Audit assessment of audit risk: types, methods, calculation
Audit assessment of audit risk: types, methods, calculation

Video: Audit assessment of audit risk: types, methods, calculation

Video: Audit assessment of audit risk: types, methods, calculation
Video: Reputational Risk and How To Manage Reputational Risks (Reputation & Reputational Risk Management) 2024, December
Anonim

In today's world of business development and commercial enterprises, external audit services are becoming increasingly important. Auditing activity is an integral element of controlling the legality of business procedures carried out by a particular firm. Therefore, the audit, as the fundamental principle of an independent non-departmental audit by third-party auditors-specialists of the financial situation of a legal entity, is aimed at expressing a recommendatory opinion on improving and optimizing the financial and economic side of the company's development.

The audit was marked by the achievement of the main goal - the expression of an independent opinion on the reliability of the statements (both financial and accounting) of the audited entity and the compliance of the accounting procedure with the current legislation of the Russian Federation. The main economic essence of the audit isthe growing needs of users of financial statements in a qualitative assessment by experts of its reliability. In view of this, an important aspect is the audit assessment of audit risk, methods of its implementation and methods of implementation. But for this it is worth familiarizing yourself with the concept of audit risk.

Audit risk

In a broad sense, audit risk implies the possibility of an independent auditor expressing a false (erroneous) opinion based on incorrect calculations due to material misstatements in the content of financial statements. The audit process is characterized by its inherent risk of issuing an incorrect (erroneous) conclusion due to objective circumstances that directly affect the conduct of a scheduled or unannounced audit. In other words, this is the responsibility that the auditor assumes when issuing an opinion on the complete and open reliability of the information contained in external reporting, although in fact there may be errors and omissions that took place, but did not come to the attention of the inspector.

At the same time, risks are distinguished in the following areas:

  • Auditor's professional ability - meaning that each specific enterprise is provided with a specialist, taking into account a strict approach to choosing the audited firm, its reputation, honesty and integrity, as well as the degree of risk of operations carried out by this firm.
  • Customer expectations - there is always a risk that the control and audit service represented by a commercial audit company may not meet the requirementscustomer firm. It is also natural that in cases where the selected audit company did not meet the expectations of the customer, the latter has the right to refuse to provide its services in the future.
  • The quality of the audit - implies that the conclusion of the audit service may be incorrect due to any objective reasons. This may be the failure to identify significant errors in the financial statements of an economic entity or a distortion after confirming its proven reliability. This is called audit risk. The assessment methodology in this case can be determined based on specific situational indicators.
Conducting an audit
Conducting an audit

Regulations

At the legislative level, the concept of audit risk is described in the requirements defined at the level of Federal Rule (Standard) No. 8 “On the Assessment of Audit Risks and Internal Control Performed by the Audited Entity”. This legislative act was approved by the Decree of the Russian government under the number 405, issued on 04.07.2003. Based on the content of this rule, the auditor undertakes to use his own professional judgment in order to objectively assess audit risks. At the same time, he needs to develop those control and revision procedures that are needed to reduce the level of error to an acceptable level. The specific value, which is recognized as acceptably low, is not defined by this resolution. But in practice, this is considered the level of 5%. Simply put, out of a hundred signed reports, five audit judgments are oftencontain distorted, incorrect information on controversial issues. A higher misconception rate may adversely affect the competitiveness of a particular audit firm.

Influence factors of audit risk

Examples of assessing the pathological dangers of issuing an incorrect or incorrect conclusion boil down to the fact that everything depends on the type of risk. In turn, each of them arises on the basis of any separate situations that contribute to the fact that an independent auditor makes a mistake, an oversight, misses a distortion. For example, the following are considered factors influencing the occurrence of audit risks:

  • insufficient level of qualification of the internal auditor;
  • short-term experience in external audit;
  • work in narrow specifics (single audit direction), which does not allow comprehensive development and qualification in other areas of audit;
  • management's negligent attitude towards scheduled internal audit;
  • lack of special literature of economic content with the features of the audit of accounting and tax accounting;
  • irregular compilation and implementation of scheduled inspections for a certain period;
  • Leadership's inaction with respect to inspections in problem areas of accounting.
Detection Risk
Detection Risk

AP assessment methods

International Auditing Standards (ISA) in the assessment of audit risk and the methodology for its implementation are based on the key points of assessment based on a specific areachecks. So, based on the level of prerequisites and reporting, auditors are guided by paragraph 5 of the international standard number 315. Based on the types of operations performed, the specialist uses paragraphs 25 and 26 of ISA 315, and if we are talking about business processes and, accordingly, business risks, points 11, 37 and 40 of the same standard are taken into account.

