Wiley Practitioner's Guide to GAAS 2017 - Flood Joanne M. - Page 38

AU-C 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT
Requirements


Risk Assessment Procedures

The auditor should perform risk assessment procedures to provide a basis for the assessment of material misstatement. (AU-C 315.05) Risk assessment procedures include:

1. Inquiries of management, individuals in the internal audit function, and others at the client

2. Analytical procedures

3. Observation and inspection

(AU-C 315.06)

The auditor's risk assessment procedures provide the audit evidence necessary to support the auditor's risk assessments, which in turn support the determination of the nature, timing, and extent of further audit procedures. Thus, the results of the auditor's risk assessment procedures are an integral part of the audit evidence obtained to support the opinion on the financial statements.

NOTE: Under the previous auditing standards, it was common for auditors to declare control risk to be maximum simply for audit efficiency, without any basis for making that assessment. Section 315 eliminates that practice by requiring auditors to document their rationale for assessing control risk. This rationale should be based on the information gathered from the performance of risk assessment procedures. The elimination of the auditor's ability to default to maximum control risk without justification is a significant change from previous practice.

A Mix of Procedures

Except for the five components of internal control, the auditor is not required to perform all the procedures for each of the five aspects of the client and its environment listed in the upcoming subsection, “The Entity and Its Environment.” However, in the course of gathering information about the client, the auditor should perform all the risk assessment procedures.

Other procedures may provide relevant information about the entity. For example:

● When relevant to the audit, the auditor should consider other information, which may include:

  ● Information obtained from the client acceptance or continuance process (AU-C 315.07)

  ● Experience gained on other engagements performed for the entity (AU-C 315.08)

● Some of the procedures the auditor performs to assess the risks of material misstatement due to fraud also may help gather information about the entity and its environment, particularly its internal control. (AU-C 315.09)

NOTE: Because of the close connection between the assessment of the risk of material misstatement and the procedures performed to assess fraud risk, the auditor will want to:

● Coordinate the procedures he or she performs to assess the risk of material misstatement due to fraud with the other risk assessment procedures.

● Consider the results of his or her assessment of fraud risk when identifying the risk of material misstatement.

Updating Information from Prior Periods

If certain conditions are met, the auditor may use information obtained in prior periods as audit evidence in the current period audit. However, when the auditor intends to use information from prior periods in the current period audit, the auditor should determine whether changes have occurred that may affect the relevance of the information for the current audit. (AU-C 315.10) To make this determination, the auditor should make inquiries and perform other appropriate audit procedures, such as walk-throughs of systems. (AU-C 315.A20)

Discussion by the Audit Team

The members of the audit team should discuss the susceptibility of the client's financial statements to material misstatement. (AU-C 315.11) This discussion will allow team members to exchange information and create a shared understanding of the client and its environment, which in turn will enable each team member to:

● Share his or her knowledge.

● Gain a better understanding of the potential for material misstatement resulting from fraud or error in the assertions that are relevant to the areas assigned to them.

● Exchange information about business risks.

● Understand how the results of the audit procedures that they perform may affect other aspects of the audit.

This “brainstorming session” of the audit team could be held at the same time as the team's discussion related to fraud, which is required by Section 240. (AU-C 315.A21)

Understanding the Entity and Its Environment, Including Internal Control

The Entity and Its Environment

The auditor should obtain an understanding of the following five elements of the entity and its environment:

1. External factors, including:

● Industry factors, such as the competitive environment, supplier and customer relationships, and technological developments.

● The regulatory environment, which includes the applicable financial reporting framework, the legal and political environment, and environmental requirements that affect the industry.

● Other matters, such as general economic conditions

2. Nature of the client, which includes its operations, its ownership, governance, the types of investments it makes and plans to make, how it is financed, and how it is structured.

3. Accounting policies, including the entity's selection and application of accounting policies, the reasons for any changes, and whether the entity's accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.

4. Objectives and strategies and related business risks, which may result in material misstatement of the financial statements taken as a whole or as individual assertions.

5. Measurement and review of the client's financial performance, which tell the auditor which aspects of the client's performance management considers important.

(AU-C 315.12)

NOTE: The purpose of understanding the entity and its environment is to help identify and assess risk. For example:

● Information about the client's industry may allow the auditor to identify characteristics of the industry that could give rise to specific misstatements.

● Information about the ownership of the client, how it is structured, and other elements of its nature will help identify related-party transactions that, if not properly accounted for and adequately disclosed, could lead to a material misstatement.

● The auditor's identification and understanding of the business risks facing the entity increase the chance of identifying financial reporting risks.

● Information about the performance measures used by the entity may lead the auditor to identify pressures or incentives that could motivate entity personnel to misstate the financial statements.

● Information about the design and implementation of internal control may identify deficiencies in control design, which increase the risk of material misstatement.

