Audit Risk and Internal Control
Atta-ur-Rahman Arif
Audit Risk and Internal Controls
Audit Risk Model
• AR = IR x CR x DR
• AR = Audit risk
  – Also referred to as Residual Risk
  – The risk that the auditor will incorrectly issue an unqualified opinion
• IR = Inherent risk
  – The risk of material misstatements absent any internal controls or testing
Audit Risk Model
• CR = Control risk
  – The risk that internal controls will fail to prevent or detect material misstatement
• DR = Detection risk
  – The risk that audit tests will fail to detect material misstatement
• Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor
Risk Components
• Inherent risk
  – Higher in complex transactions
  – Higher where items are more naturally prone to fraud
  – Based in part on prior experience
  – Industry and management pressures
• Inherent risk cannot be changed by the auditor
Control Risk
• Part of Audit Risk Model
• Depends on the design and execution of controls
• Audit Risk = risk that internal controls will FAIL to prevent or detect misstatement
  – High CR means high risk controls will fail
  – Low CR means low risk controls will fail
• If CR is high, auditor will not rely much on controls
• If CR is low, auditor can rely on ICS and reduce other types of testing
Is Risk Quantifiable?
• Yes and No
• Often assessed in percentage terms
• Requires judgment because no number is out there to be measured
• Detection risk needs to be quantified for statistical testing
Interrelationship of Risks
• If IR and CR are high, then DR should be low (lots of testing)
• If IR is high and CR is low, DR can be higher, because controls offset high IR
• If IR is low and CR is low, DR can be high
• If IR is low but CR is high: somewhat indicative of fraud. DR should be very low
What is Acceptable Audit Risk?
• Risk the auditor is willing to take of being wrong
• Generally considered in terms of unqualified where there are misstatements, but not in reverse
• Depends on engagement risk
  – Financial stability
  – Industry factors
  – Management integrity
• Degree of reliance on audited statements
Keep Things Open
• Control risk assessment must be backed up by control testing results
• If tests show weaker controls, CR is higher, thus DR needs to be lower
Internal Control Objectives
• Reliability of financial statements
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
• Safeguarding of assets
Underlying Limitations
• Reasonable assurance
• Cost-benefit
• Inherent limitations
  – collusion
Design of ICS
• Preventing material misstatements
• Detecting material misstatements
• Preventing misappropriation
• Detecting misappropriation
• SarbOx: Management must assess and report on design
  – How are transactions initiated, authorized, recorded, processed, and reported?
  – Are there any weaknesses?
Management’s Report on ICS
• Must describe design
• Must make assertions about effectiveness
• Must report material weaknesses
• A single weakness prevents claim that ICS is operating effectively
• Must be able to document basis for report
• Auditor will provide an opinion on the report
• Any weaknesses mean that auditor’s report will be adverse.
Risk Assessment
• Management’s identification of risks
  – Economic
  – Industry
  – Regulatory
  – Operating risks
• Analysis and management of risks
• Examples
  – Oil companies in the Gulf of Mexico
  – Smith Corona
Control Activities
• Policies and procedures to address risks
• Pertains to all four other areas
• Separation of duties
• Proper authorization
• Adequate documents and records
• Physical control over assets and records
• Independent checks
Information and Communication
• Initiates, records, processes, and reports
• Transaction cycles
• Subsidiaries and controls
• Think of PERCV
Monitoring
• Need to ensure controls are working
• Monitoring now more pressing because of SarbOx
• Control needs change
• Personnel change
• Organizational structure changes