1. Audit Risk and Internal Controls
2. Audit Risk Model AR = IR x CR x DR
AR = Audit risk
The risk that the auditor will incorrectly issue an unqualified opinion
IR = Inherent risk
The risk of material misstatements absent any internal controls or testing
3. Audit Risk Model CR = Control risk
The risk that internal controls will fail to prevent or detect material misstatement
DR = Detection risk
The risk that audit tests will fail to detect material misstatement
Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor
4. Risk Components Inherent risk
Higher in complex transactions
Higher where items are more naturally prone to fraud
Based in part on prior experience
Industry and management pressures
Inherent risk cannot be changed by the auditor – it just is
5. Control Risk Part of Audit Risk Model
Depends on the design and execution of controls
Control Risk = risk that internal controls will FAIL to prevent or detect misstatement
High CR means high risk controls will fail
Low CR means low risk controls will fail
If CR is high, auditor will not rely much on controls
If CR is low, auditor can rely on ICS and reduce other types of testing
6. Risk Components, II More Control risk
Depends on all 5 COSO categories
Observed by the auditor but cannot be changed retroactively
Detection risk
A function of the types of tests the auditor does
Remember nature, timing, and extent
This is the only risk element that can be controlled by the auditor
7. Is Risk Quantifiable? Yes and No
Often assessed in percentage terms
Requires judgment because no number is out there to be measured
Detection risk needs to be quantified for statistical testing
8. Interrelationship of Risks If IR and CR are high, then DR should be low (lots of testing)
If IR is high and CR is low, DR can be higher, because controls offset high IR
If IR is low and CR is low, DR can be high
If IR is low but CR is high, somewhat indicative of fraud. DR should be very low
9. What is Acceptable Audit Risk? Risk the auditor is willing to take of being wrong
Generally considered in terms of issuing an unqualified opinion where there are misstatements, but not the reverse
Depends on engagement risk
Financial stability
Industry factors
Management integrity
Degree of reliance on audited statements
10. Keep Things Open Control risk assessment must be backed up by control testing results
If tests show weaker controls, CR is higher, thus DR needs to be lower
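The risk model from slides 2 and 3 carried through numerically for the interrelationship cases (slide 8) and the reassessment after control testing (slide 10). This is an added example, not from the slide deck; the percentages and the 50% high/low threshold are constructed assumptions.

```python
# Added example (not from the slides): AR = IR x CR x DR solved for planned
# detection risk, the qualitative reading of the four IR/CR cases, and the
# revision after control tests show weaker controls than planned.
# All percentages below are constructed sample values, not from the deck.


def planned_detection_risk(acceptable_ar: float, ir: float, cr: float) -> float:
    """Solve AR = IR x CR x DR for DR, the only component the auditor controls.

    Inputs are probabilities in (0, 1]. If IR x CR is already at or below the
    acceptable audit risk, any detection risk is tolerable, so DR is capped
    at 1.0 (the model alone demands no further substantive testing).
    """
    for name, value in (("AR", acceptable_ar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return min(1.0, acceptable_ar / (ir * cr))


def classify(ir: float, cr: float, threshold: float = 0.5) -> str:
    """Map assessed IR and CR to the slide's four-case guidance on DR.

    The 50% cut-off between 'high' and 'low' is an assumption for illustration.
    """
    high_ir, high_cr = ir >= threshold, cr >= threshold
    if high_ir and high_cr:
        return "DR should be low (lots of testing)"
    if high_ir and not high_cr:
        return "DR can be higher, because controls offset high IR"
    if not high_ir and not high_cr:
        return "DR can be high"
    return "Somewhat indicative of fraud; DR should be very low"


def reassess_after_control_tests(acceptable_ar, ir, planned_cr, tested_cr):
    """Slide 10: if tests show weaker controls (CR higher), DR must be lower.

    Returns (planned DR, revised DR, whether more testing is now required).
    """
    before = planned_detection_risk(acceptable_ar, ir, planned_cr)
    after = planned_detection_risk(acceptable_ar, ir, tested_cr)
    return before, after, after < before


if __name__ == "__main__":
    # Constructed sample: 5% acceptable audit risk, IR 80%, CR assessed at 50%.
    dr = planned_detection_risk(0.05, 0.80, 0.50)
    print(f"planned DR = {dr:.3f}  ->  {classify(0.80, 0.50)}")
    # Control testing then shows weaker controls than planned (CR 50% -> 80%).
    print(reassess_after_control_tests(0.05, 0.80, 0.50, 0.80))
```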
11. Internal Control Objectives Reliability of financial statements
Efficiency and effectiveness of operations
Compliance with laws and regulations
Safeguarding of assets
12. Underlying Limitations Reasonable assurance
Cost-benefit
Inherent limitations
collusion
13. Design of ICS Preventing material misstatements
Detecting material misstatements
Preventing misappropriation
Detecting misappropriation
SarbOx: Management must assess and report on design
How are transactions initiated, authorized, recorded, processed, and reported?
Are there any weaknesses?
14. Effectiveness of ICS Is the control operating as designed?
Is the person operating the control qualified to do so effectively?
Does the person have the necessary authority?
How should management assess this?
15. Management’s Report on ICS Must describe design
Must make assertions about effectiveness
Must report material weaknesses
A single weakness prevents claim that ICS is operating effectively
Must be able to document basis for report
Auditor will provide an opinion on the report
Any weaknesses mean that auditor’s report will be adverse.
16. COSO Components of ICS Control environment
Risk assessment
Control activities
Information and communication
Monitoring
17. Control Environment Reflects management’s overall attitude toward controls
Integrity and ethical values
Commitment to competence
Audit committee / Board of Directors
Philosophy and operating style
Organizational structure
HR practices
Environment sets the stage for all the rest!
18. Risk Assessment Management’s identification of risks
Economic
Industry
Regulatory
Operating risks
Analysis and management of risks
Examples
Oil companies in the Gulf of Mexico
Smith Corona
19. Control Activities Policies and procedures to address risks
Pertains to all four other areas
Separation of duties
Proper authorization
Adequate documents and records
Physical control over assets and records
Independent checks
20. Information and Communication Initiates, records, processes, and reports
Transaction cycles
Subsidiaries and controls
Think of PERCV
21. Monitoring Need to ensure controls are working
Monitoring now more pressing because of SarbOx
Control needs change
Personnel change
Organizational structure changes
22. Documenting your understanding Narratives
Flowcharts
Pictures tell a thousand words!
Questionnaires
All "no" answers are weaknesses
Look for mitigating controls elsewhere
Be sure connections are made
Insufficient by itself
23. Reading a Flowchart Top left to bottom right
Try to keep one department or operator in one column
Decision points give alternate paths
Connectors are usually necessary
24. Common Flowchart Symbols Data enters system
Process
Document
Multiple copies
File Stored data file
Disk storage
Decision point
Connector