audit risk and business risk

Chapter 4 Audit Risk and Business Risk

Upload: baofish092

Post on 01-Nov-2015


TRANSCRIPT

Page 1: Audit Risk and Business Risk

Chapter 4 Audit Risk and Business Risk

Page 2: Audit Risk and Business Risk

Relevant Professional Standards

• ASA 210 Terms of Audit Engagements

• ASA 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Page 3: Audit Risk and Business Risk

Nature of Risk

• Four critical components of risk affect the audit approach and audit outcome:
– Enterprise risk: risks that affect the operations and potential outcomes of organisation activities
– Engagement risk: comes with association with a specific client
– Financial reporting risk: risks that relate directly to the recording of transactions and the presentation of the financial statements
– Audit risk: the risk that an auditor may provide an unqualified opinion on financial statements that are materially misstated.

Page 4: Audit Risk and Business Risk

Nature of Risk (cont.)

• Each of these components can be managed.

• Company survival depends on the effectiveness of risk management processes.

Page 5: Audit Risk and Business Risk

Enterprise Risk Management (ERM)

• COSO defines ERM as:
‘[a] process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.’

Page 6: Audit Risk and Business Risk

Enterprise Risk Management (cont.)

• COSO describes ERM as consisting of eight interrelated processes:
– risk management environment: management culture and attitude towards risk
– event identification: identification of events that may affect the organisation’s ability to implement strategies or achieve objectives

– risk assessment: assessing risks to determine response

– risk response

Page 7: Audit Risk and Business Risk

Enterprise Risk Management (cont.)

– control activities: policies and procedures designed to reduce risks and to ensure management’s directives and strategies are implemented
– information and communication
– monitoring

• An effective ERM process within an organisation is designed to provide assurance that risks are identified, understood and addressed.

Page 8: Audit Risk and Business Risk

Organisational Risk Responses

• Once risk has been identified and assessed, an organisation has four choices:
– control the risk
– share or transfer the risk
– diversify against or avoid the risk
– accept the risk.

• Depending on the circumstances, each of these may be an acceptable approach to manage the risk.

Page 9: Audit Risk and Business Risk

Risk Factors Affecting the Audit

• Engagement risk
– The risk auditors incur by being associated with a particular client
– Risk is high whenever there is increased likelihood that:
  • the auditor is associated with a failed client
  • financial statements contain material misstatement that the auditor fails to find.
– These conditions increase the likelihood that the auditor will be sued

Page 10: Audit Risk and Business Risk

Risk Factors Affecting the Audit (cont.)

• Client acceptance or retention decision

– Perhaps the most important audit decision

– A decision affected by a range of factors. The most important involve:
  • the quality of the client’s corporate governance
  • the client’s financial health.

Page 11: Audit Risk and Business Risk

Corporate Governance & Client Acceptance

• The key factors an auditor will analyse include:
– management integrity
– independence and competence of the audit committee and board
– quality of ERM and controls
– regulatory and reporting requirements
– participation of key stakeholders
– existence of related party transactions.

Page 12: Audit Risk and Business Risk

Organisation Financial Health

• There are a number of reasons why the auditor needs to evaluate a potential client’s financial health:

– The auditor will most likely be sued if a client goes into liquidation.

– Investors and creditors who have lost money will look for recovery.

– Lawyers will claim the financial statements were misstated and the auditors should have known they were misstated.

Page 13: Audit Risk and Business Risk

Organisation Financial Health (cont.)

• The auditor also needs to understand the financial health in order to:
– assess management’s motivation to misstate the financial statements
– identify areas that are likely to be misstated
– identify account balances that appear unusual.

Page 14: Audit Risk and Business Risk

Other Factors Affecting Engagement Risk

• Auditors should evaluate a company’s economic prospects to ensure important areas are investigated and the company is likely to stay in business.

• High-risk companies are generally characterised by:
– inadequate capital
– lack of long-run strategic and operational plans
– low cost entry into the market
– dependence on limited product offerings
– dependence on technology subject to obsolescence
– instability of future cash flows
– history of questionable accounting practices
– previous inquiries by regulatory agencies.

Page 15: Audit Risk and Business Risk

Material Misstatement Risk

• Financial misstatement risk is influenced by
– the company’s financial health
– the quality of the company’s internal controls
– the complexity of the company’s transactions and financial reporting
– management’s motivation to misstate the financial report.

• These factors are interrelated.

• The auditor will gather information on these issues through reviews of previous audits, or by talking with the predecessor auditor.

Page 16: Audit Risk and Business Risk

Accepting New Clients: Minimising Risk

• A new auditor should initiate discussions with the predecessor to discuss the reasons for the change in auditors.

• Because of the confidentiality rule, the successor must first obtain client permission to talk with the predecessor.

Page 17: Audit Risk and Business Risk

Accepting New Clients: Minimising Risk (cont.)

• The successor is particularly interested in factors that bear on
– management integrity
– disagreements with management on any substantive auditing or accounting issues
– the predecessor’s understanding of the reasons for the change
– any communications between the predecessor and management or audit committee regarding fraud, illegal acts or internal control matters.

Page 18: Audit Risk and Business Risk

The Engagement Letter

• The auditor and client should have a mutual understanding of the audit process.

• The auditor should prepare an engagement letter to clarify the responsibilities and expectations of each party, and to summarise and document this understanding, including the:
– nature of the services to be provided
– timing of those services
– expected fees and basis on which they will be billed (fixed fee, hourly rates)

Page 19: Audit Risk and Business Risk

The Engagement Letter (cont.)

• The engagement letter should also describe the:
– auditor responsibilities, including the search for fraud
– client responsibilities, including preparing information for the audit
– need for any other services to be performed by the firm.

Page 20: Audit Risk and Business Risk

Materiality and Audit Risk

• The auditor is expected to plan and perform an audit that provides reasonable assurance that material misstatements will be detected

• ‘Information is material if its omission, misstatement or non-disclosure has the potential, individually or collectively, to
a influence the economic decisions of users taken on the basis of the financial report; or
b affect the discharge of accountability by the management or governing body of the entity.’ (AASB 1031, para. 9)

Page 21: Audit Risk and Business Risk

Materiality

• Materiality has three significant dimensions:

– size of the misstatement (dollar amount)
– circumstances – some things are viewed more critically than others
– user impact – impact on potential users and the type of judgements made.

Page 22: Audit Risk and Business Risk

Materiality (cont.)

• Determination of materiality is situation-specific.

– Although this makes determination more difficult, it allows the auditor to adjust the rigour of the audit to reflect the risk of the engagement.

– The lower the dollar amount of set materiality, the more rigorous the examination.

Page 23: Audit Risk and Business Risk

Materiality Guidelines

• Most firms have guidelines for setting materiality. These guidelines:
– usually involve applying percentages to some base
– may also be based on nature of the industry or other factors.

• Auditors initially set planning materiality for the statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement.

Page 24: Audit Risk and Business Risk

Audit Risk

• Audit risk is the risk that an auditor may issue an unqualified opinion on materially misstated financial statements.

• The auditor assesses engagement risk first, then sets audit risk.

• Audit risk is inversely related to engagement risk.

• If auditors accept clients with high engagement risk, they must conduct more rigorous audits.

• Auditors do this by setting a low audit risk.

• If the auditor accepts a client with low engagement risk, they will set audit risk at a higher level.

Page 25: Audit Risk and Business Risk

Inseparability of Audit Risk & Materiality

• Audit risk and engagement risk relate to factors that might encourage someone to challenge the auditor’s work.

• For example, transactions that might not be material to a ‘healthy’ company might be material to financial statement users for a company on the brink of bankruptcy.

• The following factors help integrate the concepts of risk and materiality:

– All audits involve sampling and cannot provide 100 percent assurance.

– Auditors must compete in an active marketplace for clients.

Page 26: Audit Risk and Business Risk

Inseparability of Audit Risk & Materiality (cont.)

– Auditors need to understand society’s expectations of financial reporting and the audit process.

– Auditors must identify the risky areas of a business to determine which accounts are more susceptible to material misstatement.

– Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances.

Page 27: Audit Risk and Business Risk

The Audit Risk Model

• The auditor sets desired audit risk based on assessed engagement risk:

AR = IR x CR x DR

• AR = audit risk

• IR = inherent risk

• CR = control risk

• DR = detection risk

Page 28: Audit Risk and Business Risk

The Audit Risk Model (cont.)

• The audit risk model allows the auditor to consider the following:

– Complex or unusual transactions are more likely to be recorded in error than are simple or recurring transactions.

– Management may be motivated to misstate earnings or assets.

– Better internal controls mean a lesser likelihood of misstatement.

– The amount and persuasiveness of audit evidence gathered should vary directly with the likelihood of material misstatements.

Page 29: Audit Risk and Business Risk

The Audit Risk Model (cont.)

• Inherent risk: susceptibility of transactions to be recorded in error. Inherent risk is higher for some items.

– Complex transactions are more likely to be misstated than simple transactions.

– Estimated balances are more likely to be misstated than fact-based balances.

– The auditor assesses inherent risk.

• Control risk: risk client controls will fail to prevent or detect a misstatement.

– The quality of controls often varies between classes of transactions.

– The auditor assesses control risk.

Page 30: Audit Risk and Business Risk

The Audit Risk Model (cont.)

• Environment risk: inherent and control risks combined.

– Reflects the likelihood of material misstatements occurring.

• Detection risk: risk that audit procedures will fail to detect material misstatements.

– Relates to the effectiveness of audit procedures and their application.

– Is controlled by the auditor and is an integral part of audit planning.

– The level of detection risk set directly determines the rigour of the substantive audit work performed.

Page 31: Audit Risk and Business Risk

The Audit Risk Model (cont.)

AR = IR x CR x DR

• Audit risk is set inversely to the assessed level of engagement risk.

• After audit risk is set, the auditor assesses inherent and control (environment) risks.

• The auditor sets detection risk inversely to environment risk. For example, if the auditor is examining transactions with high inherent risk or weak controls, they will set a low detection risk:

DR = AR / (IR x CR)

Page 32: Audit Risk and Business Risk

Audit Risk Model

• Low detection risk means a low probability of not detecting material misstatements.

• To achieve low detection risk, the auditor will have to perform more rigorous substantive testing, such as larger sample sizes, more reliable forms of evidence, assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing.

• The audit risk model shows that the amount, nature, and timing of audit procedures depends on the level of audit risk an auditor assumes, and the level of client-related risks.

Page 33: Audit Risk and Business Risk

Limitations of the Audit Risk Model

• Inherent risk is difficult to formally assess.

• Audit risk is subjectively determined.

• The model treats each risk component as separate and independent when clearly this is not the case.

• Audit technology is not so precise that each component can be accurately assessed.

• Because of these limitations, many auditors use the audit risk model as a functional, rather than mathematical, model.

Page 34: Audit Risk and Business Risk

Developing an Understanding of Business and Financial Misstatement Risks

• If there are major problems within a company, the evidence gathered from within that company will probably be less reliable.

• Because of this, the auditor should
– understand the company, its strategies, and operations in depth
– develop an understanding of the market in which the company operates
– develop an understanding of the economics of client transactions
– develop expectations about financial results or transaction outcomes.

Page 35: Audit Risk and Business Risk

The Business Risk Approach to Auditing

• Develop understanding of management’s risk management process

• Develop understanding of the business and the risks it faces

• Use the identified risks to develop expectations about account balances and financial results

• Assess quality of control systems to manage risks

• Determine residual risk, and update expectations about account balances

• Manage remaining risk of account balance misstatement by determining the direct tests of account balances (detection risk) that are necessary

Page 36: Audit Risk and Business Risk

Understanding Management’s Risk Management Process

• To understand the client’s risk management process, auditors will normally use the following techniques:
– understand the processes used to evaluate risks
– review the risk-based approach used by internal auditing
– interview management about its risk approach
– review regulatory agency reports that address the company’s policies towards risk
– review company policies and procedures for addressing risk
– review company compensation policies to see if they are consistent with company’s risk policies

Page 37: Audit Risk and Business Risk

Understanding Management’s Risk Management Process (cont.)

– review prior years’ work to determine if current actions are consistent with risk approach discussed with management

– review risk management documents.

• If the company has strong risk management processes, the auditor may focus on testing controls and developing corroborative evidence on account balances.

• On the other hand, if the company does not have a comprehensive risk process, the auditor will assess engagement risk as high, set audit risk at a lower level and increase direct testing.

Page 38: Audit Risk and Business Risk

Developing an Understanding of Business & Risks

• There are a number of information sources (including electronic sources) that auditors use to develop an understanding of a business and risk:
– intelligent agents
– knowledge management systems
– online searches
– review of ASIC/ASX filings
– company websites
– economic statistics
– professional practice bulletins
– stock analysts’ reports.

Page 39: Audit Risk and Business Risk

Understanding Key Business Processes

• Each organisation has a few key processes that give them a competitive advantage (or disadvantage)

• The auditor should gather sufficient information to understand:
– the key processes
– the industry factors affecting key processes
– how management monitors key processes
– the potential operational and financial effects associated with key processes.

Page 40: Audit Risk and Business Risk

Sources of Information about Key Processes

• Management inquiries
• Predecessor auditor inquiries
• Review of prior-period audit work papers
• Review of client’s budgets
• Tour of client’s facilities and operations
• Review data processing centre
• Review significant debt covenants and board of directors’ minutes
• Review relevant government regulations and client’s legal obligations

Page 41: Audit Risk and Business Risk

Developing Expectations

• The auditor should use information about the company’s key processes and risks to develop expectations about its account balances and performance.

• These expectations should be:
– developed independently of management
– documented, along with a rationale for the expectations
– communicated to all audit team members.

Page 42: Audit Risk and Business Risk

Assessing Quality of Internal Controls

• Controls include policies and procedures set by management to manage risk.

• The auditor is particularly interested in those controls designed to protect the company’s key processes and the measures used to monitor the operation of these controls.

Page 43: Audit Risk and Business Risk

Assessing Quality of Internal Controls (cont.)

• Examples of these measures (key performance indicators) might include:
– backlog of work in progress
– amount of return items
– increased disputes regarding accounts receivable or accounts payable
– surveys of customer satisfaction
– employee absenteeism
– decreased productivity
– information processing errors
– increased delays in important processes.

Page 44: Audit Risk and Business Risk

Managing Detection & Audit Risk

• The auditor manages audit risk by
– adjusting audit staff to reflect risk associated with a client
– developing direct tests of account balances consistent with detection risk
– anticipating potential misstatements likely to be associated with account balances
– adjusting the timing of audit tests to minimise overall audit risk.

Page 45: Audit Risk and Business Risk

Preliminary Financial Statement Review: Techniques & Expectations

• Auditors use analytical procedures to develop expectations of account balances.

• These expectations are compared to recorded book values to identify misstatements.

Page 46: Audit Risk and Business Risk

Preliminary Financial Statement Review: Techniques & Expectations (cont.)

• Sources of data commonly used:
– financial information for prior periods
– expected or planned results from budgets and forecasts
– comparison of linked accounts (such as interest expense and debt)
– ratios of financial information (such as common-size financial statements)
– company and industry trends
– relevant nonfinancial information.

Page 47: Audit Risk and Business Risk

Preliminary Financial Statement Review: Techniques & Expectations (cont.)

• Techniques commonly used
– Trend analysis
– Comparative financial statements (horizontal analysis)
– Ratio analysis
– Common-sized financial statements (vertical analysis)

• The results of analytical procedures are placed in context when auditors compare client results to the client’s prior performance, industry data, or client expectations (budgets and forecasts)

Page 48: Audit Risk and Business Risk

Risk Analysis & Conduct of the Audit

• The risk approach means auditors must understand the company and its risks as a basis for determining which account balances should be directly tested and which can be corroborated by analytical procedures

• Linkage to direct tests of account balances: if an auditor concludes there is a high risk of material misstatement they must:
– set materiality at an appropriate level
– use procedures appropriate for the level of risk to examine the account balance.

Page 49: Audit Risk and Business Risk

Risk Analysis & Conduct of the Audit (cont.)

• Quality of accounting principles used: The auditor is required to assess the appropriateness of the accounting methods used by management.

• Guidelines to evaluate ‘appropriateness’ include
– Representational faithfulness: does the accounting reflect the economic substance of the transactions?

– Consistency of application of accounting standards

– Accounting estimates: are they based on proven models, reconciled to actual results, based on valid economic reasons?