Summary
Introduction
8.01 Professional standards require the audit team to identify and assess
risks of material misstatement at (1) the financial statement level and (2) the
assertion-level for classes of transactions, account balances and disclosures,
whether due to error or fraud. To assess these risks the audit team:
• obtains an understanding of the entity and its environment, including internal control
• relates the identified risks to what can go wrong at the assertion level
• considers whether the identified risks could result in a material misstatement
• considers the likelihood that the risks could result in a material misstatement
8.02 The risk assessment process is the foundation for the audit. This
continuous process requires the audit team to identify and assess risks based on
an appropriate understanding of the entity, including its internal control. The audit
team first needs to conduct a thorough risk assessment process and then
properly design and perform procedures that directly respond to the
identified risks.
8.03 To develop an appropriate audit plan (one that reduces audit risk to an
appropriate level), the audit team must understand the entity being audited and
the environment in which it operates, including its internal control. This provides
the audit team with the information necessary to assess the risks of material
financial statement misstatement, whether due to error or fraud. The procedures
used to obtain this understanding are called “risk assessment procedures,” as the
information obtained from them is used as audit evidence to support the audit
team’s assessment of the risks of material misstatement.
8.04 The audit team performs certain risk assessment procedures to identify
and consider areas in the financial statements where material misstatements
(whether caused by error or fraud) are more likely to occur, identify the risks that
could cause the misstatements, evaluate the identified risks to determine the
likelihood of them causing the misstatements and finally to identify other areas
where audit attention will be focused. Understanding the entity and its
environment, including internal control also assists in determining the nature,
extent and timing of audit procedures to employ in response to the identified risks.
8.09 The nature of our understanding of the entity and its environment that
should be obtained consists of the following:
1. Nature of the Entity
• the entity’s business operations, including location, products and/or services, sources of revenue, markets, major customers and suppliers, competition, related parties, outsourced activities, employment
• its ownership and governance (who owns the business and is responsible for governance)
• the types of investments (planned or recent acquisitions, securities, loans, fixed assets, special-purpose entities), including related matters such as debt covenants, leasing activities, off-balance sheet arrangements and the use of derivatives
• the way it is structured and how it is financed (this includes how the business obtains funds to operate)
• accounting principles and industry practices, revenue recognition policies, accounting for complex or unusual transactions, financial statement presentation and disclosure
2. Industry, Regulatory and Other External Factors, Including the
Applicable Accounting Framework
• industry conditions, such as the competitive environment, supplier and customer relationships, technological considerations related to its products, and energy supply and cost
• regulatory environment including the applicable accounting principles and industry-specific practices, the type and extent of regulatory oversight, the legal and political environment, including taxation and trade issues and government policies, and environmental requirements
• general economic conditions, interest rates, availability of financing and inflation
3. Objectives, Strategies, and Related Business Risks
• the objectives or overall plans for the entity (defined by those charged with governance) to address business risks
• strategies (operational approaches set by management to achieve these objectives)
• the related business risks (events, conditions, circumstances or actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies, including the risk of a material financial statement misstatement)
• these risks may be related to:
  − industry developments
  − new products and services (for example, increased product liability risks)
  − business expansion
  − new accounting requirements
  − financing requirements (current or future)
  − use of IT
4. Measurement and Review of Financial Performance
• key ratios, operating statistics and performance indicators (financial and non-financial)
• budgets, variance analysis, segment information and divisional, departmental, and other level performance reports
• comparison of performance with peers
• employee performance measures
5. Internal Control (see further discussion in Chapter 9)
• the five components of internal control
• entity-level controls
• activities-level controls associated with reasonably possible risks
Sources of Information
8.11 Sources of information about the entity and its environment include the
following:
• management and others within the organization
• observations of the audit team
• those charged with governance
• office and plant tours
• analytical procedures
• client-prepared reports and other documentation
• external sources
• firm specialists
Additional sources of information about the entity and its environment may
also be obtained from the client’s website and other websites in the
industry.