Evaluating the Design of Internal Control

On every audit, the auditor should obtain an understanding of internal control that is of sufficient depth to enable the auditor to:

1. Assess the risks of material misstatement of the financial statements, whether due to error or to fraud.

2. Design the nature, timing, and extent of further audit procedures.

To meet these requirements, the auditor should:

1. Evaluate the design of controls that are relevant to the audit and determine whether the control – either individually or in combination – is capable of effectively preventing or detecting and correcting material misstatements.

2. Determine that the control has been implemented – that is, that the control exists and that the entity is using it.

(AU-C 315.13-14)

The auditor's evaluation of internal control design and the determination of whether controls have been implemented are critical to the assessment of the risks of material misstatement. Remember that even if the auditor's overall audit strategy contemplates performing only substantive procedures for all relevant assertions related to material transactions, account balances, and disclosures, the auditor still needs to evaluate the design of the client's internal control.

NOTE: In evaluating control design, it is helpful to consider:

● Whether control objectives that are specific to the unique circumstances of the client have been considered for all relevant assertions for all significant accounts and disclosures

● Whether the control or combination of controls would – if operated as designed – meet the control objective

● Whether all controls necessary to meet the control objective are in place

When obtaining an understanding about the design of internal controls and determining whether those controls have been implemented, inquiry alone is not sufficient. Thus, for these purposes, the auditor should supplement inquiries with other risk assessment procedures. (AU-C 315.14)

NOTE: To evaluate the design and implementation of internal controls relevant to the audit, the auditor should perform procedures such as:

● Inquiry

● Observation

● Inspection of documentation

● Walk-throughs – tracing transactions through the information systems

(AU-C 315.A76)

Distinguishing between Evaluation of Design and Tests of Controls

Obtaining an understanding of the design and implementation of internal controls is different from testing their operating effectiveness.

Understanding the design and implementation is required on every audit as part of the process of assessing the risks of material misstatement.

Testing the operating effectiveness is necessary only when the auditor will rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures or when substantive procedures alone do not provide the auditor with sufficient audit evidence at the assertion level.

The procedures necessary to understand the design and implementation of controls do provide some limited evidence regarding the operation of the controls. However, the procedures necessary to understand the design and implementation of controls generally are not sufficient to serve as a test of their operating effectiveness for the purpose of placing significant reliance on their operation.

Examples of situations where the procedures the auditor performs to understand the design and implementation of controls may provide sufficient audit evidence about their operating effectiveness include:

● Controls that are automated to the degree that they can be performed consistently provided that general information technology (IT) controls over those automated controls operate effectively during the period.

● Controls that operate only at a point in time rather than continuously throughout the period. For example, if the client performs an annual physical inventory count, the auditor's observation of that count and other procedures to evaluate its design and implementation provide audit evidence that may affect the design of the auditor's substantive procedures.

The required understanding of internal control must include all five components of internal control:

1. The control environment,

2. Risk assessment,

3. Information and communication,

4. Control activities, and

5. Monitoring.

(AU-C 315.A57)

These components may operate at the entity level or the individual transaction level. Obtaining an appropriate understanding of internal control requires the auditor to understand and evaluate the design of all five components of internal control and to determine whether the controls are in use by the client.

Control Environment

The auditor should obtain a sufficient knowledge of the control environment to understand management's and the board of directors' attitudes, awareness, and actions concerning the environment. (AU-C 315.15) Control environment factors include:

1. Communication and enforcement of integrity and ethical values

2. Commitment to competence

3. Participation by those charged with governance

4. Management's philosophy and operating style

5. Organizational structure

6. Assignment of authority and responsibility

7. Human resource policies and practices

(AU-C 315.A79)

NOTE: The auditor should concentrate on the substance of controls (established and acted upon), not their form.

Risk Assessment

The auditor should obtain an understanding of the entity's procedures for business risk, specifically:

● Identifying the risks

● Estimating significance

● Assessing the likelihood of occurrence

● Deciding on an action plan to address the risk

(AU-C 315.16)

Risks can occur because of the following:

1. Changes in operating environment

2. New personnel

3. New or revamped information systems

4. Rapid growth

5. New technology

6. New business models, products, or activities

7. Corporate restructurings

8. Expanded foreign operations

9. New accounting pronouncements

10. Changes in economic conditions

(AU-C 315.A90)

NOTE: The auditor's assessment of inherent and control risks is a separate consideration and not part of the entity's risk assessment.

