SET MATERIALITY AND ASSESS ACCEPTABLE AUDIT RISK AND INHERENT RISK

MATERIALITY

Original Text: The magnitude of an omission or misstatement of accounting information that, in the
light of surrounding circumstances, makes it probable that the judgment of a reasonable person
relying on the information would have been changed or influenced by the omission or misstatement.
Auditors follow five closely related steps in applying materiality.

Explanation in Simple Terms: Materiality refers to how much an error or missing information in
financial statements can impact the decisions of people relying on them. If an error is big enough to
mislead someone, it is considered material.

Example: If a company incorrectly records $5 in expenses instead of $500, it’s a small mistake that
won’t mislead investors. However, if they record $5 million instead of $50 million, this could change
investment decisions, making it a material misstatement.

Step 1: Set Preliminary Judgment About Materiality

Original Text: Auditing standards require auditors to decide on the combined amount of
misstatements in the financial statements that they would consider material early in the audit as
they are developing the overall strategy for the audit. It is called a preliminary judgment about
materiality because, although a professional opinion, it may change during the engagement. This
judgment must be documented in the audit files. The preliminary judgment about materiality is the
maximum amount by which the auditor believes the statements could be misstated and still not
affect the decisions of reasonable users.

Explanation in Simple Terms: Auditors decide early on how big an error in financial statements can
be before it becomes a serious problem. This is called preliminary judgment about materiality. It can
change as the audit progresses, and auditors must document this decision.

Example: An auditor may decide that misstatements below $10,000 are not material. However, if
they later find several errors adding up to $100,000, they may change their materiality threshold.

Step 2: Allocate Preliminary Judgment About Materiality to Segments

Original Text: The allocation of the preliminary judgment about materiality to segments is necessary
because auditors accumulate evidence by segments rather than for the financial statements as a
whole. If auditors have a preliminary judgment about materiality for each segment, it helps them
decide the appropriate audit evidence to accumulate. When auditors allocate the preliminary
judgment about materiality to account balances, the materiality allocated to any given account
balance is referred to as tolerable misstatement.
Explanation in Simple Terms: Instead of checking financial statements as a whole, auditors divide
them into sections (segments) and set materiality levels for each. The amount assigned to each
section is called tolerable misstatement. This helps in collecting the right amount of audit evidence.

Example: If total materiality is $100,000, an auditor might assign $50,000 to revenues, $30,000 to
expenses, and $20,000 to assets, ensuring they check these areas properly.

AUDIT RISK

Planned Detection Risk (PDR)

Original Text: Planned detection risk is the risk that audit evidence for a segment will fail to detect
misstatements exceeding tolerable misstatement. Planned detection risk is dependent on the other
three factors in the model. It will change only if the auditor changes one of the other risk model
factors. Planned detection risk determines the amount of substantive evidence that the auditor plans
to accumulate, inversely with the size of planned detection risk. If planned detection risk is reduced,
the auditor needs to accumulate more evidence to achieve the reduced planned risk.

Explanation in Simple Terms: Planned detection risk is the chance that the auditor’s checks might
not find a big mistake. If the auditor lowers this risk, they will need to collect more proof (evidence)
to ensure accuracy.

Example: If an auditor assesses high planned detection risk, they might only sample 5% of
transactions. If the risk is low, they may check 50% of transactions.

Inherent Risk (IR)

Original Text: Inherent risk measures the auditor’s assessment of the likelihood that there are
material misstatements due to error or fraud in a segment before considering the effectiveness of
internal control. If the auditor concludes that a high likelihood of misstatement exists, the auditor
will conclude that inherent risk is high.

Explanation in Simple Terms: Inherent risk is the chance that there are big errors or fraud in financial
statements before considering the company’s internal controls. If the auditor believes the risk is high,
they assume mistakes are likely.

Example: A startup company with weak accounting processes has a high inherent risk, while a well-
established company with experienced accountants has a lower inherent risk.

