risk-based approaches materiality planning internal control

The Risk Based The Risk Based The Risk Based The Risk Based Approaches to AuditApproaches to AuditApproaches to AuditApproaches to Audit

Audit riskAudit riskAudit riskAudit risk: “ The auditor obtains and evaluates evidence to

obtain reasonable assurancereasonable assurancereasonable assurancereasonable assurance about whether the financial statements give a true and fair view (or are presented fairly in all material respects) in accordance with the applicable financial reporting framework. The concept of reasonable assurance The concept of reasonable assurance The concept of reasonable assurance The concept of reasonable assurance acknowledges that there is a risk the audit acknowledges that there is a risk the audit acknowledges that there is a risk the audit acknowledges that there is a risk the audit opinion is inappropriate.opinion is inappropriate.opinion is inappropriate.opinion is inappropriate. The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated is known as known as known as known as ““““audit riskaudit riskaudit riskaudit risk””””.”

(ISA 200, 14)

Acceptable audit risk:Acceptable audit risk:Acceptable audit risk:Acceptable audit risk: “ The auditor should plan and perform the audit to reduce audit risk to an acceptably an acceptably an acceptably an acceptably low levellow levellow levellow level that is consistent with the objective of an audit. … Reasonable assuranceReasonable assuranceReasonable assuranceReasonable assurance is obtained when the auditor has reduced audit risk to an acceptably low level.

(ISA 200, 15)

A risk based approachA risk based approachA risk based approachA risk based approach:::: “The auditor performs audit procedures to assess performs audit procedures to assess performs audit procedures to assess performs audit procedures to assess

the risk of material misstatement and seeks to the risk of material misstatement and seeks to the risk of material misstatement and seeks to the risk of material misstatement and seeks to limit detection risk by performing further audit limit detection risk by performing further audit limit detection risk by performing further audit limit detection risk by performing further audit procedures based on that assessment.procedures based on that assessment.procedures based on that assessment.procedures based on that assessment. The audit process involves the the exercise of professional judgment in designing the audit approach, through focusing on what can go wrong at the assertion focusing on what can go wrong at the assertion focusing on what can go wrong at the assertion focusing on what can go wrong at the assertion level and performing audit procedures in level and performing audit procedures in level and performing audit procedures in level and performing audit procedures in response to the assessed risksresponse to the assessed risksresponse to the assessed risksresponse to the assessed risks in order to obtain sufficient appropriate evidence.”

(ISA, 200, 16)

Audit risk - the componentsAudit risk - the componentsAudit risk - the componentsAudit risk - the components (ISA 200):(ISA 200):(ISA 200):(ISA 200):

Inherent riskInherent riskInherent riskInherent risk Control risk

Risk of Material Misstatement Detection risk

Audit risk

Inherent riskInherent riskInherent riskInherent risk “ the susceptibility of an assertion to a

misstatement that could be material, either individually or when aggregated with other misstatements, assuming that there are no related controls.”

(ISA, 200, 20)

Inherent risk factors:Inherent risk factors:Inherent risk factors:Inherent risk factors:• Pervasive / entity levelPervasive / entity levelPervasive / entity levelPervasive / entity level

– Nature of the business, industry & economy.– The integrity, quality and experience of management.– Special pressures.

• Local / assertions levelLocal / assertions levelLocal / assertions levelLocal / assertions level – Complexity of transaction / calculation.– Judgement / estimation required.– Specific technological change / product obsolescence.– Assets susceptible to misappropriation.– Make up of population.– Non-routine transactions. – Related parties.


Inherent risk Control riskControl riskControl riskControl risk

Risk of Material Misstatement Detection risk

Audit risk

Control risk:Control risk:Control risk:Control risk: “ the risk that a misstatementthe risk that a misstatementthe risk that a misstatementthe risk that a misstatement that could

occur in an assertion and that could be material, either individually or when aggregated with misstatements, will not bewill not bewill not bewill not be prevented, or detected and corrected, on a prevented, or detected and corrected, on a prevented, or detected and corrected, on a prevented, or detected and corrected, on a timely basis, by the entitytimely basis, by the entitytimely basis, by the entitytimely basis, by the entity ’’’’ s internal s internal s internal s internal controlcontrolcontrolcontrol.”

(ISA, 200, 20) A function of both design & operation of controls.


