Audit 2 Slides
material misstatement
The audit function includes some risk or uncertainty. A popular method of dealing
with risk is called the audit risk model, which can be summarised as:
AAR = IR * CR * PDR
Where AAR stands for acceptable audit risk, IR for inherent risk, CR for control risk,
and PDR for planned detection risk.
• Audit risk is the risk that an unqualified audit opinion is issued on the
financial statements, while in fact they contain material
misstatements.
• Acceptable audit risk is the risk the auditor is willing to accept that
the financial statements may be materially misstated after the audit is
completed and an unqualified opinion has been issued. The smaller
the AAR is, the less willing the auditor is to accept the risk of material
misstatements. This risk level is set by the auditor after considering
certain factors.
• Inherent risk is the risk that the financial statements may include
material misstatements due to the nature of the company or the
account(s) involved. The auditor cannot affect inherent risk, but he
assesses it due to its effect on the planning and conducting of the
audit. The higher the IR is, the more risky the audit is.
• Control risk is the risk that the financial statements may include
material misstatements that will not be prevented or detected by the
client's internal control system on a timely basis. The auditor cannot
directly affect control risk, but he assesses it due to its effect on the
planning and conducting of the audit. The higher the CR is, the more
risky the audit is.
• Planned detection risk is the risk that the financial statements may include
material misstatements that will not be detected by the auditor's own
procedures (such as evidence collection and testing). This risk is related to the
other three in the audit risk model, and is calculated using the equation after
determining the other three. It is directly related to the amount of audit
procedures to be performed (such as evidence collection and testing), in that the
lower the PDR is, the more audit procedures have to be performed,
and vice-versa.
Assessing Acceptable Audit Risk
Engagement risk is the risk that the auditor or audit firm will suffer harm after the
audit is finished, even though the audit report was correct. If the client fails in
achieving its objectives or becomes bankrupt, the audit firm is likely to get into
trouble even if the audit was of high quality. For example, it may face numerous
lawsuits, loss of reputation, and loss of clients. There is a relation between
acceptable audit risk and what likely negative consequences may happen to the
audit firm in case of such trouble. Therefore, to assess AAR, the following issues
are taken into consideration:
1- The degree to which external users rely on the statements: AAR is generally
lowered if external users place heavy reliance on the financial statements and
the audit. External users are significantly more likely to file lawsuits or cause
other damage to the audit firm's reputation than internal users, who may
themselves be a main reason for the collapse of the client. The following factors
are likely to indicate the degree to which financial statements are relied on by
external users:
A- Size: In general, the larger the client's size, the more widely its financial statements are used by
external parties.
B- Distribution of ownership: The financial statements of publicly held companies (especially when
there are many small shareholders) are generally more widely used by external parties than those
of closely held companies, such as those with a small number of large investors, those with family
ownership, or partnerships.
C- Nature and amount of liabilities: The greater the client's liabilities are, the more likely its financial
statements will be used by external creditors, such as banks, bondholders, and trade creditors.
2- The likelihood that a client will have financial difficulties after the audit
report is issued: When a client goes bankrupt or has significant financial
problems after the audit is completed, the audit firm is likely to face more
challenges to the quality of its audit (such as lawsuits). This will likely cause
AAR to be set at a lower level if the likelihood of the client's financial
difficulties is higher. Some indicators of a client's financial difficulties include
poor liquidity, continuing losses, financing growth only by debt, taking high
risks, and poor competence of management.
3- The auditor's evaluation of management's integrity: If the auditor considers
that the client's management lacks integrity, and still accepts the
engagement, he is likely to set the AAR at a significantly low level.
Assessing Inherent Risk
• The following factors may affect the auditor's assessment of inherent risk:
1- Nature of the client's business: The more risky the nature of the client's business
is, the higher is IR.
2- Results of previous audits: An auditor may discover some misstatements in
previous audits of the client that are likely to recur in future audits because they
are systematic and the client cannot stop them or has not acted to stop them.
The more these types of misstatements exist, the higher is IR.
3- Initial versus repeat engagements: Having audited the client's
financial statements for several years, the audit firm gains knowledge
and experience about the likelihood of occurrence of some
misstatements. Therefore, new clients have a higher IR compared to
old ones.
4- Related parties: IR is higher when there are more related parties and
more transactions with them, because these are generally more likely
to include misstatements due to the nature of the relationship among
the related parties.
