chapter 4 audit risk and business risk. define the nature of risk in this chapter, we identify four...

Chapter 4 Audit Risk and Business Risk

Upload: brayan-kempson

Post on 16-Dec-2015



Chapter 4

Audit Risk and Business Risk


Define the Nature of Risk

In this chapter, we identify four critical components of risk that affect the audit approach and audit outcome

- Enterprise risk - those that affect the operations and potential outcomes of organization activities
- Engagement risk - comes with association with a specific client
- Financial reporting risk - those that relate directly to the recording of transactions and the presentation of the financial statements
- Audit risk - risk that an auditor may provide an unqualified opinion on financial statements that are materially misstated

Each of these components can be managed.

The effectiveness of risk management processes will determine whether the company continues to exist.


Enterprise Risk Management (ERM)

COSO defines ERM as a "process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."


Enterprise Risk Management (ERM) (Continued)

COSO elements:

- Risk management environment: management culture and attitude towards risk
- Event identification: of events that may affect organization's ability to implement strategies or achieve objectives
- Risk assessment: to determine response
- Risk response
- Control activities: policies and procedures designed to reduce risks and to assure management's directives and strategies are implemented
- Information and communication
- Monitoring

An effective ERM process within an organization is designed to provide assurance that risks are identified, understood, and addressed


Discuss Organizational Risk Responses

Once risk has been identified and assessed, an organization has four choices:

- Control the risk
- Share or transfer the risk
- Diversify against or avoid the risk
- Accept the risk

Depending on the circumstances, each of these may be an acceptable approach to manage risk


Review Risk Factors Affecting the Audit

Engagement Risk

- Risk auditors incur by being associated with a particular client
- Risk is high whenever there is increased likelihood that
  - Auditor is associated with a failed client
  - Financial statements contain material misstatement that the auditor fails to find
- These conditions increase the likelihood that the auditor will be sued

Client Acceptance or Retention Decision

- Perhaps the most important audit decision
- A number of factors affect this decision, but most important involve
  - Quality of the client's corporate governance
  - Client's financial health


Discuss Risk Factors Affecting the Audit - Corporate Governance & Client Acceptance

The key factors an auditor will analyze include

- Management integrity
- Independence and competence of the audit committee and board
- Quality of ERM and controls
- Regulatory and reporting requirements
- Participation of key stakeholders
- Existence of related party transactions


Risk Factors Affecting the Audit - Financial Health of the Organization

There are a number of reasons why the auditor needs to evaluate a potential client's financial health:

- The auditor will most likely be sued if a client declares bankruptcy
  - Investors and creditors who have lost money will look for recovery
  - Attorneys will claim the financial statements were misstated and the auditors should have known they were misstated
- The auditor also needs to understand the financial health in order to:
  - Assess management's motivation to misstate the financial statements
  - Identify areas that are likely to be misstated
  - Identify account balances that appear unusual


Risk Factors Affecting the Audit - Other Factors Affecting Engagement Risk

The auditor should evaluate the company's economic prospects to help ensure that

- Important areas will be investigated
- The company will likely stay in business

High-risk companies are generally characterized by

- Inadequate capital
- Lack of long-run strategic and operational plans
- Low cost entry into the market
- Dependence on limited product offerings
- Dependence on technology subject to obsolescence
- Instability of future cash flows
- History of questionable accounting practices
- Previous inquiries by the SEC or other regulatory agencies


Review Risk Factors Affecting the Audit - Financial Reporting Risk

Financial reporting risk is influenced by

- The company's financial health
- The quality of the company's internal controls
- The complexity of the company's transactions and financial reporting
- Management's motivation to misstate the financial statements

These factors are interrelated

The auditor will gather information on these issues through reviews of previous audits, or by talking with the predecessor auditor


Accepting New Clients: Auditing Standards on Auditor Changes

SAS 84 requires a successor auditor to initiate discussions with the predecessor to discuss the reasons for the change in auditors

Because of the confidentiality rule, the successor must first obtain client permission to talk with predecessor

The successor is particularly interested in factors that bear on

- Management integrity
- Disagreements with management on any substantive auditing or accounting issues
- The predecessor's understanding of the reasons for the change
- Any communications between the predecessor and management or audit committee regarding fraud, illegal acts or internal control matters


Discuss Accepting New Clients: Engagement Letter

The auditor and client should have a mutual understanding of the audit process

The auditor should prepare an engagement letter to clarify the responsibilities and expectations of each party, and to summarize and document this understanding including the

- Nature of the services to be provided
- Timing of those services
- Expected fees and basis on which they will be billed (fixed fee, hourly rates)
- Auditor responsibilities including the search for fraud
- Client responsibilities including preparing information for the audit
- Need for any other services to be performed by the firm


