Académique Documents
Professionnel Documents
Culture Documents
OVERVIEW
Objective
To describe how the auditor, through understanding the entity and controls, aims to
minimise audit risk.
UNDERSTANDING
THE ENTITY
NEW AND
CONTINUING
AUDITS
ANALYTICAL
PROCEDURES
Understanding
Methods
Management monitoring
Impact on audit
Reporting weaknesses
AUDIT RISK
AUDIT
MATERIALITY
Matters to consider
Information needs
Objectives, strategies, business risks
Accounting policies
Updating existing clients
INTERNAL
CONTROL
Planning stage
Ration analysis
Expectations and
performance measures
Information needs
ISA 315
Methods
Team discussions
Sources of knowledge
Using the knowledge
Session 10
Concept
Relationship to business risk
Assessing risk of material misstatement
Basic principles
Inherent risk
Control risk
FRAUD & ERROR
Detection risk
Significant risk
Documentation
Session 11
ENGAGEMENT
RISK
Basic concept
Client business risk
Audit risk
Auditors business risk
Engagement risk process
0901
1.1
ISA 315 requires the auditor to identify risks arising from the entity and its
environment, including relevant controls, by:
considering the impact on transactions (e.g. sales, expenses), account balances (e.g.
non-current assets, payables) and disclosures (e.g. related party transactions) in the
financial statements.
Relate the risks that have been identified to what can go wrong:
at the overall financial statement level (e.g. where many assertions are impacted
thus risk is pervasive throughout the financial statements); and
Consider whether the risks are of the type and magnitude that could result in a material
misstatement of the financial statements.
Consider the likelihood that the risks could result in a material misstatement of the
financial statements.
Plan, design and perform appropriate audit procedures in response to those identified
risks.
In other words:
understand the business, its environment and controls to establish what could go
wrong (in that the financial statements contain a material error); then
identify the ways in which material errors could arise and devise a work
programme to test to see if they have (ISA 330 and ISA 500).
1.2
Methods
Obtaining an understanding of the entity and its environment, including its internal
control, is a continuous, dynamic process of gathering, updating and analyzing
information throughout the audit.
0902
make inquiries of management and others within the entity (e.g. business
objectives, governance, production, marketing, internal audit, key employees);
observe (e.g. activities and operations) and inspect (e.g. business plans, strategies,
internal audit risk assessments, records, procedure manuals, premises and plant);
carry out other procedures (e.g. visit premises and facilities, walk through systems
relevant to financial reporting, review external sources of information).
Information obtained from client acceptance procedures and other client engagements
(e.g. review of interim financial statements) may also be relevant in obtaining an
understanding of the entity.
1.2.1
Much of the information obtained will be used within a series of (expert systems)
business templates to assess and understand potential weaknesses that could result in
material financial statement errors (as well as providing added value business
assessments to the client).
to store and categorise the data held on each client and provide quick access
through key word searches;
to search external databases (eg newspapers, trade, regulators) based on key words
(eg entity name, industry name, competitor names, product names) to find data
relevant to the understanding of the entitys business.
1.3
the more experienced engagement team members brief other members and share
their knowledge and audit experience of the entity (the engagement partner must
be involved at least with the highest levels of the briefing process);
team members exchange information about the business risks to which the entity is
subject and about how and where the financial statements might be susceptible to
material misstatement;
0903
members of the engagement team obtain a better understanding of the potential for
material misstatements of the financial statements resulting from fraud or error in
the specific areas assigned to them; and
understand how the results of the audit procedures that they perform may affect
other aspects of the audit including the decisions about the nature, timing, and
extent of further audit procedures.
Such discussions must always be documented along with the decisions made and the
impact on the audit approach.
Team members not involved in the discussions, must none-the-less be informed of the
outcome and specific impact on areas relevant to their responsibilities. This would
usually be achieved through the use of a client planning memorandum (detailing, for
example, the audit strategy, work programme, areas of risk) and verbal briefing by the
team supervisor/manager prior to commencing each audit section.