5- Nonroutine transactions: Transactions that are unusual for a client
are more likely to be incorrectly recorded than routine transactions
because the client often lacks experience recording them. In addition,
nonroutine transactions may be questionable and may contain some
type of fraud concealment. Therefore, the more and the larger
nonroutine transactions are, the larger is IR.
6- Judgment required to correctly record account balances and
transactions: The more the financial reporting of the client includes
personal judgements and estimates (such as allowances or fair
valuation), the higher is IR due to the possible intentional and
unintentional material misstatements.
7- Makeup of the population: The makeup of the population for some
accounts or transactions may affect IR. For example, IR is higher for
accounts receivable if a larger percentage of them (in number or
amount) are overdue.
8- Factors related to fraudulent financial reporting and
misappropriation of assets: The presence of fraud risk factors
increases the IR. (It also affects CR)
Chapter Eleven: Internal Controls and COSO Framework
• IT may be better for internal control of companies, but it has its own
problems and risks which the company and its auditors must be
aware of. These include:
1- Reliance on the functioning capabilities of hardware and software:
If the hardware or software were limited in their features or not well
maintained or carried viruses, their functioning may be impaired.
2- Systematic versus random errors: While the errors that occur in
manual systems tend to be random, errors occurring in IT systems
tend to be systematic. For example, if there was an error in designing
an IT system, this is likely to lead to errors in all transactions
processed through this system.
3- Unauthorized access: In addition to physically unauthorized access
by people having access to the IT machines, there is the risk of
unauthorized access through misusing passwords or hacking.
4- Loss of data: A simple “delete” process may lead to a loss of a large
amount of data stored electronically.
5- Invisibility of audit evidence: This occurs through computer
functions reducing or eliminating, or at least hiding, the evidence the
auditor can use, leading to significantly less evidence to test
(especially documents and records).
6- Reduced human involvement: This implies that many individuals
who deal with the system may never have the access to the results of
their work, and therefore cannot verify the accuracy of it.
7- Lack of traditional authorization: This is because in IT systems, there are fewer
procedures like authorised signatures and seals. In this case, the entity should be
careful with IT authorisation of transactions.
8- Reduced separation of duties: IT environments often lead to reduced separation
of duties through combining many functions that were traditionally separated in
one centralized IT function. If an individual has large access to many functions on
the system, he/she might act dishonestly.
9- Need for IT experience: IT environments need special knowledge
that not every employee possesses. If employees dealing with IT are
not qualified, this may lead to high IT risks.
General internal controls
After the previous steps are undertaken, the auditor now makes a subjective
assessment of control risk for each audit objective. This may be in the form of
(high – moderate – low) or percentage or numerical levels. This assessment may
be amended as a result of the tests of controls and substantive tests of details.
• Communications to those charged with governance and management letters:
• Auditing standards require the auditor to report some control issues to those
charged with governance (such as the client’s board of directors and audit
committee). Those charged with governance can then intervene and address
the control problems, and therefore help both the client and the auditor.
Auditors may (but are not required to) report recommendations on less
significant internal control issues to the client as a value-added service.
In summary, the steps for performing a preliminary assessment of control risk
are as follows:
1- Identify what controls should exist in the situation
2- Identify what controls exist in the situation
3- Identify the absence of key controls
4- Consider the possibility of compensating controls
5- Decide whether there are significant deficiencies or material weaknesses
6- Determine potential misstatements in the financial statements that can result
from these significant deficiencies and material weaknesses.
This is repeated for each audit objective.
Tests of controls
• If the auditor decides to consider relying on the internal controls of
the client (the assessed control risk is low or medium), he has to test
the controls in order to justify the previously made assessment of
control risk. If the results of the tests of controls support the
previous assessment of control risk, then they can be used to reduce
substantive testing evidence collection. If not, the previous
assessment of control risk is to be reconsidered.
The operational effectiveness of internal controls can be tested using
the following four procedures:
• Making inquiries of appropriate client personnel.
• Examining documents, records, and reports.
• Observing control-related activities.
• Reperforming client procedures.
• The extent of use of these tests of control procedures depends on the
desired level of control risk to be depended on by the auditor. The
lower the level of control risk the auditor wants to use, the more
extensive the tests of controls procedures will be.
After performing tests of controls and determining a final assessment
of control risk, this assessment is aligned to audit objectives and
integrated into the determination of planned detection risk, and
therefore the types of audit evidence to be collected and evaluated
and the types of substantive tests of details to be performed.
Chapter Ten: Assessing and Responding to Fraud Risks
• Types of fraud
• Fraudulent financial reporting is an intentional misstatement or omission of amounts or
disclosures with the intent to deceive users. Most fraud includes an attempt to overstate income,
but there is also fraud that intends to understate income, if this leads to lower income tax or to
create earnings reserves. Some forms of fraud include earnings management, involving deliberate
actions taken by management to meet earnings objectives. A form of that is income smoothing,
where revenues and expenses are shifted between periods to reduce fluctuations in earnings.
• Misappropriation of assets involves theft of the entity's assets. While this usually involves
internal parties, such as employees and members of the executive management and the board of
directors, it may sometimes involve external parties, such as customers (e.g. shoplifting) or
suppliers (e.g. cheating in products).
Conditions for fraud
• According to the fraud triangle principle, three conditions should be available in order for fraud to
occur. These are:
• Incentives / Pressures: Management or other employees have incentives or pressures to commit
fraud.
• Opportunities: Circumstances provide opportunities for management or employees to commit
fraud.
• Attitudes / Rationalization: An attitude, character, or set of ethical values exists that allows
management or employees to commit a dishonest act, or they are in an environment that
imposes sufficient pressure that causes them to rationalize committing a dishonest act.
See page 340 and page 342 and the appendixes of ISA240 for examples
of risk factors concerning the above three conditions, in the cases of
fraudulent financial reporting or misappropriation of assets.
• In the case of fraudulent financial reporting, incentives and pressures
include a decline in the company's prospects, such as low profitability
or low ability to repay debt, and a willingness to meet budgets or
analysts' forecasts or conditions of debt covenants. Another
important factor here is the willingness of managers to earn higher
bonuses through manipulating financial statements.
• As for opportunities, risk factors include the existence of significant judgements
and estimates in accounting, weakness of accounting information systems and
internal control, and high turnover of accounting and information technology
employees.
• As for attitudes and rationalization, risk factors include a managerial disregard of
the financial reporting process, desire to meet overly optimistic forecasts, and
lack of ethics.
• In the case of misappropriation of assets, incentives and pressures include
financial pressures on employees, or their dissatisfaction with the company they
work at. Opportunities include weakness of internal controls, such as easy access
to cash or inventory or other valuable assets, and lack of adequate separation of
duties or lack of keeping adequate records and documents. Attitudes and
rationalization include management's attitudes towards ethics (if managers cheat
then lower-level employees may consider this acceptable).
Assessing the risk of fraud
1- Communication among the audit team: Discussions among the members of the
audit team may reveal some issues related to fraud, such as the opportunities of
its occurrence due to poor controls, or the existence of some suspicious
observations by some members. Sometimes, lower-level auditors (who do most
of the daily work) may not be aware of the risk of something that the higher-level
auditors may, due to experience, perceive as important.
2- Inquiries of management: Sometimes management may be aware of
the existence of fraud or suspect it in the company, and tell the
auditor about that and about its plans to deal with it. The auditor is
required to ask the client's management about their knowledge about
any fraud in the entity and what they have done in response to this
issue.
3- Risk factors: The auditor has to evaluate risk factors in order to
consider whether there are significant possibilities of fraud in the
company, whether through fraudulent financial reporting or through
misappropriation of assets. The existence of one or more risk factors
does not definitely mean that there is fraud, but the auditor has to
give more attention to the issue.
4- Analytical procedures: Analysis using analytical procedures may
show that there are differences between the reported figures and the
auditor's expectations. In this case, this issue may be the result of a
hidden fraud.
5- Other information: This information may be obtained through other
risk assessment activities or from other sources, such as the
reputation of management on integrity and honesty. Another source
is receiving tips from employees or other people about the possible
existence of fraud or suspicious activities in the client.
After assessing fraud risks, auditors have to document their discussions
and findings in their working papers. In evaluating fraud risk factors,
auditors have to consider whether the fraud risk may be reduced
through better corporate governance oversight, including
management's fulfilment of their responsibilities towards fraud, and
the oversight of the audit committee.
Responding to the risk of fraud
• If fraud is suspected, the auditor gathers additional information to determine whether fraud
actually exists. A popular method here is additional inquiries of management and other parties.
Inquiries may be informational (to obtain new information) or assessment (to corroborate or
contradict prior information) or interrogative (to determine whether individuals are deceptive –
this method requires sufficient experience by auditors). After that, auditors evaluate the
responses to inquiry, and may perform follow-up inquiries and interviews. In interviews, auditors
should observe with attention verbal and nonverbal cues used by interviewees that may indicate
possible deception. (See tables 10-6 and 10-7 on page 361 for examples).