Control Risk (CR)

Original Text: Control risk measures the auditor’s assessment of whether misstatements exceeding
a tolerable amount in a segment will be prevented or detected on a timely basis by the client’s
internal controls. The more effective the internal controls, the lower the risk factor that can be
assigned to control risk.

Explanation in Simple Terms: Control risk is the chance that mistakes will not be caught by a
company’s internal checks. If the company has strong internal controls, this risk is lower. If controls
are weak, this risk is high.

Example: If a company has automated financial software that flags suspicious transactions, control
risk is low. If they rely on manual bookkeeping, control risk is high.

Acceptable Audit Risk (AAR)

Original Text: Acceptable audit risk is a measure of how willing the auditor is to accept that the
financial statements may be materially misstated after the audit is completed and an unqualified
opinion has been issued. When auditors decide on a lower acceptable audit risk, they want to be
more certain that the financial statements are not materially misstated.

Explanation in Simple Terms: Acceptable audit risk is how much risk the auditor is willing to accept
that financial statements might still have big errors after the audit is done. If they set a lower risk level,
they must do more checking to be sure the statements are correct.

Example: A large public company with many investors has a lower acceptable audit risk, meaning
auditors do extra work to ensure accuracy. A small private business may have a higher acceptable
audit risk, requiring less effort.

UNDERSTAND INTERNAL CONTROL AND ASSESS CONTROL RISKS

Original Text: A system of internal control consists of policies and procedures designed to provide
management with reasonable assurance that the company achieves its objectives and goals. These
policies and procedures are often called controls, and collectively, they make up the entity’s internal
control. Management typically has three broad objectives in designing an effective internal control
system:

1. Reliability of financial reporting

2. Efficiency and effectiveness of operations

3. Compliance with laws and regulations

Management designs systems of internal control to accomplish all three objectives. The auditor’s
focus in both the audit of financial statements and the audit of internal controls is on controls over
the reliability of financial reporting plus those controls over operations and compliance with laws
and regulations that could materially affect financial reporting.
Explanation in Simple Terms: Internal controls are rules and procedures a company follows to
ensure it reaches its goals. These controls help prevent errors, fraud, and inefficiencies. There are
three main reasons companies create internal controls:

1. To make sure financial reports are accurate and reliable.

2. To ensure that company operations run smoothly and effectively.

3. To follow laws and regulations properly.

For auditors, the most important aspect is making sure the company’s financial reports are accurate.
They also check if any weaknesses in operations or legal compliance could affect the financial
reports.

Original Text: Management’s Responsibilities for Establishing Internal Control. Management,

not the auditor, must establish and maintain the entity’s internal controls. This concept is consistent
with the requirement that management, not the auditor, is responsible for the preparation of financial
statements in accordance with applicable accounting frameworks such as GAAP or PFRS. Two key
concepts underlie management’s design and implementation of internal control—reasonable
assurance and inherent limitations.

1. Reasonable assurance. A company should develop internal controls that provide

reasonable, but not absolute, assurance that the financial statements are fairly stated.
Internal controls are developed by management after considering both the costs and
benefits of the controls. The concept of reasonable assurance allows for only a remote
likelihood that material misstatements will not be prevented or detected on a timely basis by
internal control.

2. Inherent limitations. Internal controls can never be completely effective, regardless of the
care followed in their design and implementation. Even if management can design an ideal
system, its effectiveness depends on the competency and dependability of the people using
it. Assume, for example, that a carefully developed procedure for counting inventory requires
two employees to count independently. If neither of the employees understands the
instructions or if both are careless in doing the counts, the inventory count is likely to be
wrong. Even if the count is correct, management might override the procedure and instruct
an employee to increase the count to improve reported earnings. Similarly, the employees
might decide to overstate the counts to intentionally cover up a theft of inventory by one or
both of them. An act of two or more employees who conspire to steal assets or misstate
records is called collusion.

Explanation in Simple Terms: Management is responsible for setting up and maintaining internal
controls, not the auditors. Internal controls are not perfect because:
 1. Reasonable assurance means that while internal controls reduce the risk of mistakes or
fraud, they do not eliminate it completely. It’s about balancing costs and benefits.

