Question

1 a) What is acceptable audit risk, and how may this risk affect the scope of the auditors’ work?

B) What is an engagement letter? Is there any similarity between the engagement letter and the standard unmodified audit report? Please explain.

C) When may an auditor seek the help of an outside specialist, and what responsibility the auditor maintains if he/she uses such help?

D )Please write out the Audit Risk model equation for planning and explain it.

E) The COSO Framework described five components of internal control that management designs and implements to provide reasonable assurance that its control objectives will be met. Please list and explain these.

F)What are tests of controls, and what are the procedures for test of controls?

What is an AUDIT PROGRAM? What is the main purpose of using an audit program in auditing?

Answer 1

A. Acceptable Audit Risk:

As the name suggests, acceptable risk is that percentage of misstatement in the financial statements or any documents under audit, that the auditor is ready to accept. In other words, it is the measure at which the auditor is willing to accept that the financial statements or the subject matter of audit may be materially misstated during or after the audit is completed.

Affect on scope of audit:

The higher the risk of acceptance, the lower is the certainty of misstatement of financial statements, and vice-versa. In other words, when the auditors acceptance of risk level is low, he will be more certain that the financial statements are free from misstatements, as more misstatements will not be accepted by the auditor.

B. Engagement Letter and standard unmodified audit report:

Engagement letter is a kind of agreement between the auditor and the client, which includes the terms & conditions of the audit. It is an arrangement that an auditor has with a client to performan audit of client's books of accounts and the financial statements. It includes, the objective and scope of audit, the reponsibilities of the auditor and the management (client), etc.

Unmodified audit report is a kind of audit report where the auditor expresses an unmodified opinion stating that the financial statements are prepared, in all material respects, in accordance with the financial reporting framework.

There are no such similarities between an engagement letter and unmodified audit report. Engagement letter is an agreement done before start of audit, and the audit report is given after the audit is completed. Engagement letter is an agreement between the auditor and the client, whereas audit report is the report that an auditor gives on the basis of his audit of financial statements. However, both engagement letter and audit report, do state the responsibilities of auditor and the management, and the Independence to be maintained by the auditor while performing the audit.

C. Seeking the help of an outside specialist:

Auditor is not expected to be an expertise in all fields or subjects. He is a specialist in Auditing, Taxation and accounting matters. However, there will be situations where the auditor might have to look into different fields or subjects in order to obtain sufficient audit evidence. In such situation, where in expertise in a different subject or field other than in which the auditor is an expert is necessary, he / she shall determine seeking the help of specialist in such subject or field.

Responsibilities of the auditor in such a situation:

• The auditor should consider the the professional qualifications of the specialist in determining whether the specialist possesses the necessary skill or knowledge in the particular field or subject. This can be done by checking the certification, licence or any such documentation, the reputation and the experience of the specialist, etc.
• The auditor should obtain an understanding of the nature of the work performed or to be performed by the specialist.
• The auditor should evaluate the relationship of the specialist to the client, including circumstances that might impair the specialist's objectivity. When a specialist does not have a relationship with the client, the specialist's work usually will provide the auditor with greater assurance of reliability.  
• The auditor should enter into an agreement with the specialist in writing.
• The auditor should (a) obtain an understanding of the methods and assumptions used by the specialist, (b) make appropriate tests of data provided to the specialist, taking into account the auditor's assessment of control risk, and (c) evaluate whether the specialist's findings support the related assertions in the financial statements.
• If the auditor determines that the specialist's findings support the related assertions in the financial statements, he or she reasonably may conclude that sufficient appropriate evidential matter has been obtained. If there is a material difference between the specialist's findings and the assertions in the financial statements, he or she should apply additional procedures. If after applying any additional procedures that might be appropriate the auditor is unable to resolve the matter, the auditor should obtain the opinion of another specialist, unless it appears to the auditor that the matter cannot be resolved.

D. Audit Risk Model:

Audit risk is the risk that the auditor will express an inappropriate audit opinion on financial statements that contain material misstatements.

