Objectives of This Course: Outline the PPC audit risk assessment process Understand how to use PPC...
Objectives of This Course:
• Outline the PPC audit risk assessment process
• Understand how to use PPC practice aids to perform and document risk assessment

What is Risk Assessment?
Risk Assessment
• Obtain an understanding of the client, including internal control
• Identify and assess risks of material misstatement of the financial statements
• Evaluate both overall risks and risks that affect only specific assertions
Audit Procedures
• Concentrate audit effort in high risk areas
  • Inherent risk
  • Control risk
• Perform less extensive procedures in low risk areas
Linkage

PPC Audit Approach
Step  Description
1 Perform Preliminary Engagement Activities
  • Client acceptance/continuance
  • Establish an understanding with the client
2 Perform Planning and Risk Assessment Procedures
  • Hold an engagement team discussion
  • Determine materiality
  • Perform risk assessment procedures
  • Understand the entity and its environment, including internal control
3 Assess Risks and Develop Responses
  • Assess risks at the financial statement level
  • Develop the overall audit strategy
  • Assess risks at the relevant assertion level
  • Develop the detailed audit plan
4 Perform Further Audit Procedures
  • Tests of controls
  • Substantive procedures
5 Evaluate Audit Findings
6 Issue Reports and Communications

Preliminary Engagement Activities
Client Acceptance/Continuance
Consider:
• Nature and purpose of engagement
• Client’s reputation, integrity, and competence
• Communication with predecessor
• Compliance with ethical requirements, including independence
• Adequacy of accounting records
• Firm resources and competence
• Engagement economics
• Other risk concerns
Document:
• CX-1.1: “Engagement Acceptance and Continuance Form”
• CX-7.1: “Risk Assessment Summary Form” (if risks are identified)

Establish an Understanding with the Client
Establish an understanding about:
• Objectives of the engagement
• Management’s responsibilities
• Auditor’s responsibilities
• Limitations of the engagement
Communicate the understanding in a written engagement letter
• CL-1.1: “Audit Engagement Letter”

Planning and Risk Assessment Procedures
Engagement Team Discussion
• Discuss the susceptibility of the financial statements to material misstatement
• Consider fraud risks and risks of error
• Include:
  • Critical issues and areas of significant audit risk
  • Areas susceptible to management override of controls
  • Unusual accounting practices
  • Important control systems
  • Materiality considerations
  • Need to exercise professional skepticism
  • Business risks
  • Fraud considerations

Engagement Team Discussion (cont.)
Attendance:
• Auditor with final responsibility
• Key members of engagement team
Document:
• How the discussion occurred, the subject matter, who participated, and decisions about planned responses
• CX-3.2: “Engagement Team Discussion”
• CX-7.1: “Risk Assessment Summary Form” (if risks are identified)

Materiality
• Materiality for the financial statements as a whole
• Materiality for particular items of lesser amounts
• Performance materiality

Materiality
• Apply professional judgment
• Consider decisions that users make
• Use appropriate benchmarks, such as % of assets or revenue
• Re-evaluate materiality as the audit progresses. If lower, reconsider:
  • Level of performance materiality
  • Adequacy of procedures

Materiality
Document:
• Materiality at the financial statement level
• If applicable, materiality level(s) for particular transaction classes, account balances, or disclosures
• Performance materiality
• Factors considered in their determination
• Any revisions made during the audit
• CX-2: “Financial Statement Materiality Worksheet for Planning Purposes”

Risk Assessment Procedures
Two categories of audit procedures:
• Risk assessment procedures
• Further audit procedures
Risk Assessment Procedures
Further Audit Procedures
Both Provide Audit Evidence

Risk Assessment Procedures

Risk Assessment Procedures
• Performed to obtain an understanding of the entity and its environment, including internal control, for the purpose of assessing risks
• All of the procedures should be performed
• Inquiry alone is not sufficient to understand internal control
• Provide audit evidence

Inquiries
• Management
• Other employees
• External parties (maybe)

Required Inquiries
Inquire about:
• Fraud
• Related parties
• Accounting estimates
• Compliance with laws and regulations
• Service organizations
Document the inquiries:
• CX-3.3, “Fraud Risk Inquiries Form”
• CX-7.1, “Risk Assessment Summary Form” (if risks are identified)

Observation and Inspection
• Inspect documents and records
• Read internal reports and minutes
• Read external information
• Visit premises and plant facilities
• Trace transactions through the system (walkthroughs)

Analytical Procedures
• Preliminary analytical procedures
• Analytical procedures related to revenue required by AU-C 240
• To enhance understanding of the business and identify potential risk areas
• Documented by completing a step on AP-1, “Audit Program for General Planning Procedures”
• Add risks to CX-7.1, “Risk Assessment Summary Form”