All team members must have sufficient understanding of the entity to enable them to
perform the work delegated to them and understand how it fits in, and overlaps, with
the rest of the audit.
1.4
Sources of knowledge
Example 1
Suggest examples of the sources which provide background knowledge.
Client
0904
Auditor
External
1.5
To establish a framework within which the audit is planned and professional judgment
exercised in assessing risks of material misstatement and responding to those risks
throughout the audit.
Meaning:
To assess various components of audit and business risk and to develop the audit
strategy and audit plan.
To determine materiality levels and judge if they remain appropriate as the audit
progresses (see Session 10).
Identifying areas where special audit consideration may be necessary, for example,
related party transactions, the appropriateness of managements use of the going
concern assumption, or considering the business purpose of transactions.
To evaluate the sufficiency and appropriateness of audit evidence (see Session 15)
including, for example, management representations (see Session 20).
0905
2.1
Matters to consider
BEFORE
ACCEPTING
APPOINTMENT
Independence
AFTER
ACCEPTING
APPOINTMENT
2.2
Information needs
ISA 315 requires the auditor to obtain an understanding of the:
relevant industry, regulatory, and other external factors including the applicable
financial reporting framework;
Example 2
For a new client suggest, under the following headings, what information you
will require to enable you to obtain a sufficient understanding of the entity and
its environment under ISA 315.
0906
Solution
GENERAL ECONOMIC
INDUSTRY
BUSINESS
FINANCIAL PERFORMANCE
REPORTING ENVIRONMENT
0907
2.3
All of the above elements will be taken into account by the entity when setting its
objectives and strategies. As the environment within which the entity changes (as it
will) so the objectives and strategies for achieving those objectives must change. If the
entity fails to change, its business will be at risk business risk through failure to
change (see Session 8 ).
In addition to the examples given within Session 8, further examples of business risks to
be managed in relation to objectives and strategies include:
Industry developments (e.g. that the entity does not have the personnel or expertise
to deal with changes or increased complexity in the industry, or does not recognise
the need for change).
New products and services (e.g. that there is increased product liability or that the
product may fail).
Expansion of the business (e.g. that the demand has not been accurately estimated,
the market incorrectly analysed).
Current and prospective financing requirements (e.g. the loss of financing due to
the entitys inability to meet requirements).
Use of IT (e.g. the loss of e-commerce facilities due to a failure within the system).
2.4
The auditor needs to understand how the entity selects and applies accounting policies
eg: are they are appropriate for the business and consistent with the financial reporting
framework and accounting polices used in the relevant industry. An incorrect or
aggressive application relates to a financial statement risk.
the methods the entity uses to account for significant and unusual transactions;
the impact of reporting standards (eg IFRS), laws and regulations that are new to
the entity which must be understood.
0908
For example, where the IFRS is new (ie not an update) is the application appropriate
and the implementation requirements/disclosures applied? Where the IFRS is a revised
standard, have the transition provisions (or IAS 8 where appropriate) been correctly
applied and appropriate disclosures made?
Also note:
2.5
Basic, core IFRS are already in issue. New IFRS will more than likely relate to
complex issues with the financial statement risk of inappropriate application.
First time application of IFRS under IFRS 1 must be considered high risk as the
entity will have little experience of IFRS application. The experience of the UK
indicates that it may take up to three issues of IFRS statements (ie three years) for
entities to iron out the complications of switching from local GAAP to IFRS.
In the case of entities audited in prior years, historic key information required for
planning will be available in the working papers (WPs) and other files (e.g. computer
knowledge bases).
But as entities are adaptive and dynamic and operate in a dynamic environment, the
auditor must consider events, transactions and practices that will have changed during
the financial year.
Basically, where were we; what has changed within the business and its environment to
change the nature of risks; where are we now.
Where changes are identified, their impact on the entity, its business and financial
reporting environment must be understood (e.g. when and how the entity dealt with
such changes).
Changes that will impact the business in a future financial period cannot be ignored.
