Objectives of This Course: Outline the PPC audit risk assessment

processUnderstand how to use PPC practice aids to

perform and document risk assessment

What is Risk Assessment?

Risk Assessment

Obtain an understanding of the client, including internal control

Identify and assess risks of material misstatement of the financial statements

Evaluate both overall risks and risks that affect only specific assertions

Audit Procedures

Concentrate audit effort in high risk areas Inherent riskControl risk

Perform less extensive procedures in low risk areas

Linkage

PPC Audit ApproachStep

Description

1 Perform Preliminary Engagement Activities• Client acceptance/continuance• Establish an understanding with the client

2 Perform Planning and Risk Assessment Procedures• Hold an engagement team discussion• Determine materiality• Perform risk assessment procedures• Understand the entity and its environment, including internal control

3 Assess Risks and Develop Responses• Assess risks at the financial statement level• Develop the overall audit strategy• Assess risks at the relevant assertion level• Develop the detailed audit plan

4 Perform Further Audit Procedures• Tests of controls• Substantive procedures

5 Evaluate Audit Findings

6 Issue Reports and Communications

Preliminary Engagement Activities

Client Acceptance/ContinuanceConsider: DocumentNature and purpose of

engagementClient’s reputation,

integrity, and competenceCommunication with

predecessorCompliance with ethical

requirements, including independence

Adequacy of accounting records

Firm resources and competence

Engagement economicsOther risk concerns

CX-1.1: “Engagement Acceptance and Continuance Form”

CX-7.1: “Risk Assessment Summary Form” (if risks are identified)

Establish an Understanding with the ClientEstablish an understanding about:

Objectives of the engagementManagement’s responsibilitiesAuditor’s responsibilitiesLimitations of the engagement

Communicate the understanding in a written engagement letter

CL-1.1: “Audit Engagement Letter”

Planning and Risk Assessment Procedures

Engagement Team DiscussionDiscuss the susceptibility of the financial

statements to material misstatementConsider fraud risks and risks of errorInclude:

Critical issues and areas of significant audit risk Areas susceptible to management override of controls Unusual accounting practices Important control systems Materiality considerations Need to exercise professional skepticism Business risks Fraud considerations

Engagement Team Discussion (cont.)Attendance:

Auditor with final responsibility Key members of engagement team

Document:How the discussion occurred, the subject

matter, who participated, and decisions about planned responses

CX-3.2: “Engagement Team Discussion”CX-7.1: “Risk Assessment Summary Form”

(if risks are identified)

MaterialityMateriality for the financial statements as a

wholeMateriality for particular items of lesser

amountsPerformance materiality

MaterialityApply professional judgmentConsider decisions that users makeUse appropriate benchmarks, such as % of

assets or revenueRe-evaluate materiality as the audit

progresses. If lower, reconsider:Level of performance materiality Adequacy of procedures

MaterialityDocument:

Materiality at the financial statement levelIf applicable, materiality level(s) for

particular transaction classes, account balances, or disclosures

Performance materialityFactors considered in their determinationAny revisions made during the auditCX-2: “Financial Statement Materiality

Worksheet for Planning Purposes”

Risk Assessment ProceduresTwo categories of audit procedures: Risk assessment procedures Further audit procedures

Risk Assessment Procedures

Further Audit

Procedures

Both Provide Audit

Evidence

Risk Assessment Procedures

Risk Assessment ProceduresPerformed to obtain an understanding of the

entity and its environment, including internal control, for the purpose of assessing risks

All of the procedures should be performedInquiry alone is not sufficient to understand

internal controlProvide audit evidence

InquiriesManagementOther employeesExternal parties (maybe)

Required InquiriesInquire about:

Fraud Related parties Accounting estimates Compliance with laws and regulations Service organizations

Document the inquiries:CX-3.3, “Fraud Risk Inquiries Form”CX-7.1, “Risk Assessment Summary Form” (if

risks are identified)

Observation and InspectionInspect documents and recordsRead internal reports and minutesRead external informationVisit premises and plant facilitiesTrace transactions through the system

(walkthroughs)

Analytical ProceduresPreliminary analytical proceduresAnalytical procedures related to revenue

required by AU-C 240To enhance understanding of the business

and identify potential risk areasDocumented by completing a step on AP-1,

“Audit Program for General Planning Procedures”

Add risks to CX-7.1, “Risk Assessment Summary Form”

