TABLE OF CONNTENT LIST OF TABLE 2 INTRODUCTION 3 CHAPTER I THEORETICAL FRAMEWORK OF AUDIT RISK EVALUATION IN FINANCIAL STATEMENT AUDIT 4 1 1 Audit risk in the Financial Statement Audit 4 1 1 1 Definit[.]
TABLE OF CONNTENT LIST OF TABLE INTRODUCTION .3 CHAPTER I: THEORETICAL FRAMEWORK OF AUDIT RISK EVALUATION IN FINANCIAL STATEMENT AUDIT 1.1 Audit risk in the Financial Statement Audit 1.1.1 Definition 1.1.2 Types of Audit risks 1.2 Evaluation of Audit Risk in Financial Statement Audit 1.2.1 Determine the level of desired audit risk 1.2.2 Inherent Risk Assessment .11 1.2.3 Control Risk Assessment 13 1.2.4 Detection Risk Assessment 15 CHAPTER II: CURRENT SITUATION OF AUDIT RISK ASSESSMENT IN FINANCIAL STATEMENT AUDIT IN VIETNAM .17 2.1 The development of auditing in Vietnam 17 2.2 Current status of audit risk assessment process in Vietnam 17 2.2.1 Audit risk assessment 17 2.2.1.1 Risk assessment in terms of financial statement 17 2.2.1.2 Audit risk assessment in terms of account balance and type of operations a Inherent risk assessment in terms of account balance and type of operations 21 Chapter III: ASSESSMENT AND RECOMMENDATION FOR IMPROVING AUDIT RISK EVALUATION 23 3.1 A general assessment of the process of audit risk assessment in current financial statements in Vietnam 23 3.1.1 Strengths 24 3.1.2 Weakness 24 3.3.2 Solution for improving audit risk evaluation 25 CONCLUDE .27 LIST OF TABLE Table 1.1: Relationship between risks and audit evidences……………………………….9 Table 1.2 Risk matrix detection…………………………………………….……….….16 Table 2.1: Inherent Risk Assessment in terms of Financial Statements of the AASC….19 Table 2.2: Internal Control of Customers conducted by AASC…………………….… 21 Table 2.3: Conclusions on inherent risks in terms of account balance and type of operations performed by the AASC…………………………………………………….22 Table 2.4: Synthesized audit risk assessment for each account on the financial report made by the AASC………………………………………………………………….… 23 INTRODUCTION Auditors are gradually asserting an important position in the Vietnamese economy At present, the service of auditing the financial statement is still a large proportion of the total revenue of independent auditing companies in Vietnam Implementing an effective risk assessment that identifies a sound audit plan is an important factor contributing to the quality and effectiveness of the audit However, in practice, the audit risk assessment in the audit of financial statements of independent auditing firms in Vietnam still has many incomplete points because this is a complex task requiring skill as well as judgment of auditor Therefore, the audit and assessment of audit risk in financial statement is a matter of concern So, I chose "Auditing Risks and Processes of Audit Risk Assessment in Auditing Financial Statements" for my subject project in order to solve problems of reasoning and the practice of audit risk assessment in financial report auditing The project is based on the learned knowledge and references of auditing companies' materials, self-collect materials and analytical synthesis Methodology to improve the audit risk assessment in the financial statement audit The content of the project consists of three chapters: Chapter 1: Theoretical framework of audit risk evaluation in financial statement audit Chapter 2: Current situation of auditing risk and process of evaluate the risk of auditing the financial statement in Vietnam Chapter 3: Assessment and recommendation for improving the audit risk evaluation CHAPTER I: THEORETICAL FRAMEWORK OF AUDIT RISK EVALUATION IN FINANCIAL STATEMENT AUDIT 1.1 Audit risk in the Financial Statement Audit 1.1.1 Definition In general auditing and financial audit in particular, audit risk is a familiar concept associated with the auditor's responsibility Therefore, the understanding and good management of audit risk is a decisive factor in limiting the business risk of auditing companies To understand the concept of audit risk, we first need to understand the concept of risk According to the Vietnamese dictionary, "Risk is the adjective for misfortune" or "risk is not good, no good happened unexpectedly " Such risk is undesirable In different areas, risk has its own characteristics In the area of auditing risk has been defined in the audit guidelines and audit standards as follows According to international standard No.25 (IAG25) "Audit Risks are the risks that an auditor may incur when making inaccurate remarks about financial information and these are gross misstatements.” For example, auditors may make a full acceptance of a financial statement without knowing that these reports have material misstatements " More specifically, the auditing standard of Vietnam No 315 defines audit risk as "Audit risk is the risk that the auditor and the auditor make inappropriate comments when the audited financial statements have been audited There are many critical errors The audit risk consists of three parts: the inherent risk, the control risk and the detection risk " Thus, accounting professional societies have a common perception of audit risk Audit risk is understood as the ability of auditors and company to give inaccurate opinions about the audited entity For example, auditors opined that the financial statement audit of the auditing entity have been fairly presented