• Other practices in response to the suspicion of fraud existence include
using audit software analysis [such as Computer-Aided Audit
Techniques (CAATs)] and the use of expanded substantive testing.
Specific fraud risk areas
• In developing an overall audit plan, auditors use five types of tests to determine
whether financial statements are fairly stated. Auditors use risk assessment
procedures to assess the risk of material misstatements. The other four types of
tests represent further audit procedures performed in response to the risk
identified. Each audit procedure falls into one, and sometimes more than one, of
these five categories. The five types of audit tests are:
• Risk assessment procedures: The auditor is required to obtain an understanding
of the entity and its environment, including its internal control, to assess the risk
of material misstatement in the client's financial statements. The other four
audit tests (discussed below) are performed in response to the auditor's
assessment of the risk of material misstatements. According to the audit firm's
approach to risk assessment, several different types and quantities of risks may
be assessed (although there are minimum requirements). This selection of risks,
and its results, significantly affects the mix of other tests performed in the audit
program.
• Tests of controls: The auditor's understanding of internal controls is used to
assess control risk for each transaction-related audit objective (the assessment
may be different for each objective). If the preliminary control risk assessment is,
for example, low or medium, and the auditor wants to rely on internal controls to
reduce substantive audit procedures, he has to perform tests of controls. Tests of
controls are performed to obtain sufficient appropriate evidence to support the
preliminary assessment of control risk. Tests of controls may include making
inquiries of appropriate client personnel, examining documents and records and
reports, observing control-related activities, and reperforming client procedures.
• Tests of control can be either manual or automated. They are also used to
determine whether the controls are effective (by testing a sample of the
controls). The amount of additional evidence required for tests of controls
depends on the extent of evidence obtained in gaining the understanding of
internal control, and the planned reduction in control risk. Tests of controls may
be performed separately, but it may be cost-effective to do them at the same
time as doing substantive tests of transactions, especially if the same procedure
is applied for both types of tests.
• Substantive tests of transactions: Substantive tests are procedures designed
to test for monetary misstatements that directly affect the correctness of
financial statement balances. These tests are substantive tests of transactions,
substantive tests of details of balances, and substantive analytical procedures.
• Substantive tests of transactions are used to determine whether all six
transaction-related audit objectives (occurrence, completeness, accuracy, posting
and summarization, classification, timing) have been satisfied for each class of
transactions.
• Substantive tests of details of balances: These tests focus on the ending general
ledger balances for both balance sheet and income statement accounts. Typical
types of such tests include confirming payable and receivable accounts and
physical examination of tangible assets. These tests are performed to satisfy all
balance-related audit objectives (existence, completeness, accuracy,
classification, cutoff, detail tie-in, realizable value, rights and obligations) for
each significant account.
• Substantive analytical procedures: Analytical procedures involve comparisons of
recorded amounts to expectations developed by the auditor. They are required by
audit standards during the stages of planning and completing the audit, but they
can also be used as a substantive auditing procedure in order to provide
substantive evidence and indicate possible misstatements in the financial
statements. If auditors believe that analytical procedures indicate a reasonable
possibility of misstatement, they may perform additional analytical procedures or
decide to modify tests of details.
• However, if the results of analytical procedures make the auditor conclude
that the client's ending balances in certain accounts appear reasonable,
certain tests of details of balances may be eliminated or sample sizes
reduced. The extent to which an auditor may be willing to rely on analytical
procedures in support of account balances depends on several factors,
including the precision of the expectation developed by the auditor,
materiality, the risk of material misstatement, and the effectiveness of the
client's internal control.
Selecting which types of tests to perform
• Typically, auditors use all five types of tests when performing an audit of the
financial statements, but certain types may be emphasised, depending on the
circumstances. Several factors influence the auditor's choice of the types of tests
to select, including the availability of the different types of evidence, the relative
costs of each type of evidence, the effectiveness of internal controls, inherent
risks, fraud risks, and business risks.
• Availability of types of evidence for further audit procedures
• See Table 13-2, page 454.
• We can see from the table that six out of eight possible types of
evidence are available for testing balances, four for testing
transactions, four for testing controls, and only two for analytical
procedures. Certain types of evidence, including physical examination
and confirmation, can only be used to test a balance, while inquiries
of the client can be used in all types of tests.
