Risk Assessment
The auditor is required to perform risk assessment procedures during audit planning. PCAOB Auditing Standard Identifying and Assessing Risks of Material Misstatement (AS 2110), as amended states the auditor’s responsibilities as: “The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement, whether due to error or fraud, and designing further audit procedures.”
Risks of material misstatement can arise from a variety of sources, for example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. The risk assessment procedures;
- Obtaining an understanding of the company and its environment
- Obtaining an understanding of internal control over financial reporting
- Considering information from the client acceptance and retention evaluation, audit planning activities, past audits, and other engagements performed for the company
- Performing analytical procedures and other procedures
- Conducting a discussion among engagement team members regarding the risks of material misstatement
- Inquiring of the audit committee, management, and others within the company about the risks of material misstatement
Before getting into the subject, I would like to briefly introduce a four-step tool called as Audit Risk Assessment Tool created by AICPA. This tool has been designed to provide illustrative information with respect to the subject matter covered and is recommended for use on audit engagements that are generally smaller in size and have less complex auditing and accounting issues. But, keep in mind, in applying the auditing guidance included in this Audit Risk Assessment Tool*, the auditor should, using professional judgment, assess the relevance and appropriateness of such guidance to the circumstances of the audit. And, there’s no such thing as a one-size-fits-all approach to identifying, assessing and responding to risks of material misstatement, especially when you’re auditing clients in different industries. Each industry has its own considerations when it comes to risk assessment.
Step 1—Obtain an Understanding of Your Client and Its Environment
- External Factors; consider the client’s business and other external factors that affect the client’s business, such as industry factors, the regulatory factors, technological factors and applicable financial reporting framework factor and other external factors.
- Nature of Client; consider the nature of the entity such as entity’s operation, ownership, corporate governance, availability of financing, currency revaluation and others.
- Objectives, Strategies, and Related Business Risks; consider how the entity addresses industry, regulator, and other external factors that affect it, and consider the effects of implementing a strategy, including any effects that will lead to new accounting requirements.
- Measurement and Review of Financial Performance; consider the following matters, key ratios and operating statistics, key performance indicators, employee performance measures and incentive compensation policies; trends, forecasts, budgets, variance analysis, and competitor analysis, and period-on-period financial performance (revenue growth, profitability, and leverage).
Step 2—Obtain an Understanding of Internal Control
Obtain an understanding of internal control that is sufficient to enable to (a) evaluate the design of controls that are relevant to the audit and determine whether the control, either individually or in combination, is capable of effectively preventing or detecting and correcting material misstatements and (b) determine that the control has been implemented (that is, that the control exists and that the entity is using it). A top-down approach of focusing on financial statement assertions that are material to the entity’s financial statements will help you narrow your understanding of controls that are relevant to the audit. Although the auditing standards do not require a specific internal control framework, the COSO framework is widely used by entities for designing, implementing, and conducting internal control.
- Control Environment; obtain sufficient knowledge of the control environment to understand the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in achieving reliable financial reporting.
- Control Activities; determine for all material classes of transactions, account balances, and disclosures and their relevant assertions.
- Risk Assessment, Information and Communication, and Monitoring of Controls; risk assessment, information and communication, and monitoring are components of internal control that are relevant to all organizations. Often, many smaller entities do not have well-documented controls or procedures in these three internal control components.
Step 3—Brainstorming Meeting
Step 4—Summarization of the Audit Risk Assessment
Conclusion (end of Audit Risk Assessment Tool)
Since I think the tool made by AICPA has been adequately explained in Step 1, I would like to start with step 2 and continue with this part of the article under the heading “Obtain an Understanding of Internal Control”. An auditor must obtain an understanding of the design and implementation of internal control during the planning stage of the audit. In order to comprehend the design and implementation of internal control, the auditor should understand the components of internal control through the five principles of COSO Internal Control. The COSO (Committee of Sponsoring Organization) framework is a framework for designing, implementing and evaluating internal control for organizations, providing enterprise risk management.
Control Environment
- Exercise integrity and ethical values.
- Make a commitment to competence.
- Use the board of directors and audit committee, and participation of those charged with governance
- Facilitate management’s philosophy and operating style.
- Create organizational structure.
- Issue assignment of authority and responsibility.
- Utilize human resources policies and procedures.
Risk Assessment
- Create companywide objectives.
- Incorporate process-level objectives.
- Perform risk identification and analysis.
- Manage change because risks are generally related to changes
Control Activities
- Follow policies and procedures.
- Authorization and Asset accountability
- Segregation of Duties
- Safeguarding of Assets.
Information and Communication
- Measure quality of information.
- Measure effectiveness of communication.
- Initiating, authorizing, recording, processing, and reporting entity transactions, conditions, and events
- Communicating roles and responsibilities
Monitoring
- Internal audit function
- Perform ongoing monitoring and supervising
- Conduct separate evaluations.
- Report deficiencies.
Auditor’s consideration of Internal Control
Consideration of the components of the Internal Control; internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process. According to COSO, internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. These objectives are; accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the operations. And, some circumstances will raise concerns regarding management’s operating style such as management consumed with meeting the budget, management dominated by one person, and management compensation linked to the financial performance of the business.
Identifying controls relevant to reliable financial reporting; related internal controls are grouped as preventive and detective controls that prevent, detect and correct material misstatements. Internal controls may affect the financial statements as a whole or a particular class of transactions, account balances or disclosures.
Evaluate the design and implementation of Internal Control; Management is responsible for the design, implementation, and maintenance of all internal controls, with the Board responsible for the overall oversight of the control environment. An understanding of the design and implementation of an entity’s relevant controls is required to complete the assessment of the risks of material misstatement.
Walk through tests; walkthrough test is an audit procedure that auditors use to measure a client’s internal control system and its efficiency. With a walkthrough test, auditors trace a transaction from its commencement until it enters the financial statements. This way, the auditor can understand the process behind a specific account better. This test helps auditors measure a system’s reliability. Walk-through procedures include inquiry and additional procedures such as observing, reperformancing, inspecting.
Documentation the understanding of Internal Control; the auditor must document the understating of the design and implementation of the entity’s internal controls. This documentation should include key elements of understanding each of the internal control components as well as the sources of information from which the understanding was obtained.
Consider the limitations of Internal Control; internal control provides only reasonable (not absolute) assurance that objectives will be achieved because of the three inherent limitations of internal control: management override, human error, and deliberate override of controls by the collusion of two or more people.
Effect of information technology on internal controls; an entity’s use of information technology may affect any of the five components of internal control.