Risk Assessment ProceduresDocument the procedures performedAU-C 230provides guidance on documenting

proceduresFor inquiries, document the date, name and

title of individual, inquiry, and responseFor observation, document what was observed,

where, when, and entity personnel involvedFor inspection, document the identifying

characteristics, for example, document name or number and date

Understanding the Entity and Its EnvironmentPerform risk assessment procedures (inquiry,

analytics, observation, and inspection) to gather information about: Industry, regulatory, and other external factorsNature of the entityObjectives, strategies, and related business

risksMeasurement and review of the entity’s

financial performanceSelection and application of accounting policies

Understanding the Entity and Its EnvironmentObtain an understanding of the client’s

selection and application of accounting policiesAre accounting policies appropriate for the

entity and consistent with the industry?Are there any changes in accounting policies?

23

Understanding the Entity and Its EnvironmentConsider the presence of fraud risk factorsUpdate information obtained in prior years

by performing risk assessment procedures to determine if the information has changed

Using the PPC ApproachCX-3.1: “Understanding the Entity and

Identifying Risks”Key elements of the understandingThe consideration of fraud risk factorsSources of informationRisk assessment procedures performed

CX-7.1: “Risk Assessment Summary Form” (if risks are identified)

CX-6.1: “Entity Risk Factors” and CX-6.2: “Fraud Risk Factors” (memory joggers)

25

Understanding Internal Control

26

Understanding Internal ControlUnderstand design and implementationPerform inquiry, observation, and inspectionInquiry alone is not sufficient to understand

the design and implementation of controls

27

Understanding Internal ControlEvaluate the design and implementation

of controls—Related to significant risksRelated to risks that cannot be tested

effectively using substantive procedures alone

Understand—How the incorrect processing of transactions is

resolvedHow detail is reconciled to the general ledger

for material accounts

28

Understanding Internal ControlDocument the following:

Understanding of internal control componentsSources of informationProcedures performedControls evaluated related to significant risks

and risks for which substantive procedures alone are not effective

Using the PPC ApproachEntity-level controls

Control environmentRisk assessment Information and communicationMonitoring

Activity-level controlsFinancial reporting systemControl activitiesIT environment and general computer controls

Using the PPC ApproachCX-4.1: “Understanding the Design and

Implementation of Internal Control”Evaluate entity-level controls Identify significant transaction classes

CX-4.2.1: “Financial Reporting System Documentation Form—Significant Transaction Classes”Document the processing of transactions for

each significant transaction classDocument the financial close and reporting

process

Using the PPC ApproachCX-4.2.2: “Financial Reporting System

Documentation Form—IT Environment and General Computer Controls”Understand the effect of IT

CX-4.3: “Walkthrough Documentation Table”For each walkthrough

CX-5: “Activity and Entity-level Control Forms” (optional)

Identifying Significant Transaction ClassesTransaction classes that present a reasonable

possibility of material misstatement of the financial statements or disclosures based on:Volume of activitySize and composition of accountsTypes of transactionsPresence of fraud risks or other significant

risksChanges from the prior period

Understanding Significant Transaction ClassesHow are transactions initiated and

authorized?How are transactions recorded and

processed?How are transactions reconciled?What reports are generated and how are they

used?

Understanding Significant Transaction ClassesConsider control objectives:

Completeness: All transactions are recordedOccurrence: All recorded transactions

occurred and pertain to the entityAccuracy: Transactions are recorded in the

proper amountClassification: Transactions are recorded in

the proper accountCutoff: Transactions are recorded in the

proper period

Documenting Significant Transaction ClassesNarrative descriptionFocus on key controls and control objectives

related to identified risksHow are control objectives achieved?What controls are in place to address

significant or fraud risks?Are controls properly designed and

implemented?

Performing WalkthroughsSelect one or a few transactionsTrace from initial creation of the source

document to final posting in the general ledger

Inspect documents and records used in processing, make inquiries, and observe procedures being performed

Retrospective Review of Accounting EstimatesPerformed to evaluate:

Effectiveness of management’s estimation process

Information relevant to current year estimatesThe need for disclosureThe existence of possible management bias

AP-1: “Audit Program for General Planning Procedures”

Assessing Risks and Developing Responses

Assess Risks at the Financial Statement LevelIdentify risks that are pervasive to the

financial statements and potentially affect many assertions

Assess the risk of material misstatement at the financial statement level

Develop overall responsesDocument the risk assessment and the

responsesCX-7.1: “Risk Assessment Summary Form”

(Part I)