• Relative costs of audit procedures
Audit procedures are different in costs. The rule is that auditors have to fulfil their
responsibilities according to laws and regulations and auditing standards. This
includes collecting sufficient appropriate evidence. There are general
requirements for the use of certain types of audit procedures, but after that the
extent of use of each type is a matter of personal judgement. The audit firm is a
profit-seeking entity, and therefore would like to fulfil its legal and professional
responsibilities at the lowest possible cost. This influences the mix of audit
procedures it uses.
In general, the audit procedures are classified below, according to their
relative costs, with the least costly first:
• Analytical procedures
• Risk assessment procedures (including obtaining an understanding of
the entity)
• Tests of controls
• Substantive tests of transactions
• Substantive tests of details of balances
• It is clear that the least expensive type is analytical procedures, which may
include making only a few comparisons per case or using a software program,
while the most expensive is substantive tests of balances, which may include
many complications in the account components, and the need to use expensive
confirmation and physical examination. Tests of controls are more expensive than
risk assessment procedures due to the need for more extensive testing
procedures in the former.
CHAPTER 24: Completing the Audit
• In this chapter, some procedures done at the end of the audit, but before the issuance of the
audit report are discussed.
• A contingent liability is a potential future obligation to an outside party for an unknown amount
resulting from activities that have already taken place. Three conditions are required for a
contingent liability to exist:
• 1- There is a potential future payment to an outside party or the impairment of an asset that
resulted from an existing condition.
• 2- There is uncertainty about the amount of the future payment or impairment.
• 3- The outcome will be resolved by some future event or events.
• If the likelihood of occurrence of the future outcome is probable and the amount can be
reasonably estimated, financial statement accounts are adjusted (a debit to a loss/expense and a
credit to a liability).
• If the likelihood of occurrence of the future outcome is probable and the amount cannot be
reasonably estimated, note disclosure is necessary.
• If the likelihood of occurrence of the future outcome is reasonably possible, note disclosure is
necessary.
• If the likelihood of occurrence of the future outcome is remote, no disclosure is necessary.
• Certain contingent liabilities include, for example:
• Pending litigation.
• Income tax disputes
• Product warranties
• Guarantees of obligations of other parties.
• Main objectives in verifying contingent liabilities are:
• Evaluating the accounting treatment of known contingent liabilities.
• Identifying (to the extent practical) any contingent liabilities not already identified by the client.
• The auditor must review transactions and events that occurred after the balance
sheet date to determine whether any of these transactions or events affects the
fair presentation and disclosure of the current period statements. Normally, this
responsibility extends up to the date of the auditor's report, which corresponds
to the completion of the important auditing procedures.
• Subsequent events are of two types:
1- Those that have a direct effect on the financial statements and require adjustments. This
generally means events that make issues that were unclear (probably estimated) at year-end
clearer, such as a settlement of litigation or a sale of an impaired asset. In these cases, an
adjustment to the financial statements of the previous year is required.
2- Those that do not have a direct effect on the financial statements but for which disclosure is
required. These are significant events that do not affect the balances at the year-end but are
sufficiently material to require a disclosure to mention their existence. These include a major loss
of uninsured buildings caused by fire, or the occurrence of a merger or acquisition.
Subsequent events are tested both as procedures normally integrated as part of the verification of
year-end account balances, and procedures performed specifically for the purpose of discovering
events or transactions that must be recognized as subsequent events. The first procedures are
done along with other audit tests (see cutoff and valuation objectives), while the second may
include procedures such as:
• Reviewing records prepared subsequent to the balance sheet date.
• Reviewing internal statements prepared subsequent to the balance sheet date.
• Examining minutes issued subsequent to the balance sheet date.
• Corresponding with attorneys.
• Inquiring of management.
• Obtaining a letter of representation.
• Perform final analytical procedures
• This includes other information in the annual report apart from the
financial statements and their related note disclosures. If the auditor
finds information that contradicts the financial statements, and
the client refuses to make amendments, the auditor may consider
adding a paragraph to emphasise that in the audit report (or qualify
the opinion if the error was in the financial statements or their notes).
After doing all that, the auditor evaluates the final results and issues
the report. He also communicates with the audit committee on:
• fraud and illegal acts
• internal control deficiencies
• other communication
This is to:
• Communicate auditor responsibilities in the audit of financial statements.
• Provide an overview of the scope and timing of the audit.
• Provide those charged with governance with significant findings arising during the audit.
• Obtain from those charged with governance information relevant to the audit.
Also, the auditor writes to the client about his recommendations about any part of the client’s
business.