in the material respects, but in practice these financial statement audit still suffer from material misstatement Auditor does not detect during the audit Such risk can always exist even if the audit is carefully planned and implemented with caution This risk increases if audit planning is poor and reckless In each audit, the audit risk is considered in relation to the audit plan, audit sampling and audit selection The audit risk is defined as the probability of errors and the assessment of risk It is estimated to be from 0% to 100% or use qualitative: high, medium, low The audit risk arises from the potential deviations in the financial statements that have passed the internal control and are not found by the auditor In practice, the audit risk usually occurs due to management restrictions, which are directly auditing costs and are related to the amount of auditing evidences Audit risk is inversely proportional to the amount of audit evidence However, even if the audit evidence has been collected, the audit risk still exists 1.1.2 Types of Audit risks Inherent risks (IR) Auditors must consider inherent risks (IR) According to the British English Accounting-Audit Dictionary: "The inherent risk is that the enterprise's financial reporting capacity contains significant errors before considering the effectiveness of the internal control system of the business” These offenses may be considered when alone or in combination with other offenses in balances in other relevant documents " According to the International Auditing Principle 25 - "Materiality and Risk," Section 13 states: "Inherent risks are weaknesses in account balances or a kind of business with possible errors is serious, these errors may be single or may be combined with errors in balances or other transactions (assuming there are no relevant internal control regulations here) The inherent risk lies in the business function of the business in the business environment as well as in the nature of account balances or types of operations Vietnamese auditing standard (VAS) No.315 - "Risk Assessment and Internal Control", Section 04 states: "Inherent risks are latent risks, inherent in the ability of each profession, each item in financial statements when calculating separately or in aggregate, with or without internal control." Therefore, the inherent risk is that the existence of material misstatements in the financial statements can be traced back to the characteristics of the type of business and the staff capacity of the auditor before considering the effectiveness of the internal control system Auditors does not create nor control potential risks, they can only evaluate them Control risk (CR) Control risk is the ability of an internal control system of an auditor not to detect, prevent or correct any material misstatement or fraud Principles of International Auditing No 25, Section 14 states: "Control risk is the risk of misidentification, which may occur with an account balance or a type of transaction and may be a serious flaw These errors occur singly or may be combined with errors of balances and other operations that the Internal Control System has not prevented or failed to detect in time Control risk will always be present and unavoidable because of the inherent limitations of any Internal Control System " According to VSA 315: "Control risk is the risk that material misstatement will occur in each operation, each item in the report financial statements when separately or aggregated that the internal control and the accounting system are not prevented or not detected and repaired in time " As such, control risk is the ability of the internal control to detect, prevent and timely repair critical errors As with potential risks, auditors does not create risk control nor control them The auditor can only assess the Internal Control System of the audited entity and hence projected the level of control risk Detection Risk (DR) Auditors must consider the risk of detection Generally, the detection risk is the likelihood that the audit procedures will not detect material misstatements According to the principle of International Auditing No 25, Section 15 states: "Risk of detection is the risk that the auditor does not detect any errors in the balance of accounts or types of transactions.” These errors can be serious single occurrence or may be combined with errors in balances, other types of operations." According to VSA 315: "Risk of detection is the risk of material misstatement in each operation, each item in the report When calculating separately or counting, in audit process, auditors and auditing company cannot detect " Therefore, the risk of detection is the probability that the audit procedures not detect material misstatements If the potential risks and control risks exist independently, auditors cannot intervene but can only evaluate them In contrast, auditors is responsible for carrying out procedures for the collection of evidence Management and control of detection risk 1.1.3 Audit Risk Model The auditing risks occur when the financial statements contain material misstatements, but auditor considers that they are fair and reasonable This risk derives from the potential discrepancies in the financial statements (inherent risks) that have passed the internal control