Methods for assessing audit risk, in turn, are divided into quantitative and qualitative.

The first involves the calculation of the existing risk of distortion or incorrect interpretation of the information received during the audit, which is based on the total addition of all existing risks. The second method proceeds from those indicators that are not expressed in numbers, but also in one way or another affect the implementation of the verification. For example, the auditor is based in the course of audit activities on three main evaluation gradations - low, medium, high. At the same time, he takes into account the qualifications and experience of the chief accountant of the audited company, the workload of him and his assistants, the scale of the business, the features of management, and so on. Of the above, some of the factors are rated low, while others are rated medium or high. Of course, with such an evaluation plan, there is always an element of subjectivity. But this kind of method of debriefing during audit activities still takes place and continues to be actively used by auditor enterprises.

Thus, not only quantitative indicators can affect the verdict of the supervisory authority, the accompanying nuances alsoare taken into account in the methodological study of the activities of a particular company, since a lot often depends on them.

Types of risks and calculation formula

Every seasoned entrepreneur who has been doing business for more than a year knows that audit risk includes several of its subspecies. Thus, inherent threats, the risk of controls and the danger of non-detection are considered mandatory components of this phenomenon. The specialist is obliged to assess the audit risk at the stage of initial planning. Already during the audit, he receives additional information about the audited object and can make changes to his assessment, which was obtained at the preparatory stage.

Calculation of audit risk is carried out according to the formula:

- OAR=HP+RN+RSK, where:

OAR - total audit risk, NR - inherent risks, RN - risk of non-detection, RSK - control risk.

Control risk
Control risk

Inherent risk

This part in the general list of potential threats characterizes the susceptibility of residual amounts on the balance sheet of accounting accounts to material distortions that arise due to the failure of the enterprise to carry out proper internal control during the audit assessment. The risk and audit methods of its analysis in this case are based on its inalienability from the direct process: it means that of all possible potential threats, the verification procedure is accompanied by the possibility of data error.

Based on Federal Rule clauses(standard) number 8, which describes the concept, types and assessment of audit risk, the specialist-auditor takes measures to develop a general audit plan. He is also involved in drawing up an audit program.

The general plan provides for the formation of an opinion by the auditor on the assessment of the components of audit risk, that is, in this case, when studying information about the financial statements, he relies on his own professional judgment. In this case, it is mandatory to take into account:

  • The depth and duration of management experience of the audited entity, as well as rotations in the management staff for a specific period of time.
  • Type and type of activity of the entrepreneur.
  • External and internal factors that have a direct impact on the market segment in which the audited company performs its entrepreneurial functions.

In turn, the general program of the auditor correlates with the object of the audit risk assessment and the causes of possible inconsistencies. Therefore, the specialist should compare the estimated indicators with the real ones, assuming in advance that the inherent risk in this regard will be unambiguously high. Again, the auditor will rely on his or her own professional judgment in carrying out the audit, taking into account the following factors:

  • informativeness of accounting accounts of an audited enterprise, which may be distorted for any reason;
  • difficulties in certain segments of accounting for business transactions and other events that often requireengaging an expert person;
  • a factor of subjective judgment, which is necessary for the correct comparison of the audited client's accounting balance with the expected correct value;
  • assets at risk of loss or misappropriation;
  • peculiarities of the end of the reporting period, which is often accompanied by the completion of non-regular and complex business transactions;
  • presence of procedures that are not normally affected by normal standard processing.

