The University of Sydney Business School

WELCOME
ACCT3014 - Auditing and Assurance
Semester 1, 2013

Week 3 Lecture Planning the Audit

Audit Process Audit Planning Procedures Understanding the Company and Assessing Business Risk

Business School Auditing and Assurance

Lecture Outline
How does the Audit Process work?

Why is Audit Planning crucial in the audit?

Why does the Auditor have to Understand the Client? Why does the Auditor have to assess Business Risk?

Planning the Audit, the Steps ASA 300 Planning an Audit of a Financial Report provides the guidelines for the auditor to follow:

Audit Process
Audit involves various stages
- Pre-engagement/Procedures covering acceptance of a new audit

- Planning, that is establishing an overall audit strategy-Developing an audit plan

- Evidence Collection and Evaluation (covered in Lecture 6)

- Opinion Forming and Reporting (covered in Lecture 12)

LEVELS OF RISK
Pre-engagement stage of Audit Process

ENGAGEMENT RISK (Audit Firm) BUSINESS RISK (Client) AUDIT RISK (IR / CR/ DR)
(Financial Report / Accounts / Assertion)

Planning stage of Audit Process

Engagement Risk: Client Evaluation/Ethical & Legal Considerations

Client Evaluation

Ethical considerations Legal considerations Use of External Experts / other auditors

Introduction to Business Risk Understanding the Entity To plan an audit, the auditor should obtain an understanding of the entity and its environment, to understand events, transactions and practices that may have a significant effect on the financial statements This understanding provides a framework for planning an overall audit approach that responds to the unique characteristics of the entity

ASA 315 - Identifying and Assessing the Risk of Material Misstatement

through Understanding the Entity and Its Environment

Risk assessment commences at a business level which includes potential business risk arising from:

External factors (refer ASA 315.11(a) and A17-A22)

- industry (e.g. market and competition, cyclical/seasonal activity, technological developments)
- regulatory environment (legislation and regulation; applicable accounting framework and industry-specific principles; taxation; government policies such as tariffs, trade restrictions; environmental requirements; and other factors such as level of economic activity, interest risks, inflation, FX fluctuation)
8

ASA 315 (cont.)

Nature of the entity (refer ASA 315.11(b) and A23-A27)

- business operations such as nature of revenue sources, products/services/markets, e-commerce involvement, geographic dispersion, key customers/suppliers, employment issues, R & D, related parties - investments such as acquisitions/mergers/disposal of business activities, capital investment - financing including group structure, debt structure, use of derivative instruments - financial reporting such as accounting principles, revenue recognition, accounting for fair value, FX issues, unusual or complex transactions

ASA 315 (cont.)

Nature of the entity (refer ASA 315.11(b) and A23-A27)

- business operations such as nature of revenue sources, products/services/markets, e-commerce involvement, geographic dispersion, key customers/suppliers, employment issues, R & D, related parties - investments such as acquisitions/mergers/disposal of business activities, capital investment - financing including group structure, debt structure, use of derivative instruments - financial reporting such as accounting principles, revenue recognition, accounting for fair value, FX issues, unusual or complex transactions

10

Auditors Measurement and Review of Financials Such measures from an audit perspective would include: - Key ratios and operating statistics - Key performance indicators - Employee performance measures - Industry trends - Forecasts, budgets and variance analysis - Analyst reports and credit rating reports
Analytical procedures involve a study and comparison of relationships among data to identify expected or unexpected fluctuations and other unusual items Refer ASA 520 Analytical Procedures ...more in future Lecture
11

Information about the Clients Business (refer to ASA 315.6-10 and A6-A14)
Visit premises Annual reports Minutes of meetings Internal meeting reports Prior years audit work papers Firm personnel who provide non audit services Discussions with client management and staff Policy and procedures manual Trade journals and magazines Economy in general
12

The Auditors Business Risk Approach

Recent years have called for Auditors to better understand the Business Risks that the Client is facing, and accordingly identify and respond to those business risks:

A business risk approach allows the auditor to:

Identify threats faced by the organisation Recognises that most business risks will eventually have an effect on the financial statements

Increase the chances of identifying risks of material misstatements in the financial reports

13

Business Risk Categories

BR Categories Financial risk- funds availability, constraints on credit, complex
financing arrangements...

Operational risk-changes in supply chain, lack of competent personnel,

changes in IT environment, changes in key management...

Compliance risk- environmental breaches, exposures to litigation,

contingent liability exposure...

