TABLE OF CONTENTS
LIST OF TABLES
INTRODUCTION
CHAPTER I: THEORETICAL FRAMEWORK OF AUDIT RISK EVALUATION IN FINANCIAL STATEMENT AUDIT
1.1 Audit risk in the Financial Statement Audit
1.1.1 Definition
1.1.2 Types of Audit risks
1.2 Evaluation of Audit Risk in Financial Statement Audit
1.2.1 Determine the level of desired audit risk
1.2.2 Inherent Risk Assessment
1.2.3 Control Risk Assessment
1.2.4 Detection Risk Assessment
CHAPTER II: CURRENT SITUATION OF AUDIT RISK ASSESSMENT IN FINANCIAL STATEMENT AUDIT IN VIETNAM
2.1 The development of auditing in Vietnam
2.2 Current status of audit risk assessment process in Vietnam
2.2.1 Audit risk assessment
2.2.1.1 Risk assessment in terms of financial statement
2.2.1.2 Audit risk assessment in terms of account balance and type of operations
a. Inherent risk assessment in terms of account balance and type of operations
CHAPTER III: ASSESSMENT AND RECOMMENDATION FOR IMPROVING AUDIT RISK EVALUATION
3.1 A general assessment of the process of audit risk assessment in current financial statements in Vietnam
3.1.1 Strengths
3.1.2 Weakness
3.3.2 Solution for improving audit risk evaluation
CONCLUSION
LIST OF TABLES
Table 1.1: Relationship between risks and audit evidences
Table 1.2: Risk matrix detection
Table 2.1: Inherent Risk Assessment in terms of Financial Statements of the AASC
Table 2.2: Internal Control of Customers conducted by AASC
Table 2.3: Conclusions on inherent risks in terms of account balance and type of operations performed by the AASC
Table 2.4: Synthesized audit risk assessment for each account on the financial report made by the AASC
Auditors are gradually asserting an important position in the Vietnamese economy. At present, the service of auditing the financial statement is still a large proportion of the total revenue of independent auditing companies in Vietnam. Implementing an effective risk assessment that identifies a sound audit plan is an important factor contributing to the quality and effectiveness of the audit. However, in practice, the audit risk assessment in the audit of financial statements of independent auditing firms in Vietnam still has many incomplete points, because this is a complex task requiring skill as well as judgment of the auditor. Therefore, the audit and assessment of audit risk in financial statements is a matter of concern. So, I chose "Auditing Risks and Processes of Audit Risk Assessment in Auditing Financial Statements" for my subject project in order to solve problems of reasoning and the practice of audit risk assessment in financial report auditing. The project is based on the learned knowledge and references of auditing companies' materials, self-collected materials and analytical synthesis methodology to improve the audit risk assessment in the financial statement audit. The content of the project consists
CHAPTER I: THEORETICAL FRAMEWORK OF AUDIT RISK EVALUATION IN FINANCIAL STATEMENT AUDIT
To understand the concept of audit risk, we first need to understand the concept of risk. According to the Vietnamese dictionary, "Risk is the adjective for misfortune" or "risk is not good, no good happened unexpectedly". Such risk is undesirable. In different areas, risk has its own characteristics. In the area of auditing, risk has been defined in the audit guidelines and audit standards as follows.
According to international standard No. 25 (IAG25): "Audit Risks are the risks that an auditor may incur when making inaccurate remarks about financial information and these are gross misstatements." For example, auditors may make a full acceptance of a financial statement without knowing that these reports have material misstatements. More specifically, the auditing standard of Vietnam No. 315 defines audit risk as: "Audit risk is the risk that the auditor and the auditor make inappropriate comments when the audited financial statements have been audited. There are many critical errors. The audit risk consists of three parts: the inherent risk, the control risk and the detection risk."

Thus, accounting professional societies have a common perception of audit risk. Audit risk is understood as the possibility that auditors and the auditing company give inaccurate opinions about the audited entity. For example, auditors opine that the financial statements of the audited entity have been fairly presented in all material respects, but in practice these financial statements still suffer from material misstatement that the auditor does not detect during the audit. Such risk can always exist even if the audit is carefully planned and implemented with caution. This risk increases if audit planning is poor and reckless.
In each audit, the audit risk is considered in relation to the audit plan, audit sampling and audit selection. The audit risk is defined as the probability of errors and the assessment of risk. It is estimated to be from 0% to 100%, or expressed qualitatively: high, medium, low.