Define Materiality

The auditor is expected to plan and perform an audit that provides reasonable assurance that material misstatements will be detected

The FASB defines materiality as the "magnitude of an omission or misstatement of accounting information that, in light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement"

Materiality has three significant dimensions:

- Size of the misstatement (dollar amount)
- Circumstances - some things are viewed more critically than others
- User impact - impact on potential users and the type of judgments made


Comment on Materiality

- Determination of materiality is situation specific
  - Although this makes determination more difficult, it allows the auditor to adjust the rigor of the audit to reflect the risk of the engagement
  - The lower the dollar amount of set materiality, the more rigorous the examination
- Most firms have guidelines for setting materiality
  - Guidelines usually involve applying percentages to some base
  - Guidelines may also be based on nature of the industry or other factors
- Auditors initially set planning materiality for the statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement


Define Audit Risk

Audit risk is the risk that an auditor may issue an unqualified opinion on materially misstated financial statements

The auditor assesses engagement risk first, then sets audit risk

Audit risk is inversely related to engagement risk

- If the auditor accepts a client with high engagement risk
  - The auditor must conduct a more rigorous audit
  - The auditor does this by setting audit risk at a low level
- If the auditor accepts a client with low engagement risk
  - The auditor will set audit risk at a higher level


Review Audit Risk & Materiality

Audit risk and engagement risk relate to factors that might encourage someone to challenge the auditor's work

For example, transactions that might not be material to a "healthy" company might be material to financial statement users for a company on the brink of bankruptcy

The following factors help integrate the concepts of risk and materiality:

- All audits involve sampling and cannot provide 100 percent assurance
- Auditors must compete in an active marketplace for clients
- Auditors need to understand society's expectations of financial reporting and the audit process
- Auditors must identify the risky areas of a business to determine which accounts are more susceptible to material misstatement
- Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances


Review the Audit Risk Model

The auditor sets desired audit risk based on assessed engagement risk

AR = IR x CR x DR

- AR = Audit Risk
- IR = Inherent Risk
- CR = Control Risk
- DR = Detection Risk

The audit risk model allows the auditor to consider the following:

- Complex or unusual transactions are more likely to be recorded in error than are simple or recurring transactions
- Management may be motivated to misstate earnings or assets
- Better internal controls mean a lesser likelihood of misstatement
- The amount and persuasiveness of audit evidence gathered should vary directly with the likelihood of material misstatements


Explain the Audit Risk Model

Inherent Risk - Susceptibility of transactions to be recorded in error

- Inherent risk is higher for some items:
  - Complex transactions are more likely to be misstated than simple transactions
  - Estimated balances more likely to be misstated than fact based balances
- The auditor assesses inherent risk

Control Risk - Risk client controls will fail to prevent or detect a misstatement

- The quality of controls often varies between classes of transactions
- The auditor assesses control risk


Explain the Audit Risk Model (Continued)

Environment Risk - inherent and control risks combined

- Reflects the likelihood of material misstatements occurring

Detection risk - risk audit procedures will fail to detect material misstatements

- Relates to the effectiveness of audit procedures and their application
- Detection risk is controlled by the auditor and is an integral part of audit planning
- The level of detection risk set directly determines the rigor of the substantive audit work performed


Audit Risk Model

AR = IR x CR x DR

- Audit risk is set inversely to the assessed level of engagement risk
- After audit risk is set, the auditor assesses inherent and control (environment) risks
- The auditor sets detection risk INVERSELY to environment risk
  - Example, if the auditor is examining transactions with high inherent risk, or weak controls, the auditor will set a low detection risk
- Low detection risk means a low probability of NOT detecting material misstatements
  - To achieve low detection risk, the auditor will have to perform more rigorous substantive testing
  - For example, larger sample sizes, more reliable forms of evidence, assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing

The audit risk model shows that the amount, nature, and timing of audit procedures depends on the level of audit risk an auditor assumes, and the level of client-related risks


Audit Risk Model: Limitations

- Inherent risk is difficult to formally assess
- Audit risk is subjectively determined
- The model treats each risk component as separate and independent when clearly, this is not the case
- Audit technology is not so precise that each component can be accurately assessed

Because of these limitations, many auditors use the audit risk model as a functional, rather than mathematical, model


Discuss Understanding Enterprise & Financial Reporting Risks

If there are major problems within a company, the evidence gathered from within that company will probably be less reliable

Because of this, the auditor should

- Understand the company, its strategies, and operations in depth
- Develop an understanding of the market in which the company operates
- Develop an understanding of the economics of client transactions
- Develop expectations about financial results or transaction outcomes


