Materiality, Risk Assessment, and Internal Control

Questions and Answers

Which factor does NOT typically contribute to differences in risk assessment from year to year?

• Consistency of audit procedures (correct)
• Change in Laws
• Change in Business Model
• Changes across the industry

Assessing audit risk is solely mandatory under auditing standards and does not contribute to audit effectiveness or quality.

False (B)

What are the two components of audit risk?

Risk of material misstatement and detection risk

The objective of the audit is to reduce audit risk to an ______ low level.

acceptably

Match the assertion class with its explanation.

Occurrence = Transactions have occurred and pertain to the entity. Completeness = All transactions that should have been recorded are recorded. Accuracy = Amounts and data are recorded appropriately. Cut-Off = Transactions are recorded in the correct accounting period.

Auditors are required to assess the risks of material misstatement at how many levels?

Two levels (overall financial statement level and specific assertion level) (D)

Inherent risk is addressed solely at the assertion level, not at the financial statement level.

False (B)

In the audit risk model, if inherent risk and control risk are high, what happens to detection risk, and why?

Detection risk decreases because the combined level of inherent and control risk is inversely related to detection risk.

A risk-based audit (RBA) involves analyzing audit risks, setting materiality thresholds, and developing audit programs that allocate a larger portion of audit resources to ______ areas.

high-risk

Match the audit risk type with its description:

Inherent Risk = Susceptibility of an assertion to material misstatement. Control Risk = Risk that internal controls will not prevent or detect material misstatement. Detection Risk = Risk that auditor will not detect material misstatement.

According to SA 315, what is the purpose of understanding the entity and its environment?

To primarily focus on the identification and assessment of the financial statement misstatement risks. (B)

The auditor is required to evaluate all control procedures for every financial statement assertion in each account balance and transaction class.

False (B)

What are some key elements of a risk assessment phase of the audit?

Performing client acceptance or continuance procedures, Planning the overall engagement, Performing risk assessment procedures to understand the business and identify inherent and control risks

The auditor should report his audit finidings to management and those charged with ______.

governance

Match the term with its description:

Internal controls = These are policies adopted by the management of an entity to assist in achieving management's objectives. System of internal control = This is defined as the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity's objectives.

What should you consider when obtaining audit evidence about internal controls?

All of the above (D)

In an entity, the administrative and accounting controls are generally the same, because they both impact the accuracy of the financial records.

False (B)

What are the different methods available for obtaining audit evidence?

inspection, observation, or inquiry

It is necessary to establish procedures that authorizations exist by persons acting with the ______ of their authority.

scope

Match the accounting control with its description:

Adequacy of Records and Documents = This accounting control helps to ensure that transactions are executed in accordance with management's authorization. Safeguarding of Assets = This accounting control helps provides appropriate maintenance of records. Independent Checks = This accounting control involves the periodic review by independent persons of whether the control procedures are operating effetively or not.

When the auditor finds inadequacies or weaknesses with internal controls, what should he do?

All of the above (D)

The quality & effectiveness of internal controls is primarily related to the audit programme.

False (B)

What should a well-defined set of SOP's do?

Helps define role, responsibilities, process & controls.

Through IT systems improving the control environment, customer invoicing, correct rates in invoices, our credit can be ______.

monitored

Relate the description of the questionnaire's question to the meaning of the result

Are all receipts recorded promptly? = Yes: It fits in compliance with plan of good control.

What should you do when using a standardized list regarding elements of good control.

All of the above (D)

A check list is mainly designed to be questionnaired to the client, to obtain informaton.

False (B)

Whose view does the flow chart give?

bird's eye view

Internal control weaknesses are defined as absence of adequate controls on flow of transactions that increases the possiblity of ______ and frauds.

errors

In order, match the correct way you could describe COSO.

COSO = Internal Control - Integrated Framework issued by Committee of the Sponsoring Organisations of the Treadway Commission.

During the operation of his manufacturing business that sells air coniditioners, which benchmark is the audtior MOST likely to consider if the company is showing regular profits.

profit before tax / earnings. (C)

Total cost has nothing to do with the benchmark. Expenditures would make a better fit for calculating performance under the company.

False (B)

If an auditor is checking defalcation, what can internal controls prevent?

defalcation to 75%

The auditors are required to to specify an ______ system towards collection of money.

adequate

Match the definition with the financial instrument.

Audit Risk = a risk that Auditor will issue an inappropriate opinion while Financial Statements are materially misstated Risk of material Misstatement = anticipated risk that a material Misstatement may exist in Financial Statement before start of the Audit.

