Although expressed as a formula, it should be recognized that this is not a purely mathematical formula, but it is used to assist the auditor in judging and determining the acceptable level of error as a basis for designing procedures and conducting the audit.
Certain limitations of the audit risk model:
- Although the auditor makes the best efforts in planning, the auditor's assessment of desired audit risk, inherent risk, and control risk remains subjective.
- The audit risk model is a planning model, so it is limited in its use in evaluating audit results.
Points to note when using the audit risk model:
- Auditors can only assess but cannot influence potential risks and control risks.
In case of failure to assess, the auditor will accept the maximum risk.
- In case the potential risk and control risk are assessed at the lowest level, the auditor must still perform basic testing on important transactions and account balances.
- The auditor proactively decides on the level of detection risk by adjusting the content, scope and timing of substantive tests.
2.1.5.2. Audit risk matrix
In VSA 400, the relationship between risk types is established by a matrix table to determine the detection risk as follows:
Table 2.1: Audit risk matrix
Control risk assessment | ||||
High | Medium | Short | ||
Assess potential risks | High | Lowest | Short | Medium |
Medium | Short | Medium | High | |
Short | Medium | High | Highest | |
Maybe you are interested!
-
Perfecting the process and organization of internal audit apparatus in Vietnamese state-owned commercial banks - 20 -
Performance audit enhances the role of State Audit in public finance and asset management in Vietnam - 3 -
Current Practices of Auditing and Using Audit Reports in Vietnam. -
Factors Affecting the Quality of Auditing Financial Statements of Banks Conducted by the State Audit Office -
Internal audit organization in economic groups of Vietnam - 28
Through the audit risk matrix, we can see that detection risk is always inversely proportional to inherent risk and control risk.
2.2. AUDIT RISK ASSESSMENT IN THE AUDIT PLANNING PHASE AS REQUIRED BY VSA 315
Since the late 1990s, auditing based on the financial risk approach has been upgraded to the approach based on the client's strategic business risk. Business risk is defined according to VSA 315: "Business risk is the risk arising from conditions, events, situations, implementation or non-implementation of actions that have a significant impact that may lead to an adverse impact on the ability to achieve the objectives and implement the business strategy of the unit, or the risk arising from the determination of inappropriate business objectives and strategies".
Paragraph 3 of VSA 315 states that the auditor must identify and assess the risk of material misstatement due to fraud or error at both the overall financial statement level and the individual assertion level through understanding the client entity and its operating environment, including the internal control system, as a basis for designing and performing audit procedures to respond to the assessed risks. Understanding the client helps the auditor:
- Identify business risks related to financial statements and risks of material misstatement.
- Decide on risk response procedures.
- The basis for auditors to make professional judgments.
Accordingly, auditors must increase the implementation of complex analytical procedures to identify business risks. For frequently occurring transactions, auditors will mainly rely on the client's internal control system and only focus on detailed inspection of transactions, balances, and accounts that auditors believe contain risks of material misstatement.
2.2.1. Applying the concept of audit risk
This concept is applied in financial statement auditing to help auditors control risks within allowable limits. To achieve this:
- During the audit preparation stage, the auditor needs to assess audit risks, including inherent risks and control risks, to determine the appropriate level of detection risk, and on that basis design appropriate substantive tests so that the final audit risk will be within the allowable limit. For items where the acceptable detection risk is low, the auditor needs to increase detailed tests and expand the sample size. Conversely, for items where the detection risk level can be allowed
high, the auditor can reduce substantive tests and sample sizes to increase efficiency.
- During the audit phase, the auditor should always consider adding or adjusting the initial risk assessments. When preparing to complete the audit, based on the results of the audit process, the auditor should review whether the audit risk has finally been reduced to an acceptable level.
2.2.2. Understanding the unit and its internal control system
Understanding the unit
The entity knowledge that the auditor needs to gather under VSA 315 includes:
- Business sector, legal regulations and other external factors, including the framework for preparing and presenting financial statements;
- Field of operation;
- Type of ownership and management structure;
- Forms of investment that the unit is and will participate in, including investment in special purpose units;
- Organizational structure, production, business and management, capital structure of the unit;
- The accounting policies that the unit chooses to apply and the reasons for changes (if any);
- The unit's objectives, strategies and related business risks;
- Measurement and evaluation of unit performance.
Internal control system of the unit
VSA 315 requires the auditor to understand the internal control system of the enterprise related to the audit because all controls related to the audit are related to the financial statements, but all controls related to the financial statements are not related to the audit (Paragraph 12, VSA 315). In other words, there is a close relationship between the enterprise's objectives and controls in providing reasonable assurance. The objectives as well as internal controls related to the financial statements, operations and compliance of the enterprise, not all are related to the audit. For example, in the case of a diversified enterprise, the revenue of a small business that is within the acceptable margin of error will not be related to the audit, but the internal control of the entity on the existence of the revenue will still be performed.
According to paragraph A61, VSA 315, relating to the auditor's judgment about whether a control element, individually or in combination with other elements, is relevant to the audit may include matters such as:
- Materiality;
- The severity of the risks involved;
- Size of the unit;
- Characteristics of the business operations of the unit, including characteristics of the unit and owner;
- Diversity and complexity in the unit's operations;
- Situations and applicable components of the internal control system;
- The characteristics and complexity of the unit's internal control system, including the use of service providers;
- The existence and how a particular control, alone or in combination with other controls, can prevent and detect and correct material misstatements.
Understanding the entity's internal control system must include both the design and operation of the system. The components of the internal control system include: control environment, control activities, risk assessment, information and communication, and monitoring.
2.2.3. Carry out risk assessment procedures and related activities
According to the requirements of VSA 315, the auditor must perform risk assessment procedures to have a basis to identify and assess the risk of material misstatement at the financial statement level and the assertion level.
The risk assessment procedure includes the following steps:
- Interview the Board of Directors and other individuals in the unit;
- Perform analytical procedures;
- Observation and investigation.
Figure 2.3: Relationship between risk assessment procedures and activities related to assessing the risk of material misstatement.
Customer acceptance/retention procedures
Accumulated experience
Risk assessment procedure
Identify and assess the risks of material misstatement
Discussion in the audit group
2.2.4. Assessment of the risk of material misstatement
This section requires the auditor to identify and assess the risk of material misstatement in the financial statements. To assess, the auditor needs to:
- Identify risks by reviewing the entity's business situation and environment, including its internal control system, transactions, account balances, and presentation and disclosure in the financial statements.
- Relate identified risks and potential errors to data bases.
- Consider the likelihood of risk and the level of impact.
The auditor is required to determine whether the assessed risks are material risks that require special consideration or are risks for which substantive procedures alone would not provide sufficient evidence. The auditor is required to evaluate the design of the internal control system for risk and its actual operation. Procedures commonly used by the auditor to obtain an understanding of the client and assess the risks of material misstatement include:
- Interview;
- Check;
- Observe;
- Analytical procedures;
- Discussion between technicians.
At the overall financial statement level
According to VSA 315: “Risks of material misstatement at the financial statement level are risks that have a pervasive impact on many items in the financial statements and have a potential impact on many data bases”. Representing situations that increase the risk of material misstatement such as the capacity of the Board of Directors; fraud originating from the weakness of the internal control system or economic recession.
The assessment of audit risk at the overall financial statement level is based on information collected from understanding the business situation of the unit, auditing experience, potential risk factors at the financial statement level, the presence of factors that increase the possibility of errors, fraud as well as non-compliance with laws and regulations.
The auditor's understanding of the internal control system contributes to assessing the entity's ability to audit its financial statements. According to paragraph A107, VSA 315:
- Concerns about the integrity of the unit's Board of Directors lead the auditor to conclude that the risk of the Board of Directors misrepresenting information in the financial statements is so high that the audit cannot be performed.
- Concerns about the condition and reliability of the entity's records and documents lead the auditor to conclude that it is difficult to collect sufficient appropriate audit evidence to express an unqualified audit opinion on the financial statements.
At the database level
The assessment of risk at the assertion level is affected by the overall audit risk level of the financial statements. At the same time, the auditor will reassess the audit risk based on the understanding of the enterprise and its business situation, the nature of the items as well as through the study and implementation of control tests. From there, the auditor will design the basic tests so that the detection risk is consistent with the audit risk at an acceptable level.
Paragraph A109 of VSA 315 explains that the auditor should consider the risk of material misstatement at the assertion level for classes of transactions, account balances, and disclosures because this will directly assist in determining the nature, timing, and extent of further audit procedures at the assertion level needed to obtain sufficient appropriate audit evidence. When identifying and assessing the risk of material misstatement at the assertion level, the auditor may conclude that the identified risk has a broader impact on the financial statements as a whole and potentially affects multiple assertions.
Figure 2.4: Material Misstatement Risk Assessment Diagram
Risk identification
Does the risk assessment affect the financial statements or multiple assertions?
Relating risk to potential misstatement at the assertion level
Review the unit's control procedures
Consider the feasibility of performing a test of control
• Consider the impact of risks on financial statements
• Consider the possibility of risk
Design and perform further audit procedures
CHAPTER 3: CURRENT STATUS OF AUDIT RISK ASSESSMENT PROCESS IN AUDIT PLANNING PHASE AT PHAN DUNG AUDITING AND CONSULTING COMPANY LIMITED
3.1. GENERAL AUDIT PROCESS AT PDAC COMPANY
3.1.1. Audit planning
Receive customer requests
The client sends an invitation to the company by phone, fax, by invitation letter or in person. In all cases, the client's request must be reported directly to the Director. Determine what the client's audit objective is: statutory, stock or tender to assess the risk of accepting the audit contract.
Conduct preliminary customer surveys, assess the customer's business environment and control environment.
Auditors need to coordinate with the Board of Directors and relevant departments to clarify responsibilities and tasks that require support or explanation from the Board of Directors and staff of the client. When assigned to survey the requirements and customer records, the surveyor needs to identify key areas that need to be inspected, analyzed and performed the following contents:
Collect complete information according to the company's general survey form: information about business activities, control environment, accounting cycles, etc.
Collect additional information based on customer location and specific requirements.
General review of customer records and books.
Important information such as: customers being sued, customers going bankrupt, internal disputes, etc. need to be noted and recorded in the survey form.
The results of the survey must be clearly recorded, assessing the complexity of the documents, the expected time to perform, and the personnel. In case the audit work is considered to be risky, the assigned person can propose not to sign a contract with the client but must clearly state the reason in the survey report. The survey results are presented to the head of the audit department before being submitted to the Director.