CPA Review A-3: Planning and Risk Assessment
Prenumbering of Documents
1. All transactions are recorded (completeness) 2. No transactions are recorded more than once (existence)
Timely and Appropriate Performance Reviews
1. Comparison of actual performance to budgets, forecasts, and prior periods 2. Comparison of financial and nonfinancial information 3. Review and evaluation of functions or activities
Components of Internal Control - CRIME
1. Control environment 2. Risk assessments 3. Information and communication systems 4. Monitoring 5. Existing control activities
Audit Procedure in the Planning stage: Fraud Risk Assessment- DOAEMD
1. Discuss fraud risk with engagement personnel 2. Obtain information to identify specific fraud risks 3. Assess fraud risk and develop an appropriate response 4. Evaluate audit evidence regarding fraud 5. Make appropriate communications about fraud 6. Document the auditor's consideration of fraud
Analytical Procedure: Purpose
1. Enhance the auditor's understanding of the client's business and of transactions and events that have occurred since the last audit date 2. Identify unusual transactions and events, and amounts, ratios, or trends that might be significant to the financial statements and may represent specific risks relevant to the audit
Pre-acceptance activities: Assess the Auditability of the Client
1. Evaluate management's integrity 2. Consider the availability and adequacy of the client's accounting records 3. Determine whether the audit firm is capable of performing the audit 4. Consider whether an audit is the most appropriate form of engagement
Documentations
1. Flowchart 2. Internal Control Questionnaire or Checklist 3. Narrative 4. Decision Table
Types of Fraud
1. Fraudulent Financial Reporting 2. Misappropriation of Assets
Planned Further Audit Procedures
1. Further audit procedures are applied at the relevant assertion level or each material account balance, transaction class, and disclosure item 2. May include tests of operating effectiveness of controls, and should also include the nature, extent, and timing of planned substantive procedures
Presumption of Risk
1. Improper revenue recognition 2. Management override of controls
Fraud Risk Factors
1. Incentives/Pressure 2. Opportunity 3. Rationalization/Attitude
Pre-acceptance activities
1. Make inquiries of the predecessor auditor 2. Assess the auditability of the client 3. Assess the client's business risk and CPA business risk 4. Evaluate compliance with ethical requirements.
Planning Phase of the Audit
1. Obtain a sufficient understanding of the entity and its environment, including its internal control 2. Obtain knowledge of the client's industry and business 3. Perform analytical procedures 4. Develop an overall audit strategy, and develop and document a written audit plan 5. Consider materiality and audit risk so that an overall low level of audit risk is attained
Risk Assessment - Audit Steps
1. Obtain an understanding of the entity and its environment, including its internal control 2. Assess the risk of material misstatement 3. Respond to the assessed level of risk by designing further audit procedures based on this assessment 4. Test internal controls to evaluate their operating effectiveness 5. Perform substantive tests 6. Evaluate the sufficiency and appropriateness of audit evidence obtained
Engagement Letter- Format
1. Overall audit strategy 2. Arrangements involving the conduct of the engagement, such as timing, client assistance, and availability of documents 3. The involvement, if applicable, of specialists, internal auditors, and predecessor auditor 4. Arrangements regarding fees and billing 5. Any limitation or other arrangements regarding the liability of the auditor or client 6. Conditions under which access to the audit documentation may be granted to others 7. Additional services to be provided relating to regulatory requirements 8. Arrangements regarding other services to be provided in connection with the engagement, or particular audit procedures requested by the client.
Control Activities - PAIDTIPS
1. Prenumbering of documents 2. Authorization of Transactions 3. Independent checks to maintain asset accountability 4. Documentation 5. Timely and appropriate performance reviews 6. Information processing control 7. Physical controls for safeguarding assets 8. Segregation of duties
Entity Objectives
1. Reliability of financial reporting 2. Effectiveness and efficiency of operations 3. Compliance with applicable laws and regulations
Audit Procedures
1. Risk Assessment Procedures 2. Tests of Controls 3. Substantive Procedures
Types of Substantive Procedures
1. Tests of details applied to transaction classes, account balances, and disclosure 2. Substantive analytical procedure
Materiality: Preliminary Judgement
1. The auditor uses financial statements as adjusted for relevant changes that have occurred, to set a preliminary measure of materiality 2. Tolerable error, as determined for specific account balances, transaction classes, or disclosure items, is typically lower than overall financial statements materiality limit 3. The auditor should use the smallest level of misstatement that could be material to any one of the financial statements 4. The auditor should consider whether the audit plan needs to be modified in response to any change in the assessment of materiality, and should not assume that a misstatement is an isolated occurrence
Attributes of Risk
1. Type of risk: Does it involve fraudulent financial reporting or misappropriation of assets? 2. Significance of the risk: Can it lead to a material misstatement? 3. Likelihood of the risk: How likely is this to happen? 4. Pervasiveness of the risk: Does it affect the financial statements as a whole or only specific accounts, transactions, or assertions?