In BSF Limited, which is true of the sales ledger?

An officer was handling the sales ledger and cash receipts. (B)

Revising the control risk is unlikely, and cannot result in modification in nature, timing and extent of planned substantive procedures.

False (B)

Why should the auditor be concerned by substantial donations in the current year from a not for profit?

Since NGO has received substantial donations in current year and its activities were on a relatively small scale during last year, formal controls may not be in place. Lack of formal controls may lead to non-compliance with laws.

Flashcards

What is Audit Risk?

The risk of expressing an inappropriate audit opinion on financial statements that are materially misstated.

Auditor's Actions on Risk

The auditor identifies assertions where are risks of material misstatement and concentrates audit procedures on those areas.

What is Control Risk?

Risk that the entity's internal control system will not prevent, or detect and correct on a timely basis, a misstatement.

What is Inherent Risk?

Susceptibility of an assertion to a misstatement that could be material, individually or when aggregated with other misstatements

What is Detection Risk?

Risk that the auditor will not detect a misstatement that exists in an assertion.

What is Internal Control?

SA 315 defines this as a process designed to provide reasonable assurance about the achievement of an entity's objectives.

Nature of Internal Control

A set of internally generated policies and procedures adopted by the management of an enterprise as a prerequisite for an organisations efficient and effective performance

What is Risk Assessment?

Assesses the level of risk in various business processes.

Review of internal control allows auditor to formulate his opinion

To formulate his opinion as to the reliance he may place on the system itself whether the system is such as would enable the management to produce a true and fair set of financial statements

Reporting to Clients

Auditor should communicate material weaknesses to the management or the audit committee, if any, on a timely basis.

Standard Operating Procedures

A well defined set of SOP helps define role, responsibilities, process & controls & thus helps clearly communicate the operating controls to all touch points of a process.

What is Enterprise Risk Management?

Helps to identify & mitigate risks across the enterprise & its periodical review will assist in early identification of gaps & taking effective control measures.

segregation of Job Responsibilities

Is a key element of control is that multiple activities in a transaction/decision should not be concentrated with one individual.

IT based Controls

With the advent of computers & enterprise resource planning (ERP) systems, it is much easier to embed controls through the system instead of being human dependent.

Flow Chart

Is a graphic presentation of internal controls in the organisation and is normally drawn up to show the controls in each section or sub-section.

What is Segregation of duties?

In order to achieve the objectives of internal controls, it is necessary to establish adequate control policies and procedures. Transaction processing are allocated to different persons.

Actions to address Specific Risks

Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations

Risk Assessment

The entity should identify and assess its business and other risks (such as fraud) and respond. by designing and implementing a system of internal control.

Authorization of Transaction

Delegation of authority to different levels and to particular persons are required to establish by the management for controlling the execution of transaction in accordance with prescribed conditions

Objective of Audit

The objective of the audit is to reduce this audit risk to an acceptably low level. This may be achieved by performing procedures that respond to the assessed risks at the financial statement, class of transactions, account balance and assertion levels.

Design and Implementation

Evaluate the design and implementation of internal controls and then perform tests of control to ensure that the controls operate effectively.

Information processing

The two broad groupings of information systems control activities are application controls and general IT-controls

COBIT Framework

COBIT standards for Control Objectives for Information and Related Technology

What is the objective of the internal check system?

To detect error and frauds with ease.

Internal Check System

The system provides existence of checks on the day-to-day transactions which operate continuously. as part of the routine system.

Detection Risk

It Is a risk that a material misstatement remained undetected even if all audit procedures applied.

Study Notes

• Materiality, Risk Assessment, and Internal Control are fundamental aspects of auditing and financial management.

Learning Outcomes

• Understand risk-based audits, internal controls, and risk assessment.
• Identify audit risk and internal control components.
• Review internal control systems.
• Understand the nature, scope, objectives, and structure of internal control systems.
• Report internal control weaknesses to clients.
• Framework for reporting on internal control.
• Practical application of concepts through examples and case studies.

Chapter Overview

• Reporting to clients on internal control weaknesses.
• Audit risk and risk-based audits.
• Internal control system's nature, scope, objectives, and structure.
• Components of internal control.
• Evaluation of internal control systems.
• The process of evaluating internal control systems.
• Internal control and risk assessment.

