From RiskWiki



In auditing, preparation of the testing program relates to the two areas of audit risk that arise because a 100% check cannot be undertaken. These risks are:

  • material errors can occur because a control objective has not been achieved
  • material errors can occur and remain undetected

For the first area of audit risk, it will be necessary to test, by means of compliance testing, those controls upon which reliance has been placed, and to analyse, by means of risk analysis, those controls which have not been met.

The second part of audit risk will be minimised by the use of substantive testing.

Risk Assessment

The Risk Assessment evaluates the system design focussing on the designed-in controls and the degree to which each assertion is sustainable. The manual identifies two sources of risk:

1. Where the control is absent
2. Where the control is present but not adequate.

Where the design appears to support the assertion, a control point is identified.

The collection and interaction of these control points creates the control system.

In RIAM this risk assessment step is called Systems Evaluation or Analysis, to distinguish it from the higher level Risk assessment (of auditable areas) performed during planning and the lower level risk analysis captured by Audit Risk.

Audit Risk, Inherent, Control and Detection Risks.

[Figure: Inherent, Control and Detection Risk Filter]

The US Statement of Auditing Standard (SAS) 47 (AU 312) defines audit risk as the risk that the "auditor may unknowingly fail to modify his/her opinion on financial statements that are materially misstated." A later US pronouncement SAS 55 (AU 319) states "The risk of material misstatement in financial statement assertions consist of inherent risk, control risk, and detection risk." Because the scope of internal auditing is greater than that of external auditing, the overall audit risk extends not only to financial statements but also to unwitting failure to uncover material errors or weaknesses in the section/department audited.

[Figure: Inherent Control Risk Matrix]

Therefore, the definitions below, taken from SAS 55, are applicable to both external and internal auditing:

  • Inherent risk is the susceptibility of an assertion to a material misstatement assuming there are no related internal control structure policies and procedures.
  • Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control structure policies or procedures.
  • Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.

Calculating and Ranking Risk - Using Weights and Questionnaires

The measurement of risk may follow any one of a number of methods. A good planning strategy is largely independent of the method of risk assessment adopted. The ranking criteria adopted are significant to the ordering/prioritising of tasks and should be the result of discussions with management.

The primary restriction to risk analysis reflected in the proposed approach is the assumption that risks may be separated into:

1. Inherent Risks
2. Control Risks
3. Detection Risks

Using Audit (or Assertion) Risk to determine acceptable detection risk and in turn affect sample sizes.

Recall the Audit Risk formula:

<math>AR = IR \times CR \times DR</math>

Given the Audit Risk, we can determine the detection risk:

<math>DR = \frac{AR}{IR \times CR}</math>

Assessing the control risk at something less than 100% requires us to:

  • identify the policies and procedures that are likely to be relevant to the particular assertion being examined, that are likely to prevent or detect misstatements; and
  • test controls to evaluate effectiveness.

This testing may be done with a preliminary compliance test to establish the expected error levels.

The lower the level of control risk, the more assurance the audit evidence must provide that policies and procedures appropriate to the particular assertion are effective.

The assessment of overall system audit risk is used in at least two ways:

  • To set the materiality at which a misstatement in financial data is considered significant; and
  • To set the detection risk using the above formula.

The audit risk can therefore be set to a level reflecting "the risk of misstatement (or the risk of incorrect acceptance)". This would ordinarily be something less than 5%. If we have estimated the inherent risk and control risk, we can determine the acceptable level of detection risk:

<math>DR = \frac{AR}{IR \times CR}</math>

<math>DR = \frac{5\%}{50\% \times 30\%}</math>

<math>DR = 33\tfrac{1}{3}\%</math>

Theoretically, the acceptable level of detection risk goes to establishing the required confidence level in sample sizes. The lower the acceptable level of detection risk, the greater the assurance that must be provided by substantive tests. The level of assurance required influences the extent of substantive tests and the sample sizes.

Sensitivity Analysis

Sensitivity Analysis is used to test the behaviour of a particular model to changing conditions. It is concerned with how the model solution changes as a result of changes in the problem parameters. Model parameters are generally not known with certainty because there is usually some degree of uncertainty in the real world. Therefore it is often advantageous to know how changes in the parameters change the optimal solution.

In formulating and solving linear programming problems, certain initial assumptions are made that all values of the coefficients are derived from the analysis of data and that they represent average values or best estimate values. Accordingly it is important to analyse the sensitivity of the solution to variations in those coefficients or in the estimates of the coefficients.

If a given solution is not sensitive to changes in the parameters, then the solution is considered more reliable than that in a highly sensitive situation. Given an optimum solution that is relatively sensitive, special attention should be given to forecasting future parameter values. On the other hand, an optimum solution with little sensitivity to change does not merit the effort and resources necessary to estimate the values of the parameters more accurately.

Given that many decision problems utilise estimated parameter values in formulating a model, sensitivity analysis becomes an integral part of decision analysis.

In the earlier example of planning using risk ranking techniques, we observed that subjectivity was present both in the scores chosen and the relative weightings of the variables. In that model we used rules for awarding scores to minimise subjectivity and provide a more rigorously verifiable result. We did not, however, have a method to establish the weights for the scored variables.

The weights are exactly like the coefficients of the linear programming problem mentioned above. Sensitivity analysis therefore provides us with a way to establish the overall "risk" of the planning model in terms of the degree of sensitivity.

We can measure the sensitivity by determining by how much each weight would have to vary (holding scores constant) before the priority ranking changed significantly. The analysis will highlight those weightings which are particularly significant to the final result. The greater the consistency of scores that a particular section receives across all the variables, the less sensitive will be its score to changes in the weights of the variables.
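As an added illustration (not part of the original page), the Python code below carries out this measurement on a small weighted-score planning model: for each weight it finds the smallest change, with scores held constant, at which two auditable areas tie and the priority ranking is about to change. The area names, variable names, weights and scores are constructed sample data, and the linear weighted-sum scoring is an assumption about the planning model.

```python
from fractions import Fraction
from itertools import combinations

# Constructed planning model: integer weights (percent) and 1-5 scores.
# Variable and area names are hypothetical, not taken from the page.
WEIGHTS = {"materiality": 50, "complexity": 30, "last_audit": 20}
SCORES = {
    "Payroll":    {"materiality": 4, "complexity": 4, "last_audit": 4},
    "Purchasing": {"materiality": 5, "complexity": 2, "last_audit": 3},
    "Treasury":   {"materiality": 2, "complexity": 5, "last_audit": 5},
}

def totals(scores, weights):
    """Weighted risk score per area: sum of weight * score."""
    return {a: sum(weights[v] * s[v] for v in weights) for a, s in scores.items()}

def ranking(scores, weights):
    """Areas ordered from highest to lowest weighted score."""
    t = totals(scores, weights)
    return sorted(t, key=lambda a: (-t[a], a))

def break_even(scores, weights, var):
    """Smallest change to weights[var], scores held constant, at which two
    areas tie and the priority order is about to change.
    Returns (delta, higher_area, lower_area), or None if changing this
    weight alone (kept non-negative) can never reorder the areas."""
    t = totals(scores, weights)
    best = None
    for hi, lo in combinations(ranking(scores, weights), 2):
        diff = scores[lo][var] - scores[hi][var]
        if diff == 0:
            continue  # same score on this variable: its weight cannot reorder them
        delta = Fraction(t[hi] - t[lo], diff)
        if weights[var] + delta < 0:
            continue  # the tie would need a negative weight
        if best is None or abs(delta) < abs(best[0]):
            best = (delta, hi, lo)
    return best

def sensitivity(scores, weights):
    """Weights ordered from most to least sensitive (smallest break-even first)."""
    found = {v: break_even(scores, weights, v) for v in weights}
    return sorted((v for v in found if found[v]), key=lambda v: abs(found[v][0]))

if __name__ == "__main__":
    print("ranking:", ranking(SCORES, WEIGHTS))
    for v in sensitivity(SCORES, WEIGHTS):
        delta, hi, lo = break_even(SCORES, WEIGHTS, v)
        print(f"{v}: change of {float(delta):+.2f} points ties {hi} with {lo}")
```

In this sample, every weight's closest tie is between Purchasing and Treasury, whose scores vary widely across the variables; Payroll, scored 4 on every variable, needs a change of at least 15 points in any single weight before it ties with another area.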

Compliance Testing

The performance of (and compliance with) the control points is tested by compliance testing, that is, testing compliance of the system operation with the system's controls. Generally, we do not test all control points. Rather, we test only those controls that are defined as "Key Controls".

The breaching of a key control will cause a violation of an audit assertion for the whole system. That is why they are key controls! For example, failing to authorise a purchase order before processing might cause a violation of the "All payments are for authorised transactions and services" assertion.

Where tests involve manual steps (i.e. not solely on the computer using CAATs), generally compliance tests use attribute sampling to determine the sample sizes.

Substantive Testing

Substantive testing focuses on balances, with the purpose of detecting and measuring error values and error rates. The substantive procedures might include:

  • Sampling invoices and checking the arithmetic, tracing the invoice to the purchase order, payment and into the ledger - comparing the balances at each point.

To distinguish this from compliance testing, the equivalent compliance test might simply verify that the invoice is initialled as having been checked, verified and posted.

Substantive testing includes Analytical Review which is covered in detail in the next section.