of the entity (control risk) and are not detected by auditors (detection risk) Hence, audit risk is a combination of three types of risks: inherent risk, control risk and detection risk According to VSA 315 and International Audit Principles No 19 - "Audit Sampling" affirmed: "Audit risk consists of three sets of audit Division: Inherent Risk, Control Risk and Detection Risk." In order to serve the audit risk assessment process, professionals often use the following model to demonstrate the relationship between audit risk and its components: AR = IR x CR x DR (1) In which: - AR: Audit risk - IR: Inherent risk - CR: Control risk - DR: Detection risk This model is used by auditors to evaluate the appropriateness of the audit plan Auditors can use this model to adjust the risk of detection based on other types of risk that have been assessed to achieve low auditing risk that auditor expects The following example may be illustrated: Auditor is preparing to conduct an audit Auditor expects the auditing risk to be relatively low, about 0.03 (that is, an average of about 3% of auditor's decisions is unreasonable) Inherent risks and control risks have been assessed by auditor based on experience, professional judgment, and demonstrated evidence Assuming auditor believes that the business sector of potential customers is high risk, the inherent risk is assessed at 0.9 and the Company's business-as-usual basis, but with reasonable suspicion, auditor assessed the control risk at 0.7 Auditor must adjust so that the risk of detection does not exceed 0.047 to ensure an audit risk of 0.03 as expected Model (1) is rarely used because audit risk is often determined by the technician and difficult to change in an audit As a result, auditor wishes to identify the detection risk for audit planning rather than adjusting the detection risk according to auditing risk (AR) On the other hand, the inherent risk (IR) and the control risk (CR) are inherent, auditor can only assess and not affect them Therefore, the model (1) does not show the auditor "impact" nature of the detection risk Therefore, to better serve the audit planning and in relation to the audit evidence, the audit risk model is often used in the second form: DR = AR (2) IR x CR With the model (2), the detection risk (DR) is a major concern for auditors This model demonstrates the direct relationship between the audit risk (AR) and the detection risk (DR) as well as the "impact" nature of the detection risk (DR) On the other hand, model (2) also demonstrates the relationship between the detection risk (DR) and the amount of audit evidence that should be collected during the audit planning process Consider the example of model (1): Assuming the inherent risk (IR) and control risk (CR) does not change, auditors can accept the desired audit risk at 0.05, when Detection risk (DR) is calculated using the formula in (2): DR = 0,05 = 0,8 or 80% 0,9 x 0,7 Therefore, the amount of work and the amount of audit evidence that auditors need to collect is less than the expected audit risk of 0.03 With model (2), the audit risk is usually determined pre-audit according to the standards of each audit firm and is called the Designed Audit Risk (DAR) Therefore, the model (2) is usually expressed as: DR = DAR IR x CR In an audit, the risk is never precluded Therefore, the concept of auditing risk desires to represent the level of auditor expectations for an acceptable level of risk The desired audit risk is determined by subjective experience and professional judgment of auditor When auditor assumes that the desired auditing risk (DAR) is zero, it means that auditor believes the customer's financial statements not have any material misstatement This is an ideal case for any audit but never happens The audit area is a relatively more absolute field, so auditor can only conclude that the financial statements have been presented honestly in terms of materiality and cannot be ascertained honestly and reasonably in every respect Conversely, when the audit risk is at or 100%, auditor believes that the customer's financial statements have been severely misleading in many respects Therefore, the fluctuation range of the desired audit risk varies from to or from 0% to 100% The introduction of the desired auditing risk level is subjective However, the level of audit risk desired by the auditor must be low enough for interested users to use the audited financial statements of customers as the basis for decision-making, limiting the type of risk in business Research on the types of risk has indicated the close interaction between them Inherent risks and other control risks are detected and audited in that they exist independently and objectively with financial information, independent of the auditor, auditor cannot also influence to change this two kinds of risk The interrelationships between the types of risk in financial auditing are: "Inherent risks and control risks differ from those found in these risks exist independent of financial information The inherent risk and control risk lie within the business operations and management environment of the business as well as in the nature of the account balance, the types of operations whether the audit is conducted or not Even these risks are not checked by auditor Auditor can evaluate these risks and design basic audit methods to minimize detection risk to an acceptable level That way it reduces the audit risk to an acceptable level "This type of relationship is built on the first audit risk model (model 1), means the audit risk governed by the risk of detection is not yet illustrate the dependent of detection risk on designed audit risk and inherent risks as well as control risk Inherent risks and control risks are often reversed and are therefore generally recognized when assessing audit risks If the enterprise is operating in high risk business sector, potential risks are high, although the Internal Control System of the company operates effectively but the control risk must always be assessed at medium or above average level This is because the inherent limitations of the Internal Control System and the control risks always exist Contrary to inherent risks and control risks, auditor may have an impact on the audit risk and detection risk In each specific circumstance, auditor will expect the desired audit risk based on the reliability of the financial statements after auditing and auditing costs The detection risk is modeled after (2) after the desired audit risk has been identified and the inherent risk and control risk assessed Therefore, auditor is not only aware but also can influence the detection risk With a predetermined level of audit risk, it can be concluded from model (2) that the detection risk is inversely related to the inherent risk and control risk Therefore, the detection risk is also inversely proportional to the amount of audit evidence to be collected If inherent risks and control risks are underestimated, the detection risk is calculated to be low, whereby the amount of audit evidence needed to be collected, the scope of the audit and the volume of work In contrast, when the inherent risk and control risk are underestimated, the detection risk is high, only the smaller auditing evidence can be gathered by the auditor AR High Low Low Average high Table 1.1: Relationship Between Risks And Audit Evidences IR CR DR Low Low High Average Low Low Low High Average Average High Average Low Average Average The amount of audit evidences low Average High Average Average 1.2 Evaluation of Audit Risk in Financial Statement Audit According to VSA 315 :” When determining the audit approach, auditor must pay attention to the initial assessment of potential risks The control is used to determine the level of acceptable detection risk for the financial statement data base and to determine the content, schedule and scope of the basic procedures for the data base " Thus, the purpose of the audit risk assessment is to determine the level of detection risk that underpins the planning of auditing trials to be applied From the risk profile of the audit, the perceived risk is determined on the basis of the desired audit risk, inherent risk and control risk 1.2.1 Determine the level of desired audit risk The desired audit risk is identified in the audit planning phase, which is determined in a subjective manner and depends on two basic factors: First, the extent to which external users believe in the financial statements In the market mechanism, there are a lot of people interested in the financial situation and its reflection in accounting documents that are directly financial statements Those interested may be: State agencies (information should be honest to regulate macro economy); Investors (need honest information for proper investment direction, use of investment capital and distribution of investment results); business executives and other managers (need honest information to make sound business decisions); Employees, customers, suppliers When many external users put their faith in the financial statements, significant discrepancies in the financial statements are likely to cause widespread harm Therefore, in this case, auditor needs to identify a low level of audit risk, thereby increasing the amount of audit evidence to be collected and increasing the accuracy of its findings A number of factors indicate the extent to which external financial statements are trusted by external users: First, the size of the entity being audited: The size of the entity can be measured by total assets, total revenue, or total income The larger the scale are, the more widely financial statements are used and the lower the desired auditing risk Second, ownership: If the ownership of a business falls to more than one participant, more people will be interested in the financial statement and the desired audit risk will need to be lowered and vice versa Third, the nature and scale of debt Debts are amounts that are definitely related to a third party loan or debt Existing and potential creditors are often concerned about the company's financial position, especially its ability to pay for its continued and continued borrowing Therefore, when the financial statement includes large amounts of debt or large-scale debt, they are likely to be more widely used Secondly, customers may have financial difficulties after the audit report is published If customers have financial difficulties after the audit report is published, auditors may strongly deal with lawsuits by the parties due to using the audited financial statements Therefore, in this case, auditor must set up a lower level of auditing risk at the beginning to prevent cases that are related to the parties involved This case will lead to higher audit costs but auditor still has to identify reasonable audit risk It is very complicated to predict the probability of a unit being audited in the future However, auditor may rely on the following factors to predict this event: First, the ability to convert into cash If a business often runs out of money and working capital, enterprises may have difficulty paying Technicians must assess the ability of customers to predict the ability of customers will face difficulties in the future and if aggravated, businesses lose their ability to pay short-term debt is easy to go bankrupt Second, the profit (loss) in previous years When a business drops rapidly or gains for a number of years, this is a sign that the business is in a bad direction Technicians should assess the likelihood that customers will experience financial difficulties when they see these signs appear Third, measures to increase the funding process If the business is more dependent on donations, especially looking for ways to increase this funding, it can prove that the business is not financially self-sufficient, thus the possibility of financial difficulties It will be high Fourth, the nature of the operation of the customer company In some areas of business, the risk of bankruptcy is high, such as securities brokerage business When auditing such businesses, Customers will face difficulties and risks in business to determine the reasonable risk of auditing Collecting information and learning about customers, especially the above two factors, will help auditor to determine the desired auditing risk for all audited financial statements However, auditing procedures are tailored to each item, the design of these procedures depends a great deal on the audit risk identified for each of those items Therefore, after setting the overall audit risk level for the entire financial statement, auditor should rely on it to set the level of audit risk for each item For example, auditor assesses the desired auditing risk level for the entire financial statement, auditor can determine the level of auditing risk of each item is also average However, with some special items, auditor can adjust this risk to be more appropriate because each item will be allocated a different critical level, the possibility of the existence of errors is considered Substantial and undetectable in each of the different items will be different 10 Fifth, the scale of the account balance Accounts with large cash balances are often subject to a higher inherent risk assessment than those with a small cash balance Auditor should collect and evaluate the above factors and determine the appropriate level of risk for each item in the financial statements 1.2.3 Control Risk Assessment Control risk assessment is a step in the assessment process of the customer's internal control system Control risk assessment is divided into three steps: initial assessment of control risk, implementation of control testing and reassessment of control risk However, in order for the process of risk assessment to be carried out properly, the auditor must still carry out all the work steps such as the process of evaluating the Supervisory Board Step 1, Initial assessment of control risk According to VSA 315: "Initial assessment of control risk is the assessment of the effectiveness of the accounting and control system of the application In preventing or detecting and correcting critical errors Control risk is not completely eliminated due to the inherent limitations of the accounting system and internal control system " To provide an initial assessment of the control risk, the auditor must collect information on the internal control system and describe in detail his / her working document By means of an itemized approach and cyclic approach, it is important to understand the information that is needed to evaluate the internal control in three ways: its existence, its continuity and its effectiveness When the internal control meets the above requirements, the auditor will initially assess the control risk at medium or low levels To gain an understanding of the information, auditor can use the following methods: - Based on past experience of auditor predecessors - An interview with a company employee - Review the company's procedures, regulations, and regulations - Check the customer records of the company - Observe the operational and operational aspects of the client company In order to better understand such information, the auditor must describe the information on the working paper through questionnaires, narrative tables or flow charts of the internal control system Auditors may incorporate these descriptive methods to increase the efficiency of the cognitive process in order to make the initial assessment relevant According to VSA 315: "Based on an understanding of the accounting system and internal control system, auditor and audit firm An initial assessment of the control risk for the basis of each account balance or major economic operations is required." The process of assessing the control risk on the basis of each account balance or major economic operations requires auditor to carry out for each specific audit objective Therefore, auditor should the following: - Identify the control objectives under which the assessment process is applied - Identification of specific control processes 13 - Identify and evaluate the weaknesses of the internal control system After identifying these issues, auditor relies on information obtained to provide initial assessment of control risks In this work, VSA 315 writes: 29 Auditor typically assesses the level of control risk at the basis of the financial statements in the case of: - Inadequate accounting and internal control system; - Inefficient accounting and internal control system; - Auditor is not provided with sufficient basis to assess the adequacy and effectiveness of the accounting system and internal audit system of customers 30 Auditor generally assesses the control risk to a lesser degree on the basis of the financial statements in the case of: - The team has sufficient grounds to conclude that the accounting system and internal control system are designed to prevent, detect and correct material errors; - Auditor plans to carry out control tests as the basis for risk assessment However, during the initial assessment of control risk, auditor must take into account the constraints faced by the internal control system These restrictions include: - The Board of Directors of the company always requests that the costs of the internal control system must be lower than the benefit of the system Therefore, auditor easily found that small businesses not design and maintain the internal control system, so the risk of initial control is always high - Most control procedures are usually set up for regular operations rather than occasional operations As a result, auditor can immediately anticipate the high initial control risk for its clients' non-routine operations - Errors due to human lack of attention during the implementation of the functions and tasks of the control process, so to ensure prudence, auditor usually assess the initial control risk of 50% to 100% - The ability of the internal control system to not detect collusion between board members or employees with other individuals inside or outside the unit - The ability of the person responsible for performing the control procedures to abuse his or her powers and duties - Regulatory changes and regulatory requirements have made control procedures obsolete than required or violated For the last three inherent limitations, auditor still has to carry out the basic tests and audit procedures necessary even if the initial control risk is assessed to be low Step 2, Perform Test Control After the initial assessment of control risk, auditor conducted the control experiment The nature of the implementation of control tests is to evaluate the effectiveness of the internal control system, which can reduce the baseline testing in the audit process Section 33 of the VSA 315 states that "technicians must perform control tests to obtain sufficient evidence of the effectiveness of the system mathematics and science and technology -technology in terms of: 14 -Design: The accounting system and the internal control system of the unit is designed to be capable of preventing, detecting and correcting critical errors; - Implementing: The accounting system and the internal control system exist and operate effectively during the review period " The implementation of control tests must be based on the condition of each specific customer Auditor can perform the following controls: Firstly, auditor performs a check on documents reflecting economic transactions and events that arise to collect audit evidence on the effectiveness of the accounting and the internal control system For example, auditor can check whether advance documents are fully and properly approved Secondly, auditor conducts interviews, observes the actual performance of the control functions and tasks of those who carry out internal controls Third, auditor rechecked the implementation of internal control procedures to ensure that the company complied with the regulations When performing control tests, the control objectives may not change, but the audit procedures may vary depending on whether the client applies or does not apply the information in the accounting work as well as the internal control system When accounting work and the internal control system are implemented on computers, auditor can use computerized audit techniques with auditing software to collect auditing evidences Step 3, Reassess control risk Based on the results of the implementation of control trials, auditor re-evaluates and determines the level of control risk used to plan the implementation of the baseline tests If the initial assessment of the control risk is high, auditor believes that the risk of actual control is lower, auditor will expand control tests to prove its judgment and then reevaluate the risk control will decrease The control risk assessment is controlled by auditor after the evaluation of the internal control system If the auditor gives a good assessment of the customer's internal control, the re-assessed control risk will be low but never zero because the auditor can not fully trust the internal control system sets of customers In the opposite case, the control risk is reassessed at a higher level and the technician must undertake the basic tests 1.2.4 Detection Risk Assessment Detection risks are defined by three types of risks: the desired audit risk, the potential risk, and the control risk These three types of risk vary from item to item, so the detection risk should also be identified for each item and the basis for the auditor to determine the content, schedule and scope of the basic test to be performed Once the desired risk level has been established, the potential risk and control risk are assessed The risk is determined by the formula: DR = AR IR x CR 15 The detection risk is inversely related to the potential risk and control risk When potential risks and control risks are high, the detection risk should be low to maintain a low level of audit risk In contrast, where potential risk and control risk is underestimated, it is acceptable to accept a higher level of exposure but still ensure an acceptable level of audit risk The volatility of the exposure based on auditor's assessment of inherent risks and control risks is shown in the table below: Table 1.2 Risk Matrix Detection IR is evaluated by auditor High Average Low CR is High Lowest Low Average evaluated by Average Low Average High auditor Low Average High Highest (Assumptions for auditing risks are determined by auditor) Auditor's assessment of the types of risks that may change during the audit process If auditor discovers new information that is significantly different from the original, auditor may change the audit plan to suit the inherent risk assessment and control risk 16 CHAPTER II: CURRENT SITUATION OF AUDIT RISK ASSESSMENT IN FINANCIAL STATEMENT AUDIT IN VIETNAM 2.1 The development of auditing in Vietnam Auditing is a profession term and a professional activity that has appeared around the world early and has been accepted in Vietnam since 1990 In the new management mechanism, the state leads the economy not through administrative measures, but by law, leverage and economic instruments Economic market requires that economic and financial activities take place in an equal, transparent and open manner The economic and financial information that is accounted for, synthesized and provided for economic decisions must be sufficient, honest and of high reliability The auditing system in Vietnam - one of the most effective tools for economic and financial management, products of the market economy and international economic integration have been developed The auditing system consists of three constituent parts: state audit, independent audit and internal audit The modules have different positions, roles and scope of activities, but they perform the same function of checking and controlling economic and financial activities, there is a certain similarity in professional methods Independent auditing and internal auditing was established in 1991 and 1997 in turn Since then, auditing modules have gradually established their positions and roles and made positive contributions to the process of managing and using thriftily, for the right purposes, effectively the financial resources and property in society; contributing to the financial and monetary relations; speeding up the process of international economic integration and perfecting the elements of the market economy in Vietnam 2.2 Current status of audit risk assessment process in Vietnam Critical valuation and audit risk are a more complex and audacious problem for auditors In international auditing standards, as well as Vietnamese auditing standards, only general guidance on risk and significance, critical assessment and risk, then each audit firm will have Specific guidance for its auditors In Vietnam now, the number of auditing firms is quite large, but not all companies have specific guidelines on critical appraisal procedures and risks for employees In addition, companies have guidelines, the company will have processes that have different characteristics In this article, I would like to give you examples of auditing companies in Vietnam: AASC Financial Advisory and Accounting Consultancy Service Co., Ltd 2.2.1 Audit risk assessment 2.2.1.1 Risk assessment in terms of financial statement a Set the desired audit risk level 17 The expected audit risk will be based on two fundamental aspects: the extent to which external users trust the customer's financial statements and the likelihood that the customer will encounter financial difficulties after Audit report is published In fact, AASC determine the level of audit risk desired based on the following factors: + Scale of customers; + Number of debts; + Ability to pay; + Revenue growth rate; + Capability of the Board; + Experience of auditors The scale of customers and the number of users of financial statements are determined based on the financial statements as total investment capital and total assets The auditor also reviews and analyzes financial indicators in the balance sheet, the report on business results of the current auditing year and compares them with the previous year's figures to evaluate the financial statements Debt balance, solvency, turnover, profitability and volatility of these indicators Usually with large clients, the auditor will determine that many people are interested in the financial statements Despite the preliminary analysis of the financial statements, Vietnamese auditors have not yet focused on setting the desired auditing risk level In each audit, companies determine the level of general audit risk and apply to most audits b Inherent risk assessment in terms of financial statements The AASC assesses inherent risks at three risk levels: high, medium and low The assessment of a customer is classified as a risk based on the following criteria: + The first criterion: integrity and characteristics of the board of directors; + The second criterion: business nature of customers; + The third criterion: accounting estimates; + Criterion 4: economic operations are not regular Based on the factors influencing auditor to understand the customer Then they can synthesize their knowledge about the customer to answer the questions put forward for the assessment of potential risks in the financial report Auditor questions to assess inherent risks include: What are the company's activities? What is the customer structure? What is the accounting policy applying of the client company? Changes in current accounting policies? Capability of Board of Directors? Qualifications of chief accountant and staff of accounting department, internal auditor Relationship between customer and auditors? Does auditor have doubts about the integrity of the Board of Directors? Do customers intend to cheat auditor? 18 The change of market and the competition? Comment of auditor on audit report last year? Are there any unusual pressures on the management and staff of the accounting department? Ability to report wrong financial results or asset value? Change in personnel in Board of Directors and Accounting Department? From those criteria, the AASC provided the questionnaire format: Table2.1: Inherent Risk Assessment in terms of Financial Statements of the AASC AUDITING ACCOUNTING FINANCE SERVICE CONSULTANCY (AASC) Customer name: Accounting year: Account: Task: Inherent risk financial statement Performer: assessment on Date: What are the company's activities? What is the customer structure? What is the accounting policy applying of the client company? Changes in current accounting policies? Capability of Board of Directors? Qualifications of chief accountant and staff of accounting department, internal auditor Relationship between customer and auditors? Does auditor have doubts about the integrity of the Board of Directors? Do customers intend to cheat auditor? 10 The change of market and the competition? 11 Comment of auditor on audit report last year? 12 Are there any unusual pressures on the management and staff of the accounting department? 13 Ability to report wrong financial results or asset value? 14 Change in personnel in Board of Directors and Accounting Department? Conclude Auditor: Date: c Evaluation of control risk in terms of financial statement 19 Along with the inherent risk assessment, auditor will conduct a thorough investigation of the customer's internal control and assess the control risk After evaluating the inherent risk for the entire financial statement, the AASC auditor conducted a control risk assessment by collecting questionnaire information (Table 2.2) on the Internal Control Based on the responses on the "Internal Audit Questionnaire", auditor will assess the Issuer's eligibility status as moderate, average, or weak, thereby identifying low, medium or high control risks The questions asked by the Internal Market and External Development are designed for each aspect of the internal control: + Accounting system +Control procedures Auditor's assessment is reflected in the document working on each of these elements through the internal control In the assessment process, auditor also relies on the judgment to make appropriate conclusions about the internal control and on that basis identify the corresponding control risk Table 2.2: Internal Control of Customers conducted by AASC AUDITING ACCOUTING FINANCE SERVICE CONSULTANCY (AASC) Customer name: Accouting year: Performer: Account: Date: Task: Evaluation of internal control Conclude: The internal control evaluated: Fair Medium Low Questions Yes No Not applying Is the organizational structure too complex? There is no sufficient information between the board of directors, the board of directors and the control committee? Auditor: Date: d Determine the risk of detection in terms of financial statements Detection risk is determined on the basis of the expected audit risk, inherent risk and control risk assessed However, in practice, due to lack of attention and proper implementation of risk assessment process and especially control risk, most independent auditing companies of Vietnam determine the risk presently, the audits are on average but 20 ... audit risk evaluation CHAPTER I: THEORETICAL FRAMEWORK OF AUDIT RISK EVALUATION IN FINANCIAL STATEMENT AUDIT 1.1 Audit risk in the Financial Statement Audit 1.1.1 Definition In general auditing... original, auditor may change the audit plan to suit the inherent risk assessment and control risk 16 CHAPTER II: CURRENT SITUATION OF AUDIT RISK ASSESSMENT IN FINANCIAL STATEMENT AUDIT IN VIETNAM. .. with financial information, independent of the auditor, auditor cannot also influence to change this two kinds of risk The interrelationships between the types of risk in financial auditing are: