Risk assessment (cont.

)
&
audit risk model
Week 5

Before the class

Watch the videos below which explains the audit risk

model (AR, IR, CR & DR)

Audit risk model

The

basic workings of the Audit Risk Model

watch

the video on Internal Controls & Consider why

businesses need internal control?

Read the slides and chapters 9 & 10

Do exercises 9.13, 9.16 & 9.19

Read TQ 8, 9.27,10.28 & 10.29

Objective
Understand

internal control and assess control

environment.

Understand

the audit risk model and its

components.

Understand

how audit risk model determine audit

strategies and audit evidences.

Understand

evidence.

what are audit procedures and audit

Business risk assessment

Definition of business risk :
a risk resulting from significant conditions, events, circumstances, actions or
inactions that could adversely affect an entitys ability to achieve its objectives
and execute its strategies, or from the setting of inappropriate objectives and
strategies. ISA(NZ) 315 4(b)

A business risk approach allows the auditor to:

Identify threats faced by the organisation.
Recognises that most business risks will eventually
have an effect on the financial statements.
Increase the chances of identifying risks of material
misstatements in the financial reports
4

Risk Assessment
Planning

approach auditor identify and analyse

clients exposure to the risk of material
misstatements (ISA(NZ)315:25-26)
The risk of material misstatements and detection
risks directly affects auditors exposure to audit risk
Special risk consideration (ISA(NZ) 315:28)

Fraud risk

Economic development risk

Complexity of transactions

Related party risks

Financial information very subjective & uncertain

Unusual transactions

Revision

of risks assessment as more audit

evidence is available (ISA(NZ) 315:28)
5

Risk assessment procedures

Enquiries
Management, staff, internal auditors, company bankers,
legal advisors.
Analytical procedures
Provide a broad indication of the likelihood of possible
errors.
Observations and inspections
Inspection of manuals, visiting business premises,
observing procedures taking place.

Importance of internal control

The Committee of Sponsoring Organisations (COSO) of
the Treadway Commission defines internal control as:
a process, effected by an entitys board of directors,
management and other personnel, designed to
provide reasonable assurance regarding the
achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

Management responsibility
Management must establish and maintain the entity's control
structure, which aids management by ensuring:
irregularities are prevented or detected and corrected;
assets are safeguarded;
financial records are accurately reflected;
adherence to management policies;
operational efficiency is promoted that prevents; and
unnecessary duplication of effort.
Because of its inherent limitations, an internal control
structure cannot be regarded as completely effective,
regardless of the care taken in its design and implementation.
8

Auditor responsibility
ASA 315 para 12 states that:
The auditor shall obtain an understanding of
internal control relevant to the audit
The auditors understanding of the internal control is then used
to plan the audit and to determine the nature, timing and
extent of tests to be performed.
The above has to be done in the context of the internal
control structure as defined in ASA 315.

The internal control system

Five components:
Control environment
Risk assessment processes
Information system
Control activities
Monitoring controls
(IAS (NZ) 315 paragraph A58)

10

Control environment
Sets the tone of the entity towards control
consciousness and includes:
Enforcement of integrity and ethical values
example: setting the tone at the top of the entity by demonstrating integrity
and ethical behaviour.

Commitment to competence
example: adequate knowledge and skills at every level in the entity.

11

Control environment
Participation by those charged with governance
Managements philosophy and operating style
example: approach to taking and monitoring business risks.

Organisational structure
Assignment of authority and responsibility
Human resource policies and practices
example: screening prospective employees.

12

Auditors Exposure to Risks

Audit

risk (ISA(NZ200)13c; A32)

Client factors affecting audit risk:

The

risk of material misstatement (RMM)

(ISA(NZ)200:13n; A34-A38) affected by:

Inherent risk (ISA(NZ)200:13n(i)

control risk (ISA(NZ)200:13n(ii)

Auditor has no control over IR and CR

13

Risk Exposure
Detection risk (ISA(NZ)200:13c; A42-A44)

Auditor factor - affecting audit risk

Auditors substantive procedures or auditor competence will not
detect any material misstatements that exist in an assertion
(individually or when aggregated with other misstatements)
Detection risk is a function of the effectiveness of substantive
procedures and its application
Detection risk is fundamental to the amount of audit work
undertaken
Auditor can control exposure to detection risk through:
appropriate planning, direction, supervision and review
variation in the nature, timing and extent of audit procedures
effective performance of the audit procedures and evaluation
of their results
14

Non-Quantified Audit Risk Model

Auditors may use non-quantified expressions for risk

Consistent with the quantified audit risk model - the
acceptable levels of detection risk are inversely related to the
assessments of inherent and control risks
IR and CR assessed as high, then the acceptable level of
detection risk will generally have to be very low
That is, the risk that the auditors substantive procedures will
not detect material misstatements will need to be low
which means more substantive testing by the auditor
Conversely, if IR and CR assessed as low, then the acceptable
level of detection risk can be high, i.e. the auditors
substantive procedures can be reduced
15

Audit Strategy, Detection Risk

and Substantive Test
Planned
Detection
Risk

Audit Strategy

Substantive
Test

Low or very
Predominantly
low
substantive approach

High

Moderate or Lower assessed level

high
of control risk
approach

Low

Click icon to add picture

The above diagram is explained in this video

Control risks and audit strategies

17

Materiality
Audit opinion is about whether a financial statement is free from
MATERIAL misstatement. Therefore it is important to identify what is
material for a certain audit.
The higher the risk, the lower the materiality level. The video below
explains it.

