Auditing Theory

Chapter 10 Procedures (not required for all aspects as per PSA 315,
Understanding the Entity and Its Environment only to the extent of required understanding): IAO
Inquiries of management and others within the entity
PHASE I-C
Risk Assessment through Understanding the Entity  Management can provide necessary info, but
others may be inquired by auditor to gain
different perspectives:
PSA 315 1
 auditor is responsible to identify and asses Those charged environment in which FS
RMM through understanding the entity, with governance are prepared
including internal control; discussion with
engagement team re: susceptibility to
misstatement is required Internal audit design & effectiveness of
 Standard’s requirements internal control;
I. Risk assessment procedures and response of management
sources of info to findings
II. Understanding the entity and its Employees appropriateness of
environment + internal control involved in application of certain
III. Identifying and assessing RMM unusual accounting policies
IV. Material weakness in internal control transactions
V. Documentation
In-house legal litigation, compliance,
counsel knowledge of fraud,
I. RISK ASSESSMENT PROCEDURES AND SOURCES OF INFO post-sales obligations,
ABOUT THE ENTITY AND ITS ENVIRONMENT, arrangements, contract
INCLUDING INTERNAL CONTROL terms
Obtaining understanding of E&E+I is a continuous, Marketing/sales changes in marketing
dynamic process of: strategies, sales trends,
 Gathering arrangements with
 Updating customers
 Analyzing information
Risk assessment procedures (RAP)
 audit procedures to obtain understanding (PSA Analytical procedures
5002)  Identifying existence of unusual transactions
 Auditor perform evidence-gathering procedures that have FS and audit implications
even if it was not specifically planned  Audit develops expectations, compares them
 May occur CONCURRENTLY with RAP for with actual records, identifies deviations from
efficiency expectations, and considers them in identifying
 When using info obtained in PRIOR PERIODS, RMM
determine whether changes affect relevance to  Analytical procedures using data aggregated at
current audit high level only provide broad initial indication of
 Previous experience with continuing clients RMM
contribute to understanding  PSA 520 - “Analytical Procedures”
 When relevant, auditors may also consider info
in client acceptance process and experience
from other engagements

1
PSA 315 - “Identifying and Assessing the Risks of Material
Misstatements through Understanding the Entity and Its
Environment
2
PSA 500 – “Audit Evidence”
 Observation and inspection Legislative and regulatory requirements
 Support inquiries and provide info about E&E  Determinant of applicable FRF (usually that of
 Procedures include: VORIT the jurisdiction in which entity is registered and
 Observation of entity activities and auditor is based; auditor and entity will have
operation common understanding of the framework)
 Inspection of documents, records,  Where there is no local FRF, entity’s choice will
internal control manuals be governed by:
 Reading reports prepared by  Local practice
management  Industry practice
 Visits to entity’s premises  User needs
 Tracing transactions through  Other factors
information systems  Auditor should consider local FRF requirements
since FS may be misstated in the context of the
applicable FRF
II. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
INCLUDING INTERNAL CONTROL
INAOPI Nature of the Entity

Industry, Regulatory, & Other External Factors + - Operations

Applicable FRF - Ownership and governance
 PSA 550 – “Related Parties”
Industry - Investments (current and prospects)
 Competitive environment - Structure – complex structures lead to difficulty
 Supplier and customer relationships in consolidation & give rise to RMM:
 Technological developments  Allocation of goodwill
 Impairment
Regulatory  Investments using equity method
 Applicable FRF  Accounting for special-purpose entities
 Legal and political environment - Financing
 Environmental requirements - Then, critical business processes and value-
creation for customers
Other
 General economic conditions
Selection/Application of Accounting Policies and
*Cabrera, Ch. 10 p.424 for more matters to consider
Changes thereto
- Includes:
Overall attractiveness of industry  Methods used for unusual transactions
 Barriers to entry  Effect of policies in areas where
 Strength of competitors authoritative guidance or consensus is
 Bargaining power of suppliers lacking
 Bargaining power of customers  Changes in accounting policies
 Others:  New FR standards and how the entity
a. Economic conditions will adopt new requirements
b. Financial trends - Presentation of FS includes:
c. Governmental regulations  Adequate disclosure of material
d. Changes in technology matters; may relate to:
e. Widely used accounting methods - Form
- Arrangement
– Industry gives rise to specific RMM arising from nature
- Content and appended notes:
of business or degree of regulation
terminology, amount of detail
provided, classification of items,
basis of amounts set forth
- Other matters to consider (Cabrera, Ch. 10, p. 427):
  Business operations Measurement and Review of Entity’s Financial
 Investments Performance
 Financing Performance measures
 Financial Reporting
- create pressures that may motivate
management to take action in:
Objectives, Strategies, and Related Business Risks  improving business performance
Objectives: overall plans developed in response to  misstate FS/ engage in fraud
circumstance in which the entity operates - internal/external

