions that permeate an entity’s activities. These actions are pervasive and are inherent in the way management runs the business.
• Internal control is effected by people. A board of directors, management, and other personnel in an entity effect internal control.
  The people of an organization accomplish it, by what they do and say. People establish the entity’s objectives and put control mechanisms in place.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board that the company’s objectives are achieved. The likelihood of achievement is affected by limitations inherent in all internal control systems. These limitations include the realities that human judgment can be faulty, breakdowns may occur because of human failures such as simple error, and controls may be circumvented by collusion of two or more people. Finally, management has the ability to override the internal control system.
• Internal control is geared to the achievement of objectives in one or more separate overlapping categories:
  ◦ operations – relating to effective and efficient use of the entity’s resources;
  ◦ financial reporting – relating to preparation of reliable published financial statements;
  ◦ compliance – relating to the entity’s compliance with applicable laws and regulations;
  ◦ safeguarding of assets.

The reason a company establishes a system of control is to help achieve its performance and profitability goals and prevent loss of resources by fraud and other means. Internal control can also help to ensure reliable financial reporting and compliance with laws and regulations.

Everyone in the organization has responsibility for internal controls: management, board of directors, internal auditors, and other personnel. The chief executive officer is ultimately responsible and should assume ownership of the internal control system, providing leadership and direction to senior managers. Of particular significance are financial officers and their staff. The board of directors provides governance, guidance, and oversight.
A strong, active board is best able to identify and correct management attempts to override controls and ignore or stifle communications from subordinates. Internal control should be an explicit or implicit part of everyone’s job description.

Internal control (IC) – O&R

Responsibilities for internal controls differ between management and the auditor. Management is responsible for establishing and maintaining the entity’s internal controls. Management is also required to publicly report on the operating effectiveness of those controls. In contrast, the auditor’s responsibilities include understanding and testing internal control over financial reporting. Since 2004, auditors of larger public companies have been required by the SEC to annually issue an audit report on the operating effectiveness of those controls.
• Management’s responsibilities for establishing internal control - management, not the auditor, must establish and maintain the entity’s internal controls. This concept is consistent with the requirement that management, not the auditor, is responsible for the preparation of financial statements in accordance with applicable accounting frameworks such as GAAP or IFRS. Two key concepts underlie management’s design and implementation of internal control - reasonable assurance and inherent limitations.
  ◦ Reasonable assurance - a company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. Internal controls are developed by management after considering both the costs and benefits of the controls. The concept of reasonable assurance allows for only a remote likelihood that material misstatements will not be prevented or detected on a timely basis by internal control.
  ◦ Inherent limitations - internal controls can never be completely effective, regardless of the care followed in their design and implementation.
    Even if management can design an ideal system, its effectiveness depends on the competency and dependability of the people using it.
• Management’s reporting responsibilities – SOX requires management of all public companies to issue an internal control report that includes the following:
  ◦ A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting
  ◦ An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year.
  Management must also identify the framework used to evaluate the effectiveness of internal control. Management’s assessment of internal control over financial reporting consists of two key aspects. First, management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls.
• Auditor responsibilities for understanding internal control – the auditor obtains the understanding of internal control to assess control risk in every audit. Auditors are primarily concerned about controls over the reliability of financial reporting and controls over classes of transactions.
  ◦ Controls over the reliability of financial reporting - financial statements are not likely to correctly reflect GAAP or IFRS if internal controls over financial reporting are inadequate. Unlike the client, the auditor is less concerned with controls that affect the efficiency and effectiveness of company operations, because such controls may not influence the fair presentation of financial statements. Auditors should not, however, ignore controls affecting internal management information, such as budgets and internal performance reports.
    These types of information are often important sources used by management to run the business and can be important sources of evidence that help the auditor decide whether the financial statements are fairly presented. If the controls over these internal reports are inadequate, the value of the reports as evidence diminishes.
  ◦ Controls over classes of transactions - Auditors emphasize internal control over classes of transactions rather than account balances because the accuracy of accounting system outputs (account balances) depends heavily on the accuracy of inputs and processing (transactions). For example, if products sold, units shipped, or unit selling prices are wrong in billing customers for sales, both sales and accounts receivable will be misstated. On the other hand, if controls are adequate to ensure correct billings, cash receipts, sales returns and allowances, and write-offs, the ending balance in accounts receivable is likely to be correct.
• Auditor responsibilities for testing internal control - the auditor is required to report on the effectiveness of internal control over financial reporting. To express an opinion on these controls, the auditor obtains an understanding of and performs tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements.

Internal control (IC) – Components

Internal control consists of five interrelated components: (1) control environment; (2) risk assessment process; (3) the information system, communication, and related business processes; (4) control procedures; (5) monitoring of controls.
• Control environment - consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
• Risk assessment - management’s risk assessment differs from but is closely related to the auditor’s risk assessment. While management assesses risks as a part of designing and operating internal controls to minimize errors and fraud, auditors assess risks to decide the evidence needed in the audit. If management effectively assesses and responds to risks, the auditor will typically accumulate less evidence than when management fails to identify or respond to significant risks.
  Auditors obtain knowledge about management’s risk assessment process using questionnaires and discussions with management to determine how management identifies risks relevant to financial reporting, evaluates the significance and likelihood of the risks occurring, and decides the actions needed to address the risks.
• Control activities – policies and procedures, in addition to those included in the four control components, that help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives. There are potentially many such control activities in any entity, including both manual and automated controls. The control activities generally fall into the following five types, which are discussed next:
  ◦ Adequate separation of duties – it includes*: separation of the custody of assets from accounting, separation of the authorization of transactions from the custody of related assets, separation of operational responsibility from record-keeping responsibility, separation of IT duties from user departments
  ◦ Proper authorization of transactions and activities - Every transaction must be properly authorized if controls are to be satisfactory.
    If any person in an organization could acquire or expend assets at will, complete chaos would result. Authorization can be either general or specific. Under general authorization, management establishes policies and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. General authorization decisions include the issuance of fixed price lists for the sale of products, credit limits for customers, and fixed reorder points for making acquisitions. Specific authorization applies to individual transactions.

    * Separation of duties:
      • separation of the custody of assets from accounting - a person who has temporary or permanent custody of an asset should not account for that asset,
      • separation of the authorization of transactions from the custody of related assets - it is desirable to prevent persons who authorize transactions from having control over the related asset, to reduce the likelihood of embezzlement,
      • separation of operational responsibility from record-keeping responsibility - to ensure unbiased information, record keeping is typically the responsibility of a separate department reporting to the controller,
      • separation of IT duties from user departments - to compensate for these overlaps of IT duties and specific user department duties, it is important for companies to separate major IT-related functions from key user department functions.

  ◦ Adequate documents and records - they are the records upon which transactions are entered and summarized. They include such diverse items as sales invoices, purchase orders, subsidiary records, sales journals, and employee time cards. Adequate documents are essential for correct recording of transactions and control of assets.
    Documents and records should be: (1) prenumbered consecutively (to facilitate control over missing documents and records and as an aid in locating them when they are needed at a later date); (2) prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors; (3) designed for multiple use, when possible, to minimize the number of different forms.
  ◦ Physical control over assets and records - to maintain adequate internal control, assets and records must be protected. If assets are left unprotected, they can be stolen. If records are not adequately protected, they can be stolen, damaged, altered, or lost, which can seriously disrupt the accounting process and business operations. The most important type of protective measure for safeguarding assets and records is the use of physical precautions.
  ◦ Independent checks on performance - the last category of control activities is the careful and continuous review of the other four, often called independent checks or internal verification. The need for independent checks arises because internal controls tend to change over time, unless there is frequent review. Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance. Personnel responsible for performing internal verification procedures must be independent of those originally responsible for preparing the data.
• Information systems (IS), communications and related business procedures - the purpose of an entity’s accounting information and communication system is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.
  An accounting IS has several subcomponents, typically made up of classes of transactions such as sales, sales returns, cash receipts, acquisitions, and so on. For each class of transactions, the accounting system must satisfy all of the six transaction-related audit objectives identified earlier. To understand the design of the accounting information system, the auditor determines (1) the major classes of transactions of the entity; (2) how those transactions are initiated and recorded; (3) what accounting records exist and their nature; (4) how the system captures other events that are significant to the financial statements, such as declines in asset values; and (5) the nature and details of the financial reporting process followed, including procedures to enter transactions and adjustments in the general ledger.
• Monitoring activities - deal with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions. The information being assessed comes from a variety of sources, including studies of existing internal controls, internal auditor reports, exception reporting on control activities, reports by regulators such as bank regulatory agencies, feedback from operating personnel, and complaints from customers about billing charges. For many companies, especially larger ones, an internal audit department is essential for effective monitoring of the operating performance of internal controls. To be effective, the internal audit function must be performed by staff independent of both the operating and accounting departments and report directly to a high level of authority within the organization, either top management or the audit committee of the board of directors.
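
The four separations of duties listed under control activities above can be checked mechanically against a list of who holds which duty over which asset or transaction class. The following Python code is an added example, not part of the lecture; the duty labels, the scope field and the sample assignments are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Assignment(NamedTuple):
    person: str
    duty: str   # one of the duty labels used in INCOMPATIBLE (this example's naming)
    scope: str  # asset or transaction class the duty applies to


# Incompatible duty pairs, one per separation named in the lecture.
# The short labels are assumptions of this example.
INCOMPATIBLE = [
    ("custody", "accounting",
     "custody of assets vs accounting for them"),
    ("authorization", "custody",
     "authorization of transactions vs custody of related assets"),
    ("operations", "record_keeping",
     "operational responsibility vs record-keeping responsibility"),
    ("it_function", "user_function",
     "IT duties vs user department duties"),
]


def find_conflicts(assignments):
    """Return (person, scope, rule) for every person who holds both duties
    of an incompatible pair within the same scope."""
    held = defaultdict(set)
    for a in assignments:
        held[(a.person, a.scope)].add(a.duty)

    conflicts = []
    for (person, scope), duties in sorted(held.items()):
        for first, second, rule in INCOMPATIBLE:
            if first in duties and second in duties:
                conflicts.append((person, scope, rule))
    return conflicts


# Constructed sample data (not from the lecture).
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "custody", "inventory"),
    Assignment("alice", "accounting", "inventory"),      # conflict: same asset
    Assignment("bob", "authorization", "cash"),
    Assignment("bob", "custody", "inventory"),           # different asset: allowed
    Assignment("carol", "authorization", "cash"),
    Assignment("carol", "custody", "cash"),              # conflict: related asset
    Assignment("dave", "operations", "sales"),
    Assignment("erin", "record_keeping", "sales"),       # split across people: allowed
    Assignment("frank", "it_function", "payroll"),
    Assignment("frank", "user_function", "payroll"),     # conflict
]

if __name__ == "__main__":
    for person, scope, rule in find_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{person} [{scope}]: {rule}")
```

Conflicts are evaluated per scope because the lecture ties authorization to the custody of the related assets; holding both duties over unrelated assets is not flagged.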

Control risk – assessment

The auditor obtains an understanding of the design and implementation of internal control to make a preliminary assessment of control risk as part of the auditor’s overall assessment of risk of material misstatements. Before making a preliminary assessment of control risk for each material class of transactions, the auditor must first decide whether the entity is auditable. For this the auditor needs to:
- assess whether the financial statements are auditable
- determine assessed control risk supported by the understanding obtained and by using a control risk matrix to assess control risk
- identify audit objectives and existing controls and to associate controls with related audit objectives
- identify and evaluate control deficiencies, significant deficiencies, and material weaknesses and to associate significant deficiencies and material weaknesses with related audit objectives
- assess control risk for each related audit objective

Control risk – ToC

Tests of controls are audit procedures to test the effectiveness of control policies and procedures in support of a reduced control risk. Key internal controls must be supported by tests of controls. The extent to which tests of controls are applied depends on the assessed control risk. The lower the assessed control risk, the more extensive the tests should be in order to support the high degree of reliance upon internal control.

If an auditor’s low assessment of control risk is based on the expectation that controls are operating effectively, he must perform tests of controls to obtain evidence that the controls were operating effectively during the period. Testing for operating effectiveness is different from determining if controls have been implemented. The auditor determines that the relevant controls exist and that the company is using them to show implementation.
When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence about how controls were applied at relevant times during the audit period, the consistency with which they were applied, and by whom or by what means they were applied.

Tests of controls generally consist of one (or a combination) of four types of evidence-gathering techniques: (1) inquiry of client personnel; (2) observation; (3) inspection (examination of documents); (4) reperformance (or recalculation) – the same procedures as those for obtaining an understanding of the entity.

One type of evidence is not enough - inquiry alone will not provide sufficient appropriate audit evidence. Sometimes substantive tests may be used as tests of controls. When responding to the risk assessment, the auditor may use tests of details of transactions as tests of controls. The objective of tests of details performed as tests of controls is to evaluate whether a control operated effectively. The objective of tests of details performed as substantive procedures is to detect material misstatements in the financial statements.

Timing - the timeliness of evidential matter is about when the evidence was obtained and the portion of the audit period to which it may be applied. If the auditor tests controls at a particular time, the auditor only obtains audit evidence that the controls operate effectively at that time. However, if the auditor tests controls throughout a period, he obtains audit evidence of the effectiveness of the operation of the controls during that period.

Extent - the more reliance the auditor puts on controls in his audit, the greater the extent (amount) of the auditor’s tests of controls. In addition, as the rate of expected variability of the control increases, the auditor increases the extent of testing of the control. Use of IT processing decreases the extent of testing controls.
Once the auditor determines that an automated control is functioning as intended, the auditor may perform tests to determine if the control continues to function effectively.

Effect - the assessed level of control risk for an assertion has a direct effect on the design of substantive tests. The lower the assessed level of control risk, the less evidence the auditor needs from substantive tests. The auditor’s control risk assessment influences the nature, timing, and extent of substantive procedures to be performed.

Planning – evidence*
*See Appendix: ISA 300

Based on the audit procedures performed and the audit evidence obtained, the auditor should evaluate whether the assessments of the risks of material misstatement at the assertion level remain appropriate. The auditor’s assessment of the components of audit risk may change during the course of an audit. The audit evidence obtained may cause the auditor to modify the nature, timing, or extent of other planned audit procedures. The auditor may conclude that evidence is likely to be available to support a further reduction in the assessed level of control risks for some assertions. In all such cases, the auditor should revise his assessment of control risk and should consider changing his audit strategy for the related financial statement assertion audit objective.

- Appropriateness of evidence – a measure of the quality of evidence, meaning its relevance and reliability in meeting audit objectives for classes of transactions, account balances, and related disclosures. If evidence is considered highly appropriate, it is a great help in persuading the auditor that financial statements are fairly stated. Note that appropriateness of evidence deals only with the audit procedures selected. Appropriateness cannot be improved by selecting a larger sample size or different population items.
It can be improved only by selecting audit procedures that are more relevant or provide more reliable evidence.
- Sufficiency – is the quantity of evidence obtained. It is measured primarily by the sample size the auditor selects.

The final step in the planning process is to prepare an audit planning memorandum and an audit plan. The audit planning memorandum summarizes the overall audit strategy and contains the decisions regarding the overall scope, emphasis, and conduct of the audit, planned audit responses at the overall financial statement level, along with a summarization of significant matters documented in the audit plan.

Audit plan (also known as “audit program”) sets out the nature, timing and extent of planned audit procedures required to implement the overall audit strategy into a comprehensive description of the work to be performed.

Recommended reading

- Arens et al. (2015) – chosen chapters will be uploaded to IS
  - Ch. 8-10 (whole)
- Hayes et al. (2014) – chosen chapters will be uploaded to IS
  - Ch. 6-8 (whole)
- ISA 300, 310, 315, 320, 330, 400

Appendix: ISA 300 - Planning

Scope:
- ISA 300 deals with the auditor’s responsibility to plan an audit of financial statements. ISA 300 is written in the context of recurring audits. Additional considerations in an initial audit engagement are separately identified.

Objective:
- The objective of the auditor is to plan the audit so that it will be performed in an effective manner.

Requirements:
- ISA 300 requires the engagement partner and other key members of the engagement team to be involved in:
  - Planning
  - Discussion
- ISA 300 requires the following activities to be undertaken at the beginning of the current audit engagement:
  - Perform requirements of ISA 220
  - Establishing and understanding terms of engagement in accordance with ISA 210
- ISA 300 requires an overall audit strategy to be established:
  - Identify the characteristics of the engagement that define its scope;
  - Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required;
  - Consider the factors that, in the auditor’s professional judgement, are significant in directing the engagement team’s efforts;
  - Consider the results of preliminary engagement activities and, where applicable, whether knowledge gained on other engagements performed by the engagement partner for the entity is relevant; and
  - Ascertain the nature, timing and extent of resources necessary to perform the engagement.
- ISA 300 requires an audit plan to be developed that involves:
  - The nature, timing and extent of planned risk assessment procedures, as determined under ISA 315;
  - The nature, timing and extent of planned further audit procedures at the assertion level, as determined under ISA 330; and
  - Other planned audit procedures that are required to be carried out so that the engagement complies with ISAs
- ISA 300 requires the nature, timing and extent of direction and supervision to be planned.
- ISA 300 requires the strategy, plan and any significant changes to be documented.

Oct 12, 2015
- ISA 300 requires, in respect of an initial audit engagement:
  - Performing procedures required by ISA 220 regarding the acceptance of the client relationship and the specific audit engagement; and
  - Communicating with the predecessor auditor, where there has been a change of auditors, in compliance with relevant ethical requirements.

Appendix: ISA 310 – Unders-g

Scope:
- In performing an audit of financial statements, the auditor should have or obtain a knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that, in the auditor’s judgment, may have a significant effect on the financial statements or on the examination or audit report. For example, such knowledge is used by the auditor in assessing inherent and control risks and in determining the nature, timing and extent of audit procedures.

Objective:
- The purpose of ISA 310 is to establish standards and provide guidance on what is meant by a knowledge of the business, why it is important to the auditor and to members of the audit staff working on an engagement, why it is relevant to all phases of an audit, and how the auditor obtains and uses that knowledge.

Requirements:
- ISA 310 points out that the sources of auditors' knowledge are:
  - previous working experience with the entity and its industry.
  - site visit including client's premises and plant facilities.
  - the client's minutes of meetings and other legal and non-legal documents.
  - the entity's directors and other personnel.
  - the internal auditors and audit committee of the entity.
  - the lawyers, surveyors and other experts who provided services to the entity.
  - the previous auditors and audit working papers.
  - the previous financial reports, budgets, internal control reports and interim financial reports.
  - the client's business partners including customers, suppliers and bankers.

Appendix: ISA 315 – Audit risk

Scope:
- ISA 315 deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control.

Objective:
- The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

Requirements:
- Risk assessment procedures - ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risks, and these risks must then be considered when designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. ISA 315 goes on to identify the following three risk assessment procedures:
  - Making inquiries of management and others within the entity - auditors must have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals
  - Analytical procedures - analytical procedures performed as risk assessment procedures should help the auditor in identifying unusual transactions or positions. They may identify aspects of the entity of which the auditor was unaware, and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks.
  - Observation and inspection – such procedures may also provide information about the entity and its environment. Examples of such audit procedures can potentially cover a very broad area, including observation or inspection of the entity’s operations, documents, and reports prepared by management, and also of the entity’s premises and plant facilities.

ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion.

- Understanding an entity - ISA 315 gives detailed guidance about the understanding required of the entity and its environment by auditors, including the entity’s internal control systems. Understanding of the entity and its environment is important for the auditor in order to help identify the risks of material misstatement, to provide a basis for designing and implementing responses to assessed risk (see reference below to ISA 330, The Auditor’s Responses to Assessed Risks), and to ensure that sufficient appropriate audit evidence is collected. Given that the focus of this article is audit risk, however, students should ensure that they also make themselves familiar with the concept of internal control, and the components of internal control systems.
- Identification and assessment of significant risks and the risks of material misstatement - In exercising judgement as to which risks are significant risks, the auditor is required to consider the following:
  - Whether the risk is a risk of fraud.
  - Whether the risk is related to recent significant economic, accounting or other developments, and therefore requires specific attention.
  - The complexity of transactions.
  - Whether the risk involves significant transactions with related parties.
  - The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty.
  - Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

Appendix: ISA 320 – Mater-ty

Scope:
- ISA 320 deals with the auditor’s responsibility to apply the concept of materiality in planning and performing an audit of financial statements. ISA 450 explains how materiality is applied in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements.

Objective:
- The objective of the auditor is to apply the concept of materiality appropriately in planning and performing the audit.

Requirements:
- ISA 320 requires the auditor to determine, at the planning stage, materiality at the overall financial statement level and, where a lower amount can impact the decision of users for a specific transaction, balance and disclosure, such lower amount.
- ISA 320 requires the auditor to determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures.
- Revise the materiality or set the lower amount if required during any stage of the audit.
- ISA 320 requires the documentation to include:
  - Materiality for the financial statements as a whole;
  - If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures;
  - Performance materiality; and
  - Any revision during the audit.

Appendix: ISA 330 – Audit risk

Scope:
- ISA 330 deals with the auditor’s responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with ISA 315 in an audit of financial statements.

Objective:
- The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.

Requirements - Auditor’s responses to assessed risks:
- Response at financial statement level - The engagement partner and audit manager must ensure:
  - Emphasizing the need to maintain professional skepticism
  - Assigning more experienced staff
  - Providing more supervision
  - Using unpredictable audit procedures and changing the nature, timing, or extent of audit procedures
  - Obtaining more extensive audit evidence from substantive procedures
- Response at the assertion level - The auditor must respond to the assessed risks of material misstatements by determining the nature, timing and extent of audit procedures:
  - Nature of procedures means either tests of controls or substantive procedures. It may also include the type of audit procedures (analytical, enquiry, inspection, observation, recalculation). It is necessary to determine the nature of audit procedures as some procedures are more appropriate for some assertions than others. For example, for the completeness assertion a test of control is more appropriate, and for the occurrence assertion substantive procedures.
  - Timing of audit procedures means when they are performed, or the period to which the audit evidence applies. For example, for procedures on stock take and to verify the cut-off assertion, the procedures need to be performed at the year end to verify the contracts at the year end.
  - Extent of audit procedures refers to the quantum of procedures. Normally greater sample sizes are selected for risky areas to reduce the risk of misstatement to an acceptable level. There is a direct correlation between the risk and the extent of procedures.
  - Tests of controls refer to testing the system rather than each individual transaction. Which approach is to be taken depends upon the results of testing and is a matter of choice discussed separately above. Usually a CAAT, such as test data, is used to obtain evidence of the operating effectiveness of automated programmed validation tests. To verify the effectiveness of the general controls in an IT environment, enquiry, inspection, observation and re-performance are used.
  - Substantive procedures include all possible lists of procedures, including analytical procedures, performed on each material class of transactions, account balance and disclosure to verify the assertions associated with those risks. Auditors may choose to apply either analytical procedures or tests of detail (the rest of the procedures, excluding analytical procedures) or both, considering their appropriateness to the assessed risks. For example, for the risk of window dressing it is appropriate to confirm the existence of outstanding balances.
  - The auditor’s responses to assessed risks must be documented.