Risk Assessment Procedures and Internal Controls
AU 315 Focuses
1. Risk assessment procedures; 2. Understanding the entity and its environment, including its internal control; 3. Assessing the risks of material misstatement; and 4. Documentation.
Risk Assessment Procedures Purpose
Auditor should perform "risk assessment procedures" to obtain an understanding of the entity and its environment, including its internal control (the nature, timing, and extent of the risk assessment procedures vary with the engagement's circumstances, such as the entity's size and complexity and the auditor's experience with it).
Inherent Limitations of Internal Control
Internal control provides reasonable, not absolute, assurance about achieving the entity's objectives. Internal control may be ineffective owing to human failures (mistakes and misunderstandings) and controls may be circumvented by collusion or management override of controls. The cost of an internal control procedure should not exceed the benefit expected to be derived from it.
Internal Control Components - Control environment
Procedures that determine the overall control consciousness of the entity, sometimes called "the tone at the top." Communication and enforcement of integrity and ethical values; Commitment to competence; Participation of those charged with governance (including their interaction with internal and external auditors); Management's philosophy and operating style; The entity's organizational structure; The entity's assignment of authority and responsibility (including internal reporting relationships); and Human resource policies and practices.
Discussion among audit team members - Key members should be involved in the discussion
Professional judgment is required to determine who should be included in that discussion. (For a multilocation audit, there may be multiple discussions for key members at each major location.)
Discussion among audit team members - The discussion should include "critical issues"
Such matters include the areas of significant audit risk, the potential for management override of controls; important controls; materiality at the financial statement level and the relevant assertion level; etc.
Risk Assessment Procedures - Discussion among audit team members
The audit team should discuss the susceptibility of the entity's financial statements to material misstatements. Key members should be involved in the discussion -- but professional judgment is required to determine who should be included in that discussion. (For a multilocation audit, there may be multiple discussions for key members at each major location.)
Can there be an audit without any substantive testing?
The auditor must perform substantive tests to some degree for all significant audit areas - cannot assess control risk so low that substantive testing is omitted entirely!
Understanding the Entity and Its Environment - Objectives and strategies
The auditor should obtain an understanding of the entity's objectives and strategies, including any related business risks that may cause material misstatement of the financial statements. Strategies are operational approaches by which management intends to achieve its objectives. Business risks result from circumstances that could adversely affect the entity's ability to achieve its objectives. (Note that the auditor does not have a responsibility to identify all business risks.)
Understanding the Entity and Its Environment - Measurement and review of the entity's financial performance
The auditor should obtain an understanding of the entity's performance measures (and their review). These indicate aspects of the entity's performance that management considers important, which may help the auditor to understand whether such pressures increase the risks of material misstatement.
Risk Assessment Procedures - Inquiries of management and others
The auditor should obtain information from inquiries made of management and others, including internal auditors, production and marketing personnel, those charged with governance, and outsiders (such as external legal counsel or valuation experts used by the entity).
Understanding the Entity and Its Environment - Obtain a sufficient understanding of internal control
The auditor should perform risk assessment procedures to evaluate the design of controls relevant to the audit to identify types of potential misstatements. Note that inquiry alone is not sufficient to evaluate the design and implementation of a control. Consider factors that affect the risks of material misstatement; and design the tests of controls, if applicable, and the substantive procedures that are appropriate in the circumstances.
Risk Assessment Procedures - Review information
The auditor should review information about the entity and its environment obtained in prior periods. The auditor should consider whether changes may have affected the relevance of that information (perhaps by making inquiries or performing a walkthrough of transactions through the entity's systems).
Risk Assessment Procedures - Analytical procedures
The auditor's analytical procedures performed in planning may assist the auditor in understanding the entity and its environment and identify specific risks relevant to the audit.
Risk Assessment Procedures - Observation and inspection
The auditor's risk assessment procedures should include observation of entity operations, inspection of documents (e.g., internal control manuals), reading reports prepared by management and those charged with governance (e.g., minutes of meetings), and visits to the entity's facilities.
Internal Control Components - Risk assessment
The policies and procedures involving the identification, prioritization, and analysis of relevant risks as a basis for managing those risks. Inquiring about business risks that management has identified relevant to financial reporting and considering their implications to the financial statements; Considering how management identified (and decided how to manage) business risks relevant to financial reporting; and Considering the implications to the risk assessment process when the auditor identifies business risks that management failed to identify.
Internal Control Components - Monitoring
The policies and procedures involving the ongoing assessment of the quality of internal control effectiveness over time. The auditor should obtain an understanding of the sources of the information related to the entity's monitoring activities and the basis upon which management considers the information to be reliable.
Internal Control Components - Information and communication systems
The policies and procedures related to the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Sufficient knowledge to understand the classes of transactions that are significant to the financial statements and the procedures and relevant documents related to financial reporting; An understanding of how incorrect processing of transactions is resolved; An understanding of the automated (IT) and manual procedures used to prepare the financial statements and how misstatements may occur; An understanding of how transactions originate with the entity's business processes; and Sufficient knowledge to understand how the entity communicates financial reporting roles and responsibilities.
Internal Control Components - Control activities
The policies and procedures that help ensure that management directives are carried out, especially those related to a. Authorization, b. Segregation of duties, c. Performance reviews, d. Information processing, and e. Physical controls. Obtaining an understanding of how IT affects control activities relevant to planning the audit (especially with respect to "application controls" and "general controls"); and Considering whether the entity has established effective controls related to IT (especially with respect to maintaining the integrity of information and the security of data).
Discussion among audit team members -
The purpose of the discussion is for members of the audit team to understand the potential for material misstatements of the financial statements (due to error or fraud) in specific areas assigned to them and how their work may affect other parts of the audit.
Understanding the Entity and Its Environment - Industry, regulatory, and other external factors
There may be specific risks of material misstatement due to the nature of the business, the degree of regulation or other economic, technical, and competitive issues.
AU 315 - "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement."
This pronouncement states that the auditor's objective is to "identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including its internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement."
Understanding the Entity and Its Environment - Nature of the entity
This refers to the entity's operations, ownership, governance, financing, etc. (Understanding these considerations may help the auditor understand the classes of transactions, account balances, and disclosures that are relevant to the financial statements.)