In: Accounting
The BakFirn Corporation, a publicly traded firm, has contracted with YOUCPA, your public accounting firm, for an audit. The BakFirn Corporation manufactures specialty construction tools. The tools are used in the unique construction of homes, warehouses, and multiunit dwellings. The prices range from $1,000 to $5,000 per unit.
During the audit, the audit team has determined the risk assessment of the client. Consequently, the audit has to respond to the assessed risks of material misstatement at the financial statement and assertion levels. The YOUCPA audit team has asked you, the auditor, to prepare a list of actions that you will take to assess the audit risk.
The following information is available in the year just finished:
Questions: Audit Assessment Steps:
The risk of material misstatement is the risk that the financial statements of an organization have been misstated to a material degree. This risk is assessed by auditors at the following two levels:
At the assertion level. This is further subdivided into inherent risk and control risk. Inherent risk is the susceptibility of an assertion to misstatement because of error or fraud, before considering controls. Control risk is the risk of misstatement that will not be prevented or detected by a reporting entity's internal controls.
At the financial statement level. Relates to the financial statements as a whole. This risk is more likely when there is a possibility of fraud.
So the “assertion level” is the level at which statements are presented as completely true. E.G. Management tells the auditor the financial statements show a true valuation of inventory – management are formally “asserting” this statement as being correct, so we call this at the “assertion level
For example, an ineffective control environment, a lack of sufficient capital to continue operations, and declining conditions affecting the company's industry might create pressures or opportunities for management to manipulate the financial statements, leading to higher risk of material misstatement.
Before discussing how auditors should assess the risk of material misstatement, it is important to consider what is meant by 'misstatement'. The term 'misstatement' is not defined in ISA 315, but in ISA 450, Evaluation of Misstatements Identified During the Audit, which contains this definition: 'a difference between the amount, classification, presentation or disclosure of a reported financial statement item and the amount, classification, presentation or disclosure that is required for the item to be in accordance with the applicable financial reporting framework.
Misstatements can arise from fraud or error.' In other words, a misstatement arises where there is a difference between the reported figures, and what is expected to be reported in order for the financial statements to be fairly presented (or show a true and fair view). Misstatements can be factual, in the case of a clear breach of a requirement of a financial reporting standard, or could be judgmental, arising from unsuitable estimation techniques or the selection of inappropriate accounting policies.
Obtaining and documenting an understanding of the entity
Without an in-depth understanding of the audited entity, it is impossible to properly assess the risk of material misstatement. ISA 315 requires that the auditor obtains an understanding relating to five aspects of the audited entity:
relevant industry, regulatory and other external factors including the applicable financial reporting framework(IFRS OR National Standards)
the nature of the entity including its operations, its ownership and governance structures, the types of investments it makes, and the way the entity is structured and financed
the entity's selection and application of accounting policies
the entity's objectives and strategies, and business risks that may result in risks of material misstatement, and
the measurement and review of the entity's financial performance. (ISA 315.11)
The requirement to obtain knowledge of the entity's objectives, strategies and business risks is a crucial step in audit planning. This is because according to the application guidance of ISA 315, 'business risk is broader than the risk of material misstatement, though it includes the latter'. (ISA 315.A30) Therefore, to successfully identify risks of material misstatement, the auditor should use a business risk approach.
A simple example is that a company may face a business risk such as a fall in demand for its products. The associated risk of material misstatement lies in the valuation of inventory therefore there is a risk of misstatement at the assertion level. However, the fall in demand could also have a longer-term impact on the company's going concern status, leading to a potential risk of misstatement at the financial statement level. Appendix 2 of ISA 315 contains a useful list of examples of conditions and events that may indicate risks of material misstatement.
Conditions and Events That May Indicate Risks of Material Misstatement
The following are examples of conditions and events that may indicate the existence of risks of material misstatement.