Refer ASA315 Appendix 2 for further examples

14

Business Risk Audit Procedures

Enquiries - Management, staff, internal auditors, company bankers, legal advisors Analytical procedures - Provide a broad indication of the likelihood of possible errors Observations and inspections - Inspection of manuals, visiting business premises, observing procedures taking place
See ASA 315 sections 5-10 for further information

15

Audit Risk (ASA 200, para. 13(c)

The risk that the auditor expresses an inappropriate audit opinion when the financial report is materially misstated (i.e. the auditor does not detect/report such misstatement). A Key Issue Would the key financial account be over or understated as a result of the Business Risk identified. Note that achieved audit risk needs to be kept to an acceptably low level (ASA 500.A6), i.e. reasonable/high level of assurance provided to the users.

In setting the desired audit risk, auditors seek an appropriate balance between the costs of an incorrect audit opinion and the costs of performing the additional audit procedures necessary to reduce audit risk
16

Audit Risk and its Components

Audit Risk
Audit risk (AR) is a function of: The risk of material misstatement of the financial report
The risk that the auditor will not detect the material misstatement (Detection Risk (DR))

Must be assessed at two levels Overall level (i.e. the risks that affect the financial report as a whole) Assertion level for classes of transactions, account balances and disclosures Risk at the assertion level has two components
Inherent Risk (IR) The susceptibility of an assertion to material misstatement, assuming there are no related controls. IR factors are generally business risks (BR) affecting a specific account assertion. Control Risk (CR) The risk of an assertion being materially misstated because controls will not prevent, or detect and correct, errors on a timely basis. CR is the impact of the presence or absence of effective internal control designed to mitigate entity's business risks.

Reduced by proper planning, assignment of staff, professional scepticism and supervision and review

17

Audit Risk and its Components

Inherent risk (ASA 200) Is the possibility that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, assuming there are no related controls Inherent risk exists independently of the audit of financial statements and thus auditors cannot change the actual level of inherent risk Control risk (ASA 200) Is the risk that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, and not be prevented, detected, or corrected on a timely basis by the entitys internal control structure? Control risk is a function of the effectiveness of the internal control structure as good controls reduce risk

18

Audit Risk and its Components

Detection risk (ASA 200)
Is the risk that an auditors substantive procedures will not detect any material misstatements that exist in an assertion, either individually or when aggregated with other misstatements
a function of the effectiveness of substantive procedures and their application by an auditor and thus is fundamental to the amount of audit work undertaken actual level of detection risk is controllable by the auditor through: - appropriate planning, direction, supervision and review

- variation in the nature, timing and extent of audit procedures

- effective performance of the audit procedures and evaluation of their results

19

Audit Risk Components Relationship?

An auditors objective is to achieve an acceptably low level of audit risk, as is practicable Recognising the cost of performing audit procedures, there is an inverse relationship between the assessed levels of inherent and control risks and the level of detection risk that the auditor can accept Auditors, although unable to control inherent risk (IR) and control risk (CR), can assess these risks and design substantive procedures to produce an acceptable level of detection risk, thus reducing the audit risk to an acceptable level
Audit risk model: AR = IR CR DR

choice of audit procedures important!

20

The Audit Process

External Factors (industry, regulatory, economic) Internal Factors (nature of the entity, entitys objectives and strategies)

UNDERSTAND THE BUSINESS ASSESS BUSINESS RISK

ASA 315

ASSESS CLIENT CONTROLS

ASA 315

Including the likelihood of fraud (ASA 240) and non-compliance with laws and regulations (ASA 250)

DETERMINE RESIDUAL AUDIT RISK RESPOND TO AUDIT RISK

ASAs 315, 330, 500

At financial statement level/ account assertion level (AR = fn IR.CR.DR per ASA 200)

Respond to audit risk by linking risks to specific procedures that address the risk at the account and assertion level after considering compensating internal controls
21

Lecture Discussion Question

(a) Explain why it is important to read the board minutes early in the engagement. Identify the types of information that you would expect to be documented in the directors' board minutes that are likely to be relevant to the auditor.

(b)

Discuss how this information will impact on business risk evaluation and audit plan.

22

Deloitte Audit Plan sample

http://www.deloitte.com/view/en_LU/lu/industries/psf/psf-service-offering-along-development/external-audit/index.htm

23

What's on Next Week

More on Business Risk Assessment

Introduction to the term Assertions

Why is the Auditor interested in Internal Controls? What are the Components of Internal Controls? Which Internal Controls are relevant to the Audit linking to the concept assertions? As an introduction to Internal Controls please consider: 1. A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. 2. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
24