Post on 01-Dec-2015
Audit Risk Model
• AR = IR x CR x DR
• AR = Audit risk
– The risk that the auditor will incorrectly issue an unqualified opinion on statements that are materially misstated
• IR = Inherent risk
– The risk of material misstatement absent any internal controls or testing
• CR = Control risk
– The risk that internal controls will fail to prevent or detect material misstatement
• DR = Detection risk
– The risk that audit tests will fail to detect material misstatement
• Therefore, audit risk is the joint probability that a material misstatement arises (IR), is neither prevented nor detected by controls (CR), and is not detected by the auditor's own tests (DR)
Risk Components
• Inherent risk
– Higher in complex transactions
– Higher where items are more naturally prone to fraud
– Based in part on prior experience
– Industry and management pressures
• Inherent risk cannot be changed by the auditor – it just is
Control Risk
• Part of the Audit Risk Model
• Depends on the design and execution of controls
• Control risk = the risk that internal controls will FAIL to prevent or detect misstatement
– High CR means a high risk that controls will fail
– Low CR means a low risk that controls will fail
• If CR is high, auditor will not rely much on controls
• If CR is low, auditor can rely on ICS and reduce other types of testing
Risk Components, II
• More on control risk
– Depends on all 5 COSO categories
– Observed by the auditor but cannot be changed retroactively
• Detection risk
– A function of the types of tests the auditor does
– Remember nature, timing, and extent
– This is the only risk element that can be controlled by the auditor
Is Risk Quantifiable?
• Yes and no
• Often assessed in percentage terms
• Requires judgment because no number is out there to be measured
• Detection risk needs to be quantified for statistical testing
Interrelationship of Risks
• If IR and CR are high, then DR should be low (lots of testing)
• If IR is high and CR is low, DR can be higher, because controls offset the high IR
• If IR is low and CR is low, DR can be high
• If IR is low but CR is high, this is somewhat indicative of fraud; DR should be very low
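The slides give the model AR = IR x CR x DR, note that DR is the only term the auditor controls, and say DR must be quantified before statistical testing. The following is an added worked example, not part of the original slides: it solves the model for the planned DR and then converts that DR into a zero-deviation attribute sample size using the standard discovery-sampling bound (1 - p)^n <= DR, i.e. n >= ln(DR) / ln(1 - p), where p is the tolerable deviation rate. The numeric values (acceptable AR 5 %, "high" = 0.8, "low" = 0.3, tolerable rate 5 %) are constructed for illustration; the function and class names are the example's own. Note that the multiplicative model treats IR and CR symmetrically, so "IR high, CR low" and "IR low, CR high" yield the same DR; the slide's fraud caveat for the latter case is a judgment overlay the formula does not encode.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskPlan:
    """Planned risk levels plus the substantive sample size they imply."""
    inherent_risk: float
    control_risk: float
    detection_risk: float
    sample_size: int


def _check_prob(name: str, value: float) -> None:
    # Every risk in the model is a probability in (0, 1].
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def detection_risk(acceptable_ar: float, ir: float, cr: float) -> float:
    """Solve AR = IR x CR x DR for DR, the detection risk the auditor can tolerate.

    Capped at 1.0: if IR x CR is already below the acceptable AR, the auditor
    needs no further risk reduction from substantive testing.
    """
    for name, value in (("acceptable AR", acceptable_ar), ("IR", ir), ("CR", cr)):
        _check_prob(name, value)
    return min(1.0, acceptable_ar / (ir * cr))


def discovery_sample_size(dr: float, tolerable_rate: float) -> int:
    """Smallest n such that a zero-deviation sample of size n keeps the risk of
    incorrect acceptance at or below DR:  (1 - p)^n <= DR  =>  n >= ln(DR)/ln(1-p).
    """
    _check_prob("detection risk", dr)
    if not 0.0 < tolerable_rate < 1.0:
        raise ValueError("tolerable deviation rate must be in (0, 1)")
    if dr >= 1.0:
        return 0  # any DR is acceptable: no substantive sample required
    return math.ceil(math.log(dr) / math.log(1.0 - tolerable_rate))


def plan(acceptable_ar: float, ir: float, cr: float,
         tolerable_rate: float = 0.05) -> RiskPlan:
    """Derive planned DR from the audit risk model and size the test for it."""
    dr = detection_risk(acceptable_ar, ir, cr)
    return RiskPlan(ir, cr, dr, discovery_sample_size(dr, tolerable_rate))


# The four cases from the slide. "high"/"low" values are constructed, not
# from the original material; the model itself cannot see the fraud warning
# the slide attaches to the "IR low, CR high" case.
def plan_all(acceptable_ar: float = 0.05, high: float = 0.8, low: float = 0.3,
             tolerable_rate: float = 0.05) -> dict:
    scenarios = {
        "IR high, CR high": (high, high),
        "IR high, CR low": (high, low),
        "IR low, CR low": (low, low),
        "IR low, CR high (fraud indicator: judgment, not formula)": (low, high),
    }
    return {name: plan(acceptable_ar, ir, cr, tolerable_rate)
            for name, (ir, cr) in scenarios.items()}


if __name__ == "__main__":
    for name, p in plan_all().items():
        print(f"{name:60s} DR={p.detection_risk:.3f}  n={p.sample_size}")
```

Reading the output top to bottom reproduces the slide's ordering: the high/high case forces the lowest DR and the largest sample, low/low permits the highest DR and the smallest sample, and the two mixed cases fall in between at the same value, which is exactly where the auditor's judgment about the low-IR/high-CR anomaly has to override the arithmetic.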
What is Acceptable Audit Risk?
• Risk the auditor is willing to take of being wrong
• Generally framed as the risk of issuing an unqualified opinion on statements that contain material misstatements, not the reverse error
• Depends on engagement risk
– Financial stability
– Industry factors
– Management integrity
• Degree of reliance on audited statements
Keep Things Open
• Control risk assessment must be backed up by control testing results
• If tests show weaker controls, CR is higher, thus DR needs to be lower
Internal Control Objectives
• Reliability of financial statements
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
• Safeguarding of assets
Design of ICS
• Preventing material misstatements
• Detecting material misstatements
• Preventing misappropriation
• Detecting misappropriation
• SarbOx: Management must assess and report on design
– How are transactions initiated, authorized, recorded, processed, and reported?
– Are there any weaknesses?
Effectiveness of ICS
• Is the control operating as designed?
• Is the person operating the control qualified to do so effectively?
• Does the person have the necessary authority?
• How should management assess this?
– Inquiry
– Inspection of documents
– Reperformance
– Observation of operations
Management’s Report on ICS
• Must describe design
• Must make assertions about effectiveness
• Must report material weaknesses
• A single material weakness prevents the claim that the ICS is operating effectively
• Must be able to document the basis for the report
• Auditor will provide an opinion on the report
• Any material weakness means the auditor's opinion on the ICS will be adverse
COSO Components of ICS
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
Control Environment
• Reflects management’s overall attitude toward controls
• Integrity and ethical values
• Commitment to competence
• Audit committee / Board of Directors
• Philosophy and operating style
• Organizational structure
• HR practices
• Environment sets the stage for all the rest!
Risk Assessment
• Management's identification of risks
– Economic
– Industry
– Regulatory
– Operating risks
• Analysis and management of risks
• Examples
– Oil companies in the Gulf of Mexico
– Smith Corona
Control Activities
• Policies and procedures to address risks
• Pertains to all four other areas
• Separation of duties
• Proper authorization
• Adequate documents and records
• Physical control over assets and records
• Independent checks
Information and Communication
• Initiates, records, processes, and reports transactions
• Transaction cycles
• Subsidiaries and controls
• Think of PERCV (the financial statement assertions: presentation, existence, rights, completeness, valuation)
Monitoring
• Need to ensure controls are working
• Monitoring now more pressing because of SarbOx
• Control needs change
• Personnel change
• Organizational structure changes
Documenting your understanding
• Narratives
• Flowcharts
– Pictures tell a thousand words!
• Questionnaires
– All "no" answers are weaknesses
– Look for mitigating controls elsewhere
– Be sure connections are made
– Insufficient by itself
Reading a Flowchart
• Top left to bottom right
• Try to keep one department or operator in one column
• Decision points give alternate paths
• Connectors are usually necessary