Audit risk consists of three components and includes intracompany risk, control risk and detection risk. When assessing risks, auditors can apply many different gradations or use quantitative indicators (percentages or fractions of a unit).

On-farm risk(inherent, internal, pure) is the probability of the existence of an error exceeding the acceptable value before testing the internal control system. It reflects the degree of exposure to significant account irregularities accounting, balance sheet items, groups of the same type business transactions and reporting in general, provided that the audit client does not have appropriate internal controls.

Intracompany risk is assessed on the basis of the auditor’s professional judgment about the integrity of the audit client’s management, his experience and knowledge; the presence of circumstances putting pressure on management; the nature of the audit client’s business and its industry characteristics; motives for the audit client's behavior; results of the previous audit; professionalism of accounting personnel; account balances and amounts by reporting items; the number and composition of the audit client’s transactions.

As a rule, auditors set intra-company risk under the most favorable conditions at a level significantly higher than 50%, and if there are objective grounds for expecting significant misstatements, then at a level of 100%.

Controls Risk (control risk, control risk, internal control system risk) is the probability that an existing error exceeding an acceptable value will be neither prevented nor detected in the internal control system. This type of risk determines the reliability and efficiency of the accounting system and internal control of the audit client. It is inversely proportional to the risk of non-detection and directly proportional to the amount of evidence to be collected.

Before establishing the level of control risk, auditors should familiarize themselves with the client's internal control system and evaluate its operation, as well as test for effectiveness the control points, the structure of which forms the internal control system. In this case, tests of controls are performed to obtain audit evidence regarding the effectiveness of the structure of the accounting system and the internal control system, i.e. determining how well they are organized in terms of preventing (detection) and correcting material misstatements, as well as the performance of internal controls during the period under review.

When analyzing the test results, the auditor must take into account that some controls may be effective in general, but ineffective during certain periods of the audited organization’s activities (for example, in the case of replacing an accounting employee, seasonal nature of work). The more efficient the on-farm control system is, the lower the level of risk. However, if the auditor does not test controls, then he is required to establish a risk level of at least 100%.

Risk of non-detection- This is the probability that the audit procedures used and the evidence to be collected will not detect errors greater than an acceptable amount. This type of risk allows you to assess the effectiveness and quality of the auditor’s work and depends primarily on the qualifications of the auditor and his previous familiarity with the activities of the audit client.

To determine the acceptable detection risk and the nature, timing and extent of audit procedures, the auditor should consider preliminary assessment control risk and intra-business risk. Reducing the level of detection risk to an acceptably low level is achieved by increasing substantive audit procedures.

Between the risk of non-detection and the total level of intra-business risk and control risk there is Feedback. However, no matter how low the intra-business risk and control risk are assessed, the auditor must carry out substantive testing procedures. When determining their features, he should pay attention to the nature of the procedures and the types of sources of audit evidence, the timing of completion and the scope of the procedures.

Audit is a special independent form of control, which represents independent examination and analysis financial statements business entity in order to determine its reliability, completeness and compliance with current legislation and requirements for accounting and financial reporting.

The main purpose of the audit is Objective assessment completeness, reliability and accuracy of reporting assets, liabilities, own funds And financial results activities of the enterprise for a certain period, checking the compliance of the accounting policies adopted by the enterprise with current legislation and regulations.

An audit in general has an inherent risk of issuing an erroneous conclusion due to objective circumstances, which can be significantly reduced only by conducting an audit in volumes that are equal to or greater than the volumes of work previously carried out by the client’s accounting department.

Audit risk is the risk that the auditor takes on when giving an opinion on the complete reliability of external reporting data, while there may be errors and omissions that did not come to the attention of the auditor. Usually distinguish the following types risks.

1. Risk to the auditor's professional ability.

It is determined by a strict approach to the selection of the company being inspected, taking into account its reputation (decency, honesty of the company, the degree of risk of the transactions performed by this organization). When inspecting a company, an audit company first of all pays attention to its reputation. Thus, the audit of this company should not cause damage to the audit company and its clients.

2. Risk of client expectations (risk of not meeting the expectations of your client).

In cases where the client is not satisfied with the audit, he may subsequently refuse the services of this audit company.

3. Audit risk.

This type of risk lies in the likelihood that the auditor’s report may be incorrect for reasons: financial statements economic entity may contain undetected material errors and (or) distortions after confirming its accuracy, or admit that it contains material distortions when in fact there are no such distortions in the financial statements.

Let us consider in more detail the last type of risk - audit .

The essence of audit risk is that the auditor may make some errors in his work (by testing control points and other audit procedures) and draw incorrect conclusions when summing up the overall results.

From a practical point of view this type risks can be broken down into three components:

1) intra-economic risk;

2) control risk;

3) risk of non-detection.

The auditor is required to study these risks during the course of work, evaluate them and document the results of the assessment. When assessing risks, it is necessary to use at least three gradations: high risk, medium and low. Audit organizations may decide to apply in their activities more gradations in risk assessments than the three above, or about the use for risk assessment quantitative indicators(percent or fraction of a unit).

Acceptable audit risk is a subjectively determined level of risk that the auditor is willing to take on. If the auditor determines for himself a lower level of audit risk, this means that he seeks greater confidence that the financial statements do not contain material errors.

Zero risk – the auditor’s complete confidence that the financial statements do not contain significant errors. The auditor cannot guarantee the complete absence of significant errors. Most auditors believe that the amount of acceptable audit risk should not exceed 5%.

1. On-farm risk

Intra-business risk (pure or inherent risk) is understood as the probability, subjectively determined by the auditor, of the occurrence of significant misstatements in a given accounting account, balance sheet item, similar group of business transactions, or reporting of an economic entity as a whole, before such misstatements are detected by means of the internal control system or under the condition assumptions about the lack of such funds.

Intra-business risk characterizes the degree of exposure to significant violations of the accounting account, balance sheet item, same-type group of business transactions and reporting as a whole of the economic entity being audited.

This risk is largely determined by the specifics of the client and is determined by those internal characteristics, as well as external environmental conditions, which sometimes cannot be verified by means of internal control. Essentially this is the probability that economic system cannot constantly be on the optimal trajectory of its development.

