Title Here Challenging Risk Assessment in Planning an Audit PLANNING THE AUDIT FOR EFFECTIVENESS AND EFFICIENCY Annette Eustice CPA CGFM 2316278381 annetteeusticerehmanncom March 5 2017 ID: 602557
Download Presentation The PPT/PDF document "Insert Presentation" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Insert PresentationTitle Here
Challenging Risk Assessment in Planning an
Audit
– PLANNING THE AUDIT FOR EFFECTIVENESS AND EFFICIENCY
Annette Eustice, CPA, CGFM
231.627.8381
annette.eustice@rehmann.com
March 5, 2017Slide2
OBJECTIVERisk assessment is a key requirement in the planning phase of an audit.
The
objective of this presentation is to provide the participant with a brief overview of the risk assessment planning process of an audit, documentation requirements, and how to best plan an audit around the
conclusions developed from the risk assessment planning process. Slide3
EXAMPLES OF CHALLENGES IN RISK ASSESSMENTRisks identified - no audit response
Risks identified in planning are not considered in the risk assessment.
Fraud risks identified are not reflected in risk assessment and no audit response is prepared.Areas identified as significant in other planning are not identified as significant in the risk assessment planning.Slide4
EXAMPLES OF CHALLENGES IN RISK ASSESSMENT
Audit responses crafted to address identified risks are not reflected in the audit program.Audit procedures to be performed (added) which are documented in risk assessment are not added in the audit program (tailoring).
Low risk areas identified during risk assessment as areas being addressed using a limited approach and to be documented on a lead sheet are actually supported by a formal audit program with basic or extended procedures in the audit program.Slide5
WHAT WOULD YOU DO IF?You had unlimited time to complete an audit and the client was willing to pay you an unlimited amount to do it right?
You have a fixed fee contract of $20,000 and 100 hours to complete the engagementSlide6
WHAT IS RISK ASSESSMENT?
Audit Procedures
Concentrate audit effort in high risk areas
Inherent riskControl riskPerform less extensive procedures in low risk areas
Linkage
Risk Assessment
Obtain an understanding of the client, including internal control
Identify and assess risks of material misstatement of the financial statements
Evaluate both overall risks and risks that affect only specific assertionsSlide7
The Cycle of Risk AssessmentSlide8
Client Acceptance/Continuance
Consider:
Nature and purpose of
engagementClient’s reputation, integrity, and competenceCommunication with predecessor
Compliance with ethical requirements, including independence
Adequacy of accounting records
Firm resources and competence
Engagement economics
Other risk concerns
Slide9
Planning and Risk Assessment ProceduresSlide10
Engagement Team Discussion
Discuss the susceptibility of the financial statements to material misstatement
Consider fraud risks and risks of error
Include:Critical issues and areas of significant audit riskAreas susceptible to management override of controlsUnusual accounting practices
Important control systems
Materiality considerations
Need to exercise professional skepticism
Business risks
Fraud considerationsSlide11
Engagement Team Discussion (cont.)