What business risk is there to the entity arising from these changes? Does that risk
impact the current financial statements? For example, future changes in regulations
may create a going concern risk.
Reasons for changes in the selection of, or method of applying, accounting policies must
be ascertained. Any change must be appropriate and consistent with the requirements
(including disclosure) of the applicable financial reporting framework (e.g. IAS 8
Accounting Policies, Changes in Accounting Estimates and Errors).
Example 3
For an existing client, what changes will need to be documented to ensure a
complete understanding of the entity and its environment?
0909
Solution
Internal
External
3.1
Meaning
The analysis of
significant ratios and
trends including the
resulting
investigation of
fluctuations and
relationships
that are inconsistent
with other relevant
information or
which deviate from
predictable amounts.
0910
Purpose
Based on
Interim financial
information
To identify areas of
potential risk e.g.
financial condition
Budgets/forecasts and
management accounts
Draft financial
statements
Discussions with
client
Understanding the
entity and its
environment.
To plan nature,
timing and extent of
other audit
procedures
3.2
Ratio analysis
Considering one set of ratios for the current year may not, by itself, be sufficient.
Comparison should be made with at least the prior year equivalent ratios, if not at least
a three to five year trend.
For example:
3.3
An increase in receivable days may, for example, indicate credit control risk and a
potential increase in bad and doubtful debts.
A decrease in gross profit % may indicate, for example, inventory shrinkage, poor
cut-off procedures or an increase in competition (such that prices were reduced or
increased costs unable to be passed onto the customer).
When such expectations are not founded (e.g. with recorded amounts, ratios developed
from recorded amounts or audit test results not meeting original expectations) the audit
plan is reviewed in identifying risks of material misstatement.
Performance measures may be internal or external (e.g. meeting budgets, cash flows,
reported profit forecasts, share price targets). Professional scepticism must apply
when, for example, the auditor is aware of the potential for pressure to be placed upon
management to meet expected performance measures.
For example, following discussions with management over the course of the year, a
review of the management accounts and an understanding of the business environment
in which the entity operates in, the auditor is expecting the results of the entity to be
lower than the previous year. Instead, not only is turnover up, but gross profit % has
also improved.
This would place the auditor on guard that the financial statements may contain
material errors. If combined with other known factors (e.g. performance-based
incentive remunerations such as bonuses or share options) the risk of management
manipulation through profit smoothing, inappropriate revenue recognition or deferral
of expenses, is higher.
0911
INTERNAL CONTROL
The process designed and effected by those charged with governance, management, and
other personnel, to provide reasonable assurance about the achievement of the entitys
objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations.
Internal control is designed and implemented to address identified business risks that
threaten the achievement of any of these objectives.
the control environment (i.e. attitude, awareness and actions of management and
those charge with governance);
the entitys risk assessment process (i.e. identifying and assessing business risks);
the entitys information systems, including the related business processes relevant
to financial reporting and communication;
the entitys process of monitoring controls (i.e. are the controls operating as
intended; if not, why not and changes to be made).
The control environment is crucial to determining the quality and existence of the other
components.
Session 8 provides a detailed review of these five internal control components. This
session considers the auditors approach and methods to understanding the design and
implementation of internal controls to assess the risks of material misstatement within
the financial statements. This is different to gaining audit assurance from the
effectiveness of internal controls (see Session 13).
4.1
The auditor should obtain an understanding of internal control relevant to the audit (i.e. of
the five elements noted above).
They must also obtain an understanding of the way that the management monitors internal
control, e.g. over financial reporting, and the way corrective action is taken.
0912
If controls are poorly designed or are not implemented, there is potentially a greater risk
of material misstatement within the financial statements.
Professional judgement has to be used to identify those controls (which may be in any
of the five elements noted above) that relate to;
the entitys objective of preparing financial statements that give a true and fair
view; and
the management of risk that may result in a material misstatement within the
financial statements.
For example:
Controls over the completeness and accuracy of information produced by the entity
will be relevant to the auditor where they intend to rely on that information in
designing and performing further procedures.