Explain Business Risk & the Audit Process

Risk-based approach to auditing:

- Develop understanding of management's risk management process
- Develop understanding of the business and the risks it faces
- Use the identified risks to develop expectations about account balances and financial results
- Assess the quality of control systems to manage risks
- Determine residual risks, and update expectations about account balances
- Manage remaining risk of account balance misstatement by determining the direct tests of account balances (detection risk) that are necessary


Understanding Management's Risk Management Process

To understand the client's risk management process, auditors will normally use the following techniques:

- Understand the processes used to evaluate risks
- Review the risk-based approach used by internal auditing
- Interview management about their risk approach
- Review regulatory agency reports that address company's policies towards risk
- Review company policies and procedures for addressing risk
- Review company compensation policies to see if they are consistent with company's risk policies


Understanding Management's Risk Management Process

- Review prior years' work to determine if current actions are consistent with risk approach discussed with management
- Review risk management documents

If the company has strong risk management processes, the auditor may focus on testing controls and developing corroborative evidence on account balances

On the other hand, if the company does not have a comprehensive risk process, the auditor will assess engagement risk as high, set audit risk at a lower level, and increase direct testing


Review Developing an Understanding of Business & Risk

There are a number of information sources (including electronic sources) that auditors use to develop an understanding:

- Intelligent agents
- Knowledge management systems
- Online searches
- Review SEC filings
- Company web sites
- Economic statistics
- Professional practice bulletins
- Stock analysts' reports


Discuss Understanding Key Business Processes

Each organization has a few key processes that give them a competitive advantage (or disadvantage)

The auditor should gather sufficient information to understand

- The key processes
- The industry factors affecting key processes
- How management monitors key processes
- The potential operational and financial effects associated with key processes


Understanding Key Business Processes - Sources of Information

- Management inquiries
- Predecessor auditor inquiries
- Review of prior-period audit work papers
- Review of client's budgets
- Tour client's facilities and operations
- Review data processing center
- Review significant debt covenants and board of director minutes
- Review relevant government regulations and client's legal obligations


Discuss Developing Expectations

The auditor should use information about the company’s key processes and risks to develop expectations about its account balances and performance

These expectations should be

- Developed independently of management
- Documented, along with a rationale for the expectations
- Communicated to all audit team members


Explain Assessing Quality of Internal Controls

Controls include policies and procedures set by management to manage risk

The auditor is particularly interested in those controls designed to protect the company's key processes and the measures used to monitor the operation of these controls

Examples of these measures (key performance indicators):

- Backlog of work in progress
- Amount of return items
- Increased disputes regarding accounts receivable or accounts payable
- Surveys of customer satisfaction
- Employee absenteeism
- Decreased productivity
- Information processing errors
- Increased delays in important processes


Review Managing Detection & Audit Risk

The auditor manages audit risk by

- Adjusting audit staff to reflect risk associated with a client
- Developing direct tests of account balances consistent with detection risk
- Anticipating potential misstatements likely associated with account balances
- Adjusting the timing of audit tests to minimize overall audit risk


Preliminary Financial Statement Review: Techniques & Expectations

Auditors use analytical procedures to develop expectations of account balances

These expectations are compared to recorded book values to identify misstatements

Sources of data commonly used:

- Financial information for prior periods
- Expected or planned results from budgets and forecasts
- Comparison of linked accounts (such as interest expense and debt)
- Ratios of financial information (such as common-size financial statements)
- Company and industry trends
- Relevant non-financial information


Preliminary Financial Statement Review: Techniques & Expectations

Techniques commonly used

- Trend analysis
- Comparative financial statements (horizontal analysis)
- Common-sized financial statements (vertical analysis)
- Ratio analysis

The results of analytical procedures are placed in context when auditors compare client results to the client's prior performance, industry data, or client expectations (budgets and forecasts)


Comment on Risk Analysis & Conduct of the Audit

The risk approach means auditors must understand the company and its risks as a basis for determining which account balances should be directly tested and which can be corroborated by analytical procedures

Linkage to direct tests of account balances

If the auditor concludes there is a high risk of material misstatement s/he must

- Set materiality at an appropriate level
- Use procedures appropriate for the level of risk to examine the account balance


Comment on Risk Analysis & Conduct of the Audit

Quality of accounting principles used

The auditor is required to assess the appropriateness of the accounting methods used by management

Guidelines to evaluate "appropriateness" include:

- Representational faithfulness - does the accounting reflect the economic substance of the transactions?
- Consistency of application of GAAP
- Accounting estimates - based on proven models, reconciled to actual results, based on valid economic reasons?