Sample Notes for 22522 Assurance Services & Audit - Amazon Web ...
Sample Notes for 22522 Assurance Services & Audit Lecture Topic 3: Audit Planning & The Audit Risk Model Content from this lecture is drawn from the textbook: • Chapter 6: Audit Planning • Chapter 7: The Audit Risk Model Audit Planning Planning the Audit • One of the most important steps in audit planning is gaining an understanding of the client’s business and industry. • Planning is important in order for an auditor to do a good job and avoid being sued. • Under ASA 300, auditors should plan audit engagements in order to: o To enable the auditor to obtain sufficient appropriate evidence to prove that the financial statements are correct. o To keep audit costs reasonable (being efficient – spending time effectively). o To avoid misunderstandings with the client so the auditor can get access to specific materials. An auditor must clarify with management. Risk Terms Acceptable/desired audit risk: Refers to the extent to which the auditor is willing to accept that the financial statements may be materially misstated when an unqualified opinion has been issued. Acceptable audit risk is made up of: •
Inherent risk: Refers to the Auditor’s assessment of the likelihood of material misstatement in an account balance before considering the effectiveness of internal control and before the auditor does any testing or procedures.
•
Control risk: Refers to the auditor’s assessment of the potential risk of misstatement within the company’s internal controls (policies, procedures, rules and systems). In other words, internal controls leading to material misstatement.
•
Detection risk: Refers to the risk of NOT detecting a misstatement as a result of applying audit procedures.
Initial Audit Planning The initial steps of audit planning: 1. Accept new clients or continue to service existing clients 2. Identify the client’s reasons for an audit 3. Obtain mutual understanding with the client about the terms of the engagement. 4. Select staff for the engagement and evaluate need for outside specialists. Client Acceptance and Continuance • Do we accept a new client or continue an existing client?
New Client Investigation
• •
•
The auditing firm should investigate the company (client) to determine its acceptability. Furthermore, an examination of the prospective client’s: o Standing in the business community (Public reputation) o Financial stability (Enough money to pay us?) o Relations with previous accounting firms We have standards of our clients in order to make a decision to accept or reject a client.
Continuing Engagements: • Reasons to drop a client: e.g. conflicts over audit scope, type of opinion or fees. Identify the Client’s Reasons for Audit • Most likely uses of the statements can be determined from: o Previous experience with the client o Discussion with management. • Information may affect the auditor’s assessment of acceptable audit risk. Obtain an Understanding with the Client The engagement letter sets out the contract (terms and conditions) between the auditor and the client. Under ASA 210 an engagement letter: • Documents the auditor’s understanding with the client which includes: o The objectives of engagement o Responsibilities of the auditor and management o Limitations of engagement (what the auditor covers and what they do not cover) o Agreement to provide other services o Agreement on fees o Does not affect auditor’s responsibility to external users. Overall Audit Strategy • An audit strategy allows an auditor to develop a preliminary approach to the audit by considering the nature of the client’s business and industry and the areas where there is greater risk of significant misstatement. • Such preliminary approaches include picking the right staff by: o Selecting the most appropriate staff who has the appropriate capabilities, competence and time to perform the audit o Selecting a staff member who must have knowledge in the client’s industry. o Determining whether or not an outside expert or specialist is needed. Understanding the Client’s Business and Industry Under ASA 215 • Need to understand external factors • Structure of the entity • Decide the reasons for their polices and what polices they adopt • Understand business risk to the extent that they impact material misstatement on financial statements.
• • •
The entity’s financial performance Understand their internal controls Determine if internal controls are working or not.