Thus, the inherent risk is characterized by the possibility of misrepresentation of the balances of funds in the accounting accounts of the audited firm. And most importantly, these discrepancies can be significant.

inherent risk
inherent risk

Materiality level

Given the fact that the target orientation of audit activities closely borders on the assessment of the reliability and veracity of the accounting and financial statements of a person subjected to an audit, it should be understood that in the course of carrying out his work, the auditor is not required to confirm this reporting and its reliability with absolute and unwavering accuracy. This means that the regulation establishes such a possible accuracy of the reporting indicators of the audited company, which provides a qualified user with the opportunity to draw correct conclusions and make appropriate economically reasoned decisions. In this case, the establishment of the level of materiality plays a huge role. Assessment of audit risk and improvement of methodsEvaluation of expected erroneous judgments is done by understanding how serious the possible deviations are.

The materiality of the information revealed during the audit in accounting is the property of information to influence the adoption of economic decisions by external users of this information. Materiality itself involves the inclusion of two aspects in its content: quantitative and qualitative.

Quantitative is a comparison of the analyzed indicators with normative data, assuming the carrying out of calculation activities to determine certain coefficients, amounts, volumes of costs for the corresponding planned and unforeseen expenses, and so on.

The qualitative factor of predetermining the level of materiality on the example of assessing audit risk (and accounting, respectively, too) is used primarily to assess the degree of possible disclosure of specific information. As a rule, in such cases, a quantitative assessment is not applied, and the qualitative aspect is in this case an indispensable method for identifying the veracity and reliability of the information obtained in the course of accounting. This includes factors in the auditor's assessment of the level of materiality of detected violations in terms of the requirements of legislative and regulatory documents at the time the business entity is doing business.

It is noteworthy that it is the materiality of information that plays a direct role in the occurrence of risks of non-detection.

Risk of non-detection

International Auditing Standardsprovide for a specific definition of this aspect of the audit conducted at the enterprise. Thus, according to the ISA, the assessment of the audit risk of non-detection provides for the possibility that the conduct of specific audit activities and the proper collection of the evidence base do not allow to identify errors that can exceed the permissible level. In other words, it is a kind of indicator of the quality and effectiveness of the auditor's work. But it is worth noting that this indicator is directly proportional to a certain procedure for conducting an audit, on setting up a representative sample, on the use of sufficient and necessary audit procedures, as well as on factors reflecting the qualifications of the audit company’s specialists and the level of their preliminary acquaintance with the management of the audited business entity.

Relying on the audit assessment of audit risk, the center and benchmark of which is directly the reliability, quality and impartiality of the auditing entity, one can judge the degree of growth of the risk of non-detection. The auditor should determine it in his work and subsequently try to minimize it by planning an appropriate set of audit procedures. If we talk about this aspect in comparison with the risk of control or on-farm risk, the level of which can only be estimated, the risk of non-detection can be controlled by changing the nature, timing and extent of separately conducted substantive checks. That is, these risks can be influenced.

But there is also an inverse relationship between these comparisons.

  • If internal and control risk are high, their growth obliges the auditor to ensure that the audit is conducted in such a way as to minimize the amount of detection risk, as far as possible, thereby narrowing the boundaries of the overall audit risk to an acceptable level.
  • If control risk and intraeconomic risk are low, this allows the auditor to be en titled to assume a slightly higher detection risk, while obtaining an acceptable and adequate value in determining the value of the overall audit risk.

Auditor's evaluation is carried out in order to identify misstatements and determine their level of materiality. Thus, summing up this type of audit threats during the audit, we can make a completely logical conclusion. In assessing the components of audit risk, control measures do not make it possible to detect one or another misstatement of balances on the balance sheet and changes in other groups of operations, inconsistencies in which, collectively or individually, can be considered significant. But at the same time, the human factor and the actions of the auditor remain an important link, which can be modified depending on the level of his skills, experience, and qualifications.