Strategies: operational approaches to achieve Internal External

objectives  KPIs (financial and  Analyst’s reports
Business Risk nonfinancial)  Credit rating agency
 Budgets reports
- result from significant things that adversely  Variance analyses
affect entity’s ability to achieve objectives and
 Segment information
strategies
 Divisional,
- broader than RMM, but includes it
departmental, other
- may arise from:
level reports
(1) Change  Comparison with
(2) Complexity competitors
- failure to recognize change also gives rise to risk
- auditor DOES NOT have a responsibility to - entities use measurement systems to gauge
identify ALL business risk progress towards meeting objectives
- most (not all) have financial consequences, - external parties may also review performance
therefore, affecting financial statements - determines incentives because compensation is
- auditor is interested in how management tied to performance measures
assesses and responses to such risk - may be indicators of RMM (unexpected results)
- where there is no documentation, auditors - when used by auditors, check for precision in
perform inquiry MM detection
- Other matters to consider: (Cabrera Ch. 10 p. 433)
Objectives and strategies change over time along with
changes in the environment
Other matters to consider: This is distinguished from MONITORING OF CONTROLS
though their purposes may overlap.
1. existence of objectives
2. effects of implementing a strategy Monitoring of Controls Measurement and
Review of FP
(Cabrera, Ch. 10 p.430)
Effectiveness of internal Progress in attaining
controls objectives set by
management or third
parties;

Performance indicators
may also be used to
identify deficiencies in
internal control
Understanding the Client’s Internal Control - Matters to consider in identifying nature of risk:
Internal Control – provides reasonable assurance of  Risk of fraud
achieving objectives related to:  Relation to significant economic,
accounting developments
1. Reliable financial reporting  Complexity of transactions
2. Operational efficiency and effectiveness  Involvement with related parties
3. Compliance with laws and regulations  Degree of subjectivity in measurement
Nature and extent of audit work depend largely upon  Involvement of significant transactions
effectiveness of internal control. outside normal business course
- Indicators of Existence of RMM:
To evaluate effectiveness of IC:
 Operations in economically unstable
1. Understand the system: how it works, what regions
controls exist, who performs controls, how  Volatile markets
transactions are processes, what records exist  Complex regulations
 Going concern & liquidity issues
 Constraints in availability of
III. Identifying and Assessing the Risk of Material capital/credit
Misstatement  Changes in the industry
 Changes in the supply chain
- RMM at financial statement level and assertion  New products/services
level must be identifies and assessed  New locations
- The auditor performs the ff:  Large acquisitions/ reorganizations of
 Identifies risks throughout the process the entity
of understanding, including relevant  Segments likely to be sold
controls  Complex alliances/joint ventures
 Relates risks identified to what could go  Significant transactions with related
wrong at the assertion level parties
 Considers whether magnitude of risk  Lack of personnel with appropriate
may cause material misstatement accounting skills
 Considers the likelihood that risks could  Changes in key personnel
result in a material misstatement  Weakness in internal control
Significant Risks  Inconsistency bet. IT strategy and
- Risks that need special audit consideration business strategies
- Based on auditor’s professional judgment  Changes in IT
- Excludes effects of identified controls  New IT system
- PSA 3303 describes the consequences for  Inquiries by regulatory bodies
further audit procedures  Past misstatements, significant amount
- Usually arise from: of adjustments at year-end
1. Non-routine transactions  Non-routine transactions
a. Management intervention in  Transactions recorded based on
accounting treatments management’s intent
b. Manual intervention in data  New accounting pronouncements
collection  Accounting measurements involving
c. Complex calculations/ principles complex processes
d. Nature of non-routine  Measurement uncertainty
transactions  Pending litigation
2. Judgmental matters
a. Accounting principles subject to
different interpretations
b. Assumptions about effects for
future events; very subjective