Why do we need to understand the client? • We need to understand the client because all of the above components may influence: o Accounting policy choice o Management decisions o Identify where misstatements are likely to occur (Which accounts are more likely to be wrong). ▪ ^ These are often called inherent risks Industry and External Environment • Risks vary from industry to industry; therefore risks associated with specific industries may affect the auditor’s assessment of client business risk and acceptable audit risk. • An auditor who is familiar with a certain industry and the risk associated with the industry will aid the auditor in assessing their relevance to the client as certain inherent risk are typically common to all clients in certain industries. • Many industries have unique accounting requirements that the auditor must understand to evaluate whether the client’s financial statements are in accordance with Australian accounting standards. • We have to understand the industry because this will provide auditors with the most risk of material misstatements. Business Operations & Processes • An auditor needs an understanding of: o The major sources of revenue o Key customers and suppliers – Who are they engaging in transactions with (affects accounts payable and receivables). o Sources of financing – Are they utilizing equity or debt? o And to identify related parties (a close relationship with them leading to unfair transactions and that is why auditors need to report these) by: ▪ Enquire into management regarding known related parties ▪ Reviewing the information related to third parties ▪ Examine share registers ▪ Enquire into the affiliation of management with other entities ▪ Reviewing minutes of meetings (which refers to the content that management has discussed within the meeting). Management & Governance • The auditor should understand and assess: o Management’s philosophy and operating style o Client’s ability to identify and respond to risk o The company’s governance system o The company policies, company’s constitution o The company’s code of ethics o The corporate minutes (which refers to the content in which management has discussed within the meeting)
o The company’s systems of measuring/reviewing performance •
The auditor should understand client objectives related to: o Reliability of financial reporting o Effectiveness and efficiency of operations o Compliance with laws and regulations
Client Business Risk • In order to know what is and what is not an inherent risk, we mist first understand business risk. • Client business risk refers to the risk that the client will fail to achieve its objectives. • The auditor’s primary concern is: o The risk of material misstatements in the financial statements. o Business risk can lead to inherent risk. • Management is the primary source of identifying client business risk • Whereas business risk are risks that management must deal with and not always the concern of the auditor. Assessing Client Business Risk
Identifying Inherent Risks • Inherent risks are the risks that arise because of the inherent nature of the business or industry. • These risks must have an impact on the financial statements. • In order to it to be an inherent risk, at least one account and one assertion for that account which must have a material of misstatement. • Although auditors and management have different responsibilities (for inherent and business risk) it may overlap. Example: Mining Industry – What is inherent risk and what is business risk? • Planning is important in order for an auditor to do a good job and avoid being sued.
1. 2. 3. 4. 1. It is both business risk and inherent risk because the company and lose money (business risk) which in turn affect the accounts on financial statements (inherent risk) arising from changes in foreign exchange. 2. This is not a business risk because it doesn’t matter how you measure it because you will get profits either way but it is inherent risk because we don’t know how much we can collect from the mining reserve. Leading to a likely misstatement in the financial statements. 3. It is a business risk because it affects demand leading to lower demand, commodity prices etc. It can also be inherent risk because now you are worried about construction companies (your buyers) that owe you money. Accounts receivable are affected if your customers go bankrupt thus being unlikely to collect your receivables. 4. It is a business risk because the longer we go on the less money we get. It is not an inherent risk because it will not affect the accounts.
Preliminary Analytical Procedures • Preliminary analytics procedures are performed to: o Better understand the client’s business o Assess client business risk o Highlight areas of concern •
Forms of Analytical Procedures o Percentage (%) changes from pervious years o Ratio analysis: Comparing current to previous years and the industry averages as well. What do the changes tell us?
•
After performing preliminary analytical procedures, what results look out of place compared to what we know about the business?
Risk & Audit Risk Model Audit Risk • Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial report is materially misstated. • In other words it is the likelihood that auditors will make the wrong decision. • Issuing an unqualified opinion to say that everything is fine but there is material misstatement. Risks • An auditor recognizes the: o Inherent uncertainty about appropriateness of evidence (caused by an inherent risk factor). o Uncertainty about the effectiveness of a client’s internal controls. o Uncertainty as to whether the financial statements are fairly stated when the audit is complete (detection risk). •
Responding to risks properly is critical to achieving a high quality audit.
