Audit risk Auditing standards require the auditor to obtain an understanding of the entity and its environment, including its internal control, to assess the ROMM in the client’s finan
THEORITICAL BACKGROUND OF AUDIT RISKS AND AUDIT RISK
What are audit risks? Differentiate from other types of risk
Auditing standards mandate that auditors gain a comprehensive understanding of the entity and its environment, including internal controls, to evaluate the risk of material misstatement (ROMM) in financial statements To mitigate audit risk, auditors may implement additional audit procedures, aiming to lower the risk to an acceptable level This reduction is crucial, as stakeholders depend on auditors' assurances when interpreting an organization’s financial statements.
According to paragraph 13 of VSA 200, audit risk refers to the possibility that an auditor's knowledge is insufficient when the audited financial statements have material misstatements This risk arises from various factors, including inherent risks, control risks, and detection risks Additionally, paragraph A33 clarifies that audit risk does not encompass the scenario where an auditor incorrectly claims that financial statements contain material misstatements when they do not.
Auditors may express an opinion indicating the presence of material misstatements in financial statements, even when such misstatements do not exist, though this risk is generally not severe This scenario primarily impacts the effectiveness of the audit, as auditors may need to conduct additional procedures to confirm the accuracy of the financial statements It's important to note that audit risk specifically refers to the potential inaccuracies in the audit process itself and does not encompass other business-related risks faced by auditors, such as legal liabilities, confidentiality breaches, or issues related to fee collection.
There are many reasons why auditors give inappropriate opinions while the audited financial statements still contain material misstatements, including:
- The audit of the financial statements only provides a reasonable level of assurance (a high level of assurance possible acceptable but not absolute)
- Unable to detect all misstatements at the unit due to the existence of fraudulent acts noncompliance or collusion among employees at the client is audited
The audit process is constrained by both time and fees, requiring auditors to find a balance between delivering quality service and managing costs By conducting audits within a reasonable timeframe and fee structure, auditors ensure that high-quality services are maintained without compromising on efficiency.
- Limited professional capacity of auditors and capacity in the field of operation client action
- Limitations in audit procedures that lead to the inability to detect all misstatements key at the client
- Due to the nature of financial statement preparation: accounting estimates, provisions, etc…
- The risk in sampling technique leads to the sample being selected not being representative of the population
Business risks refer to potential threats arising from various conditions, events, or actions that may hinder an organization’s ability to meet its goals and implement its strategies This includes risks stemming from the establishment of unsuitable objectives and strategies, as defined by ISA 315(2).
Audit risks should be directly linked to the risks associated with the financial statements, specifically addressing the financial statement assertions affected It is essential that these audit risks correspond to the relevant assertions to ensure a comprehensive evaluation.
ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment identifies the following assertions:
• Assertions about classes of transactions and events for the period under audit – occurrence completeness, accuracy, cut off and classification
• Assertions about account balances at the period end – existence, rights and obligations completeness, and valuation and allocation
• Assertions about presentation and disclosure – occurrence and rights and obligations, completeness, classification and understandability, and accuracy and valuation
Audit risk comprises two key elements: the risk of material misstatement and detection risk The risk of material misstatement refers to the possibility that financial statements contain significant inaccuracies before the audit process begins This risk is further divided into two components: inherent risk, which relates to the nature of the financial statements, and control risk, which pertains to the effectiveness of the internal controls in place.
Audit risk, as defined in paragraph 13 of VSA 200, refers to the possibility of an auditor issuing an incorrect opinion due to material misstatements in financial statements This risk is influenced by two key factors: the risk of material misstatement and detection risk, as outlined in ISA 200.
Inherent risk refers to the likelihood that a statement regarding a specific class of transactions, account balance, or disclosure may be materially misstated, either on its own or when combined with other misstatements, without taking into account any associated controls.
Inherent risk refers to the potential for material misstatement in a group of transactions, account balance, or disclosures, either individually or collectively, before considering any relevant controls, as defined in paragraph 13 of the VSA 200 This type of risk is inherent in the financial statements and exists regardless of the effectiveness of internal controls It is a critical consideration in the audit process, as it helps auditors identify areas where material misstatements are more likely to occur By understanding inherent risk, auditors can design more effective audit procedures to mitigate this risk and ensure the accuracy of financial statements.
Certain assertions in financial statements carry a higher inherent risk compared to others, with the degree of risk varying based on the business performance of each enterprise.
Effective inventory management is crucial for food processing businesses, as inadequate stock maintenance can lead to significant risks Proper provisioning for inventories is essential to avoid operational disruptions and ensure a steady supply of products.
