Escolar Documentos
Profissional Documentos
Cultura Documentos
ANALYSIS APPROACH
5th edition
Larry F. Konrath
Electronic Presentation
by Harold
O. Wilson
1
CHAPTER 7
AUDIT PLANNING:
2
KEY CONCEPTS OVERVIEW
■ Control risk = a function of internal
control policies & procedures
■ Quantifying control risk (odds of MM)
■ Studying & documenting internal controls
(memos, flowcharts, checklists,
questionnaires); reportable conditions.
■ Starting with prescribed internal controls
■ Testing the internal controls (tracing
transactions; observations, discoveries)
3
LEARNING
OBJECTIVES
■ Explain audit reasoning & risk assessments
■ Quantify audit risk (joint probability of
components)
■ Distinguish initial assessments and revisions
based on sample evidence
■ Relate risk to audit planning, audit programs,
sampling, work papers, evidence, substantive
testing, and analytical procedures
■ Understand “reportable conditions”
4
INTERNAL CONTROL
DEFINED
A process, effected by an entity’s board …
[and others], designed to provide
reasonable assurance regarding the
achievement of objectives in ...
■ Effectiveness & efficiency of operations.
■ Reliability of financial reporting.
■ Compliance with applicable laws.
5
ASSESSING CONTROL
RISK
■ Control risk: The probability of the
occurrence of a MM (lack of prevention)
and it remaining undetected on a timely
basis by the entity’s internal controls.
(The odds that “prescribed” internal
controls failed when needed!)
■ Detection risk: The probability, given
such failure, that the auditor fails to
discover an existing MM.
6
IMPROPER ASSESSMENT OF
CONTROL RISK
If CR is subjectively assessed as higher than it
should be, excessive substantive testing (and
excessive cost) results. It is inefficient!
8
QUANTIFYING RISK
AR = IR x CR x DR
If an unofficial risk level for auditors to take, is
“about 5%,” the product of the above should be .05.
Then, DR “should dictate” the audit program
for substantive testing, caption by caption.
9
ASSESSING CONTROL
RISK (CR)
Considerations:
■ Inherent risk (IR)
■ Ultra-conservative: Assess IR = 100%!
■ Designing audit programs: the nature,
timing, & extent of substantive tests and
analytical procedures must conform to
the targeted maximum AR (e.g., 5%).
■ DR = f(AR, IR, CR)
10
FAQ?
Presuming that extensive internal
controls reduce risks, and that the
[unofficial] required confidence level is
95%, could a pre-sample confidence level
be so high as to preclude having to take a
sample?
No, except for immaterial accounts!
Pre-sample? Maybe 90% max!
11
A note on detection risk (DR)…
DR calculations depend on exact audit
procedures and the exact sample sizes
selected in the auditor’s attempt to
ascertain the “state of the universe”
under examination—from among many
possibilities.
12
Auditor’s Procedures
■ Inquire as to prescribed controls ; prepare
memos, questionnaires, etc.
■ Assess control risk (with explanations).
■ Test for compliance with prescribed controls.
■ Evaluate sample results and its impact on
proposed substantive tests.
■ Revise audit programs in light of the above.
13
Auditor must …
■ Assess risks & potential areas of both
unintentional and intentional MM.
■ Document responses to such (e.g.,
revisions of audit programs).
■ Perform tests; evaluate results.
■ Communicate conclusions to audit
committees, etc., as considered
necessary.
Never communicate such to just one person!
14
Understanding the IC System
■ Ability to anticipate risks of MM and/or
fraud.
■ Ability to identify IC weaknesses, and
communicate reportable conditions, if
any are discovered.
■ Ability to design substantive tests to ascertain
if MM exist in fact, when desired controls
are absent or judged ineffective.
■ Ability to judge & evaluate order, personnel,
competencies.
15
AND…
■ In assessing the overall Audit Risk, and
“RE-calculating” it as the audit progresses,
the auditor must investigate all material
exceptions to what was to have happened.
This confirmation disagrees
with the books.II How extensive
could such events be?
16
Get your ducks in a row...
19
FAQ?
How is initial CR quantification to be
approached?
Trend: require auditor justification if s/he
does not assess CR at the maximum.
Many believe the approach is, “Conservatively,
what is the highest confidence level you think is
consistent with the prescribed IC?”
Then, 1 minus that is the initial CR.
20
Observations…
■ If the initial quantifications of IR and
CR are both to be set at 100%, i.e.,the
extreme of maximums, the variables of
management attitudes & character, and
prescribed controls become “moot” by
implication.
■ Being ultra-conservative is not to
become an excuse for over-sampling!
21
Summarizing the audit schema!
If each step in the accounting cycle for all
audit captions (cash, receivables, inventory,
etc.) were listed, there would be a parallel list
of internal controls designed to ensure a
business event triggered some documentation,
journalizing, and posting of such. A third
column would list the audit program steps to
ensure the controls were working, and, lastly,
the parallel list of audit work papers, if any,
to serve as evidence of the audit.
22
Note
23
Tests of Controls “should” build auditor
confidence that the client’s controls work,
i.e., testing establishes the control risk. The
lower the CR, the less substantive tests will
be used later in the audit (at FYE), absent
the subsequent discovery of more
errors/irregularities.
24
GUIDELINES FOR AUDIT
PROGRAM DESIGN
■ Resource allocations: proportionately
more to (a) high risk areas, and (b)
material items/balances.
■ External evidence is more persuasive
than internally generated evidence.
■ Aggregate materiality and high error
rates, even among immaterial items,
must be considered.
25
GUIDELINES FOR AUDIT
PROGRAM DESIGN
■ Iferrors are completely random,
they should average $0.
■ Judgment (“sixth sense”) must not
be ignored; qualitative factors may
be more important than math!
■ Don’t hesitate to follow your
suspicions!
26
QUANTITATIVE
EXAMPLE
■ AR, set a little “loose,” at 10%.
■ IR, set high, at 70%.
■ CR, set very high, at 50%; therefore,
30
Detection of errors or fraud
■ Request for client to correct
■ Consideration of extent and nature of risk
of more of the same
■ Revision(s) in current audit program and
future audit program(s)
■ Consideration of impact on audit report
■ Management Letter comments
31
REPORTABLE
CONDITIONS
■ Definition: Matters coming to the
auditor’s attention [representing]
significant deficiencies in … internal
control[s], which could adversely
affect …[reporting on] assertions
of management.
■ Reportable to the Audit Committee or
the senior executives, as a group
■ No requirement to search, per se; if
discovered, must [write] report!
32
REPORTABLE
CONDITIONS
Typically, reported in the CPA’s
Management Letter to the client:
■ What the deficiency is
■ Why it should be corrected
■ How to change the IC system now
38
End of Chapter 7
39