8.15 Obtaining detailed information about the entity requires sensitivity and
tact. Client personnel may be defensive about the audit team questioning their
areas of responsibility. They may feel threatened by such questioning or, despite
assurances, they may feel that criticism is implied. Moreover, such personnel,
including executives, often have a very different outlook and perspective than the
audit team. Accordingly, discussions with management and other key personnel,
in particular sensitive discussions about the client’s goals and objectives, should
usually be conducted by a partner or manager.
8.16 During this meeting, the audit team should explain and discuss the
anticipated scope of their work and obtain knowledge of the expectations or
special needs of those charged with governance. The audit team should also
make inquiries regarding the views of those charged with governance about the
risk of fraud and whether they have knowledge of any fraud or suspected fraud.
The audit team should also reach an understanding regarding the expected
nature and extent of communications about misappropriations perpetrated by
lower-level employees and the aggregate materiality threshold of such
misappropriations. The objective should be to form the working relationship with
those charged with governance necessary to prevent mistaken expectations and
develop a good line of communication.
8.17 Touring the client’s offices and principal plants may enhance the audit
team’s knowledge. The audit team can learn a great deal about the client's
business, accounting systems, and controls by making such visits and observing
personnel performing their daily activities. Similarly, a tour of the client's plants
and receiving and shipping facilities can convey a great deal of information about
the client's operations and likely control problems. Observations of the
orderliness, cleanliness, and physical layout of facilities and of the employees’
routine functions and work habits can often tell more about the client than can be
learned from studying the accounting records.
Analytical Procedures
8.18 Analytical procedures performed during the planning phase of the audit
are used to identify unusual changes in the financial statements, or the absence
of expected changes, and specific risks. They are required on all audits. During
the planning stage, analytical procedures are usually focused on account
balances aggregated at the financial statement level and relationships between
account balances. Because the analytical procedures at this stage generally use
data aggregated at a high level, the results of those procedures only provide a
broad initial indication about whether a material misstatement of the financial
statements may exist. However, they are helpful in identifying areas where audit
work will be focused.
8.20 In the planning phase, the most commonly used analytical procedures
are ratio analysis and trend analysis.
8.21 For ratio analysis and trend analysis, the expectation formation is
implicit. This is because the reasonable expectation is that the prior year, budget
or industry data used for comparative purposes will be consistent with the current
period. Therefore, the data used for comparison in executing ratio and trend
analysis (prior year, budget, and industry data) is the expectation. Explicit (or
specific) documentation of the expectation is not required when using these
methods in planning.
8.22 In the identification phase, the audit team uses their understanding of
the entity and its environment to identify fluctuations where further audit work is
necessary. This could be because the fluctuation is unusual or unexpected or
because the expected fluctuation did not occur.
8.23 For those fluctuations identified, the audit team considers the possible
explanations for the differences. This is the investigation phase. The audit team
then evaluates whether the explanations are plausible and whether further audit
work may be required. The accounts or assertions where the risk of material
misstatement is evaluated as possible should be discussed in the risk assessment
meeting among the key audit team members (see Discussion Among Audit Team
Members below). Therefore, the documentation required for the identification,
investigation and evaluation phases for the analytical procedures performed in
planning should reference or link to the documentation of the risk assessment
meeting. In the risk assessment phase of the audit, it is not necessary for the
audit team to resolve whether or not misstatements are present.
External Sources
8.26 External sources can provide valuable information about the client and
its industry. Sources of such external information may include reports distributed
by financial reporting services or by brokerage firms (these reports should be
obtained from the issuer).
8.30 The same general principle applies to internal factors, such as the
client's operations. A complete study of all phases of operations is seldom
practicable and rarely necessary. Such a study would embrace many disciplines,
involve specialized expertise, and require considerable time. The initial review,
and annual updating, is directed to the client as a whole, with primary emphasis
on the data bearing directly on the audit process. Accordingly, the extent and
detail of information necessary for audit purposes is a matter of professional
judgment.
8.32 Risks can reside at the financial statement level or at the assertion
level. At the financial statement level, risks are pervasive and can affect several
assertions. At the assertion-level, risks typically only affect a single assertion.
