CCH Audit Automation provides the facility for you to record Identified Audit Risks (or Significant Business Risks in ISA terminology). Many dialogs contain an [Identified risk] button and at any time you may select this to record a risk as it is identified.
When you click on the [Identified risk] button, the Associated audit risks dialog is displayed. This shows all audit risks already entered in respect of the question/source . From this you can add, edit or remove risks.
Please note the guidance button at bottom of dialog.
Add a new risk
To add a new risk, click on [Add], to edit an existing risk, select the risk and click on [Edit]. Adding or editing a risk is carried out through the following dialog.
Please note the guidance button at bottom of dialog
Enter the description of the risk and complete the other areas of the dialog as follows:
Keep risk record on balance forward
This will retain this risk so that it appears automatically on the list for next year.
Assess risk at the financial statements level
This will clear the input screens of details relevant only to risks at the assertion level and flag this as a financial statements level risk.
Material classes not otherwise tested
This identifies this as a material class of transactions, account balances or disclosures that has not otherwise been determined have risks of material misstatement. We are required to review these material groupings and confirm our judgement that no risks of material misstatement have been identified.
Risk profile (does not apply to financial statements level risks)
Each risk is assessed by reference to its financial impact and likelihood, select these by clicking on the appropriate radio button. A checkbox is available to indicate if the risk is a significant risk. The system will require that you enter a justification describing the reason why you have made the selections.
To save the justification, you must right click in the justification area and select ‘Save Justification’.
If the risk has been identified as a significant risk, by placing a tick in the checkbox, the system will require that you plan at least one procedure in the work programme for the risk and will not allow you to sign off planning until this has been done.
This flags the risk as one that mees the definition of such risks in ISA 315, which will therefore lead to further audit requirements (see ISA 240).
Financial statement area/assertions
You may associate the risk with any number of financial statement areas/assertion combinations. Use the [Add] and [Delete] buttons to complete this area.
IFULL Master Pack Only. For financial statements level risks, two dummy assertions (ZZ) are provided for risks that are ‘Pervasive to the financial statements as a whole’.
This ‘assertion’ is included in the following areas:
- A Audit and accounts review (which would include for instance, issues relating to going concern or fraudulent overstatement of the company’s position - see ISA 315.A195-A198).
- Y Trial balance and accounts (which would include risks linked to nominal ledger adjustments).
Risk assessment and audit response
This area allows you to identify your assessment of the inherent risk, whether you expect to place reliance upon controls (and the extent of that reliance), and the reliance to be placed upon non-sampling substantive tests. The residual risk to be covered by sampling is calculated from this information. These assessments are done independently for each assertion, ie:
- You highlight the first assertion.
- You enter the inherent risk level (none to 5).
- You choose whether tests of control will be used, and the level of reliance (low or medium).
- If you are testing controls, you need to assess control risk. Note that the CCH procedures allow tests of controls only where control risk is low, but other methodologies may apply different restrictions.
- If you are applying non-sampling substantive tests (including reliance on other audit areas), you choose the level of reliance (high, medium, low, none).
- The residual risk is calculated and is shown as a value none to 5.
- You then highlight the next assertion and repeat the process.
You may design the audit procedures in respect of the risk at any time. This can be done from this dialog by clicking on the [Work programme] button, or you can do this at the same time as designing your work in respect of assessed risks, as described later in this document. Details of how work programmes are created are set out in that section.
When working from the identified risks screen, there are three possible areas for which a work programme is required: tests of control, non-sampling substantive tests, and residual risk covered by sampling. Where any of those three are not "none", the system will require that you click on that row in the Risk assessment and audit response screen and choose or design tests for it.
Text Box for Assertions
In right hand panel text boxes with headings are provided for each selected assertion
Note: this process will need to be done for each separate assertion
Key control (does not apply to financial statements level risks)
You can add a key control and link this to the audit risk, if required. Note that this is required only for risks is identified as a significant risk, controls over journal entries, or where tests of control are being carried out. Click the [Key control] button to list any key controls already linked to this audit risk, and use the [Add] button to create a new control. For further information see the Key Controls section on click here.
After the field work has been completed, you will need to record your conclusion on the risk. This is typically required after planning has been signed off. However, it is possible that the planner may decide that there is no need to design any procedures in respect of an entered risk if it does not represent a material risk. In this case, they will want to enter their reasoning as a conclusion.
To enter a conclusion, click the [Risk Conclusion] button to display the following dialog:
Enter your conclusion and click on [OK]. If you have entered a conclusion in error, or later wish to remove it, you can remove it by returning to this form and selecting [Remove conclusion]. If someone else has entered a conclusion and you wish to add to it, you can do so by selecting [Add to comments] from this dialog.
Please note that other users even if a lower level than than user that created the identified risk can click on the assertions and view them after Risk is concluded to check it’s respective data like Risk assessment and Audit Response and Risk profile and Settings.
Amending conclusions of identified audit risks
The risk conclusion cannot be edited by someone who is a lower user level than the current user. If the current user is the same or higher user level than the user that concluded on the risk, the non-selectable remove conclusion button will be replaced with an active revise conclusion option. This will allow the user to update the original conclusion. If you wish to add comments to the conclusion this is still available via the Add to comments button.
Note: an entry will be made in the audit trail and will record the original conclusion and the initials of who made the change and the date the change was made.
Keep risk on a balance forward
If the risk that you are defining is of a type that it will occur again in the following year, tick this checkbox and the risk will not be removed when the client’s records are balanced forward to the following year.
Adding comments to risks raised by someone else
If you open a risk that has been raised by another member of staff, you will not be able to edit the risk description, however, an [Add to comments] button appears above the description of the risk and you can use this to add your own thoughts.
Financial statements level risks
You will tick the box on the right of ‘Assess risk at the financial statement level’ to activate this type of risk.
These risks are different in nature from assertion- level risks and require different treatments:
- The risk is assessed qualitatively only (‘Evaluate the nature and extent of their pervasive effect on the financial statements’ ISA 315.30b). This information is entered in the same box as the description.
- The risk profile settings spectrum 1-5 are not applicable
- The user does NOT devise specific tests linked to individual audit assertions as a result. Instead, the user identifies ‘overall procedures’ in response to the risk (ISA 330.5).
- The auditor is also required to consider whether there are specific assertions affected by the pervasive financial statements risk. If so, these should be entered separately in the same way as other risks at the assertion level.
- In the risk assessment and audit response matrix Control Risk and Risk of material misstatment are disabled.
Material classes not otherwise tested
You will tick the box on the right of ‘Material classes not otherwise tested’ to activate this type of risk.
This option is used for the stand-back procedure required to 'Review any material classes of transactions, account balances or disclosures' for which there is no identified risk of material misstatement. When the user chooses this option, the screen changes so that:
- The risk profile is not shown, since we are confirming that we do not identify a non-trivial risk of material misstatement.
- Significant risk and fraud risk are irrelevant.
- Inherent risk should be left as ‘none’.
- You should tick the box for ‘no key controls’.
Often (as in the example above) the user will conclude that the existing substantive analytical review procedures already provide adequate audit evidence, and this would be recorded in the description box. Where the user wishes to include specific procedures, the work programme link should be used to identify the tests being used.
Linking risks to more than one source
As you enter risks via a source, eg the preliminary analytical review, the system stores the source with each risk and when you access the list of risks you only see the risks associated with the source from which you entered the list. It is possible that you may wish to associate the same risk with more than one source and this is possible via the Associated audit risks dialog. To do this, click on the [Audit risk] button from the source with which the risk is to be associated. Click on the Show all risks checkbox and all audit risks will be displayed.
Select the risk to be linked and then click the [Link] button. The association will be made. If you remove the “Show all” tick, only the risks associated with the current source will be displayed.
Menu access to show all risks
You may display the full list of identified audit risks by selecting Planning [Risk analysis] Identified risks. The system will display the above dialog with the “Show all audit risks” option ticked so that all risks are shown.
The identified risk summary has been updated and the risk profile column has been updated to show if the risk has been identified as a fraud risk. As there is now potential to have multiple assessments of assertions, the summary screen will only show the assertion with the highest assessed risk.
The final column in the dialog shows the source, or sources, of the risks. You may drill down to a source, by highlighting the risk and clicking on the right mouse button, or on [Source]. A pop up menu will appear listed in the sources to which the risk has been associated. Click on the source to be displayed and source dialog from which the risk was originally entered will be displayed.
Clicking the [Risk summary] button results in the display of a report containing all risks, the procedures that have been carried out in connection therewith, results and conclusions.
The risk summary report has been updated to allow for the updated reporting requirements. We have also introduced a matrix to show the assessment of the risk. If multiple assertions are assessed within a risk, the risk will appear in the matrix with the highest assessed assertion.
When you click on OK, you will get a report containing all risks (one risk per page), the procedures that have been carried out in connection therewith, results and conclusions.
The matrix can be used to filter the risks that have been assessed high in the spectrum. You get 3 tick boxes to filter:
- Significant risks
- Fraud risks
- Financial Statement level risks
Print risks button
Clicking this button results in a printed report of all risks and conclusions, without the audit procedures.
Identified risk icon
In any lists showing a question/source with an associated audit risk, a red exclamation mark is displayed by the text. When the item dialog is displayed, the text of the [Identified risk] button is displayed in red if there is one or more audit risk associated with the question.