Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood

Чтение книги онлайн.

Читать онлайн книгу Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood страница 56

Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood

Скачать книгу

The Economy

       The Client’s Industry

       The Client’s Business: New Client

       The Client’s Business: Continuing Client

       Using a Risk-Based, Top-Down Approach to Evaluate Internal Control

       Effect of IT on Internal Control

       AU-C 315 Illustrations

      SCOPE

      AU-C 315 provides guidance for the auditor to identify and assess the risks of material misstatements. The auditor does this by achieving an understanding the entity and its environment, including internal control. (AU-C 315.01)

      TECHNICAL ALERT

      Through the AICPA’s initiative on Enhancing Audit Quality (EAQ), data surfaced that indicated firms often fail to perform appropriate risk assessments and link those risk assessments to their audit procedures in compliance with AU-C Section 315 and AU-C Section 330. As a result, the AICPA Peer Review Board has developed stronger, more precise guidance. The Peer Review Board in its September 2018 Alert, as clarified in October 2018, announced an updated focus on risk assessment documentation and a new section in the Peer Review Manual, Evaluation of Non-Compliance with the Risk Assessment Standards. This new guidance is effective for peer reviews scheduled from October 2018 through September 2021.1

       Failure to gain an understanding of internal control

       Improperly assessing control risk

       Insufficient risk assessment

       Failure to link procedures performed to the risk assessment

      Failure to Gain an Understanding of Internal Control

      According to the AICPA, 40% of identified issues related to failure to gain an understanding of internal control. Auditors must understand internal control in order to identify related risks and design proper responses. Auditors are reminded to:

       Consider what could go wrong in financial statement preparation,

       Identify the controls intended to mitigate identified risks, and

       Evaluate the likelihood those controls can prevent, detect, and correct material misstatements.

      Auditors are cautioned that it is incorrect to think that AU-C 315.14 does not apply to an engagement where the client has no controls. Similarly, auditors are reminded that even when they do not plan to rely on internal control, defaulting to setting control risk at the maximum level is not permitted.

      Improperly Assessing Control Risk

      Improperly assessing control risk as less than high without appropriately testing controls accounted for 13% of the violations. Auditors are reminded not to reduce control risk to less than high without appropriately testing the relevant controls. Reducing control risk to less than maximum can only be done if the auditors have tested controls and are comfortable relying on their operating effectiveness.

      Insufficient Risk Assessment

      This risk comprises 14% of identified issues related to risk assessment. Failure to assess risk can result in over-auditing or worse, a failure to obtain sufficient appropriate audit evidence. The alert reminds auditors that:

       Regardless of the nature and extent of substantive procedures, they must:Identify the client’s risk of material misstatement through an understanding of its internal control,Assess the risk of material misstatement, andDesign or select procedures in response to those risks.

       Failure to identify at least one significant risk is likely to mean the auditor has failed to comply with AU-C 315.28.Auditors are reminded of the presumption of fraud in revenue recognition and that should be treated as a significant risk. (AU-C 240.26–.27)

       They must identify risk at both the financial statement and relevant assertion levels (AU-C 315.26)

       It is not necessary to document the risk of material misstatement for every audit area. Some assertions are not relevant.

      Failure to Link Procedures Performed to the Risk Assessment

      Of the most common risk assessment violations, 24% related to not linking risk assessment to auditors’ responses. The Alert reminds auditors to be responsive to the financial statement and relevant assertion level risks and that the linkage is at the assertion, not account, level. The AICPA discovered that auditors are not designing procedures with regard to the results of their risk assessment. Therefore, the risk is not reduced to an appropriate level, and the standards are not complied with.

      DEFINITIONS OF TERMS

      Source: AU-C 315.04. For definitions related to this standard, see Appendix A, “Definitions of Terms”: Assertions, Business risk, Internal control, Relevant assertion, Risk assessment procedures, Significant risk.

      OBJECTIVE OF AU-C SECTION 315

      The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

      (AU-C Section 315.03)

      OVERVIEW

      The audit risk model describes audit risk as:

      AR = RMM × DR

      where AR is audit risk, RMM is the risk of material misstatement, and DR is detection risk. The risk of material misstatement is a combination of inherent and control risk. Although GAAS describes a combined risk assessment, the auditor may perform separate assessments

Скачать книгу