Audit procedures of risk assessment at r nplanning phase at ey vietnam limited r ncompany

Audit risk Auditing standards require the auditor to obtain an understanding of the entity and its environment, including its internal control, to assess the ROMM in the client’s finan

UNIVERSITY OF ECONOMICS AND LAW FACULTY OF ACCOUNTING AND AUDITING

UNIVERSITY OF ECONOMICS AND LAW

FACULTY OF ACCOUNTING AND AUDITING

GRADUATION THESIS

AUDIT PROCEDURES OF RISK ASSESSMENT AT PLANNING PHASE

AT EY VIETNAM LIMITED COMPANY

ADVISOR: HOÀNG THỊ MAI KHÁNH AUTHOR: NGUYỄN THANH TRÚC

STUDENT ID: K174050625

HO CHI MINH CITY, MAY 2021

COMMENTS OF ADVISOR

……… ………

…… ……… ………

……… ……… ………

……… ……… ………

……… ……… ………

……… ………

……… ………

…… ……… ………

……… ……… ………

……… ……… ………

……… ……… ………

……… ………

……… ………

…… ……… ………

……… ……… ………

……… ……… ………

……… ……… ………

……… ………

……… ………

…… ……… ………

……… ……… ………

……… ……… ………

……… ……… ………

……… ………

……… ………

THANK YOU STATEMENT

First of all, I would like to thank the teachers of the University of Economics and Law especially the teachers in Accounting and Auditing Faculty, who always accompany me, teach and convey knowledge, extremely valuable to me throughout final this year That knowledge will definitely help you a lot on your career path in the future

I would like to send my deep thanks to my advisor – Ms Hoang Thi Mai Khanh She is a person who always helps and supports me a lot but over the past time, she has always taught me a lot of things about the field that I have chosen Through her support, all of them helped me a lot in completing the thesis and helped me receive the necessary technical knowledge to apply in work and in life Thank you very much I also would like to send my deep thanks to the Board of Directors and my colleagues at EY The time I practiced at Ernst & Young Co., Ltd gave me the opportunity to gain practical knowledge Practice, imparting to me skills, experience and especially helping me a lot so that I can complete this essay

During the internship, as well as in the process of completing this graduation thesis, there are still many limitations, it is inevitable that unnecessary mistakes are unavoidable I look forward to receiving the comments of teachers Those things will help me a lot in learning skills, experience and overcoming mistakes

I sincerely thank you!

Ho Chi Minh City, April 19 th 2021 Student name

LIST OF ABBREVIATIONS

EY GAM Ernst & Young Global Audit Methodology

LIST OF TABLES

Table 1.1 Matrix of detection risk

Table 2.1.Summary of Walk-through Test Results

Table 2.2 CRA for material items

Table 2.3 Relationship between associated risk and substantive testing performance

