Audit Planning and Risk Assessment Essay Sample
- Word count: 4004
- Category: risk
A limited time offer!
Get a custom sample essay written according to your requirements urgent 3h delivery guaranteedOrder Now
Audit Planning and Risk Assessment Essay Sample
Auditors should plan the audit so that the engagement is conducted in an effective manner.
The objectives of planning include:-
• Directing appropriate attention to the different areas of the audit such as assessing materiality, so that when the detailed audit plan is prepared, audit procedures can be directed towards the material amounts. • Identify potential problems or risks so that they can be resolved at an early stage. • Facilitate review and control of the audit.
• Assigning and briefing staff with appropriate skills, knowledge, training, proficiency. • Coordinating the work of others such as that of experts. • Obtaining knowledge and understanding of the client’s business. • Providing an economic and effective service within appropriate timescales
Planning an audit will permit development of:-
• An audit strategy based on risk analysis
• An audit plan that addressing the risks identified.
• Review the previous years working papers
• Identify problem areas encountered
• Determine staffing requirements
• Obtain an indication of time required
• If the client is new, review the previous auditors’ working papers to obtain closing balances which will affect this year’s financial statements. • Determine the trading pattern and problems faced by the client company. • Establish timetable, important dates and deadlines
• Assess the effect of changes from previous year:
2. Law and regulation
3. Accounting policies
5. Other relevant matters
• Perform analytical review or procedures on the latest accounts. • Request preparation of cash and profit projections where solvency problems are foreseen. • Review the work of internal audit.
• Evaluate whether reliance on other expert is necessary • Allocate and brief audit staff.
ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment
1. The auditor should perform risk assessment procedures in order to identify and assess the risks of material misstatement. Risk assessment procedures include:- • Making inquiries of management and others within the entity • Discuss with the client’s management about its objectives and expectations, and its plans for achieving those goals • Observation and inspection
• Perform analytical procedures to help the auditor in identifying unusual transactions. 2. The auditor should obtain an understanding of the entity and its environment, including the entity’s internal control systems. Understanding of the entity and its environment will help the auditor to identify the risks of material mis-statement; will provide the auditor with a basis for designing and implementing responses to assessed risk and to ensure that sufficient appropriate audit evidence is collected. An understanding of the entity can be obtained through understanding • Relevant industry, regulatory, and the applicable financial reporting framework • The nature of its operations; its ownership structure and governance structure • The market and its competition
• Nature of products/services and markets
• Location of production facilities and factories
• Key customers and suppliers
• Capital investment activities
• Significant changes over prior years.
3. The auditor should identify and assess the risks of material misstatement, and determine whether any of the risks identified are significant risks. This will help the auditor to design and perform further audit procedures.
The auditor should identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
The auditor must obtain an understanding of the entity and its environment, including internal controls, so that they can identify and assess the risks of material misstatement on financial statements due to fraud or error and design and perform further audit procedures.
The objective is to ensure that auditors obtain sufficient knowledge of the business of the entity to enable them to identify and understand the events, transactions or practice that may have a significant effect on the financial statements or the audit. This knowledge of the business helps to assess the levels of control and inherent risk and to determine audit procedures.
Procedures to follow:-
• Enquiry of management
• Analytical procedures.
• Observation and inspection.
Advantages of Risk Assessment
• Ensures that attention is focused early on the areas most likely to cause material misstatements. • Allows auditor to fully understand the entity.
• Allows the auditor to identify unusual transactions or balances as early as possible so that these could be addressed in a timely manner. • Permits the audit team to focus on key areas.
• Ensure that an experienced team is selected with more experienced staff allocated to higher risk audits and high risk balances. • Reduces the risk of an inappropriate audit opinion being given. • Permits the auditor to have a good understanding of the risks of fraud, money laundering. • Enables the auditor to assess whether the client is a going concern.
ISA 400 RISK ASSESSMENTS AND INTERNAL CONTROL
There are 2 main categories of risk
1. Business Risk
2. Audit Risk.
1. Business Risks
Business risk is the risk that the business will fail to meet its objective.
Elements of Business Risk include
• Financial risk which arises from the company activities such as going concern problems, overtrading, credit risk, interest risk, currency risk and breakdown of accounting systems. • Operational risk arising from the operation of the business such as lost business opportunities, loss of physical assets and lack of business orders. • Compliance risk arising from non-compliances with laws and regulations such as breach of companies acts, and health and safety regulations. 2. Audit risk is defined as the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.