The audit risk arises from the potential deviations in the financial statements that have passed the internal control and are not found by the auditor. In practice, the audit risk usually occurs due to management restrictions, which are directly auditing costs and are related to the amount of auditing evidence. Audit risk is inversely proportional to the amount of audit evidence. However, even if the audit evidence has been collected, the audit risk still exists.
1.1.2 Types of Audit risks
Inherent risks (IR)
Auditors must consider inherent risks (IR). According to the British English Accounting-Audit Dictionary: "The inherent risk is that the enterprise's financial reporting capacity contains significant errors before considering the effectiveness of the internal control system of the business. These offenses may be considered when alone or in combination with other offenses in balances in other relevant documents."
According to the International Auditing Principle 25 - "Materiality and Risk," Section 13 states: "Inherent risks are weaknesses in account balances or a kind of business with possible errors is serious, these errors may be single or may be combined with errors in balances or other transactions (assuming there are no relevant internal control regulations here). The inherent risk lies in the business function of the business in the business environment as well as in the nature of account balances or types of operations."

Vietnamese auditing standard (VSA) No. 315 - "Risk Assessment and Internal Control", Section 04 states: "Inherent risks are latent risks, inherent in the ability of each profession, each item in financial statements when calculating separately or in aggregate, with or without internal control."

Therefore, the inherent risk is that the existence of material misstatements in the financial statements can be traced back to the characteristics of the type of business and the staff capacity of the auditor before considering the effectiveness of the internal control system. Auditors neither create nor control potential risks; they can only evaluate them.
Control risk (CR)
Control risk is the ability of an internal control system of an auditor not to detect, prevent or correct any material misstatement or fraud. Principles of International Auditing No. 25, Section 14 states: "Control risk is the risk of misidentification, which may occur with an account balance or a type of transaction and may be a serious flaw. These errors occur singly or may be combined with errors of balances and other operations that the Internal Control System has not prevented or failed to detect in time. Control risk will always be present and unavoidable because of the inherent limitations of any Internal Control System."

According to VSA 315: "Control risk is the risk that material misstatement will occur in each operation, each item in the report financial statements when separately or aggregated that the internal control and the accounting system are not prevented or not detected and repaired in time."

As such, control risk is the ability of the internal control to detect, prevent and timely repair critical errors. As with potential risks, auditors do not create control risks nor control them. The auditor can only assess the Internal Control System of the audited entity and hence project the level of control risk.
Detection Risk (DR)
Auditors must consider the risk of detection. Generally, the detection risk is the likelihood that the audit procedures will not detect material misstatements. According to the principle of International Auditing No. 25, Section 15 states: "Risk of detection is the risk that the auditor does not detect any errors in the balance of accounts or types of transactions. These errors can be serious single occurrence or may be combined with errors in balances, other types of operations."

According to VSA 315: "Risk of detection is the risk of material misstatement in each operation, each item in the report, when calculating separately or counting, in audit process, auditors and auditing company cannot detect."

Therefore, the risk of detection is the probability that the audit procedures do not detect material misstatements. Since the potential risks and control risks exist independently, auditors cannot intervene in them but can only evaluate them. In contrast, auditors are responsible for carrying out procedures for the collection of evidence, and for the management and control of detection risk.
1.1.3 Audit Risk Model
Audit risk occurs when the financial statements contain material misstatements, but the auditor considers that they are fair and reasonable. This risk derives from the potential discrepancies in the financial statements (inherent risk) that have passed the internal control of the entity (control risk) and are not detected by auditors (detection risk). Hence, audit risk is a combination of three types of risks: inherent risk, control risk and detection risk. VSA 315 and International Audit Principles No. 19 - "Audit Sampling" affirm: "Audit risk consists of three sets of audit Division: Inherent Risk, Control Risk and Detection Risk." In order to serve the audit risk assessment process, professionals often use the following model to demonstrate the relationship between audit risk and its components:
AR = IR x CR x DR (1)
In which:
- AR: Audit risk
- IR: Inherent risk
- CR: Control risk
- DR: Detection risk
This model is used by auditors to evaluate the appropriateness of the audit plan. Auditors can use this model to adjust the risk of detection based on the other types of risk that have been assessed, in order to achieve the low audit risk that the auditor expects. The following example illustrates this:

An auditor is preparing to conduct an audit. The auditor expects the audit risk to be relatively low, about 0.03 (that is, an average of about 3% of the auditor's decisions are unreasonable). Inherent risks and control risks have been assessed by the auditor based on experience, professional judgment, and demonstrated evidence. Assuming the auditor believes that the business sector of potential customers is high risk, the inherent risk is assessed at 0.9 and the Company's business-as-usual basis, but with reasonable suspicion, the auditor assessed the control risk at 0.7. The auditor must adjust so that the risk of detection does not exceed 0.047 to ensure an audit risk of 0.03 as expected.
Model (1) is rarely used because audit risk is often determined by the technician and difficult to change in an audit. As a result, the auditor wishes to identify the detection risk for audit planning rather than adjusting the detection risk according to audit risk (AR). On the other hand, the inherent risk (IR) and the control risk (CR) are inherent; the auditor can only assess and not affect them. Therefore, model (1) does not show the auditor "impact" nature of the detection risk. To better serve the audit planning and in relation to the audit evidence, the audit risk model is therefore often used in the second form:
DR = AR / (IR x CR) (2)
With model (2), the detection risk (DR) is a major concern for auditors. This model demonstrates the direct relationship between the audit risk (AR) and the detection risk (DR) as well as the "impact" nature of the detection risk (DR). On the other hand, model (2) also demonstrates the relationship between the detection risk (DR) and the amount of audit evidence that should be collected during the audit planning process. Consider the example of model (1): assuming the inherent risk (IR) and control risk (CR) do not change, auditors can accept the desired audit risk at 0.05, when detection risk (DR) is calculated using the formula in (2):
DR = 0.05 / (0.9 x 0.7) = 0.8 or 80%
Therefore, the amount of work and the amount of audit evidence that auditors need to collect is less than with the expected audit risk of 0.03. With model (2), the audit risk is usually determined pre-audit according to the standards of each audit firm and is called the Designed Audit Risk (DAR). Therefore, model (2) is usually expressed as:
DR = DAR / (IR x CR)
In an audit, the risk is never precluded. Therefore, the concept of desired audit risk represents the level of the auditor's expectations for an acceptable level of risk. The desired audit risk is determined by the subjective experience and professional judgment of the auditor. When the auditor assumes that the desired audit risk (DAR) is zero, it means that the auditor believes the customer's financial statements do not have any material misstatement. This is an ideal case for any audit but never happens. Auditing is a relative rather than an absolute field, so the auditor can only conclude that the financial statements have been presented honestly in terms of materiality, and cannot ascertain that they are honest and reasonable in every respect. Conversely, when the audit risk is at 1 or 100%, the auditor believes that the customer's financial statements have been severely misleading in many respects. Therefore, the fluctuation range of the desired audit risk varies from 0 to 1 or from 0% to 100%.

The introduction of the desired audit risk level is subjective. However, the level of audit risk desired by the auditor must be low enough for interested users to use the audited financial statements of customers as the basis for decision-making, limiting the type of risk in business.
Research on the types of risk has indicated the close interaction between them. Inherent risks and control risks differ from detection risk and audit risk in that they exist independently and objectively with financial information, independent of the auditor; the auditor also cannot influence or change these two kinds of risk. The interrelationships between the types of risk in financial auditing are: "Inherent risks and control risks differ from those found in these risks exist independent of financial information. The inherent risk and control risk lie within the business operations and management environment of the business as well as in the nature of the account balance, the types of operations whether the audit is conducted or not. Even these risks are not checked by auditor. Auditor can evaluate these risks and design basic audit methods to minimize detection risk to an acceptable level. That way it reduces the audit risk to an acceptable level." This type of relationship is built on the first audit risk model (model 1), which means the audit risk is governed by the risk of detection; it does not yet illustrate the dependence of detection risk on designed audit risk and inherent risk as well as control risk.

