Årgang 18 | Nummer 54 | September 2013
effects on the achievement of the strategic objectives to an acceptable low level – a residual risk. In light of this definition, the outcome of a control process audit can be reformulated to: An assertion about the ability of a control process to reduce the risk of adverse effects on strategic objectives to an acceptable residual risk We will call this type of assurance engagement a process based engagement. In order for the ARM to make sense, we must adjust the way we define the elements of the audit: Process based engagement Outcome The control process reduces the risk of adverse effects on strategic objectives to an acceptable residual risk. Subject matter Criteria The control process The assessment of IR includes all significant risks of adverse effects on the strategic objectives in question. The control process is designed properly to reduce IR to the residual risk specified by management. The control process is operating effectively.
The significant differences to the output based engagement now become visible. Whereas the output based engagement is retrospective, the process based engagement is prospective – a strategic tool to manage risk going forward Because the process based engagement is prospective, DR (and AR) cannot be reduced by performing substantive procedures. Substantive procedures are applied on process output, which is not the subject matter of the audit in a process based engagement Whereas the criteria in the output based engagement exclusively pertain to the subject matter, the criteria in the process based engagement must be split between those that pertain to IR and those that pertain to the subject matter In the process based engagement, AR must be split between the criteria that pertain to the subject matter and the criteria that pertain to the assessment of IR In the output based engagement IR is defined as the risk that the audit subject matter does not comply with the criteria without consideration of internal control. In the process based engagement the subject matter cannot be used in the definition of IR because the subject matter is the control process itself. With these points being made, we are ready to formulate an ARM suitable to a process based engagement (see Figure 1). We now have two versions of the ARM. One applies to the output based engagement and one applies to the process based engagement.
Figure 1: ARM suitable to a process based engagement
AR (Audit risk) The risk that the auditor expresses an inappropriate audit opinion when: a) The assessment of inherent risk does not include all significant risks of adverse effects on the strategic objectives in question or b) the control process does not reduce the inherent risk to the accepted level of residual risk due to either the design or operating effectiveness.
=
IR (Inherent risk) The risk of strategic objectives relevant to the control process being subject to adverse effects without consideration of the mitigating effect of the control process
X
CR (Control risk) The risk that the inherent risk is not reduced to the accepted level of residual risk by means of the control process. .
Side 30 | Foreningen af Interne Revisorer