The relationship between risk level and materiality

Materiality is a judgement call. Materiality has different tier: overall

materiality, performance materiality at account level and materiality for
tests.
Students are required to understand the concept of materiality, but do
not need to know how to calculate materiality.

ISA(NZ) 500 Audit Evidence

ISA(NZ) 500:4
The auditor should obtain sufficient appropriate audit
evidence to be able to draw reasonable conclusions
on which to base the audit opinion
Sufficient = enough
Appropriate = relevant and reliable
Reasonable = rational basis for an opinion

Textbook Chapter 8 PPT18

20

Audit Evidence
Relevance and Reliability (ISANZ A26-A31)

Auditing evidence needs to be relevant to a particular assertion under

question.

Audit evidence needs to be reliable

Normally externally prepared evidence is more reliable than internally
generated
Written evidence is more reliable than oral evidence
Original documents is more reliable than photocopies or facsimiles

When selecting a procedure, the auditor need to balance:

potential

effectiveness of the procedure in meeting specific

objectives vs the cost of performing the procedure

Textbook Chapter 8 PPT23

21

Audit Procedures

Audit methods and techniques used to gather and evaluate audit

evidence (figure 10.5 P440)

Analytical procedures

Inspecting

Tracing

Vouching

Confirming

Enquiring

Counting

Observing

Re-performing

ISA (NZ) 500 A10- NZA25.1

22

Categories of Auditing Procedures

Only 2 types of auditing procedures according to its purposes:

tests

of control to confirm the

effectiveness and efficiency of
identified internal controls

substantive

procedures (test of
details) to test transactions and
balances

Textbook Chapter 8 PPT25

23

Purpose of Tests of Controls

Tests of controls carried out

Textbook Chapter 9 PPT4

When preliminary assessments indicate existence of

good controls

when auditor decides to rely on company internal

controls

To confirm the existence and effectiveness of internal

controls for the financial year

The results of tests of controls have implication on

substantive procedure

24

Designing Tests of Controls

Tests of controls include (Nature of tests):

re-performance of procedures

inspection of documents and records

inquiries of client personnel

observation of activities and procedures

e.g. observation of counting during a stock take

Timing of test of controls

Audit must test the control for the whole financial period.

For audit efficiency, the test of controls should be performed as late in the interim
period as possible.

Extent of tests

More extensive tests of controls provide more evidence of the effectiveness of control.

The extent of tests is influenced by the nature of the control (ie automated, ITdependent or manual)

Refer Figure 14.2 in the textbook for an illustration of an audit program designed
Textbook Chapter 9 PPT9 for tests of controls (p.597)
25

Substantive Procedures (1)

Provide direct evidence on the fairness of managements

financial statement assertions

Reveal monetary errors or misstatements in recording or

reporting of transactions and balances

Types of substantive procedures:

analytical procedures

tests of details of transactions

tests of details of balances

Analytical procedures - the use of comparisons to assess

fairness, e.g. a comparison of an account balance with the
previous years balance
26

Substantive Procedures (2)

Tests of details of transactions involve examining support for the

individual debits and credits posted to an account

Examples include vouching the debits in accounts receivable

to entries in the sales journal and supporting sales invoices

Tests of details of balances involve examining support for the

closing balance directly

Examples include confirming accounts receivable directly with

the customer

27

Substantive procedure (3)

Nature of substantive procedure

Determine the types of substantive procedure to be performed

Timing of substantive procedure

If detection risk is HIGH, then certain procedures may be

performed a few months before the end of the year

If detection risk is LOW, all substantive procedures relating to

account balances will be performed at or near the balance date

Extent of substantive procedure

Extent means the number of items or sample size

If level of detection risk is LOW (HIGH), then more (less)

evidence is needed
28

Developing the Audit Plan (1)

Refer

to ISA(NZ) 315 - Identifying and assessing

the risks of material misstatement through
understanding the entity and its environment
Assess inherent and control risk to determine
the appropriate level of detection risk for each
major assertion in purchases, payables and
payroll

29

Developing the Audit Plan (2)

Considers materiality and its relationship to IR and CR

Determine the audit strategy

Plan an appropriate mix of tests of controls and substantive

procedures

Carry out tests of controls

Evidence

to confirm (or otherwise) the auditors

preliminary assessment of control risk.

May

require a reassessment of control risk and a revision of

planned level of substantive procedures

30