Audit Risk and Materiality

Questions and Answers

What role does the auditor's risk assessment and materiality determination primarily serve in a financial statement audit?

• To detect all fraudulent activities within the company.
• To eliminate the possibility of litigation against the auditor.
• To guide evidence gathering decisions. (correct)
• To ensure complete accuracy of financial statements.

Which type of risk is most directly associated with potential loss due to litigation or adverse publicity affecting an auditor's professional practice?

• Inherent risk
• Audit risk
• Engagement risk (correct)
• Business risk

Which type of risk is defined as the susceptibility of an assertion to material misstatement, assuming there are no related controls?

• Audit risk
• Control risk
• Detection risk
• Inherent risk (correct)

An auditor believes that a company's internal controls are properly designed and implemented. Which type of risk would this directly affect?

Control risk (C)

What is the relationship between the risk of material misstatement (RMM) and detection risk (DR)?

Inverse relationship: as RMM increases, DR decreases. (C)

An auditor plans to set a very low level of audit risk (AR). According to the audit risk model, what effect does this have on detection risk (DR), assuming other factors are constant?

DR decreases. (B)

Which component of the audit risk model can an auditor directly control?

Detection risk (D)

What is the primary purpose of determining detection risk (DR) when using the audit risk model?

To determine the extent of substantive testing needed. (D)

Which of the following statements best describes the relationship between tolerable misstatement and allowable detection risk?

As tolerable misstatement decreases, allowable detection risk decreases. (B)

What type of understanding should an auditor primarily obtain to assess the risks of material misstatement?

The company and its environment. (A)

How can identified business risks potentially impact the assessment of inherent risk for specific accounts?

Business risks can increase inherent risk if they could reasonably lead to material misstatements. (A)

A company faces new IT developments that require significant changes to its IT environment. If the newly introduced system is incompatible with the existing IT systems, what is this considered?

Business risk (A)

What is the consequence of identified business risks that lead to increased inherent risk?

It may necessitate revising the audit risk model. (B)

When is it necessary for the auditor to revise the audit risk model?

When the desired level of audit risk may not actually be achieved. (B)

What is the effect of a decrease in planned audit risk (AR) on the amount of substantive testing, all other factors being constant?

The amount of testing increases. (D)

What are the two main sources of financial statement misstatements?

Errors and fraud (B)

How does opportunity affect the assessment of fraud risk, according to the fraud triangle?

It impacts control risk, as weak controls give individuals a chance to commit fraud. (C)

According to professional standards like SAS 99, what level of assurance should auditors provide regarding financial statements?

Reasonable assurance that the financial statements are free of material misstatement whether due to error or fraud. (C)

If auditors identify fraud during an audit, under what circumstances are they REQUIRED to communicate this information to a third party?

Only when required by legal or regulatory requirements, such as in response to a subpoena. (C)

What is the ultimate goal of collecting audit evidence?

To be reasonably certain that any misstatements are less than tolerable misstatement . (A)

In data analytics, what is the purpose of 'predictive' analytics?

To forecast future outcomes or trends based on various factors. (A)

What does 'diagnostic' data analytics primarily help auditors achieve?

Gain additional insight about trends by dissecting data. (B)

In the context of audit sampling, what does sampling risk represent?

The risk that the sample chosen does not accurately reflect the population. (C)

What is the relationship between sample size and the level of confidence in audit sampling?

There is a direct relationship where a larger sample provides a higher confidence level. (D)

In audit sampling, what does a Type I error primarily affect?

Audit efficiency (D)

According to COSO, which of the following is a primary objective typically covered by a company's internal controls?

Ensuring compliance with laws and regulations (D)

In the COSO framework, what is the purpose of 'control activities'?

To mitigate risks to achieve objectives. (B)

Which type of transaction is generally considered less risky and more likely to be tested at an interim date?

Routine transactions (A)

What is the primary distinction between preventative and detective internal controls?

Preventative controls aim to stop errors before they occur, while detective controls identify errors after they have occurred. (B)

In assessing control risk, what is the initial step an auditor should take?

Develop an understanding of the client's internal controls. (C)

If the planned level of control risk (CR) is not supported by the achieved level based on tests of controls, what action should the auditor take?

Revise CR upward and planned detection risk (DR) downward to reflect increased risk. (B)

How are general IT controls typically classified?

Computer operations and security (A)

According to PCAOB standards, what should an auditor do if, in conducting an integrated audit, they identify an error during substantive testing?

Determine if the error is material, assess the related control deficiency, and evaluate the impact on both the financial statements and ICFR. (B)

According to AS#5 (or AS#2201) a 'design deficiency' is said to occur if ?

A control is not properly designed to prevent or detect misstatements. (B)

Flashcards

What is engagement risk?

Auditor's loss from professional practice stemming from litigation or adverse publicity.

What is business risk?

Risk from conditions/events that could affect a company's ability to meet objectives.

What is audit risk?

Risk of failing to modify the audit opinion when the F/S are materially misstated.

What is allowable audit risk?

Auditor's willingness to accept F/S with material misstatement after a clean opinion.

What is inherent risk?

Risk of material misstatement before considering internal controls.