3
PSA 330 – “Auditor’s Responses to Assessed Risk”
IV. Material Weakness in Internal Control
- Auditor shall identify, based on audit work Risk of the assertion level
performed, material weakness in design,
implementation, or maintenance of IC - risk that financial statement assertion is
- PSA 2604: communicate on a timely basis with materially misstated
those charged with governance (unless they are - FS assertions are not equally subject to
involved in management) misstatements; some have higher risk than
- Types of material weaknesses: others
 RMM that the entity has not controlled,
or for which relevant control is
Audit risk
inadequate
 Weakness in the or an absence of a risk - Possibility that auditors fail to modify opinion
assessment process on materially misstated FS
- Material weaknesses may also be identified in - Consists the possibility that:
controls that prevent/detect/correct error or  RMM (IRXCR): MM has occurred
fraud  DR: Auditor does not detect MM
Audit Risk
Risk of Material Misstatement
V. Documentation
- PSA 230 “Audit Documentation” Inherent Risk Control Risk Detection Risk
- Auditor should document: Susceptibility to Risk that a Risk that auditor’s
 Discussion among engagement team re: MM assuming misstatement substantive
susceptibility of FS to MM + significant there are no cannot be detected/ procedures will fail
controls prevented/corrected to detect a
decisions on a timely basis by misstatement that
 Key elements of understanding internal control could be material
obtained systems
 RMM at FS & assertion level
Composed of:
 Risks identified + related controls
evaluated - Sampling risk
- Non-sampling
- Manner of documentation based on risk
professional judgement
May change for May be affected by can be controlled
- Results of RAP may be: future audits due auditors for a future by auditors
 Documented separately to: audit by through amount of
 Documented as part of auditor’s encouraging client evidence he
- Client’s
documentation of further procedures to implement accumulates
influence
(PSA 330) changes in control
- Common techniques: - Economic or
 Narrative descriptions industry
factors outside
 Questionnaires of client’s
 Check lists influence
 Flow charts exist independently of the audit of FS.
- Form and extent of documentation depend on
Influences nature, timing, extent of audit Relates directly to
nature, size, complexity of the entity, IC, procedures substantive
availability of info, & specific audit methods and procedures
tech used
Inverse relationship with DR
 Large entity with complex info system –
electronic
 Small entity with few transactions –
memorandum
Assessing Inherent Risk and Control Risk at the
Assertion Level
4
PSA 260 – “Communication with Those Charged with
Governance”
Inherent Risk Control Risk
At FS Level - Can never be zero; internal controls cannot
- Management’s integrity provide complete assurance
- Management’s experience and knowledge - Effective internal control structure promotes
- Changes in management during the period reliability in accounting data (GAAS)
- Unusual pressures on management - To obtain understanding:
- Nature of entity’s business  Inquiry
- Factors affecting industry  Inspection
 Observation
At Account Balance and Class of Transactions Level  Reperformance procedures
- FS account likely to be misstated (e.g. accounts - Preliminary assessment of control risk (PACR):
requiring prior-period adjustments that need evaluating effectiveness of internal control in
high degree of estimation) preventing/detecting MM
- Complexity of underlying transactions - Auditor assesses control risk at high level when:
- Degree of judgment involved in determining  Accounting and IC are ineffective
account balances  Evaluating effectiveness of accounting
- Susceptibility of assets to loss or and IC would be inefficient
misappropriation - PACR should be high unless:
- Completion of unusual and complex  Relevant internal controls that are likely
transactions, particularly near or at period end to prevent/ detect MM are identified
- Transactions not subject to ordinary processing  Auditor plans to perform tests of
control to support the assessment
- Documentation
Factors indicative of high inherent risk  Understanding obtained re: accounting
 Inconsistent profitability and internal control systems
 High sensitivity of operating results to economic  Assessment of control risk
factors
 Going concern problems
Detection Risk
 Large known and likely misstatements in prior
audits - Function of the auditor’s verification of account
 Substantial turnover, questionable reputation, balances
inadequate skills of management - Influenced by NTE of audit procedures
- Auditor considers likelihood that he will make a
mistake
Assertions with high inherent risk - Relates DIRECTLY to substantive procedures
 Difficult to audit transactions/balances - Some detection risk will always be present even
if an auditor were to examine 100% of account
 Complex calculations
balances because evidence is mostly persuasive
 Difficult accounting issues
- Restricted by performing substantive tests
 Significant judgment
 Values that vary significantly based on
economic factors Interrelationship of AR Components
Control risk is:
H M L
Inherent H Lowest Lower Medium
risk is: M Lower Medium Higher
L Medium Higher Highest
Audit risk model 3. Assess control risk
- Auditors use this relationship to determine NTE - CR represents:
of audit procedures to manage and control  Effectiveness of IC
audit risk  Auditor’s intention to make that
- May be numeric or qualitative (high, medium, assessment at a level below the
low) maximum (100%) as part of the audit
plan
AR = IR X CR X DR - Before setting CR to less than 100%:
 Obtain understanding of IC
 Evaluate how well IC should function
Steps:  Test IC for effectiveness
1. Determine planned audit risk - If internal controls are completely ineffective,
- Planned audit risk = acceptable audit risk auditor sets CR to 100%
- Factors + methods:
 Reliance of external users on FS 4. Solve equation to determine planned DR
 Examine FS + footnotes
 Read minutes of meetings - Planned detection risk = allowable detection
 Discuss financing plans with risk
management - ADR/PDR is the amount of risk the auditor can
 Likelihood of financial difficulties allow for an assertion that audit evidence will
 Analyze FS for difficulties using ratios fail to detect misstatements exceeding a
 Examine historical and projected cash
flows
tolerable amount
 Management integrity - 2 key points:
 Obtain info from lawyers, CPAs, banks,  Dependent on other three factors in the
predecessor auditor model
- Assessment of factors is highly subjective; thus  Determines amount of substantial
overall assessment is highly subjective evidence the auditor plans to
- E.g. low acceptable audit risk = risky client accumulate (inverse)
requiring more extensive evidence