➔Therefore, data processing establishments assessing inventories of food processing enterprises have very high inherent risks
External factors like the business environment, competition, operational field, and cultural legal aspects significantly influence an entity's inherent risks For instance, a joint stock company in a high-risk, competitive sector may overstate revenue to attract investment and maintain its stock exchange listing, leading to a high potential risk in revenue assertion Additionally, internal factors such as the integrity of the board of directors, their professional capabilities, and management styles also contribute to inherent risks If board performance is tied to sales outcomes, there is a risk of revenue overstatement to meet salary or bonus targets.
Control risk evaluates the auditor's judgment regarding the likelihood of a significant misstatement occurring in an assertion, which may not be identified or mitigated promptly by the client's internal control systems.
While an effective internal control system significantly mitigates risks, it cannot entirely eliminate them Control risks will always exist within an organization; however, a robust internal control framework can lower the likelihood and impact of these risks, thereby enhancing overall risk management.
Risk assessment process
1.2.1 Risk assessment in each stage of the financial statements audit
- Consider accepting or rejecting new clients, maintaining or terminating relationships with existing clients;
- The risk assessment also helps the auditor to calculate the completed workload as a basis for the reasonable allocation of resources, time for the audit and calculation of audit fees
- Limiting the scope of work to the extent necessary to both save time and ensure the quality of the audit at a reasonable fee;
- Zoning out high-risk items, need to focus resources and have appropriate audit procedures to satisfy audit objectives
- The risk assessment in previous stages is the basis for conducting audit procedures in accordance with identified focus;
During this phase, ongoing risk assessment is crucial to identify any events that may elevate risks compared to the initial evaluation An increase in audit risk necessitates adjustments to the audit procedures' content, schedule, and scope to ensure that material misstatements are adequately addressed.
- Support for auditing work in the following years
Completion phase of the audit
- As a basis for reviewing audit records, evaluating the completeness of audit evidence and work performed, thereby ensuring the quality of the audit
Risk assessment is a crucial and mandatory step in the audit of financial statements, as outlined in both Vietnamese and international audit standards Auditors are required to carry out this process during their audit procedures to ensure compliance and accuracy.
1.2.2 Risk assessment in planning stage of the financial statements audit
In the planning stage, auditors must gain a comprehensive understanding of the unit and its business environment to effectively evaluate and analyze its events, operations, and practices, as these factors can significantly impact the financial statements.
To gather assessment information, auditors utilize various data sources, including statistics from the Ministry of Finance, the official website of the unit, industry analysis reports, economic structures, and relevant regulations.
The main contents, auditors need to have understanding of the unit and unit environment include:
- General understanding of the economic situation
- The understanding of the environment and the field of operation
- The understanding of the intrinsic factors of the entity being audited
1.2.2.1 General understanding of the economic situation
Auditors must stay informed about the current economic landscape, including factors such as inflation volatility, GDP, currency value, foreign exchange rates, and industry structure Utilizing resources like the Ministry of Finance's statistics website and financial analysis platforms is essential for this purpose A thorough understanding of these elements is crucial, as they significantly influence both the current and future performance of an organization This knowledge enables auditors to explain changes in business activities and identify the underlying reasons for specific challenges within the entity.
1.2.2.2 Understanding of the environment and the field of operation
Learning about the environment and the field of operation will help auditors a lot in identifying business risks that can affect the operations and industries of the unit
- Requirements for legal frameworks: including legal and regulatory environment related to the business industry
- Accounting system is applying and practices for the entity's profession
- Legal and regulatory stereotypes significantly affect an entity's business, including direct oversight activities
- Tax regulations include unit income tax, personal income tax and other taxes
Each industry, business field has its own characteristics in each period, each market with different development trends and is affected by the competitive market such as:
- The progressive change of technology, high technology
❖ Business goals, strategies and risks
Auditors will assess business risks through learning about single goals and strategies to identify possible ROMM Auditors need to learn contents such as:
- Industry development: for example, an entity that is unable to adapt to a change in industry, lack of resources and expertise
- New product or service: obligations the unit may incur in the future, liability for the product increases, reputation affected
- Expanding the scope of business: estimating the market demand incorrectly
Identifying ineffective development strategies, unmet market objectives, or flaws in products and services is crucial for maintaining an entity's reputation and fulfilling its responsibilities Auditors with a strong grasp of business risks play a vital role in detecting risks of material misstatement (ROMM), as these risks can significantly affect financial outcomes and the accuracy of financial statements However, it is important to note that auditors do not need to assess every business risk, as not all of them result in ROMM.
