Académique Documents
Professionnel Documents
Culture Documents
Audit Risk
Assessment
Announcement
QUIZ TWO
The second quiz for this course will open on 8am,
Wednesday 26th August and will close on
11.59pm, Friday 28th August.
Students are once again reminded that you have
only one chance to attempt this quiz, and you
should attempt within the allocated time.
Failure to do so will result in a zero marks being
awarded to the student.
This quiz covers chapters 4, 5 & 6. It will
comprise of 20 multiple choice questions. The
time allocated for this quiz is only 20 minutes.
The quiz is contributes 1% towards your course
Objectives
Appreciate the importance of audit risk assessment and
why it is linked to financial statement assertions
Describe the procedures performed by an auditor to
assess risk
Appreciate the importance of internal control to an entity
and to its independent auditors
Indicate the procedures for obtaining and documenting
an understanding of the entitys internal control
Explain why and how a preliminary assessment of
control risk is made
Explain the importance of the concept of audit risk and
its three components
Managements financial
statement assertions
Existence or occurrence
Assets or liabilities of the entity exist at a given date
and whether recorded transactions or events have
occurred during the period
Completeness
Transactions, events and accounts that should be
presented in the financial statement are included
Cut-off
All transactions, events and accounts have been
recorded in the correct period
Managements financial
statement assertions
Rights and obligations
Assets represent rights of the entity and liabilities are
the obligations of the entity at a given date
Valuation and allocation
Asset, liability, components have been included in the
financial statements at the appropriate amounts
Accuracy
Transactions have been appropriately recorded in the
proper accounts
Managements financial
statement assertions
Presentation and disclosure
Particular components of the financial statements are
properly classified, described and disclosed
Risk assessment
procedures
Enquiries
Management, staff, internal auditors, company
bankers, legal advisors
Analytical procedures
Provide a broad indication of the likelihood of possible
errors
Observations and inspections
Inspection of manuals, visiting business premises,
observing procedures taking place
Importance of internal
control
The Committee of Sponsoring Organisations (COSO) of
the Treadway Commission defines internal control as:
a process, affected by an entitys board of directors,
management and other personnel, designed to
provide reasonable assurance regarding the
achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Management responsibility
Management (not the auditor), must establish and
maintain the entity's control structure
Control structure aids management to ensure:
Auditor responsibility
ASA 315 para 12 states that:
The auditor shall obtain an understanding of internal
control relevant to the audit
The auditors understanding of the internal control is
then used to plan the audit and to determine the
nature, timing and extent of tests to be performed
The above has to be done in the context of the
internal control structure as defined in ASA 315
11
12
Control environment
Sets the tone of the entity towards control
consciousness and includes:
Enforcement of integrity and ethical values
e.g. setting the tone at the top of the entity by
demonstrating integrity and ethical behaviour
Commitment to competence
e.g. adequate knowledge and skills at every level
in the entity
13
Control environment
Participation by those charged with governance
Managements philosophy and operating style
e.g. approach to taking and monitoring business
risks
Organisational structure
Assignment of authority and responsibility
Human resource policies and practices
e.g. screening prospective employees
14
Risk assessment
Risk assessment is the process used to identify,
analyse and manage the relevant risks which may
affect the achievement of the entitys objectives,
including the preparation of financial statements
15
Risk assessment
Key factors include for example:
changes in the operating environment
new personnel
new or revamped information systems
rapid growth
corporate restructuring
expanded foreign operations
All of the key factors have inherent risks with potential
adverse financial consequences
17
Control activities
Control activities are policies and procedures that help
ensure that management directives are carried out to
address risks that threaten the achievement of entity
objectives
18
Control activities
Key factors include:
performance reviews
information processing controls
e.g. general controls and application controls over
input, processing and output in a computerised
system
physical controls
segregation of duties
e.g. ensuring that individuals do not perform
incompatible duties such as banking cash and
performing bank reconciliations
Information Processing
Controls
General controls
Apply to systems as a whole:
Organisational controls
Systems development and maintenance controls
Access controls
Data and procedural controls
Application controls (input, processing & output
controls)
Segregation of duties
Physical controls
Performance reviews
20
Monitoring
Monitoring is the process by which the entity monitors
the quality of internal controls over time
Involves assessing the design and operation of
controls on a timely basis and taking the necessary
corrective actions
Ongoing monitoring activities could include:
internal audit
continual management review of exception and
operation reports
review/response to customer complaints
21
Limitations of control
22
Understanding internal
control
Issues can include:
Identifying the types of potential misstatements that
may occur
e.g. where to look for potential errors and fraud
Understanding factors that affect the risk of material
misstatement
e.g. revenue recognition issues in some entities
Designing further audit procedures
e.g. assess adequacy of risk assessment
procedures and plan tests of controls
Testing general and application controls in
computerised systems
23
Procedures to obtain an
understanding
Procedures can include:
reviewing previous experience with the entity
being audited
inquiries of management, supervisory and staff
personnel
inspection of documents and records
observation of the entitys activities and operations
transaction walk-through reviews to confirm
documented understanding
24
Example 1
Refer to Professional Application
Question 9.23
Example 1
(a) Business risks are threats that the organisation faces in
attempting to achieve its goals. In this case there are a couple
of main business risks to HealthyGlow, both are in relation to
the purchase of the new full-body scanning machines.
Studies that have shown the potential side-effects of the
new machines is a concern, which is a risk in the longer
term. In the short term, the bad publicity is a risk although
it appears to have had little effect on the level of bookings.
The potential ban of the use of the machines by the Medical
Association of NSW is a much more significant short term
business risk even though management only assesses
this likelihood at 20% (the auditor would want more
evidence on this). HealthyGlow have significant capital
investment in these machines and also significant revenue
that is contingent on the continued operation of the
machines.
Example 1
(b) i. The scanners (property, plant and equipment)
ii. Revenue and unearned revenue
(c) i. Valuation. The scanners may become worthless if they
cannot be used due to the possible decision by the Medical
Association of NSW. There may be an overseas market for
them but this presumably would result in a significant
discounting of value.
ii. Accuracy and cut-off for revenue. There is a risk that
HealthyGlow has been incorrectly recording revenue before
the service is provided. The auditor will need to ensure that
only those services provided before the end of June have been
included in revenue and payments received for bookings after
the end of June should be included as Unearned revenue.
Completeness for unearned revenue. There is a risk that
revenue that has not been earned has not been accounted for
properly.
Documenting the
understanding
Internal Control Questionnaire (ICQ)
consists of a series of questions about accounting
and control policies and procedures the auditor feels
are necessary to prevent material misstatements in
the financial statements
Flow chart
is a schematic diagram that uses standardised
symbols, interconnecting flow lines and annotations
to portray the steps involved in processing
information through the information system
28
Documenting the
understanding
Narrative memoranda
may be used to supplement other forms of
documentation by summarising the auditors overall
understanding of the information system or specific
control policies or procedures
Preliminary assessment of
Control Risk
ASA 315 para 25:
The auditor shall identify and assess the risks of
material misstatement at the financial report level, and
the assertion level for classes of transactions, account
balances and disclosures
Purpose of preliminary assessment
Assessment to obtain a reasonable understanding
of controls in place
decide on appropriate audit strategy so as to
design a detailed audit program
30
Process of assessing
control risk
Use professional judgement to assess the control
environment
Assess the design effectiveness of control procedures
and their ability to prevent or correct misstatements
Assess whether controls were effectively applied
throughout the period under audit
31
32
34
37