Risk Assessment Procedures
• Document the procedures performed
• AU-C 230 provides guidance on documenting procedures
• For inquiries, document the date, name and title of individual, inquiry, and response
• For observation, document what was observed, where, when, and entity personnel involved
• For inspection, document the identifying characteristics, for example, document name or number and date

Understanding the Entity and Its Environment
Perform risk assessment procedures (inquiry, analytics, observation, and inspection) to gather information about:
• Industry, regulatory, and other external factors
• Nature of the entity
• Objectives, strategies, and related business risks
• Measurement and review of the entity’s financial performance
• Selection and application of accounting policies

Understanding the Entity and Its Environment
• Obtain an understanding of the client’s selection and application of accounting policies
• Are accounting policies appropriate for the entity and consistent with the industry?
• Are there any changes in accounting policies?

Understanding the Entity and Its Environment
• Consider the presence of fraud risk factors
• Update information obtained in prior years by performing risk assessment procedures to determine if the information has changed

Using the PPC Approach
• CX-3.1: “Understanding the Entity and Identifying Risks”
  • Key elements of the understanding
  • The consideration of fraud risk factors
  • Sources of information
  • Risk assessment procedures performed
• CX-7.1: “Risk Assessment Summary Form” (if risks are identified)
• CX-6.1: “Entity Risk Factors” and CX-6.2: “Fraud Risk Factors” (memory joggers)

Understanding Internal Control

Understanding Internal Control
• Understand design and implementation
• Perform inquiry, observation, and inspection
• Inquiry alone is not sufficient to understand the design and implementation of controls

Understanding Internal Control
Evaluate the design and implementation of controls—
• Related to significant risks
• Related to risks that cannot be tested effectively using substantive procedures alone
Understand—
• How the incorrect processing of transactions is resolved
• How detail is reconciled to the general ledger for material accounts

Understanding Internal Control
Document the following:
• Understanding of internal control components
• Sources of information
• Procedures performed
• Controls evaluated related to significant risks and risks for which substantive procedures alone are not effective

Using the PPC Approach
Entity-level controls
• Control environment
• Risk assessment
• Information and communication
• Monitoring
Activity-level controls
• Financial reporting system
• Control activities
• IT environment and general computer controls

Using the PPC Approach
• CX-4.1: “Understanding the Design and Implementation of Internal Control”
  • Evaluate entity-level controls
  • Identify significant transaction classes
• CX-4.2.1: “Financial Reporting System Documentation Form—Significant Transaction Classes”
  • Document the processing of transactions for each significant transaction class
  • Document the financial close and reporting process

Using the PPC Approach
• CX-4.2.2: “Financial Reporting System Documentation Form—IT Environment and General Computer Controls”
  • Understand the effect of IT
• CX-4.3: “Walkthrough Documentation Table”
  • For each walkthrough
• CX-5: “Activity and Entity-level Control Forms” (optional)

Identifying Significant Transaction Classes
Transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures based on:
• Volume of activity
• Size and composition of accounts
• Types of transactions
• Presence of fraud risks or other significant risks
• Changes from the prior period

Understanding Significant Transaction Classes
• How are transactions initiated and authorized?
• How are transactions recorded and processed?
• How are transactions reconciled?
• What reports are generated and how are they used?

Understanding Significant Transaction Classes
Consider control objectives:
• Completeness: All transactions are recorded
• Occurrence: All recorded transactions occurred and pertain to the entity
• Accuracy: Transactions are recorded in the proper amount
• Classification: Transactions are recorded in the proper account
• Cutoff: Transactions are recorded in the proper period

Documenting Significant Transaction Classes
• Narrative description
• Focus on key controls and control objectives related to identified risks
• How are control objectives achieved?
• What controls are in place to address significant or fraud risks?
• Are controls properly designed and implemented?

Performing Walkthroughs
• Select one or a few transactions
• Trace from initial creation of the source document to final posting in the general ledger
• Inspect documents and records used in processing, make inquiries, and observe procedures being performed

Retrospective Review of Accounting Estimates
Performed to evaluate:
• Effectiveness of management’s estimation process
• Information relevant to current year estimates
• The need for disclosure
• The existence of possible management bias
AP-1: “Audit Program for General Planning Procedures”

Assessing Risks and Developing Responses

Assess Risks at the Financial Statement Level
• Identify risks that are pervasive to the financial statements and potentially affect many assertions
• Assess the risk of material misstatement at the financial statement level
• Develop overall responses
• Document the risk assessment and the responses
• CX-7.1: “Risk Assessment Summary Form” (Part I)