1.2.2.3 Understanding of the intrinsic values of the entity being audited
Auditors must recognize the unique characteristics of each business unit, focusing on critical aspects such as business activities, ownership and governance structures, investment initiatives, sponsorship activities, and the preparation and presentation of financial statements Understanding these elements is essential for a thorough audit process.
Gaining a comprehensive understanding of the unit's characteristics enables the auditor to identify the risk of material misstatement (ROMM) in the financial statements and assess the associated internal control risks effectively.
❖ Selection and application of accounting policies
Auditors familiarize themselves with the accounting policies utilized within their units, which encompass the chosen principles and practices for the preparation and presentation of financial statements Typically, these units adhere to current accounting standards To effectively identify the risk of material misstatement (ROMM) in the financial statements, auditors must take into account several key considerations.
- Accounting policies apply to important transactions, major operations and unusual transactions, for example, the method of applying inventory price calculation
- Changes in new accounting books
- The specific accounting policies of the entity
❖ Measure and evaluate the performance of the unit
Business performance is assessed by evaluating the achievement of goals set by the Board of Directors, influenced by both internal and external pressures These pressures, which include performance monitoring and financial assessments, can compel the Board to take actions aimed at improving business outcomes For instance, when shareholders expect a 9% annual growth in market share amidst economic challenges, it can lead the Board to face increased pressure, potentially resulting in the manipulation of financial statements to satisfy shareholder expectations.
❖ Understand the internal control system
During the audit planning phase, the auditor's team prioritizes understanding the entity's internal control system They gather information pertinent to the internal controls related to the audit and assess the effectiveness of these components The auditor evaluates the impact of the internal control system on the unit and examines whether the designed control procedures are being implemented effectively.
While an internal control system is crucial for managing risks, it cannot completely eliminate all potential threats to an organization's objectives Inherent limitations, such as human error, poor decision-making, flawed accounting designs, misunderstandings of goals, and possible fraudulent activities, can compromise its effectiveness Consequently, control risks remain a persistent challenge within any unit.
1.2.2.4 Understand the internal control system
The control risk assessment starts with evaluating the control environment, as a weak control environment can undermine the internal control system Even robust individual control procedures cannot offset the deficiencies of a weak control environment, making its assessment a crucial aspect that relies on professional judgment.
After evaluating the control environment, auditors must assess the design effectiveness of control procedures to determine their capability to prevent or rectify material failures, either individually or in conjunction with other controls Proper design is crucial; if a control is inadequately designed, its implementation is futile Therefore, it is essential to scrutinize the design of each control, as any inadequately designed control that fails to prevent, detect, or correct defects represents a significant weakness in the entity's internal control system.
An essential aspect of the internal control system is the quality assessment of its components by auditors They must evaluate the contributing factors, ensure their effective operation, and draw overall conclusions about the control environment.
In order to assess an entity's risk assessment process, the auditor needs to understand that the organization has its own process like:
- Identify business risks related to financial statements
- Estimate the magnitude of the risks
- Evaluate the likelihood of a risk occurring
- Identify actions to address those risks” (VSA 315.15)
AUDIT PROCESS OF RISK ASSESSMENT AT EY – ILLUSTRATION AT
Introduction to EY
With nearly three decades of experience, EY has created job opportunities for 231,000 employees across over 700 offices in 150 countries worldwide, with its headquarters located in London, England.
EY divides the four main operating regions: EMEIA (Europe, Middle East, India and Africa), Americas (Americas), Asia-Pacific (Asia-Pacific) and Japan
Since its establishment in Vietnam in 1992, EY has been a pioneer as the first fully foreign-owned company offering auditing and consulting services in the country In 2017, EY Vietnam proudly marked its 25th anniversary, reflecting its long-standing commitment to the Vietnamese market.
EY operates two representative offices in Vietnam, located in Hanoi and Ho Chi Minh City, and has extended its reach to Laos and Cambodia With a profound understanding of the Vietnamese market and extensive international experience, EY connects with over 140 offices globally, enhancing its ability to serve clients effectively.
Ernst & Young Vietnam stands as a premier professional services firm, excelling in auditing, taxation, and consulting across diverse business sectors The company is structured into three main divisions: Audit Services (AABS), Tax Consulting (TAX), and International Business Consulting (TAS), ensuring comprehensive support for all business needs.
Auditing plays a crucial role in EY's business operations, serving as a primary revenue source The firm is dedicated to delivering high-quality audit services while assisting clients in addressing complex challenges, ultimately enhancing their business performance The range of audit services offered by EY is extensive and tailored to meet diverse client needs.