When assessing intra-business risk in relation to the balance sheet and reporting, the auditor needs to take into account factors such as:

a) features of functioning and current economic situation the industry in which the economic entity operates;

b) specific features of the activities carried out by this economic entity;

c) the honesty of the personnel of the economic entity who carry out management and are responsible for maintaining records and preparing reports;

d) experience and qualifications of employees responsible for maintaining records and preparing reports;

e) the possibility of external pressure on the managers and personnel of an economic entity in order to achieve certain financial reporting indicators at any cost;

f) the possibility of control over the activities of the enterprise by its owners.

When assessing intra-company risk, the auditor can use audit data from previous years, but he must make sure that the estimates of the magnitude of this risk made in previous year, are also valid for the year being tested.

2. Control risk

Control risk (control risk) is understood as the probability, subjectively determined by the auditor, that the existing and regularly used means of the accounting system and internal control system at the enterprise will not promptly detect and correct violations that are significant individually or in the aggregate, and (or) prevent such violations from occurring.

The accounting and control system organized by any economic entity must be effective, but at the same time quite cheap. Consequently, initially there is a certain risk of failure to warn or detect errors or other significant inaccuracies in this system.

Control risk characterizes the degree of reliability of the accounting system and the internal control system of an economic entity, which are complementary categories:

a) high reliability corresponds to low risk;

b) average reliability corresponds to average risk;

c) low reliability corresponds to high risk.

During the audit, the auditor is obliged to study and evaluate the internal control system of the economic entity, the control environment and individual controls. This work must be carried out in three stages:

a) general familiarity with the internal control system;

b) initial assessment of the reliability of the internal control system;

c) confirmation of the reliability of the assessment of the reliability of the internal control system.

To assess control risk, special audit procedures called testing of controls are used to ensure that:

a) whether the accounting and internal control systems provided at the enterprise operate reliably and whether these systems are capable of effectively preventing the emergence of material misstatements in the financial statements and identifying them;

b) whether controls operate with the same effectiveness throughout the reporting period.

Testing of controls is performed in all cases except those where control risk is assessed as high. The more the auditor intends to rely on certain controls in preparing his opinion, the more carefully he should check their reliability and effectiveness.

The auditor should reflect the results of the control risk assessment in the overall audit plan, and clarifying assessments (if any) in working documentation by check.

3. Risk of non-detection

Detection risk refers to the probability, subjectively determined by the auditor, that the audit procedures used by the auditor during the audit will not detect actually existing violations that are significant individually or in the aggregate.

Assessing internal and control risks, as well as their impact on the likelihood of detecting material misstatements, can have a decisive impact on the scope of the audit and the level of detection risk.

Detection risk is an indicator of the effectiveness and quality of the auditor's work. It depends on the order of the specific audit, determining a representative sample, applying necessary and sufficient audit procedures, as well as factors such as the qualifications of auditors and the degree of their previous familiarity with the activities of the audited economic entity.

The auditor is obliged, based on an assessment of intra-business risk and the risk of controls, to determine the risk of non-detection acceptable in his work and, taking into account minimization of the risk of non-detection, plan appropriate audit procedures.

Unlike intra-business risk and control risk, the magnitude of which the auditor can only estimate, detection risk can be controlled by changing the nature, timing and scope of individual substantive tests.

Types of risks and ways to reduce them are discussed in the Rule (Standard) “Materiality and Audit Risk”.

In this Rule, auditor risk is defined as the probability that the audited financial statements may contain undetected material errors and (or) misstatements after confirming their accuracy or admit that they contain material misstatements when in fact there are no such distortions in the financial statements.

Audit risk consists of three components:

1) intra-economic risk;

2) control risk;

3) risk of non-detection.

The auditor is required to study these risks in the course of work, evaluate them and document the results of the assessment. When assessing risks, the auditor must use at least three of the following gradations:

1) high;

2) average;

3) low.

Auditing organizations may decide to use in their activities a greater number of gradations when assessing risks than the three above, or to use quantitative indicators (percentages or fractions of a unit) to assess risks.

When conducting an audit, the auditor must take the necessary measures to reduce audit risk to a reasonable minimum level.

Thus, risk in an audit can be defined as the likelihood that the auditor will make a mistake by forming an incorrect opinion about the reliability of the financial statements of an economic entity.

In practice, it is unrealistic to reduce audit risk to zero. However, the auditor should strive to minimize it and plan and conduct the audit in such a way that the risk of incorrect judgment is sufficiently small. In each specific case, the degree of minimization of audit risk largely depends on the degree of interest of external users in the financial statements of an economic entity. The wider the circle of potential users, the higher their interest in reporting, the more relevant it is for the auditor to minimize audit risk. It can be assumed that the reporting of economic entities with a large volume of financial and economic transactions is more in demand than the reporting industrial enterprises producing homogeneous products. Shareholders, owners and potential investors are more likely to be interested in public reporting joint stock companies than the reporting of closed joint stock companies and limited liability companies.

The study and analysis of risks is the subject of close attention of the auditor, since the nature and scale of the procedures performed directly depend on the assessment of the degree of risk. If the risk is assessed as high, then it is necessary to obtain more reliable audit evidence, conduct more thorough research, and plan larger data samples. The auditor may face justified claims regarding the quality of the work he has done and the reliability of the conclusions reached (in one case - from users of the audit, in the other - from an audited economic entity whose interests and reputation have been unfairly damaged). Disconfirmation reliable reporting primarily damages the reputation of an economic entity. A client concerned about such unfairness is likely to take proactive steps to discover the truth without waiting for the audit report to be issued.

INTRA-BUSINESS RISK

On-farm risk (pure risk)– the probability, subjectively determined by the auditor, of the appearance of significant distortions in a given accounting account, balance sheet item, similar group of business transactions, or reporting of an economic entity as a whole, before such distortions are detected by means of the internal control system or subject to the assumption of the absence of such means.

This risk characterizes the degree of exposure to significant violations of an accounting account, balance sheet item, a similar group of business transactions and reporting in general for the economic entity being audited.

The auditor must assess intra-business risk at the planning stage, using his professional judgment. When preparing the overall audit plan, the auditor must assess such risks in relation to individual balance sheet items and financial statements. When preparing the audit program, internal risks for accounting accounts and transactions, the balances and (or) turnovers of which exceed a given level of materiality, must be assessed.

When assessing intra-company risk in relation to the balance sheet and reporting, the auditor must take into account such factors:

1) features of the functioning and current economic situation of the industry in which the subject operates;

2) specific features of the activities carried out by this economic entity;

3) the honesty of the personnel of the economic entity who carry out management and are responsible for maintaining records and preparing reports;

4) experience and qualifications of employees responsible for maintaining records and preparing reports;

5) the possibility of external pressure on the managers and personnel of an economic entity in order to achieve certain financial reporting indicators at any cost;

6) the possibility of control over the activities of the enterprise by its owners.

When assessing intra-business risk in relation to specific accounting accounts and similar groups of business transactions, the auditor must take into account factors such as:

1) separate accounting accounts, which are characterized by the appearance of unintentional distortions in them;

2) separate accounting accounts, which are characterized by the appearance of deliberate distortions in them due to the high probability of their use for committing abuses;

3) the complexity of the business transactions being recorded, which requires highly qualified performers for their correct execution;

4) the presence of business transactions, accounting registration which may be based in whole or in part on the subjective opinion of the performers;

5) the presence of business transactions, the procedure for correct execution of which is ambiguously interpreted by current legislation;

6) the presence of rare, unusual, non-standard business transactions.

When assessing intra-business risk, the auditor can use audit data from previous years, but he must make sure that the assessments of the magnitude of this risk made in the previous year are also valid for the year being audited.

CONTROLS RISK

Control risk (control risk)– the probability, subjectively determined by the auditor, that the existing and regularly used means of the accounting system and internal control system at the enterprise will not promptly detect and correct violations that are significant individually or in the aggregate, and (or) prevent the occurrence of such violations.

Control risk characterizes the degree of reliability of the accounting system and internal control system of an economic entity.

To assess control risk, the auditor must use special audit procedures called tests of controls.

The purpose of testing controls is to convince the auditor of the following:

– whether the accounting and internal control systems provided at the enterprise operate reliably and whether these systems are capable of effectively preventing the emergence of material misstatements in the financial statements and identifying them;

– whether controls operate with the same effectiveness throughout the reporting period.

Testing of controls may include:

– checking documents reflecting financial and business transactions and, in connection with this, obtaining audit evidence that controls functioned properly;

– surveys and observation of transaction execution in order to obtain audit evidence of the functioning of controls in cases where it is impossible to obtain direct documentary evidence of this;

– using the results of other audit procedures to obtain information about the performance of controls.

When reviewing the results of tests of controls, the auditor must take into account that some controls may be effective overall but may not be effective at certain periods of time. This may be due to the following factors:

– short-term replacement of the accounting employee responsible for implementing this control due to vacation or illness;

– features of the work of the accounting department of an economic entity, reflecting seasonal periods of work of increased intensity;

– the appearance of errors that are isolated and random in nature.

The auditor is required to take these factors into account, analyze negative results from tests of controls and plan his procedures accordingly.

The auditor tests controls in all cases except when he assesses control risk to be high. The more the auditor intends to rely on certain controls in preparing his opinion, the more carefully he should check their reliability and effectiveness.

When assessing control risk, the auditor may use historical audit data, but must ensure that the prior year's assessments of that risk for the relevant controls are valid for the year being audited.

The auditor should reflect the results of the control risk assessment in the general audit plan, and clarifying assessments (if any) in the working documentation for the audit.

RISK OF NON-DETECTION

Risk of non-detection– the probability, subjectively determined by the auditor, that the audit procedures used during the audit will not detect actually existing violations that are significant individually or in aggregate.

The risk of non-detection is an indicator of the effectiveness and quality of the auditor’s work; it depends on the procedure for conducting a specific audit, as well as on factors such as the qualifications of auditors and the degree of their previous familiarity with the activities of the audited economic entity.

The auditor is obliged, based on an assessment of intra-business risk and control risk, to determine the risk of non-detection acceptable in his work and, taking into account the minimization of the risk of non-detection, to plan appropriate audit procedures.

There is an inverse relationship between the risk of non-detection and combinations of intra-company risk and the risk of control means:

1) high values ​​of intra-business risk and control risk oblige to organize the audit in such a way as to reduce, as far as possible, the magnitude of the risk of non-detection and thereby reduce the overall audit risk to an acceptable value;

2) low values ​​of intra-business risk and control risk allow the auditor to allow a higher risk of non-detection during the audit and at the same time obtain an acceptable value of the overall audit risk.

If the auditor needs to reduce the risk of non-detection, he must:

1) modify the applied procedures, providing for an increase in their number and (or) a change in their essence;

2) increase the time spent on verification;

3) increase sample sizes.

If the auditor concludes that he is unable to reduce the detection risk in relation to material balance sheet items or a similar group of business transactions to an acceptable level, this may serve as a basis for the auditor to prepare an audit report other than an unqualified positive one.

The auditor must assess risks beyond his control as early and as thoroughly as possible, since the risk of non-detection is directly related to the volume of work, the volume of work is related to cost, and cost is directly related to total cost audit. If the auditor and the client have agreed on a fixed cost for the audit, and high audit risks are identified after the relevant contract has been signed and the work has actually begun, the auditor risks suffering damages associated with an unplanned increase in the volume of work.

If the contract for an audit stipulates the expected cost of the work, then an increase in this cost by one and a half to two times is unlikely to cause understanding among the client, and the corresponding negotiations seriously complicate the life of the auditor.

Everything related to risk assessment, as well as related calculations, the motivation for their selection and changes must be documented. First, these working papers provide evidence that the audit was planned and carried out with the necessary care and quality. Secondly, summarizing and studying the data from the working documents will allow us to analyze whether the risks were correctly assessed and planned.

REQUIREMENTS FOR AUDIT EVIDENCE

Requirements for evidence and a set of issues related to methods for obtaining them are regulated by the Rule (Standard) “Audit Evidence”.

This Standard was intended to determine the requirements for audit evidence on the basis of which it is possible to form an informed opinion about the reliability of the financial statements of an economic entity.

The objectives of the Rule are:

1) determination of types of audit evidence;

2) listing sources of audit evidence;

3) description of methods for obtaining audit evidence.

Requirements of this Standard mandatory for all audit organizations when carrying out an audit that involves the preparation of an official audit report.

In case of deviation when performing a specific task from mandatory requirements of this Rule(Standard) audit organization must necessarily note this in its working documentation and in a written report to the management of the economic entity.

Responsibility for the reliability of financial statements lies with the executive body of the economic entity. The presence of an audit report drawn up in relation to the financial statements does not shift responsibility for its preparation to the auditor. However, this does not mean that the auditor is not responsible for anything. He is responsible for forming an objective opinion about the degree of reliability of the statements presented and drawing up an appropriate conclusion, which serves as a guide for users of financial statements and should warn them about existing or probable deviations in these statements.

Therefore, the auditor’s opinion on both the reliability and unreliability or insufficient degree of reliability of the financial statements should be based on the necessary and sufficient audit evidence collected during the audit. Each such evidence must serve as evidence of the accuracy of the financial statements as a whole or its components.

When collecting evidence, the auditor must focus on the need for its reliability and sufficiency. During the audit, the auditor must study such a volume of information that would allow him to draw reasonable conclusions. It is not possible to establish strict criteria to determine the amount of information required during an audit. Even if the economic entities whose accounting statements are subject to audit carry out the same financial and business operations, have the same number of accounting personnel and the same number of safes in which accounting documents are stored, this does not say anything about the quality and quantity of the required audit evidence. The sufficiency of audit evidence in each specific case is determined on the basis of an assessment of the internal control system and the level of audit risk of a given economic entity.

IN modern economy The terms “auditors”, “audit check”, “audit report” are often heard... This article explains the main points regarding auditing activities, talks about the structure and internal standards of the audit organization and its risks.

Audit activity: definitions, grounds for conducting, legal regulation

England is considered the historical birthplace of modern audit, where, starting in 1844, a series of laws on companies were issued that obliged boards joint stock companies At least once a year, invite a special person to check the accounting accounts and report to shareholders.

In our country, auditing activity appeared during perestroika. The first audit organization in Russia was the joint-stock company Inaudit, founded in the fall of 1987, and in 1989 Lenaudit and Bank Audit appeared. They were engaged in audits and providing consulting services on various issues of accounting, law and taxation.

First of all, the audit is carried out to confirm the reliability of the annual accounting (financial) statements.

Important!

On January 1, 2013, the Federal Law of December 6, 2011 No. 402-FZ “On Accounting” (hereinafter referred to as Federal Law No. 402-FZ) came into force; accordingly, the Federal Law of November 21, 1996 No. 129-FZ “On Accounting” accounting" (hereinafter referred to as Federal Law No. 129-FZ). An auditor's report on the reliability of accounting (financial) statements as one of the components of accounting (financial) statements is not provided for by Federal Law No. 402-FZ.

But the conduct of a mandatory annual audit is not regulated by regulations Federal Law No. 402-FZ, and other legislative acts, for example Art. 5 of Federal Law No. 307-FZ of December 30, 2008 (as amended on December 28, 2013) “On Auditing Activities” (hereinafter referred to as Federal Law No. 307-FZ).

According to Federal Law No. 307-FZ subject to mandatory audit:

• organizations that have the organizational and legal form of an open joint stock company;
• organizations, securities which are admitted to circulation at organized auctions;
• credit organizations;
• brokerage and investment companies who are professional participants in the securities market;
• insurance organizations;
• clearing organizations;
• non-state pension funds(NPF);
• organizations whose revenue from the sale of products (sale of goods, performance of work, provision of services) for the previous reporting year exceeds 400 million rubles;
• organizations that present and (or) publish summary (consolidated) accounting (financial) statements.

Except mandatory audit the organization can order proactive audit. Although the legislation of the Russian Federation currently does not contain the concept of “initiative audit”, it can nevertheless be carried out under an agreement on related and other audit services.

An audit at the initiative of the organization is carried out in the following cases:

• the owner has doubts about the correctness of accounting and the formation of financial statements of the enterprise;
• there is a need to verify the competence and integrity of responsible persons;
• for the purpose of assessment economic efficiency enterprise (for a certain period) and the optimality of the applied taxation system;
• at the request of investors, government agencies or credit institutions.

So, what is auditing?

Auditing activities represents the business activity of auditors ( audit firms) to carry out independent non-departmental audits of accounting (financial) statements, payment and settlement documentation, tax returns and other financial obligations and requirements of economic entities, as well as the provision of other audit services.

Audit activities are carried out by an audit organization. Audit organization- a commercial organization that is a member of one of the self-regulatory organizations auditors.

Self-regulatory organization of auditors(SRO) is a non-profit organization created on the basis of membership in order to provide conditions for the implementation of audit activities.

The main staff of audit organizations consists of auditors.

Auditor recognized in the Russian Federation individual, who has received a qualification certificate as an auditor and is a member of one of the SROs of auditors. An individual is recognized as an auditor from the date of entry of information about him into the register of auditors and audit organizations.

The auditor has the right to carry out audit activities as an employee of an audit organization on the basis of an employment contract between him and the audit organization, as well as as an individual private entrepreneur - an individual auditor.

An audit organization can be created in any organizational and legal form, with the exception of an open joint-stock company, state or municipal unitary enterprise. Its founder can only be a certified auditor, provided that 51% of the company's shares belong to him. The director of the audit organization must be an auditor who has a qualified auditor certificate. If the powers of the executive body of the audit organization are transferred under an agreement to another commercial organization, the latter must be an audit organization.

Licensing of audit activities was canceled as of 01/01/2010, and instead mandatory membership in an SRO was introduced. According to Art. 18 Federal Law No. 307-FZ The following requirements apply to membership of auditors in SROs::

• a commercial organization can be created in any organizational and legal form, with the exception of an open joint-stock company, state or municipal unitary enterprise;
• number of auditors who are employees of a commercial organization based on employment contracts, must be at least three;
• the share of the authorized (share) capital of a commercial organization owned by auditors and (or) audit organizations must be at least 51%;
• the number of auditors in the collegial executive body of a commercial organization must be at least 50% of the composition of such executive body. A person who is the sole executive body of a commercial organization, as well as individual entrepreneur(manager), to whom the powers of the executive body of a commercial organization are transferred under the contract, must be auditors. If the powers of the executive body of a commercial organization are transferred under an agreement to another commercial organization, the latter must be an audit organization;
• availability and compliance with the rules for internal quality control;
• impeccable business (professional) reputation;
• payment of contributions to the SRO of auditors in the amounts and manner established by it;
• payment of contributions to the compensation fund (compensation funds) of SRO auditors.

An audit organization acquires the right to carry out audit activities from the date of entering information about it into the register of self-regulatory organizations of auditors.

For reference

Currently in State Register SRO auditors included:

• Non-profit partnership “Audit Chamber of Russia”;
• Non-profit partnership “Institute of Professional Auditors”;
• Non-profit partnership "Moscow Audit Chamber";
• Non-profit partnership “Russian Board of Auditors”;
• Non-profit partnership “Commonwealth Audit Association”;
• Non-profit partnership "Guild of Auditors of Regional Institutes of Professional Accountants".

The goal of any commercial organization is to generate income, and an audit company is no exception. For her, earning income is associated with conducting audits, since she has no right to engage in any other entrepreneurial activity.

In addition to the audit, the audit company can provide other services related to auditing activities (Clause 7, Article 1 of Federal Law No. 307-FZ), in particular:

• establishment, restoration and maintenance of accounting records, preparation of accounting (financial) statements, accounting consulting;
• tax consulting, staging, restoration and management tax accounting, preparation of tax calculations and declarations;
• analysis of financial economic activity organizations and individual entrepreneurs, economic and financial consulting;
• management consulting, including those related to the reorganization of organizations or their privatization;
• legal assistance in areas related to auditing activities, including advice on legal issues, representation of the interests of the principal in civil and administrative proceedings, in tax and customs legal relations, in the authorities state power and local governments;
• automation of accounting and implementation of information technologies;
• appraisal activities;
• development and analysis of investment projects, drawing up business plans;
• conducting research and experimental work in areas related to auditing activities and disseminating their results, including on paper and electronic media;
• training in areas related to auditing.

In addition to Federal Law No. 307-FZ, auditing activities are regulated by federal rules (standards) of auditing activities, approved by Decree of the Government of the Russian Federation of September 23, 2002 No. 696 (as amended on December 22, 2011; hereinafter referred to as Resolution No. 696).

In addition, from 01/01/2014 it applies new edition Rules for the independence of auditors and audit organizations (approved by the Audit Council on September 20, 2012, Minutes No. 6).

The rules (standards) of auditing activities are divided into:

• to federal rules (standards);
• internal company rules (standards) in force in professional audit associations, as well as in audit organizations and individual auditors.

Auditing organizations and individual auditors in accordance with the requirements of legislative and other regulatory legal acts of the Russian Federation and federal rules(standards) of auditing activities has the right to independently choose the techniques and methods of their work.

Note!

The exception is the rules (standards) for planning and documenting the audit, drawing up the auditor’s working documentation, and the audit report, which are carried out in accordance with the federal rules (standards) of auditing activities.

The audit company, based on federal rules (standards) for auditing activities, develops the following internal rules and standards:

• general audit plan;
• audit program;
• auditor working papers;
• internal rule (standard) “Materiality”;
• internal rule (standard) “Audit sampling”.

Internal auditing standards make it possible to ensure a unified approach to auditing in a given audit firm.

Audit procedure

Preparation for an audit begins with coordination of the financial interests and economic requirements of the parties to the future audit.

For this purpose, the audit organization sends a special letter to its potential client organization about conducting an audit.

The letter, as a rule, begins with the following phrase: “You have contacted us with a request to conduct an audit of financial (accounting) statements for (indicate the period of the audit, for example, 2013). With this letter we confirm our agreement and our understanding of this assignment...” Further, the letter usually indicates: the purpose of the audit, the responsibility of the auditors in the manner prescribed by the current legislation on auditing activities and the audit agreement, the obligation of the auditors to observe the client’s trade secrets. The letter also reflects the scope of the audit, the list of documents expected to be prepared based on the audit results, the price of the audit and the payment procedure.

The organization receiving such a letter must confirm in writing that it agrees to the terms of the audit proposed by the audit company. After written confirmation from the potential client, the parties enter into an agreement to conduct an audit. If the purpose, methods and scope, as well as the cost of the audit, are specified in detail by the parties in the audit agreement, then a letter of consent may not be drawn up or its contents should provide additional information for the audited organization.

In preparation for an audit, tests are used to evaluate the company's internal control system and accounting system. Based on the data obtained, audit risks are assessed and the necessary audit procedures are determined.

Based on the assessment of the internal control system, an audit plan and program is developed.

The planning procedure is determined by Federal Rule (Standard) of Auditing No. 3 “Audit Planning” (approved by Resolution No. 696). Audit planning includes:

• drawing up a general plan of expected work;
• determining the scope and timing of audit procedures;
• development of an audit program.

The audit program contains a list of audit procedures performed.

At the end of the audit, a review of the financial statements is carried out, including errors and comments identified during the audit, and final conclusions are drawn. The most important points are discussed with the client.

Based on the auditors' findings, an audit report is drawn up. In addition to the opinion on the financial statements, the client is provided with an audit report on the results of the audit, in which:

• a general assessment of the internal control system of the audited organization is given;
• the compliance of accounting with the requirements of current legislation is indicated;
• Recommendations are offered to improve the efficiency of the accounting system and eliminate errors that can significantly distort the results of accounting (financial) statements.

Conducting an audit in practice

We will tell you about the preliminary stage of the audit, how to determine the level of materiality and assess the audit risks of a potential client, using an example.

The structure of the audit company (the company is small, numbering up to 100 people) is shown in Fig. 1.

Rice. 1. Organizational structure audit company

Areas of responsibility distribution

Heads an audit company CEO, who is a professional auditor and has an auditor certificate. He manages the work of the entire team, expresses the audit organization’s opinion on the reliability of the financial statements of the audited economic entity, reflected in the audit report, and resolves controversial issues that arise during the audit.

The audit department is headed by the Deputy General Director for Audit, also an auditor with an auditor certificate. The Deputy General Director reports directly to the director, negotiates with the management of the economic entity, resolves organizational issues of conducting audits and conflict situations with the client, and is responsible for the company’s internal standards.

Employees of the Audit Department, depending on the functions they perform, are divided into the following categories:

• heads of departments of the audit department - leading auditors with an auditor certificate;
• senior auditors - auditors who have an auditor certificate, supervise audits;
• auditors who have an auditor certificate, have been working in the company for less than 1 year, and participate in audits;
• auditor assistants are company employees who participate in audits but do not have an auditor certificate.

Functional responsibilities for each category of employees of the audit department are specified in job descriptions.

The heads of departments of the audit department (lead auditors) report to the Deputy Director for Audit. Lead auditors staff the audit team, appoint the head of the audit group, approve the audit plan and program.

A senior auditor is appointed as the head of the audit. He participates in the audit, manages the auditors reporting to him, and is responsible for the organization and quality of the audit.

The senior auditor systematizes all working documentation accumulated during the audit, processes the received accounting data, and compiles the results of audit procedures into written information (audit report) provided to the client. He is accountable to the head of the department - the lead auditor, brings the audit results to his attention, discusses controversial situations that may affect the content and conclusions of the audit report.

Auditors participate in audits, draw up working documentation, make calculations, and participate in the preparation of the audit report.

Audit assistants participate in audits under the direction of auditors or senior auditors and are responsible for performing the duties assigned to them during the audit.

The administrative service (Fig. 2) is headed by the Deputy Director for General Affairs.

Rice. 2. Structure of the administrative service

The legal department is headed by a senior lawyer. He resolves legal issues arising during the audit, represents the interests of the client in arbitration court. The Senior Lawyer reports directly to the Deputy Director for General Affairs.

The accounting department, headed by the chief accountant, maintains the accounting records of the audit company. Chief Accountant reports directly to the General Director.

The HR department, headed by the head of the HR department, maintains personnel records. The Head of the Human Resources Department reports to the Deputy Director for General Affairs.

The Client Attraction Service offers audit and audit-related services to legal entities, including searching for new clients. The service is headed by a senior manager who reports directly to the general director.

Let's assume that the customer acquisition service has found a construction company that has agreed to conduct a proactive audit of its annual financial statements for 2013. Construction company carries out construction and installation work at sites in Moscow and near Moscow region, acts as a contractor. The parties entered into an audit agreement, which indicated the purpose of the audit, the period of its conduct, the cost of the audit, and other necessary conditions. The period for conducting audit procedures is from February 11 to February 22, the audit report and conclusion must be provided to the client by February 27, 2013.

Accounting reporting forms, primary documents, accounting and tax registers, and tax returns were provided for the audit.

At the preliminary stage of the audit, the level of materiality was calculated and audit risks were identified.

Materiality in an audit (Rule (standard) No. 4 “Materiality in an audit”)

Each organization determines the formula and methodology for calculating the level of materiality itself and approves it in its internal standard, which is open information. Interested parties (existing and potential clients, users of external reporting) should be able to familiarize themselves with the procedure for determining the level of materiality in the audit organization, which will confirm the reliability of their financial statements.

The accepted standard for determining the level of materiality is applied on an ongoing basis. The provisions of the intra-company standard can be changed in the event of changes in legislation in the field of accounting, changes in the specialization of the company (for example, previously only general audits were carried out, and then audits of banks began to be carried out).

Our audit company uses the following financial reporting indicators as basic indicators used to calculate the level of materiality: profit (loss) from sales, revenue, cost of sales, balance sheet currency, equity(total 5 indicators).

Data for calculating the level of materiality are presented in table. 1.

Table 1. Data for calculating the level of materiality
Basic indicators	Financial statements	Value of the base indicator as of December 31, 2013, thousand rubles.	Share, %	Value acceptable for finding the level of materiality, (thousand rubles)
Profit (loss) from sales	Page 2200 Profit and Loss Statement			32,35
Revenue	Page 2110 Income Statement	51 239		1024,78
Cost of sales	Page 2120 Income Statement	50 583		1011,66
Balance currency	Page 1600, page 1700 Balance Sheet	16 224		324,48
Equity	Page 1300 Balance Sheet	1397		139,7
Total				2532,97
Average value				506,594

Formula for calculating the level of materiality:

(32.35 + 1024.78 + 324.48 + 139.7 + 1011.66) / 5 = 506.594 thousand rubles.

Indicators that deviate significantly more and/or less from the average value are discarded. Let the acceptable level of deviations be set at 50%.

We find the percentage deviation of the minimum and maximum values ​​using the formula:

Off (%) = (Significance level – Basic indicator value) / Materiality level × 100%.

Percent deviation:

• minimum value:

(32.35 – 506.594) / 506.594 × 100% = 93.62 - the value is discarded;

• maximum value:

(1024.78 – 506.594) / 506.594 × 100% = 102.28 - the value is discarded.

Since our acceptable level of deviations is 50%, and the resulting deviations are much greater than 50%, we discard the maximum and minimum values.

We determine the new value of the materiality level, thousand rubles:

(324.48 + 139.7 + 1011.66) / 3 = 491.94 thousand rubles.

The overall materiality level is RUB 491.94 thousand. We round this value to a whole value, resulting in 500 thousand rubles.

Calculation of the level of audit risk

An important element influencing the audit conclusion is the level of risk, which is determined in accordance with Rule (Standard) No. 8 “Understanding the activities of the audited entity, the environment in which it is carried out, and assessing the risks of material misstatement of the audited financial (accounting) statements.”

Audit risk- this is the probability that the financial statements may contain undetected material errors or distortions after confirming their accuracy.

If average value The risk level is set at 5%, which means that 5 out of 100 audit reports may contain incorrect conclusions, and the level of confidence in the auditor’s opinion is 95%.

In practice, there are two practical models for calculating audit risk: direct and indirect.

Straight model based on the auditor's direct judgment. For example, if the auditor believes that inherent risk is 80%, control risk is 50% and detection risk is 10%, then direct audit risk will be: 0.8 × 0.5 × 0.1 = 0.04, i.e. 4 %.

Indirect model assumes that a key characteristic of the auditor's work is detection risk, and it is this that should be assessed.

In our example, the audit company calculates audit risk using an indirect model.

Audit risk includes three components:

• inherent (intra-business) risk;
• risk of the internal control system;
• the risk of undetected errors and distortions in financial statements.

Therefore, an acceptable audit risk is set, for example 5%.

Inherent (on-farm) risk- the likelihood of reporting being susceptible to significant errors. Determined subjectively by the auditor.

The auditor identifies the likelihood of significant misstatements in a given accounting account, balance sheet item, or financial statements of the audited entity as a whole before they are detected by the internal control system or on the assumption that there is no internal control.

To identify the likelihood of material misstatements, the auditor evaluates the accounting system in place at the audited enterprise. This can be done in the form of an auditor questionnaire (Table 2). In the future, when drawing up an audit program and selecting procedures for collecting audit evidence, the results of the questionnaire are taken into account.

Table 2. Auditor Questionnaire
No.	Questions	Answer options
		Yes	No
	Has the company's accounting policy been approved?
	Is accounting carried out in accordance with the Accounting Policies?
	Does the chief accountant have a higher education degree? economic Education and a professional accountant certificate?
	Does the chief accountant undergo advanced training courses once a year?
	Do accounting employees participate in special seminars and trainings to improve their skills?
	Are there any job descriptions for accounting workers?
	Is accounting staff certified for compliance with the duties they perform?
	Is reconciliation of accounting and operational data carried out once every 3 months?
	Does the enterprise have a document flow schedule and are submission deadlines met? primary documents to accounting?
	Does the organization subscribe to special periodicals (“Chief Accountant”, Moscow Accountant”, “Taxes and Law”, etc.)?
	Do accounting employees use the legal frameworks “Garant” and “Consultant Plus” in their work?
	Is an official licensed version of the automated accounting software used?
	Official version data accounting program Are they updated at least once a month?
	Is there separate automated accounting for the “Payroll calculations” section?
	Is accounting more than 80% automated?
	Does the company have an internal audit department?

Based on the questionnaire, we will evaluate the reliability of the accounting system.

Let the reliability of the accounting system be equal to:

100% - 16 questions,
yes - 10,
no - 6.

Calculation formula:

10 × 100% / 16 = 62.5% - internal audit risk.

Based on the results of the survey, the following can be done: conclusion: the organization of the accounting system for operations generally meets the requirements of efficiency and reliability and the percentage is 62.5%.

Internal control system risk- the likelihood of ineffective internal control.

Internal control system- a set of organizational structure, methods and procedures operating in an organization and allowing for more efficient and rational accounting of economic activities.

The internal accounting system involves supervision and verification of accounting by the organization itself. In this case, the following are controlled:

• compliance with legal requirements;
• accuracy and completeness of accounting documentation;
• timeliness of preparation and reliability of financial statements;
• timeliness and accuracy of execution of orders and instructions;
• ensuring the safety of the organization's property.

Assessing the effectiveness of the internal control system is a generalization of indicators of its effectiveness and efficiency.

These indicators include the following factors:

• the circle of employees involved in the generation of information at the enterprise, and whether they have the appropriate education, how responsible they are in fulfilling their job responsibilities;
• availability of technical means of control;
• availability of control technology;
• controlled parameters.

The questionnaire to identify the operation of the internal control system is presented in Table. 3

Table 3.Questionnaire to identify the operation of the internal control system
No.	Questions	Possible answer
		Yes	No
	Are the forms of primary documents used in the organization reflected in the accounting policies?
	Have liability agreements been concluded with financially responsible persons?
	Is inventory taken before changing materially responsible persons?
	Are sudden inventories of the cash register and warehouses carried out?
	Do accounting employees check the compliance of the documents they apply to accounting with the requirements of current legislation?
	Has the circle of accountable persons been established?
	Is there a period for reporting by accountable persons on the amounts issued to them?
	Are the responsibilities of the chief accountant and cashier combined?
	Is inventory taking place? material assets before preparing the annual financial statements?
	Are employees paid? wage 2 times a month (advance and salary)?
	Accountable amounts are not issued to employees who have not accounted for previous amounts issued?
	Accountable amounts (except for travel allowances) are not issued to employees not listed in the list of accountable persons?
	Is the use of working time monitored?
	Are vacation pay issued to employees 3 days before the start of the vacation?
	Does the organization have internal labor regulations and safety regulations?
	Are newly hired employees familiar with the Internal Labor Regulations and Safety Rules?

According to testing of the internal control system, its reliability can be assessed as:

16 questions - 100%,
yes - 9;
no - 7.

9 × 100 / 16 = 56.25% - control risk.

We conclude: the internal control system can be characterized as being at an average level, since the reliability is 56.25%, therefore, one cannot fully rely on the internal control system.

Risk of non-detection- the likelihood that the auditor will not detect significant errors after they were not detected by internal control systems; determined by the formula:

AR = RN × VR × RSK,

where AR is audit risk, %;

RN - risk of non-detection, %;

Water chemistry - on-farm risk, %;

RSC - control risk, %.

For our example:

BHR (accounting system assessment test) = 62.5%;

RSK (internal control system assessment test) = 56.25%.

The risk of non-detection is defined as follows:

RN = AR / VCR × RSK,

for our example, pH = 0.05 / 0.625 × 0.562 = 0.1423, that is, 14.23%.

The level of risk is determined by adding up the points awarded for answering the questions. The total scores are compared with the ranges of values ​​(Table 4).

Table 4. Risk assessment ranges
Risk level
Short	1–45 %
Average	45–80 %
High	80–100 %

The level of risk assessment for our example is presented in table. 5.

Table 5.Risk assessment level
Risk	Range of values ​​in percentage terms	Risk level
On-farm risk	62,5 %,	average
Internal control risk	56,25 %	average
Risk of non-detection	14,23 %	short

From the data in table. 5 it follows that the water chemistry and water quality control are average, the pH is quite low, so the auditor can afford to reduce real labor costs, reduce the sample size, and use less labor-intensive methods for obtaining audit evidence.

Determining the level of materiality and audit risks is an important point in preparing for an audit. Knowing the level of materiality and audit risks, auditors plan the audit. For this purpose, a general plan and audit program are drawn up.

In addition, the accepted level of materiality will influence the auditors’ opinion on the reliability of the financial statements. At the same time, there are three levels of materiality for choosing an audit report:

1. insignificant amounts (much less than the calculated amount of materiality);
2. the amounts are material (above the estimated level) but do not distort the overall impression of the financial statements as a whole;
3. The amounts are so significant and so frequent that the objectivity of the financial statements as a whole is called into question.

Non-essential amounts- these are identified inaccuracies in the financial statements that are much less than the calculated amount of materiality. These inaccuracies will not distort financial statements and will not affect the auditors' opinion on the reliability of such statements. In this case, an unmodified conclusion is issued.

For example, the level of materiality is determined at RUB 200,000. and it was revealed that the cost of inventories was overstated by RUB 220,000, that is, the amount of misstatement is significant. However, the amount of reserves in the total assets of the enterprise is insignificant and amounts to about 15%; all other balance sheet items are formed correctly. The auditor's opinion will depend on his professional judgment. If the auditor considers that the consequences of the detected error are not significant for the reporting as a whole and will not have a significant impact on the balance sheet profit and tax payments, then a modified opinion with a reservation will be issued.

If the identified amounts of misstatement are much higher than the established level of materiality or the identified error is systemic, that is, it often occurs in accounting, and there is confidence that users of the audited financial statements will inevitably make incorrect decisions based on them, the auditor issues a modified negative opinion.

The auditor's choice of procedures is based on risk assessment. The higher the auditor's risk assessment, the more reliable and relevant the audit evidence obtained by the auditor as a result of the audit should be.

The success of the audit largely depends on the chosen level of materiality and the established audit risk.

Audit risk is the risk that the auditor will express an inappropriate audit opinion when there is a material misstatement in the financial statements.

This is standard No. 8. It matches international standard ISA 330 and ISA 315.

Audit risk depends on 2 components:

1. The risk of material misstatement is the risk that the financial statements have already been misstated before the start of the audit.

2. Non-detection risk is the risk that the auditor will not detect such misstatements in the financial statements.

Audit risk consists of 3 parts:

1. Inherent risk.

2. Control risk.

3. Risk of non-detection.

Inherent risk (intrabusiness risk) is the exposure of the balance of funds in the accounting accounts or some group of similar transactions to distortion, which can be significant (individually or together), in the absence of the necessary internal controls.

Internal control risk (see printout).

Risk of non-detection:

1. Risk of analytical procedures - inspection, examination of records, documents, inspection tangible assets, observation (studying the actions of other persons), inquiry, analytical procedures(study of financial and economic indicators of the company’s activities, comparison of these indicators).

2. Risk of detailed tests of transactions and account balances.

3. Risk of sampling method.

The appendix to Standard 8 (Appendix 3 to Standard 8) sets out conditions and events that may indicate a risk of material misstatement exists.

Internal control system is a set of organizational measures, methods and procedures adopted by the management of an organization for the orderly and efficient conduct of business activities, which also includes supervision and verification of:

1. Compliance with laws.

2. Accuracy and completeness of accounting.

3. Asset safety

4. Execution of orders and instructions, etc.

It includes:

1. Accounting system.

2. Control environment. This concept characterizes general relations, awareness and practical actions of the management of the audited organization aimed at developing internal control. It includes:

a. Basic principles of organization management.

b. Organizational structure of the organization.

c. Personnel policy and practice.

d. Distribution of responsibilities and powers, etc.

3. Separate funds control.

Examples of internal controls:

1. Inventory.

2. Registration of documents in special journals.

3. Counter mutual checks of accounting records.

4. Continuous numbering of created documents, etc.

Unlike the risk of material misstatement, detection risk characterizes the effectiveness and quality of the auditor’s work and depends on the procedure for conducting a particular audit and the level of the auditor.

Methods for assessing audit risk:

1. Evaluative (intuitive) – auditors, based on their own professional experience and understanding of the activities of the audited entity and the environment in which it is carried out, determine the audit risk based on the financial statements as a whole as high, medium or low and use this when planning the audit.

2. More widely applied quantitative calculation method audit risk assessments. Audit risk = VR * RK * RN = internal risk (inherent) * risk of internal controls * risk of non-detection.

Audit risk is a certain characteristic that is acceptable from the point of view. A value often mentioned is 5%, i.e. in 5 cases out of 100, the audit organization gives an erroneous audit opinion.

If the audit risk has a specified value, then the risk of non-detection (DR) and the risk of internal controls (IC) must be assessed by the auditor at the stage of preparing the audit and its planning. The lower the auditor's assessment of these components, the higher the detection risk he can anticipate.

In practice, the audit risk model is used in several ways:

1. Establish the values ​​of the components of audit risk.

2. The emphasis is shifted to calculating the value of detection risk and the corresponding amount of required audit evidence - this is a more effective way.

Detection risk = Audit risk / (intra-business risk (inherent) * internal control risk).

When assessing risks, the auditor, when identifying such risks, requires special audit consideration; they are defined as significant risks. When determining significant risks, the auditor considers a number of issues:

1. The risk of dishonest actions in the organization.

2. Complexity of business operations.

3. Subjectivism when calculating some estimated values contained in the financial statements, etc.

Example 5:

Auditors in the pre-planning process rated inherent risk as very high (80%), control risk as medium (50%) and detection risk as 20%. Assess the overall audit risk.

Audit risk is calculated using our first formula: 0.8 * 0.5 * 0.2 * 100 = 8%, i.e. in 8 cases out of a hundred it can give an incorrect conclusion.

Example 6:

During the planning of the audit, the auditor rated the inherent risk as high (80%) and the risk of internal controls as medium (50%). Estimate what the detection risk should be to ensure an audit risk of 5%.

pH = 0.05/(0.8*0.5) * 100 = 12.5%