AUDITING: A RISK

ANALYSIS APPROACH
5th edition

Larry F. Konrath

Electronic Presentation
by Harold
O. Wilson
1
CHAPTER 7

AUDIT PLANNING:

2
KEY CONCEPTS OVERVIEW
■ Control risk = a function of internal
control policies & procedures
■ Quantifying control risk (odds of MM)
■ Studying & documenting internal controls
(memos, flowcharts, checklists,
questionnaires); reportable conditions.
■ Starting with prescribed internal controls
■ Testing the internal controls (tracing
transactions; observations, discoveries)
3
 LEARNING
OBJECTIVES
■ Explain audit reasoning & risk assessments
■ Quantify audit risk (joint probability of
components)
■ Distinguish initial assessments and revisions
based on sample evidence
■ Relate risk to audit planning, audit programs,
sampling, work papers, evidence, substantive
testing, and analytical procedures
■ Understand “reportable conditions”
4
INTERNAL CONTROL
DEFINED
A process, effected by an entity’s board …
[and others], designed to provide
reasonable assurance regarding the
achievement of objectives in ...
■ Effectiveness & efficiency of operations.
■ Reliability of financial reporting.
■ Compliance with applicable laws.
5
 ASSESSING CONTROL
RISK
■ Control risk: The probability of the
occurrence of a MM (lack of prevention)
and it remaining undetected on a timely
basis by the entity’s internal controls.
(The odds that “prescribed” internal
controls failed when needed!)
■ Detection risk: The probability, given
such failure, that the auditor fails to
discover an existing MM.
6
 IMPROPER ASSESSMENT OF
CONTROL RISK
If CR is subjectively assessed as higher than it
should be, excessive substantive testing (and
excessive cost) results. It is inefficient!

If CR is subjectively assessed as lower than it

should be, insufficient substantive testing (and
insufficient evidence) results. It is ineffective!
7
Clues …

■ Auditor’s prior work papers

(especially prior control weaknesses,
error rates & analytical reviews)
■ Permanent files
■ Predecessor audit correspondence, contact
■ “Sixth senses”

8
 QUANTIFYING RISK

Audit risk (AR) : The joint probability of

IR, CR and DR:

AR = IR x CR x DR
If an unofficial risk level for auditors to take, is
“about 5%,” the product of the above should be .05.
Then, DR “should dictate” the audit program
for substantive testing, caption by caption.
9
 ASSESSING CONTROL
RISK (CR)
Considerations:
■ Inherent risk (IR)
■ Ultra-conservative: Assess IR = 100%!
■ Designing audit programs: the nature,
timing, & extent of substantive tests and
analytical procedures must conform to
the targeted maximum AR (e.g., 5%).
■ DR = f(AR, IR, CR)
10
 FAQ?
Presuming that extensive internal
controls reduce risks, and that the
[unofficial] required confidence level is
95%, could a pre-sample confidence level
be so high as to preclude having to take a
sample?
No, except for immaterial accounts!
Pre-sample? Maybe 90% max!
11
A note on detection risk (DR)…
DR calculations depend on exact audit
procedures and the exact sample sizes
selected in the auditor’s attempt to
ascertain the “state of the universe”
under examination—from among many
possibilities.

Obviously, a statement of the Control Risk

(probability) must be in the audit work papers!

12
 Auditor’s Procedures
■ Inquire as to prescribed controls ; prepare
memos, questionnaires, etc.
■ Assess control risk (with explanations).
■ Test for compliance with prescribed controls.
■ Evaluate sample results and its impact on
proposed substantive tests.
■ Revise audit programs in light of the above.

13
Auditor must …
■ Assess risks & potential areas of both
unintentional and intentional MM.
■ Document responses to such (e.g.,
revisions of audit programs).
■ Perform tests; evaluate results.
■ Communicate conclusions to audit
committees, etc., as considered
necessary.
Never communicate such to just one person!
14
Understanding the IC System
■ Ability to anticipate risks of MM and/or
fraud.
■ Ability to identify IC weaknesses, and
communicate reportable conditions, if
any are discovered.
■ Ability to design substantive tests to ascertain
if MM exist in fact, when desired controls
are absent or judged ineffective.
■ Ability to judge & evaluate order, personnel,
competencies.
15
AND…
■ In assessing the overall Audit Risk, and
“RE-calculating” it as the audit progresses,
the auditor must investigate all material
exceptions to what was to have happened.
This confirmation disagrees
with the books.II How extensive
could such events be?

16
 Get your ducks in a row...

And be sharp for eXceptions!

17
 CAUTIONS!
■ Auditors should not overemphasize
control points in data processing.
■ The absence of a desired control does not
automatically generate MM.
■ There may be compensating controls, to
substitute for traditional control
procedures, mitigating apparent
weaknesses.
■ There is no “one best” approach to
evaluating internal controls.
18
 FAQ?
What is the maximum control risk?

Maximum control risk: “the greatest

probability that a MM that could occur in
the assertion, will not be prevented or
detected on a timely basis by the entity’s
internal control structure.”