Planned Risk Assessment Procedures
1. Used to assess the risk of material misstatement 2. The results of risk assessment procedures will affect whether and to what extent further audit procedures are necessary
Opportunity
A lack of effective controls
Information and Communication System
A means of recording transactions and communicating responsibilities
Incentive/Pressure
A reason to commit fraud
Financial Statement Assertions: Account Balances - Completeness
All assets, liabilities, and equity interests that should have been recorded have been recorded.
Financial Statement Assertions: Presentation and Disclosure - Completeness
All disclosures that should have been included in the financial statements have been included.
Financial Statement Assertions: Transaction and Events - Completeness
All transactions and events that should have been recorded have been recorded
Financial Statement Assertions: Transaction and Events - Accuracy
Amounts and other data relating to recorded transactions and events have been recorded appropriately.
Rationalization/Attitude
An attempt to justify fraudulent behavior
Monitoring
Assessment of internal control performance over time
Financial Statement Assertions: Account Balances - Allocation and Valuation
Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.
Financial Statement Assertions: Account Balances - Existence
Assets, liabilities, and equity interests exist.
Audit Risk & Materiality: Financial Statement Level
At the financial statement level, the auditor should consider risks that have a pervasive effect on the financial statements, potentially affecting many relevant assertions. Audit risk at the financial statement level often relates to the entity's control environment. Used to 1. Design risk assessment procedures 2. Identify and assess risk 3. Design further audit procedures 4. Evaluate financial statements taken as a whole
Audit Risk Model
Audit risk is comprised of the risk that the financial statements are materially misstated (risk of material misstatement, or "RMM") and the risk that the auditor will not detect such misstatements (detection risk, or "DR")
Authorization of Transactions
Authorization should occur before commitment of resources
Financial Statement Assertions
CPA CO CARE CURV
RMM
Can be subdivided into inherent risk ("IR") and control risk ("CR").
Substantive Test, if DR increases
Change the extent of substantive test (use a larger sample size)
Substantive Test, if DR increases
Change the timing of substantive tests (perform substantive tests at year-end rather than at interim)
Analytical Procedure During Planning
Consist of review of data aggregated at a high level, such as comparing financial statements to budgeted or anticipated results. Relevant nonfinancial data may also be considered.
Internal Control Questionnaires
Consists of a list of questions to be answered by "Yes" or "No" response
Existing Control Activities
Control policies and procedures
Analysts
Determine what is needed and design the overall system, while programmers do the detailed work to make it happen
Programmers
Develop and write computer programs. They are responsible for debugging programs and writing run manuals
RMM & Substantive Testing
Direct relationship. Greater risk requires more persuasive evidence, a larger sample size, and a shift from interim to year-end testing.
Financial Statement Assertions: Presentation and Disclosure - Rights and Obligations, and Occurrence
Disclosed events and transactions have occurred and pertain to the entity.
Analytical Procedures
Evaluations of financial information made by a study of plausible relationships among both financial and nonfinancial data. Used for planning the nature, extent, and timing of other auditing procedures (mandatory), as substantive tests to obtain audit evidence (optional), and as an overall review in the final review stage of the audit (mandatory).
IR & CR
Exist independently of the audit, and the auditor generally cannot change these risks. The auditor can change his or her assessment of this risk.
Financial Statement Assertions: Presentation and Disclosure - Valuation and Accuracy
Financial and other information are disclosed fairly and at appropriate amounts.
Financial Statement Assertions: Presentation and Disclosure - Understandability and Classification
Financial information is appropriately presented and described and disclosures are clearly expressed.