Inherent risk Control risk

Risk of Material Misstatement Detection riskDetection riskDetection riskDetection risk

Audit risk

Detection riskDetection riskDetection riskDetection risk:::: “ the risk that auditor will not detect a the risk that auditor will not detect a the risk that auditor will not detect a the risk that auditor will not detect a

misstatement misstatement misstatement misstatement that exists in an assertion that could be material, either individually or when aggregated with other misstatements.”

(ISA, 200, 22)

• A function of the design and implementation of audit procedures: – Sampling risk – Design risk – Application risk – Interpretation risk

The The The The PwCPwCPwCPwC Approach Approach Approach Approach –––– identifying & identifying & identifying & identifying & responding to risk (2000)responding to risk (2000)responding to risk (2000)responding to risk (2000)

• TeamAsset … allows each audit team to build a tailored audit program from planning to completion stages by selecting client-specific risks from a “library” of risks. Each risk that is selected by the auditor for inclusion in the client audit file is linked to the identification of a set of suggested procedures at a given control risk level that will mitigate the identified risk.”

(Winograd, et al., (2000))

Risk assessment: structure & judgmentRisk assessment: structure & judgmentRisk assessment: structure & judgmentRisk assessment: structure & judgment “ Instead of viewing an audit as a series of closely

coordinated technical steps, it may be informative to view it as a social enterprise that relies on language and certain imbedded perspectives in order to understand the client organization and to make it understandable.

Our empirical findings strongly suggest that an audit firm ’ s philosophical position with respect to structure, influences what client characteristics audit team members see as important in assessing inherent risk.”

(Dirsmith & Haskins, “Inherent risk assessment & audit firm technology”, AOS, 1991, p.82)

ARARARAR IRIRIRIR CRCRCRCR DRDRDRDR= X X

The components of audit risk

AR - Audit risk AR - Audit risk AR - Audit risk AR - Audit risk DR - Detection riskDR - Detection riskDR - Detection riskDR - Detection riskIR - Inherent riskIR - Inherent riskIR - Inherent riskIR - Inherent riskCR - Control riskCR - Control riskCR - Control riskCR - Control risk

AARAARAARAAR IR CR PDRPDRPDRPDR= X X


AAR - Acceptable audit risk AAR - Acceptable audit risk AAR - Acceptable audit risk AAR - Acceptable audit risk PDR - Planned detection riskPDR - Planned detection riskPDR - Planned detection riskPDR - Planned detection riskIR - Inherent riskCR - Control risk

Planned Planned Planned Planned detection risk

• Determines the amount of substantivesubstantivesubstantivesubstantive evidence the auditor must plan to collect (inverse with size of PDR).

–DeterminedDeterminedDeterminedDetermined by other factors in model.

2%2%2%2% 50%50%50%50% 50%50%50%50% ?%?%?%?%= X X

AARAARAARAAR IRIRIRIR CRCRCRCR PDRPDRPDRPDR X X =

2%2%2%2% 50%50%50%50% 50%50%50%50% 8%8%8%8%= X X


2%2%2%2% 100%100%100%100% 100%100%100%100% 2%2%2%2%= X X


For a given level of audit risk, the greater the risk of material For a given level of audit risk, the greater the risk of material For a given level of audit risk, the greater the risk of material For a given level of audit risk, the greater the risk of material misstatement (IR x CR), the less detection risk can be accepted.misstatement (IR x CR), the less detection risk can be accepted.misstatement (IR x CR), the less detection risk can be accepted.misstatement (IR x CR), the less detection risk can be accepted.

LowLowLowLow HighHighHighHigh HighHighHighHigh LowLowLowLow= X X


Low PDR = High amount of substantive audit evidence requiredLow PDR = High amount of substantive audit evidence requiredLow PDR = High amount of substantive audit evidence requiredLow PDR = High amount of substantive audit evidence required

Quantifying the components of audit risk is highly problematicQuantifying the components of audit risk is highly problematicQuantifying the components of audit risk is highly problematicQuantifying the components of audit risk is highly problematic

AARAARAARAAR

IRIRIRIR CRCRCRCRPDRPDRPDRPDR ====

X


PDRPDRPDRPDR

====

5%5%5%5%

50%50%50%50% 40%40%40%40% X

PDRPDRPDRPDR 25%25%25%25%

====

AARAARAARAAR IRIRIRIR CRCRCRCR

PDRPDRPDRPDR

Materiality Materiality Materiality Materiality ||||

Tolerable Tolerable Tolerable Tolerable misstatementmisstatementmisstatementmisstatement

Planned Planned Planned Planned substantivesubstantivesubstantivesubstantive

auditauditauditaudit

Risk, materiality & substantive audit evidenceRisk, materiality & substantive audit evidenceRisk, materiality & substantive audit evidenceRisk, materiality & substantive audit evidence

Materiality:Materiality:Materiality:Materiality:• “Information is material if its omission could

influence the economic decisions of usersinfluence the economic decisions of usersinfluence the economic decisions of usersinfluence the economic decisions of users taken on the basis of the financial statements. …”

(ISA 320.3)

“The objective of an audit of financial statements is to enable the auditor to express an opinion whether the financial statements are prepared in all materialmaterialmaterialmaterial respects, in accordance with an applicable financial reporting framework. The assessment of what is The assessment of what is The assessment of what is The assessment of what is material is a matter of professional judgement.material is a matter of professional judgement.material is a matter of professional judgement.material is a matter of professional judgement.””””

(ISA 320.4)

Materiality - levels:Materiality - levels:Materiality - levels:Materiality - levels:

• Preliminary judgement of materiality at level of the overalloveralloveralloverall financial statements (ISA, 320, 7).

• Allocate materiality at level of overall financial statements to segments - tolerable tolerable tolerable tolerable misstatementmisstatementmisstatementmisstatement per segment (class of transactions, account balances, and disclosures) (ISA, 320, 7).

The assessment of materiality:The assessment of materiality:The assessment of materiality:The assessment of materiality:• Materiality is relative rather than absolute.

– Bases needed for materiality assessment.

• Both quantitative and qualitative factors affect materiality (ISA, 320, 5).

• The cumulative effects of errors (ISA, 320, 7).

• Legal & regulatory considerations relating to particular assertions / disclosures (ISA, 320, 7).– Different materiality levels may then apply to

different elements of the financial statements.

Enron - Andersen & MaterialityEnron - Andersen & MaterialityEnron - Andersen & MaterialityEnron - Andersen & Materiality• “While auditing Enron’s 1997 financial results,

Andersen proposed that the energy company make ‘adjustments’ that would have cut its annual income by almost 50 percent, to $54 million from $105 million … Enron chose not to make those adjustments and Andersen put its stamp of approval on the company’s financial report anyway.”

(Hilzenrath, D.S., (2001), Early Warnings of Trouble at Enron”, The Washington Post, December 30th.)

Enron - Andersen & MaterialityEnron - Andersen & MaterialityEnron - Andersen & MaterialityEnron - Andersen & Materiality• “In 1997, Enron had taken large nonrecurring

charges. When the company decided to pass these proposed adjustments, our audit team had to determine whether the company’s decision had a material impact on the financial statements. The question was whether the team should use reported income of $105 million, or should it also consider adjusted earnings before items that affect comparability - what accountants call “normalized” income?”

(Bernadino, J.F., (2001), Remarks before the Committee on Financial Services of the US Representatives)

Enron Financia l Data & Materia lity Rules of ThumbEnron Financia l Data & Materia lity Rules of ThumbEnron Financia l Data & Materia lity Rules of ThumbEnron Financia l Data & Materia lity Rules of Thumb

1997 1994-97$M $M

5% of net income 5.255.255.255.25 20.7820.7820.7820.7810% of net income 10.5010.5010.5010.50 41.5541.5541.5541.551% of total assets 234.22 161.911.5% of total assets 352.33 242.871% of Sales revenue 202.73 129.341.5% of Sales revenue 304.10 194.01Conservative blend 147.40 104.01non-conservative blend 221.98 159.48

5% of net income + 1997 non-recurring loss 28.428.428.428.4 26.5626.5626.5626.5610% of net income + 1997 non-recurring loss 56.8 53.13

Internal ControlInternal ControlInternal ControlInternal Control

Internal Control:Internal Control:Internal Control:Internal Control: “ is the process designed and effected by those

charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reportingreliability of financial reportingreliability of financial reportingreliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.”

(ISA, 315, 42)

Auditor concernsAuditor concernsAuditor concernsAuditor concerns

“The auditor should obtain an understanding of internal control relevant to the audit. The auditor uses understanding of internal control to identify types of potential misstatements, consider factors that affect the risks of material misstatements, and design the nature, timing, and extent of further audit procedures.”

(ISA, 315, 41)

Elements of Internal ControlElements of Internal ControlElements of Internal ControlElements of Internal Control

The control environmentThe control environmentThe control environmentThe control environment

The EntityThe EntityThe EntityThe Entity’’’’ssssriskriskriskrisk

assessmentassessmentassessmentassessment

The informationThe informationThe informationThe informationsystemsystemsystemsystem

Control Control Control Control activitiesactivitiesactivitiesactivities

MonitoringMonitoringMonitoringMonitoringofofofof

controlscontrolscontrolscontrols

ISA, 315, 43ISA, 315, 43ISA, 315, 43ISA, 315, 43

The control environmentThe control environmentThe control environmentThe control environment (ISA 315, 67-69): • Governance & management philosophy,

attitudes, awareness & action in respect of controls.– Communication and enforcement of integrity &

ethical values. – Methods of imposing control, including board &

internal audit functions. – Commitment to competence - personnel policies &

practices.– Organisational structure & methods of assigning

authority & responsibility (including segregation of duties and supervisory controls).

Elements of Internal ControlElements of Internal ControlElements of Internal ControlElements of Internal Control

The control environmentThe control environmentThe control environmentThe control environment

The EntityThe EntityThe EntityThe Entity’’’’ssssriskriskriskrisk

assessmentassessmentassessmentassessment

The informationThe informationThe informationThe informationsystemsystemsystemsystem

Control Control Control Control activitiesactivitiesactivitiesactivities

MonitoringMonitoringMonitoringMonitoringofofofof

controlscontrolscontrolscontrols

The EntityThe EntityThe EntityThe Entity’’’’s Risk Assessment Processs Risk Assessment Processs Risk Assessment Processs Risk Assessment Process

“The auditor should obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.”

(ISA, 315, 76)

Information System, Information System, Information System, Information System,

“The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, …”

(ISA, 315, 81)

Control Activities Control Activities Control Activities Control Activities

“The auditor should should obtain a sufficient understanding of control activities to assess the risks of material misstatements at the assertion level and to design further audit procedures responsive to assessed risks.

(ISA, 315, 90)

Monitoring Monitoring Monitoring Monitoring

“The auditor should obtain an understanding of the major types of activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates corrective action to its controls.”

(ISA, 315, 96)

Steps to reliance on controlSteps to reliance on controlSteps to reliance on controlSteps to reliance on control

Preliminary review of accounting system & control environment

Is reliance on controls potentially possible and efficient ?

Assume high control risk, and move on to planning

substantive testing

Understand & document internal control: design and operation

NO YES

Assess control risk

Test controls

Decide planned detection riskand substantive tests

Is reliance on internal control feasible ? Is reliance on internal control feasible ? Is reliance on internal control feasible ? Is reliance on internal control feasible ? –––– Relevance to financial statement assertionsRelevance to financial statement assertionsRelevance to financial statement assertionsRelevance to financial statement assertions • Existence• Rights & Obligations• Occurrence• Completeness• Valuation & allocation• Measurement, accuracy & cut-off• Classification, presentation & disclosure (ISA, 500, 17)

Transaction Related Assertions & Objectives: SalesTransaction Related Assertions & Objectives: SalesTransaction Related Assertions & Objectives: SalesTransaction Related Assertions & Objectives: SalesM a n a g e m e n tM a n a g e m e n tM a n a g e m e n tM a n a g e m e n ta s s e r t i o n sa s s e r t i o n sa s s e r t i o n sa s s e r t i o n s

S p e c i f i c a u d i t o b j e c t i v e sS p e c i f i c a u d i t o b j e c t i v e sS p e c i f i c a u d i t o b j e c t i v e sS p e c i f i c a u d i t o b j e c t i v e s

O c c u r r e n c eO c c u r r e n c eO c c u r r e n c eO c c u r r e n c e R e c o r d e d s a l e s a r e f o r d i s p a t c h e sm a d e t o r e a l c u s t o m e r s

C o m p l e t e n e s sC o m p l e t e n e s sC o m p l e t e n e s sC o m p l e t e n e s s A l l s a l e s t r a n s a c t i o n s a r e r e c o r d e dM e a s u r e m e n tM e a s u r e m e n tM e a s u r e m e n tM e a s u r e m e n t S a l e s a r e r e c o r d e d a t p r o p e r

a m o u n t a n d a l l o c a t e d t o t h e c o r r e c tp e r i o d .R e c o r d e d s a l e s a r e f o r t h e a m o u n to f g o o d s d i s p a t c h e d , c o r r e c t l yb i l l e d & r e c o r d e d .S a l e s t r a n s a c t i o n s a r e p r o p e r l yc l a s s i f i e d .S a l e s t r a n s a c t i o n s a r e r e c o r d e d o nc o r r e c t d a t e s .

P r e s e n t a t i o nP r e s e n t a t i o nP r e s e n t a t i o nP r e s e n t a t i o n& d i s c l o s u r e& d i s c l o s u r e& d i s c l o s u r e& d i s c l o s u r e

S e g m e n t a l a n a l y s i s i s p r o p e r l yc o m p i l e d a n d d i s c l o s e d .

Understand & documentUnderstand & documentUnderstand & documentUnderstand & document internal control: design and operation

• Evaluate previous experience. • Inquiry of client - various levels, note

developments. • Review client's policy and system

documentation.• Examine documents & records.• Observe activities.• Transaction walk through.

Understand & documentUnderstand & documentUnderstand & documentUnderstand & document internal control: design and operation

• Narrative.• Flowchart.• Internal control questionnaire.

Internal control questionnaire: SalesInternal control questionnaire: SalesInternal control questionnaire: SalesInternal control questionnaire: Sales Recorded sales are for goods dispatched to Recorded sales are for goods dispatched to Recorded sales are for goods dispatched to Recorded sales are for goods dispatched to

real customers (occurrence):real customers (occurrence):real customers (occurrence):real customers (occurrence):• Is the recording of sales supported by authorized

dispatch documents and approved customer orders?

• Is customer credit approved by a responsible person and is access to alter credit limit files restricted?

• Is a prenumbered written dispatch note required before any goods leave store?

Internal control questionnaire: SalesInternal control questionnaire: SalesInternal control questionnaire: SalesInternal control questionnaire: Sales

All existing sales transactions are recorded All existing sales transactions are recorded All existing sales transactions are recorded All existing sales transactions are recorded ((((completennesscompletennesscompletennesscompletenness):):):):

• Is a record of dispatches maintained?

• Are dispatch documents controlled in a way that helps ensure that all dispatches are billed?

• Are dispatch documents prenumbered and accounted for?

• Are sales invoices prenumbered and accounted for?


Recorded sales are for the amount of goods Recorded sales are for the amount of goods Recorded sales are for the amount of goods Recorded sales are for the amount of goods dispatched and are correctly billed and dispatched and are correctly billed and dispatched and are correctly billed and dispatched and are correctly billed and recorded (measurement):recorded (measurement):recorded (measurement):recorded (measurement):

• Is there independent comparison of quantities on dispatch notes and on sales invoices?

• Is an authorized price list used and is access to amend the price list restricted?

• Are monthly statements sent to customers?

• Is there independent comparison of dates on dispatch documents and dates of recorded sales?


Recorded sales are correctly classified Recorded sales are correctly classified Recorded sales are correctly classified Recorded sales are correctly classified (presentation & disclosure):(presentation & disclosure):(presentation & disclosure):(presentation & disclosure):

• Is there independent comparison of sales and the chart of accounts?

and so on

Assess control riskAssess control riskAssess control riskAssess control risk

• Specify audit objectives

• Identify specific controls - key controls.

• Identify control weaknesses.

• Assess control risk.

• Report – appropriately

Tests of controls:Tests of controls:Tests of controls:Tests of controls:

“ The auditor selects audit procedures to obtain assurance about the operating effectiveness of controls. As planned level of assurance increases, the auditor seeks more reliable audit evidence.”

(ISA, 500, 28)

Compliance tests of internal controlompliance tests of internal controlompliance tests of internal controlompliance tests of internal control

• Inquiries at appropriate levels.• Examine documentation, reports records.• Observe activities.• Re-perform procedures.

Compliance versus Substantive testsCompliance versus Substantive testsCompliance versus Substantive testsCompliance versus Substantive tests

Distinction one of motive.• Is a control working ?• Is there error in an account balance ?

Consider cases of failure of internal control:Consider cases of failure of internal control:Consider cases of failure of internal control:Consider cases of failure of internal control:

• For example, the collapse of Barings Bank (1995):– Lack of segregation of duties: Leeson (the rogue trader)

controlled both front and back office – dealing and settlement.

