AUDITING: A RISK ANALYSIS APPROACH

1
AUDITING A RISK ANALYSIS APPROACH
5th edition
Larry F. Konrath
Electronic Presentation
by Harold O. Wilson
2
CHAPTER 7
AUDIT PLANNING

• Assessment
• of Control Risk

3
INTERNAL CONTROL DEFINED
A process, effected by an entitys board and
others, designed to provide reasonable assurance
regarding the achievement of objectives in ...

• Effectiveness efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws.

4
ASSESSING CONTROL RISK

• Control risk The probability of the occurrence
  of a MM (lack of prevention) and it remaining
  undetected on a timely basis by the entitys
  internal controls. (The odds that prescribed
  internal controls failed when needed!)
• Detection risk The probability, given such
  failure, that the auditor fails to discover an
  existing MM.

5
IMPROPER ASSESSMENT OF CONTROL RISK
If CR is subjectively assessed as higher than it
should be, excessive substantive testing (and
excessive cost) results. It is inefficient!
If CR is subjectively assessed as lower than it
should be, insufficient substantive testing (and
insufficient evidence) results. It is
ineffective!
6
CONTROL RISK ASSESSEDBased on Initial
Understanding

• When Control Risk is assessed at maximum
  substantive audit
• When Control Risk is assessed below maximum
• Not based solely on initial understanding
• Must be able to evaluate effectiveness
• Must actually test controls

7
WHY ASSESS CONTROL RISK?

• Required by auditing standards
• Component of audit risk needed to calculate
  detection risk
• Forms basis for reportable conditions letter

8
IDENTIFY TYPES OF POTENTIAL MISSTATEMENTS

• For each transaction cycle
• Identify types of errors or fraud that could
  occur without controls
• Determine necessary controls
• Determine if the controls have been put in place
• Identify weaknesses
• Design substantive programs that reflect the
  weaknesses identified
• Communicate weaknesses as reportable conditions

9
Steps in Assessing Control Risk 1

• Obtain an understanding of internal control
  policies procedures
• Obtained during initial planning phase
• Study of the organization structure
• Inquiry of management

10
Steps in Assessing Control Risk 2

• Identify Control Points
• Exists wherever
• An error or fraud could occur
• Assets need to be safeguarded
• Two types
• Accuracy controls
• Safeguard controls
• Look for compensating controls when accuracy or
  safeguard controls are missing

11

• Document understanding of internal controls
• Memorandum
• Rigorous analysis difficult to follow
• Questionnaire/checklist
• Thorough, easy tendency toward cursory review
• Flowchart
• Easy to review, strengths weaknesses
  highlighted lacks necessary detail

12
Steps in Assessing Control Risk 4

• Assess control risk document conclusions
• May range from maximum to minimum
• If maximum
• Need only to document understanding
• Not relying on internal controls
• Primarily a substantive audit
• If below maximum
• Document basis for reduction
• Must perform tests of controls

13
FAQ?

• What is the maximum control risk?

Maximum control risk the greatest probability
that a MM that could occur in the assertion, will
not be prevented or detected on a timely basis by
the entitys internal control structure.
14
Steps in Assessing Control Risk 5

• Reduce the assessed level of control risk thru
  control testing
• Conditions warranting control testing
• Controls are thought to be effective
• Cost effective to test
• Ways of testing controls
• Reprocessing
• Observation
• Document examination testing

15
Note
Testing transactions (in audit programs)
traditionally refers to tracing business events
through the accounting cycle (from controls, to
documentation, to recordings, to ledgers, to
trial balances, to financial statements).
Reprocessing!

16
GUIDELINES FOR AUDIT PROGRAM DESIGN

• Resource allocations proportionately more to
  (a) high risk areas, and (b) material
  items/balances.
• External evidence is more persuasive than
  internally generated evidence.
• Aggregate materiality and high error rates, even
  among immaterial items, must be considered.

17
Designing Substantive Tests

• Qualitative approach
• Determines nature timing of substantive
  procedures
• The more effective the controls, the more they
  can be relied on, the lesser the requirement for
  substantive testing
• Quantitative approach
• Determines extent of substantive procedures
• High detection risk requires minimum substantive
  testing low detection risk results in
  substantive audit

18
Sampling evidence

• It does not take long to decide--
• when the pie is no good!

Expecting many errors (weak controls) may
prompt a low aggregate materiality threshold,
AND if errors are rampant, a small sample
should disclose such, fairly quickly!
19
QUANTIFYING RISK

• Audit risk (AR) The joint probability of IR,
  CR and DR

AR IR x CR x DR
If an unofficial risk level for auditors to take,
is about 5, the product of the above should
be .05. Then, DR should dictate the audit
program for substantive testing, caption by
caption.
20
QUANTITATIVE EXAMPLE

• AR, set a little loose, at 10.
• IR, set high, at 70.
• CR, set very high, at 50 therefore,

DR AR / IR x CR 29 Meaning The auditor
must make substantive tests until DR is reduced
down to 29!
21
QUANTITATIVE EXAMPLE

The Detection Risk becomes the variable now
controllable by the auditor it is a function
of a controllable sample size! The auditor, in
selecting a sample size, must test until DR
.29 or less, using some form of statistical
sampling mathematics. To test beyond that point
is overcharging.
22
Auditor must

• Assess risks potential areas of both
  unintentional and intentional MM.
• Document responses to such (e.g., revisions of
  audit programs).
• Perform tests evaluate results.
• Communicate conclusions to audit committees,
  etc., as considered necessary.

Never communicate such to just one person!
23
CAUTIONS!

• Auditors should not overemphasize control points
  in data processing.
• The absence of a desired control does not
  automatically generate MM.
• There may be compensating controls, to
  substitute for traditional control procedures,
  mitigating apparent weaknesses.
• There is no one best approach to evaluating
  internal controls.

24
REPORTABLE CONDITIONS

• Definition Matters coming to the
  auditors attention representing significant
  deficiencies in internal controls, which
  could adversely affect reporting on
  assertions of management.
• Reportable to the Audit Committee or the senior
  executives, as a group
• No requirement to search, per se if discovered,
  must write report!

25
REPORTABLE CONDITIONS

• Typically, reported in the CPAs
  Management Letter to the client
• What the deficiency is
• Why it should be corrected
• How to change the IC system now

Basic transaction cycles
26
TRANSACTION CYCLES TESTS OF CONTROLS

• 1. Revenue Cycle
• Sales Accounts receivables
• Cash collections from customers

SALES ACCTS REC CASH
Controls, documents, data processing
27
TRANSACTION CYCLES TESTS OF CONTROLS

• 2. Expenditure Cycle
• Purchases Accounts payable
• Cash disbursements to vendors

INVTY ACCTS PAY CASH
Controls, documents, data processing
28
TRANSACTION CYCLES TESTS OF CONTROLS

• 3. Finance Investing Cycle
• Borrowing
• Investing in Projects

PROJECTS NOTES PAY CASH
Controls, documents, data processing
29
Basic Internal Documentation

• Sales orders
• Shipping tickets, etc.
• Sales invoices
• Remittance advices
• Deposit slips
• Purchase requests
• Purchase orders
• Receiving reports

• Purchase invoices
• Vouchers
• Payroll tabulations
• Clock cards, time tickets
• Requests for checks
• Checks
• Bank statements, etc.

And, internal cost inventory reporting!
30
End of Chapter 7