Risk-based approach to auditing

How do we actually deal with ISA 315 in practice?
by Henrik Nørgaard & Thomas Kühn
Structure of the Global Audit Methodology
September 2013
Page 2
Phase 1 – Planning and Risk Identification
Phase 1 – Planning and Risk Identification
P01 – P02
The first group of objectives represents
the procedures needed to start the
audit process for a recurring or a new
client, like understanding service
requirements, determining the project
scope, forming the engagement team,
and completing preliminary engagement
activities like considering the results of
our client acceptance/continuance
process and evaluating compliance with
ethical requirements, including
independence.
Phase 1 – Planning and Risk Identification
P03 – P06
The second group of objectives involves
developing our audit strategy by
understanding the business of the
client, determining the need for
specialized skills on the team,
understanding the entity-level controls
and performing initial risk analysis.
P03 – Understand the business
P03 – Understand the business
[Diagram: from understanding the business to our audit response]
Sources of understanding:
► P03_1 Nature of the entity and its environment
  ► Industry, legal and regulatory and other external factors
  ► Nature of the entity
  ► Accounting policies
  ► Objectives and strategies
  ► Measurement and review of financial performance
  ► Overall analytical procedures
► P03_2 Related party relationships and transactions
► P03_3 Status of management’s going concern assessment
► P03_4 Role of IT in the entity
► P03_5 Obtain understanding by review, inquiry, analytical procedures, observation and inspection
Box labels: Determine key influences on the entity; Risk factors; P03_6 and P03_7: Risks of material misstatement; P03_8: Risks to financial statements; S08: Our combined risk assessments; S11: Design and implement substantive procedures
Arrow labels: We identify; We determine; We relate; We make; We respond
P03 – Understand the business
The four types of risk
P03 – Understand the business
Determine significant risks
P04 – Determine the need for specialized
skills on the team
Determine the need for specialized skills on the team (P04)
As we obtain our understanding of the entity and the environment in which it
operates, we:
► Reassess the composition of the engagement team to confirm that the engagement team has the appropriate balance of skills, experience and competence
► Determine whether any additional expertise is needed beyond that possessed by the engagement team’s current members
We achieve this by:
► Determining whether we include EY professionals with specialized knowledge of IT, tax or the industry in which the entity operates as part of the engagement team to assist with the performance of the audit
► Determining whether to use the work of an expert in a field other than accounting or auditing as audit evidence. If so, we consider whether:
  ► The entity employs experts in this field, and whether we can use their work
  ► Management has engaged an expert to assist with a particular issue, and whether we can use the expert’s work
  ► To involve an expert employed by EY
  ► To involve an expert who is external to EY
► Determining whether legal counsel is regarded as management’s expert.
P05 – Understand entity-level controls
Understand entity-level controls (P05)
Our understanding of entity-level controls assists us in identifying and
assessing risks of material misstatement due to fraud or error, as well as
assisting us in determining the most appropriate audit strategy. We
achieve this by:
• Understanding entity-level controls
  ► Determining how to obtain an understanding of entity-level controls
  ► Determining the extent of understanding of entity-level controls and audit evidence
  ► Identifying and assessing risks of material misstatement
  ► Determining the effect on our audit strategy
  ► Obtaining audit evidence of the operation of the elements of components at the entity level
P05 – Understand entity-level controls
Components of internal control
P06 – Identify risks of material misstatement
due to fraud and determine responses
Phase 1 – Planning and Risk Identification
P07
This objective addresses concepts of
planning materiality (PM), tolerable
error (TE) and the SAD nominal
amount to identify misstatements to be
reported in the Summary of Audit
Differences (SAD).
P07 – Determine PM, TE and SAD nominal
amount
► We consider materiality at two levels:
  ► At the overall level, as it relates to the financial statements taken as a whole → PM
  ► At the individual account level → TE
► In addition to determining PM and TE amounts, we also determine an appropriate “nominal amount” to use in posting misstatements to the SAD.
► TE is used as a basis for determining testing thresholds, while the SAD nominal amount is used to establish a threshold for clearly trivial misstatements.
Phase 1 – Planning and Risk Identification
P08
The last objective of Phase 1 addresses
identifying significant accounts and
disclosures and relevant assertions.
P08 – Identify Significant Accounts and
Disclosures and Relevant Assertions
► Accounts and disclosures are significant if they may contain material misstatements. To determine this, we consider both:
  ► Quantitative considerations (the larger the account balance, the greater the possibility that it contains material misstatements)
  ► Qualitative considerations (risks associated with the account/disclosure or significance and sensitivity of the information)
► The extent and nature of audit procedures we perform will vary depending on whether accounts and disclosures are significant or not.