▪ Auditing financial statements according to the law
▪ Review financial statements according to law
▪ Check financial information on the basis of agreement procedures
▪ Fraud investigation and dispute resolution services
▪ Risk advisory and security services in IT (ITRA)
EY Vietnam provides a team of consultants with deep, focused tax knowledge in consulting and providing the best solutions for the unit in tax related matters in Vietnam such as:
▪ Tax services and consulting in the business sector
▪ Human Resource Management and Support Services
▪ Tax advisory service for mergers and restructuring transactions
EY's consulting department specializes in providing consulting services related to the financial sector trade for entities that are primarily foreign-invested entities
TAS at EY specializes in providing the following key services:
▪ Financial consulting services for projects, integration of real estate transactions and transactions
▪ Support for unit restructuring or consulting mergers and acquisitions
Diagram 2.1 EY’s organizational structure of management
AABS TAX TAS ITRA ADMIN
The organizational structure is decentralized, allowing for task delegation among numerous employees Each department head is accountable for their operations while fostering collaboration and support between departments.
At EY, our mission is to "build a better working world" by delivering valuable insights and high-quality services that foster trust and confidence in global capital markets and economies We cultivate exceptional leaders who collaborate to fulfill commitments to all stakeholders, thereby playing a vital role in enhancing the working environment for individuals, clients, and communities alike.
Our vision is to deliver exceptional professional services that support our unit in reaching its objectives while effectively executing individual and corporate development plans, ultimately making a positive impact on the community.
We prioritize the quality of service delivered to our clients, emphasizing the importance of professional ethics Our commitment lies in fostering a professional and friendly work environment, where everyone is encouraged to share experiences and engage in discussions about professional matters.
EY Vietnam's client portfolio has expanded to over a thousand units, featuring notable companies such as Truong Hai Corporation, Vingroup, Dat Xanh Land, Vietnam Electricity, and Hoang Anh Gia Lai Group.
EY is in the "List of 100 best workplaces in Vietnam" by Fortune magazine announced in 2020
2.1.7 Audit process of FSs at Ernst & Young Vietnam (EY GAM)
EY GAM (EY Global Audit Methodology) is an applied audit program at
EY Global Auditing Methodology (GAM) provides auditors with a foundational understanding of the financial statement audit process and outlines essential procedures for conducting audits While the EY GAM sample audit program is not tailored for specific entities, auditors must adapt it to fit the unique characteristics of the businesses they are auditing The methodology is developed in alignment with international audit standards by experienced senior auditors The audit process, as per EY GAM, comprises four key steps: planning, risk identification and evaluation, designing and implementing appropriate audit procedures to address assessed risks, and drawing conclusions regarding the entity's financial statements.
During the planning phase, auditors define the audit's scope, expectations, and requirements while assembling a team of skilled professionals, including experts in tax and information technology, to ensure high-quality audit services Effective communication with the Board of Directors is essential to clarify the audit's purpose and align with client expectations Auditors must gain a thorough understanding of the client's business environment, quality, and associated risks that could impact operations This understanding helps establish the audit scope, determine timelines, and allocate necessary resources Additionally, auditors prioritize assessed risks, identify significant financial statement items, and pinpoint areas susceptible to fraud or errors, focusing on high-risk elements that require detailed examination.
To effectively identify and evaluate the risks of significant errors in financial statements, auditors must gain a comprehensive understanding of the client's characteristics, business environment, and associated operational risks This includes determining key components of the financial statements and assessing the risk of material misstatement (ROMM) due to fraud or error at an overall level Additionally, auditors should familiarize themselves with key trading groups (SCOTs), crucial information, and the processes involved in preparing and presenting financial statements, as well as the influence of information technology on these statements This thorough assessment contributes to the overall Combined Risk Assessments (CRA).
❖ Design and implement audit procedures dealing with the assessed risks
During the audit process, auditors develop a comprehensive audit strategy by designing procedures to address identified risks of material misstatement (ROMM) They assess the timing and extent of control tests and substantive tests necessary to mitigate these risks Additionally, auditors conduct specialized procedures for transactions involving stakeholders and evaluate compliance with relevant laws and regulations, ensuring the ongoing viability of the business and addressing any legal concerns As auditors gain insights into critical services, information dissemination processes, and internal controls, they perform control tests, substantive testing, and create an audit plan Throughout the audit, they assess the results and combined risks, making necessary adjustments to the audit strategy in response to any changes in risk levels.
The auditor finalizes the audit and communicates key findings and significant issues to the Board of Directors or management of the audited unit Additionally, the auditor must gather sufficient evidence to ensure that the financial statements are free from critical errors due to fraud or misinterpretation Throughout the audit process, the auditor should promptly update and reassess the initial audit procedures to confirm their continued relevance and make necessary adjustments.
Risk assessment process at Ernst & Young Vietnam – Illustrate at ABC Company
During the preliminary phase of the audit, senior auditors, including lead auditors and audit managers, will perform a risk assessment to determine the feasibility of accepting the audit engagement for the client.
Auditors need to collect basic information about clients to serve a preliminary risk assessment, determine the audit scope and client requirements, including:
- Type of business (joint stock company, private enterprise, limited liability company or partnership);
- Areas of business of the enterprise include the business lines, the business environment, products, degree of competition in the industry, the main suppliers and clients of the business;
- Basic information about related parties (parent company, subsidiary company, joint venture, associate);
- The financial situation of the business, including total assets, liabilities, equity, total revenue, profit / loss, etc…
- The purpose of the audit is to serve whom (shareholders, investors, creditors, banks, tax authorities and other related parties);
- Related business risks that enterprises may face (general economic situation, new legal requirements and regulations may affect the operation of the business);
- Opinion of the previous auditor on the unit's financial statements
Senior auditors will conduct a preliminary risk assessment at the client based on the collected information to ensure:
- Client adoption is within the "Relevant" channel to protect the relationship with existing and new clients;
- Determine whether prospective (new) or existing clients for which the assessed contractual risk is high that the company should not establish or maintain relationships with potential or existing clients ;
- Performing audit services within the service framework provided by EY and not related to the prohibited services;
- Comply with all legal, regulatory and professional requirements, including compliance with the “EYG Independence Policy” and “Business Relationship and Maintaining Our Independence”;
- Classify the risk of participation and the audit as low, moderate or frequent monitoring;
- Whether or not additional audit procedures can be performed to manage risks related to potential or existing clients for which the risk of providing audit services is not low
When evaluating a client's audit acceptance, auditors must assess potential risks, available resources, and expertise within the client's industry to ensure that audit risk remains manageable If a client poses a high risk, the auditor has the option to decline the audit, despite the possibility of implementing alternative procedures Additionally, auditors must consider how accepting a client could impact EY's reputation and its relationships with both current and prospective clients.
In reaching a conclusion about accepting or maintaining a relationship with a client, in addition to the basic information to be collected above, the auditor should consider the following five factors:
The integrity of managers plays a crucial role in shaping the control environment of an organization, particularly in small businesses with simpler operations When managers uphold ethical values and demonstrate integrity, the likelihood of intentional errors or dishonest practices diminishes significantly, fostering a more trustworthy and reliable business environment.
- The possible risks to EY such as damage to the reputation, the risk of facing lawsuits, or the financial impact from the audit for that client;
To effectively deliver audit services, it is crucial to assess the necessary resources, including the appropriate number of auditors, assistants, and specialists Additionally, auditors must evaluate their own experience and expertise in relation to the specific industry of the client’s operations.
- Relevance between the audit fee and the level of risk involved;
Establishing long-term client relationships is essential for sustainable business growth It is important to schedule audit appointments that are intended to recur in the future Accepting one-time audit engagements solely for the purpose of leveraging EY's reputation should be avoided, as these do not contribute to lasting partnerships.
Refer to Appendix 2 - Questionnaire for a description of client knowledge and risks
Senior auditors conduct thorough research and preliminary assessments of client risks based on inquiries and questionnaires They evaluate the client's risk on four levels: Low Risk, Moderate Risk, High Risk requiring close monitoring, and Very High Risk, which indicates that a relationship with the client should not be established This assessment is crucial in determining whether to accept the client.
❖ Objective: To find out the differences in content between the entities audited under
EY policy in the "UTB" and "ELC" forms
• "UTB 1.1a": Industry, legal framework and other external factors
- Overall industry or specific industry trend
• "UTB 1.1d": Objectives, strategies and business risks
• "UTB 1.1e": Measuring and evaluating financial performance
• "UTB 1.1f": Components and changes in financial information
- "IT": The role of IT in the unit
- "ELC": Components of the internal control system
➢ Survey sample: The writer selected company in terms of fields, industries, ownership forms and characteristics of sizes as follows:
- A form of equity ownership: partnership
- Listed/ Non listed: Non listed company
Following the signing of the audit contract, the risk assessment process persists into the planning phase, where the auditor gathers essential information to understand the client and their environment This understanding serves as a foundation for assessing the risk of material misstatement (ROMM) Based on this risk assessment, the auditor will tailor audit procedures to effectively meet the defined audit objectives.
During the planning stage of an audit, it is crucial for auditors to gather pertinent information about the unit and its environment This process involves understanding the client's operations and context thoroughly The writer provides a sample of client information that illustrates the type of data auditors should collect to enhance their understanding and ensure a comprehensive audit approach.
