Risk Response at Assertion Level - Audit Notes

Risk Response at Assertion Level Overview

  • Objective: The primary objective is to develop an effective risk response at the assertion level to guide and refine the focus of audit procedures, ensuring that significant risks are adequately addressed.

  • RMM Assessment:

  • Conduct a comprehensive assessment of the risk of material misstatement (RMM) to pinpoint specific areas that require deeper scrutiny.

  • Perform the RMM assessment both at the overall financial statement level (OFSL) and at the assertion level, allowing for a layered understanding of risk exposure across different facets of the auditor's focus.

Significant Risks

  • Changes in Revenue Transactions: Modifications in revenue recognition practices have critical implications for accounts receivable, leading to potential misstatements in financial reporting.

  • Consideration of Pervasive Risks: Evaluate widespread risks, such as management incentive structures (e.g., management bonuses) that may induce misstatement of account assertions, thereby impacting the integrity of financial reports.

  • Control Risk Assessment: The audit team must thoroughly assess control risk and identify effective controls within the relevant cycle, which will justify the extent to which substantive procedures can be relied upon.

Risk Response Development

  • The assessment of RMM at the assertion level is pivotal in shaping further audit procedures. These procedures can be categorized as follows:

  • Tests of Controls: These audits are conducted when the control risk assessment indicates that effective controls exist or when dealing with processes characterized by high levels of automation, thus supporting the reliance on such controls.

  • Substantive Procedures: These procedures include both detailed tests (tests of details) and substantive analytical procedures, designed to directly address the risks identified.

Audit Approach

  • Auditors face three distinct choices regarding risk response based on their assessment of control risk:

  1. When Control Risk is High: Emphasize reliance on substantive procedures, as effective controls may not be present.

  2. When Control Risk is Low: Favor reliance on controls, allowing substantive tests to be guided by existing controls.

Control Risk Assessment

  • The Hillsburg audit team has developed a nuanced risk response incorporating both tests of controls and substantive procedures based on their low control risk assessment at the assertion level.

  • When controls are highly automated, it is essential to test both general IT controls and application computer controls to confirm their operational effectiveness.

Case Study: KPMG Audit Plan

  • In their audit engagements, KPMG identified significant risks related to fraudulent activities, specifically in revenue recognition processes, therefore closely evaluating specific areas such as salaries and benefits that could pose abuse opportunities.

  • KPMG opted for a combined audit approach for certain areas, striking a balance between substantive procedures and control tests based on their RMM assessments, tailored according to identified risks.

Comparison of Different Audit Approaches
Audit Approaches Summarized:

  1. Audit 1 - Significant Internal Controls:

  • Inherent assurance from large companies with robust internal controls allows reliance on these controls to reduce the necessity for extensive detailed tests.

  1. Audit 2 - Some Controls:

  • In situations featuring moderate control environments, a combination of control tests and substantive testing is employed, particularly where risks related to RMM are pronounced.

  1. Audit 3 - Limited/No Controls:

  • In instances of high control risk, a primarily substantive approach is necessary, incorporating more thorough and detailed testing to mitigate risks.

  1. Audit 4 - Change in Approach:

  • If initial reliance on controls yields unsatisfactory results or control failures are identified during testing, auditors may revert to a predominately substantive approach to enhance the audit's reliability.

Internal Controls Considerations

  • Establishing internal controls is fundamentally a choice of the business, rather than a legal requirement, thus companies weigh the implementation costs against perceived benefits.

  • Conducting a cost/benefit analysis of implementing controls is particularly crucial for smaller businesses that might have limited resources.

  • The audit strategy and audit approach play critical roles in determining the timing of control tests:

  • Audit Strategy: Involves a high-level plan that identifies key RMM and formulates responses to address these risks.

  • Audit Approach: The specific decision-making process pertaining to when to test controls versus relying on substantive tests, ensuring appropriateness relative to the context of the audit.

Important Procedures

  • Tests of Controls: Mandatory if controls are automated; otherwise, these tests may be optional and based on risk assessments.

  • Substantive Procedures: Should demonstrate validity across all material classes and address significant risks effectively.

  • Dual-Purpose Tests: Efficiency is gained by evaluating controls while performing substantive checks concurrently to streamline the auditing process.

Timing and Extent of Procedures

  • Audit tests can be strategically scheduled at interim periods or year-end, contingent upon the client's control environment and associated risk analysis.

  • In complex and sophisticated systems, auditing procedures may occur throughout the year, facilitating a model of continuous auditing to enhance overall risk management.

  • The extent of testing can center on high-risk items or leverage automated tools to improve efficiency in identifying errors and irregularities.

Conclusion

  • Effective risk response planning necessitates thorough integration of internal control assessments, substantive testing, and adaptive flexibility in tailoring audit strategies to the distinctive environments of various organizations.