Illustration Concerning Risk and Evidence • Auditors often gain an understanding of the entity and its environment in order to assess the risk of material misstatement. • Auditors use the audit risk model to: o Further identify the potential for misstatements o Where they are most likely to occur. Audit Risk Model Formula: AAR = IR x CR x PDR Where: AAR = Acceptable audit risk IR = Inherent risk CR = Control risk PDR = Planned Detection Risk Which is then rearranged to solve for PDR: PDR = AAR / (IR x CR) Note: ** The higher the problems there is with inherent risk and control risk, the lower the PDR) - there is an inverse relationship - **
Risk Relationship • An auditor’s objective is to achieve an acceptably low level of audit risk (the least chance of getting the audit opinion wrong). • AAR is set by the partner and is often set to low. • Control risk (CR) and Inherent risk (IR) are assessed by the auditor. • Recognizing the cost of performing audit procedures, there is an inverse relationship between the assessed levels of inherent risk (IR) and control risk
• •
(CR) and the level of planned detection risk (PDR) that the auditor can accept. PDR is often more commonly referred to as Planned Detection Risk (PDR) and is the only component of the AR model that the auditor can affect in any way. Auditors, although unable to control IR and CR, can assess these risks and design substantive procedures to produce an acceptable level of detection risk, thus reducing the audit risk to an acceptable level.
The Impact of the Audit Risk Model on Audit Strategy The level of detection risk (DR) will affect which audit strategy to use. Therefore, by solving for PDR, this will indicate which audit strategy is required. • Low PDR = Substantive audit strategy (Refers to doing a substantial amount of testing. We test the balance sheet and income statement numbers directly). • High PDR = Controls based audit strategy (We focus on making sure that the controls work. If the controls are good, then the controls will make sure that the financial statement are correct). • Medium PDR = Mixed audit strategy Factors Affecting Inherent Risk • Nature of the client’s business (how does the business run, how does it make its money, what industry is it in?) • Results of previous audits • Initial versus repeat engagement • Related parties • Non-routine transactions (Very common problem because uncommon transactions are more likely to record those transactions). • Judgment required for correct recording • Makeup of the population (what kind of transactions are we dealing with) Key Take Away Points: 1. Auditors must understand their client to enable them to plan an efficient and effective audit. 2. Auditors must identify the inherent risks – key areas where there is a greater risk of material misstatement. 3. Analytical procedures can be used to assist in identifying areas at greater risk of misstatement. 4. The audit risk model is used to help decide our audit strategy and the methods by which we will collect evidence to generate our opinion.
If you like what you see, please proceed to purchase these excellent notes. I also have notes for other subjects!! Thank you!!
Inherent risk: Refers to the Auditor’s assessment of the likelihood of material misstatement in an account balance before considering the effectiveness of internal control and before the auditor does any testing or procedures.
•
Control risk: Refers to the auditor’s assessment of the potential risk of misstatement within the company’s internal controls (policies, procedures, rules and systems). In other words, internal controls leading to material misstatement.
•
Detection risk: Refers to the risk of NOT detecting a misstatement as a result of applying audit procedures.
Initial Audit Planning The initial steps of audit planning: 1. Accept new clients or continue to service existing clients 2. Identify the client’s reasons for an audit 3. Obtain mutual understanding with the client about the terms of the engagement. 4. Select staff for the engagement and evaluate need for outside specialists. Client Acceptance and Continuance • Do we accept a new client or continue an existing client?
New Client Investigation
• •
•
The auditing firm should investigate the company (client) to determine its acceptability. Furthermore, an examination of the prospective client’s: o Standing in the business community (Public reputation) o Financial stability (Enough money to pay us?) o Relations with previous accounting firms We have standards of our clients in order to make a decision to accept or reject a client.