Attendance:
Auditor with final responsibility
Key members of engagement teamTax PersonnelConcurring ReviewersDocument:
How the discussion occurred, the subject matter, who participated, and decisions about planned responses Slide12
MaterialityApply professional judgment
Consider decisions that users make
Use appropriate benchmarks, such as % of assets or revenueRe-evaluate materiality as the audit progresses. If lower, reconsider:
Level of performance materiality Adequacy of proceduresSlide13
MaterialityDocument:
Materiality at the financial statement level
If applicable, materiality level(s) for particular transaction classes, account balances, or disclosures
Performance materialityFactors considered in their determinationAny revisions made during the auditSlide14
Perform Risk Assessment ProceduresTwo categories of audit procedures:
Risk Assessment Procedures
Further
Audit Procedures
Both Provide Audit EvidenceSlide15
Risk Assessment ProceduresSlide16
Risk Assessment ProceduresPerformed to obtain an understanding of the entity and its environment, including internal control, for the purpose of assessing risks
All of the procedures should be performed
Inquiry alone is not sufficient to understand internal controlProvide audit evidenceSlide17
Required InquiriesInquire about:
Fraud
Related parties
Accounting estimates Compliance with laws and regulations Service organizationsSlide18
Observation and InspectionInspect documents and records
Read internal reports and minutesRead external information
Visit premises and plant facilitiesTrace transactions through the system (walkthroughs)Slide19
Analytical ProceduresPreliminary analytical procedures
Analytical procedures related to revenue required by AU-C 240To enhance understanding of the business and identify potential risk areasSlide20
Understanding the Entity and Its Environment
Perform risk assessment procedures (inquiry, analytics, observation, and inspection) to gather information about:Industry, regulatory, and other external factors
Nature of the entity
Objectives, strategies, and related business risksMeasurement and review of the entity’s financial performanceSelection and application of accounting policiesSlide21
Understanding the Entity and Its Environment
Consider the presence of fraud risk factorsUpdate information obtained in prior years by performing risk assessment procedures to determine if the information has changedSlide22
Understanding Internal Control
22Slide23
Understanding Internal ControlUnderstand design and implementation
Perform inquiry, observation, and inspectionInquiry alone is not sufficient to understand the design and implementation of controls
23Slide24
Understanding Internal ControlEvaluate the design and implementation of controls
—Related to significant risks
Related to risks that cannot be tested effectively using substantive procedures alone
Understand—How the incorrect processing of transactions is resolvedHow detail is reconciled to the general ledger for material accounts
24Slide25
Understanding Internal ControlDocument the following:
Understanding of internal control components
Sources of information
Procedures performedControls evaluated related to significant risks and risks for which substantive procedures alone are not effectiveSlide26
Understanding Internal ControlDocument the processing of transactions for each significant transaction class
Document the financial close and reporting processSlide27
Identifying Significant Transaction Classes
Transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures based on:Volume of activity
Size and composition of accounts
Types of transactionsPresence of fraud risks or other significant risksChanges from the prior periodSlide28
Understanding Significant Transaction Classes
How are transactions initiated and authorized?How are transactions recorded and processed?
How are transactions reconciled?What reports are generated and how are they used
?Slide29
Understanding Significant Transaction Classes
Consider control objectives:Completeness: All transactions are recorded
Occurrence: All recorded transactions occurred and pertain to the entity
Accuracy: Transactions are recorded in the proper amountClassification: Transactions are recorded in the proper accountCutoff: Transactions are recorded in the proper periodSlide30
Documenting Significant Transaction Classes
Narrative descriptionFocus on key controls and control objectives related to identified risks
How are control objectives achieved?What controls are in place to address significant or fraud risks?
Are controls properly designed and implemented?Slide31
Performing WalkthroughsSelect one or a few transactions
Trace from initial creation of the source document to final posting in the general ledgerInspect documents and records used in processing, make inquiries, and observe procedures being performedSlide32
Tests of ControlsPerform tests of controls if:
Relying on them to reduce the risk assessment
Substantive tests alone are not adequateInquiry alone is not sufficient for testing controls
32Slide33
Tests of ControlsRotational tests of controls are permitted:
Obtain evidence about whether the controls have changed using inquiry, observation, and inspection
If controls have changed, rotation is not appropriate
Test a control at least once every three yearsIf several controls are rotationally tested, test some controls each yearIf relying on controls for significant risks, controls must be tested in the current year
33Slide34
Retrospective Review of Accounting EstimatesPerformed to evaluate:
Effectiveness of management’s estimation process
Information relevant to current year estimates
The need for disclosureThe existence of possible management biasSlide35
Assessing Risks and Developing ResponsesSlide36
Assess Risks at the Financial Statement Level
Identify risks that are pervasive to the financial statements and potentially affect many assertionsAssess the risk of material misstatement at the financial statement level
Develop overall responses
Document the risk assessment and the responses36Slide37
Develop the Overall Audit Strategy
Characteristics of the engagement that define its scope
Reporting objectives of the engagement
Important factors that determine audit focusResources needed to perform the audit37Slide38
Factors That Determine Audit
Focus
Materiality levelsOverall risks and responses
Preliminary identification of high risk audit areasPreliminary identification of material locations and accountsWhether you plan to test controlsComposition and deployment of the audit team
38Slide39
Assess Risks at the Relevant Assertion Level
Identify risks of material misstatement (due to error or fraud) for specific—
Account balances
Transaction classesDisclosuresConsider what can go wrong at the relevant assertion level39Slide40
Assess Risks at the Relevant Assertion Level
40Slide41
Assess Risks at the Relevant Assertion Level
Assessing risks at the assertion level
Are the risks of a magnitude that could result in material misstatement?