Audit risk has two components
I. Risks of material misstatement (Financial Statement Risk) II. Detection Risk
I. Risk of material misstatement is defined as ‘the risk that the financial statements are materially misstated prior to audit. This consists of two elements inherent risk and control risk.
Financial Statement Risk = Risk of material misstatement= inherent risk + control risk
Inherent risk is ‘the risk that an assertion about a class of transaction, account balance or disclosure could be materially misstated.
Inherent risk is the risk that misstatement will occur due to factors inherent in the company’s business or environment or the nature of individual transaction or balance. It is the risk attached to an assertion that could cause a material misstatement. Certain assertions, related classes of transactions and account balances such as stock are more prone to risk.
Inherent risk depends on the type of business.
The following have a high inherent risk:
• Businesses with products subject to changes in fashion and technology business. The risk is that stock could be overstated. • Companies with a dominant chief executive.
• Small and new companies.
• Companies experiencing going concern problems.
• Companies facing a highly competitive environment.
Control risk is the risk that a misstatement could occur in an account balance or class of transactions and that could be material either individually or when aggregated with misstatement in other balance or class, would not be detected and corrected on timely basis, by the accounting and internal control systems.
This is the risk that the client’s internal control system will not prevent errors occurring or will not detect them after the occurrence so that they may be prevented.
Example of control risk – corporate culture of slack control procedures, lack of proper reconciliation of ledger balances.
II. Detection risk
Detection risk is the risk that auditor’s substantive procedures do not detect a misstatement that exist in an account balance or class of transactions that could be material either individually or when aggregated with misstatements in other balance. One component of detection risk is sampling risk. Sampling risk is the possibility that the auditor’s conclusion, based on a sample, may be different from the conclusion reached if the entire population were subjected to the audit procedure.
NOTE: Risks must be related to the risk arising in the audit of the financial statements and should include the financial statement assertion impacted. Therefore, audit risks should be related back to relevant assertions in the financial statements and must state whether the account will be overstated or understated.
Assessing Risk: ISA 330 The auditor’s procedures in response to assessed risks
1. ISA 330 indicates that the auditor must respond to the assessed risk by determining the nature and extent of audit evidence to be obtained from the performance of substantive procedures in response to the related assessment of the risk of material misstatement. This varies depending on the assessment of inherent and control risks, and that, irrespective of the assessed risk of material misstatement, the auditor designs and performs substantive procedures for each material class of transactions, account balance, and disclosure and that the assessed levels of inherent and control risk cannot be sufficiently low to eliminate the need to perform any substantive procedures. • Emphasize to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence. • Assign more experienced staff or those with special skills or using experts, providing more supervision. • Make changes to the nature, timing, or extent of audit procedures as an overall response, for example, performing substantive procedures at period end instead of at an interim date.
In designing further audit procedures, the auditor considers such matters as the following:
• The significance of the risk.
• The likelihood that a material misstatement will occur.
• The characteristics of the class of transactions, account balance, or disclosure • involved.
• The nature of the specific controls used by the entity and in particular whether they are manual or automated. • Whether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing, or detecting and correcting, material misstatements.
ISA 520 Analytical Procedures
Analytical procedures are used in obtaining an understanding of an entity and its environment and in the overall review at the end of the audit. ‘Analytical procedures’ actually is the evaluation of financial and other information, and the review of plausible relationships in that information. The review also includes identifying fluctuations and relationships that do not appear consistent with other relevant information or results.
Types of analytical procedures
Analytical procedures can be used as:
– Compare information to prior periods to identify unusual changes or fluctuations in amounts.
– Compare actual or anticipated results of the entity with budgets and/or forecasts, or the expectations of the auditor in order to determine the potential accuracy of those results.
– Compare to industry information either for the industry as a whole or by comparison to entities of similar size to the client to determine whether reasonable.
Use of analytical procedures
• Risk assessment procedures
Analytical procedures are used at the beginning of the audit to help the auditor obtain an understanding of the entity and assess the risk of material misstatement. Audit procedures can then be directed to these
• Analytical procedures as substantive procedures
Analytical procedures can be used as substantive procedures in determining the risk of material misstatement at the assertion level during work on the income statement and statement of financial position (balance sheet).
• Analytical procedures in the overall review at the end of the audit Analytical procedures help the auditor at the end of the audit in forming an overall conclusion as to whether the financial statements as a whole are consistent with the auditor’s understanding of the entity.
ISA 320 AUDIT MATERIALITY
Auditors must consider materiality and its relationship to audit risk when conducting and audit.
Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Misstatements, including omissions, are considered to be material if they could reasonably be expected to influence the economic decisions of users.
Materiality is an important concept in the audit process and affects:- • Audit risk evaluation
• The nature, timing and extent of audit procedures (e.g. sample sizes). • The determination of whether the financial statements are distorted by misstatements discovered.
The auditor’s assessment of materiality is influenced by the following:
• The overall impact on the financial statements. A materiality level for the financial statements as a whole. • Individual account balances and transactions
• Performance materiality. An amount or amounts lower than the
materiality level for the financial statements as a whole. It is the amount set by the auditor to reduce the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
Performance materiality is set to reduce the probability that the aggregate of uncorrected and undetected misstatements in the financial statements exceeds materiality for the financial statements as a whole
ISA 320 defines performance materiality as
1. The amount(s) set by the auditor at lower (smaller) than the materiality for the financial statements as a whole to reduce the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole to an appropriately low level 2. Performance materiality also refers to the amounts set a less than materiality for the financial statements as a whole when considering particular classes of transaction, account balances or disclosures.
Materiality for financial statements as a whole, of £90,000
Total of identified but uncorrected misstatements £ 40,000 Total of expected (unidentified mis-statements) £ 30,000 £ 70,000
Lower of £ 90,000 and £ 70,000= £ 70,000
The auditor should set materiality for the financial statements as a whole AND should also establish an amount set at less than materiality when designing the nature, timing and extent of further audit procedures. This will help to reduce the risk that misstatements in aggregate exceed the total for materiality for the financial statements as a whole.
Determination of materiality requires the exercise of professional judgement.
ISA 315 Assertions – Representations or statements made by management and
included in the financial statements
SIX Assertions about classes of transactions and events (Statement of Comprehensive Income items) 1. Occurrence: A financial or non financial transaction occurred/ took place during the accounting period. 2. Completeness: all transactions of sales and expenses that took place are recorded in the statement of comprehensive income. 3. Accuracy: the transactions are recorded at the correct amounts. 4. Cut-off transactions have been recorded in the correct accounting period 5. Classification: the transactions have been recorded in the proper accounts. 6. Presentation and disclosure: all transactions are presented and disclosed in accordance with the relevant financial reporting framework.
FIVE Assertions about account balances in the Statement of Financial Position
1. Existence: an asset and liability exists at balance sheet date. (The key objective is that assets are not overstated and liabilities are not understated).
2. Completeness: all assets and liabilities have been recorded.
3. Rights and obligation (Ownership) : The company has the rights to use the asset and is obligated to repay the liabilities.
4. Assertions about valuation: The assets and liabilities are recorded at an appropriate value. For all non current assets this would be initial cost plus increases or minus decreased in value.
5. Assertions about presentation and disclosures: Must be in accordance with relevant national legislation and accounting standard.
The auditor’s assessment of the identified risks at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures. The response must use:-
1. Test of controls/ compliance tests
In some cases, the auditor may determine that only by performing tests of controls will he achieve an effective response to the assessed risk of material misstatement for a particular assertion. Tests of control are an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. The auditor designs tests of controls to obtain sufficient appropriate audit evidence that the controls operated effectively throughout the period of reliance. Matters the auditor may consider in determining the extent of the auditor’s tests of controls include the following:
• The frequency of the performance of the control by the entity during the period. • The length of time during the audit period that the auditor is relying on the operating effectiveness of the control.
• The relevance and reliability of the audit evidence to be obtained in supporting that the control prevents, or detects and corrects, material misstatements at the assertion level.
• The extent to which audit evidence is obtained from tests of other controls related to the assertion.
2. Substantive Procedures. If the auditor determines that performing only substantive procedures is appropriate for specific assertions, he can exclude the effect of controls from the relevant risk assessment. This may be because the auditor’s risk assessment procedures have not identified any effective controls relevant to the assertion, or because testing the operating effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive procedures for the relevant assertion would be effective in reducing the risk of material misstatement to an acceptably low level. Often the auditor may determine that a combined approach using both tests of the operating effectiveness of controls and substantive procedures is an effective approach.
Substantive procedure – An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise tests of details and substantive analytical procedures.
(i) Tests of details (of classes of transactions, account balances, and disclosures), and (ii) Substantive analytical procedures. Tests of detail are appropriate for matters identified as significant risks. These include complex or unusual transactions which make indicate fraud or other special risks.
In some circumstances, the auditor may determine that it is effective to perform audit procedures at an interim date before year end
Test of Controls at interim stage:
When the auditor obtains evidence about the operating effectiveness of controls during an interim audit, the auditor should determine what additional audit evidence should be obtained for the remaining period.
Substantive Audit Procedures at interim stage
(a) Identify amounts that appear unusual
(b) Investigate any such amounts
(c) Perform substantive analytical procedures or tests of details to test the interim period.
Performing substantive procedures at an interim date without undertaking additional procedures at a later date increase the risk that the auditor will not detect misstatements that may exist at the period end.
Documentation at planning stage
The form and extent of audit documentation is a matter of professional judgment, and is influenced by the nature, size and complexity of the entity and its internal control, availability of information from the entity and the audit methodology and technology used in the audit.
Must document the following:-
• Audit Strategy
• Key elements of the entity
• Identified or assessed risk of material misstatement • Responses to address risk
• Nature, extent, timing of procedures.
ISA 402 Audit Considerations Relating to an Entity Using a third party Service Organisation.
Third party service organizations are companies that provide outsourcing services that impact the control environment of their clients.
Example of third party service organizations:-
A client may use a service organization such as one that records transactions and processes related data such as a computer systems service organization. If the entity uses a service organization, certain policies, procedures and records maintained by the service organization may be relevant to the audit of the financial statements of the client.
ISA 402 is applied when the auditor intends to use a service auditor’s report as audit evidence. If the auditor concludes that the activities of the service organization are significant to the entity and relevant to the audit, the auditor should obtain a sufficient understanding of the service organization and its environment, including its internal control, to identify and assess the risks of material misstatement and design further audit procedures in response to the assessed risks
If the auditor uses a service organization auditor’s report, the auditor should consider the nature of and content of that report. There are two types of service auditor reports:-
Type I service auditor’s report is a report only on the description and design of controls at a service organization. Type 2 service auditor’s report is a report on the description, design, and operating effectiveness of controls at a service organization
When performing risk assessment the auditor should perform the following procedures to ensure that the service organisation’s controls are operating effectively:-
• Obtain a Type 2 report, if available, prepared by auditors of the service organisation. • Obtain a reasonable assurance report by the service auditor • Perform tests of control at the service organisation • Use another auditor to perform tests of control at the service organisation on their behalf.
If the auditor intends to use a report from a service auditor they should perform procedures to ensure they are satisfied with the competence and independence of the service auditor and that the service auditor’s report provides sufficient appropriate evidence about the effectiveness of controls.
ISA 620 – USING THE WORK OF AN EXPERT
“Expert” means a person or firm possessing special skill, knowledge and experience in a particular field other than accounting and auditing.
An expert may be:
(a) Engaged by the entity;
(b) Engaged by the auditor;
(c) Employed by the entity; or
(d) Employed by the auditor.
When the auditor uses the work of an expert employed by the auditor, that work is used in the employee’s capacity as an expert rather than as an assistant on the audit.
The auditor should obtain sufficient appropriate audit evidence that the scope of the expert’s work is adequate for the purposes of the audit.
An expert’s work can be used :-
• At the planning stage to obtaining an understanding of the entity and performing further procedures in response to assessed risks. • During the audit to obtain audit evidence in the form of reports, opinions, valuations and statements of an expert.
The auditor needs to assess 4 issues in relation to an expert:- 1. Necessity to use him
2. Competence and objectivity – is he an employee or a contracted third party. 3. Scope of work of the expert.
4. Actual work. Consider the source data used, assumptions, methods and results. The consistency of the findings with other evidence; the significant assumptions made; and the use and accuracy of source data.
Before using an expert the audit shall agree, in writing:
• The roles and responsibilities of the auditor and the expert • The nature, scope and objectives of the expert’s work. • The nature, timing and extent of communication between the two parties. • The need for the expert to observe confidentiality.
Reference to an Expert in the Auditor’s Report
1. When issuing an unqualified report, the auditor should not refer to the work of an expert. Such a reference might be misunderstood to be a qualification of the auditor’s opinion or a division of responsibilities.
1. If as a result of the work of an expert, the auditor decides to issue a qualified audit report, it may be appropriate to refer to or describe the work of the expert (including the identity of the expert and the extent of the expert’s involvement). In these circumstances, the auditor would obtain the permission of the expert before making such a reference. If permission is refused and the auditor believes a reference is necessary, the auditor may need to seek legal advice. 2. If the auditor makes reference to the use of an expert in the audit report, the auditor the auditor shall indicate that the reference to the expert does not reduce the auditor’s responsibility for the opinion.