LIST OF DIAGRAMS

Diagram 1.1 - Relationship between components in audit risk

Diagram 2.1 EY’s organizational structure of management

Table of Contents

INTRODUCTION 1

Reasons to choose the topic 1

Objectives of the study 2

Methodology of the study 2

Scope and limitations of the study 3

CHAPTER 1: THEORITICAL BACKGROUND OF AUDIT RISKS AND AUDIT RISK ASSESSMENT 4

1.1 What are audit risks? Differentiate from other types of risk 4

1.1.1 Audit risk 4

1.1.2 Differentiate from business risk 5

1.1.3 Audit risks model components 6

1.1.4 The relationship between risk types (audit risk model) 9

1.1.5 Relationship between audit risks with materiality 12

1.2 Risk assessment process 13

1.2.1 Risk assessment in each stage of the financial statements audit 13

1.2.2 Risk assessment in planning stage of the financial statements audit 14

CHAPTER 2: AUDIT PROCESS OF RISK ASSESSMENT AT EY – ILLUSTRATION AT CLIENT ABC 21

2.1 Introduction to EY 21

2.1.1 EY Global 21

2.1.2 EY Vietnam 22

2.1.3 Key services 22

2.1.4 Management system 23

2.1.5 Mission, Vision & Values 24

2.1.6 Achievements 24

2.1.7 Audit process of FSs at Ernst & Young Vietnam (EY GAM) 25

2.2 Risk assessment process at Ernst & Young Vietnam – Illustrate at ABC Company 27

2.2.1 Pre-planning phase 27

2.2.2 Planning phase 31

2.2.3 Test Walkthrough 58

2.2.4 Assessment of internal control system 60

2.2.5 Combined risk (CRA) with substantive test 62

CHAPTER 3: COMMENTS AND RECOMMENDATIONS 66

3.1 Comment on the audit risk assessment process during the planning phase at Ernst & Young Co., Ltd 66

3.1.1 Advantages 66

3.1.2 Disadvantages 70

3.2 Recommendations 71

CONCLUSION 73

REFERENCES 74

APPENDIX 75

APPENDIX I - AUDITOR PROCEDURES TO BE FOLLOWED WHEN UNDERSTANDING INTERNAL CONTROL SYSTEMS 75

APPENDIX II - UNDERSTAND THE BUSINESS - COMPANY ABC 78

APPENDIX III - LAWS AND REGULATIONS FORM – ABC COMPANY 87

APPENDIX IV – ENTITY LEVEL CONTROLS COMPANY A 92

APPENDIX V – CRA FOR MATERIAL ITEMS AT CLIENT ABC 106

INTRODUCTION

Reasons to choose the topic

Nowadays, along with the development and diversification of IT, integration and cooperation with the countries around the world as participating in many free trade agreements such as opposition agreements Trans-Pacific (TPP), ASEAN Economic Community (ACE), This has contributed to make Vietnam's economy more and more developed, parallel to the advantages in multi-modal import, businesses in Vietnam also face with the formula and fierce competition in capital mobilization and market expansion

To meet these difficulties in economic integration, the FSs have been audited to contribute an important part in creating reputation and reliability for businesses The audit of financial statements not only needed for the supervision

of companies trading on the stock market, but also used as a mechanism for fraud detection and financial liability In order to solve the problem above, companies FSs need to be audited to provide audited reports to stakeholder’s confidence on the information they are provided

As one of the professional services, auditors are becoming the essential workforce in the society With independence and technical knowledge, auditors can give the confidence to the shareholders on the subject matter as financial statements and help them make decision on whether they should invest their money

in the company One of the audit procedures in the planning phase will help the

auditors is, “ Risk Assessment at the planning stage of an audit" Risk assessment in the planning phase is extremely important, helping the auditor have

a basis for content design, schedule, and scope of subsequent audit procedures Besides, risk assessment also helps auditors identify high-risk areas, then focus resources to ensure not passing material misstatements Furthermore, the risk

assessment also helps the auditors save time, thereby bringing the balance between benefits and costs and auditors' efforts but still ensure the quality of the audit

Among all procedures in conducting an audit, risk assessment is the fundamental procedures Today, an audit is still conducted on a risk-based approach to give a reasonable assurance on the FSs The auditors cannot and do not arrange to check all transactions but just the material and risky areas

Understanding the essence of this procedure, the author decided to combine the theory and the practical experience gaining from the internship at

Ernst and Young Vietnam Limited Company, then choose the topic “ Audit procedures of risk assessment at planning phase at EY Vietnam Limited Company ”

Objectives of the study

The study aims to:

- Review the theoritical background of risk assessment procedures in the planning stage

of an audit

- Describe and analyze the practice of risk assessment at EY Vietnam Limited Company Figure out the different between the guideline from books and on the practical use of

methods to assess the risk of Ernst & Young Vietnam Limited Company

- Give comments on pros and cons as well as recommendations for the implementation

of the regulation risk assessment at EY

Methodology of the study

- Collect documents and published standards related to ROMM assessment, theoretical from the Auditing course

- Researching on the audit program of EY (EY Global Audit Methodology - EY GAM)

- Collecting data from the entity audit file combined with the interview with EY audit team leaders to learn about ROMM assessment procedures at EY Vietnam Co., Ltd

Scope and limitations of the study

The procedure for assessing the risks of material misstatement during the audit planning stage is an important process and is regulated by international accounting standards and Vietnam, so the auditing companies apply the submitted

to this in all audits And obviously, EY has also been applying the above process

in the company's audit program, the risk assessment is a continuous process and is always updated and adjusted in time so that auditors have the coping with risks, and this is usually a job by senior auditors such as audit team leaders, owners, Those are auditors who have a lot of experience, knowledge and professional judgment to make practical and effective reviews

The topic focuses only on risk assessment, does not focus on other procedures and illustrates only 1 client, so it is not general for all cases at EY At the same time, the writer is not directly involved in the discussion, discussion and assessment of audit risks during the audit preparation phase, but only has the opportunity to learn the actual documents, to record the Client records about the content related to the risk assessment procedures of the units in which the writer is participating in the audit in EY's Canvas audit program

CHAPTER 1: THEORITICAL BACKGROUND OF AUDIT RISKS AND AUDIT RISK ASSESSMENT

1.1 What are audit risks? Differentiate from other types of risk

1.1.1 Audit risk

Auditing standards require the auditor to obtain an understanding of the entity and its environment, including its internal control, to assess the ROMM in the client’s financial statements Auditors can increase the number of audit procedures in order to reduce the level of audit risk Reducing audit risk to a modest level is a key part of the audit function, since the users of financial statements are relying upon the assurances of auditors when they read the financial statements of

an organization

According to paragraph 13 VSA 200 defines: “Audit risk is the risk stated

by the auditor knowledge is not appropriate when the audited financial statements contain material misstatements Audit risk is the result of risks of material misstatement (including inherent risks, audit risks control) and risk detection ” In addition, paragraph A33 VSA 200 states: “Auditing risk” does not include the risk that the auditor may state that the financial statements contain material misstatement but in fact the financial statements do not contain such misstatements

