Audit Risk and Internal Control
Atta-ur-Rahman Arif
Audit Risk and Internal Controls
Audit Risk Model
• AR = IR x CR x DR
• AR = Audit risk
  – Also referred to as Residual Risk
  – The risk that the auditor will incorrectly issue an unqualified opinion
• IR = Inherent risk
  – The risk of material misstatements absent any internal controls or testing
Audit Risk Model
• CR = Control risk
  – The risk that internal controls will fail to prevent or detect material misstatement
• DR = Detection risk
  – The risk that audit tests will fail to detect material misstatement
• Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor
Risk Components
• Inherent risk
  – Higher in complex transactions
  – Higher where items are more naturally prone to fraud
  – Based in part on prior experience
  – Industry and management pressures
• Inherent risk cannot be changed by the auditor
Control Risk
• Part of Audit Risk Model
• Depends on the design and execution of controls
• Audit Risk = risk that internal controls will FAIL to prevent or detect misstatement
  – High CR means high risk controls will fail
  – Low CR means low risk controls will fail
• If CR is high, auditor will not rely much on controls
• If CR is low, auditor can rely on ICS and reduce other types of testing
Is Risk Quantifiable?
• Yes and No
• Often assessed in percentage terms
• Requires judgment because no number is out there to be measured
• Detection risk needs to be quantified for statistical testing
Interrelationship of Risks
• If IR and CR are high, then
  – DR should be low (lots of testing)
• If IR is high and CR is low
  – DR can be higher, because controls offset high IR
• If IR is low and CR is low
  – DR can be high
• If IR is low but CR is high
  – Somewhat indicative of fraud. DR should be very low
What is Acceptable Audit Risk?
• Risk the auditor is willing to take of being wrong
• Generally considered in terms of unqualified where there are misstatements, but not in reverse
• Depends on engagement risk
  – Financial stability
  – Industry factors
  – Management integrity
• Degree of reliance on audited statements
Keep Things Open
• Control risk assessment must be backed up by control testing results
• If tests show weaker controls, CR is higher, thus DR needs to be lower
Internal Control Objectives
• Reliability of financial statements
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
• Safeguarding of assets
Underlying Limitations
• Reasonable assurance
• Cost-benefit
• Inherent limitations
  – Collusion
Design of ICS
• Preventing material misstatements
• Detecting material misstatements
• Preventing misappropriation
• Detecting misappropriation
• SarbOx: Management must assess and report on design
  – How are transactions initiated, authorized, recorded, processed, and reported?
  – Are there any weaknesses?
Management’s Report on ICS
• Must describe design
• Must make assertions about effectiveness
• Must report material weaknesses
• A single weakness prevents claim that ICS is operating effectively
• Must be able to document basis for report
• Auditor will provide an opinion on the report
• Any weaknesses mean that auditor’s report will be adverse.
Risk Assessment
• Management’s identification of risks
  – Economic
  – Industry
  – Regulatory
  – Operating risks
• Analysis and management of risks
• Examples
  – Oil companies in the Gulf of Mexico
  – Smith Corona
Control Activities
• Policies and procedures to address risks
• Pertains to all four other areas
• Separation of duties
• Proper authorization
• Adequate documents and records
• Physical control over assets and records
• Independent checks
Information and Communication
• Initiates, records, processes, and reports
• Transaction cycles
• Subsidiaries and controls
• Think of PERCV
Monitoring
• Need to ensure controls are working
• Monitoring now more pressing because of SarbOx
• Control needs change
• Personnel change
• Organizational structure changes