The formula for determining the level of risk associated with a given audit is as follows:

Detection Risk = Audit Risk / (Inherent Risk x Control Risk)

DR = AR / (IR x CR)

In other words, AR = IR x CR x DR (audit risk is the product of Inherent Risk, Control Risk and Detection Risk)

Detection risk is the risk that the auditor will not detect a material misstatement during the course of audit.

Inherent risk (IR) is the susceptibility of having a material misstatement, assuming there were no Internal Controls.

Control risk (CR) is the risk that the material misstatement will not be prevented or detected and corrected on a timely basis by the internal control system.

• Management often reacts ro inherent risk situations by improving its internal control systems, and reduces the risk of control too. Hence we can say that in most of the cases, IR and CR are inter-related.
• DR has an inverse relation with the product of IR and CR.
• When IR and CR are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level, and vice-versa.
• Audit risk and detection risk are related to the auditor, while inherent and control risk are independent of the auditor (they exist within the client, regardless of an audit). According to the audit/detection risk that the auditor decides, the audit procedures are designed accordingly.
• Hence, in order to ascertain the audit risk, the auditor should take into account, the combined level of inherent risk, control risk and detection risk.

E. Five components of Internal control as described by COSO framework:

The five components described by COSO Framework are control environment, risk assessment, information and communication, monitoring activities, and existing control activities (CRIME). They are explained as follows:

1. Control Environment: How has management put into place policies and procedures that guide the organization? What kind of tone has management set in the organization so that everyone knows that they are supposed to make sure that the controls are operating effectively and are achieving the results that are expected?
2. Risk Assessment: How does the organization assess risk in order to identify the things that threaten the achievement of their objectives?
3. Information and Communication: How does management communicate to their internal and external users what is expected of them? How do they make sure that they receive acknowledgement from those people that they understood what they are asking them to do?
4. Monitoring Activities: How does management oversee the functioning of the entire organization? How does it identify when things aren’t working correctly and correct those deficiencies as quickly as possible?
5. Existing Control Activities: What are the controls that are currently in place? Were they in place and operating effectively over a period of time?

F. Test of Controls:

A test of controls is an audit procedure to test the effectiveness of a control used by a client entity, to prevent or detect material misstatements. Depending on the results of this test, auditors may choose to rely upon a client's system of controls as part of their audit. However, if the test reveals that controls are weak, the auditors will enhance their use of substantive testing, which usually increases the cost of an audit.

The procedures vary from auditor to auditor depending on the control that they want to review. The following are general procedures of tests of controls:

• Observation: Auditors may observe a business process in action, and in particular the control elements of the process. Say for example, observe the inventories count at the year-end to ensure that the count has really existed and the procedures during the count are proper.
• Inspection: Auditors may examine business documents for approval signatures, stamps, or review check marks, which indicate that controls have been performed. For example, invoices and goods receive noted.
• Reperformance. Auditors may initiate a new transaction, to see which controls are used by the client and the effectiveness of those controls. For example, re-perform the monthly bank reconciliation.
• Re-calculation: Auditors may check the calculation accuracy by recalculating the computations done by the client. For example, Re-calculate the monthly depreciation that performs by clients.
• Confirmation: The auditor performs the confirmation to test the existence of account receivables, bank accounts, account payables, or loan balance. For example: optain confirmation from Banks regarding the existence of Bank account and the balance in it.

F. Audit Program:

An audit program is a detailed plan of work, prepared by the auditor for carrying out the audit. It is comprised of a set of techniques and procedures, which the auditor plans to apply in the given audit for forming an opinion about the client's statement of accounts. It provides a basis for the supervision and control of the audit work. It may also contain the audit objectives for each audit step.

The main purpose of the audit program is to serve in detail the set of instructions to the audit team, the pattern and flow of audit work, and to complete the audit in a smooth and planned manner. It helps the auditor to devote appropriate attention to important areas of the audit, identify and resolve potential problems on a timely basis. A well organised and programmed audit is always more effective and efficient than unplanned / unprogrammed audits.