8.33 When assertion-level risks are identified, the audit team must evaluate
the likelihood that the risks could cause a material misstatement and develop an
appropriate response. Assertion-level risks that are more likely to be the cause of
a material misstatement are further evaluated to understand whether:
• internal controls that address the risk are established by the client
• the controls are designed effectively
• the controls are implemented
• the operating effectiveness of controls will be tested
The intended control reliance in combination with the inherent risk of an
error occurring determines the response to these assertion-level risks with
a higher likelihood of occurrence. Assertion-level risks with a lower
likelihood of occurrence are addressed entirely with a substantive
response.
8.34 When financial statement level risks are identified, the audit team must
carefully consider where these risks could manifest themselves in the financial
statements and respond to them appropriately. Many times these pervasive risks
do not directly affect any particular assertion, but rather impact many assertions.
Some are so pervasive that the entire audit is affected. The proper response for
pervasive risks may not require a response in the audit program itself, but rather
an overall response such as:
• adding more experienced team members
• applying additional professional skepticism as the work progresses
• providing additional review
• performing procedures at or near year end
• varying the nature of the procedures
• including procedures with an element of unpredictability
• reconsidering continuance
8.35 To identify financial statement level risks, the audit team uses their
understanding of the entity and its environment to assess the presence of certain
indicators that Horizon calls the “risk indicators”.
8.36 To identify assertion-level risks, the audit team carefully considers the
information gathered in obtaining an understanding of the entity and its
environment to identify the matters that could impact the financial statements.
Once these “matters” are identified, the audit team can identify the risks that the
matters pose and the assertions where those risks reside.
Risk Indicators
8.37 The risk indicators are conditions, events or characteristics of the entity
and its environment. They reveal the extent to which incentives, opportunities or
circumstances exist that could cause the financial statements to be materially
misstated. The audit team evaluates the applicability of the indicators to
demonstrate their understanding of the entity and to identify matters that could
impact the financial statements. Risk indicators are included in Voyager.
8.38 The risk indicators should not be evaluated until the audit team has a
thorough understanding of the entity and its environment. The risk indicators
reflect the audit team’s knowledge that was obtained by performing the risk
assessment procedures.
8.40 The risk indicators are divided into the categories to which they relate.
Most categories contain several indicators. The applicability of any one indicator
may or may not generate a matter. The categories are:
• business practices
• economic
• external
• going concern
• skills
• management
• nature of transactions
• operating
• ownership
• lifestyle
• reporting pressures
• workplace
Matters
8.43 The audit team summarizes the information learned and identified
during the performance of the risk assessment procedures and the evaluation of
the risk indicators by identifying “matters”. Horizon uses the term “matters” to
describe the items identified by the audit team while performing the risk
assessment procedures that may have an impact on the financial statements.
8.44 The audit team should carefully consider each matter to determine
whether it could impact the financial statements. Matters that do not impact the
financial statements need not be considered further; however, the audit team
should document their reasoning.
8.45 For the remaining matters, the audit team should carefully consider
what impact each matter could have on the financial statements. A matter can
affect a single transaction cycle within the financial statements or it could affect
several cycles. For example, the matter “Inventory activities core to operations”
likely affects only the inventory cycle whereas the matter “Inadequate skills of
personnel may increase likelihood of errors” may affect several cycles.
8.48 Matters related to the entity’s industry are linked to risks at the assertion
level. For example, for a commercial entity these matters relate to cycles in the
financial statements such as revenues and inventory. For a depository institution,
they relate to cycles such as loans and deposits. The audit team can accept these
risks, deselect those that do not apply or link the matter to additional risks.
8.49 The matters generated based on the design of entity-level controls are
the result of a very high-level evaluation. Since these matters also relate to control
deficiencies, they are separately evaluated on the Summary of Control
Deficiencies. However, because these particular matters are so pervasive and
could cause misstatements in the financial statements, their effect on the financial
statements should be considered. These matters include:
• lack of segregation of duties
• lack of management oversight
• lack of supervision over business units
• lack of monitoring related parties
• weak governance controls
8.50 The audit team must determine whether these matters could impact the
financial statements and, if so, link them to the appropriate risks that could cause
a material misstatement.
8.51 The existence of risk indicators may result in matters being suggested
(the evaluation of the risk indicators was discussed in the previous section of this
Chapter). Again, the audit team must determine whether these matters could
impact the financial statements and, if so, link them to the risks that could cause a
material misstatement. If the audit team believes that an indicator is singularly
important enough that a matter should be generated, but Voyager does not
suggest one, they should manually add the relevant matter.