What is the likelihood that the risks could result in material misstatement?Likelihood is a function of:Inherent riskControl risk
Need a basis for the assessment
41Slide42
Assess Risks at the Relevant Assertion Level
Identify significant risks that require special audit consideration
Fraud risksOther significant risks
Significant risks often relate to:Significant economic, accounting, or other developmentsComplex, non-routine, or judgmental mattersTransactions with related parties
42Slide43
Assess Risks at the Relevant Assertion Level
Identify risks for which substantive procedures alone are not adequateRevise the risk assessment and reconsider planned audit procedures if audit evidence contradicts the original risk assessmentSlide44
Assess Risks at the Relevant Assertion Level
Document the following:
Risk assessment at the relevant assertion level
Basis for the assessmentSignificant risksRisks for which substantive procedures alone are not adequate44Slide45
The Detailed Audit PlanThe nature, timing, and extent of further audit procedures to respond to the risk assessment (i.e., the audit program)
Provides linkage between the risk assessment and the responses at the assertion level
45Slide46
Tailoring the Audit ProgramsSlide47
Performing Further Audit
Procedures
47Slide48
Substantive ProceduresTest
all
relevant assertions for material account balances, transaction classes, and disclosures
Perform procedures specifically to address significant risks Substantive analytical procedures alone are not sufficient for significant risks48Slide49
Substantive Procedures
Perform the following substantive procedures in all audits:Agree the financial statements and notes to the accounting records
Examine material journal entries and other adjustments made when preparing the financial statements
Procedures required by AU-C 240 to address the risk of management override of controls49Slide50
IMPACT OF THE CLARITY STANDARDS (AU-C-300)Engagement partner has to be involved in the planning of the audit and must include key members of the audit team.
The auditor has to plan the nature, timing and extent of the supervision of the team and the review of its work. Planning the supervision and review wasn’t explicit before.
Auditor has to document the audit strategy and the reasons for changes in the audit strategy or audit plan.Slide51
IMPACT OF THE CLARITY STANDARDSAuditor was expected to consider all other non-audit services. Now it requires considering ONLY the engagement partner’s prior engagements for the entity.
AU-300.08Slide52
IMPACT OF THE CLARITY STANDARDSIn addition
to the features that didn’t change, the auditor is now required to specifically consider whether the control environment promotes a culture of honesty
. AU-C-315.15
Auditor has to specifically consider whether the lack of a risk assessment process is a material weakness or significant deficiency. This was implicit in SAS No. 115, but is explicit here. AU-C-315.18
The auditor
has
to specifically consider the internal audit function, if there is one,
in assessing risk
.
AU-C-315.24
Slide53
IMPACT OF THE CLARITY STANDARDSAuditor was expected to consider all other non-audit services. Now it requires considering ONLY the engagement partner’s prior engagements for the entity
. AU
314.13Audit team discussion was to include critical issues and need for skepticism. Skepticism still applies but does not required to be explicitly discussed
. AU 314.18-19Auditor had to consider the reliability and precision of information used in performance measures. AU
314.38
Auditor was required to understand reconciliation procedures for significant accounts – now only for material accounts
.