The auditor can give an opinion that there are material misstatements in the financial statements, but in reality, the financial statements do not have misstatements like that This risk is usually not serious It only affects the effectiveness results of the audit because the auditor has performed more procedures to prove the financial statements there are no material flaws Additionally, audit risk is a related technical term to the audit process, does not imply the risks that auditors encounter in business such as losing the lawsuit,

disclosing information, not collecting audit fees, etc…or events arising in relation

to the audit of financial statements”

There are many reasons why auditors give inappropriate opinions while the audited financial statements still contain material misstatements, including:

- The audit of the financial statements only provides a reasonable level of assurance (a high level of assurance possible acceptable but not absolute)

- Unable to detect all misstatements at the unit due to the existence of fraudulent acts noncompliance or collusion among employees at the client is audited

- Limited in terms of time as well as audit fees The audit was performed out the balance between time and audit fees Auditors performed the audit for a reasonable fee also guarantees the quality of the service be provided

- Limited professional capacity of auditors and capacity in the field of operation client action

- Limitations in audit procedures that lead to the inability to detect all misstatements key at the client

- Due to the nature of financial statement preparation: accounting estimates, provisions, etc…

- The risk in sampling technique leads to the sample being selected not being representative of the population

1.1.2 Differentiate from business risk

Business risks are defined as “a risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies” ISA 315(2) definition

Risks must be related to the risk arising in the audit of the financial statements and should include the financial statement assertion impacted Therefore, audit risks should be related back to relevant assertions

ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment identifies the following assertions:

• Assertions about classes of transactions and events for the period under audit – occurrence completeness, accuracy, cut off and classification

• Assertions about account balances at the period end – existence, rights and obligations completeness, and valuation and allocation

• Assertions about presentation and disclosure – occurrence and rights and obligations, completeness, classification and understandability, and accuracy and valuation

1.1.3 Audit risks model components

Audit risk is made up of two components – risks of material misstatement

and detection risk Risk of material misstatement is defined as the risk that the financial statements are materially misstated prior to audit This consists of two components which are inherent risk and control risk

According to paragraph 13 VSA 200 defines: “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated Audit risk is a function of the risks of material misstatement and detection risk”- ISA 200

Inherent risk is the susceptibility of an assertion about a class of

transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls

According to paragraph 13 VSA 200: “Inherent risk is a potential, inherent risk, due to the assertions of a group of transactions, account balance or disclosures

that may contain material misstatement, when considered individually or in combination, prior to considering any relevant controls ”

Some assertions of items or disclosures presented in the financial statements contain inherent risks at a higher level than other assertions The difference in the level of inherent risk between assertions depends on the business performance of each enterprise

For example, for a food processing business, the problem is the stock or inventory If inventory is not properly maintained, and the risk associated with inventories at this enterprise is inadequate provisioning for inventories

➔Therefore, data processing establishments assessing inventories of food processing enterprises have very high inherent risks

In addition, external factors such as the business environment, the level of competition, the field of operation, and cultural legal factors also affect the inherent risks of the entity For example, with a joint stock company operating in a high-risk, highly competitive field, the risk of revenue will be overstated to ensure investment attraction and continue to be listed on the stock exchange Therefore, the assertion of revenue generated in this business is potentially risky at a very high level In addition, many internal factors also affect the inherent risks of the entity such as: the integrity of the board of directors, the professional capacity, management styles, etc…If the results of the Board of Directors are based on sales, the risk identified here is the ability to overstate the revenue to achieve the prescribed salary or bonus

Control risk measures the auditor’s assessment of the risk that a material

misstatement could occur in an assertion and not be prevented or detected on a timely basis by the client’s internal controls

However, no matter how effective the internal control system is, it is not possible to prevent and completely eliminate all risks, or in other words, there are

always control risks at the unit, an effective internal control system can only help

to reduce the level of risk occurs, from which the level of control risk will be reduced

According to paragraph 13 VSA 200: “Control risk is the risk of material misstatement, either alone or in aggregate, to a group of transactions assertions, account balances or theoretical information The unit's internal control cannot be prevented or detected and repaired in time ” If there is a major control failure, an organization will probably suffer undocumented asset losses, i.e., its financial statements might identify a profit although there’s really a loss

Planned detection risk is defined as ‘the risk that the procedures

performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.’

Planned detection risk is the risk that audit evidence for an audit objective will fail to detect misstatements exceeding performance materiality There are two key point to know about planned detection risk Planned detection risk is dependent

on the other three factors in the model It will change only if the auditor changes one of the other risk model factors Planned detection risk determines the amount

of substantive evidence that the auditor plans to accumulate, inversely with the size

of planned detection risk If planned detection risk is reduced, the auditor needs to accumulate more evidence to achieve the reduced planned risk.- This type of risk

is different from inherent risk and control risk Risk of detection is subject to the auditor's control through substantive testing The level of detected risk is influenced by many factors, including:

- Content, schedule and scope of audit trials Auditors can reduce the risk of detection by increasing the baseline experiment, expanding the scope of the audit

or increasing the sample size However, the auditor cannot completely eliminate

the risk of detection even if the auditor performs the test for all transactions in the entity, which may be due to improper selection of audit procedures, incorrect sampling or the capacity of the auditor;