Develop the Overall Audit Strategy
• Characteristics of the engagement that define its scope
• Reporting objectives of the engagement
• Important factors that determine audit focus
• Resources needed to perform the audit

Factors That Determine Audit Focus
• Materiality levels
• Overall risks and responses
• Preliminary identification of high risk audit areas
• Preliminary identification of material locations and accounts
• Whether you plan to test controls
• Composition and deployment of the audit team

Assess Risks at the Relevant Assertion Level
• Identify risks of material misstatement (due to error or fraud) for specific—
  • Account balances
  • Transaction classes
  • Disclosures
• Consider what can go wrong at the relevant assertion level

Assess Risks at the Relevant Assertion Level

Assess Risks at the Relevant Assertion Level
Assessing risks at the assertion level
• Are the risks of a magnitude that could result in material misstatement?
• What is the likelihood that the risks could result in material misstatement?
• Likelihood is a function of:
  • Inherent risk
  • Control risk
• Need a basis for the assessment

Assess Risks at the Relevant Assertion Level
• Identify significant risks that require special audit consideration
  • Fraud risks
  • Other significant risks
• Significant risks often relate to:
  • Significant economic, accounting, or other developments
  • Complex, nonroutine, or judgmental matters
  • Transactions with related parties

Assess Risks at the Relevant Assertion Level
• Identify risks for which substantive procedures alone are not adequate
• Revise the risk assessment and reconsider planned audit procedures if audit evidence contradicts the original risk assessment

Assess Risks at the Relevant Assertion Level
Document the following:
• Risk assessment at the relevant assertion level
• Basis for the assessment
• Significant risks
• Risks for which substantive procedures alone are not adequate
• CX-7.1: “Risk Assessment Summary Form” (Part II)

The Detailed Audit Plan
• The nature, timing, and extent of further audit procedures to respond to the risk assessment (i.e., the audit program)
• Provides linkage between the risk assessment and the responses at the assertion level

Tailoring the PPC Audit Programs
Performing Further Audit Procedures

Tests of Controls
Perform tests of controls if:
• Relying on them to reduce the risk assessment
• Substantive tests alone are not adequate
Inquiry alone is not sufficient for testing controls

Tests of Controls
Rotational tests of controls are permitted:
• Obtain evidence about whether the controls have changed using inquiry, observation, and inspection
• If controls have changed, rotation is not appropriate
• Test a control at least once every three years
• If several controls are rotationally tested, test some controls each year
• If relying on controls for significant risks, controls must be tested in the current year
CX-10.1: “Test of Controls Form”

Substantive Procedures
• Test all relevant assertions for material account balances, transaction classes, and disclosures
• Perform procedures specifically to address significant risks
• Substantive analytical procedures alone are not sufficient for significant risks

Substantive Procedures
Perform the following substantive procedures in all audits:
• Agree the financial statements and notes to the accounting records
• Examine material journal entries and other adjustments made when preparing the financial statements
• Procedures required by AU-C 240 to address the risk of management override of controls
Required procedures are on AP-2, “Audit Program for General Auditing and Completion Procedures”

Documenting Further Audit Procedures
Document the following:
• Nature, timing, and extent
• Linkage
• Results
• Conclusion about relying on tests of controls performed in a prior audit

Summary
Completed risk assessment consists of:
• AP-1: “Audit Program for General Planning Procedures”
• CX-1.1: “Engagement Acceptance and Continuance Form”
• CX-2: “Financial Statement Materiality Worksheet for Planning Purposes”
• CX-3.1: “Understanding the Entity and Identifying Risks”
• CX-3.2: “Engagement Team Discussion”
• CX-3.3: “Fraud Risk Inquiries Form”

Summary
Completed risk assessment (cont.)
• CX-4.1: “Understanding the Design and Implementation of Internal Control”
• CX-4.2.1: “Financial Reporting System Documentation Form—Significant Transaction Classes” (for each significant transaction class and financial close and reporting)
• CX-4.2.2: “Financial Reporting System Documentation Form—IT Environment and General Computer Controls”
• CX-4.3: “Walkthrough Documentation Table” (for each walkthrough)
• CX-7.1: “Risk Assessment Summary Form”

Summary
Other PPC practice aids related to risk assessment
• CX-5: “Activity and Entity-level Control Forms” (optional)
• CX-6.1: “Entity Risk Factors” (memory jogger)
• CX-6.2: “Fraud Risk Factors” (memory jogger)
• CX-10.1: “Test of Controls Form” (if controls are tested)
• CX-12.2: “Audit Difference Evaluation Form”
• AP-2: “Audit Program for General Auditing and Completion Procedures”
• Tailored audit programs for individual audit areas