8.52 Indicators are also evaluated in the client acceptance process and in
documenting the nature of the entity’s revenue sources.
8.53 When a Voyager file is created for a new client, the audit team should
import the information gathered in the GTI client acceptance tool. This import
process is important for all new clients because it passes information gathered
during client acceptance to Voyager. For a few clients, there could be
circumstances identified that might have an impact on the audit. These include,
among others:
• resignation of the prior auditor
• regulatory investigations
• communication of internal control deficiencies
These circumstances are identified and vetted during the client
acceptance process and when the judgment is made to accept the client,
the Voyager import process ensures that the audit team does not fail to
consider them again in performing risk assessment procedures.
8.56 Finally, matters may be identified by the audit team as they perform the
risk assessment procedures. These matters can be entered into the summary and
linked to the risks that could cause a material misstatement.
8.58 Matters themselves are not the end objective. Matters are simply the
way Horizon connects the information obtained about the entity and its
environment to financial statement risks. The ultimate objective is to identify the
risks that could cause the financial statements to be materially misstated.
8.59 Voyager provides the audit team with the ability to link matters to the
financial statement risks. With the matter highlighted, Voyager displays all of the
significant audit cycles. Within each significant cycle, the financial statement risks
are grouped by the relevant assertion to which they apply. As mentioned earlier,
at this point the audit team can accept these risks, deselect those that do not
apply or link the matter to additional risks.
Significant Cycles
8.60 Horizon utilizes the cycle approach in designing an audit program. This
permits consideration of the interrelationships among income and expense
accounts and corresponding balance sheet accounts in designing an audit
strategy.
Assertions
8.64 Not every assertion is relevant to every transaction cycle. For example,
valuation in the cash cycle. Also, not every assertion is an audit concern. For
example, existence for a building. In this example, existence may be relevant, but
little audit effort is required to verify existence.
8.66 The financial statement risks generally fall into four broad categories.
These are:
• accounting errors
• financial reporting errors
• fraud
• going concern
8.68 Many of the specific assertion-level risks are common to entities in the
same industry and will be present in most audits. These include risks such as:
• recorded receivables not valid
• allowance for loan losses not adequate
• inventory quantities not valid
• inventory prices not valid
• payables understated or not recorded in correct period
• fair value measurements not correct
• intangible asset allowances not adequate
8.69 Some specific assertion-level risks may not apply to every entity. The
audit team should select these risks only when the circumstances of the
engagement cause these items to be an audit concern. These risks may include:
• bill and hold revenue not valid
• share-based obligations understated
• theft perpetrated through payments to fictitious employees
• deferred tax assets not realizable
8.70 Most of the specific risks included in Horizon are clear. Risk
terms such as “understated”, “not correct”, “not adequate”, and “not realizable” are
commonly used in auditing literature. Horizon uses the term “not valid” to describe
circumstances where the population being tested may include items that should
not be there. This could be because a transaction was recorded in error, a price
was not updated, or a quantity overstated.
8.71 Audit effort will only be expended on risks that could cause a material
misstatement. Therefore it is important that the audit team identify all assertion-
level risks that could be the cause of a material misstatement. This importance
requires the audit partner and manager to actively participate in the risk
assessment process.
8.72 Horizon is designed to focus audit effort on assertions that pose the
greatest risk. This requires the audit team to first identify the specific risks within
an assertion that could cause a material misstatement, which was discussed in
the previous section. Next, because the same degree of risk of material
misstatement does not necessarily apply to all the identified risks within an
assertion, the audit team must make a judgment about the likelihood that each
risk could cause a material misstatement. Accordingly, Horizon categorizes risks
as those that are reasonably possible and those that are not reasonably possible.