Refer to appendix II - company A: Form to learn about client profile unit
The "UTB - Understanding the Business" framework, detailed in Appendix IV, focuses on learning about internal control systems at the entity level This approach highlights the key information maintained in the records at Ernst & Young, emphasizing the importance of robust internal controls for effective business management.
Its principal activities are to lease industrial real estate in industrial zone
A, build factories for resale and lease and provide other utilities in DongNai province The client is audited the next year, so the basic information related to the internal control system about the client's internal policy and regulations may not pay much attention to the auditor if there is no change in the audit year Auditors consider learning on two main contents:
In the context of "UTB," auditors' leaders exhibit varying interpretations influenced by their backgrounds in different fields or industries These discrepancies arise not only from the specific objectives of the audit but also from the diverse characteristics, sizes, and formats of the units being assessed Consequently, these factors contribute to differing judgments regarding the focus on information exploitation and the identification of Risks of Material Misstatement (ROMM).
Auditors typically gather information on internal control systems in "ELC" by reviewing various documents, including regulations, information documents, business registration licenses, and meeting minutes from the Board of Directors To understand the overall internal control systems, they primarily rely on direct observation and interviews with the Board of Directors, chief accountants, and internal auditors.
2.2.2.1 General understanding of the unit and its environment
Understanding the entity and its environment is crucial for auditors to develop and implement an effective audit plan By gaining comprehensive knowledge of the client and their surroundings, auditors can better assess potential risks that may lead to material misstatements in financial statements This understanding also aids in identifying business risks that the entity may encounter, enabling the Board of Directors to take necessary actions to enhance performance and mitigate the risk of fraud-related misstatements Consequently, auditors can evaluate factors contributing to financial statement inaccuracies, pinpoint high-risk items, and adopt appropriate measures to maintain an acceptable low level of audit risk.
"UTB 1.1a": Industry, legal framework and other external factors
External factors can significantly influence an entity, presenting both positive and negative impacts that auditors must evaluate to identify business and inherent risks These considerations serve as a foundation for assessing the risk of material misstatement (ROMM) Auditors should carefully examine these issues to ensure a comprehensive risk assessment.
Understanding economic indicators like GDP, inflation rate, and unemployment rate is crucial for assessing industry trends and fluctuations These factors significantly impact the financial health of a business, influencing its performance and outcomes Consequently, organizations must navigate the objective effects of these economic conditions, which can lead to various associated risks.
COMMENTS AND RECOMMENDATIONS
Comment on the audit risk assessment process during the planning phase at Ernst &
- EY applies the guiding policy for EY GAM implementation in compliance with VSA 315:
The EY GAM database system provides comprehensive guidance for the ROMM evaluation process, focusing on both the unit and its environment Built on the principles of ISA 315, EY GAM ensures compliance with the requirements set forth by VSA 315.
EY provides detailed guidelines, including examples and clear instructions, that enable auditors to easily access and comprehend the required evaluation procedures This clarity allows auditors to make objective assessments and identify items that may contain material misstatements.
During the planning phase, auditors must conduct risk assessment procedures in line with VSA 315 and ISA 315, which outline strategies for identifying various risk types, including potential rot, business risk, and control risk This understanding, combined with the auditor's professional judgment, enables an effective evaluation of the Risk of Material Misstatement (ROMM) At EY, a structured division of labor exists among team members, from audit team leaders to auditors and owners, to facilitate a thorough assessment of ROMM Collaborative discussions further enhance the development of an appropriate audit strategy while ensuring that inherent risks are acknowledged and addressed.
During the planning phase of the EY GAM evaluation procedure for ROMM, the focus is on gathering insights into economic trends and the business environment to better assess risks EY emphasizes understanding both internal and external factors impacting the business while closely examining the internal control system and its components The assessment procedures are tailored based on the complexity and size of the units being audited, ensuring that appropriate audit evidence is gathered while minimizing costs If auditors identify no material defects in the internal control system that could impact the financial statements, they must inform senior auditors to accurately evaluate risks and implement effective risk response measures.
The ROMM audit procedure during the planning phase at EY Vietnam differs from VSA 315, as EY employs a structured approach to risk assessment that begins with a comprehensive understanding of inherent risks, followed by an evaluation of control risks, ultimately leading to a combined risk assessment (CRA) In contrast, VSA 315 requires auditors to evaluate inherent and control risks simultaneously, recognizing that these risks are often interconnected and cannot be easily separated.
- Detail guidance for risk assessment procedures in the audit planning stage at EY
EY implements a structured system of guidelines to comprehend the unit and its environment, including internal control systems, for effective risk assessment and documentation This approach enables auditors to efficiently understand the unit by referencing evaluated procedures from previous periods or by collaborating with units that share similar professional characteristics.