- "Sampling risk is the risk that the auditor's conclusion on the testing of a sample may differ from the conclusion made if the entire population is examined with the same audit procedure." (Section 5 VSA 530)

- "Risk beyond sampling is the risk when the auditor reaches a false conclusion because the reasons are not related to the risk of sampling." (Section 5, VSA 530)

1.1.4 The relationship between risk types (audit risk model)

Three types of audit risk that include inherent risk, control risk, and detection risk are closely related to each other Even though inherent risk and control risk are not in the control of auditors, they need to make sure that the level

of detection risk is suitable in responding to these types of audit risk so that the overall level of audit risk is acceptably low Audit risk is a function of inherent risk assessment, control risk assessment and detection risk, as demonstrated in the audit risk model

The audit risk model is shown through the following model:

Table 1.1 Matrix of detection risk

Risk of material misstatement: The risk that the financial statements contain material misstatement before the audit At the assertion level, risks of material misstatement include two parts:

(i) Inherent risk: is a potential risk, due to the ability of a group of transactions, account balance or disclosures that may contain material misstatement, when considering individually or collectively, before any relevant controls are considered;

(ii) Control risk: The risk of material misstatement which, when considered individually or aggregated , against a group of transactions assertions, account balance or disclosures that internal controls are unable to prevent or fail to detect and correct in time; According to paragraph 13, VSA 200: “The risk of material misstatement is the risk when the financial statements contain material misstatement before auditing.” Risk of material misstatement includes two levels: the overall level of the financial statements and the level of assertion

According to paragraph A105, ISA 315 defines: “Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions Risks of this nature are not necessarily risks identifiable with specific assertions at the class

of transactions, account balance, or disclosure level Rather, they represent circumstances that may increase the risks of material misstatement at the assertion level, for example, through management override of internal control Financial statement level risks may be especially relevant to the auditor’s consideration of the risks of material misstatement arising from fraud ”

Also at the level of assertions of a group of transactions, account balances

or disclosures, the risk of material misstatement is a combination of the inherent risk and control risk in the entity The auditor should consider the risk of material misstatement at the assertion level for groups of transactions, account balances or disclosures, as it will assist the auditor in determining content and schedule, and the scope of subsequent audit procedures

Diagram 1.1 - Relationship between components in audit risk

1.1.5 Relationship between audit risks with materiality

According to paragraph 9 ISA 320 materiality is defined as follows:

“Performance materiality means the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures ”

Audit risk and materiality are inversely related to each other This means that, if the lower the audit risk is assessed, the materiality level will be established

at a lower level and then more audit work is required, vice versa

In the planning stage, the auditor conducts a preliminary risk assessment

at the client through the general understanding of the client From there, the auditor will make judgments about the extent of the misstatements that will be considered material These judgments will be the basis for:

Determining the content, schedule and scope of risk assessment procedures;

- Identify and evaluate the risks of material misstatement; and

- Determine the content, schedule and scope of subsequent audit procedures

In the process of auditing the financial statements, the auditor must always evaluate the relationship between audit risks and materiality If an arising event results in the auditor's re-evaluation of audit risks at the entity is higher than the original evaluation, it also means that acceptable misstatements will be reduced

With a reduced acceptable level of error, the auditor will have to adjust the audit procedures appropriately (increase the sample size, expand the scope or perform additional audit procedures) to ensure to detect most of the material misstatements that may affect the entity's financial statements and to gain higher level of assurance

Currently, in the Vietnamese and international auditing standards, there is

no specific regulation on establishing materiality in auditing financial statements This means that materiality will be determined primarily on the auditor's professional judgment and experience Auditors will base on their knowledge of the client through research and risk assessment at the client to be able to provide a reasonable materiality, to ensure that audit risks will be minimized to an acceptable low level Therefore, considering the relationship between materiality and audit risks is extremely important throughout the audit process Moreover, considering the possibility of material misstatement of each item, account balance or disclosures also helps auditors target high risk areas, and needs to focus resources and need in the redesign of audit procedures so that audit risks are always kept at

an acceptable level

1.2 Risk assessment process

1.2.1 Risk assessment in each stage of the financial statements audit

Pre-planning stage:

- Consider accepting or rejecting new clients, maintaining or terminating relationships with existing clients;

- The risk assessment also helps the auditor to calculate the completed workload as

a basis for the reasonable allocation of resources, time for the audit and calculation

of audit fees

Planning phase

- Limiting the scope of work to the extent necessary to both save time and ensure the quality of the audit at a reasonable fee;

- Zoning out high-risk items, need to focus resources and have appropriate audit procedures to satisfy audit objectives

Audit implementation stage

- The risk assessment in previous stages is the basis for conducting audit procedures

in accordance with identified focus;

- During this phase, the risk assessment continues to ensure that the events leading

to the increase in risk compared to the original assessment are not missed An increase in audit risk leads to altering the content, schedule and scope of audit procedures to ensure material misstatements are not ignored;