What is control risk?

Risk that client's internal controls will not prevent or detect a misstatement.

What is detection risk?

Risk that auditor fails to detect a material misstatement.

Which risk can auditor control?

The auditor can control audit risk and detection risk.

What makes up RMM?

The components are inherent and control risk.

What is first step when assessing ARM?

To set the planned level of audit risk allowable.

Why determine detection risk?

To determine the amount of substantive testing necessary.

What happens with VERY LOW DR?

Allow less detection risk and perform more testing.

What's relation of RMM and DR?

As RMM increases, allowable DR has an indirect relationship.

What's relation of AR and DR?

As AR increases, planned testing increases due to lower DR.

What DIRECT relation to DR?

As TM decreases, allowable DR decreases.

Low audit risk means what?

When audit risk is very low, the amount of substantive testing would be very high.

What an auditor should know?

Understand industry, accounting principles and company objectives

Business risk impact IR?

Business risk affect accounts and assertions.

Planned AR effect increases what?

When planned AR decreases, the amount of testing INCREASES.

Testing can decrease...

As testing INCREASES, allowable DR decreases

What is an error?

Errors are unintentional misstatements

What is fraud?

Fraud is intentional misstatements

What causes mistatements?

Inaccurate data and GAAP errors causes.

Fraudulent reporting?

Fraudulent reporting seeks to deceive F/S users and it's done by management

What is asset theft?

Misappropriation is theft of assets by employees for gain.

Fraud can happen with...

The fraud requires pressure, opportunity and rationalization.

What makes IR?

Incentive, opportunity, and rationalization.

Auditor's responsibility?

Exercise due professional care, skepticism; Communicate findings.

Auditor communicate?

Communicate to management, audit committee, if its in legal matters.

What is Audit data analytics?

The science and art of analysis, modeling and visualization

What is predictive type?

Predict future outcomes from factors, such as payments.

What is Descriptive analysis type?

Past event reports that characterize what happened in the past

What are 3 Vs of Big Data?

Volume, velocity, and variety.

What is predictive data?

Apply predicted patterns to data.

Study Notes

• Audit risk and materiality are significant in evidence gathering, determining the amount of evidence to gather

Risk Types

• Engagement risk: loss/injury to professional practice from litigation/adverse publicity, not part of the Audit Risk Model (ARM)
• Business risk: conditions/events impacting meeting objectives/executing strategies, can form material misstatements
• Audit Risk: auditors not modifying the Financial Statement (F/S) audit opinion, and F/S are materially misstated
• Allowable Audit Risk: Auditor willingness to accept financial statements as materially misstated after a clean audit opinion (0.01-0.05)
• Inherent risk (IR): material misstatement exists without considering client's internal controls, not controlled by them
• Susceptibility of an assertion to material misstatement, assuming no related controls
• Material misstatement risk includes inherent risk.
• Evaluating obsolete inventory requires judgment
• Control risk (CR): Client internal controls cannot prevent/detect misstatement, considering internal controls
• Supervisors reviewing monthly bank reconciliations ensure timely preparation
• Detection risk (DR): auditor failing to detect material misstatement via sampling or non-sampling risk
• DR has an inverse relationship to Inherent Risk (IR) and Control Risk (CR)
• The higher Risk of Material Misstatement (RMM), the lower Detection Risk (testing increases)
• Direct relationship to Audit Risk (AR)
• The lower planned Audit Risk (AR), the lower Detection Risk (testing increases)
• Example: Very low Audit Risk (AR), high Inherent Risk (IR), very high Control Risk (CR) = very low Detection Risk (DR)

Sampling vs Non-Sampling Risk

• Nonsampling risk: risk of human error/audit failure
• Sampling risk: sample not representing the population
• Detection risk arises from non-sampling through mistakes in design, evidence, or conclusions.
• Detection risk arises from sampling when material misstatement is not detected.

Audit Risk Model (AR = RMM X DR)

• Risks are set by the auditor like AR is controllable, those assessed by the auditor are out of their control
• ARM includes inherent, control, detection, and audit risk
• Assessment
• Set Audit Risk (AR) level
• Assess RMM = IR + CR
• Solve the Audit Risk Model equation for Detection Risk allowable
• Auditors control audit risk (AR) and DR, but cannot control RMM (IR x CR)
• Determine the amount of substantive testing with Detection Risk (DR) level

Determining Detection Risk

• DR = AR / (IR x CR)
• DR low = AR very low-low / (IR high-very high) x (CR high)
• Purpose for solving DR when applying the audit risk model is to determine the amount of substantive testing

Relationships between Risk components and Testing

• Allowable DR has an inverse relation to RMM, RMM includes Inherent Risk (IR), and Control Risk (CR)
• Direct relation to AR
• As planned AR increases, testing increases (lower DR)
• Allowable DR has an inverse relation to substantive testing
• As allowable DR decreases, testing increases
• RMM has a direct relation to testing
• As Inherent Risk (IR) and Control Risk (CR) increases, testing increases
• Tolerable Misstatement (TM) has a direct relation to DR
• As Tolerable Misstatement (TM) decreases, allowable DR decreases
• Tolerable Misstatement (TM) has an inverse relation to testing
• As Tolerable Misstatement (TM) decreases, testing increases
• At very low audit risk, substantive testing is very high