The auditor can swiftly enhance their knowledge and insights through the evaluation process, gaining valuable information about environmental and unit characteristics across various industry segments This understanding provides a solid foundation for in-depth analysis relevant to the specific traits of each unit Consequently, EY effectively monitors the implementation of auditing procedures, ensuring that the quality and efficiency of audits are optimized Additionally, EY supports auditors at all levels in self-learning and gaining a comprehensive overview of their auditing units throughout the audit process.
The risk assessment procedure is crucial for identifying and evaluating rot risks during audits, requiring auditors to possess significant experience and professional judgment Often, auditors seek external advice from specialists like lawyers and appraisal experts Typically, this task is undertaken by seasoned auditors, including audit team leaders and senior auditors To effectively assess and make informed judgments about risks, auditors frequently conduct meetings with management and relevant experts to discuss previously identified risks, especially when anomalies, such as a sudden increase in sales during a recession, are observed.
Audit managers are tasked with comprehensively understanding the unit and its environment for large and complex audit clients, while the audit team leader will handle this responsibility for simpler or open applications Once the team has completed their knowledge acquisition and updates, they reconvene to discuss potential risks Ultimately, the stakeholder will approve the final assessment of critical error risk levels.
To ensure an effective risk assessment process for clients, the Company carefully evaluates the relationship between costs and benefits at each stage of the audit.
- Application of information technology and high technology
EY Vietnam, as a member of EY Global, utilizes the group's comprehensive audit methodologies, advanced working support facilities, and cutting-edge audit software, including EY Smart Sampling and SWOT analysis tools The company is committed to enhancing the skills of its technicians through regular training and development programs.
Auditors at EY are utilizing EY GAMx software to streamline risk assessment procedures for clients By simply annotating their insights and evaluating the provided criteria, auditors can leverage the software to automatically generate risk assessment results This innovative approach not only reduces the time spent on presenting reviews but also enhances the storage and security of client information.
EY Vietnam utilizes EY GAM in alignment with Vietnamese Auditing Standards, ensuring compliance with local laws and regulations The general audit program is continuously reviewed and updated to reflect changes in accounting, auditing, and taxation laws, as well as shifts in both the global and Vietnamese economies.
Currently, the new Canvas audit software used by the Company has provided great support to auditors in the risk assessment process In addition, EY has also invested and granted accounts so that the leader of the auditor team can easily improve their knowledge, update information on opportunities and challenges of risk management suitable for different industries of Their company units, KTV, log into the website: https://bmo.bmiresearch.com, this is the web to provide information on financial services of Fitch Group Its services include credit rankings and research, credit market data, analysis tools and risk services, and training and development programs It serves Companies in the Americas, Europe, the Middle East and Africa, Asia and Australia As a result, auditors can easily update financial information, analyze risks appropriately and accordingly corresponding to each unit profession that EY audits At the same time, the auditor can also compare the variation of information compared to the previous audit year through EY Canvas, recording the crazy evidence that was posted from the previous audit year In general, EY has access to utility technology software, which greatly assist in the audit of its members
While EY GAM provides clear and understandable instructions, there is currently a lack of tailored guidance for understanding the internal control system and assessing control risks across different industries This general approach poses challenges for auditors, particularly those who are new and lack experience in evaluating audit risks Survey results indicate that the existing documentation on internal control systems is too broad, lacking specific guidance that would enable auditors to effectively navigate and assess risks in their evaluations.
Recommendations
EY should provide comprehensive guidance while acknowledging the unique aspects of internal control systems across different units within the industry Given that many organizations operate within the same sector or scale, they frequently encounter similar internal control activities and risk factors.
Auditors need to record the reason as the basis for the selective judgment to record the information in "UTB", making it easy for everyone to access and cultivate experience
To enhance auditors' understanding of risk factors, it is essential to rotate audit team leaders among clients influenced by similar legal and market conditions This strategy not only fosters a deeper comprehension of the specific risks involved but also ensures that auditors gain diverse experiences by working with different companies over the years.
To alleviate work pressure for senior auditors, it is essential to allocate sufficient time for them to engage with clients, ensuring comprehensive information gathering for effective risk assessment.
In auditing client units within sensitive sectors, it is crucial for auditors to involve field experts during the risk identification and assessment process This collaboration aids auditors in recognizing external environmental influences and inherent risks specific to the sector, ensuring a thorough evaluation of potential vulnerabilities.