40

Develop the Overall Audit StrategyCharacteristics of the engagement that define

its scopeReporting objectives of the engagement Important factors that determine audit focusResources needed to perform the audit

41

Factors That Determine Audit FocusMateriality levelsOverall risks and responsesPreliminary identification of high risk audit

areasPreliminary identification of material

locations and accountsWhether you plan to test controlsComposition and deployment of the audit

team

42

Assess Risks at the Relevant Assertion LevelIdentify risks of material misstatement (due

to error or fraud) for specific—Account balancesTransaction classesDisclosures

Consider what can go wrong at the relevant assertion level

43

Assess Risks at the Relevant Assertion Level

44

Assess Risks at the Relevant Assertion LevelAssessing risks at the assertion level

Are the risks of a magnitude that could result in material misstatement?

What is the likelihood that the risks could result in material misstatement?

Likelihood is a function of:Inherent riskControl risk

Need a basis for the assessment

45

Assess Risks at the Relevant Assertion LevelIdentify significant risks that require

special audit considerationFraud risksOther significant risks

Significant risks often relate to:Significant economic, accounting, or other

developmentsComplex, nonroutine, or judgmental mattersTransactions with related parties

46

Assess Risks at the Relevant Assertion LevelIdentify risks for which substantive

procedures alone are not adequateRevise the risk assessment and reconsider

planned audit procedures if audit evidence contradicts the original risk assessment

Assess Risks at the Relevant Assertion LevelDocument the following:

Risk assessment at the relevant assertion levelBasis for the assessmentSignificant risksRisks for which substantive procedures alone

are not adequateCX-7.1: “Risk Assessment Summary Form”

(Part II)

48

The Detailed Audit PlanThe nature, timing, and extent of further

audit procedures to respond to the risk assessment (i.e., the audit program)

Provides linkage between the risk assessment and the responses at the assertion level

49

Tailoring the PPC Audit Programs

Performing Further Audit Procedures

51

Tests of ControlsPerform tests of controls if:

Relying on them to reduce the risk assessmentSubstantive tests alone are not adequate

Inquiry alone is not sufficient for testing controls

52

Tests of ControlsRotational tests of controls are permitted:

Obtain evidence about whether the controls have changed using inquiry, observation, and inspection

If controls have changed, rotation is not appropriate

Test a control at least once every three years If several controls are rotationally tested, test

some controls each year If relying on controls for significant risks, controls

must be tested in the current yearCX-10.1: “Test of Controls Form”

53

Substantive ProceduresTest all relevant assertions for material

account balances, transaction classes, and disclosures

Perform procedures specifically to address significant risks

Substantive analytical procedures alone are not sufficient for significant risks

54

Substantive ProceduresPerform the following substantive procedures in

all audits:Agree the financial statements and notes to the

accounting recordsExamine material journal entries and other

adjustments made when preparing the financial statements

Procedures required by AU-C 240 to address the risk of management override of controls

Required procedures are on AP-2, “Audit Program for General Auditing and Completion Procedures”

55

Documenting Further Audit ProceduresDocument the following:

Nature, timing, and extentLinkageResultsConclusion about relying on tests of controls

performed in a prior audit

56

SummaryCompleted risk assessment consists of:

AP-1: “Audit Program for General Planning Procedures”

CX-1.1: “Engagement Acceptance and Continuance Form”

CX-2: “Financial Statement Materiality Worksheet for Planning Purposes”

CX-3.1: “Understanding the Entity and Identifying Risks”

CX-3.2: “Engagement Team Discussion”CX-3.3: “Fraud Risk Inquiries Form”

SummaryCompleted risk assessment (cont.)

CX-4.1: “Understanding the Design and Implementation of Internal Control”

CX-4.2.1: “Financial Reporting System Documentation Form—Significant Transaction Classes” (for each significant transaction class and financial close and reporting)

CX-4.2.2: “Financial Reporting System Documentation Form—IT Environment and General Computer Controls”

CX-4.3: “Walkthrough Documentation Table” (for each walkthrough)

CX-7.1: “Risk Assessment Summary Form”

SummaryOther PPC practice aids related to risk assessment

CX-5: “Activity and Entity-level Control Forms” (optional)

CX-6.1: “Entity Risk Factors” (memory jogger)CX-6.2: “Fraud Risk Factors” (memory jogger)CX-10.1: “Test of Controls Form” (if controls are

tested)CX-12.2: “Audit Difference Evaluation Form”AP-2: “Audit Program for General Auditing and

Completion Procedures”Tailored audit programs for individual audit areas