Materiality and Risk Assessment

• Auditors identify areas prone to misstatements by understanding a company and its internal controls.
• Risk assessment changes due to law changes, business models, or industry shifts, differing from prior years.
• Grasping a company's business risks and strategies impacts audit risk; established risk management plans boost auditor confidence.
• Evaluating company controls pinpoints deficiencies and missing controls.
• Ineffective or absent controls raise the risk of material misstatement, increasing control risk.
• Auditors use risk assessment like inquiries, inspections, and observations to grasp material misstatement risks for an effective audit.
• Auditors communicate internal control deficiencies to management and governance, prompting corrective actions.
• Such communication can serve as auditor's defense by showing preemptive action.
• SA 320 guides auditors in applying materiality when planning, performing audits, and assessing misstatement effects on financial statements and auditor's opinion.
• Throughout the audit, materiality and audit risk are weighed, particularly when spotting and assessing material misstatement risks and determining audit procedure specifics.

Identification of Risks

• Risk assessment gauges risk in various business processes, focusing on business/regulatory environments, organization structure and management concerns to find high-risk areas.
• Auditors address Areas required for Entity Understanding and identify, list events (identified risks) that could result misstatements in financials:
• External Factors
• Nature of Entity
• Entity Objectives & Strategies
• Measurement/review of Financial Performance
• Audit risk means misrepresenting financial statements.
• Audit risk comprises Inherent Risk, Control Risk, and Detection Risk.

Audit Risk Components

• Inherent Risk: Susceptibility of misstatement.
  • Business-related risks affect accountbalance.
  • Complex calculations can be misstated.
  • High-value inventory.
  • Accounting estimates.
  • Insufficient working capital.
  • Technology changes make product obsolete.
• Risks of importance:
  • Complex calculations.
  • High-value inventory.
  • Accounting estimates.
  • Insufficient working capital.
  • Declining or volatile industries.
  • Technological changes.
• Control Risk: Internal control system to prevent errors.
  • Response design mitigates fraud.
  • Entity-level controls impact assertions.
  • Some risk persists despite controls.
• Audit identifies assertions.
  • Auditor should identify material misstatement for procedures and evaluations.
  • Auditors select appropriate procedures and consider misinterpreting info.
• Audit Risk Components Interrelate:
  • Low Risk
  • Moderate Risk
  • High Risk
• Misstatements in financials

Audit Risk Analysis

• Audit Risk (AR) mathematically equals Inherent Risk (IR) x Control Risk (CR) x Detection Risk (DR). i.e. AR = IR x CR x DR.
• Audit Risk has 2 components:
  • Risk of material misstatement -The financial statements contain a material misstatement prior to the audit.
  • Detection risk
    • The auditor will not be able to detect such a misstatement.
• Risk of material misstatement is anticipated ahead of the audit.
• Has two Risk components: Inherent risk and control risk
  • Risk of material Misstatement = Inherent risk X Control risk
• Detection risk: Remaining undetected even if all audit procedures are applied.
• Combined Inherent Risk/Control Risk in Detection Risk.
• Audit Materiality (inverse) related to Audit Risk.
• To reduce audit risk to an acceptable level to state:
  • Assess the risks of material misstatement
  • Limit the detection risk

Assertions

• Auditors assess material misstatement risks in two levels:
  • Risks relate to financial statements, potentially affecting assertions.
• Risks with specific assertions.
• An assessment of risk should be produced to high, moderate, or low.
• Different areas to address are:
  • Occurrence
    • Have been recorded
  • Completeness
    • Should have been recorded
  • Accuracy -Amount that has been appropriated recorded
  • Cut-off
    • Transactions recorded in the correct accounting period.
  • Classification
    • Transactions recorded in proper accounts

Steps for Risk Identification

• significance assessed and materiality revised for specific account balances.
• Likelihood and impact on auditing procedures are determined.
• Assertions documentation.
• Risk impact.
• Significant risks get auditor attention.
• Planned audit procedures.
• The nature of internal controls.
• Routine or periodic controls.
• Error prevention controls.
• Unique risk characteristics.
• Characteristics in transactions.
• Could involve:
  • high value inventory
  • complex contractual agreements
  • customer sales percentage.

Risk-Based Audit Approach

• Risk-based audits addresses audited entity's achievement.
• RBA analyzes audit risks, sets materiality, develops programs that allocate resources to high-risk areas.
• Auditors focus audit procedures on major risks that misstate financial statements.
• Financial audits include assessing misstatement risks.
• Audits helps improve auditee's risk management.
• In performance audits, risks relate to program effectiveness.

Audit Risk Analysis

• Auditors analyze risks impacting auditee before procedures.
• Risk assessment is subjective, based on auditor's judgment.
• Auditors should know whether their opinion fails to appropriately modify statements.

