What is "Audit Risk"?

- Audit Risk = RMM x DR, where RMM (Risk of Material Misstatement) = IR x CR, so AR = IR x CR x DR
- Risk that the auditor issues an unmodified opinion on financial statements that are materially misstated; the audit firm sets the level of AR it is willing to accept
- Auditor must consider risk of misstatement individually and in aggregate w/ other misstatements


"Audit Risk" is a function of what 3 primary risks:


1. Inherent Risk - Susceptibility of an assertion to material misstatement before any related controls are considered
2. Control Risk - Risk that the entity's IC will fail to prevent or detect a material misstatement in a timely manner
3. Detection Risk - Risk that the auditor's procedures will fail to detect a material misstatement that exists


What is "Inherent Risk"?

- Evaluate the risk of material misstatement without regard to mitigating activities or controls, i.e., assuming no related controls exist
- ID risks inherent to the entity or the audit, even ones the entity cannot affect
- Ex: Entity’s environment and Entity’s IT (including financial data, data processing, and financial reporting processes)


What are examples of "Inherent Risk" with an Entity’s Environment?

(1) Current Economy
(2) Industry Risks
(3) Entity-Specific Risks
- Large volumes of transactions: the probability of a misstatement grows in proportion to volume
- Certain geographic locations carry more IR (e.g., flood zone)
- Complex business processes or IT, use of ERP or enterprise-wide systems, history of noncompliance, history of not responding to auditors' reports on deficiencies, and heavily regulated entities


What are examples of high "Inherent Risk" with Entity’s IT?

(1) Data transfers
- Any time data is transferred from one system to another (interfaces, file imports, batch loads)
(2) Software coding
- More programming, more risk
- To mitigate IT risks associated w/ AppDev, employ SDLC best-practice principles
(3) Database administrator (DBA)
- DBA can circumvent strong network and application controls by acting directly on the data
- Need proper SoD and mitigating controls (ex: no access to keying data, running apps, implementing apps, or developing systems)
(4) O/S Admins
- Same concern as the DBA: privileged O/S access bypasses application-level controls
(5) Unauthorized access to the O/S presents high IR of access to data
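The DBA item above says the mitigating control is segregation of duties: a DBA must not also key data, run applications, implement applications or develop systems. The following is an added example (not from the study notes or any audit firm's tooling) of a CAAT-style SoD check over a constructed access listing. The role labels, user names and the conflict matrix are assumptions; a real engagement would derive the matrix from the entity's own control documentation.

```python
"""Added example (not from the study notes): a segregation-of-duties (SoD)
check over a constructed user/role listing.

The DBA note says a DBA can bypass network and application controls, so a
DBA should not also key data, run or implement applications, or develop
systems. This script encodes those incompatible duty pairs as a conflict
matrix, flags any user whose current roles combine them (detective use), and
offers a pre-grant check that a provisioning process could call before adding
a role (preventive use). Role names, user names and the access listing are
all constructed for illustration."""

from itertools import combinations

# Conflicting duty pairs derived from the DBA note (assumed role labels).
# Pairs are unordered: (a, b) conflicts the same as (b, a).
SOD_CONFLICTS = {
    frozenset({"dba", "data_entry"}),        # DBA must not key data
    frozenset({"dba", "app_operator"}),      # DBA must not run apps
    frozenset({"dba", "app_implementer"}),   # DBA must not implement apps
    frozenset({"dba", "developer"}),         # DBA must not develop systems
    frozenset({"os_admin", "developer"}),    # assumed: O/S admin vs. developer
}

# Constructed access listing, as an auditor might export from an IAM system:
# user -> set of roles currently assigned.
ACCESS_LISTING = {
    "alice": {"dba"},
    "bob": {"dba", "developer"},
    "carol": {"data_entry"},
    "dave": {"os_admin", "developer", "data_entry"},
    "erin": {"app_operator", "dba"},
}


def find_sod_conflicts(listing, conflicts=SOD_CONFLICTS):
    """Detective use: return {user: sorted list of conflicting role pairs}
    for every user whose assigned roles include an incompatible pair."""
    findings = {}
    for user, roles in listing.items():
        hits = [tuple(sorted(pair))
                for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in conflicts]
        if hits:
            findings[user] = sorted(hits)
    return findings


def would_conflict(current_roles, new_role, conflicts=SOD_CONFLICTS):
    """Preventive use: before granting new_role, return the sorted list of
    existing roles it would conflict with (empty list means safe to grant)."""
    return sorted(r for r in current_roles
                  if frozenset({r, new_role}) in conflicts)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ACCESS_LISTING).items():
        print(f"{user}: SoD conflict {pairs}")
    print("grant developer to alice blocked by:",
          would_conflict(ACCESS_LISTING["alice"], "developer"))
```

A user who is flagged but whose conflicting roles cannot be removed (a small IT shop with one DBA, for instance) is exactly the case where the notes call for a mitigating control instead, such as logged and independently reviewed DBA activity.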


What is "Control Risk" and how should it be assessed?

- Likelihood that a material misstatement in transactions, events, disclosures or acct balances will not be prevented, or detected and corrected, on a timely basis by the entity's system of internal control
- To assess CR, CITP needs to:
(a) Consider the nature of the controls (automated vs manual, key vs non-key)
(b) Use a framework to evaluate the controls (Preventive-Detective-Corrective / P-D-C model)


What is the P-D-C Controls Model?

- A framework for evaluating risks associated w/ controls
(1) Preventive Controls
(2) Detective Controls
(3) Corrective (Mitigating) Controls


What are "Preventive Controls"?

- Designed to prevent adverse event from ever occurring
- Ex: Preventive controls implemented to prevent data keypunch errors, fraud, or bugs in software dev


What are "Detective Controls"?

- Designed to detect adverse event if occurs
- If an error in the data occurs, a detective control is capable of ID'ing it
- Ex: Use a CAAT to ID gaps or duplicates in check numbers for disbursements


What are "Corrective (Mitigating) Controls"?

- If an adverse event occurs and is detected, the corrective control corrects the event and reestablishes equilibrium (corrects the data, the workflow, etc.)
- Ex: An app program written to ID anomalies writes them to an error log (Detective). If any are found, a report is sent; a person corrects the errors and resubmits them for reprocessing (Corrective)
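The detective example (a CAAT finding gaps and duplicates in check numbers) and the corrective example (error log, human correction, resubmit) fit together as one P-D-C flow. The following is an added example, not code from the study notes or from any audit software, that runs a constructed batch of check disbursements through all three control types. The record layout, field names and the sample batch are assumptions.

```python
"""Added example (not from the study notes): the P-D-C control model applied
to a constructed batch of check disbursements.

  Preventive : input validation rejects a bad record before it is posted
  Detective  : a CAAT-style pass over posted checks finds gaps and duplicates
               in the check-number sequence (the preventive control does not
               look across records, so a duplicate gets past it)
  Corrective : rejected records sit in an error log; a person supplies a
               correction and the record is resubmitted through the same
               validation, so the fix cannot bypass the preventive control

Record layout, field names and the sample batch are assumptions."""

from collections import Counter

# Constructed input batch: check 1003 is keyed twice, 1005 is missing from
# the sequence, 1007 has a negative amount and 1008 has no payee.
BATCH = [
    {"check_no": 1001, "payee": "Acme Supply", "amount": 250.00},
    {"check_no": 1002, "payee": "Globex", "amount": 1200.50},
    {"check_no": 1003, "payee": "Initech", "amount": 75.00},
    {"check_no": 1003, "payee": "Initech", "amount": 75.00},
    {"check_no": 1004, "payee": "Umbrella", "amount": 310.00},
    {"check_no": 1006, "payee": "Hooli", "amount": 42.10},
    {"check_no": 1007, "payee": "Vandelay", "amount": -99.00},
    {"check_no": 1008, "payee": "", "amount": 18.00},
]


def validate(rec):
    """Preventive control: return a list of problems; empty means OK to post."""
    problems = []
    if not isinstance(rec.get("check_no"), int) or rec["check_no"] <= 0:
        problems.append("check_no must be a positive integer")
    if not rec.get("payee"):
        problems.append("payee is required")
    amt = rec.get("amount")
    if not isinstance(amt, (int, float)) or amt <= 0:
        problems.append("amount must be positive")
    return problems


def post_batch(batch):
    """Run the preventive control over a batch. Returns (posted, error_log);
    each error_log entry carries the rejected record and why it failed."""
    posted, error_log = [], []
    for rec in batch:
        problems = validate(rec)
        if problems:
            error_log.append({"record": rec, "problems": problems})
        else:
            posted.append(rec)
    return posted, error_log


def check_sequence_exceptions(posted):
    """Detective control (CAAT): gaps and duplicates in the check-number
    sequence of posted checks. Returns (gaps, duplicates) as sorted lists."""
    counts = Counter(r["check_no"] for r in posted)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    if not counts:
        return [], duplicates
    lo, hi = min(counts), max(counts)
    gaps = [n for n in range(lo, hi + 1) if n not in counts]
    return gaps, duplicates


def reprocess(error_log, corrections):
    """Corrective control: apply human-supplied corrections (keyed by
    check_no) to logged records and resubmit them through post_batch(), so
    anything still failing validation stays in the error log."""
    resubmitted = []
    for entry in error_log:
        rec = dict(entry["record"])
        rec.update(corrections.get(rec["check_no"], {}))
        resubmitted.append(rec)
    return post_batch(resubmitted)


if __name__ == "__main__":
    posted, errors = post_batch(BATCH)
    print("posted:", [r["check_no"] for r in posted])
    for e in errors:
        print("rejected", e["record"]["check_no"], e["problems"])
    gaps, dups = check_sequence_exceptions(posted)
    print("sequence gaps:", gaps, "duplicates:", dups)
    fixed, still_bad = reprocess(
        errors, {1007: {"amount": 99.00}, 1008: {"payee": "Soylent"}})
    print("reprocessed:", [r["check_no"] for r in fixed], "still bad:", still_bad)
```

The point the notes make about layering shows up in the output: validation (preventive) stops the negative amount and the blank payee, but only the sequence check (detective) exposes the duplicate 1003 and the missing 1005, and the resubmitted records still have to pass validation (corrective feeding back into preventive).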


What is the definition of "Key Controls"?

- A key control is one that prevents or detects material misstatement
- Relates to materiality and likelihood
- Also called Primary Controls


What are examples of "Key Controls"?

- A control, or combination of controls, that covers all risks, objectives, and assertions in a financial process related to RMM
- A control at the pinnacle of a hierarchy of controls over same process, risk or assertion
- A control designed to mitigate RMM arising from a process, and if failed, entity would fail to prevent or detect material misstatement
- A control that covers a risk that no other control also covers is by default a key control


What are "Non-Key Controls"?

- A control that does not fit as a Key Control
- Ex: A control that is designed to prevent or detect only immaterial errors


What is "Detection Risk"?

- Risk that audit procedures will fail to detect a material misstatement that exists
- DR is the component the auditor controls: it reflects the level of substantive procedures and further audit procedures needed to reduce Audit Risk to an acceptable level given the assessed RMM (higher RMM means a lower acceptable DR, which means more substantive work)