EY should implement training sessions focused on the ROMM assessment to foster an environment where auditors at all levels can enhance their skills and knowledge through mentorship from experienced colleagues These sharing sessions should include practical examples of ROMM assessment procedures, allowing auditors to express their opinions and judgments This collaborative approach will significantly aid each member in learning, exchanging ideas, and gaining a comprehensive understanding of risk assessment.
Senior auditors must thoroughly document their judgments and considerations regarding the entity and its environment during each audit This includes recording specific judgments related to inherent risks that commonly impact clients in their field Such documentation not only aids in the learning and development of other auditors but also enhances their experience through manuals and updates on platforms like Canvas, which recognize the insights of senior auditors.
Audit risk assessment is crucial at every stage of the audit process, as it helps minimize audit risk to an acceptable level while enhancing audit quality The introduction of a new electronic audit method in Vietnam has provided EY Vietnam with significant advantages, despite some existing limitations In today's dynamic and competitive audit market, utilizing software for audit planning and execution offers substantial benefits, improving efficiency and adding value for clients My three-month experience at Ernst & Young Vietnam allowed me to gain valuable practical insights, working in a professional environment, engaging with clients, and applying theoretical knowledge to real-world scenarios, while also learning to address challenges not typically covered in textbooks.
The EY GAM audit program, tailored for EY auditors and supported by advanced auditing software like Canvas and EY Sampling, offers a significant advantage for EY Vietnam compared to other audit firms Special thanks to Ms Vo Yen Nhi and the faculty of the Department of Accounting and Auditing at Ernst and Young Viet Co., Ltd for their invaluable guidance and expertise, which greatly assisted the writer in completing this report.
1 ACCA’s Study text Paper F8 – Audit and Assurance Learning MEDIA
2 YY GAMx – Ernst & Young Global Audit Methodology [internal]
4 EY Guidebook, Internship Training Program
1 EY Atlas - https://eync-live-app.atlas.ey.com/#home?pref 052/9/1007 [internal]
2 EY CANVAS https://eycanvas.ey.net/pages/landingpage/landingpage.html [internal]
AUDITOR PROCEDURES TO BE FOLLOWED WHEN
WHEN UNDERSTANDING INTERNAL CONTROL SYSTEMS
Control activities of the business Audit procedure
Business has a specific ethics policy for its employees and is implemented by employees
Collect documents related to the company's ethical policy, employee working style
Enterprises conduct periodic staff reviews and assessments
Research and review the evaluation records of the department head, team leader for staff members of the departments
There is a clear division of duties between departments
Collect documents on the organizational structure of the business
Enterprises regularly review and update procedures and policies to suit their current situation
Review of how often procedures and policies change, assessing whether they are in compliance with existing regulatory standards
The company is known for its high esteem and its registered identity has been affected by the changes in the internal and external conditions
Review reports, meeting minutes of BOM, BOD related to the risk assessment
The accounting department of the client has updated changes in the financial statements template, changes in legal elements, accounting policies to match those changes
Update knowledge of guiding documents on standards, circulars and decisions, check the compliance of those documents with the company's application
Enterprises have specific targets and strategic plans established, announced and monitored the implementation
Collect documents on meeting minutes of the Board of Directors, the Board of Directors and the General Meeting of Shareholders
Enterprises update their budget estimates in accordance with changing conditions
Collect annual budget estimates and the latest forecasts
3 Control activities, information and communication
Enterprise has security systems to prevent outside intrusions as well as decentralized access
Observe the employee's card swipe, fingerprint scan, the computer's security system
The company has a policy that consistently applies to accountants
Review mid-year and end-of-year financial statements
Have policies and procedures to reasonably divide tasks and ensure safety for the property
Obtain information about the business cycle and which internal control procedures are performed
Board of Directors has built, carried out and supervised the implementation of both financial objectives such as budget, profit
Review the implementation of the enterprise's proposed goals against the achievements achieved through company reports
The enterprise's information system provides all necessary reports for the business so that the
Board of Directors can identify the changes and act in accordance with that change
Review of the monthly and quarterly corporate governance reports and detailed annotations related to the Board's response to material changes
The company carries out the full control of material and accounting data, and compares the book data against reality
Reviewing records of asset, equipment inventory, records of comparison between book data and actual period
Enterprises have compared the estimates with reality and conducted an investigation for significant misstatements
The Board of Directors (BOD) conducts monthly and quarterly review meetings, during which the minutes are collected and analyzed Additionally, reports on departmental supply usage are generated The Board Governance Department (BGD) promptly addresses any deficiencies in the control system identified by the independent auditor, ensuring necessary corrections are made in a timely manner.
The auditor reviews the report of the BOD about the rectification of the deficiencies of the control system given by the auditor in the previous year