Picture Example

• AR -> LOW, DR -> LOW, Testing -> HIGH

Auditor's Risk Assessment

• Auditors should understand the company, its environment, and factors impacting risks of material misstatement
• Relevant industry and nature of the company
• Company accounting principles and measurement of performance
• Company objectives/strategies and related business risks

Factors Driving Inherent Risk

• Complexity of accounts
• Degree of judgement
• Fraud risks
• Changes in industry/environment/business
• Business risks

Business Risk

• Risks from significant events adversely affecting a company's ability to achieve objectives/execute strategies
• Affects Inherent Risk (IR) since these risks can result in material misstatement of Financial Statements (F/S) at the assertion or account level
• Factors influencing Inherent risk (IR) must link to account/assertion level
• Identified risks can lead to increased inherent risk

Audit Risk Model Limitations

• Desired audit risk level may not be achievable
• Model does not account for auditor judgment error, preliminary risk level
• As the planned Audit Risk (AR) decreases, the amount of testing increases, and allowable Detection Risk (DR) decreases

Misstatements

• Errors are unintentional
• Intentional, fraudulent misstatements include fraudulent reporting and misappropriation of assets

Causes of Misstatements

• Inaccurate data gathering/processing
• Omission of items/disclosures
• Inaccurate application/omission of GAAP
• Accounting estimate errors/aggressiveness in management's judgments

Fraudulent vs Misappropriation

• Fraudulent aims to deceive users implemented through fake revenue
• Misappropriation is theft/misuse through stealing inventory

Fraud Triangle

• Incentive/pressure
• Opportunity
• Rationalization/attitude
• Fraud risk using this framework
• All three conditions must exist for fraud risk to be increased
• Incentive impacts Inherent Risk (IR) creating fraud based on company environment/situation
• Opportunity impacts Control Risk (CR) and weak controls create chance
• Rationalization impacts both Inherent Risk (IR) & Control Risk (CR) supporting intention, leading to undetected fraud

Auditor's Fraud Responsibility

• Auditors must provide reasonable assurance of material misstatement free financial statements via:
• Exercising care and skepticism
• Planning/performing audits for reasonable assurances
• Communicating findings to the management committee
• Absolute assurance is unattainable due to limitations, fraud characteristics, etc.

Auditor's Fraud Findings

• If fraud is identified, auditors communicate to:
• Management and audit committees
• 3rd party if required for legal or regulatory reasons, auditor succession, subpoena, or governmental assistance

Analytical Procedures

• Done to obtain, clean, transform, and to identify and communicate patterns, trends, outliers, and information to use in decision making
• Including analysis of operational, financial, and other data
• Data mining provides actionable results, repeated to search for patterns to identify anomalies

Data Analytical Types

• Predictive: Future outcomes or trends identified include analysis of cash receipts indicate previous payment history
• Prescriptive: Evaluate the course of action would lead to the best potential outcome/predictions
• Descriptive: Past event reports characterize, including account analysis
• Diagnostic: Cut of data in different ways to understand additional insight

Data Analytics in Audits

• Is essentially a form of data analytics by external auditors
• Helps auditors identify possible risk areas in the planning stage

Big Data

• Data that’s too large or complex to process using traditional methods
• 3 V's are volume, velocity, and variety

Audit Data Analytics (ADA)

• Science and art using analysis, modeling, and visualization
• Helps discover and analyze patterns, anomalies for planning/performing an audit

ADA Techniques

• Ratio: comparisons over time with bar graphs
• Sorting: nonfinancial categories with bar graph
• Trend: software trends of time with a sparkline
• Matching: matching various source; dots
• Comparisons: year over year with balances
• Forecasting: extrapolate with past patterns

Analytical Procedure Phases

• Understanding the business
• Evaluating internal controls
• Indicates possible misstatements
• Substantive analytical procedures

Interpret key Patterns Analytical procedures

• Ratio, volume, trend analysis, etc
• Financial statement fluctuations, not typical relations

Use in Risk Assessment

• In planning stage of the audit using preliminary analytical procedures required by auditing standards

Substantive Analytical Procedures

• Use more disaggregated data though isn't required by auditing standards
• Final Analytical: identify tests and procedures (required)

Interpret key financial ratios

• Liquidity measures the ability to pay short term obligations
• Quick Ratio is stricter test of liquidity with inventory
• Solvency measures the ability to survive long term
• Debt to Equity measures grow for growth
• Profitabilty measures include Efficiency and Making money measures

Understand ADA's ADA

• Data extraction reliabilty and issues
• Question of what to do interpretting all data

Auditing Standards Updates

• AICPA auditing standards Type 1 Errors
• Inefficent processes

Audit Sampling

• Differences between it and non statsical.
• Also when each is applicable

Calculation on Sample Size

• Sample error rate and extrapolate

Sampling definition

• Level of the sample and confidenced used.
• Relations and size

Type 1 and 2 erroes

• Hypothesis on balance and type of errors
• Which affects effectiveness