8.75 At this point in the audit process the audit team has identified the
financial statement risks that could cause a material misstatement and separated
them into two categories:
• those where the risk of material misstatement is reasonably possible (more likely)
• those where the risk of material misstatement is not reasonably possible (less likely)
It is not logical for risks affecting assertions with low inherent risk to be
reasonably possible of causing a material misstatement. Either inherent
risk is not assessed correctly or the risk is actually a not reasonably
possible risk. Also, clients establish more precise controls over the
processes where material misstatements are more likely. When the audit
team finds numerous controls addressing a particular risk, this indicates
that the risk is reasonably possible. Finally, the substantive response for
some risks does not vary significantly regardless of the number of controls
established by the client or whether such controls are tested by the audit
team. For such risks, this is an indicator that they are not reasonably
possible.
8.78 Because a reasonably possible risk is one where the risk of a material
misstatement is more than remote, the audit team must design a response that
will identify material misstatements, if present. Horizon suggests the appropriate
response based on a combined risk assessment that is determined by:
• the intended reliance on internal controls
• the assessment of inherent risk for the related assertion
Activities-Level Internal Controls
8.80 After the audit team understands the internal controls established by
management, they must decide whether the audit strategy for a particular risk will
include an expectation that the controls operate effectively.
8.81 When controls are designed effectively and are implemented, it is often
most efficient to test such controls. Nevertheless, Horizon does not require the
audit team to test the operating effectiveness of internal controls. For each risk,
Horizon provides for three levels of control reliance. These are:
• tests of key controls establish that controls operate effectively (high reliance)
• walkthrough tests support that controls are designed effectively and implemented as designed (some reliance)
• controls are missing, not designed effectively, not implemented, or not operating effectively (no reliance)
Inherent Risk
8.84 Inherent risk is greater for some assertions than for others. For
example, cash transactions are generally more susceptible to theft than certain
raw materials inventories. Complex calculations are more likely to be materially
misstated than simple calculations. Accounts consisting of amounts derived from
accounting estimates will have greater risk than accounts consisting of relatively
routine, factual data.
8.85 Ordinarily, audit teams will assess inherent risk as being either medium
or high since it is not logical to assess inherent risk as low for an assertion that
contains reasonably possible risks. In rare cases where the audit team considers
the proper assessment of inherent risk for an assertion to be low, therefore
requiring only a minimal response to the risks within that assertion, it is likely that
the associated risks were incorrectly assessed as being reasonably possible.
8.86 The audit team is required to document their reasoning for the inherent
risk assessment. Voyager includes inherent risk indicators that can be selected by
the audit team to support their assessment on inherent risk. This provides
sufficient support for the inherent risk assessment. The audit team may choose
not to use the inherent risk indicators as their documentation and if they make this
choice, they should document the basis of their assessment by placing a short
memorandum in the text box provided in Voyager.
8.88 Horizon requires an audit response for all significant cycles. The audit
team may judge that a transaction cycle has no reasonably possible risks even
though it may contain material monetary amounts.
8.91 The audit team should complete the necessary risk assessment
procedures before tailoring the audit programs, setting scopes, and performing
significant substantive procedures or tests of controls. The risk assessment
process is ongoing and as such, the audit team considers risks throughout the
performance of the entire engagement. The risk assessment process does not
end merely because the audit team finished a formal risk assessment meeting. If
additional risks are noted in other stages of the audit, the audit team addresses
them by developing an appropriate response.
8.92 The objective of the discussion is for audit team members to:
• gain a better understanding of the potential for material misstatements resulting from fraud or error in the specific areas assigned to them
• understand how the results of the audit procedures in one area may affect other aspects of the audit
8.93 The discussion among the audit team members should specifically
include how and where they believe the entity’s financial statements might be
materially misstated.
Fraud
Overview
8.94 The term “fraud” refers to intentional acts of one or more individuals that
result in a material misstatement of financial statements. In assessing risks, the
audit team needs to be alert to the possibility of fraud. The audit team should plan
and perform the audit to determine that the financial statements are free of
material errors, including those due to fraud. Further, the audit team should
consider whether factors are present that could indicate fraud. This involves
considering where in the business or in the financial statements fraud could be
occurring. If fraud factors are present, audit procedures should be designed to
obtain reasonable assurance that material fraud will be identified. Horizon
includes the fraud risk factors in the inherent risk indicators discussed above.
8.95 For audit purposes, two types of misstatements are relevant when
considering fraud: misstatements arising from fraudulent financial reporting and
misstatements arising from misappropriation of assets.