Information and Communication

The auditor should obtain sufficient knowledge of the accounting information system to understand:

1. The classes of transactions that are significant to the financial statements

2. The procedures, both automated and manual, by which those transactions are initiated, recorded, processed, and reported from their occurrence to inclusion in the financial statements

3. The related accounting records, whether electronic or manual, supporting information, and specific accounts involved in initiating, recording, processing, and reporting transactions

4. How the information system captures other events and conditions that are significant to the financial statements

5. The financial reporting process

6. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments

(AU-C 315.19)

The auditor should understand the automated and manual procedures used to prepare financial statements and related disclosures, and how misstatements may occur. Such procedures include:

1. The procedures used to enter transaction totals into the general ledger

NOTE: The auditor should be aware that when information technology (IT) is used to automatically transfer information from transaction processing systems to general ledger or financial reporting systems, there may be little or no visible evidence of intervention in the information systems (e.g., an individual may inappropriately override automated processes by changing the amounts being automatically passed to the general ledger or financial reporting system).

2. The procedures used to initiate, record, and process standard (e.g., monthly sales and purchase transactions) and nonstandard (e.g., business combinations or disposals, or a nonrecurring accounting estimate) journal entries in the general ledger

NOTE: Auditors should be aware that:

● When IT is used to maintain the general ledger and prepare financial statements, such nonstandard entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents.

● Financial statement misstatements are often perpetrated by using nonstandard entries to record fictitious transactions or other events and circumstances, particularly near the end of the reporting period.

3. Other procedures used to record recurring and nonrecurring adjustments (e.g., consolidating adjustments and reclassifications that are not made by formal journal entries)

The auditor should also obtain sufficient knowledge of the means the entity uses to communicate financial reporting roles and responsibilities and significant matters about financial reporting. (AU-C 315.20)

Control Activities

The auditor should obtain an understanding of those control activities that are relevant to the audit. (AU-C 315.21) Control activities are relevant to the audit if they are related to significant risks, as discussed later in this section. Examples of specific control activities include:

1. Authorization

2. Performance reviews

3. Information processing

4. Physical controls

5. Segregation of duties (e.g., assigning different people the responsibility for authorizing transactions, recording transactions, and maintaining custody of assets)

(AU-C 315.A99)

The auditor should also obtain an understanding of the process of reconciling detail to the general ledger for significant accounts. (AU-C 315.21)

Monitoring

The auditor should obtain sufficient knowledge of the major types of activities that the entity uses to monitor internal control over financial reporting, including the internal audit function – how it works, its responsibilities, and how it fits into the organization. (Section 610)

NOTE: Section 315 requires the auditor to gain an understanding of some controls that previously did not have to be addressed, including the following:

● How the incorrect processing of significant transactions is resolved

● The process of reconciling detail to the general ledger for significant accounts

● Control activities related to “significant risks,” as defined in the standard

Assessing the Risk of Material Misstatement

The auditor's understanding of the entity and its environment – which includes an evaluation of the design and implementation of internal control – is used to assess the risk of material misstatement. To assess the risk of material misstatement, the auditor should:

1. Identify risks throughout the process of obtaining an understanding of the entity, its internal control, and its environment.

2. Relate the identified risks to what can go wrong at the relevant assertion level.

3. Consider whether the risks could result in a material misstatement to the financial statements.

4. Consider the likelihood that the risks could result in a material misstatement of the financial statements.

(AU-C 315.27)

Financial-statement-level and assertion-level risks. The auditor should identify and assess the risks of material misstatement at both the financial statement level and the relevant assertion level. (AU-C 315.26)

1. Financial-statement-level risks. Some risks of material misstatement relate pervasively to the financial statements taken as a whole and potentially affect many relevant assertions. These risks at the financial statement level may be identifiable with specific assertions at the class of transaction, account balance, or disclosure level. (AU-C 315.122)

2. Assertion-level risks. Other risks of material misstatement relate to specific classes of transactions, account balances, and disclosures at the assertion level. The auditor's assessment of risks at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures. (AU-C 315.A126)

Risks that exist at the financial statement level – for example, those that pertain to a weak control environment or to management's process for making significant accounting estimates – should be related to specific assertions. In other instances, it may not be possible to relate financial-statement-level risks to a particular assertion or group of assertions. (AU-C 315.A123-.A124) Financial-statement-level risks that cannot be related to specific assertions will require an overall response, such as the way in which the audit is staffed or supervised. Section 330 provides additional guidance on the auditor's overall responses to financial-statement-level risks.

How to consider internal control when assessing risks. When making risk assessments, the auditor should identify the controls that are likely to either prevent or detect and correct material misstatements in specific assertions.

Individual controls often do not address a risk completely in themselves. Often, only multiple control activities, together with other components of internal control (for example, the control environment, risk assessment, information and communication, or monitoring), will be sufficient to address a risk. For this reason, when determining whether identified controls are likely to prevent or detect and correct material misstatements, the auditor generally considers controls in relation to significant transactions and accounting processes (for example, sales, cash receipts, or payroll), rather than ledger accounts.

