Risikobaseret tilgang til revision

Transcription

1 Risikobaseret tilgang til revision Hvordan får vi egentlig forholdt os praktisk til ISA 315? v/henrik Nørgaard & Thomas Kühn

2 Structure of the Global Audit Methodology September 2013 Page 2

3 Phase 1 Planning and Risk Identification

4 Phase 1 Planning and Risk Identification September 2013 Page 4

5 Phase 1 Planning and Risk Identification P01 P02. The first group of objectives represents the procedures needed to start the audit process for a recurring or a new client, like understanding service requirements, determining the project scope, forming the engagement team, and completing preliminary engagement activities like considering the results of our client acceptance/continuance process and evaluating compliance with ethical requirements, including independence. September 2013 Page 5

6 Phase 1 Planning and Risk Identification P03 P06. The second group of objectives involves developing our audit strategy by understanding the business of the client, determining the need for specialized skills on the team, understanding the entity-level controls and performing initial risk analysis. September 2013 Page 6

7 P03 Understand the business September 2013 Page 7

8 P03 Understand the business P03_5 Obtain understanding by review, inquiry, analytical procedures, observation and inspection P03_1 Nature of the entity and its environment Industry, legal and regulatory and other external factors Nature of the entity Accounting policies Objectives and strategies Measurement and review of financial performance Overall analytical procedures Determine key influences on The entity P03_6 and We identify Risk factors We determine P03_7: Risks of material We relate misstatement P03_8: Risks to financial statements We make S08: Our combined risk assessments P03_2 Related party relationships and transactions We respond P03_3 Status of management s going concern assessment P03_4 Role of IT in the entity S11: Design and implement substantive procedures September 2013 Page 8

9 P03 Understand the business The four types of risk September 2013 Page 9

10 P03 Understand the business Determine significant risks September 2013 Page 10

11 P04 Determine the need for specialized skills on the team Determine the need for specialized skills on the team (P04) As we obtain our understanding of the entity and the environment in which it operates, we: Reassess the composition of the engagement team to confirm that the engagement team has the appropriate balance of skills, experience and competence Determine whether any additional expertise is needed beyond that possessed by the engagement team s current members We achieve this by: Determining whether we include EY professionals with specialized knowledge of IT, tax or the industry in which the entity operates as part of the engagement team to assist with the performance of the audit Determining whether to use the work of an expert in a field other than accounting or auditing as audit evidence. If so, we consider whether: The entity employs experts in this field, and whether we can use their work Management has engaged an expert to assist with a particular issue, and whether we can use the expert s work To involve an expert employed by EY To involve an expert who is external to EY Determining whether legal council is regarded as managements expert. September 2013 Page 11

12 P05 Understand entity-level controls Understand entity-level controls (P05) Our understanding of entity-level controls assists us in identifying and assessing risks of material misstatement due to fraud or error, as well as assisting us in determining the most appropriate audit strategy. We achieve this by: Understanding entity-level controls Determining how to obtain an understanding of entity-level controls Determining the extent of understanding of entity-level controls and audit evidence Identifying and assessing risks of material misstatement Determining the effect on our audit strategy Obtaining audit evidence of the operation of the elements of components at the entity level September 2013 Page 12

13 P05 Understand entity-level controls Components of internal control September 2013 Page 13

14 P06 Identify risks of material misstatement due to fraud and determine responses September 2013 Page 14

15 Phase 1 Planning and Risk Identification P07 This objective addresses concepts of planning materiality (PM), tolerable error (TE) and the SAD nominal amount to identify misstatements to be reported in the Summary of Audit Differences (SAD). September 2013 Page 15

16 P07 Determine PM, TE and SAD nominal amount We consider materiality at two levels: At the overall level, as it relates to the financial statements taken as a whole PM At the individual account level TE In addition to determining PM and TE amounts, we also determine an appropriate nominal amount to use in posting misstatements to the SAD. TE is used as a basis for determining testing thresholds, while the SAD nominal amount is used to establish a threshold for clearly trivial misstatements. September 2013 Page 16