AU
314.90Slide54
IMPACT OF THE CLARITY STANDARDSThe
auditor should revise FS materiality during the audit in light of information that would have suggested a different amount if the auditor had the information when originally calculating materiality. Implied before but explicit now. AU-C-320.12
The auditor has to document separate materiality levels for transaction classes, account balances, or disclosures when he or she determines that otherwise immaterial misstatements in them would affect the decision of users
. AU-C-320.14Slide55
IMPACT OF THE CLARITY STANDARDSThe auditor should obtain more persuasive evidence the higher the risk assessment
. AU-C-330.07
When tests of controls reveal deviations, the auditor should make specific inquiries to understand the consequences of deviations and determine whether there is a basis for reliance, whether additional tests are necessary, and whether the risk of material misstatement needs to be addressed through substantive procedures
. AU-C-330.17Accounts receivable should be confirmed. This was only presumption under SAS 67. AU-C-330.20Slide56
IMPACT OF THE CLARITY STANDARDSIf unexpected misstatements are found at an interim date, the auditor should determine whether the plan should be modified
. AU-C-330.22The method of item selection should be effective to meet the purpose of the procedure
. AU-C-330.23Slide57
1. Can you use a standard audit program?An auditor can use a standard program as the core of the procedures to be applied rather than starting with a blank piece of paper. But, the programs have to be tailored to address the risks specific to the engagement. On recurring engagements, it is reasonable to use the prior year’s audit programs as a starting point and revise them for new conditions or to introduce additional efficiencies or an element of unpredictability
.Slide58
2. Who should attend a planning meeting?The standards do not specify who should attend, but some auditors recommend that, when practical, all members of the team participate in the discussion. There are advantages to this
Everyone, including the newest staff, can learn from the partner’s perspective.In many cases, the partner has the most perspective on the business.
The manager and in-charge have knowledge that the partner may not have.Each team member who participated in the prior engagement has a different perspective to bring to the table.
Even staff level people may know things, such as available reports or systems information, that more senior people may have forgotten or not be as familiar with.The standards DO state that the Partner and Key Members of the Audit Team should be involved in planning.Slide59
3. Are walkthroughs required on all controls? Every year?AU-C-315.14 says the auditor should evaluate the design of controls and determine whether they have been implemented. Implementation means that the control exists and the entity is using it. So, the auditor has to apply a procedure – a walk through – to make sure the controls that he or she understands to be in existence have been put into operation. However, AU-C315.A68 notes that assessing implementation of an ineffectively-designed control is of little use, so walkthroughs of those controls are unnecessary. Assessing effectiveness of the controls’ design before determining implementation can limit walkthroughs to only those controls that appear to be effective.
On the other hand, if controls are deemed ineffective, the auditor has to consider the ramifications in assessing risk and has to consider whether the control weaknesses have to be reported to management and those charged with governance.Slide60
4. If the entire audit is conducted by the Engagement Partner, is documentation of the engagement team discussion necessary?
AU-C230 A19 says that in such an audit, the documentation need not include items that serve solely to inform or instruct members of the engagement team or evidence review of the work. (This acknowledgement is new to SAS 122). Accordingly, the discussion does not have to be documented. But risks identified and the responses to them would still have to be documented.Slide61
5. Is the calculation of performance materiality the same as for tolerable misstatement?
There is no new requirement, merely a new term. The same factors for performance materiality
are used for tolerable misstatement.Slide62
6. Did the clarification standards raise the bar on the need to confirm accounts receivable?SAS 67 did not contain an explicit requirement to confirm accounts receivable. The standard stopped just short of a requirement; it said that unless any of three conditions are present, there is a presumption that receivables would be confirmed. The auditor could overcome this presumption, but had to document how the presumption was overcome. Under the clarified standard, it is a requirement, if the auditor does not comply, he or she has to document how, in the absence of obtaining accounts receivable confirmations, the intent of the requirement was achieved. So, while the standard technically raises the bar, it is unlikely to cause much change in practice.
Slide63
Questions?
Annette Eustice, Principal
Cheboygan Office of Rehmann231.627.8381 (work)231.290.2780 (mobile)annette.eustice@rehmann.com