2. Assess inherent risk *Assessed level of IR and CR cannot be sufficiently low

- Implies that auditor attempts to predict where to eliminate need to perform substantive procedures.
misstatements are in the FS Procedures should always be performed.
- Major factors (read Cabrera, Ch. 10 p.450):
 Nature of business
 Integrity of management *If DR cannot be reduced to an acceptably low level,
 Client motivation auditor should express an unqualified opinion or issue a
 Results of previous audits disclaimer.
 Initial vs repeat engagements
 Related parties
*Computation and comparison with achieved audit risk.
 Nonroutine transactions
 Susceptibility to defalcations - if achieved AR is less than or equal to planned
 Judgement required to correctly record AR, evidence accumulated is sufficient
account balances and transactions
 Make up of population AcAR = IR X CR X AcDR
- Auditors are generally conservative in making
assessments of inherent risk
- Relationship to detection risk: inverse *Research shows that the formula is not appropriate in
- Relationship to planned evidence: direct calculating achieved audit risk, but relationships are still
valid.
Ways to reduce AcAR to an acceptable level:
1. Reduce IR
- Based on client’s circumstances
- Assessed during planning
- NOT typically changed unless new facts are
uncovers
2. Reduce CR
- Affected by client’s IC
- Reduced by more extensive test of controls if
client has effective controls
3. Reduce AcDR by increasing substantive audit
procedures

Summary of PSAs
1. PSA 230 - “Audit Documentation”
2. PSA 260 – “Communication with Those Charged
with Governance”
3. PSA 315 - “Identifying and Assessing the Risks of
Material Misstatement through Understanding the
Entity and Its Environment
4. PSA 330 - “Auditor’s Responses to Assessed Risk”
5. PSA 500 – “Audit Evidence”
6. PSA 520 - “Analytical Procedures”
7. PSA 550 – “Related Parties)