Audit Process: Risk Assessment Process.ppt
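Chapter 8 Audit Process: Risk Assessment Process

"After Equity Funding and the Cohen Commission, the profession rebuffed society's calls for heightened fraud detection responsibilities, but it's different this time. We are in a new era where auditors need to be more responsible for detecting fraud."
Paraphrased from comments by Greg Scates, Associate Chief Auditor, PCAOB Symposium, December 9, 2004.

Chapter 8 Contents
1. Overview of risk-based auditing
2. Engagement risk management
3. Audit risk management

Overview of risk-based auditing
- The significance of risk-based auditing
- Basic features of business risk-based auditing
- The nature of risk
- Basic process of business risk-based auditing

Objectives and general principles of a financial statement audit
Article 13: By performing the audit in accordance with the auditing standards, the certified public accountant can obtain reasonable assurance that the financial statements as a whole are free of material misstatement.
Article 14: Because inherent limitations of an audit affect the certified public accountant's ability to detect material misstatements, the certified public accountant cannot obtain absolute assurance that the financial statements as a whole are free of material misstatement.

The meaning of reasonable assurance
- Reason: limited human cognitive ability and the inherent limitations of auditing
- Meaning: assurance at the level society requires
- Equation: reasonable assurance (%) = absolute assurance (100%) - audit risk (%)

The risk-based audit approach
The risk-based audit approach is one in which the auditor reduces audit risk to an acceptably low level, so that the "reasonable level" that provides a reasonable basis for the audit opinion stays at a high level.

Business risk-based auditing
- Basic idea: the root of material misstatement of the financial statements lies in the business risks of the audited company
- Basic concept: auditing is an evidence-forming, judgment-based risk assessment process
- Ernst & Young: the "Global Audit Methodology" (GAM) audit model
- KPMG: the "Business Measurement Process" (BMP)

Basic features
- A multi-faceted concept of risk
- Diversified sources of information
- Top-down approach
- Emphasis on analysing the effect of business risk

Four critical components of risk
- Enterprise risk: uncertainty that affects the enterprise's achievement of its strategic objectives.
- Financial reporting risk: risk directly related to recording transactions and to financial statement disclosure.
- Engagement risk: risk arising from entering into an audit engagement with a particular client.
- Audit risk: the risk that the auditor fails to detect a material misstatement in the financial statements when performing the audit and, as a result, issues an incorrect audit opinion.

Tools for structuring evidence
- Software tools
- Checklists
- Templates
- Large databases such as industry and economic statistics
- Other sources of information

Top-down approach
- The partner or engagement manager takes part in the whole audit engagement, which is centred on the audit planning process
- Evaluation of high-level controls, for example discussing the company's risk management directly with management

Example
The effect of real-world business risks on a company's ability to continue as a going concern

Figure 9-1: Basic process (surviving label: Revise the audit plan)

Risk-based approach to auditing
- Understand the client's risk management process
- Understand the client's business operations and the risks it faces
- Estimate account balances and financial results based on the identified risks;
- Assess the quality of internal control within risk management;
- Determine residual risk and update the estimates of account balances;
- Manage the risk of account balance misstatement by performing the necessary direct tests of account balances.

COSO defines ERM as a
process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of the entity's objectives.

Understanding ERM Process-1
- Understand the client's risk assessment process
- Review the risk-based audit approach used by internal audit
- Discuss with management their approach to risk management
- Review the company's compensation policies to see whether they are consistent with its risk policy
- Review risk management documentation, etc.

Understanding ERM Process-2
- If the company has strong risk management processes, the auditor may focus on testing controls and developing corroborative evidence on account balances.
- If the company does not have a comprehensive risk process, the auditor will assess engagement risk as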
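  high, set audit risk at a lower level, and increase direct testing.

Key Business Processes
- The key business processes
- Industry factors that affect the key business processes
- How management manages these key business processes
- The operating and financial effects the key business processes may produce

Business Risk
The danger posed to a company's development, operating results and going concern by factors internal to the company and by uncertain external factors that affect its activities.
- Macro-level risks that affect all companies roughly equally.
- Micro-level risks that affect only a particular industry or a particular company.

Business Risk
Examples of the former: economic downturn, inflation, high interest rates, war, soaring oil prices, political instability, technological innovation, economic blockade, etc. Examples of the latter: rising raw material prices, shortage of working capital, strikes, changes in consumer trends, litigation, government regulation, debt guarantees, contingent losses, breach of contract, deteriorating operations of subsidiaries or associates, declining earnings of investees, bankruptcy of customers or suppliers, etc.

Sources of Information
- Intelligent agents
- Knowledge management systems
- Online searches
- Electronic research: Electronic data gathering and retrieval system (EDGAR)
- Economic statistics
- Professional practice bulletins
- Stock analysts' reports, etc.

Sources of Information
The auditor can also obtain information about key business processes by communicating with management and the predecessor auditor, reading prior-period audit working papers and the client's budgets, touring production workshops and business departments, reviewing the data processing centre, reading important debt covenants and board minutes, and confirming the relevant government laws and the client's related legal responsibilities.

Developing Expectations
- The auditor should use information about the company's key processes and risks to develop expectations about its account balances and performance
- These expectations are compared to recorded book values to identify misstatements

Sources of data commonly used
- Financial information for prior periods
- Expected or planned results from budgets and forecasts
- Comparison of linked accounts (such as interest expense and debt)
- Ratios of financial information (such as common-size financial statements)
- Company and industry trends
- Relevant non-financial information

These expectations should be
- Developed independently of management
- Documented, along with a rationale for the expectations
- Communicated to all audit team members

Techniques commonly used
- Trend analysis
- Comparative financial statements (horizontal analysis)
- Common-sized financial statements (vertical analysis)
- Ratio analysis

What are the purposes of preliminary analytical procedures?
- understanding the client's industry
- assessing going concern issues
- indicating possible misstatements
- reducing detailed tests

Examples of key performance indicators
- Backlog of work in progress
- Amount of return items
- Increased disputes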
  regarding accounts receivable or accounts payable
- Surveys of customer satisfaction
- Employee absenteeism
- Decreased productivity
- Information processing errors
- Increased delays in important processes

Residual risk
The remaining risk after management has taken action to alter the risk's likelihood or impact.

Linkage to direct tests of account balances
If the auditor concludes there is a high risk of material misstatement, the auditor must
- Set materiality at an appropriate level
- Use procedures appropriate for the level of risk to examine the account balance

Quality of accounting principles used
The auditor is required to assess the appropriateness of the accounting methods used by management. Guidelines to evaluate appropriateness include:
- Representational faithfulness: does the accounting reflect the economic substance of the transactions?
- Consistency of application of GAAP
- Accounting estimates: based on proven models, reconciled to actual results, based on valid economic reasons?

Managing Detection & Audit Risk
- Adjusting audit staff to reflect risk associated with a client
- Developing direct tests of account balances consistent with detection risk
- Anticipating potential misstatements likely associated with account balances
- Adjusting the timing of audit tests to minimize overall audit risk

Engagement risk management
- The significance of engagement risk management
- Considerations about the client in engagement risk management
- Obtaining the information needed for engagement risk management
- Consideration of the auditor's own factors in engagement risk management

Audit engagement letter
- What is an engagement letter? An executory contract between the auditor and client
- Why is it necessary? To document the terms of the audit and minimize misunderstandings.
- Do you know a lawsuit case?

- The letter is written by the auditor to the client, then signed by both.
- When should the letter be signed? Before or after the predecessor/successor auditor communication? Before or after the audit procedures?
- Must an engagement letter be in a written form?

1136 Tenants Corporation vs. Rothenberg case
- Tenants are the owners
- Managed by third party realtor
- CPAs maintained accounting books (bookkeeping)
- Sued for failure to discover defalcations of management
- Confusion between
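  the role of CPA and Auditor

Lessons
- CPAs are supposed to audit the financial statements (Expectation Gap)
- Engagement letter
- Alert for any sign of defalcation
- Report any sign of fraud to owners, regardless of services rendered

Diagram (labels): 1136 Tenants Corporation; CPA firm; A realtor (president: Rothenberg); Managed by; Hired; Oral agreement; Only bookkeeping, no audit service
- Rothenberg stole $130,000.
- The auditor did not report Rothenberg's fraud to the management of 1136 Tenants Corporation
- Compilation fee: $600
- Court's judgment: pay $230,000 to the 1136 Tenants Corp.

Engagement Risk
Engagement risk management is one of the most important audit decisions. Business failure of the audited company, or material misstatements in its financial statements that the auditor could not detect, often lead to audit litigation. The purpose of engagement risk management is to exclude high-risk clients and control audit risk at the source.

Overall considerations
- No audit can provide 100% assurance;
- Auditors compete for clients in a fiercely competitive market;
- Auditors have an obligation to meet society's expectations of financial reporting and auditing;
- Auditors should develop audit methods to deal with high risk;
- Auditors can maintain a high degree of professional skepticism to detect significant misstatements.

Factors Affect
- Quality of the client's corporate governance
- Client's financial health
- Client's economic prospects

Corporate Governance
The process by which owners, creditors and others outside the company exercise control over the company and require it to discharge its stewardship responsibility. The quality of corporate governance reflects the quality with which management discharges its stewardship responsibility and the quality of financial reporting.

The key factors an auditor will analyze
- Management integrity
- Independence and competence of the board of directors and the audit committee
- Quality of ERM and internal control
- Compliance with legal and reporting requirements
- Extent to which major stakeholders participate in the company's operations
- Related-party transactions

Why the financial health
- An audited company filing for bankruptcy after the audit increases the likelihood that the auditor will be sued
- Through the assessment the auditor needs to:
  - understand whether management has a motive to misstate the financial statements
  - identify areas of possible misstatement
  - identify unusual account balances

Economic Prospects
High-risk companies are generally characterized by
- insufficient working capital;
- lack of a long-term strategy and business plan;
- low cost of market entry;
- dependence on a limited product offering;
- dependence on technology that is about to become obsolete;
- unstable future cash flows;
- a history of inappropriate accounting treatment;
- having been investigated by external regulators.

Engagement management information
- Communication between predecessor and successor auditors
- Inquiries of other personnel
- Any communications between the predecessor and management or audit committee regarding fraud, illegal acts or internal control matters.

Communicate with Predecessor Auditors
Why?
- To identify client's reasons for an audit
- Competency of the prior auditor
- Hunting for opinion
- Prior CPA left the client because of illegal acts.
- Support beginning balances
- What if not sure about the beginning balance?

Procedures of predecessor and successor auditor communication
- the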
  successor is required to initiate the communication
- the client must give permission for the communication
- What if a client does not give permission?
- Is the predecessor required to respond?
- What if a predecessor auditor does not respond?

Audit Committee
- Audit committee is responsible for appointment, compensation and oversight of auditors
- Arrangements for the audit should be made through contact with the company's audit committee
- Required by NYSE and NASDAQ
- Consists of at least 3 independent (outside) directors
- Audit committee members should not receive any consulting, advisory or other compensatory fees from the company
- Audit committee members should be financially literate

What would be the major question in client acceptance?
- Are we independent?
- Are we technically competent?
- Is client reputable?
  - client lacking integrity
  - financially unstable client
  - client unable to pay audit fees
- Why do they want us?

Are we technically competent?
- training and overall experience
- industry and client experience
- supervision
- need for specialists

Components of Engagement Letter
- Name of the client
- statements to be audited
- scope of the services including any limitations
- the auditor's responsibility for detecting fraud
- obligation of the client's staff in preparing schedules and statements
- fees or method of determining fee
- provisions for client's acceptance signature and date
The more specific, the better

Audit risk management
- Overview of audit risk
- Audit materiality
- Audit risk assessment and control

Overview of audit risk
- The concept of audit risk
- The elements of audit risk
- The theoretical model of audit risk
- Limitations of the audit risk model

What is audit risk?
Audit risk is the risk that an auditor may issue an unqualified opinion on materially misstated financial statements.

Elements of audit risk
- Inherent risk
- Control risk
- Environmental risk
- Detection risk

Inherent Risk
The likelihood that a financial statement item is affected by accounting bias such as error or fraud; that is, the likelihood that a material misstatement arises in an account or class of transactions, assuming the audited company has no related internal control policies or procedures. Some accounts, components and cycles are inherently riskier than others.

Control Risk
The risk that material misstatements will not be prevented or detected by internal controls

Characteristics of control risk
- The level of control risk is related to the level of the audited company's internal control.
- Control risk can never be zero.
- The degree of control risk may differ across transaction cycles.

- Sampling risk: auditor samples
- Non-sampling risk:
  - auditors may select
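    ineffective audit procedures
  - auditors may apply procedures ineffectively
  - auditors may incorrectly evaluate the results of procedures

Detection Risk
A risk that material misstatements will not be detected by the audit procedures

Sampling risk
Sampling risk is the possibility that the conclusion the auditor draws from the sample results does not match the characteristics of the audited population. It arises from the uncertainty of sampling and is related to the sample not being representative of the population.

Non-sampling risk
Non-sampling risk is the possibility that the auditor fails to detect a material error because of using inappropriate audit procedures or methods, or because of misinterpreting audit evidence. It arises from problems of observation such as errors in evaluating evidence.

Non-Sampling Risk is the Primary Culprit
The SOX Section 704 report published by the SEC in 2003, after analysing the causes of audit failure, pointed out that the main reasons auditors were charged were failing to maintain due professional skepticism toward non-recurring items, period-end transactions or related-party transactions, and failing to obtain sufficient appropriate evidence to support their opinion on the financial statements.

Figure 8-2: SEC analysis of the causes of audit failure (surviving label: 98%)

Audit Risk vs. Engagement Risk
There is an inverse relationship between audit risk and engagement risk. If the auditor accepts an audit engagement with higher engagement risk, the auditor needs to perform a correspondingly rigorous audit, and to do so needs to set audit risk at a lower level. Conversely, if engagement risk is lower, the auditor can set a higher level of audit risk.

Audit risk model
- Risk that a material misstatement has occurred
- Risk that auditors do not detect the misstatement

Characteristics of detection risk
There is an inverse relationship between detection risk and environmental risk. Therefore, although the auditor cannot control environmental risk, the auditor can analyse and judge the level of inherent risk through the necessary audit procedures, estimate the level of control risk based on the soundness and effectiveness of the audited company's internal control, and plan the acceptable level of detection risk, so that audit risk is reduced to an acceptable level. The level of detection risk directly determines how rigorous the substantive audit is. The lower the level of detection risk, the more rigorous the substantive testing.

Example
The auditor's acceptable level of audit risk for a particular financial statement item is 3%, and the inherent risk of that item is estimated at 90%. When control risk is 80% and 20% respectively:

        Case 1    Case 2
AR:     3%        3%
IR:     90%       90%
CR:     80%       20%
DR:     4.17%     16.70%

Explanation
Case 1 shows that to keep audit risk within 3%, detection risk must be kept within 4.17%; in other words, the planned scope of testing must be large enough to ensure that the level of audit effectiveness reaches at least 96%. In Case 2, the effectiveness of audit procedures needed for the same level of audit risk only has to reach 84%, so the scope of testing can be greatly reduced compared with Case 1.

Audit Risk Model: Limitations
- Inherent risk is difficult to formally assess
- Audit risk is subjectively determined
- The model treats each risk component as separate and independent when clearly, this is not the case
- Audit technology is not so precise that each component can be accurately assessed

Materiality
- The significance of materiality
- The concept of materiality
- Materiality and its application

What is materiality?
Materiality is the magnitude of omitted or misstated information that probably would have made a difference in the judgment of someone relying on that information (FASB 2).

three significant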
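dimensions
- Amount of the misstatement: the degree of materiality is related to the size of the amount;
- Context: the degree of materiality depends on the audited company's scale of operations and nature of business.
- Effect on users of the information: impact on potential users and the type of judgments made

"$1000 - WOW!" / "$1000. peanuts"

Factors affecting the preliminary judgment about materiality
Circumstances and User impact:
- A misstatement caused by fraud or illegal acts is more material than a misstatement of the same amount caused by error;
- Small differences related to contract terms (for example, ratios in debt agreements) can also be material;
- Immaterial misstatements of individual accounts may accumulate into a material misstatement of the financial statements.

Factors affecting the preliminary judgment about materiality
SEC Staff Accounting Bulletin #99
- Misstatements arising from intentional mismeasurement;
- Misstatements that change earnings trends;
- Misstatements that turn a loss into a profit or vice versa;
- Misstatements occurring in a significant segment or business;
- Misstatements that violate laws and regulations;
- Misstatements used to satisfy debt covenants;
- Misstatements that bear on management compensation;
- Misstatements that conceal illegal transactions.

Materiality and its application
- Determining materiality at the financial statement level
- Determining the materiality level at the account and transaction level

Set Planning Materiality for the Statements as a Whole
- Not required to quantify
- Judgmental
- Rules of thumb
  - 5% to 10% of net income before tax
  - % to 1% of total asset
  - % to 1% of total revenue
  - 1% of total equity
- Multiple bases of materiality
  - E.g., net income is not misstated by $100,000, and total assets is not misstated by $300,000.

Materiality vs. volume of audit evidence (audit cost)?
- "Investigate misstatements over $1." A small materiality estimate will result in more/less evidence.
- "Investigate misstatements over $1,000,000." A large materiality estimate will result in more/less evidence.

Allocate Planning Materiality
Auditors initially set planning materiality for the statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement

Qualitative materiality judgments
Matters generally to be considered include:
- The likelihood of fraud or loss
- How easily subjective judgment or manipulation can occur
- The nature of the account itself, e.g. construction-in-progress accounts
- The complexity of data calculation and bookkeeping
- The nature of the transaction itself, e.g. related-party transactions

Figure 8-3: Materiality judgments at the financial statement level and at the account and transaction level

Steps in Risk Assessments
- Understand the audited company's business operations and industry
- Assess the risks the audited company faces and their effect on the financial statements
- Make a preliminary assessment of the audited company's internal control over financial reporting

- to identify related parties (SAS #16: Related parties and their transactions)
- SAS #21: Understanding the audited entity, requires a reasonable understanding of the client's industry.
- to identify the need for outside specialists (SAS #12: Using the work of a specialist)

- to misstate the financial statements
- SAS #X: Consideration of fraud in a financial statement audit
- Are management bonuses based on net income?

how?
- study corporate charter and bylaws
- study minutes of board and stockholder meetings
- study existing contracts

What are the purposes of preliminary analytical procedures?
- understanding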
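  the client's industry
- assessing going concern issues
- indicating possible misstatements
- reducing detailed tests

Sufficiently Well-justified Beliefs
The auditor's risk assessment must be built on sufficiently well-justified beliefs, and the auditor must be able to explain to others the reasons and grounds on which such a belief is justified.

Documentation
- Documents relating to the audit plan;
- Documents relating to entity-level control items;
- Documents relating to the audit of special items.

Risk Assessment at F/S Level
Risk assessment at the financial statement level is intended to identify pervasive financial reporting risks, such as going concern risk and fraud or error that gives rise to material misstatement of the financial statements.

Risk Assessment at CAB Level
Risk assessment at the account balance and transaction cycle level is intended to identify fraud or error at the account and transaction level. The auditor should consider risk at the account and transaction level for individual assertions.
CAB: Classes of Transactions and Account Balances

Figure 8-9: Account balances and transaction cycles and financial statement assertions (labels: Reliability of financial information; Presentation and disclosure; Account balance or transaction cycle; Valuation and allocation; Rights and obligations; Completeness; Existence or occurrence)

Two types of misstatements
- Misstatements arising from fraudulent financial reporting
- Misstatements arising from misappropriation of assets.

Internal Accounting Control Program
IACP Primary Objectives
- Safeguarding the state's assets
- Providing reliable financial information

Figure 8-10: Risk assessment process (labels: Prepare the audit plan; Perform audit procedures; Evaluate audit evidence; Stage 1; Stage 2; Stage 3; Form audit evidence)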