Inherent risks and control risks are often reversed and are therefore generally recognized when assessing audit risks. If the enterprise is operating in a high-risk business sector, potential risks are high; even though the Internal Control System of the company operates effectively, the control risk must always be assessed at medium or above average level. This is because the inherent limitations of the Internal Control System and the control risks always exist.

Contrary to inherent risks and control risks, the auditor may have an impact on the audit risk and detection risk. In each specific circumstance, the auditor will set the desired audit risk based on the reliability of the financial statements after auditing and on auditing costs. The detection risk is calculated from model (2) after the desired audit risk has been identified and the inherent risk and control risk assessed. Therefore, the auditor is not only aware of but can also influence the detection risk.

With a predetermined level of audit risk, it can be concluded from model (2) that the detection risk is inversely related to the inherent risk and control risk. Therefore, the detection risk is also inversely proportional to the amount of audit evidence to be collected. If inherent risks and control risks are underestimated, the detection risk is calculated to be low, whereby the amount of audit evidence needed to be collected, the scope of the audit and the volume of work. In contrast, when the inherent risk and control risk are underestimated, the detection risk is high, only the smaller auditing evidence can be gathered by the auditor.
Table 1.1: Relationship Between Risks and Audit Evidences
1.2 Evaluation of Audit Risk in Financial Statement Audit
According to VSA 315: "When determining the audit approach, auditor must pay attention to the initial assessment of potential risks. The control is used to determine the level of acceptable detection risk for the financial statement data base and to determine the content, schedule and scope of the basic procedures for the data base."

Thus, the purpose of the audit risk assessment is to determine the level of detection risk that underpins the planning of the audit tests to be applied. From the risk profile of the audit, the perceived risk is determined on the basis of the desired audit risk, inherent risk and control risk.
1.2.1 Determine the level of desired audit risk
The desired audit risk is identified in the audit planning phase. It is determined in a subjective manner and depends on two basic factors:

First, the extent to which external users believe in the financial statements.

In the market mechanism, there are a lot of people interested in the financial situation and its reflection in accounting documents, most directly the financial statements. Those interested may be: State agencies (information should be honest to regulate the macro economy); investors (need honest information for proper investment direction, use of investment capital and distribution of investment results); business executives and other managers (need honest information to make sound business decisions); employees, customers, suppliers.

When many external users put their faith in the financial statements, significant discrepancies in the financial statements are likely to cause widespread harm. Therefore, in this case, the auditor needs to identify a low level of audit risk, thereby increasing the amount of audit evidence to be collected and increasing the accuracy of its findings.

A number of factors indicate the extent to which financial statements are trusted by external users:

First, the size of the entity being audited: The size of the entity can be measured by total assets, total revenue, or total income. The larger the scale is, the more widely the financial statements are used and the lower the desired audit risk.

Second, ownership: If the ownership of a business falls to more than one participant, more people will be interested in the financial statement and the desired audit risk will need to be lowered, and vice versa.
Third, the nature and scale of debt. Debts are amounts that are definitely related to a third party loan or debt. Existing and potential creditors are often concerned about the company's financial position, especially its ability to pay for its continued borrowing. Therefore, when the financial statements include large amounts of debt or large-scale debt, they are likely to be more widely used.
Secondly, customers may have financial difficulties after the audit report is published.

If customers have financial difficulties after the audit report is published, auditors may have to deal with lawsuits by the parties that used the audited financial statements. Therefore, in this case, the auditor must set a lower level of audit risk at the beginning to prevent cases that are related to the parties involved. This will lead to higher audit costs, but the auditor still has to identify a reasonable audit risk.

It is very complicated to predict the probability of a unit being audited in the future. However, the auditor may rely on the following factors to predict this event:

First, the ability to convert into cash. If a business often runs out of money and working capital, the enterprise may have difficulty paying. Technicians must assess the ability of customers in order to predict whether customers will face difficulties in the future; if these are aggravated, a business that loses its ability to pay short-term debt can easily go bankrupt.