- Support for auditing work in the following years

Completion phase of the audit

- As a basis for reviewing audit records, evaluating the completeness of audit evidence and work performed, thereby ensuring the quality of the audit

- In addition to the above meanings, risk assessment is also a mandatory process in the audit of financial statements and is specified in Vietnamese and international audit standards that auditors are required to perform when conduct an audit

1.2.2 Risk assessment in planning stage of the financial statements audit

During the planning stage, auditors need to have necessary and complete understanding of the unit and its business environment in order to evaluate and analyze the events, operations and practices of the unit but according to the auditor, the events, profession or practice activities can materially affect the financial statements

To get the assessment information, the auditor uses data sources such as from the statistics websites of the Ministry of Finance, the website of the unit, industry analysis reports, economic structure, regulations, etc…

The main contents, auditors need to have understanding of the unit and unit environment include:

- General understanding of the economic situation

- The understanding of the environment and the field of operation

- The understanding of the intrinsic factors of the entity being audited

1.2.2.1 General understanding of the economic situation

Auditors need to update their knowledge about the current state of the economy: inflation volatility, GDP, currency value, foreign exchange rate and foreign exchange control, industry structure through information sources such

as Ministry of Finance's statistics website, a website that analyzes the financial indicators of the economy These significantly impact the unit's current performance and future performance trends From that understanding, changes in activity can be explained or provide indicators of why specific problems exist in the entity's business

1.2.2.2 Understanding of the environment and the field of operation

Learning about the environment and the field of operation will help auditors a lot in identifying business risks that can affect the operations and industries of the unit

❖ Legal framework needs

- Requirements for legal frameworks: including legal and regulatory environment related to the business industry

- Accounting system is applying and practices for the entity's profession

- Legal and regulatory stereotypes significantly affect an entity's business, including direct oversight activities

- Tax regulations include unit income tax, personal income tax and other taxes

- Other policies, regulations

❖ Competitive market

Each industry, business field has its own characteristics in each period, each market with different development trends and is affected by the competitive market such as:

- Competitive environment;

- Supplier relationship;

- Relationship with a key entity;

- The progressive change of technology, high technology

❖ Business goals, strategies and risks

Auditors will assess business risks through learning about single goals and strategies to identify possible ROMM Auditors need to learn contents such as:

- Industry development: for example, an entity that is unable to adapt to a change in industry, lack of resources and expertise

- New product or service: obligations the unit may incur in the future, liability for the product increases, reputation affected

- Expanding the scope of business: estimating the market demand incorrectly

Identifying inappropriate development strategies, unmet market goals, or product or service flaws affecting unit reputation and obligations and responsibilities the entity has to bear, Auditors who have an understanding of business risks will help in detecting ROMM, because most business risks will impact, causing financial consequences, influence the financial statements of the unit However, auditors do not have to learn and evaluate all the business risks of the entity, because not all of them cause ROMM

1.2.2.3 Understanding of the intrinsic values of the entity being audited

❖ Characteristics of the unit

In addition to the general characteristics of the profession, each unit also has its own characteristics about the unit, which the auditor should pay attention to learn the information related to business activities, ownership and governance structures, investment activities, sponsorship and sponsorship activities, the preparation and presentation of financial statements, etc…

Understanding this helps the auditor to determine the ROMM on the financial statements and the related internal control risks The auditor gaining an understanding of the characteristics of the unit will help to understand the problem

❖ Selection and application of accounting policies

Auditors learn about the accounting policies applied in their units, these are the selected accounting principles and policies for preparing and presenting financial statements Most of the units will apply accounting policies in accordance with current standards Auditors need to consider the following issues to identify ROMM in the financial statements:

- Accounting policies apply to important transactions, major operations and unusual transactions, for example, the method of applying inventory price calculation

- Changes in new accounting books

- The specific accounting policies of the entity

❖ Measure and evaluate the performance of the unit

Business performance is measured and evaluated, focusing on achieving the goals set by the Board of Directors (third parties)? The measurement of results from within (monitoring performance control activities, financial and non-financial assessment indicators, volatility analysis, phased performance, etc…) or outside

are all can exert pressure on the unit These pressures may be the cause for the Board of Directors to take action to improve the outcome business results or financial statements information For example, the pressure from shareholders to expect the market share price to grow 9% / year while the economy is in trouble That puts pressure on business results for the Board of Directors, they will have more risk of falsifying the financial statements to meet shareholders' goals

❖ Understand the internal control system

At this stage of audit planning, the auditor's team focuses on understanding how the entity's internal control works Auditors must find out information related to the internal control system of the unit, which is related to the audit The auditor evaluates whether the components of the internal control system operate with a high level of impact on the unit or not, how to design assess whether the control procedures designed at the unit have been done or not

However, how effective an internal control system is, it is not possible

to eliminate all risks that may affect the achieved goals of the unit The reason is that in any internal control system, there will be inherent limitations (such as misstatements caused by human factors from inappropriate decisions, incorrect accounting system design, or by them) do not fully understand the purpose and requirements of the activity or due to fraudulent actions, overpowering from the leaders at high level), and therefore, control risks at the unit always exist