17 Phase 1 Planning and Risk Identification P08 The last objective of Phase 1 addresses identifying significant accounts and disclosures and relevant assertions. September 2013 Page 17

18 P08 Identify Significant Accounts and Disclosures and Relevant Assertions Accounts and disclosures are significant if they may contain material misstatements. To determine this, we consider both: Quantitative considerations (the larger the account balance, the greater the possibility that it contains material misstatements) Qualitative considerations (risks associated to the account/disclosure or significance and sensitivity of the information) The extent and nature of audit procedures we perform will vary depending on whether accounts and disclosures are significant or not. September 2013 Page 18

19 Phase 2 Strategy and Risk Assessment

20 Phase 2 Strategy and Risk Assessment September 2013 Page 20

21 S01 TPE and discussion of fraud and error E01 Post-Interim Event (PIE) The first group of objectives will cover the team events within the Strategy and Risk Assessment and Execution phases: the Team Planning Event (TPE) and discussion of fraud and error and the Post-Interim Event (PIE) September 2013 Page 21

22 Phase 2 Strategy and Risk Assessment S02 S07 The next group of objectives will cover a variety of categories as the engagement team starts understanding and evaluating the classes of transactions and controls as a foundation of the overall risk assessment and strategy development September 2013 Page 22

23 S02 Identify SCOTs, significant disclosure processes and related IT applications We identify significant classes of transactions (SCOTs), significant disclosures processes and related IT applications that affect the relevant assertions of significant accounts/disclosures. We achieve this by: Identifying the SCOTs that generate the amounts recorded in the significant accounts and the significant disclosure processes that generate the amounts or words for significant disclosures Identifying the IT applications (and related attributes) that support the SCOTs and significant disclosure processes and produce electronic audit evidence (EAE). September 2013 Page 23

24 S02 Identify IT applications supporting SCOTs, disclosure processes and EAE Once we identify the SCOTs and significant disclosure processes, we identify those IT applications supporting them that are relevant to the audit. An IT application relevant to the audit is a software program that supports any of the following: SCOTs from initiation, recording, processing, correcting as necessary and reporting to the financial statements Significant disclosure processes by which transactions, events, or conditions required to be disclosed by the applicable reporting framework are accumulated, recorded, processed, summarized and appropriately reported in the financial statements The production or creation of electronic audit evidence (EAE). September 2013 Page 24

25 Identify SCOTs and related IT applications September 2013 Page 25

26 S03_2 Understand the critical path of the SCOTs and significant disclosure processes We obtain an understanding of the critical path in the significant class of transactions (SCOT). The critical path covers from initiation through reporting in the entity s general ledger. We also obtain an understanding of the policies and procedures in place that management uses to ensure that directives are carried out and applied, and consider the effect IT has on the SCOTs and the significant disclosure processes. We use our understanding of the critical path and the policies and procedures to identify what can go wrongs (WCGWs) and, when applicable, relevant controls. September 2013 Page 26

27 S03_4 Identify WCGWs in SCOTs and significant disclosure processes The identification of WCGWs assists us in determining the nature, timing and extent of our further audit procedures at the assertion level necessary to obtain sufficient appropriate audit evidence. When there is a likelihood of occurrence of misstatements (i.e., point in the critical path where misstatements can occur), we determine the magnitude of the potential misstatement (i.e., whether it can result in a risk of material misstatement). If we determine the magnitude of the potential misstatement may be material, we identify a WCGW. We do not attempt to identify all WCGWs, but focus on those WCGWs that could have a material effect on the relevant assertions September 2013 Page 27

28 S03_4 Link WCGW and assertions September 2013 Page 28

29 S03_6 Identify controls that are relevant to the audit Controls We establish a preliminary audit strategy for placing reliance on controls related to the SCOTs and the significant disclosure processes once we obtain an understanding of the SCOTs and the significant disclosure processes. We distinguish between the following strategies: Controls reliance strategy Substantive only strategy When we select a controls reliance strategy, we obtain an understanding of the controls relevant to the audit (i.e., relevant controls). By obtaining an understanding of the critical path, WCGWs and controls, we know: How transactions are initiated, corrected, processed and reported What errors could occur during the process What controls exist that mitigate the risk of errors. September 2013 Page 29

30 S03_6 Identify controls that are relevant to the audit September 2013 Page 30

31 S06 Select controls to test We test controls to evaluate the operating effectiveness of controls over the SCOTs and significant disclosure processes to prevent or detect and correct material misstatements at the assertion level. We select relevant controls to test that address the WCGWs for each relevant financial statement assertion for which we plan to rely on controls. We exercise professional judgment in determining the appropriate controls to select and test, recognizing that it may be more effective and efficient to select and test controls that address multiple WCGWs and assertions. September 2013 Page 31

32 S07 Understand, walkthrough, test and evaluate ITGCs When using a controls reliance strategy for SCOTs or significant disclosure processes, our understanding of the role of IT in the entity is important to assist us in concluding whether to rely on ITGCs to support our reliance on application controls, IT-dependent manual (ITDM) controls or electronic audit evidence (EAE). When determining our audit strategy for ITGCs, we perform one of the following: Identify, understand, walkthrough, test and evaluate ITGCs (i.e., rely on ITGCs) when we plan to rely on application controls, ITDM controls or EAE Perform direct testing procedures if we decide not to rely on ITGCs, but we plan to rely on application controls, ITDM controls or EAE. If we do not rely on ITGCs or do not perform direct testing procedures as described above, we do not rely on application controls and ITDM controls. When we use EAE, we are required to perform direct testing to rely on EAE. September 2013 Page 32

33 Approach for evaluating ITGCs R Financial Control Evaluation Effective IT-Dependent Manual or Application Control Evaluation R ITGC Evaluation For IT-Dependent Manual Or Application Control Support Not Support Aggregate ITGC Evaluation Manage Change Ineffective Logical Access Effective Other ITGCs Effective ITGC Category Evaluations ITGC ITGC ITGC ITGC ITGC ITGC Effective Ineffective Effective Effective Effective Effective ITGC Evaluations ITGC Effective ITGC Effective ITGC Ineffective Effective R Rationale required if higher layer evaluation is Effective or Support and lower layer contains an Ineffective or Not Support evaluation. September 2013 Page 33

34 Evaluate IT General Controls September 2013 Page 34

35 Phase 2 Strategy and Risk Assessment S08 E07 This group of objectives includes objectives from both the Strategy and Risk Assessment phase and the Execution phase, as we make combined risk assessments, and then reassess them later September 2013 Page 35

36 S08/E07 Make (and reassess) combined risk assessments In order to develop an audit strategy that is responsive to the entity s risks of material misstatement, we make a combined risk assessment (CRA) for each relevant assertion for each significant account and disclosure. We achieve this by: Assessing inherent risk (IR) Assessing preliminary control risk (CR) Combining the assessment of inherent risk and control risk to arrive at a CRA for each relevant assertion for each significant account and disclosure Once we have determined the CRA for a relevant assertion, we address the remaining audit risk (i.e., detection risk) by designing substantive procedures that are responsive to the CRA September 2013 Page 36

37 S08 Combined Risk Assessment Risk components This table shows how we combine our assessments of inherent and control risks into one combined risk assessment table: September 2013 Page 37

38 S08 Combined Risk Assessment Effect of CRA on substantive procedures EY GAM requires us to obtain reasonable assurance that the financial statements are free from material misstatements, based on our procedures. The CRA associated with each assertion affects how we design our audit strategy to obtain such assurance. September 2013 Page 38