The examples provided cover a broad range of conditions and events; however, not all conditions and events are relevant to every audit engagement and the list of examples is not necessarily complete
. • Operations in regions that are economically unstable, for example, countries with significant currency devaluation or highly inflationary economies. • Operations exposed to volatile markets, for example, futures trading. • Operations that are subject to a high degree of complex regulation. • Going concern and liquidity issues including loss of significant customers. • Constraints on the availability of capital and credit. • Changes in the industry in which the entity operates. • Changes in the supply chain. • Developing or offering new products or services, or moving into new lines of business. • Expanding into new locations. • Changes in the entity such as large acquisitions or reorganizations or other unusual events. • Entities or business segments likely to be sold. • The existence of complex alliances and joint ventures. • Use of off balance sheet finance, special-purpose entities, and other complex financing arrangements. • Significant transactions with related parties. • Lack of personnel with appropriate accounting and financial reporting skills. • Changes in key personnel including departure of key executives. • Deficiencies in internal control, especially those not addressed by management. • Inconsistencies between the entity’s IT strategy and its business strategies. • Changes in the IT environment. Installation of significant new IT systems related to financial reporting. • Inquiries into the entity’s operations or financial results by regulatory or government bodies. • Past misstatements, history of errors or a significant amount of adjustments at period end. • Significant amount of non-routine or non-systematic transactions including intercompany transactions and large revenue transactions at period end. • Transactions that are recorded based on management’s intent, for example, debt refinancing, assets to be sold and classification of marketable securities. • Application of new accounting pronouncements. • Accounting measurements that involve complex processes. • Events or transactions that involve significant measurement uncertainty, including accounting estimates. • Pending litigation and contingent liabilities, for example, sales warranties, financial guarantees and environmental remediation.
Internal Control
It is a specific requirement of ISA
315 that the auditor obtains an understanding of the internal
control relevant to the audit. This is a crucial step in assessing
the risk of material misstatement, as one of the components of audit risk is
control risk, defined as the risk that a misstatement that could
occur will not be prevented, or detected and corrected, on a timely
basis by the entity's internal control.
Internal control has five components, each of which must be
understood and documented by the auditor:
the control environment
the entity's risk assessment procedure
the information system, including the related business processes, relevant to financial reporting and communication
control activities, and
monitoring of controls.
It is tempting to think that in a simple system operating in a small company there is little risk of material misstatement, but of course there are specific risks associated with this type of company, especially the risks posed by opportunities for management override, and the limited scope for segregation of duty and authorisation controls. In a smaller company, the extent and nature of management's involvement in internal control is likely to be a key aspect in the documentation of internal control.
. Most large organisations will have an internal risk management function, the effectiveness of which may be assessed by the auditor.
Smaller entities will not have such a function, and risk assessment will be performed in an ad-hoc manner by the company's owners and/or managers. In this case, it is required that the auditor discusses with management whether business risks relevant to financial reporting have been identified and addressed, and should then consider whether this represents a significant deficiency in internal control. (ISA 315.17)
Assessing the risks of material misstatement
Having obtained and documented an
understanding of the entity including its internal control, the
auditor is now in a position to identify and assess the risks of
material misstatement, which should be done at the financial
statement level, and at the assertion level for classes of
transactions, account balances and disclosures. The point of the
risk assessment is to provide a basis for designing and performing
further audit procedures.
Risk assessment procedures should
include inquiries of management and other relevant individuals,
analytical procedures, observation and enquiry. (ISA
315.6)
An important part of assessing the risk of material misstatement is that the risks identified should be prioritised. This is because ISA 315 determines that risks which are identified as being significant risks require special audit consideration. It is a matter of judgment as to whether a risk constitutes a significant risk, and matters such as the complexity of the transaction, whether there is a risk of fraud, the involvement of related parties, and whether the transaction is outside the normal course of business should be considered. (ISA 315)
It is further required that where a significant risk is identified, the relevant controls, including control activities should be understood. (ISA 330, The Auditor's Responses to Identified Risks) then deals with the action that should be taken in obtaining evidence in relation to significant risks. If the auditor plans to rely on controls over a significant risk, the controls must be tested in the current period, and substantive procedures should be performed in response to significant risks at the assertion level.)
Continual revision of risk assessment
The risk assessment outlined above takes place in the planning phase of the audit. Of course, as the audit progresses, further information may come to light which provides additional insight into the company's operations and internal control. It may therefore be necessary to revise the original risk assessment, and modify the planned audit procedures in response to new or amended risks identified.
Conclusion
Auditor's should not underestimate the importance of ISA 315, as its requirements relating to risk assessment help to ensure that audits are responsive to individual audit clients' circumstances, and when applied properly should help to reduce audit risk. Though the requirements of the ISA can seem onerous, careful application of the standard and appropriate use of auditor's judgment should mean that compliance with documentation requirements is relatively straightforward.
Audit Procedures Responsive to the Assessed Risks of Material Misstatement at the Assertion Level
(INTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR’S RESPONSES TO ASSESSED RISKS)
The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.
