chapter 4 audit risk and business risk. define the nature of risk in this chapter, we identify four...
TRANSCRIPT
Chapter 4
Audit Risk and Business Risk
Define the Nature of Risk
In this chapter, we identify four critical components of risk that affect the audit approach and audit outcome
Enterprise risk - those that affect the operations and potential outcomes organization activities
Engagement risk - comes with association with a specific client
Financial reporting risk - those that relate directly to the recording transactions and the presentation of the financial statements
Audit risk - risk an auditor may provide an unqualified opinion on financial statements that are materially misstated
Each of these components can be managedThe effectiveness of risk management processes will
determine whether the company continues to exist
Enterprise Risk Management (ERM)
COSO defines ERM as a
"process effected by an entity's board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risks to within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives."
Enterprise Risk Management (ERM) (Continued)
COSO elements: Risk management environment: management culture and
attitude towards risk Event identification: of events that may affect organization's
ability to implement strategies or achieve objectives Risk assessment: to determine response Risk Response Control activities: policies and procedures designed to reduce
risks and to assure management's directives and strategies are implemented
Information and communication MonitoringAn effective ERM process within an organization is designed to
provide assurance that risks are identified, understood, and addressed
Discuss Organizational Risk Responses
Once risk has been identified and assessed, an organization has four choices:
- Control the risk- Share or transfer the risk- Diversify against or avoid the risk- Accept the risk
Depending on the circumstances, each of these may be an acceptable approach to manage risk
Review Risk Factors Affecting the Audit
Engagement Risk Risk auditors incur by being associated with a particular
client Risk is high whenever there is increased likelihood that
Auditor is associated with a failed clientFinancial statements contain material misstatement
that the auditor fails to find These conditions increase the likelihood that the auditor
will be suedClient Acceptance or Retention Decision Perhaps the most important audit decision A number of factors affect this decision, but most
important involveQuality of the client's corporate governanceClient's financial health
Discuss Risk Factors Affecting the Audit - Corporate Governance & Client
Acceptance The key factors an auditor will analyze
includeManagement integrityIndependence and competence of the
audit committee and boardQuality of ERM and controlsRegulatory and reporting requirementsParticipation of key stakeholdersExistence of related party transactions
Risk Factors Affecting the Audit - Financial Health of the Organization
There are a number of reasons why the auditor needs to evaluate a potential client's financial health:
The auditor will most likely be sued if a client declares bankruptcy Investors and creditors who have lost money will look for
recovery Attorneys will claim the financial statements were misstated
and the auditors should have known they were misstated The auditor also needs to understand the financial
health in order to: Assess management's motivation to misstate the financial
statements Identify areas that are likely to be misstated Identify account balances that appear unusual
Risk Factors Affecting the Audit - Other Factors Affecting Engagement Risk
The auditor should evaluate the company's economic prospects to help ensure that
Important areas will be investigated The company will likely stay in businessHigh-risk companies are generally characterized by Inadequate capital Lack of long-run strategic and operational plans Low cost entry into the market Dependence on limited product offerings Dependence on technology subject to obsolescence Instability of future cash flows History of questionable accounting practices Previous inquiries by the SEC or other regulatory
agencies
Review Risk Factors Affecting the Audit - Financial Reporting Risk
Financial reporting risk is influenced byThe company's financial health The quality of the company's internal
controlsThe complexity of the company's
transactions and financial reportingManagement's motivation to misstate the
financial statementsThese factors are interrelatedThe auditor will gather information on these
issues through reviews of previous audits, or by talking with the predecessor auditor
Accepting New Clients: Auditing Standards on Auditor Changes
SAS 84 requires a successor auditor to initiate discussions with the predecessor to discuss the reasons for the change in auditors
Because of the confidentiality rule, the successor must first obtain client permission to talk with predecessor
The successor is particularly interested in factors that bear on
Management integrity Disagreements with management on any substantive
auditing or accounting issues The predecessor's understanding of the reasons for the
change Any communications between the predecessor and
management or audit committee regarding fraud, illegal acts or internal control matte
Discuss Accepting New Clients: Engagement Letter
The auditor and client should have a mutual understanding of the audit process
The auditor should prepare an engagement letter to clarify the responsibilities and expectations of each party, and to summarize and document this understanding including the
Nature of the services to be provided Timing of those services Expected fees and basis on which they will be billed
(fixed fee, hourly rates) Auditor responsibilities including the search for fraud Client responsibilities including preparing information for
the audit Need for any other services to be performed by the firm
Define Materiality
The auditor is expected to plan and perform an audit that provides reasonable assurance that material misstatements will be detected
The FASB defines materiality as the "magnitude of an omission or misstatement of accounting
information that, in light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement"
Materiality has three significant dimensions: Size of the misstatement (dollar amount) Circumstances - some things are viewed more critically than
others User impact - impact on potential users and the type of
judgments made
Comment on Materiality
Determination of materiality is situation specific Although this makes determination more difficult, it
allows the auditor to adjust the rigor of the audit to reflect the risk of the engagement
The lower the dollar amount of set materiality, the more rigorous the examination
Most firms have guidelines for setting materiality Guidelines usually involve applying percentages to
some base Guidelines may also be based on nature of the
industry or other factorsAuditors initially set planning materiality for the
statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement
Define Audit Risk
Audit risk is the risk than an auditor may issue an unqualified opinion on materially misstated financial statements
The auditor assesses engagement risk first, then sets audit risk
Audit risk is inversely related to engagement risk If the auditor accepts a client with high engagement
risk The auditor must conduct a more rigorous audit The auditor does this is by setting audit risk at a low level
If the auditor accepts a client with low engagement risk The auditor will set audit risk at a higher level
Review Audit Risk & Materiality
Audit risk and engagement risk relate to factors that might encourage someone to challenge the auditor's work
For example, transactions that might not be material to a "healthy" company might be material to financial statement users for a company on the brink of bankruptcy
The following factors help integrate the concepts of risk and materiality:
All audits involve sampling and cannot provide 100 percent assurance
Auditors must compete in an active marketplace for clients Auditors need to understand society's expectations of financial
reporting and the audit process Auditors must identify the risky areas of a business to
determine which accounts are more susceptible to material misstatement
Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances
Review the Audit Risk ModelThe auditor sets desired audit risk based on assessed
engagement riskAR = IR x CR x DR
AR = Audit RiskIR = Inherent RiskCR = Control RiskDR = Detection Risk The audit risk model allows the auditor to consider the
following: Complex or unusual transactions are more likely to recorded in
error than are simple or recurring transactions Management may be motivated to misstate earnings or assets Better internal controls mean a lesser likelihood of
misstatement The amount and persuasiveness of audit evidence gathered
should vary directly with the likelihood of material misstatements
Explain the Audit Risk Model
Inherent Risk - Susceptibility of transactions to be recorded in error
Inherent risk is higher for some items: Complex transactions are more likely to be misstated than
simple transactions Estimated balances more likely to be misstated than fact
based balances The auditor assesses inherent riskControl Risk - Risk client controls will fail to prevent or
detect a misstatement The quality of controls often varies between classes
of transactions The auditor assesses control risk
Environment Risk - inherent and control risks combined
Reflects the likelihood of material misstatements occurring
Detection risk - risk audit procedures will fail to detect material misstatements
Relates to the effectiveness of audit procedures and their application
Detection risk is controlled by the auditor and is an integral part of audit planning
The level of detection risk set directly determines the rigor of the substantive audit work performed
Explain the Audit Risk Model (Continued)
Audit Risk ModelAR = IR x CR x DR
Audit risk is set inversely to the assessed level of engagement risk
After audit risk is set, the auditor assesses inherent and control (environment) risks
The auditor sets detection risk INVERSELY to environment risk Example, if the auditor is examining transactions with high
inherent risk, or weak controls, the auditor will set a low detection risk
Low detection risk means a low probability of NOT detecting material misstatements To achieve low detection risk, the auditor will have to perform
more rigorous substantive testing For example, larger sample sizes, more reliable forms of
evidence, assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing
The audit risk model shows that the amount, nature, and timing of audit procedures depends on the level of audit risk an auditor assumes, and the level of client-related risks
Audit Risk Model: Limitations
Inherent risk is difficult to formally assessAudit risk is subjectively determinedThe model treats each risk component as
separate and independent when clearly, this is not the case
Audit technology is not so precise that each component can be accurately assessed
Because of these limitations, many auditors use the audit risk model as a functional, rather than mathematical, model
Discuss Understanding Enterprise & Financial Reporting Risks
If there are major problems within a company, the evidence gathered from within that company will probably be less reliable
Because of this, the auditor shouldUnderstand the company, its strategies, and
operations in depthDevelop an understanding of the market in
which the company operatesDevelop an understanding of the economics
of client transactionsDevelop expectations about financial results
or transaction outcomes
Explain Business Risk & the Audit Process
Risk-based approach to auditing: Develop understanding of management's risk
management process Develop understanding of the business and the risks
it faces Use the identified risks to develop expectations
about account balances and financial results Assess the quality of control systems to manage
risks Determine residual risks, and update expectations
about account balances Manage remaining risk of account balance
misstatement by determining the direct tests of account balances (detection risk) that are necessary
Understanding Management's Risk Management Process
To understand the client's risk management process, auditors will normally use the following techniques:
Understand the processes used to evaluate risks Review the risk-based approach used by internal
auditing Interview management about their risk approach Review regulatory agency reports that address
company's policies towards risk Review company polices and procedures for
addressing risk Review company compensation policies to see if
they are consistent with company's risk policies
Review prior years' work to determine if current actions are consistent with risk approach discussed with management
Review risk management documentsIf the company has strong risk management
processes, the auditor may focus on testing controls and developing corroborative evidence on account balances
On the other hand, if the company does not have a comprehensive risk process, the auditor will assess engagement risk as high, set audit risk at a lower level, and increase direct testing
Understanding Management's Risk Management Process
Review Developing an Understanding of Business & RiskThere are a number of information sources
(including electronic sources) that auditors use to develop an understanding:
Intelligent agentsKnowledge management systemsOnline searchesReview SEC filingsCompany web sitesEconomic statisticsProfessional practice bulletinsStock analysts' reports
Discuss Understanding Key Business Processes
Each organization has a few key processes that give them a competitive advantage (or disadvantage)
The auditor should gather sufficient information to understand
The key processesThe industry factors affecting key processesHow management monitors key processesThe potential operational and financial
effects associated with key processes
Understanding Key Business Processes - Sources of Information
Management inquiriesPredecessor auditor inquiriesReview of prior-period audit work papersReview of client's budgetsTour client's facilities and operationsReview data processing centerReview significant debt covenants and board
of director minutesReview relevant government regulations and
client’s legal obligations
Discuss Developing Expectations
The auditor should use information about the company’s key processes and risks to develop expectations about its account balances and performance
These expectations should be Developed independently of managementDocumented, along with a rationale for the
expectationsCommunicated to all audit team members
Explain Assessing Quality of Internal Controls
Controls include policies and procedures set by management to manage risk
The auditor is particularly interested in those controls designed to protect the company's key processes and the measures used to monitor the operation of these controls
Examples of these measures (key performance indicators): Backlog of work in progress Amount of return items Increased disputes regarding accounts receivable or accounts
payable Surveys of customer satisfaction Employee absenteeism Decreased productivity Information processing errors Increased delays in important processes
Review Managing Detection & Audit Risk
The auditor manages audit risk byAdjusting audit staff to reflect risk
associated with a clientDeveloping direct tests of account
balances consistent with detection riskAnticipating potential misstatements
likely associated with account balancesAdjusting the timing of audit tests to
minimize overall audit risk
Preliminary Financial Statement Review: Techniques & Expectations
Auditors use analytical procedures to develop expectations of account balances
These expectations are compared to recorded book values to identify misstatements
Sources of data commonly used: Financial information for prior periods Expected or planned results from budgets and
forecasts Comparison of linked accounts (such as interest
expense and debt) Ratios of financial information (such as common-
size financial statements) Company and industry trends Relevant non-financial information
Preliminary Financial Statement Review: Techniques & Expectations
Techniques commonly used Trend analysisComparative financial statements (horizontal
analysis)Common-sized financial statements (vertical
analysis)Ratio analysisThe results of analytical procedures are placed
in context when auditors compare client results to the client's prior performance, industry data, or client expectations (budgets and forecasts)
Comment on Risk Analysis & Conduct of the Audit
The risk approach means auditors must understand the company and its risks as a basis for determining which account balances should be directly tested and which can be corroborated by analytical procedures
Linkage to direct tests of account balances If the auditor concludes there is a high risk of
material misstatement s/he must Set materiality at an appropriate level Use procedures appropriate for the level risk to
examine the account balance
Quality of accounting principles usedThe auditor is required to assess the
appropriateness of the accounting methods used by management
Guidelines to evaluate "appropriateness" include:Representational faithfulness - does the
accounting reflect the economic substance of the transactions
Consistency of application of GAAPAccounting estimates - based on proven models,
reconciled to actual results, based on valid economic reasons?
Comment on Risk Analysis & Conduct of the Audit