Identification of information distortions
Identification of information distortions

Auditor subjectivism

The level of risk of internal controls is determined by the ability of organizational structures operating at the level of financial and accountingaccounting, detect and counteract the emergence and use of inaccurate data. Thus, the audit rule on “Materiality and audit risk”, approved by the Decree of the Ministry of Finance No. 24 dated March 16, 2001, defines this risk as one of the three most significant.

Because each area of human impact, and especially economic activity, is associated with the direct adoption of relevant decisions in the mode of incomplete information provided, some threats arise as a result. Certain risks also arise in the course of an audit. It is in view of this that one of the most significant tasks of a specialist is considered to be the collection of a sufficient evidence base to express his opinion on the subject that the accounting or financial statements of the audited entity are drawn up in accordance with generally accepted principles and practice and reflect a fair and correct view, not containing any or inaccuracies and distortions.

But there are some nuances in this definition. After all, the auditor cannot confirm absolutely every transaction concluded by the client. He can do nothing more than just give his opinion with some level of confidence in its objectivity and correctness. And therefore, there is always a certain risk, due to which some significant inaccuracy or any distortion of the data was not detected during the check. That is why audit risk is considered a quality criterion for an audit inspector. And that is why the assessment of any auditor is based on his professional opinion.

Carrying out audit activities
Carrying out audit activities

Control risk

The third subspecies of possible threats of low-quality inspection or revision at the audited enterprise is the risk of controls. Simply put, this is the subjective probability determined by the auditor that the accounting systems available at the business facility are not perfect, and internal control does not always contribute to the timely detection and correction of violations that are significant in general or individually. As well as not always internal control can prevent the occurrence of this kind of distortion.

Among other things, due to the risk of controls, the degree of reliability of the information provided by the accounting department is revealed. To evaluate it, audit procedures of a special nature are mainly used, which are carried out in the form of testing.

What are the tests for?

  • They are able to convince the auditor of the reliability of the work provided by the enterprise and aimed at implementing controlling procedures for accounting and financial accounting - fundamental aspects of doing business that are often subject to distortion.
  • With their help, the auditor finds out whether such measures are effectively implemented to prevent the occurrence of significant violations of financial statements.
  • Through testing, you can determine whether certain controls are working equally effectively throughout the reporting period.

Besides this, testing involves including:

  • Official review of records reflecting business financial transactions and, as a result, obtaining audit confirmation that controls have operated and functioned to their fullest potential.
  • Interrogations and observation of the processing of transactions in order to obtain a proven feasibility of controls in cases where it is not possible to obtain direct documentary evidence of this.
  • The results of other audit procedures that provide data on the performance of various controls.

Moreover, when analyzing the effectiveness of testing controls and assessing audit risk on a materiality scale, the auditor should pay special attention to the fact that some of these controls may be quite effective in general, but not be so individually in certain periods of time. What could be causing this?

  • The ineffectiveness of one or another means of control may be affected by illness, vacation or other kind of short-term absence of an accounting employee responsible for the implementation of a particular area of the audit.
  • This may also be a feature of the work of the accounting department of a particular business entity, which reflects the seasonality of periods of work capacity in conditions of increased intensity.
  • There are possible one-time, isolated or accidental errors made by specialists in their areas of work.

The meaning of a correct revision is that the auditor mustlook at the check comprehensively, providing for every possible factor that can affect the results of the audit study. So, its main targets include the need to analyze the negative results of testing controls, adjusted in planning for these features. A competent specialist initially sees possible problem areas in the enterprise, and due to his experience, he often finds flaws and distortions thanks to his audit instinct.

Independent auditor
Independent auditor

Instead of a conclusion

It is important to note that the auditor performs mandatory testing in almost all standard cases, with the exception of those when he has to assess the risk of controls as high. As a result, when the auditor prepares the final stage of the review with the issuance of his opinion, he needs to pay special attention to those controls that will be in his conclusions in the form of important arguments and aspects of the evidence base. Therefore, the more he plans to rely on them in his decision, the more carefully he needs to examine their effectiveness, reliability and validity.

Another interesting point: when conducting a scheduled audit, the auditor has the right to rely on the information base of previous periods. However, here you also need to make sure that the risk assessment made in the early period is also valid for the current year.

Recommended: