Canadian Excellence

Chapter 7

Assessing
Risks and
Internal
Control
Canadian Excellence
Learning Objectives
1. Describe the
conceptual audit risk
model and its
components, and
explain its usefulness
and limitations in
conducting the audit.
2. Explain how auditors
assess the auditees
business risk through
strategic analysis and
business process
analysis.

3. Outline the
relationships among
business processes,
accounting
processes/cycles and
managements
general purpose
financial statements.

Canadian Excellence
Learning Objectives
4. Illustrate how business
risk analysis is used in a
preliminary assessment
of the risk that fraud or
error has led to material
misstatement at the
overall financial
statement level.
5. Describe the basic
components of internal
control; control
environment,
managements risk
assessment process,
information systems and
communication, control
activities and monitoring.
6. Explain how the auditors
understanding of an
organizations internal
control helps to assess
the risk that its financial.
statements are
misstated.
7. Apply and integrate the
chapter topics to analyze
a practical auditing
situation / case /
scenario.




Canadian Excellence
Audit Risk Assessment
Auditing is fundamentally a risk management
process.
Audit risk is related to information risk that
financial statements are materially misstated.
Auditors strive to lower audit risk by performing audit
work that gives a high level of assurance that statements
are correct.
Auditors need to assess risk in audit related terms;
inherent risk, control risk and detection risk.
Canadian Excellence
Inherent Risk
The probability of material misstatement
occurring in transactions entering the
accounting system or being in the account
balances is inherent risk.
Auditors do not create or control inherent risk.
Auditors only try to assess its magnitude based on prior
experience, management bias, and nature of the
transactions.
The auditor will consider the characteristics of the clients
business, types of transactions, and effectiveness of
accountants.
Canadian Excellence
Internal Controls
Internal controls are a key component of an
organizations overall risk management
framework.

When we adapt a controls approach, auditors
evaluate or assess probability of control
failures to detect material misstatements.
Auditors assess the effectiveness of controls
This is known as controls testing: procedures
used in the control risk assessment.


Canadian Excellence
Control Risk
The risk that the clients internal control
system will not prevent or detect a material
misstatement is control risk.
Auditors do not create or control the control risk;
they simply evaluate or assess probability of failure
to detect material misstatements.
Assessment is based on study and evaluation of
the companys control system.
Canadian Excellence
Control Risk
Control risk assessment provides only an
indirect assessment of monetary
misstatements in the financial statements.
Control testing or compliance testing are detailed
procedures used to assess control risk.
Control risk should not be assessed so low that
auditors rely entirely on controls, and do no
substantive work.
Canadian Excellence
Risk of Material Misstatement (RMM)


Inherent Risk




Control risk


High


Moderate/Low


Low


Moderate/Low


Risk that is not
Significant


Significant
Risk

Higher


Lower

Auditor will make an
assessment of IR and
CR, which is called
RMM
Canadian Excellence
Detection Risk
The risk that any material misstatement that
has not been corrected by the clients internal
control will not be detected by the auditor.
Auditors can control this risk by conducting
substantive (balance audit) tests.
Substantive tests include audit of details of transactions
and balances, and analytical procedures applied to dollar
amounts in the accounts.
Canadian Excellence
Audit Risk
The probability that an auditor will fail to
express a reservation that financial
statements are materially misstated is audit
risk.
Audit risk is greater if there is poor planning or
poor execution of the audit.
Audit risk is dependent on user reliance.
Audit risk is also applied to individual account
balances and disclosures.
Canadian Excellence
Audit Risk Model
AR = IR x CR x DR Be wary! Its not a straight
calculation!
Audit risk will occur when:
a material misstatement has been made in the
transactions or balances (inherent risk),
and internal controls fail to detect or correct the
misstatement (control risk), and
audit procedures also fail to detect the
misstatement (detection risk).