4.2
Implementation of a control means that the control exists and that the entity is
using it.
4.2.1
Control design
Evidence for understanding and evaluating the design of internal controls can be
obtained through:
previous experience of the entity and its controls (as recorded within the permanent
audit file) there will be a need to update understanding where changes have
occurred in the current year;
0913
inquiry of entity personnel, e.g. management, internal audit, those charged with
governance, operating personnel;
4.2.2
Control implementation
Inquiry alone is not sufficient to determine whether a control has been implemented it
must be seen to be in operation.
These procedures are broadly the same as those used for testing the effectiveness of
internal controls (see Session 13) but note that testing implementation and testing
effectiveness are not the same.
0914
Implementation is testing to see that a control was in operation at any one point in time
and assists the auditor in understanding the system. Control effectiveness is testing to
see if a control was always in operation over a given period of time (e.g. for the financial
year) in order to obtain audit assurance that the financial statements are free from
material error.
4.3
Typically management monitoring may be through internal audit reviewing and testing
internal control. Reports produced by internal audit and the resulting action taken by
management may form a suitable basis for the auditor to understand the management
monitoring process of internal control.
Regular management and supervisory activities (e.g. checking that control activities
take place) and review of external information (e.g. regulatory reports and complaints
from customers) are all indicators of management monitoring of internal control.
4.4
As already noted, understanding the design of internal controls and whether or not they
have been implemented, provides the auditor with an understanding of the risks of
material misstatement due to poor design or non-operation.
If the appropriate controls are well designed and in operation, the auditor can then
decide if they wish to obtain audit assurance from those controls. If they decide that
placing reliance on the effectiveness of the controls is an efficient and effective approach
to lowering audit risk to an acceptable level (see next section, Audit Risk), they must
obtain audit evidence about the effectiveness of the control operations throughout the
period of the financial statements. (See Session 13).
4.5
Reporting of weaknesses
Those charged with governance, or management, must be informed by the auditor of
material weaknesses in the design or implementation of internal control. For example:
risks of material misstatement for which the relevant control is inadequate or has
not been implemented; and (if in the auditors judgment there are)
material weaknesses in the entitys risk assessment process (i.e. the business risk
approach and control procedures of the entity).
This will be done through the use of a management letter (sometimes referred to as a
weakness letter). See Session 13.
0915
AUDIT RISK
5.1
Concept
The risk that the auditor gives an inappropriate audit opinion when the financial statements
are materially misstated.
An audit in accordance with ISAs is designed to provide reasonable assurance that the
financial statements taken as a whole are free from material misstatement. The concept
of reasonable assurance implies that there is a risk that the audit opinion will be
inappropriate (eg an unqualified opinion when the financial statements are materially
misstated).
This risk may be reduced to an acceptable level by designing and performing audit
procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable
conclusions on which to base the audit opinion.
This will be achieved through an appropriate audit strategy and work programme (see
Session 8) which will be developed following a detailed understanding and analysis of
the business, its environment and controls (as discussed above).
that the financial statements may be materially misstated prior to audit financial
statement risk;
and that the auditor may not detect such material misstatement detection risk.
5.2
Business risk is much broader than financial statement risk but as most business risks
will eventually have financial consequences, there will be a cascading impact on the
financial statements and consequently, financial statement risk.
Embodied within business risk controls will be those controls that directly, or indirectly,
relate to financial reporting, operations and compliance.
As already discussed, business risks that have the potential to create financial statement
risks (the ultimate business risk relating to a financial statement risk being going
concern) must be identified by the auditor.
5.3
overall financial statement level (eg such that the financial statements as a whole
are misleading); and at the
0916
No one model for doing this is proposed within ISA. The key points are:
and audit procedures are designed to ensure that audit risk is at an acceptable level.
5.4
Basic principles
Whist it is irrelevant what names and approaches are used (so long as the model follows
the basic principles required by ISAs) the traditional model considers that inherent
risk, control risk and detection risk are the basic components of audit risk.
Inherent risk and control risk, although separately defined, are often subject to a
combined assessment to assess the risk of material misstatement, eg financial statement
risk because of inherent risk and the fact that the controls will not detect such errors.
Detection risk is then referred to as residual risk.
The traditional audit risk model deals with inherent risk and control risk separately:
Components
Audit
Risk
Inherent
Risk (IR)
Control
Risk (CR)
(Ultimate risk)
Detection
Risk (DR)
Auditor manages/manipulates to
achieve acceptable audit risk
Auditor assesses
exist independently of audit
An overall acceptable level of audit risk may be quantified as a matter of practice (i.e.
audit firm) policy (e.g. 5% meaning that there is a 5% risk of a material error being
undetected or conversely, the auditor obtains 95% assurance that there are no
undetected material errors). This % may provide the basis for mathematical derivation
of detection risk and sample sizes.
Alternately inherent risk and control risk may be designated as High, Medium or Low,
with detection risk being the inverse of this relationship (e.g. if both inherent and
control risk are high, detection risk will be low).
5.5
Inherent risk
5.5.1
Definition
0917
5.5.2
At overall financial
statement level
At account balance,
transaction or
disclosure level
Example 4
State at which level (financial statement or assertion) the following factors
would be evaluated.
Solution
(1) Doubts about the integrity of management
(2) Management inexperience in the preparation of the financial statements
(3) Accounts which involve a high degree of estimation
(4) Entity lacks sufficient capital to continue operations
(5) Potential for technological obsolescence of products and services
(6) Complex underlying transactions which might require using the work of an expert
(7) Highly desirable and movable assets (e.g. cash) susceptible to loss or misappropriation
(e.g. theft, embezzlement)
(8) Unusual and complex transactions completed at or near the period end
(9) Changes in consumer demand
(10) Transactions not subject to ordinary processing
0918
5.6
Control risk
5.6.1
Definition
The risk that a misstatement that could occur (at the assertion level) and be
material will not be:
prevented; or
detected and corrected on a timely basis;
5.6.2
Preliminary assessment
From this understanding, controls that are key to assessing the risk of material
misstatement at the assertion level will have been identified.
Where the controls are suitably designed to prevent, or detect and correct, a material
misstatement, tests of the operating effectiveness of the controls can be carried out if
considered to be efficient to do so (see Session 13)
5.6.3
Control risk is assumed to be high (i.e. high risk of material misstatements in the
financial statements) unless:
There will always be some control risk because of the inherent limitations of any
internal control system.
Example 5
Suggest factors may indicate high control risk.
0919
Solution
5.7
Detection risk
5.7.1
Definition
That the auditor will not detect a misstatement that exists (in the financial
statements at the assertion level) that could be material (either individually or
in aggregate with other misstatements).
Substantive procedures are those procedures that are performed in order to detect
material misstatements in the financial statements and include:
5.7.2
Basic principles
Factors that must be considered to avoid incorrect assessment of detection risk include:
the possible selection at the planning stage of inappropriate audit procedures (e.g.
deciding not to carry out any confirmations, low sample sizes, biased sample
selection methods) ;
0920
As inherent and control risk assessments influence the nature, timing and extent of
substantive procedures to be performed to reduce detection risk (and therefore audit
risk) to an acceptably low level, any inappropriate assessment will have a direct,
negative, impact on detection risk.
Because of the nature of the audit process and the factors outlined above, some
detection risk would always be present even if examining 100% of an account balance or
class of transactions. The aim is to reduce this risk to an acceptable level.
Illustration 1
An audit firm uses a mathematical audit risk model to determine the levels of
detection risk.
Inherent risk: Assessed at 75% risk that material problems could arise (e.g.
High).
Control risk: Assessed at 20% risk that controls may miss material errors
(e.g. Low).
Required:
Calculate detection risk.
Solution
Using the model 0.05 = 0.75 0.2 DR therefore DR = 0.33 (e.g. Medium).
This means that substantive testing levels will be adequate even if there is a 33% chance
of them failing to detect material errors or omissions.
