The risk model followed by Audit Automation is based on the assumption that total audit risk must be below an acceptable limit in each audit area. Audit risk, in this context, is defined as the risk that material errors exist which are not picked up by the audit work. An alternative way of expressing this is in terms of audit confidence, namely, that you wish to be at least X% confident that the audit work will pick up any material errors.
Audit risk may be considered in its constituent parts:
1) Inherent risk - that material errors are present in the accounts (IR).
2) Control risk - that the client’s internal control procedures, or proprietorial controls, fail to detect material errors (CR).
3) Detection risk - that the auditor’s test will fail to detect errors (DR).
Detection risk can be sub-divided into two areas:
a) Sampling detection risk - that the sampling tests will fail to detect material errors (SDR).
b) Non-sampling detection risk - that the work carried out, other than sampling, fails to detect material errors (NSDR).
To use Audit Automation it is not necessary to understand the underlying mathematics of the risk model; however, it is important that the user understands the concept of each element of risk and is able to answer the questions posed or make an assessment where required.
Risk must be assessed not only at a financial statement area level, but also by class of transaction and assertion in each area. There is also the requirement to identify and record business risks. Once this has been done, you must then design the audit procedures to cover both the assessed and specific audit risks.
General inherent risk
Up to 99 areas can be defined for general risk and each area can have up to 99 questions which are answered “Yes” or “No”. Where the answer indicates that there is not a problem, no points are scored. Where, however, the answer is adverse, points will be scored - the more fundamental the problem, the higher the points. Where appropriate, you should annotate your answers to the questions, explaining why you have selected the answer you have. Audit Automation allows you to enter a note to be attached to any question.
The system totals the points for each of the general areas and can base the assessment of general risk on the results of each area and the overall total. A matrix is maintained, as a look-up table, for the number of areas which exceed a points level and the overall points score. The client is allocated a risk level from 1 to 5, with 1 representing a high-risk environment and 5 a very low-risk environment.
The overall assessment of inherent risk is at a general level and the resulting risk is shown as guidance only and plays no part in the automated calculation of residual risk. As will be seen, the auditor uses their judgment to assess the “Overall risk” for each assertion in a financial statement area.
The control environment is the culture within which the internal controls are operated. If the company has a strong control environment, then the culture will be such that controls can rarely be bypassed. However, if there is a slack attitude towards controls, then even if controls exist, significant risks could be present and no reliance can be placed on the controls being effective in practice. The control environment is assessed by the user answering a series of questions and the system using a look-up table to determine whether the answers indicate a strong, neutral or weak environment.
As with the General Inherent Risk, the result is shown for guidance only while the auditor considers the level of reliance that can be obtained from control testing and whether any significant risks arise from any weak control environment.
As with Overall risk, the user must determine this on an assertion by assertion basis. In Audit Automation, the user indicates the level of reliance that is to be placed on controls and the system determines the audit risk after control reliance has been taken into account.
Non-sampling detection risk
Non-sampling risk relates to the comfort that one can draw from an analytical review of the client’s results, and other external information that can provide a guide to the accuracy of the figures. The auditor cannot obtain non-sampling detection comfort for all audit areas and the system therefore allows an upper limit to be set on the comfort that can be taken in each audit area.
Again, the user must determine this on an assertion by assertion basis. In Audit Automation, the user indicates the level of reliance that is to be obtained from non-sampling methods and the system determines the audit risk after this level of reliance has been taken into account.
Residual risk is calculated by multiplying together the audit risks for each of the above items, and a look-up table is then used to derive the corresponding risk level, risk factor and sample size.