8.98 Three conditions are normally present when fraud occurs. First,
management or employees have an incentive or are under pressure, which
provides a reason to commit fraud. Second, circumstances exist – for example,
the absence of controls, ineffective controls, or the ability of management to
override controls – that provide an opportunity for a fraud to be perpetrated. Third,
those involved are able to rationalize committing a fraudulent act. Some
individuals possess an attitude, character, or set of ethical values that allow them
to knowingly and intentionally commit an act of fraud. These three conditions are
known as the fraud triangle and all three elements are present in frauds. While the
auditor cannot read minds to evaluate the rationalization or attitude of the
individual(s) committing the fraud, the incentives or pressures and opportunities
are often red flags that could indicate fraud.
8.100 This information should enhance the audit team’s ability to identify
areas (assertions, accounts, classes of transactions or disclosures) where fraud
could occur and to develop an appropriate response. This identification process
includes considering the type, significance, pervasiveness, and likelihood of the
risk of fraud.
8.101 The risk of improper revenue recognition is presumed to be reasonably
possible within Voyager.
8.102 As part of understanding internal control sufficient to plan the audit, the
audit team should evaluate whether entity programs and controls that address
identified risks of fraud have been suitably designed and placed in operation. The
audit team then considers whether these programs and controls mitigate or
exacerbate the identified risks before responding to those risks.
8.104 The results of audit tests may indicate fraud or the audit team’s risk
assessment may indicate high risk of fraudulent financial reporting or
misappropriation of assets. In such cases, the audit team should consider
withdrawing from the engagement and communicating the reasons for withdrawal
to those charged with governance. The appropriate course of action depends on
the diligence and cooperation of senior management and those charged with
governance in investigating the circumstances and taking appropriate action.
Because of the variety of circumstances that may arise, it is not possible to
describe definitively when withdrawal is appropriate.
8.105 The PSP and the OMP or RPPS should be consulted in these
situations. The OMP or RPPS will determine the need to consult with the firm's
legal counsel.
8.107 The nature and extent of communicating the audit plan will vary,
depending on the circumstances. At a minimum, the plan should be
communicated to all staff assigned to the audit to the extent that they are affected
and should include the information necessary to enable such personnel to have
an appropriate understanding of their individual role in the audit.
8.108 The overall audit plan should be discussed with client management and
those charged with governance to ensure that the audit team will obtain appropriate
client assistance and that client's expectations are in line with the plan. The client
also should be aware of the anticipated timetable.
Consideration of Laws and Regulations
8.109 Knowledge of the business includes obtaining an understanding of the
legal and regulatory framework applicable to both the client and the industry. The
audit team should also obtain a clear understanding of how the client is complying
with the framework.
8.110 When planning and performing audit procedures and in evaluating and
reporting the results thereof, the audit team should recognize that non-compliance
by the client with laws and regulations may affect the financial statements.
8.112 The audit team should obtain written representations from management
that all known actual or possible non-compliance is disclosed.
8.115 In an audit, laws and regulations that are generally recognized to have
a direct and material effect on the financial statements (e.g. tax laws) are
considered from the perspective of their relationship to pertinent financial
statement assertions, rather than from the perspective of legality.
8.117 Other illegal acts are those that may have an indirect financial
statement effect. Entities may be affected by many laws or regulations (e.g.
securities trading, occupational safety and health, environmental protection) which
generally relate more to operations than to financial and accounting matters, and
their financial statement effect is indirect (e.g., normally, the need to disclose a
contingent liability). Ordinarily, the audit team does not have sufficient basis for
recognizing possible violations of such laws and regulations. Even when violations
of such laws and regulations can have a material financial statement effect, they
may not become aware of such illegal acts unless they are informed by the client
or they find evidence of an investigation concerning legality in the client's
accounting records normally subjected to audit procedures.
8.502 What actions should the audit team take after the risk assessment
meeting?
The audit partner should remind the audit team to maintain, throughout the entire
audit, a mindset that recognizes the possibility that a material misstatement due
to fraud could be present, regardless of any past experience with the entity or the
beliefs about management’s honesty and integrity. In other words, it is important
to maintain professional skepticism throughout the audit.