Phase 2 – Strategy and Risk Assessment
S01 – TPE and discussion of fraud and error
E01 – Post-Interim Event (PIE)
The first group of objectives will
cover the team events within the
Strategy and Risk Assessment and
Execution phases:
► the Team Planning Event (TPE)
and discussion of fraud and
error and
► the Post-Interim Event (PIE)
Phase 2 – Strategy and Risk Assessment
S02 – S07
The next group of objectives will cover a
variety of categories as the engagement team
starts understanding and evaluating the
classes of transactions and controls as a
foundation of the overall risk assessment and
strategy development
S02 – Identify SCOTs, significant disclosure
processes and related IT applications
► We identify significant classes of transactions (SCOTs), significant disclosure processes and related IT applications that affect the relevant assertions of significant accounts/disclosures.
► We achieve this by:
  ► Identifying the SCOTs that generate the amounts recorded in the significant accounts and the significant disclosure processes that generate the amounts or words for significant disclosures
  ► Identifying the IT applications (and related attributes) that support the SCOTs and significant disclosure processes and produce electronic audit evidence (EAE).
S02 – Identify IT applications supporting
SCOTs, disclosure processes and EAE
► Once we identify the SCOTs and significant disclosure processes, we identify those IT applications supporting them that are relevant to the audit.
► An IT application relevant to the audit is a software program that supports any of the following:
  ► SCOTs from initiation, recording, processing, correcting as necessary and reporting to the financial statements
  ► Significant disclosure processes by which transactions, events, or conditions required to be disclosed by the applicable reporting framework are accumulated, recorded, processed, summarized and appropriately reported in the financial statements
  ► The production or creation of electronic audit evidence (EAE).
Identify SCOTs and related IT applications
S03_2 – Understand the critical path of the
SCOTs and significant disclosure processes
We obtain an understanding of
the critical path in the significant
class of transactions (SCOT).
The critical path covers from
initiation through reporting in
the entity’s general ledger.
We also obtain an understanding
of the policies and procedures
in place that management uses
to ensure that directives are
carried out and applied, and
consider the effect IT has on the
SCOTs and the significant
disclosure processes.
We use our understanding of the critical path and the policies and procedures to
identify what can go wrongs (WCGWs) and, when applicable, relevant controls.
S03_4 – Identify WCGWs in SCOTs and
significant disclosure processes
The identification of WCGWs assists us
in determining the nature, timing and
extent of our further audit procedures at
the assertion level necessary to obtain
sufficient appropriate audit evidence.
When there is a likelihood of
occurrence of misstatements (i.e., point
in the critical path where misstatements
can occur), we determine the magnitude
of the potential misstatement (i.e.,
whether it can result in a risk of material
misstatement).
If we determine the magnitude of the
potential misstatement may be material,
we identify a WCGW.
We do not attempt to identify all WCGWs, but focus on those WCGWs that could have a
material effect on the relevant assertions
S03_4
Link WCGW and assertions
S03_6
Identify controls that are relevant to the audit
Controls
We establish a preliminary audit strategy for
placing reliance on controls related to the
SCOTs and the significant disclosure
processes once we obtain an understanding
of the SCOTs and the significant disclosure
processes. We distinguish between the
following strategies:
► Controls reliance strategy
► Substantive only strategy
When we select a controls reliance strategy, we obtain an understanding of the controls
relevant to the audit (i.e., relevant controls). By obtaining an understanding of the critical
path, WCGWs and controls, we know:
► How transactions are initiated, corrected, processed and reported
► What errors could occur during the process
► What controls exist that mitigate the risk of errors.
S03_6
Identify controls that are relevant to the audit
S06 – Select controls to test
We test controls to evaluate the
operating effectiveness of controls
over the SCOTs and significant
disclosure processes to prevent or
detect and correct material
misstatements at the assertion
level.
We select relevant controls to test that address the WCGWs for each
relevant financial statement assertion for which we plan to rely on
controls.
We exercise professional judgment in determining the appropriate
controls to select and test, recognizing that it may be more effective and
efficient to select and test controls that address multiple WCGWs and
assertions.
S07 – Understand, walkthrough, test and
evaluate ITGCs
► When using a controls reliance strategy for SCOTs or significant disclosure processes, our understanding of the role of IT in the entity is important to assist us in concluding whether to rely on ITGCs to support our reliance on application controls, IT-dependent manual (ITDM) controls or electronic audit evidence (EAE).
► When determining our audit strategy for ITGCs, we perform one of the following:
  ► Identify, understand, walkthrough, test and evaluate ITGCs (i.e., rely on ITGCs) when we plan to rely on application controls, ITDM controls or EAE
  ► Perform direct testing procedures if we decide not to rely on ITGCs, but we plan to rely on application controls, ITDM controls or EAE.
► If we do not rely on ITGCs or do not perform direct testing procedures as described above, we do not rely on application controls and ITDM controls. When we use EAE, we are required to perform direct testing to rely on EAE.
Approach for evaluating ITGCs
[Diagram: layered evaluation hierarchy. Labels shown: Financial Control Evaluation; IT-Dependent Manual or Application Control Evaluation; ITGC Evaluation For IT-Dependent Manual Or Application Control (Support / Not Support); Aggregate ITGC Evaluation; ITGC Category Evaluations (Manage Change, Logical Access, Other ITGCs); ITGC Evaluations. Individual evaluations are marked Effective or Ineffective.]
