Chapter 4

Risk Assessment

Audit Risk

The risk that an auditor expresses an inappropriate audit opinion when

the financial statements are materially misstated.

The risk that an auditor expresses an inappropriate audit opinion when

the financial statements are materially misstated.

Financial statementlevel

Individual accountbalance or disclosure

level

LO# 1

4-2

Assertionlevel

The Audit Risk Model

Audit Risk = IR × CR × DR

Inherent risk and control risk:Risk of material misstatement

Nonsamplingrisk

Nonsamplingrisk

Samplingrisk

Samplingrisk

Detection risk:Risk that auditor will not detect misstatements

Ineffective audit procedures Whether the audit procedureswere performed with due care

LO# 2

4-3

Engagement Risk

An auditor’s exposureto financial loss and

damage toprofessional reputation.

Litigation

Negativepublicity

LO# 2

4-4

Using the Audit Risk Model: Quant approach

Set a level of audit risk.

Assess the risk of material misstatement (IR x CR).

Use the audit risk equation to solve for the appropriate level of detection risk:

Set a level of audit risk.

Assess the risk of material misstatement (IR x CR).

Use the audit risk equation to solve for the appropriate level of detection risk:

Auditors use this level of detection risk to determine the needed audit resources. The lower the DR the greater the needed

audit resources

LO# 3

4-5

Audit Risk Model: IR and CR verbal approach

Qualitative terms may also be used in the audit risk modelQualitative terms may also be used in the audit risk model

Case AR IR CR DR1 Low High High Low

2a Low High Low Moderate2b Low Moderate Moderate Moderate3 Low Low Low High

LO# 3

Audit Risk Model: RMM verbal approach(RMM is simply IR times CR)

Case AR RMM DR1 Low High Low2 Low Moderate Moderate3 Low Low High

LO# 3

Qualitative terms may also be used in the audit risk model.Qualitative terms may also be used in the audit risk model.

4-7

Limitations of theAudit Risk Model

LO# 3

The audit risk model is a planning tool, but it has some limitations.

A major limitation is that inherent risk and control risk are estimates, and you cannot know how accurate those estimates are.

For example, the model may suggest that detection risk should be high (which means the amount of audit resources needed is low) when detection risk should be low (which means the amount of audit resources needed is high).

The audit risk model is a planning tool, but it has some limitations.

A major limitation is that inherent risk and control risk are estimates, and you cannot know how accurate those estimates are.

For example, the model may suggest that detection risk should be high (which means the amount of audit resources needed is low) when detection risk should be low (which means the amount of audit resources needed is high).

The Auditor’s RiskAssessment Process

Auditors need toidentify business risks andunderstand the potential

misstatements thatmay result.

Business risksare risks that result from

significant conditions, events,circumstances or actions thatimpair management’s ability

to execute strategies.

LO# 4

4-9

The Auditor’s Risk Assessment ProcessFigure 4-2 An Overview of the Auditor’s Assessment of Business Risks and the Risk of

Material Misstatements

LO# 4

4-10

Auditor’s Risk Assessment Procedures(How do we gather this evidence?)

Inquiries of Management, Other Entity Personnel, and

Others Outside the Entity

Inquiries of Management, Other Entity Personnel, and

Others Outside the Entity

AnalyticalProcedures

Observationand Inspection

LO# 4

4-11

Understanding the Entityand Its Environment

Industry, Regulatory, and External

Factors

Nature ofthe Entity

InternalControl

Objectives, Strategies,and Business Risks

Entity PerformanceMeasures

LO# 4

4-12

Nature of the Entity The sources of funding of the entity’s

operations and investment activities, including the entity’s capital structure, noncapital funding, and other debt instruments.

The sources of the entity’s earnings, including the relative profitability of key products and services.

Key supplier and customer relationships.

LO# 4

4-13

Industry, Regulatory, and Other External Factors

LO# 4

4-14

Understanding the Entity’s Objectives, Strategies, Risks and Risk Assessment Process

LO# 4

4-15

Now, the Countrywide case will deepen our understanding of these things by focusing on one company.

Errors are unintentional: Mistakes in gathering or processing financial data used

to prepare financial statements. Unreasonable accounting estimates arising from

oversight or misinterpretation of facts. Mistakes in the application of accounting principles

relating to amount, classification, manner of presentation, or disclosure.

Errors are unintentional: Mistakes in gathering or processing financial data used

to prepare financial statements. Unreasonable accounting estimates arising from

oversight or misinterpretation of facts. Mistakes in the application of accounting principles

relating to amount, classification, manner of presentation, or disclosure.

LO# 5

Assessing the Risk of Material Misstatement Due to Error or Fraud

4-16

Fraud is intentional. The fraud risk identification process includes: Sources of information about possible

fraud― Brainstorming among the audit team Inquiries of management and others Analytical procedures

Fraud is intentional. The fraud risk identification process includes: Sources of information about possible

fraud― Brainstorming among the audit team Inquiries of management and others Analytical procedures

LO# 6

Assessing the Risk of Material Misstatement Due to Error or Fraud

4-17

LO# 6

The Fraud Triangle

Incentive or motivation or

pressure

Opportunity(weak

internal control)

FraudTriangle

Attitude or Rationalization

(bad ethics)

Financial stabilityor profitabilityis threatened

Financial stabilityor profitabilityis threatened

Excessive pressurefor management to

meet third partyexpectations

Excessive pressurefor management to

meet third partyexpectations

Management’s personalfinancial situation

is threatened

Management’s personalfinancial situation

is threatened

LO# 6

Fraudulent Financial ReportingRisk Factors Relating to Incentive/Pressure include:

4-19

Risk Factors Relating to Attitudes/Rationalizations

Most difficult of the 3corners of the fraudtriangle to identify

Most difficult of the 3corners of the fraudtriangle to identify

Corporate or personalSymptoms may - or may not -

be present

Corporate or personalSymptoms may - or may not -

be present

Weak or bad ethics on thepart of management

Weak or bad ethics on thepart of management

LO# 6

Fraudulent Financial ReportingRisk Factors Relating to Attitudes/Rationalizations include:

4-20

Misappropriation of assets involves the theft of an entity’s assets to the extent that financial statements are misstated.

Misappropriation of assets involves the theft of an entity’s assets to the extent that financial statements are misstated.

Stealing assets

Embezzlingcash

Co. paying forgoods and services

not received by the co.

LO# 6

The auditing standards require auditors to be vigilant, not just re financial reporting fraud, but also re

misappropriation of assets.

Examples include:

4-21

LO# 6

Assessing the Risk of Misappropriation of Assets

4-22

Auditor’s Response tothe Risk Assessment (See Figure 4-3)

Financial statement level risks

Develop an overallresponse.

Determine what can go wrongat the account or assertion level.

LO# 7

Assess the risk of material misstatement at the financial statement and assertion levels.

Do these risks relate

pervasively to the financialstatements?

Design audit procedures for

assertion level risks.

Assertion level risks

Yes

No

4-23

Auditor’s Response to the Risk Assessment

LO# 7

To respond appropriately to financial statement level risks, the auditor may do the following: Emphasize to the audit team the need to maintain

professional skepticism. Assign more experienced staff or those with

specialized skills. Provide more supervision. Incorporate additional elements of unpredictability in

the selection of audit procedures.

4-24

Evaluation of AuditTest Results

At the completion of the audit, the auditor should consider: 1. Whether the accumulated results of audit procedures affect the

assessments of the entity’s business risk and the risk of material misstatement, and

2. Whether the total misstatements cause the financial statements to be materially misstated.

THEN …

If the financial statements are materially misstated, the auditor should: 1. Request management to eliminate the material misstatement, or 2. If management does not make needed adjustments, the auditor

should issue a qualified or adverse opinion.

At the completion of the audit, the auditor should consider: 1. Whether the accumulated results of audit procedures affect the

assessments of the entity’s business risk and the risk of material misstatement, and

2. Whether the total misstatements cause the financial statements to be materially misstated.

THEN …

If the financial statements are materially misstated, the auditor should: 1. Request management to eliminate the material misstatement, or 2. If management does not make needed adjustments, the auditor

should issue a qualified or adverse opinion.

LO# 8

4-25

Evaluation of AuditTest Results

If the auditor determines that the misstatement is or may be the result of fraud, and has determined that the effect could be material, the auditor should: Attempt to obtain audit evidence to determine whether, in fact,

material fraud has occurred and, if so, its effect. Consider the implications for other aspects of the audit. Discuss the matter and the approach to further investigation with

an appropriate level of management that is at least one level above those involved in committing the fraud and with senior management.

If appropriate, suggest that the client consult with legal counsel. Consider withdrawing from the engagement.

If the auditor determines that the misstatement is or may be the result of fraud, and has determined that the effect could be material, the auditor should: Attempt to obtain audit evidence to determine whether, in fact,

material fraud has occurred and, if so, its effect. Consider the implications for other aspects of the audit. Discuss the matter and the approach to further investigation with

an appropriate level of management that is at least one level above those involved in committing the fraud and with senior management.

If appropriate, suggest that the client consult with legal counsel. Consider withdrawing from the engagement.

LO# 8

4-26

Documentation of theAuditor’s Risk Assessment

The auditor should document: Discussions among engagement personnel. Procedures performed to identify and assess the risks

of material misstatement due to fraud. Risks of identified material misstatement due to fraud

and a description of the auditor’s response to the risks. Fraud risks or other conditions that result in additional

audit procedures. The nature of the communications about fraud made to

management, the audit committee, and others.

The auditor should document: Discussions among engagement personnel. Procedures performed to identify and assess the risks

of material misstatement due to fraud. Risks of identified material misstatement due to fraud

and a description of the auditor’s response to the risks. Fraud risks or other conditions that result in additional

audit procedures. The nature of the communications about fraud made to

management, the audit committee, and others.

LO# 9

4-27

Communications about Fraud

If the auditor decides fraud may exist, it should be brought to the attention of management. Fraud involving senior management or that causes a material misstatement of the financial statements should be reported to the audit committee.

As with Illegal Acts, if the company is publicly held, and does not promptly disclose a material misstatement of the financial statements to the SEC, the auditor must do so.

The auditor must disclose fraud to a successor auditor.

The auditor must disclose fraud if ordered to do so by a court (subpoena).

If the auditor decides fraud may exist, it should be brought to the attention of management. Fraud involving senior management or that causes a material misstatement of the financial statements should be reported to the audit committee.

As with Illegal Acts, if the company is publicly held, and does not promptly disclose a material misstatement of the financial statements to the SEC, the auditor must do so.

The auditor must disclose fraud to a successor auditor.

The auditor must disclose fraud if ordered to do so by a court (subpoena).

LO# 10

4-28

End of Chapter 4

4-29