Continuing Engagements: • Reasons to drop a client: e.g. conflicts over audit scope, type of opinion or fees. Identify the Client’s Reasons for Audit • Most likely uses of the statements can be determined from: o Previous experience with the client o Discussion with management. • Information may affect the auditor’s assessment of acceptable audit risk. Obtain an Understanding with the Client The engagement letter sets out the contract (terms and conditions) between the auditor and the client. Under ASA 210 an engagement letter: • Documents the auditor’s understanding with the client which includes: o The objectives of engagement o Responsibilities of the auditor and management o Limitations of engagement (what the auditor covers and what they do not cover) o Agreement to provide other services o Agreement on fees o Does not affect auditor’s responsibility to external users. Overall Audit Strategy • An audit strategy allows an auditor to develop a preliminary approach to the audit by considering the nature of the client’s business and industry and the areas where there is greater risk of significant misstatement. • Such preliminary approaches include picking the right staff by: o Selecting the most appropriate staff who has the appropriate capabilities, competence and time to perform the audit o Selecting a staff member who must have knowledge in the client’s industry. o Determining whether or not an outside expert or specialist is needed. Understanding the Client’s Business and Industry Under ASA 215 • Need to understand external factors • Structure of the entity • Decide the reasons for their polices and what polices they adopt • Understand business risk to the extent that they impact material misstatement on financial statements.
• • •
The entity’s financial performance Understand their internal controls Determine if internal controls are working or not.
Why do we need to understand the client? • We need to understand the client because all of the above components may influence: o Accounting policy choice o Management decisions o Identify where misstatements are likely to occur (Which accounts are more likely to be wrong). ▪ ^ These are often called inherent risks Industry and External Environment • Risks vary from industry to industry; therefore risks associated with specific industries may affect the auditor’s assessment of client business risk and acceptable audit risk. • An auditor who is familiar with a certain industry and the risk associated with the industry will aid the auditor in assessing their relevance to the client as certain inherent risk are typically common to all clients in certain industries. • Many industries have unique accounting requirements that the auditor must understand to evaluate whether the client’s financial statements are in accordance with Australian accounting standards. • We have to understand the industry because this will provide auditors with the most risk of material misstatements. Business Operations & Processes • An auditor needs an understanding of: o The major sources of revenue o Key customers and suppliers – Who are they engaging in transactions with (affects accounts payable and receivables). o Sources of financing – Are they utilizing equity or debt? o And to identify related parties (a close relationship with them leading to unfair transactions and that is why auditors need to report these) by: ▪ Enquire into management regarding known related parties ▪ Reviewing the information related to third parties ▪ Examine share registers ▪ Enquire into the affiliation of management with other entities ▪ Reviewing minutes of meetings (which refers to the content that management has discussed within the meeting). Management & Governance • The auditor should understand and assess: o Management’s philosophy and operating style o Client’s ability to identify and respond to risk o The company’s governance system o The company policies, company’s constitution o The company’s code of ethics o The corporate minutes (which refers to the content in which management has discussed within the meeting)
o The company’s systems of measuring/reviewing performance •
The auditor should understand client objectives related to: o Reliability of financial reporting o Effectiveness and efficiency of operations o Compliance with laws and regulations
Client Business Risk • In order to know what is and what is not an inherent risk, we mist first understand business risk. • Client business risk refers to the risk that the client will fail to achieve its objectives. • The auditor’s primary concern is: o The risk of material misstatements in the financial statements. o Business risk can lead to inherent risk. • Management is the primary source of identifying client business risk • Whereas business risk are risks that management must deal with and not always the concern of the auditor. Assessing Client Business Risk
Identifying Inherent Risks • Inherent risks are the risks that arise because of the inherent nature of the business or industry. • These risks must have an impact on the financial statements. • In order to it to be an inherent risk, at least one account and one assertion for that account which must have a material of misstatement. • Although auditors and management have different responsibilities (for inherent and business risk) it may overlap. Example: Mining Industry – What is inherent risk and what is business risk? • Planning is important in order for an auditor to do a good job and avoid being sued.
1. 2. 3. 4. 1. It is both business risk and inherent risk because the company and lose money (business risk) which in turn affect the accounts on financial statements (inherent risk) arising from changes in foreign exchange. 2. This is not a business risk because it doesn’t matter how you measure it because you will get profits either way but it is inherent risk because we don’t know how much we can collect from the mining reserve. Leading to a likely misstatement in the financial statements. 3. It is a business risk because it affects demand leading to lower demand, commodity prices etc. It can also be inherent risk because now you are worried about construction companies (your buyers) that owe you money. Accounts receivable are affected if your customers go bankrupt thus being unlikely to collect your receivables. 4. It is a business risk because the longer we go on the less money we get. It is not an inherent risk because it will not affect the accounts.
Preliminary Analytical Procedures • Preliminary analytics procedures are performed to: o Better understand the client’s business o Assess client business risk o Highlight areas of concern •
Forms of Analytical Procedures o Percentage (%) changes from pervious years o Ratio analysis: Comparing current to previous years and the industry averages as well. What do the changes tell us?
•
After performing preliminary analytical procedures, what results look out of place compared to what we know about the business?
Risk & Audit Risk Model Audit Risk • Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial report is materially misstated. • In other words it is the likelihood that auditors will make the wrong decision. • Issuing an unqualified opinion to say that everything is fine but there is material misstatement. Risks • An auditor recognizes the: o Inherent uncertainty about appropriateness of evidence (caused by an inherent risk factor). o Uncertainty about the effectiveness of a client’s internal controls. o Uncertainty as to whether the financial statements are fairly stated when the audit is complete (detection risk). •
Responding to risks properly is critical to achieving a high quality audit.
Illustration Concerning Risk and Evidence • Auditors often gain an understanding of the entity and its environment in order to assess the risk of material misstatement. • Auditors use the audit risk model to: o Further identify the potential for misstatements o Where they are most likely to occur. Audit Risk Model Formula: AAR = IR x CR x PDR Where: AAR = Acceptable audit risk IR = Inherent risk CR = Control risk PDR = Planned Detection Risk Which is then rearranged to solve for PDR: PDR = AAR / (IR x CR) Note: ** The higher the problems there is with inherent risk and control risk, the lower the PDR) - there is an inverse relationship - **
Risk Relationship • An auditor’s objective is to achieve an acceptably low level of audit risk (the least chance of getting the audit opinion wrong). • AAR is set by the partner and is often set to low. • Control risk (CR) and Inherent risk (IR) are assessed by the auditor. • Recognizing the cost of performing audit procedures, there is an inverse relationship between the assessed levels of inherent risk (IR) and control risk
• •
(CR) and the level of planned detection risk (PDR) that the auditor can accept. PDR is often more commonly referred to as Planned Detection Risk (PDR) and is the only component of the AR model that the auditor can affect in any way. Auditors, although unable to control IR and CR, can assess these risks and design substantive procedures to produce an acceptable level of detection risk, thus reducing the audit risk to an acceptable level.
The Impact of the Audit Risk Model on Audit Strategy The level of detection risk (DR) will affect which audit strategy to use. Therefore, by solving for PDR, this will indicate which audit strategy is required. • Low PDR = Substantive audit strategy (Refers to doing a substantial amount of testing. We test the balance sheet and income statement numbers directly). • High PDR = Controls based audit strategy (We focus on making sure that the controls work. If the controls are good, then the controls will make sure that the financial statement are correct). • Medium PDR = Mixed audit strategy Factors Affecting Inherent Risk • Nature of the client’s business (how does the business run, how does it make its money, what industry is it in?) • Results of previous audits • Initial versus repeat engagement • Related parties • Non-routine transactions (Very common problem because uncommon transactions are more likely to record those transactions). • Judgment required for correct recording • Makeup of the population (what kind of transactions are we dealing with) Key Take Away Points: 1. Auditors must understand their client to enable them to plan an efficient and effective audit. 2. Auditors must identify the inherent risks – key areas where there is a greater risk of material misstatement. 3. Analytical procedures can be used to assist in identifying areas at greater risk of misstatement. 4. The audit risk model is used to help decide our audit strategy and the methods by which we will collect evidence to generate our opinion.
If you like what you see, please proceed to purchase these excellent notes. I also have notes for other subjects!! Thank you!!