But note that most audit work programmes require material items to be selected and
tested anyway - regardless of the detection risk assessed and the sample size calculated.
Example 6
The same firm as in the above example, has a new client company that
undertakes research and development for the pharmaceutical industry. The
client is seeking a listing on the Stock Exchange. Inherent risk is therefore
assessed as high (100%) high risk enterprise, high risk as seeking listing.
However, the client appears to have reasonable internal control. Control risk is
assessed at 40%.
Required:
Calculate detection risk and comment on how it compares with that calculated
in the preceding illustration.
0921
Solution
This mathematical model demonstrates the relationship between inherent risk, control
risk and detection risk, in that the nature, extent and timing of substantive procedures
are inversely related to the assessment of inherent and control risks.
For a given acceptable audit risk, when both inherent and control risks are high (high
risk that the financial statements may contain a material error), detection risk is assessed
as low (higher degree and level of substantive work required) and vice-versa.
Audit
Risk
Inherent
Risk
Control
Risk
Detection
Risk
Policy
Policy
High detection risk means that it is only necessary to carry out a minimum level of
substantive testing (which will usually include testing all items greater than the
materiality level).
Because of the low(er) risks of there being a material error within the financial
statements (low inherent and low control risks), a lower quantity (e.g. sample size) and
lower quality (e.g. indirect evidence rather than direct evidence) of substantive testing
may be acceptable.
Low detection risk, means that higher levels of substantive testing are required as there
is greater risk of a material error being within the financial statements (ie greater testing
to lower the risk of a material error not being discovered).
Methods of varying
detection risk
Some substantive procedures should always be carried out for material account balances
and classes of transactions.
0922
More evidence should be obtained from substantive procedures the higher the inherent
and control risk assessments.
5.8
Significant risks
What ever risk model is used, care must be taken to identify significant risks, i.e.
those risks that relate to significant non-routine transactions and judgemental matters,
where there is for example;
greater ability to use manual override with IS collection and processing of data;
complex calculations (e.g. fair value, provisions and estimates that provide
opportunity for varying outcomes) or accounting policies open to different
interpretations;
the nature of the transactions make it difficult to implement effective controls over
the risks.
A full understanding of such risks and the managements internal control and risk
assessment procedures must be obtained by the auditor. Such risks would normally be
specifically fully tested (ie 100%).
5.9
The discussion among the engagement team regarding the susceptibility of the entitys
financial statements to material misstatement due to error or fraud, and the significant
decisions reached.
Key elements of the understanding obtained regarding each aspect of the entity and its
environment e.g.,
nature of the entity, including the entitys selection and application of accounting
policies;
objectives and strategies and the related business risks that may result in a material
misstatement of the financial statements;
0923
the entitys information systems, including the related business processes relevant
to financial reporting and communication;
The identified and assessed risks of material misstatement at the financial statement
level and at the assertion level.
ENGAGEMENT RISK
6.1
Basic concept
Engagement risk is the overall risk associated with an assurance engagement, eg risk of
litigation, loss of reputation, unpaid fees, low fee recoveries, inappropriate audit
opinions, poor client relationships, failure to understand the clients business. It must
be managed by the auditor and reduced to an acceptable level.
6.2
6.3
Audit risk
Audit risk is controlled and determined solely by the auditor. Through a thorough
understanding of the entity and its environment (including business risk and internal
controls) the auditor can adjust the nature, timing and extent of audit procedures to
reduce audit risk to an acceptable level.
0924
6.4
As with their clients, auditors are faced with business risk, ie the risk that they will not
achieve their objectives. For example, their business is regulated (eg loss of registered
auditor status will impact earning capabilities), exposed to litigation, adverse publicity,
inability to attract/retain experienced staff, failure to keep technically up to date, failure
to maintain fee levels and high risk clients (engagement risk).
Such business risks can be managed. In respect of engagement risk, the risk related to
clients can be managed through good client acceptance and retention procedures (see
Session 5).
