Objective of the auditor’s risk assessment
The auditor can manage audit risk at an acceptable level by designing the detection risk.
Detection risk is primarily influenced by the audit strategy.
To determine the appropriate audit strategy, the auditor needs to assess the risk of material misstatement (RoMM) by evaluating the Inherent Risk and Control Risk.
ISA 315 R outlines the objectives of the auditor's risk assessment, which include understanding the entity and its environment, identifying and assessing risks of material misstatement, and providing a basis for designing responses to those risks.
The risk assessment serves as the basis for developing the audit plan and the audit strategy.
An internal control is a process designed, implemented, and maintained to provide reasonable assurance on achieving entity objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations (ISA 315.4 R).
Internal controls address identified business risks that jeopardize objective attainment.
Objective: Develop effective and adaptable internal control systems.
Mitigate risks to acceptable levels.
Support sound decision-making and governance.
Enable organizations to adapt to changing environments.
Assist management, board of directors, and external stakeholders in fulfilling their duties.
Not overly prescriptive - provides understanding and insight into effective application of internal controls.
Understanding of Internal Control components (COSO: CRCIMI)
Control Environment: Does management establish a control-focused organization?
Risk Assessment: Does management identify key risks, including non-financial risks, for the company?
Control Activities: Are control activities implemented based on the identified risks as the core of the control system?
Information & Communication:
Information: Is there a handbook or guidance for setting up the internal control system?
Communication: Are there clear communication procedures for reporting the results of control activities and addressing findings?
Monitoring Activities: Is there a system in place to monitor the entire control system, identify weaknesses, and make improvement suggestions?
Independence: Is the monitoring function independent from the operational environment?
Business risk: The entire risk of the company, which management is responsible for handling.
Within the risks related to financial statements, there are risks that lead to RoMM! (Only a subset, and thus relevant for the auditor.)
Risk of mass transactions: Risk that a simple transaction occurs millions of times, all done in the same way.
If there is a systematic error in the mass transaction, all transactions are wrong and the aggregate is wrong, resulting in a financial misstatement.
The orange bubble is the most significant to address from an auditor's perspective.
Internal controls are designed to mitigate all business risks!