1.2.2.4 Understand the internal control system

The control risk assessment begins with an assessment of the control environment The internal control system can be damaged by a weak control environment Strong individual control procedures cannot compensate for a weak

control environment and assessment of the control environment is a matter of professional judgment

After assessing the control environment, the auditor should evaluate the design effectiveness of the control procedures and the ability to prevent or correct material failures when considered alone or in combination with other controls If a control is not properly designed, there is no benefit in implementing it, so it is important to consider the design of the control A control that is not properly designed to prevent or detect and correct a defect is a serious defect in the internal control of the entity

❖ Control environment:

This is an important element of the internal control system, the auditor needs

to consider the factors that contribute to its quality, check whether those factors are operating effectively or not and make general conclusions about the environment

❖ Risk assessment:

In order to assess an entity's risk assessment process, the auditor needs to understand that the organization has its own process like:

- Identify business risks related to financial statements

- Estimate the magnitude of the risks

- Evaluate the likelihood of a risk occurring

- Identify actions to address those risks” (VSA 315.15)

❖ IT system

Auditors need to learn about the information system designed and operated

in the unit and how information is communicated related to the accounting system that affects the preparation and presentation of financial statements in order to assess possible risks that have material flaws

❖ Control activities

Control activities are procedures and policies aimed at achieving the goals directed by the Board of Directors Control activities performed in a manual or IT system environment are applied at organizational levels within an organization with different functions and diverse objectives Therefore, the auditor needs to learn about control activities that, according to the auditor's judgment, have an impact related to the audit in order to evaluate the ROMM and evaluate the effectiveness of such control activities

❖ Monitoring

Monitoring control activities at the unit is of a regular nature and associated with daily-repeated activities at the unit such as construction management and supervision, etc…This is the process to evaluate the effectiveness of control activities in the entity and establish timely risk remediation measures at the unit

CHAPTER 2: AUDIT PROCESS OF RISK ASSESSMENT

AT EY – ILLUSTRATION AT CLIENT ABC

At EY, the audit process is designed quite rigorously and methodically, using

top-down risk assessment methods Auditors will first begin to consider the required scope and objectives of the audit, through communication with the Board

of Directors and the Board of Directors

At the audit planning stage, auditors need to collect information to have an understanding of the unit's environment about the economy, industry trends, and characteristics including internal control systems through evaluation procedures

The auditor will analyze and judge the risks to predict the possible risks of material misstatement From there, auditors can build an effective and effective planning criticality estimate

In addition, understanding the environment of the entity will help auditors identify business risks that the entity may face, which can lead to actions to improve The operation results of the unit's Board of Directors made the financial statements have not contained material misstatements due to fraud Through these knowledge, the auditor will evaluate the factors that can cause misstatements on the financial statements, the key items with high risk of misstatements and cautiously pay attention

2.1 Introduction to EY

2.1.1 EY Global

Over nearly 30 years of operation, EY around the world has brought opportunities to work for 231,000 employees in more than 700 offices in 150 countries around the world EY is headquartered in London, England

EY divides the four main operating regions: EMEIA (Europe, Middle East, India and Africa), Americas (Americas), Asia-Pacific (Asia-Pacific) and Japan

2.1.2 EY Vietnam

EY has been present in Vietnam since 1992 and is also the first company

to provide auditing and consulting services 100% foreign investment with branches

in Vietnam In 2017, EY Vietnam has just celebrated its 25th anniversary

In Vietnam, EY has two representative offices in Hanoi and Ho Chi Minh City EY also expanded its operations to offices in Laos and Cambodia EY has a deep understanding of the Vietnamese market, has extensive international expertise and experience, and connects with more than 140 EY offices worldwide

2.1.3 Key services

Ernst & Young Vietnam is the leading professional service company in the world sectors such as auditing, taxation and consulting cover all business areas and are divided into three categories main divisions include: Audit service (AABS), Tax Consulting (TAX), international business consulting (TAS)

➢ Audit service (AABS)

Auditing is a key service in the company's business activities and is providing services the biggest source of revenue for EY With a commitment to providing quality audit services, along with that is to support the unit in solving difficult problems in practice from there business performance is high Audit services include:

▪ Auditing financial statements according to the law

▪ Review financial statements according to law

▪ Check financial information on the basis of agreement procedures

▪ Fraud investigation and dispute resolution services

▪ Risk advisory and security services in IT (ITRA)

➢ Tax consulting (TAX)

EY Vietnam provides a team of consultants with deep, focused tax knowledge in consulting and providing the best solutions for the unit in tax related matters in Vietnam such as:

▪ Tax services and consulting in the business sector

▪ Human Resource Management and Support Services

▪ International tax consulting service

▪ Tax advisory service for mergers and restructuring transactions

➢ International business consulting (TAS)

EY's consulting department specializes in providing consulting services related to

the financial sector trade for entities that are primarily foreign-invested entities

TAS at EY specializes in providing the following key services:

▪ Supports financial transactions

▪ Valuation and business modeling

▪ Financial consulting services for projects, integration of real estate transactions and

The organizational structure is decentralized so every task is delegated to many employees The head of each department is responsible for its operation and between departments with mutual support and assistance

2.1.5 Mission, Vision & Values

Mission – “Building a better working world” The insights and quality services we

provide help build trust and confidence in the capital markets and in economies the world over EY develops outstanding leaders who team to deliver on promises to all of its stakeholders In so doing, they play a critical role in building a better working world for people, for clients and for communities

Vision – commit to providing quality professional service at the highest amount to

assist the unit in achieving its goals and at the same time successfully implementing the next individual and company development plans and make a positive contribution to the community

Values - respecting the quality of the service provided to the business, attach

importance to professional ethics as well as a commitment to building a professional working in professional environment, friendly place where everyone has the opportunity to share experiences and discuss professional issues

2.1.6 Achievements

The client portfolio of EY Vietnam has increased to thousand unit, which can be mentioned prominent names such as: Truong Hai Corporation, Vingroup, Dat Xanh Land, Vietnam Electricity, Hoang Anh Gia Lai Group, etc…

EY is in the "List of 100 best workplaces in Vietnam" by Fortune magazine announced in 2020

2.1.7 Audit process of FSs at Ernst & Young Vietnam (EY GAM)

EY GAM (EY Global Audit Methodology) is an applied audit program at

EY auditing firms globally EY GAM gives the auditors a basic foundation about the financial statements audit process, as well as helping auditors identify the necessary procedures must be done for an audit However, the EY GAM sample audit program is not written for the audit purposes of any particular entity When applying EY GAM in practice, the auditor needs to adjust to suit the characteristics

of the business they are auditing The knowledge foundations in EY GAM are compiled according to spirit of international audit standards set by senior auditors with many years of experience compiled out An audit process of financial statements according to EY GAM includes four steps as follows: the planning stage, identify and evaluate risks, design and implement audit procedures that are appropriate to counteract dealing with the assessed risks and finally making conclusions for the entity's FSs

❖ Planning stage

During the planning phase, the auditor will conduct a determination of the scope of that the expectations as well as the requirements of the audit In addition, the auditor will conduct set up an audit team consisting of professional auditors with professional knowledge with experts in areas such as tax or information technology to ensure the audit is optimally supported, providing customers with high quality audit services During this period, the auditor needs to determine the purpose of the audit through communication with the Board of Directors and members of the Board of Directors of the audit In addition, the auditor will have

to agree with the unit on the expectations of the customer that the audit may carry,

as well as the conditions for audit The auditor needs to achieve a comprehensive understanding of the characteristics, quality and business environment of the client,

as well as the determination of business risks related businesses can affect the operation of the business Through it, the auditors determine the scope of the audit

as the basis for determining the time, provide reasonable resources to ensure that

the audit takes place at the agreed time The auditor must establish the importance

on the basis of assessed risks, identify important items and important statements to

be published At the same time identify risks there are serious errors caused by fraud or confusion on the overall level of financial statement and the base level associated with key items on the financial statements, zoning out high-risk items that need to be centrally sourced

❖ Identify and evaluate risks

In order to be able to identify and assess the risks of critical errors on the financial statements, the auditor needs to achieve a certain understanding of the unit including characteristics, the nature of the business environment of client, and the business risks may affect the operation of the business In addition, the auditor will establish the important items on FSs Furthermore, the auditor will assess the ROMM due to fraud or error and risks associated with financial statements at the overall level Moreover, the auditor needs to identify and learn about key trading groups (SCOTs), the important information, the process of making and presenting financial statements as well as the impact of the IT to the financial statements of the unit, thereby assessing the ROMM on Combined Risk Assessments (CRA)

❖ Design and implement audit procedures dealing with the assessed risks

During this period, the auditor develope an audit strategy through the design of audit procedures to deal with identified ROMM Auditors determine the content and time and the level of control tests and basic tests intended by the auditor

to deal with the risks assessed Besides, the auditor performs special audit procedures for transactions with stakeholders, laws and other regulations may affect the unit, as well as determine whether the reasonability of the business s ongoing activities and legal issues related to the audited business Auditors perform audits when they have gained knowledge of critical services, the process of publishing important information, unit controls, and conducting control tests,

substantive testing and special audit procedures such as an audit plan The auditor

conducts an assessment of the results achieved and assess the combined risk

throughout the course of the audit to determine whether any changes are necessary

for the audit strategy in response to changes combined risk exchange has been

assessed

❖ Conclusions

The auditor completes the audit and informs the Board of Directors or manage the findings and important issues that arise at the audited unit Party in

addition, the auditor must ensure the collection of appropriate audit evidence to

provide reasonable assurance that the financial statements as a total of critical

errors caused by fraud or confusion During the audit process, when there is any

what information the auditor needs to quickly update and review the procedures

the audit has determined initially whether it is still appropriate and there are

appropriate changes in audit procedures

2.2 Risk assessment process at Ernst & Young Vietnam – Illustrate at ABC Company

2.2.1 Pre-planning phase

During this period, the auditor will conduct a preliminary risk assessment at

the client to come to a conclusion about whether to accept the audit for the client

or not Risk assessment during this period is usually performed by senior auditors

such as the lead auditor, audit managers or experienced audit team leaders

Auditors need to collect basic information about clients to serve a preliminary

risk assessment, determine the audit scope and client requirements, including:

- Type of business (joint stock company, private enterprise, limited liability

company or partnership);

- Areas of business of the enterprise include the business lines, the business environment, products, degree of competition in the industry, the main suppliers and clients of the business;

- Basic information about related parties (parent company, subsidiary company, joint venture, associate);

- The financial situation of the business, including total assets, liabilities, equity, total revenue, profit / loss, etc…

- The purpose of the audit is to serve whom (shareholders, investors, creditors, banks, tax authorities and other related parties);

- Related business risks that enterprises may face (general economic situation, new legal requirements and regulations may affect the operation of the business);

- Opinion of the previous auditor on the unit's financial statements

Senior auditors will conduct a preliminary risk assessment at the client based on the collected information to ensure:

- Client adoption is within the "Relevant" channel to protect the relationship with existing and new clients;

- Determine whether prospective (new) or existing clients for which the assessed contractual risk is high that the company should not establish or maintain relationships with potential or existing clients ;

- Performing audit services within the service framework provided by EY and not related to the prohibited services;

- Comply with all legal, regulatory and professional requirements, including compliance with the “EYG Independence Policy” and “Business Relationship and Maintaining Our Independence”;

- Classify the risk of participation and the audit as low, moderate or frequent monitoring;

- Whether or not additional audit procedures can be performed to manage risks related to potential or existing clients for which the risk of providing audit services

is not low

In addition to assessing the risks that may exist in the client, the auditor also considers issues such as the auditor's resources that EY has, expertise in the client's field, to be able to determine whether the client's audit acceptance will keep the level of audit risk at an acceptable level If the auditor determines that accepting the audit for a client is a high risk, even if the auditor may perform alternative audit procedures, the client rejection in this case is optional The auditor should always consider whether a client's acceptance may affect EY's reputation as well as its relationship with potential or existing clients

In reaching a conclusion about accepting or maintaining a relationship with

a client, in addition to the basic information to be collected above, the auditor should consider the following five factors:

- Manager's integrity, this is a factor in the entity's control environment and is especially important for small businesses whose business is not complicated For example, for an entity in which managers have integrity and are committed to ethical values, the risk of them deliberately making mistakes or cheating is reduced;

- The possible risks to EY such as damage to the reputation, the risk of facing lawsuits, or the financial impact from the audit for that client;

- The ability to provide audit services to a client includes determining whether the necessary resources are needed to perform and monitor the work (number of auditors, audit assistants or experts) ) In addition, the auditor should also consider issues of the auditor's experience and expertise related to the field of operation of the enterprise;

- Relevance between the audit fee and the level of risk involved;

- Long-term client relationships: Are audit appointments scheduled to repeat in the future? For example, one-time audit appointments in which a prospect only wants

to temporarily use EY's reputation should not be accepted

Refer to Appendix 2 - Questionnaire for a description of client knowledge and risks

Based on information gathered through client inquiries and questionnaires for the client's risk description, senior auditors will research and preliminary assess risks at the client to come to the final decision on whether to accept the client or not The auditor will preliminarily assess the client's risk on the following four levels: Low Risk, Moderate Risk, High - requires close supervision (Close - Monitoring) and very high - should not establish relationship with that client

❖ Objective: To find out the differences in content between the entities audited under

EY policy in the "UTB" and "ELC" forms

• "UTB 1.1a": Industry, legal framework and other external factors

- Overall industry or specific industry trend

- Competitive environment

- Company Information

- Supplier information

- Technology development

- Other external factors

- "LAW": The legal framework

• "UTB 1.1b": Unit characteristics

• "UTB 1.1d": Objectives, strategies and business risks

• "UTB 1.1e": Measuring and evaluating financial performance

• "UTB 1.1f": Components and changes in financial information

- "IT": The role of IT in the unit

- "ELC": Components of the internal control system

➢ Survey sample: The writer selected company in terms of fields, industries, ownership forms and characteristics of sizes as follows:

- Client: ABC company

- Sector: Real estates

- Industry: Building industrial area

- A form of equity ownership: partnership

- Listed/ Non listed: Non listed company

- Scale: Complex

2.2.2 Planning phase

After signing the audit contract with the client, the risk assessment continues during the planning phase During this period, the auditor will collect information for his or her understanding of the client and the client's environment

as a basis for the assessment of the ROMM Based on the assessed risk, the auditor will design audit procedures in a manner that is satisfied with the stated audit objectives

After each instruction about the information content that the auditor needs

to collect during the planning stage through the understanding of the unit and unit environment The writer has a sample of the information of a client that the writer has the opportunity to access