IIA INFO # 54 - September 2013 | Page 29

Volume 18 | Number 54 | September 2013

The auditor’s job, then, is to test whether the subject matter complies with the criteria in accordance with the outcome and offer a conclusion. The extent of the testing depends upon the level of IR and the desired level of assurance.

By identifying the core concepts we are equipped to adapt the ARM tentatively:

AR (Audit risk): The risk that the auditor expresses an inappropriate audit opinion when the audit subject matter does not comply with the criteria.
=
IR (Inherent risk): The risk that the audit subject matter does not comply with the criteria without consideration of internal control.
X
CR (Control risk): The risk that noncompliance of the subject matter with the criteria will not be prevented, detected and corrected on a timely basis by the entity’s internal control.
X
DR (Detection risk): The risk that the auditor will not detect noncompliance of the subject matter with the criteria.

We have stripped the term “financial statement” from the language. We have also removed the implicit criteria reference to reporting standards such as IFRS. Finally, we have removed the concept of materiality. What we have in fact done here is to insert general terms in the ARM for an assurance engagement of the same general type as the audit of a financial statement. This means that the tentative version of the ARM could be applied to any assurance engagement where the structure of the outcome is similar to the one in the audit of a financial statement.

Upon further inspection it does, however, become obvious that this version of the ARM is not suitable for all types of assurance engagements. For example, this would be the case where the outcome is an assertion about the effectiveness of a control process. In this case it would seem that the relationship between IR and CR becomes rather obscure. IR would be defined as “the risk of the control process not being effective without consideration of internal control” and CR would be defined as “the risk that the ineffectiveness of the control process would not be caught by… well itself”. And this obscurity does not even address the fact that DR, in essence, is meaningless, because there is no data upon which the substantive procedures can be applied when the subject matter is not a process output but the process itself.

The point is – while the tentative ARM might function for a certain type of assurance engagements

4. Categorization of assurance engagements

The first step of understanding why the tentative ARM did not apply to the audit of a control process is to understand what separates it from the type of assurance engagement it does apply to.