6.5
Engagement risk must be addressed throughout the audit, from the initial decision to
accept a new client (or continue to service an existing client) to planning the
engagement, carrying out the audit procedures, reviewing the results of such
procedures and the issue of the audit report.
strong client acceptance procedures (eg do not accept clients who have a tendency
to change auditors on a regular basis, who are litigation happy, who require
services beyond the auditors capabilities);
continuous review for change of client relationships and behaviour throughout the
audit (eg reducing integrity, sudden use of aggressive application of accounting
policies; continuous challenges to auditor recommendations for changes to financial
statements);
closedown review of client continuance (eg are there any factors that will increase
engagement risk for the next audit).
FOCUS
You should now be able to:
explain how auditors obtain an initial understanding of the entity and knowledge of its
business environment;
0925
EXAMPLE SOLUTION
Solution 1 Sources
Client
Auditor
Directors/senior
operating personnel
Specialist publications
(e.g. on hotel audits)
Website
Specific employees
involved in process
Minutes of meeting
Documents sent to
shareholders/filed with
authorities
Procedures manuals
0926
Previous relevant
experience
External
Predecessor auditor
Legal advisors
Industry regulators
Government data
Customers
In-house knowledgebase
Suppliers
CAF/PAF
Competitors
Business process
templates
Trade journals
Financial press
Websites
Solution 2 Information
GENERAL ECONOMIC FACTORS
THE INDUSTRY
Recession
Market/competition
Growth
Costs of entry
Interest rates
Cyclical/seasonal trade
Sources of finance
Technology/fashion
Inflation
Regulatory/environmental
requirements
Workforce skills
Fresh-field sites
BUSINESS
Corporate structure
Locations (office/production/storage)
Local/foreign
Capital structure
Products/services/markets
Organizational structure
Sources of finance
Major/dependent suppliers/customers
(delivery methods e.g. JIT)
Operating management
Internal audit
0927
FINANCIAL PERFORMANCE
Period-on-period financial
performance
Taxation
Accounting principles
Revenue recognition
Accounting policies
Earnings/cash flow
Leasing commitments
Lines of credit
Solution 3 Changes
Internal
Governance/internal audit
work and reports
Administration and IT
functions
0928
Pending litigation
External
Industry practices
Assertion level
3, 5, 6, 7 (see Discussion), 8 & 10
Discussion
(1)
Consider doubts about the integrity of management, could that inherent risk affect
the financial statements as a whole or just a few individual account balances?
Suppose management wanted to overstate profit (in order to pay themselves bonuses
say). To increase profit management could
overstate revenue (e.g. by bringing forward next years sales revenue into the
current year i.e. a deliberate cut-off error)
Because every Dr has a Cr there are then implications for the statement of financial
position
overstatement of trade receivables (because they do not owe the money at the
year end)
In conclusion then, doubts about management integrity has a pervasive effect on the
financial statements as a whole and so this risk is assessed at the financial statement
level.
(7)
Consider cash balances (i.e. physical money rather than bank balances). These
balances may be very small in relation to the assets as a whole (e.g. cash floats in the
till/register of a shop). At the financial statement level the auditor may take no
account of these and so ignore them in the overall audit plan. However, cash is
inherently risky (because it can be stolen if safeguards are not adequate) and cannot
be ignored at the account balance level.
However, in a cash-based business (i.e. cash revenue, purchases and assets paid for in
cash) this would be considered at the financial statement level (i.e. in the preparation
of the overall audit plan) because, again, it has a pervasive effect.
0929
System changes
Management attitude/dominance
Lack of manuals
Inexperienced/incompetent staff
DR =
AR
IR CR
DR =
0.05
= 0.125
1.0 0.4
DR must be rendered lower than in the Illustration. (We should have anticipated this as both
IR and CR have been assessed as higher.) The level of substantive procedures is therefore
relatively higher.
Another way of expressing this is that the level of audit assurance required from substantive
procedures is
100 12.5 = 87.5%
i.e. a relatively high level of assurance is required.
0930