. In designing the further audit procedures to be performed, the auditor shall:
(a) Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure, including:
(i) The likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (that is, the inherent risk); and
(ii) Whether the risk assessment takes account of relevant controls (that is, the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and
(b) Obtain more persuasive audit evidence the higher the auditor’s assessment of risk. (Ref: Para. A19)
Tests of Controls.
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
9. In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the greater the reliance the auditor places on the effectiveness of a control.
Nature and Extent of Tests of Controls
10. In designing and performing tests of controls, the auditor shall:
(a) Perform other audit procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period under audit;
(ii) The consistency with which they were applied; and
(iii) By whom or by what means they were applied. THE AUDITOR’S RESPONSES TO ASSESSED RISKS 325 ISA 330 AUDITING
(b) Determine whether the controls to be tested depend upon other controls (indirect controls), and, if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls.
Timing of Tests of Controls .
The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls, in order to provide an appropriate basis for the auditor’s intended reliance.
Using audit evidence obtained during an interim period
If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall:
(a) Obtain audit evidence about significant changes to those controls subsequent to the interim period; and
(b) Determine the additional audit evidence to be obtained for the remaining period.
Using audit evidence obtained in previous audits .
In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following:
(a) The effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls, and the entity’s risk assessment process;
(b) The risks arising from the characteristics of the control, including whether it is manual or automated; (c) The effectiveness of general IT controls;
(d) The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there have been personnel changes that significantly affect the application of the control;
(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and (f) The risks of material misstatement and the extent of reliance on the control.
. If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing inquiry combined with observation or inspection, to confirm the understanding of those specific controls, and:
(a) If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit.
(b) If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods. (Ref: Para. A37–A39)
Controls over significant risks .
If the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those controls in the current period.
Evaluating the Operating Effectiveness of Controls
When evaluating the operating effectiveness of relevant controls, the auditor shall evaluate whether misstatements that have been detected by substantive procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit evidence that controls related to the assertion being tested are effective.
17. If deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific inquiries to understand these matters and their potential consequences, and shall determine whether:
(a) The tests of controls that have been performed provide an appropriate basis for reliance on the controls
(b) Additional tests of controls are necessary; or
(c) The potential risks of misstatement need to be addressed using substantive procedures.
Substantive Procedures
Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure.
. The auditor shall consider whether external confirmation procedures are to be performed as substantive audit procedures.
Substantive Procedures Related to the Financial Statement Closing Process
The auditor’s substantive procedures shall include the following audit procedures related to the financial statement closing process:
(a) Agreeing or reconciling the financial statements with the underlying accounting records; and
(b) Examining material journal entries and other adjustments made during the course of preparing the financial statements.
Substantive Procedures Responsive to Significant Risks
. If the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor shall perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists only of substantive procedures, those procedures shall include tests of details.
Timing of Substantive Procedures
If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by performing:
(a) substantive procedures, combined with tests of controls for the intervening period; or
(b) if the auditor determines that it is sufficient, further substantive procedures only, that provide a reasonable basis for extending the audit conclusions from the interim date to the period end.
If misstatements that the auditor did not expect when assessing the risks of material misstatement are detected at an interim date, the auditor shall evaluate whether the related assessment of risk and the planned nature, timing or extent of substantive procedures covering the remaining period need to be modified.
In regards to The BakFirn Corporation, a publicly traded firm , Company is at High Risk,
There are various factors as mentioned below reflects company is at High Risk
1)The Overall Industry is in Downturn since past 3 year and continue to be in future for more 2 years due to this, it will effect industry suppling tools to construction industry due to this have a effect on going concern basis.
2) The Management is not providing correct reason/information for change in Previous Auditor , this effect reliability/credential of Management providing information and documents to Auditor.
3)Days Sales Outsatnding (DSO) has increased to 90-120 days from 80-90 days due to Debtors turnover Increases and it will effect Cash flow of Company and also effect working capital and liquidity of company.
4)Since Inventory and Accounts receivable consists of 80% of total Assets and Audit team has defined materiality to be focused on account receivable and inventory with $3,000 being the initial threshold.
There is an Increase in Accounts receivable and Inventory Ratio.also
5)Due to Blocking of working capital, company is not in a position to bear the cost of internal Audit.
Due to above factors it can be mentioned company is at high risk and requires more control on receivable and Inventory