Second, the profit (loss) in previous years. When a business drops rapidly or gains for a number of years, this is a sign that the business is in a bad direction. Technicians should assess the likelihood that customers will experience financial difficulties when they see these signs appear.

Third, measures to increase the funding process. If the business is more dependent on donations, especially looking for ways to increase this funding, it can prove that the business is not financially self-sufficient, and thus the possibility of financial difficulties will be high.

Fourth, the nature of the operation of the customer company. In some areas of business, the risk of bankruptcy is high, such as securities brokerage business. When auditing such businesses, customers will face difficulties and risks in business to determine the reasonable risk of auditing.

Collecting information and learning about customers, especially the above two factors, will help the auditor to determine the desired audit risk for all audited financial statements.
However, auditing procedures are tailored to each item, and the design of these procedures depends a great deal on the audit risk identified for each of those items. Therefore, after setting the overall audit risk level for the entire financial statements, the auditor should rely on it to set the level of audit risk for each item. For example, when the auditor assesses the desired audit risk level for the entire financial statements, the auditor can determine that the level of audit risk of each item is also average. However, for some special items, the auditor can adjust this risk to be more appropriate, because each item will be allocated a different critical level, and the possibility that substantial and undetectable errors exist will be different in each of the different items. For items with a higher critical weight, the auditor can determine a lower level of required audit risk, and vice versa. There are items that are more important to the user than the results of the audit; the risk should also be lower. For example, to get a bank loan, an enterprise must have an audited financial statement. When auditing the items related to the solvency of the business, auditors then need to set a lower level of audit risk than for other items.

After establishing the desired audit risk level, the auditor will assess the potential risk and control risk.
1.2.2 Inherent Risk Assessment
Inherent risk assessment is very important when planning an audit. The level of potential risk is the basis for selecting audit procedures and for determining the amount of work, time, personnel and costs required for an audit.

According to VSA 315: "When planning audit, technician and auditing firm must assess the potential risk for the entire financial statements of the unit audited. When preparing audit programs, auditor must determine the level of potential risks for balances or types of operations that are important to each of the assets. Where it is not possible to determine the specificity, auditor must assume that the potential risk is high for the data base. Based on the level of potential risk assessments to be performed, the audit procedures are performed for operations, material items on the financial statements, or transactions and items for which they are attributed is potentially high risk."
The internal risk assessment process is carried out on both sides:

Firstly, the internal risk assessment in terms of financial reporting.

When assessing the internal risk in terms of financial statements, the customer usually relies on the following factors:

First, the characteristics of the Board of Directors: If the economic and financial decisions in the unit are monopolized by an individual on the Board of Directors, then it is more likely that major decisions will be made. In addition, the lack of integrity, experience and understanding of the Board of Directors, as well as changes in the composition of the Management Board occurring in the successor year, can easily lead economic transactions in the wrong direction. Moreover, when there are many personnel changes in the Board of Directors, the auditor also needs to consider that there may be many honest people who do not accept the fraud occurring in the business and so voluntarily resign; internal risks will then be assessed higher.

Second, the qualification and professional experience of the chief accountant and of the internal auditor, and their change (if any). Their level will influence the accounting work of the unit, accounting and auditing, and the accuracy of the financial information that is recorded and presented on the financial statements. If there is a change in the personnel of these positions, new people may not have experience, which easily leads to errors. In this case, the auditor should assess the potential risk at a higher level.
Third, undue pressure on the Board of Directors and chief accountants, especially the circumstances that motivate them to present dishonest financial statements. For instance, when businesses are facing financial difficulties and need to call for more capital contributions from shareholders to supplement capital, businesses are easy to cheat in the disclosure of financial indicators to make the picture of the income of the enterprise better than the income of the enterprise, such as the recognition of income when the fact has not occurred, or expenses that are not recognized.

