Audit Risk and Internal Controls

Upload: kennethinfante

Post on 01-Dec-2015

Audit Risk and Internal Controls

Audit Risk Model

• AR = IR x CR x DR

• AR = Audit risk

– The risk that the auditor will incorrectly issue an unqualified opinion

• IR = Inherent risk

– The risk of material misstatements absent any internal controls or testing

Audit Risk Model

• CR = Control risk

– The risk that internal controls will fail to prevent or detect material misstatement

• DR = Detection risk

– The risk that audit tests will fail to detect material misstatement

• Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor

Risk Components

• Inherent risk

– Higher in complex transactions

– Higher where items are more naturally prone to fraud

– Based in part on prior experience

– Industry and management pressures

• Inherent risk cannot be changed by the auditor – it just is

Control Risk

• Part of Audit Risk Model

• Depends on the design and execution of controls

• Control Risk = risk that internal controls will FAIL to prevent or detect misstatement

– High CR means high risk controls will fail

– Low CR means low risk controls will fail

• If CR is high, auditor will not rely much on controls

• If CR is low, auditor can rely on ICS and reduce other types of testing

Risk Components, II

• More Control risk

– Depends on all 5 COSO categories

– Observed by the auditor but cannot be changed retroactively

• Detection risk

– A function of the types of tests the auditor does

– Remember nature, timing, and extent

– This is the only risk element that can be controlled by the auditor

Is Risk Quantifiable?

• Yes and No

• Often assessed in percentage terms

• Requires judgment because no number is out there to be measured

• Detection risk needs to be quantified for statistical testing

Interrelationship of Risks

• If IR and CR are high, then DR should be low (lots of testing)

• If IR is high and CR is low, then DR can be higher, because controls offset high IR

• If IR is low and CR is low, then DR can be high

• If IR is low but CR is high, this is somewhat indicative of fraud. DR should be very low

What is Acceptable Audit Risk?

• Risk the auditor is willing to take of being wrong

• Generally considered in terms of unqualified where there are misstatements, but not in reverse

• Depends on engagement risk

– Financial stability

– Industry factors

– Management integrity

• Degree of reliance on audited statements

Keep Things Open

• Control risk assessment must be backed up by control testing results

• If tests show weaker controls, CR is higher, thus DR needs to be lower

Internal Control Objectives

• Reliability of financial statements

• Efficiency and effectiveness of operations

• Compliance with laws and regulations

• Safeguarding of assets

Underlying Limitations

• Reasonable assurance

• Cost-benefit

• Inherent limitations

– collusion

Design of ICS

• Preventing material misstatements

• Detecting material misstatements

• Preventing misappropriation

• Detecting misappropriation

• SarbOx: Management must assess and report on design

– How are transactions initiated, authorized, recorded, processed, and reported?

– Are there any weaknesses?

Effectiveness of ICS

• Is the control operating as designed?

• Is the person operating the control qualified to do so effectively?

• Does the person have the necessary authority?

• How should management assess this?

– Inquiry

– Inspection of documents

– Reperformance

– Observation of operations

Management’s Report on ICS

• Must describe design

• Must make assertions about effectiveness

• Must report material weaknesses

• A single weakness prevents claim that ICS is operating effectively

• Must be able to document basis for report

• Auditor will provide an opinion on the report

• Any weaknesses mean that auditor’s report will be adverse.

COSO Components of ICS

• Control environment

• Risk assessment

• Control activities

• Information and communication

• Monitoring

Control Environment

• Reflects management’s overall attitude toward controls

• Integrity and ethical values

• Commitment to competence

• Audit committee / Board of Directors

• Philosophy and operating style

• Organizational structure

• HR practices

• Environment sets the stage for all the rest!

Risk Assessment

• Management’s identification of risks

– Economic

– Industry

– Regulatory

– Operating risks

• Analysis and management of risks

• Examples

– Oil companies in the Gulf of Mexico

– Smith Corona

Control Activities

• Policies and procedures to address risks

• Pertains to all four other areas

• Separation of duties

• Proper authorization

• Adequate documents and records

• Physical control over assets and records

• Independent checks

Information and Communication

• Initiates, records, processes, and reports

• Transaction cycles

• Subsidiaries and controls

• Think of PERCV

Monitoring

• Need to ensure controls are working

• Monitoring now more pressing because of SarbOx

• Control needs change

• Personnel change

• Organizational structure changes

Documenting your understanding

• Narratives

• Flowcharts

– Pictures tell a thousand words!

• Questionnaires

– All “no” answers are weaknesses

– Look for mitigating controls elsewhere

– Be sure connections are made

– Insufficient by itself

Reading a Flowchart

• Top left to bottom right

• Try to keep one department or operator in one column

• Decision points give alternate paths

• Connectors are usually necessary

Common Flowchart Symbols

[Slide shows the standard flowchart symbols with these labels:]

• Data enters system

• Process

• Document

• Multiple copies

• File

• Stored data file

• Disk storage

• Decision point (labelled “?”, with Yes / No branches)

• Connector (labelled “A”)

Now let’s look at page 417