Risks

Include risks about error and fraud

• Error
  • unintentional mistake.
  • legitimate being excluded
• Fraud
  • Users concealing misappropriations.

General Steps

Steps involving risk by following:

• Assessing misstatement risks in financials.
• Designing audit procedures that respond to risks
• Issuing audit report.

Phases

• Risk assessment for client (acceptance/continuance, engagement planning, understanding business, internal controls, assessing risks)
• Risk response with procedure design & evidence collection.
• Reporting and conclusions.

Risk Assessment & Response

Include the following steps taken:

• Acceptance.
• Planning.
• Risk assessment.
• Internal controls.
• Financial misstatements.
• Audit consideration.
• Communicating.
• Informed risk assessment.

Plan

Includes considering considerations:

• No manual intervention.
• Assess control.
• Analytical procedures.
• Risks for management
• Fraud Scenarios
• Identified “significant risks”.

Reporting Phase

The final phase of the audit and is assess what was sufficient to give the most benefit to reduce audit risk. Important determination to consider is:

• Change in assessed the risk level
• Work is always appropriate and followed accordingly
• Suspicious will always be encounter.

The following will also determine

• More assessment can be set appropriately
• Auditors will provide what is required and provide an opinion correctly

Nature, Scope, Objectives and Structure of the Internal Control

• Internal controls gives assurance.
• SA 315 sees the process.

Objectives and compliance

• Set of financials in a true and fair is to check with framework.
• Auditors must gain an understanding.
• The auditor is to obtain evidence
• Auditor should make inquires on several factor.
• The auditor are to consider different control
• Based on set control is determined appropriately.

Components of internal control

• Control environment
• Risk assessment
• Control activities
• Communication
• Monitoring

Control environment encompasses

• Integrity ethical values
• Task and competencies
• Governance consciousness
• Operating style
• Organizational key
• Communication

Objectives related to the effectiveness and efficiency:

• Financial performance and safe guarding assets.
• Reporting
• Established by regulations.

Internal Controls:

• A system
• Accurate recording
• Protected from unorganized use
• Verified appropriate action would be used.

Limitation of Internal Control:

The system must have considerations:

• Costs must expect benefit
• A variety due to error is of human nature and how it acts.
• Through parties to the entity
• The entity will cause any harm.

Structure of Internal Control:

• Segregation is when processing can complete transactions with the completion.
• This will prevent:
• Undetected for too long.
• vested interest from by holding positions for too long
• This also means people understand the data.

Components to be considered of Internal Control to include the follows:

• Control environments.
• Entity's Risk assessment Process.
• Control activities
  • information.
  • responsibility
• Monitoring

Internal Control in nature

• The auditor might obtain audit evidence about the proper segregation of duties.

Internal Control System

It must have the aspects of:

• Clear and well designed and in order.
• To detect easy errors
  • Staff work is with an organization -The integrity, scrutiny is check.
• Also avoid the process with the company’s cash.

The auditors will check for different things:

-Financial and administrative is to be correctly distributed

• Check account is very accurate.

Internal audits

• It will the scope is set by the management system
• The company must reflect the process
• By what they act and plan.

system

• Designed to check errors is to effectively or not
• With these action in control:
  • Procedures is to work
• Assess performance and monitor.

System is to be as the follows

• That needs to address
• Need that includes test to mitigate or add to acceptable low level
• And a audit report by findings.

Effectiveness will fall depending

• By what and consistency
• With internal controls
• How has the system done.

Review of the System of Internal Controls

The steps are:

• Opinion is what can be put for reliance. -The nature, timing and extent must adjust.

Assessment Evaluation

For more assessment on key note see:

• Well communication.
• Risk can be reduced. -The duties of the job and what must occur.
• A buyer won’t receive or pass items.

Techniques Evaluation

• The goal and the questions are needed to get better
• However it can be hard
• For the client there can be many questions on their own.

Standard Controls in place;

• All procedures must work
• It is important on a team as one self.
• No sole person one the position and for completing by them self
• Always know if authorize as one as the position
• Work is always looked and will work fine.

Chart Flow:

• In sections or different types to see the overall.
• To analyze what they should know
• What will the process steps be taken
• To make an chart:
• See what's need and make by sections
• Know were it has come from and what can be seen.

Reporting to Clients on Internal Control Weaknesses;

• Auditors note material internal control weaknesses that increase fraud possibilities in financials. Letter components will:
• List in detail where the weaknesses affect the system
• Clearly state discuss management.
• What the auditor should not assume or try.

The auditor must communicate;

• To also write letters To look for defects.