2. Inherent limitations mean that internal controls are only as good as the people using them.
Mistakes can happen due to human error, negligence, or even intentional fraud. For example,
two employees could work together (collusion) to manipulate records and steal from the
company.

Original Text: Components of Internal Control - CRIME

1. Control Environment – The actions, policies, and procedures that reflect the overall
attitudes of top management, directors, and owners of an entity about internal control and
its importance to the entity. The essence of an effectively controlled organization lies in the
attitude of its management. If top management believes that control is important, others in
the organization will sense this commitment and respond by conscientiously observing the
controls established.

2. Risk Assessment – Management’s identification and analysis of risks relevant to the

preparation of financial statements in conformity with appropriate accounting standards. For
example, if a company frequently sells products at a price below inventory cost because of
rapid technology changes, it is essential for the company to incorporate adequate controls
to address the risk of overstating inventory.

3. Control Activities – The policies and procedures that help ensure necessary actions are
taken to address risks. These include: a. Adequate separation of duties b. Proper
authorization of transactions and activities c. Adequate documents and records d. Physical
control over assets and records e. Independent checks on performance

4. Information and Communication – The purpose of an entity’s accounting information and

communication system is to initiate, record, process, and report transactions to maintain
accountability.

5. Monitoring Activities – Ongoing or periodic assessment of the quality of internal control by

management to determine that controls are operating as intended.

Explanation in Simple Terms: Internal controls can be remembered using the acronym CRIME:

1. Control Environment – The company’s culture and management’s attitude toward control.
If the boss cares about control, employees will, too.

2. Risk Assessment – Identifying risks that could lead to errors or fraud. Example: A tech
company facing rapid innovation needs controls to avoid selling products at a loss.

3. Control Activities – Specific actions taken to prevent problems, such as separating duties
(one person approves payments, another records them).
 4. Information and Communication – Keeping proper records and ensuring information flows
correctly through the organization.

5. Monitoring Activities – Checking to see if controls are working, often done through audits or
internal reviews.

Obtain and Document Understanding of Internal Control

Original Text:
The level of understanding internal control and extent of testing required for the audit of internal
control exceeds what is required for an audit of only the financial statements. Therefore, when
auditors first focus on the understanding and testing of internal control for the audit of internal
controls, they will have met the requirements for assessing internal control for the financial
statement audit. As part of the auditor’s risk assessment procedures, the auditor uses procedures
to obtain an understanding, which involve gathering evidence about the design of internal controls
and whether they have been implemented, and then uses that information as a basis for the
integrated audit.

The auditor generally uses four of the eight types of evidence to obtain an understanding of the design
and implementation of controls: documentation, inquiry of entity personnel, observation of
employees performing control processes, and reperformance by tracing one or a few transactions
through the accounting system from start to finish. Auditors commonly use three types of documents
to obtain and document their understanding of the design of internal control: narratives, flowcharts,
and internal control questionnaires.

After obtaining an understanding of internal control, the auditor makes a preliminary assessment of
control risk as part of the auditor’s overall assessment of the risk of material misstatement. This
assessment is a measure of the auditor’s expectation that internal controls will prevent material
misstatements from occurring or detect and correct them if they have occurred.

Explanation in Simple Terms:

Auditors need to deeply understand a company’s internal controls when auditing financial
statements. They check whether these controls are properly designed and functioning. To do this,
they gather evidence through different methods, such as reviewing documents, asking employees
about their duties, watching them perform tasks, and redoing some transactions to see if they follow
the correct process. Once auditors understand the controls, they estimate how likely it is that errors
or fraud will happen despite these controls.

Communications to Those Charged with Governance and Management Letters

Original Text:
As part of understanding internal control and assessing control risk, the auditor is required to
communicate certain matters to those charged with governance. The auditor must communicate
significant deficiencies and material weaknesses in writing to those charged with governance as
soon as the auditor becomes aware of their existence. The communication is usually addressed to
the audit committee and to management. Timely communications may provide management an
opportunity to address control deficiencies before management’s report on internal control must be
issued. In some instances, deficiencies can be corrected sufficiently early such that both
management and the auditor can conclude that controls are operating effectively as of the balance
sheet date.