R = Rationale required if higher layer evaluation is Effective or Support and lower layer contains an Ineffective or Not Support evaluation.
Evaluate IT General Controls
Phase 2 – Strategy and Risk Assessment
S08 – E07
This group of objectives
includes objectives from
both the Strategy and
Risk Assessment phase
and the Execution phase,
as we make combined
risk assessments, and
then reassess them later
S08/E07 Make (and reassess) combined risk
assessments
► In order to develop an audit strategy that is responsive to the entity’s risks of material misstatement, we make a combined risk assessment (CRA) for each relevant assertion for each significant account and disclosure.
► We achieve this by:
  ► Assessing inherent risk (IR)
  ► Assessing preliminary control risk (CR)
  ► Combining the assessment of inherent risk and control risk to arrive at a CRA for each relevant assertion for each significant account and disclosure
► Once we have determined the CRA for a relevant assertion, we address the remaining audit risk (i.e., detection risk) by designing substantive procedures that are responsive to the CRA
S08 – Combined Risk Assessment
Risk components
► This table shows how we combine our assessments of inherent and control risks into one combined risk assessment table:
S08 – Combined Risk Assessment
Effect of CRA on substantive procedures
► EY GAM requires us to obtain reasonable assurance that the financial statements are free from material misstatements, based on our procedures.
► The CRA associated with each assertion affects how we design our audit strategy to obtain such assurance.
Phase 2 – Strategy and Risk Assessment
S09 – S12
The group of objectives includes
designing a variety of tests and
procedures to be performed in the next
phase of EY GAM, Execution.
S09 – Design tests of controls
► We design the nature, timing and extent of our tests of controls to obtain sufficient appropriate audit evidence that the controls selected for testing operate effectively as designed throughout the period of reliance to prevent or detect and correct material misstatements at the assertion level when:
  ► We plan to rely on the operating effectiveness of the controls in determining the nature, timing and extent of our substantive procedures
  ► Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level (e.g., for highly automated SCOTs).
S10 – Design tests of journal entries and other
mandatory fraud procedures
► We plan procedures to mitigate the risk of management override of controls by:
  ► Testing the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements
  ► Evaluating the business rationale for significant unusual transactions that are outside the normal course of business for the entity
  ► Reviewing significant accounting estimates for evidence of management bias
► We evaluate whether to perform other audit procedures to respond to the risk of management override of controls.
S11 – Design substantive procedures
► We design substantive procedures so that the combination of our procedures (including tests of controls) provides sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and enables us to draw reasonable conclusions on which to base our opinion.
► The appropriate mix of substantive procedures depends on factors such as the nature of the account balance and our combined risk assessments. EY GAM requires certain substantive procedures (Primary Substantive Procedures) to be performed, regardless of our combined risk assessment.
► Our combined risk assessment affects the timing and extent of PSP (e.g. the higher our combined risk assessment, the closer to period-end and the higher the extent of the PSPs we design).
► Other substantive procedures may be required as the CRA increases and/or significant risks are identified.
S12 – Plan general audit procedures
E06 – Perform general audit procedures
► We plan and perform general audit procedures to audit those areas on every engagement that are not directly related to financial statement account assertions in the following areas:
  ► The entity’s compliance with laws and regulations
  ► Litigation and claims
  ► Minutes and contracts
  ► Consideration of going concern
  ► Related party relationships and transactions
  ► Obtaining management representations
► We make an initial determination of the scope of the general audit procedures to be performed and exercise judgment in determining the timing and extent of general audit procedures.
► We document our general audit procedures in the Program for general audit procedures (PGAP). The PGAP is supplemented, where applicable, by local professional standards and requirements.
Phase 2 – Strategy and Risk Assessment
S13
The last group of objectives covers the
audit strategy memorandum that
concludes this phase.
Phase 3 – Execution
E02 – Execute tests of controls
► We execute tests of relevant controls to ensure that those controls we plan to rely on are operating as intended throughout the period of reliance.
► If we identify control exceptions, we assess the effect of the control exception and respond appropriately.
► At the completion of our tests of controls, we evaluate the results of our tests and conclude on the operating effectiveness of controls.
E04 – Update tests of controls
► When we execute our tests of controls, including IT general controls (ITGCs), prior to the balance sheet date and conclude that we are able to ‘rely on controls’, we update our tests of controls to the balance sheet date so that we have sufficient appropriate audit evidence that the controls operate effectively throughout the period of reliance. We achieve this by:
  ► Determining the additional audit evidence to be obtained for the remaining period
  ► Updating our tests of controls procedures and evaluating the results.
E05 – Perform substantive procedures
► The extent of substantive procedures depends on the CRA
► Our strategy is based on
  ► an appropriate balance of testing controls, and
  ► performing substantive procedures, so that
  the combination of our procedures (including tests of relevant controls) provides sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and enables us to draw reasonable conclusions on which to base our auditors’ opinion.
Phase 4 – Conclusion and Reporting
Summary by Account
Summary by Process
Summary by Risks
Questions?
THANK YOU