Fourth, operating characteristics of the unit such as technological process, capital structure, dependent units, geographic scope and seasonal operation. For example, if a business has a backward technology process, the goods produced are likely to be outdated and difficult to consume in the market, which may affect the net present value of the inventories in the financial statements. An enterprise with an over-dependency structure may also have a potential risk in presenting solvency-related indicators. An enterprise with many dependent units will increase the likelihood of errors in synthesis; a large unit is more likely to err than a smaller-scale unit.

Fifth, the factors affecting the unit's operations such as economic fluctuations, competition, changes in buying markets and selling markets, and changes in the accounting system for the field of operation of the unit.

Sixth, the first audit contract and the long-term auditing contract. In the initial audit contract, the auditor often lacks knowledge and experience of the customer unit's errors, so the potential risk is often assessed higher than for the audit contract the next time.
Second, assess the inherent risk in terms of account balance and type of operations.

The inherent risk assessment in terms of account balance and type of business depends on the following factors: the level of inherent risk assessed for the entire financial statements, the nature of the item, and the factors that affect inherent risks on account balances and types of transactions based on the auditor's understanding. These include the following:

First, the business nature of the customer. Inherent risks are increased by characteristics of the industry that may create difficulties for audits, due to the existence of uncertainties or the potential existence of frauds or missteps that remain on the financial report. For example, credit card business customers often have a lot of risk in managing cash and payment facilities, so the audit of capital in cash will be more difficult than in the case of credit card companies.

Second, results of previous audits. For accounts found to have been committed in previous audits, the inherent risk is determined at a high level. The reason is that many types of errors are systematic and units often do not promptly take remedial measures, so that mistakes that occurred in the previous year can continue to occur in the next year.

Third, the economic operations that are not regular. These operations are more likely to be recorded wrongly in the books than the daily operations because the client is inexperienced in accounting for such types of operations, so the inherent risk for the accounts that contain the transaction is usually assessed higher.

Fourth, accounting estimates. The inherent risk of accounts that reflect accounting estimates (bad receivables provision, inventory fall reserve, etc.) is often considered high because proper entry of these accounts not only requires an understanding of the nature of the item and the theory involved, but also the experience and subjective judgment of the responsible person.
Fifth, the scale of the account balance. Accounts with large cash balances are often subject to a higher inherent risk assessment than those with a small cash balance.

The auditor should collect and evaluate the above factors and determine the appropriate level of risk for each item in the financial statements.
1.2.3 Control Risk Assessment
Control risk assessment is a step in the assessment process of the customer's internal control system. Control risk assessment is divided into three steps: initial assessment of control risk, implementation of control testing, and reassessment of control risk. However, in order for the process of risk assessment to be carried out properly, the auditor must still carry out all the work steps, such as the process of evaluating the Supervisory Board.

Step 1, Initial assessment of control risk. According to VSA 315: "Initial assessment of control risk is the assessment of the effectiveness of the accounting and control system of the application in preventing or detecting and correcting critical errors. Control risk is not completely eliminated due to the inherent limitations of the accounting system and internal control system."

To provide an initial assessment of the control risk, the auditor must collect information on the internal control system and describe it in detail in his / her working documents. By means of an itemized approach and a cyclic approach, it is important to understand the information that is needed to evaluate the internal control in three ways: its existence, its continuity and its effectiveness. When the internal control meets the above requirements, the auditor will initially assess the control risk at medium or low levels. To gain an understanding of the information, the auditor can use the following methods:
- Based on past experience of auditor predecessors
- An interview with a company employee
- Review the company's procedures, regulations, and regulations
- Check the customer records of the company
- Observe the operational and operational aspects of the client company
In order to better understand such information, the auditor must describe the information on the working paper through questionnaires, narrative tables or flow charts of the internal control system. Auditors may combine these descriptive methods to increase the efficiency of the cognitive process in order to make the initial assessment relevant.

According to VSA 315: "Based on an understanding of the accounting system and internal control system, auditor and audit firm An initial assessment of the control risk for the basis of each account balance or major economic operations is required."

The process of assessing the control risk on the basis of each account balance or major economic operation requires the auditor to carry it out for each specific audit objective. Therefore, the auditor should do the following:
- Identify the control objectives under which the assessment process is applied
- Identification of specific control processes