Flashcards in Risk Assessment (c)(i) and (c)(ii) Deck (14):
What is "Audit Risk"?
- Audit Risk = RMM (Risk of Material Misstatement) x DR (Detection Risk)
- Level of risk that is acceptable to the audit firm
- Auditor must consider risk of misstatement individually and in aggregate w/ other misstatements
"Audit Risk" is a function of what 3 primary risks:
AR = ICD!
1. Inherent Risk - Risk of material misstatement before controls are considered
2. Control Risk - Risk that IC fails to prevent or detect material misstatement in a timely manner
3. Detection Risk - Risk that audit procedures fail to detect material misstatement
What is "Inherent Risk"?
- Evaluate risk that could lead to material misstatement w/out regard to possible mitigating activities and controls, assuming no other related controls
- ID risks inherent to the entity or audit, even if the entity cannot affect them
- Ex: Entity’s environment and Entity’s IT (including financial data, data processing, and financial reporting processes)
What are examples of "Inherent Risk" with an Entity’s Environment?
(1) Current Economy
(2) Industry Risks
(3) Entity-Specific Risks
- Large volumes of transactions: probability of misstatement is proportional to transaction volume
- Certain geographic locations carry more IR (e.g., flood zone)
- Complex business processes or IT, use of ERP or enterprise-wide systems, history of noncompliance, history of not responding to auditors’ reports on deficiencies, and heavily regulated entities
What are examples of high "Inherent Risk" with Entity’s IT?
(1) Data transfers
- Any time data is transferred from one system to another
(2) Software coding
- More programming, more risk
- Mitigate IT risks associated w/ AppDev by employing SDLC best-practice principles
(3) Database administrator (DBA)
- A DBA can circumvent strong network and application controls
- Need proper SoD (segregation of duties) and mitigating controls (ex: no access to keying data, running apps, implementing apps, or developing systems)
(4) O/S Admins
- Unauthorized access to the O/S presents high IR of access to data
What is "Control Risk" and how should it be assessed?
- Likelihood or risk that a material misstatement in transactions, events, disclosures, or acct balances will not be prevented or detected by the entity’s system of internal controls in a timely manner
- To assess CR, the CITP needs to:
(a) Consider the nature of controls (automated vs manual, key vs non-key)
(b) Use a framework to evaluate controls (Preventive-Detective-Corrective / P-D-C model)
What is the P-D-C Controls Model?
- A framework for evaluating risks associated w/ controls
(1) Preventive Controls
(2) Detective Controls
(3) Corrective (Mitigating) Controls
What are "Preventive Controls"?
- Designed to prevent an adverse event from ever occurring
- Ex: Preventive controls implemented to prevent data keypunch errors, fraud, or bugs in software dev
What are "Detective Controls"?
- Designed to detect an adverse event if it occurs
- If an error in data occurs, a detective control is capable of ID'ing it
- Ex: Use a CAAT (computer-assisted audit technique) to ID gaps or duplicates in check numbers for disbursements
What are "Corrective (Mitigating) Controls"?
- If an adverse event occurs and is detected, a corrective control corrects the event and reestablishes equilibrium: corrects data, corrects workflow, etc.
- Ex: Use error logs in the app. A program written to ID anomalies (Detective) sends a report if any are found; a person corrects the errors and resubmits for reprocessing (Corrective)
What is the definition of "Key Controls"?
- A key control is one that prevents or detects material misstatement
- Relates to materiality and likelihood
- Also called Primary Controls
What are examples of "Key Controls"?
- A control or combination of controls that covers all risks, objectives, and assertions in a financial process related to RMM
- A control at the pinnacle of a hierarchy of controls over the same process, risk, or assertion
- A control designed to mitigate RMM arising from a process; if it failed, the entity would fail to prevent or detect material misstatement
- A control that covers a risk that no other control also covers is by default a key control
What are "Non-Key Controls"?
- A control that does not fit as a Key Control
- Ex: A control that is designed to prevent or detect only immaterial errors