Risk Assessment and Internal Control
Audit Risk
Audit risk is the risk of issuing an inappropriate audit opinion when financial statements are materially misstated. It's a function of the risks of material misstatement and detection risk. To mitigate this, auditors must gather sufficient, appropriate audit evidence (SAAE) to reduce audit risk to an acceptably low level, according to SA-200. Audit risk is expressed by the following formula: Audit Risk = Risk of Material Misstatement × Detection Risk, where the Risk of Material Misstatement is further divided into Inherent Risk and Control Risk. The auditor's objective is to keep the overall audit risk at an acceptably low level. Audit risk should be kept at a bare minimum.
Risks of Material Misstatement
Risks of material misstatement exist at the overall financial statement level and the assertion level. These risks comprise inherent risk and control risk, both of which are influenced by the client and exist independently of the audit. Understanding these risks is important for planning the audit procedures.
Inherent Risk
Inherent risk is the susceptibility of an assertion to material misstatement before considering any related controls. It varies for different assertions and is considered when designing tests of controls and substantive procedures. High inherent risks require more rigorous testing and a larger sample size. Examples of factors increasing inherent risk include complex calculations, estimates, and susceptibility to fraud or error.
Control Risk
Control risk is the risk that an entity's internal controls will not prevent or detect material misstatements on a timely basis (SA-200). It has an inverse relationship with the efficiency of internal control. When internal controls are effective, control risk is low, and vice versa. Auditors evaluate control risk to determine the level of reliance they can place on the entity's internal controls. Effective internal controls reduce the likelihood of material misstatements occurring.
Detection Risk
Detection risk is the risk that the auditor's procedures will not detect a material misstatement. It comprises sampling and non-sampling risk. Detection risk is the only component of audit risk that auditors can influence, so they must reduce it to keep audit risk low. This is achieved through well-planned and executed audit procedures. Factors affecting detection risk include the auditor's competence, the nature and timing of audit procedures, and the adequacy of audit evidence gathered. Ways to reduce detection risk include increasing the scope of audit procedures and performing audit procedures closer to the period end.
Risk Assessment
Risk assessment relies on audit procedures to gather necessary information and evidence. It requires professional judgment and leads to a combined assessment of the risks of material misstatement, which can be expressed quantitatively or non-quantitatively. Quantitative measures involve assigning numerical probabilities, while non-quantitative assessments use descriptive terms like high, medium, or low.
Identifying and Assessing Risk
SA 315 guides auditors in identifying and assessing risks of material misstatement at the financial statement and assertion levels through understanding the entity and its environment, including internal control, to design appropriate responses. The standard requires a thorough understanding of the entity's business, its operations, and the industry in which it operates.
Risk Assessment Procedures
Risk assessment procedures include inquiries of management and others, analytical procedures, and observation and inspection. Information gathered is used as audit evidence to support risk assessments. Analytical procedures involve evaluating financial information through analysis of plausible relationships among both financial and non-financial data. They help identify inconsistencies or unusual transactions that may indicate a risk of material misstatement.
Materiality
Materiality refers to misstatements that could reasonably influence the economic decisions of users (SA 320). Auditors apply this concept in planning and performing the audit, evaluating the effect of misstatements, and forming an opinion. Materiality guides the scope and testing levels. It ensures that the audit focuses on areas that are most likely to impact the fairness of the financial statements.
Performance Materiality
Performance materiality is set below overall materiality to reduce the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements. This acts as a buffer to reduce audit risk to an acceptably low level.
Determining Materiality
A percentage applied to a chosen benchmark—such as profit before tax, total revenue, or gross profit—is a starting point. Professional judgment guides the selection of the benchmark and the determination of materiality. Common benchmarks are:
Profit before tax: Often used for profitable entities.
Total revenue: Useful for not-for-profit organizations or entities with volatile profits.
Gross profit: Suitable for entities where gross profit is a key performance indicator.
Total expenses: Sometimes used for entities that are consistently loss-making.
Understanding the Entity and Its Environment
Auditors must understand the entity's industry, regulatory environment, nature of the entity, accounting policies, objectives, strategies, and financial performance measures (SA 315). This knowledge aids in audit planning and identifying areas needing special attention. It allows auditors to assess risks specific to the entity and tailor audit procedures accordingly. For example, understanding the entity's revenue recognition policies can help identify risks related to revenue overstatement.
Internal Control
Internal control is designed and implemented by governance, management, and personnel to provide reasonable assurance about achieving the entity's objectives (SA-315). It addresses risks related to financial reporting reliability, operational effectiveness, legal compliance, and asset safeguarding. Effective internal control systems help ensure the accuracy and reliability of financial information.
Components of Internal Control
Internal control comprises the control environment, the entity's risk assessment process, the information system and communication, control activities, and monitoring of controls.
Control Environment: Sets the tone of an organization, influencing the control consciousness of its people. It includes the ethical values, integrity, and competence of the entity's people.
Risk Assessment Process: How management identifies and responds to business risks. It involves identifying, analyzing, and managing risks relevant to financial reporting.
Information System and Communication: Systems that support the identification, capture, and exchange of information. These systems should provide accurate, timely, and relevant information.
Control Activities: Policies and procedures that help ensure management directives are carried out. Examples include authorizations, reconciliations, and segregation of duties.
Monitoring of Controls: Processes used to assess the quality of internal control performance over time. It involves ongoing evaluations and separate evaluations.
Risks Requiring Special Audit Consideration
Auditors must determine if identified risks are significant, considering fraud risk, recent economic developments, transaction complexity, related party transactions, subjectivity in financial information, and unusual transactions. Significant risks often require more extensive audit procedures.
Evaluation of Internal Control
Evaluation of the internal control system is crucial for overall audit assurance. Benefits include identifying potential errors and frauds, assessing the effectiveness of internal controls, and determining the extent of audit examination needed. A thorough evaluation helps auditors tailor the nature, timing, and extent of audit procedures.
Methods of Evaluation
Methods include narrative records, checklists, internal control questionnaires, and flow charts.
Narrative Records: Written descriptions of an entity's internal controls. They provide a detailed understanding of how controls operate.
Checklists: Standardized lists of control procedures. They ensure that all relevant controls are considered.
Internal Control Questionnaires: Questions designed to evaluate the design and implementation of internal controls. Responses provide insights into the effectiveness of internal controls.
Flow Charts: Diagrams that illustrate the flow of transactions and the controls in place. They help identify potential weaknesses in the internal control system.
Testing of Internal Control
Auditors test the design and operation of internal controls, including inspection of documents, inquiries, observation, and re-performance. Testing of controls provides evidence about their effectiveness. The extent of testing depends on the auditor's planned reliance on internal controls.
Automated Environment
An automated environment uses computer systems for processes, operations, and accounting. Key features include faster operations, accuracy, large volume processing, integration, and better controls.
IT Risks and Controls
Risks arising from IT systems include inaccurate data processing, unauthorized access, and unauthorized changes. Controls are categorized as general IT controls, application controls, and IT-dependent controls.
Digital Audit and Data Analytics
Digital audits use technology like AI and data analytics to improve audit effectiveness. Data analytics, through Computer Assisted Auditing Techniques (CAATs), aids in testing electronic records.
Internal Financial Controls (IFC)
Internal Financial Controls (IFC) refer to policies and procedures ensuring financial reporting reliability, operational effectiveness, legal compliance, asset safeguarding, and fraud prevention.
Auditor’s Responses to Assessed Risks (SA 330)
SA-330 requires auditors to design and implement overall responses to address assessed risks of material misstatement. Further audit procedures should be responsive to assessed risks at the assertion level. These responses may include:
Modifying the nature, timing, and extent of further audit procedures.
Assigning more experienced staff or those with special skills.
Increasing the level of