19
 FAQ?
How is initial CR quantification to be
approached?
Trend: require auditor justification if s/he
does not assess CR at the maximum.
Many believe the approach is, “Conservatively,
what is the highest confidence level you think is
consistent with the prescribed IC?”
Then, 1 minus that is the initial CR.
20
Observations…
■ If the initial quantifications of IR and
CR are both to be set at 100%, i.e.,the
extreme of maximums, the variables of
management attitudes & character, and
prescribed controls become “moot” by
implication.
■ Being ultra-conservative is not to
become an excuse for over-sampling!

21
Summarizing the audit schema!
If each step in the accounting cycle for all
audit captions (cash, receivables, inventory,
etc.) were listed, there would be a parallel list
of internal controls designed to ensure a
business event triggered some documentation,
journalizing, and posting of such. A third
column would list the audit program steps to
ensure the controls were working, and, lastly,
the parallel list of audit work papers, if any,
to serve as evidence of the audit.
22
 Note

“Testing transactions” (in audit

programs) traditionally refers to tracing
business events through the accounting
cycle (from controls, to documentation,
to recordings, to ledgers, to trial
balances, to financial statements).
[Reprocessing!]

23
Tests of Controls “should” build auditor
confidence that the client’s controls work,
i.e., testing establishes the control risk. The
lower the CR, the less substantive tests will
be used later in the audit (at FYE), absent
the subsequent discovery of more
errors/irregularities.

24
GUIDELINES FOR AUDIT
PROGRAM DESIGN
■ Resource allocations: proportionately
more to (a) high risk areas, and (b)
material items/balances.
■ External evidence is more persuasive
than internally generated evidence.
■ Aggregate materiality and high error
rates, even among immaterial items,
must be considered.
25
GUIDELINES FOR AUDIT
PROGRAM DESIGN
■ Iferrors are completely random,
they should average $0.
■ Judgment (“sixth sense”) must not
be ignored; qualitative factors may
be more important than math!
■ Don’t hesitate to follow your
suspicions!

26
QUANTITATIVE
EXAMPLE
■ AR, set a little “loose,” at 10%.
■ IR, set high, at 70%.
■ CR, set very high, at 50%; therefore,

DR = AR / [IR x CR] = 29%

Meaning: The auditor must make
substantive tests until DR is reduced
down to 29%!
27
QUANTITATIVE
EXAMPLE
The Detection Risk becomes the variable
now “controllable” by the auditor; it is a
function of a controllable sample size!
The auditor, in selecting a sample size,
must test until DR = .29 or less, using
some form of [statistical] sampling
mathematics. To test beyond that point
is “overcharging.”
28
QUANTITATIVE EXAMPLE
Conversely, statistical (and/or subjective)
probability formulas can be used to
derive the proper sample size, n, needed
in light of other relevant variables:
N, error rates, the mean error, the mean of
population items, the standard deviations
involved, and error sizes discovered.
Goal: To precisely derive a DR of 29% or less.
BUT, a universe poor data may emerge!
29
Sampling & evidence…
“It does not take long to decide--
when the pie is no good!”

“Expecting” many errors (weak controls)

may prompt a low “aggregate materiality”
threshold, AND if errors are “rampant,” a
small sample should disclose such, fairly
quickly!

30
 Detection of errors or fraud
■ Request for client to correct
■ Consideration of extent and nature of risk
of more of the same
■ Revision(s) in current audit program and
future audit program(s)
■ Consideration of impact on audit report
■ Management Letter comments

31
REPORTABLE
CONDITIONS
■ Definition: Matters coming to the
auditor’s attention [representing]
significant deficiencies in … internal
control[s], which could adversely
affect …[reporting on] assertions
of management.
■ Reportable to the Audit Committee or
the senior executives, as a group
■ No requirement to search, per se; if
discovered, must [write] report!
32
REPORTABLE
CONDITIONS
Typically, reported in the CPA’s
Management Letter to the client:
■ What the deficiency is
■ Why it should be corrected
■ How to change the IC system now

Basic transaction cycles

33
TRANSACTION CYCLES;
TESTS OF CONTROLS
1. Revenue Cycle:
Sales & Accounts receivables
Cash collections from customers
SALES ACCTS REC CASH

Controls, documents, data processing

34
TRANSACTION CYCLES;
TESTS OF CONTROLS
2. Expenditure Cycle
Purchases & Accounts payable
Cash disbursements to vendors
INVTY ACCTS PAY CASH

Controls, documents, data processing

35
TRANSACTION CYCLES;
TESTS OF CONTROLS
3. Finance & Investing Cycle:
Borrowing
Investing in Projects
PROJECTS NOTES PAY CASH

Controls, documents, data processing

36
Basic Internal Documentation
■ Sales orders ■ Purchase invoices
■ Shipping tickets, etc. ■ Vouchers
■ Sales invoices ■ Payroll tabulations
■ Remittance advices ■ Clock cards, time
■ Deposit slips tickets
■ Purchase requests ■ Requests for checks
■ Purchase orders ■ Checks
■ Receiving reports ■ Bank statements, etc.
And, internal cost & inventory reporting!
37
Critical Terms Review
■ Assessed level of ■ IC Memorandums
control risk ■ IC Questionnaires
■ Compensating
controls
■ Maximum CR
■ Control points ■ Professional
■ Detection risk skepticism
■ Error rates ■ Qualitative approach
■ IC Checklist ■ Testing/sampling
■ IC Flowchart ■ Warning signs

38
End of Chapter 7

39