CHAPTER

3 PHASE I – RISK ASSESSMENT:

PLANNING THE AUDIT (Cont’d) AND
PERFORMANCE OF RISK ASSESSMENT

3-1. The pre-audit conference should be attended by all members of the audit team,
including the partner in charge of the examination. The conference should cover
the following areas:
a. Nature of the client’s activities;
b. General nature of the client’s system of internal control;
c. Unique accounting practices;
d. Duties of individual audit team members; and
e. Known areas of high audit risk.

3-2. The accuracy of transactions and balances is a function of the reliability of the
information system. An effective control environment, accounting system, and
control activities (the information system), together with a system of monitoring
such that controls adapt to a changing environment, serves to produce accurate
financial data. Weak controls are more likely to produce inaccurate financial data.
By first testing the information system, the auditor is able to increase or decrease
the nature, timing, and extent of transaction and balance testing according to
his/her assessment of control risk.

3-3. a. Analytical procedures are used for these broad purposes:

To assist the auditor in planning the nature, timing, and extent of other
auditing procedures.
As a substantive test to obtain evidential matter about particular
assertions related to account balances or classes of transactions.
As an overall review of the financial information in the final review stage
of the audit.

b. An auditors’ expectations are developed from the following sources of

information:
Financial information for comparable prior periods giving consideration
to know changes.
Anticipated results--for example, budgets, forecasts, and extrapolations.
Relationships among elements of financial information within the period.
Information regarding the industry in which the client operates.
Relationships of financial information with relevant nonfinancial
information.
3-2 Solutions Manual to Accompany Applied Auditing

c. The factors that influence an auditor’s consideration of the reliability of data

for purposes of achieving audit objectives are whether the
Data were obtained from independent sources outside the entity or from
sources within the entity.
Sources within the entity were independent of those who are responsible
for the amount being audited.
Data were developed under a reliable system with adequate controls.
Data were subjected to audit testing in the current or prior year.
Expectations were developed using data from a variety of sources.

3-4. a. (4) b. (4)

3-5. a. (1) b. (1) c. (1)

3-6. a. 1. Audit risk is the risk that the auditor may unknowingly fail to
appropriately modify an opinion on financial statements that are materially
misstated.

2. Inherent risk is the susceptibility of an account balance or class of

transactions to error that could be material, when aggregated with error in other
balances or classes, assuming that there were no related internal controls.

Control risk is the risk that error in an account balance or class of

transactions that could be material, when aggregated with error in other balances
or classes, will not be prevented or detected on a timely basis by controls.

Detection risk is the risk that an auditor’s procedures will lead the auditor
to conclude that error in an account balance or class of transactions that could be
material, when aggregated with error in other balances or classes, does not exist,
when in fact such error does exist.

3. Inherent risk and control risk differ from detection risk in that they exist
independently of the audit of financial statements, whereas detection risk relates to
the auditor’s procedures and can be changed at the auditor’s discretion. Detection
risk should bear an inverse relationship to inherent and control risk. The less
inherent and control risk the auditor believes exists, the greater the acceptable
detection risk.

b. 1. Materiality is the magnitude of an omission or misstatement of

accounting information that, in the light of surrounding circumstances,
makes it probable that the judgment of a reasonable person relying on the
information would have been changed or influenced by the omission or
misstatement. This concept recognizes that some matters, either
individually or in the aggregate, are important for the fair presentation of
 Phase I – Risk Assessment: Planning the Audit (Cont’d) and Performance of Risk Assessment 3-3
financial statements in conformity with applicable financial reporting
standards whereas other matters are not important.

2. Materiality is affected by the nature and amount of an item in relation to

the nature and amount of items in the financial statements under
examination, and by the auditor’s judgment as influenced by the
auditor’s perception of the needs of a reasonable person who will rely on
the financial statements.

3-7. Internal control is defined as:

A process, effected by an entity’s board of directors, managers, and other

personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories: (1) reliability of financial reporting, (2)
compliance with applicable laws and regulations, (3) effectiveness and efficiency
of operations, and (4) safeguarding of assets.

It is important to assess control risk in an audit engagement because it allows the

auditor to identity the types of misstatements most likely to occur and to plan the
audit.

Internal control is a process that emanates from the board of directors and
management of the company and thus is an integral part of the overall governance
and risk management process. Internal control over financial reporting includes
the design and implementation of control procedures to ensure, among other
things, that all transactions are properly authorized, recorded in the correct time
period, and valued correctly; and that assets are adequately safeguarded. Since the
auditor’s job is to render an opinion on the financial statements, they are more
concerned with the internal controls that affect financial reporting. In most
companies, however, it is difficult to draw a line between “internal controls” and
“internal controls over financial reporting,” because many controls that may seem
unrelated can in some way indirectly affect financial reporting.

The broader definition of internal auditing addresses objectives related to

operations and compliance, as well as financial reporting.

3-8. An organization's control environment is the overall tone of operations of an

organization which collectively serve to enhance, or alternatively
mitigate, the functioning of specific control policies and procedures. The
control environment reflects the overall attitude, awareness, and actions
of those in control of the organization in creating an atmosphere of
control.

The components of the control environment include:

 management's philosophy and operating style,

3-4 Solutions Manual to Accompany Applied Auditing

 the entity's organizational structure,

 the functioning of the board of directors and its committees,
particularly the audit committee,
 human resource policies and practices,
 integrity and ethical values,
 commitment to competence.

3-9. The auditor should be capable of evaluating the competency of the accounting
staff:

 first, the auditor has expertise in the accounting area,

 second, the commitment to competence is an integral part of internal
control, and by professional standards, the audit firm should not accept
the engagement unless they have the expertise to assess the client’s
controls.

There are a number of ways in which the auditor can evaluate the competency of
the accounting staff, including the following:

 evaluating the judgments made on areas where accounting choices have

been made,
 evaluating the number of exceptions noted in audit testing,
 discussions with accounting staff regarding accounting and audit issues,
 gathering input from the CEO or the audit committee,
 evaluating the background (academic and work) of the staff, as well as
the experience in dealing with issues related to the company.

3-10. Monitoring is an overall control process that is designed to continually assess the
design and operation of a control system. It is designed to give management
feedback on how well the existing control system is operating. Examples of
monitoring controls include:

 management exception reports on transactions rejected by the computer

system.
 management reports on gross margins of products by product lines and
by stores.
 management oversight and review of operations.

The authors speculate that the concept of monitoring controls will change the
audit by shifting focus on evaluating and testing the effectiveness of monitoring
controls. If monitoring controls are working effectively, the auditor and the
organization can have confidence that other controls are working properly. The
rationale is that properly working monitoring controls should detect and correct
problems in other controls on a timely basis.
 Phase I – Risk Assessment: Planning the Audit (Cont’d) and Performance of Risk Assessment 3-5
3-11. Material misstatements in account balances at the end of a year imply that there
was a material weakness in internal controls during the year.

3-12. The primary factors for the auditor to consider in determining whether to directly
test a year-end account balance include:

 the overall quality of internal controls (all five components),

 the quality of specific controls over transactions processing affecting the
account balance,
 the risk of management override for the account balance,
 the extent that management makes subjective judgments about the
account balance,
 the materiality of the account balance,
 history of misstatements in the account balance in previous years,
 the extent that evidence is provided through direct tests of other accounts,
and the auditor’s overall judgment as to the likelihood that the account
balance could be misstated

3-13. The five most significant controls the auditor should evaluate in assessing fraud
risk include:

• Controls over significant, unusual transactions, particularly those that

result in late or unusual journal entries;

• Controls over journal entries and adjustments made in the period-end

financial reporting process;

• Controls over related party transactions;

• Controls related to significant management estimates; and

• Controls that mitigate incentives for, and pressures on, management to falsify
or inappropriately manage financial results.

3-14. Yes, the auditor has to analyze the cause of the misstatement. It is likely that the
material misstatement in the account balance is related to a material weakness in
internal control. The auditor’s report on internal control must identify the
presence and nature of the control weakness. In order to do so, the auditor must
understand the cause of the material misstatement.

3-15. The auditor’s assessment of internal control must be based on the culmination of
evidence that is gathered by the auditor. The auditor can rely on some of
management’s information, but that information has to be developed in a situation
where there is a strong control environment and the assessment is made by parties
that the auditor deems to be independent of those responsible for the controls, and
competent in testing. However, the external auditor still has to gather
3-6 Solutions Manual to Accompany Applied Auditing

corroborating evidence to conclude that the internal testers in the organization

properly performed their work. In the end, the auditor must be convinced that he
or she has developed competent and independent evidence to reach a decision on
the quality of the controls.

3-16. The PCAOB and the SEC have indicated that the auditor must make sure that all
material account balances are covered during the integrated audit. However, the
auditor must consider the most efficient way to accomplish that objective. One
approach is to start with the major processes that lead up to the significant account
balances. There may be significant efficiencies in starting with the processes, but
the auditor must make sure that information is gathered that relate to all of the
significant account balances.

3-17. Business risk is the risk that management has to address in running the business.
The complexity of the business risks may affect the quality of internal controls,
and also the risk of misstatements in account balances. There is another aspect
that should be considered by the auditor: the more risky that management’s
actions are, the greater the likelihood an organization will suffer a loss. This, in
turn creates greater valuation problems for the company and the auditor. It also
requires a more formal process, and thus, more formal controls, in making the
accounting judgments.

3-18. There are many sources of evidence available that the auditor can evaluate in
terms of determining whether the client has a commitment to maintaining
acceptable levels of financial competencies. These include:

 Auditor interaction with financial reporting personnel and direct

observation of their knowledge of financial accounting standards, and
ability to dissect problems to deal with financial complexities.
 Analysis of staffing levels, i.e. assessing whether the company has
sufficient personnel to deal with its financial reporting issues.
 Evaluation of personnel background, including educational degrees and
experience.
 Arrangements the organization has made to utilize financial expertise
outside of the organization as needed.
 Interviews with the chair of the audit committee and his or her assessment
of financial reporting competencies.

The assessment is essentially based on auditor judgment as to the financial

accounting knowledge level needed by the organization. While there are some
objective measures that the auditor can utilize, e.g. educational and work
experience background, it will essentially come down to a judgment call made by
the auditor.
 Phase I – Risk Assessment: Planning the Audit (Cont’d) and Performance of Risk Assessment 3-7
3-19. Management should have controls over making estimates similar to controls in
transactions processing systems. Sometimes there is a tendency to think that
making estimates is purely judgmental and there is not a need for controls. That
thinking is incorrect. The controls that an auditor would expect to find over
accounting estimates include:

 Controls sufficient to ensure that adequate data are gathered to make the
estimate. For example, the company should systematically gather data
related to the age of accounts receivable, current economic conditions,
financial status of major accounts, and maintain collectibility.
 Information on changes made to the underlying process. For example,
the auditor should know whether there have been any changes in the
credit granting procedures by the company.
 Controls to ensure that the process is consistent over time. The process
should be adjusted for changes in economic factors, but the underlying
process should not be systematically changed.
 Controls to ensure periodic updates. The change in estimates should be
made periodically to accompany updates in processing changes in the
underlying systems that are pertinent to the estimates.

3-21. Alternative courses of action in the audit associated with the two outcomes are as
follows:
 If deficiencies are identified, assess those deficiencies to determine whether
they are significant deficiencies or material weaknesses. Determine whether
the preliminary control risk assessment should be modified (should control
risk be assessed at a higher level) and document the implications for
substantive testing. Determine the impact of these deficiencies, and any
revision in the control risk assessment, on planned substantive audit
procedures by determining the types of misstatements that are most likely to
occur.

 If no control deficiencies are identified, assess whether the preliminary

control risk assessment is still appropriate, determine the extent that controls
can provide evidence on the correctness of account balances, and then
determine planned substantive audit procedures. The level of substantive
testing in this situation will be less than what is likely required in
circumstances where deficiencies in internal control were identified.
3-8 Solutions Manual to Accompany Applied Auditing

Exercises
3-1.
(c ) Evidence that
(b) Controls to Control is
Segregation of Duties Mitigate the Operating
Problem (a) Risk Risk Effectively
1. Individual handles: (1) Individual (1) Management (1) The auditor
 Cash could take cash could perform could review
and could cover period reviews of management
 Customer up the cash accounts receivable analyses of
Complaints shortage by taking write-ups and accounts written
 Performs Bank customer independently off and evidence of
Reconciliation complaints and investigate the investigation. The
then writing off reason for the auditor would want
the accounts write-offs (partial to make sure that
receivable. mitigation) management knew
it was getting
accurate reports of
(2) The individual (2) There are no the write-offs.
could also take compensating
cash, but record it, controls for this.
and cover it up There needs to be (2) No tests
through the bank independent bank because there are
reconciliation. reconciliations. no controls. The
auditor would want
to review the
independent bank
reconciliations.

2. Same person: (1) Individual This is difficult to No tests because

 Bills customers bills the customer control because the potential
 Collects Cash and takes the cash management would mitigating control
 Applies Credits remittances. The have to anticipate is not considered
to customer cash shortage is all the accounts strong enough to
accounts. covered up by that could be mitigate the risk.
debiting an debited instead of The auditor would
expense account cash. Depending have to perform
such as (a) on the more direct testing
customer sophistication of of the account
discounts, or (b) the system, balance.
bad debt expense. management or
someone
independent of this
person could
perform an analysis
 Phase I – Risk Assessment: Planning the Audit (Cont’d) and Performance of Risk Assessment 3-9
(c ) Evidence that
(b) Controls to Control is
Segregation of Duties Mitigate the Operating
Problem (a) Risk Risk Effectively
of customer
discounts, or bad
debt expense.

3. Individual There is no Controls are No additional tests

 Prepares unusual risk here. sufficient. of controls.
Billings
 Does monthly
bank
reconciliation.
 Does not handle
cash.

4. Controller: This is not an Management The auditor could

 Responsible for unusual situation review of all test to determine if
accounting for many smaller significant there is evidence
estimates businesses. The estimates and that management
 Adjusting risk is that the closing entries. performed such a
journal entries adjusting entries review. However,
 No CFO or accounting management is not
estimates may be always aware of
made without the closing entries,
economic nor reviews it in
substance, or may detail. This is a
be in error. risk that would
cause the auditor to
do more direct
testing of the
account balances
affected by
estimates and
closing entries.

5. Small company has The risk is that Management The auditor could
only one accounting this person does review all the examine evidence
person. everything and transactions and that management
there is no acts as an thoroughly reviews
segregation of additional control. all transactions,
duties. reperforms bank
The problem with reconciliations, etc.
this control is that However, as noted
3-10 Solutions Manual to Accompany Applied Auditing

(c ) Evidence that
(b) Controls to Control is
Segregation of Duties Mitigate the Operating
Problem (a) Risk Risk Effectively
it detracts from in the previous
management column it is
performing its unlikely that the
main goals of control will be
growing the strong enough to
business, and thus, mitigate the risks.
the control
activities are
usually a secondary
consideration.

6. Computerized expert The individual Software controls Auditor would

runs software, has access could change the that would not have to have
to the software, as well software to have allow access to evidence that the
as access to data records. inventory sent to changing the software could not
him, or to transfer software. be changed.
cash to him (her)
Management If the individual
review of all has access to the
transactions that records, he or she
involve employees. could suppress
their name in such
a report, thus the
control cannot be
considered
sufficient to
mitigate the risk.

3-2. a. Methodologies that could be used in determining the effectiveness of the

organization’s code of ethics include:

 Determine if the company has educational sessions regarding the code of

ethics.
 Tour the organization’s facilities to determine whether copies of the
organization’s code of ethics are posted on the walls or otherwise readily
available.
 Develop a questionnaire that would demonstrate whether or not employees
understood the organization’s code of ethics and administer it to a random
selection of employees.
 Ask employees how they handle difficult issues; determine if the open-door
policy is really in existence, and what happens as a result of reporting ethical
issues.
Phase I – Risk Assessment: Planning the Audit (Cont’d) and Performance of Risk Assessment 3-11

b. Before applying any ethical issue, the auditor should always be confident in
the facts. In other words, the auditor needs to be sure that the differences are not
just subjective and that there are fundamental flaws in the application of internal
control principles in the organization. For example, the auditor should be sure
that the ‘open door policy’ is not as effective as full blown whistleblowing
program, and so forth.

Identify the Ethical Issue: There is a difference of opinion regarding the

quality of the client’s internal controls. More importantly, from the auditor’s
point of view, the difference appears to be motivated by a desire to keep the
new audit client happy.

Determine Affected Parties and Their Rights. The parties affected, in

addition to the two main parties, include:

 The client – right to an honest and correct opinion,

 The CPA firm – assurance that their employees act with professional
competence and integrity,
 The investing public – the right to fairly presented audit reports,
 Lenders and Suppliers – the right to fairly presented audit reports.

Determine the Most Important Rights. The audit profession exists to serve
the public good. Thus, the most important right is that of the recipients of the
auditor’s report to receive accurate and honest reports from the auditor.
Further, the audit firm has a right to assume that all of their auditors act with
professional competence and due professional care.

Develop Alternative Courses of Action: There are only two courses of actions
available: either issue an unqualified opinion on the client’s internal control
over financial reporting or issue an adverse opinion.

Determine most likely consequences: Unqualified opinion. The client will be

happy and the firm will retain them as an audit client. However, should the
client ever fail in the future, or if investors lose money on the client, it is
likely that the auditor could be sued for the inappropriate opinion. Further,
the audit firm will suffer a loss of reputation and its services may be in less
demand. Adverse Opinion. There is a chance that the audit firm may lose the
audit client. However, this could also have some positive side benefits: (a)
the audit firm could see its reputation increase because of the action taken,
and (b) the audit firm avoids being associated with a client that is perceived to
be less than honest.

Evaluate Rights. The most important rights lie with the user public and the
CPA firm.
3-12 Solutions Manual to Accompany Applied Auditing

Decide on Most Appropriate Course of Action. Insist that the audit firm issue
an adverse audit opinion on internal control.

The difficult issue is what to do if the audit partner disagrees. There are a few
courses of actions the auditor should take that include:

 Raise the issue with the concurring partner during their review,
 Document the difference in writing and insist that your opinion stays in the
audit working papers,
 Raise the issue with the office managing partner,
 Raise the issue with appropriate people in the national office of the firm.

c. Yes, the data support a conclusion that there is a weakness in internal control.
Some of the key elements to be considered by the auditor are:

 No whistleblowing program, which also represents non-

compliance with the Sarbanes-Oxley Act (a violation of public
law),
 Weakness at the control environment level (no commitment to
competence, no adherence to the code of ethics, lack of depth in
talent),
 Inadequate testing of internal control for management’s opinion
(small sample size),
 Ineffective monitoring of internal controls.

d. The paragraphs should describe the nature of the material weaknesses in

internal control identified in part c above.

3-3. a. Testing a control in operation means that the auditor is taking a sample of
transactions to determine if evidence exists that the control is operating as it is
designed to operate - and thus is effective in achieving the organization's
processing control objectives.

The auditor makes a determination of which controls to test by determining

which controls most effectively contribute to the accomplishment of a control
objective. If there are three controls that contribute to the accomplishment of
a control objective, for example, the auditor may choose to test the one
control that, if operating effectively will accomplish the processing objective.

b. The top-down, risk-based approach advocated by the PCAOB recognizes

that auditors should:

 Start with the end-product, i.e. the financial statements and

determine the accounts that are material,
 Determine the risk that the account balance may be misstated,
 Phase I – Risk Assessment: Planning the Audit (Cont’d) and Performance of Risk Assessment 3-13
 Develop specific tests that create a better understanding of the
controls regarding the recording of the material accounts,
 Determine the likelihood of a material misstatement in the accounts,
and what might cause the account balance to be misstated,
 Develop tests to determine whether a material misstatement
occurred.

c. If a documented control is not operating effectively, it is not much

different than the control not operating at all. There are two potential
consequences:

(1) The auditor reassesses the control risk in the accounting

subsystem assuming that the control is not operative. The
auditor then determines the critical importance of the control
and the effect on processing transactions. If the control is
partially working, the auditor's assessment as it affects material
misstatements may not be as harsh.

(2) The auditor needs to determine the types of misstatements that

will occur and not be prevented or detected by the control
procedure, and design specific tests of the account balances to
determine if such misstatements had taken place.

d. Should a document not be able to be located by the client, the auditor

should become more uncomfortable with assessing the control as
effective. Another document (or documents) should be tested. However,
realize that when a sample is taken, the original documents (including the
lost one) should all be taken into account when making a final
assessment.

3-4.
Significant Material
Control Tested Test Results Deficiency? Weakness?
(1) All sales over Tested throughout Yes. Obviously No, it does not rise
P10,000 require year with a sample P10,000 is a material to this level given
computer check of size of 30. Only 3 enough amount that the sales manager’s
outstanding balances failures, all in the they decided to set actions.
to see if approved last quarter, but all the threshold there.
balance is exceeded. approved by sales A 10% failure rate
manager. suggests that the
control is not
operating effectively,
even if the
transactions that fell
through were later
approved. The risk
3-14 Solutions Manual to Accompany Applied Auditing

here would be that

the estimate for
uncollectible
accounts would be
understated. But the
sales manager’s
approval is an
adequate
compensating
control.

(2) The computer is Sampled ten items No, because it rises to Yes. Computers do
programmed to during the last the level of a material not make errors.
record a sale only month. One weakness. The fact that the
when an item is indicated that it recording was
shipped. was recorded made before
before shipped. shipment suggests
Management was that the computer
aware of the control is flawed.
recording. Because this is a
fundamental
transaction to the
revenue cycle and
many others could
potentially have
been affected, it
should be classified
as a material
weakness.

(3) All prices are Auditor selected 40 No. The transactions No

obtained from a invoices and found were still recorded
standardized price 5 instances in for the proper
list maintained which the price amount-what the
within the computer was less than the customer paid. This
and accessible only price list. All of does not appear as
by the marketing the price changes though it would cause
manager. were initiated by a misstatement as
sales people. much as it could lead
to lower profitability
of the business.
Questions of
computer access
controls should also
be raised.
 Phase I – Risk Assessment: Planning the Audit (Cont’d) and Performance of Risk Assessment 3-15

(4) Sales are shipped Auditor selects 15 No, because it rises to Yes. 20% or more
only upon receiving transactions near the level of a material error suggests a
an authorized the end of each weakness. material
purchase order from quarter. On deficiency.
customer. average, 3 – 4 are Considering that
shipped each this again is a
quarter based on fundamental
salesperson’s transaction, the
approval and error could have
without a customer occurred on a large
purchase order. (material) scale.
Revenue could be
overstated if
unauthorized
shipments are
being made. The
estimate for
uncollectible
accounts would
also be affected.

(5) Every shipment Auditor examines No, because it rises to Yes. When an item
is assigned a number three of the weekly the level of a material is shipped, the
by the computer reports and weakness. computer is
when an order is observes that the programmed to
taken. A report is items shown as then record a sale.
prepared each month shipped do not If the amount
showing the status reconcile with the shipped does not
of all items where number of items reconcile with the
purchase orders have invoiced. amount invoiced,
been received, items Management says the program is not
currently in this is a regular functioning
progress, and items process and does correctly. If the
shipped. not affect error is large
recording. enough, it could be
classified as a
material deficiency
in internal control.

3-5. a. Elements of Poor Internal Controls include:

1. No credit checks are made of contract clients.

2. Accounts receivable are not recorded nor controlled.
3. Weak control is exerted over cash transactions.
3-16 Solutions Manual to Accompany Applied Auditing

4. No control is in effect between production type work and potential

revenues due. Examples: bookkeeping services, design and printing
services and tax work.
5. Forms are not prenumbered or accounted for.
6. There are no controls to assure that all receivables that are due are paid
on a timely basis.
7. The control over slow or delinquent payments is very poor.
8. All remittances are not recorded timely, nor is cash deposited daily.
9. There are no running control totals to prevent contract services from
exceeding the contract ceilings.
10. No controls are in effect to assure that all work was billed.

b. Elements of Good Internal Control include:

1. A cash log is maintained even though it is not used effectively.

2. Bank reconciliations are made.
3. Monthly analyses of cost percentages of revenue items are performed,
although they could be performed more effectively.
4. Historical evidence (audit trail) is maintained of all production work.
5. Periodic analyses are performed of unpaid bills.
6. Copy work paid in cash is balanced to the cash register.
7. Unusual variations between costs and revenues are investigated on a
monthly basis.

Multiple Choice Questions

3-1. c.
3-2. d.
3-3. b.
3-4. d.
3-5. e.
3-6. b.
3-7. c.
3-8. d.
3-9. c.
3-10. d.