Auditors want to hold audit risk to a
relatively low level

Canadian Excellence
How Materiality and Audit Risk are
Related
The materiality and audit risk decisions main
impact on the audit is on the extent of audit
evidence that needs to be gathered during the
audit:
Nature, timing and extent of audit procedures.
Canadian Excellence
Business Risk and extension of the Audit
Risk Model
Business risk is an event of action that will
adversely affect an organizations ability to
achieve its objectives and execute its
strategies.
Auditors need to assess the ways that business
risk affects the risk of material misstatement in
financial statements.
Canadian Excellence
Business Risk-Based Approach to Auditing
The business risk-based approach to auditing
requires the auditor to understand the
auditees business risks, managements
strategy for addressing those risks, and the
business processes it uses to implement the
strategy.
- Assess entitys risk assessment process

Canadian Excellence
Business Risk Analysis
There are two parts of business analysis:
1. Strategic analysis, and
2. Business process analysis.

- At the end of the business analysis, the auditor
should be able to determine if there are any
weaknesses in the clients risk management
process that could lead to misstatement on the
financial statements.


Canadian Excellence
Strategic Analysis
Gain an understanding from senior client
management about:
business objectives,
key strategies employed to meet those objectives,
and
risks that threaten achievement of those
objectives.
Canadian Excellence
Business Process Analysis
Management will minimize risks through well-
designed business processes.

Business process analysis deepens the
auditors understanding of the clients
operations.
It may also highlight risks and possible note
disclosures.
Canadian Excellence
Accounting Processes and the Financial
Statements
Recap There are two important points to
remember about client financial statements:
Management is responsible for preparing them,
and they contain managements assertions
about economic actions and events.
The financial statement numbers are produced
by the company's accounting system and are
summarized on the trial balance.
Canadian Excellence
Managements Financial Statements
To simplify the audit plan, auditors typically
group the accounts into several accounting
processes.
(1) revenues and collection
(2) acquisition and expenditure
(3) production and conversion
(4) finance and investment

Can you identify which FS accounts are
linked to each process?
Canadian Excellence
Internal Control Components
Internal control is defined as the process
designed, implemented, and maintained by
management to provide reasonable assurance
about:
the reliability of financial reporting,
effectiveness and efficiency of operations, and
compliance with applicable laws and regulations.
Canadian Excellence
Internal Control Components
Internal control consists of the following:
a. the control environment,
b. the entitys risk assessment process,
c. the information system and business processes
relevant to financial reporting and
communication,
d. control activities, and
e. the monitoring of controls.

Canadian Excellence
Internal Control Components
Components (a) (b) (c) and (e) operate at the
company level, and are referred to as
management controls.

Control activities (d) are controls over processes,
applications, and transactions.
Canadian Excellence
Control Environment
The control environment is characterized by
management attitudes, structure, effective
communication of control objectives and
supervision of personnel and activities.
Tone at the top.
Board of directors, particularly the audit committee
should be considered.
Canadian Excellence
Control Environment
Elements of control environment (CAS 315):
- Communication and enforcement of integrity and
ethical values
- Commitment to competence
- Participation of those charged with governance
- Managements philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices


Canadian Excellence
Risk Assessment Process
The risk assessment process is how
management identifies risks related to
misstatements in the financial statements.
Management will also evaluate the significance
and likelihood of those risks, and decide how to
manage those risks efficiently and effectively.
Canadian Excellence
Information System, Business Processes
and Communication
Information system consists of infrastructure,
software, people, procedures and data. An
information system has procedures to:
identify and record all valid transactions,
describe transactions in a manner that permits proper
classification,
measure the value of transactions,
determine the time period in which transactions should be
reported, and
Present the transactions properly in the financial statements.
Communication may take such forms as policy
manuals and can be made electronically, orally, and
through the actions of management.
Canadian Excellence
Control Activities
Controls are policies and procedures that
ensure the achievement of the entitys goals,
including financial reporting goals.
Controls can be categorized as either general
controls or as application controls.
General controls relevant to the audit include
performance reviews.
Application controls include checks on
accuracy, completeness, and authorization of
transaction processing.
Canadian Excellence
Monitoring of Controls
Managements monitoring of controls includes
considering whether they are operating as
intended.
Monitoring may include reviews of reconciliations,
internal audit evaluations, and legal department
evaluations of compliance.
Controls are modified as required to accommodate
changes in business conditions.
Canadian Excellence
How Internal Control Relates to the RMM
To assess the risk of material misstatement at
the financial statement level, the auditor needs
a detailed knowledge of internal control
components relevant to financial reporting.
Gained mainly by making enquiries of clients
personnel, analytical procedures, observation and
inspection, PY information, discussion amongst
engagement team.