Decision Trees or Tables
Graphic illustrations that depict the logic of an operation or process. Generally employ questions with "Yes" or "No" answers, which direct the user to the next relevant questions.
Substantive Test, if DR increases
If the acceptable level of DR decreases, the auditor may change the nature of substantive tests from a less effective to a more effective procedure (direct tests toward independent parties outside the entity rather than toward parties or documentation inside the entity)
Significant Fraud Risk
In cases where a significant fraud risk exists, it may not be practicable or possible to design audit procedures that sufficiently address the risks. In such cases, the auditor may consider withdrawing from the engagement.
Independent Checks to Maintain Asset Accountability
Independent checks involve the verification of work previously performed by others: 1. Review of bank reconciliation 2. Comparison of subsidiary records to control accounts 3. Comparison of physical counts of inventory to perpetual records
Information Processing Control
Information processing general and application controls ensure that transactions are valid, properly authorized, and completely and accurately recorded.
How to Test Controls
Inquiries, Inspection, Observation, and Reperformance
Fraud
Intentional action that results in misstatements of the financial statements
Segregation of Duties - ARC
Involves ensuring that individuals do not perform incompatible duties. Authorizing, recording, custody
Fraudulent Financial Reporting
Involves intentional misstatements or omissions of amounts or disclosures in the financial statements, designed to deceive financial statement users.
Physical Controls for Safeguarding Assets
Involves security devices and limited access to programs and to restricted areas, including computer facilities
Librarian
Keeps track of program and file use, maintains storage of all data and backups, and controls access to programs
Audit Plan
List of procedures to be performed. Must be in writing, and should include the nature, extent, and timing of risk assessment procedures, planned further audit procedures, and other required procedures.
Audit Plan
Listing of audit procedures that the auditor believes are necessary to accomplish the objectives of the audit. Should set out procedures in reasonable detail, specifying the nature, extent, and timing of the work to be performed, and including a reference to the assertion under consideration.
Risk Assessment
Management's identification of risk
Likely Misstatements
Misstatements that the auditor considers likely to exist either due to differences between auditor and management judgments regarding estimates or based on extrapolation from audit evidence
Test of Details
More appropriate when obtaining evidence regarding the existence and valuation of account balance
Substantive Analytical Procedure
Often used when there is a large volume of predictable transactions.
Operators
Operators convert data into machine readable form during the input state.
Internal Control
Process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of the entity's objectives.
Audit Requirements: Planning Stage
Professional Skepticism - The auditor should maintain an attitude of professional skepticism, which includes a questioning mind and a critical assessment of audit evidence.
Documentation
Provides evidence of the underlying transactions and is a basis for establishing responsibility for the execution and recording of transactions.
Control Group
Responsible for internal control within the IT department itself. This group maintains an error log in which they keep track of errors, and they assume responsibility for determining the cause and developing an appropriate resolution
Misstatements
Result from errors, which are unintentional, or fraud, which is intentional
Risk Assessment Purpose
Serves as evidence to support the auditor's risk assessment, which in turn, is used to determine the nature, extent, and timing of further audit procedures.
Audit Plan
Should be designed so that the audit evidence gathered will support the auditor's conclusion.
Known Misstatements
Specific misstatements identified during the audit
Flowchart
Symbolic diagram representing the sequential flow of authority, processes, and documents. More appropriate for documenting complex structures.
Test of Controls
Tests of controls are performed when the auditor's risk assessment is based on the assumption that controls are operating effectively or when substantive procedures alone are insufficient.
Materiality
The amount of error or omission that would affect the judgment of a reasonable person.
The Auditor Can Change Detection Risk
The auditor can change the level of detection risk by varying the nature, extent, and timing of audit procedures. For example, as the acceptable level of detection risk decreases, the assurance provided from substantive procedures should increase.
Risk of Material Misstatement (RMM)
The auditor makes an assessment of the risk of material misstatement by performing risk assessment procedures, and where applicable, tests of controls.
Weak Control Environment
The auditor may perform more substantive procedures as of the balance sheet date rather than at interim; may modify the nature of tests to obtain more persuasive evidence; or may increase the extent of testing (include more items, locations, etc.)
Strong Control Environment
The auditor may perform tests at an interim date rather than at the balance sheet date; may use tests that provide somewhat less persuasive evidence; or may reduce the extent of testing
Engagement Letter
The auditor must establish an understanding with the client regarding the service to be performed.