39 Phase 2 Strategy and Risk Assessment S09 S12 The group of objectives includes designing a variety of tests and procedures to be performed in the next phase of EY GAM, Execution. September 2013 Page 39

40 S09 Design tests of controls We design the nature, timing and extent of our tests of controls to obtain sufficient appropriate audit evidence that the controls selected for testing operate effectively as designed throughout the period of reliance to prevent or detect and correct material misstatements at the assertion level when: We plan to rely on the operating effectiveness of the controls in determining the nature, timing and extent of our substantive procedures Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level (e.g., for highly automated SCOTs). September 2013 Page 40

41 S10 Design tests of journal entries and other mandatory fraud procedures We plan procedures to mitigate the risk of management override of controls by: Testing the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements Evaluating the business rationale for significant unusual transactions that are outside the normal course of business for the entity Reviewing significant accounting estimates for evidence of management bias We evaluate whether to perform other audit procedures to respond to the risk of management override of controls. September 2013 Page 41

42 S11 Design substantive procedures We design substantive procedures so that the combination of our procedures (including tests of controls) provides sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and enables us to draw reasonable conclusions on which to base our opinion. The appropriate mix of substantive procedures depends on factors such as the nature of the account balance and our combined risk assessments. EY GAM requires certain substantive procedures (Primary Substantive Procedures) to be performed, regardless of our combined risk assessment. Our combined risk assessment affects the timing and extent of PSP (e.g. the higher our combined risk assessment, the closer to period-end and the higher the extent of the PSPs we design). Other substantive procedures may be required as the CRA increases and/or significant risks are identified. September 2013 Page 42

43 S12 Plan general audit procedures E06 Perform general audit procedures We plan and perform general audit procedures to audit those areas on every engagement that are not directly related to financial statement account assertions in the following areas: The entity s compliance with laws and regulations Litigation and claims Minutes and contracts Consideration of going concern Related party relationships and transactions Obtaining management representations We make an initial determination of the scope of the general audit procedures to be performed and exercise judgment in determining the timing and extent of general audit procedures. We document our general audit procedures in the Program for general audit procedures (PGAP). The PGAP is supplemented, where applicable, by local professional standards and requirements. September 2013 Page 43

44 Phase 2 Strategy and Risk Assessment S13 The last group of objectives covers the audit strategy memorandum that concludes this phase. September 2013 Page 44

45 Phase 3 Execution

46 Phase 3 Execution September 2013 Page 46

47 E02 Execute tests of controls We execute tests of relevant controls to ensure that those controls we plan to rely on are operating as intended throughout the period of reliance. If we identify control exceptions, we assess the effect of the control exception and respond appropriately. At the completion of our tests of controls, we evaluate the results of our tests and conclude on the operating effectiveness of controls. September 2013 Page 47

48 E04 Update tests of controls When we execute our tests of controls, including IT general controls (ITGCs), prior to the balance sheet date and conclude that we are able to rely on controls, we update our tests of controls to the balance sheet date so that we have sufficient appropriate audit evidence that the controls operate effectively throughout the period of reliance. We achieve this by: Determining the additional audit evidence to be obtained for the remaining period Updating our tests of controls procedures and evaluating the results. September 2013 Page 48

49 E05 Perform substantive procedures The extent of substantive procedures depends on the CRA Our strategy is based on an appropriate balance of testing controls, and performing substantive procedures, so that the combination of our procedures (including tests of relevant controls) provide sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and enable us to draw reasonable conclusions on which to base our auditors opinion. September 2013 Page 49

50 Phase 4 Conclusion and Reporting

51 Phase 4 Conclusion and Reporting September 2013 Page 51

52 Summary by Account September 2013 Page 52

53 Summary by Process September 2013 Page 53

54 Summary by Risks September 2013 Page 54

55 Questions? THANK YOU September 2013 Page 55