In addition to these matters, auditors often identify less significant internal control-related issues, as
well as opportunities for the client to make operational improvements. These should also be
communicated to the client. The form of communication is often a separate letter for that purpose,
called a management letter. Although management letters are not required by auditing standards,
auditors generally prepare them as a value-added service of the audit.

Explanation in Simple Terms:

Auditors must inform company leaders if they find major weaknesses in the internal controls. This is
usually done in writing and sent to the audit committee or management. If the issues are addressed
quickly, both management and auditors can confirm that controls are effective by the time financial
reports are finalized. Besides major issues, auditors may also suggest minor improvements through
a separate document called a management letter. This letter is not required but is often given to help
the company improve its operations.

Tests of Controls

Original Text:
Tests of Controls are used to support a control risk assessment. Key controls that the auditor intends
to rely on to support a control risk of medium or low must be supported by sufficient tests of controls.
Assessing control risk requires the auditor to consider both the design and operation of controls to
evaluate whether they will likely be effective in meeting related audit objectives. During the
understanding phase, the auditor will have already gathered some evidence in support of both the
design of the controls and their implementation by using procedures to obtain an understanding. If
not, the auditor must obtain additional evidence about the operating effectiveness of controls
throughout all, or at least most, of the period under audit. The procedures to test effectiveness of
controls in support of a reduced assessed control risk are called tests of controls.

If the results of tests of controls support the design and operation of controls as expected, the auditor
uses the same assessed control risk as the preliminary assessment. If, however, the tests of controls
indicate that the controls did not operate effectively, the assessed control risk must be reconsidered.

Explanation in Simple Terms:

Auditors check whether key controls actually work as expected by performing tests. These tests help
decide if controls can be trusted to prevent errors or fraud. If controls work well, auditors rely on them
and keep their original risk assessment. If controls fail, they must reassess the risk and adjust their
audit procedures accordingly.
Procedures to Support the Effectiveness of Internal Controls

Original Text:

The auditor is likely to use four types of procedures to support the operating effectiveness of internal
controls. Management’s testing of internal control will likely include the same types of procedures.
The four types of procedures are as follows:

1. Make inquiries of appropriate client personnel.

2. Examine documents, records, and reports.

3. Observe control-related activities.

4. Reperform client procedures.

The extent to which tests of controls are applied depends on the preliminary assessed control risk. If
the auditor wants a lower assessed control risk, more extensive tests of controls are applied, both in
terms of the number of controls tested and the extent of the tests for each control. For example, if
the auditor wants to use a low assessed control risk, a larger sample size for documentation,
observation, and reperformance procedures should be applied. The extent of testing also depends
on the frequency of the operation of the controls, and whether it is manual or automated.

Explanation in Simple Terms:

Auditors use four main ways to test internal controls: (1) asking employees about their tasks, (2)
reviewing company documents, (3) watching employees perform tasks, and (4) redoing some tasks
to check for errors. The more reliable a company’s controls appear, the fewer tests the auditor needs
to perform. However, if the auditor wants to be more certain, they will test a larger sample of controls
and transactions.

Linking Control Risk to Audit Procedures

Original Text:
The auditor uses the control risk assessment and results of tests of controls to determine planned
detection risk and related substantive tests for the audit of financial statements. The auditor does
this by linking the control risk assessments to the balance-related audit objectives for the accounts
affected by the major transaction types and to the four presentation and disclosure audit objectives.
The appropriate level of detection risk for each balance-related audit objective is then decided using
the audit risk model.

Explanation in Simple Terms:

After testing internal controls, auditors decide how much additional testing is needed to find errors
in financial statements. They connect the results of their tests to specific audit objectives and
determine the level of risk that remains. This helps them decide how much further investigation is
needed to ensure that the financial statements are accurate.