Financial Statement Assertions: Account Balances - Rights and Obligations
The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
Planning phase
The objective is the development of an overall strategy for the audit, including its conduct, organization, and staffing. The nature, extent, and timing of planning procedures will vary based on the size and complexity of the entity, and on the auditor's experience with and understanding of the entity.
Control Environment
The overall tone of the organization
Audit Risk & Materiality: Inverse Relationship
The risk of a very large misstatement may be low, whereas the risk of a small misstatement may be high. The more material a misstatement is, the less likely it is that the auditor will miss it. As materiality decreases, audit risk increases.
Control Risk
The risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected on a timely basis by the entity's internal control. Control risk is a function of the effectiveness of the design and operation of internal control.
Client's Business Risk
The risk that events may occur that will negatively impact the company.
CPA's Business Risk
The risk that the engagement will not prove to be profitable, and is also considered in determining whether or not to accept an engagement.
Audit Risk
The risk that the auditor may unknowingly fail to modify appropriately the opinion on financial statements that are materially misstated.
Detection Risk ("DR")
The risk that the auditor will not detect a misstatement that exists in a relevant assertion. Detection risk is a function of the effectiveness of audit procedures and of the manner in which they are applied.
Inherent Risk
The susceptibility of a relevant assertion to a material misstatement, assuming there are no related controls. For example, assertions involving complex calculations, amounts derived from estimates, cash, technological developments that render a product obsolete, a lack of working capital, or a decline in the overall industry have higher inherent risk.
Management's Responsibility
To design and implement programs and controls to prevent, deter, and detect fraud.
Auditor's Responsibility
To plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud. As part of audit planning, the auditor must assess the risk of material misstatement of the financial statement due to fraud, and should consider this assessment in designing the audit procedures to be performed.
Financial Statement Assertions: Transaction and Events - Proper Period Cutoff
Transactions and events have been recorded in the correct (proper) accounting period.
Financial Statement Assertions: Transaction and Events - Classification
Transactions and events have been recorded in the proper accounts.
Financial Statement Assertions: Transaction and Events - Occurrence
Transactions and events that have been recorded have occurred and pertain to the entity.
Errors
Unintentional misstatements or omissions of amounts or disclosures in the financial statements.
Substantive Testing
Used to detect material misstatements at the relevant assertion level. Procedures should be designed to be responsive to assessed risk.
Substantive Procedures
Used to detect material misstatements. Include tests of details (as applied to transaction classes, account balances, and disclosures) and substantive analytical procedures.
Audit Risk & Materiality: Account Balance, Transaction Class or Disclosure Item Level
Used to determine the nature, extent, and timing of audit procedures to be applied to specific account balances, transaction classes, or disclosure items.
Tests of Controls
Used to evaluate the operating effectiveness of internal control in preventing or detecting material misstatements.
Risk Assessment Procedures
Used to obtain an understanding of the entity and its environment, including its internal control, in order to assess the risk of material misstatement.
Relationship of Audit Strategy and Audit Plan
While creation of an audit plan typically follows development of an audit strategy, the two activities are closely interrelated and may overlap to some extent.
Narratives
Written version of a flowchart. It is a description of the auditor's understanding of the system of internal control. More appropriate for less complex structure.
Tolerable Misstatement
also called tolerable error, is the maximum error in a specific population that the auditor is willing to accept
DR
can be subdivided into tests of details risk ("TD") and substantive analytical procedures risk ("AP"). The auditor can change detection risk. The auditor uses his or her assessment of RMM as a basis for determining an appropriate level of detection risk.
Obtaining an understanding of internal control
includes evaluating the design of controls and determining whether they have been implemented.
Misappropriation of Assets
or defalcation, involves theft of an entity's assets when the effect of the theft causes the financial statements not to be presented in conformity with GAAP.
Those Charged with Governance
refers to those who bear responsibility to oversee the obligations, financial reporting process, and strategic direction of an entity. This term is broadly interpreted to encompass the terms "board of directors" and "audit committee."
RMM & DR - Inverse Relationship
when the auditor determines that the RMM is high, detection risk should be set at a low level. Conversely, when the risk of material misstatement is low, the auditor can justify a higher detection risk.