• Internal Audit noted issues in 1994• External auditors noted problems early 1995

– Personnel selection

– Weak supervision / ethos• Lack of understanding of business & controls• Acceptance of excuses / feeble explanations• High risk-taking incentivized• Weak IT system (account 88888 & so on)

Consider cases of failure of internal control:Consider cases of failure of internal control:Consider cases of failure of internal control:Consider cases of failure of internal control:• For example, Equity Funding Corporation of

America (1973).– Goldblum, inflating revenue and assets to sustain share

price to fuel expansion programme (1965 – 1973):• 64,000 insurance policies with a face value of $2 billion had

been falsified, sold on under reinsurance arrangements

– Flagrant non-application / failure of ICs• From top down – including massive collusion

– Auditors didn’t notice (independence compromised)• had inadequately checked controls• allowed time for “parties” to create documents!• Hadn’t even noticed by scale (analytic review)

– 22 people charged

Audit planning Audit planning Audit planning Audit planning ––––

understanding the understanding the understanding the understanding the clientclientclientclient

Audit Planning:Audit Planning:Audit Planning:Audit Planning:• Adequate planning helps to ensure that

appropriate attention is devoted to important areas of the audit, that potential problems are identified and resolved on a timely basis and that the audit engagement is properly organized and managed in order to be performed in an effective effective effective effective and efficient efficient efficient efficient manner.

(ISA, 300, 4)

Audit Planning Audit Planning Audit Planning Audit Planning –––– stages: stages: stages: stages:

1 Preliminary engagement activities.Preliminary engagement activities.Preliminary engagement activities.Preliminary engagement activities.

2 Understand the entity & its environment - make an assessment of risks.

3 Develop overall audit plan and program of tests (compliance & substantive).

1. 1. 1. 1. Preliminary engagement activitiesPreliminary engagement activitiesPreliminary engagement activitiesPreliminary engagement activities

• Establish client's reasons for the audit.

• Consider acceptance & retention.

• Clarify / specify the terms of engagement.

• Staff the engagement.

Consider Acceptance & Retention: Consider Acceptance & Retention: Consider Acceptance & Retention: Consider Acceptance & Retention:

• “the engagement partner should be satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and specific audit engagements have been followed, and that conclusions reached in this regard are appropriate and have been documented.”

(ISA, 220, para.14)

Consider Acceptance & Retention:Consider Acceptance & Retention:Consider Acceptance & Retention:Consider Acceptance & Retention: New clients issues:New clients issues:New clients issues:New clients issues:• Communication with predecessor:

– If client refuses permission for existing auditor to communicate, the audit should be refused.

• Communicate with third parties.• Excessive risks? (low acceptable audit risk - high fee)....

Continuing client issues (consider changes):Continuing client issues (consider changes):Continuing client issues (consider changes):Continuing client issues (consider changes):• Previous conflicts (on opinion or fees)? - Integrity of

management?• Independence compromised - law suits, outstanding fees?• Excessive risk?

Consider Acceptance & Retention:Consider Acceptance & Retention:Consider Acceptance & Retention:Consider Acceptance & Retention:

PwCPwCPwCPwC & client acceptability & client acceptability & client acceptability & client acceptability • At a simplified level, FRISK determines the

acceptability of clients by reviewing quantitative information (e.g., Z-scores, credit analyses), qualitative business information (e.g., company information and management information), financial-reporting information (e.g., incentive-plans, controls) and recent audit results. Together, risks are identified in each of these areas and sophisticated sophisticated sophisticated sophisticated algorithimsalgorithimsalgorithimsalgorithims, developed , developed , developed , developed by by by by PwCPwCPwCPwC based on past experience, are used to based on past experience, are used to based on past experience, are used to based on past experience, are used to determine whether to accept or continue the client.determine whether to accept or continue the client.determine whether to accept or continue the client.determine whether to accept or continue the client.

(Winograd, et.al., (2000))

Clarify/specify the terms of engagementClarify/specify the terms of engagementClarify/specify the terms of engagementClarify/specify the terms of engagement

Obtain an Engagement LetterObtain an Engagement LetterObtain an Engagement LetterObtain an Engagement Letter “The engagement letter documents and confirms the

auditor ’ s acceptanceacceptanceacceptanceacceptance of the appointment, the objectiveobjectiveobjectiveobjective and scopescopescopescope of the audit, the extent of the auditor’s responsibilitiesresponsibilitiesresponsibilitiesresponsibilities to the client and the form of any reports.”

(ISA, 210, 5)

Consider staffing of the engagement:Consider staffing of the engagement:Consider staffing of the engagement:Consider staffing of the engagement: “The engagement partner should be satisfied

that the engagement team collectively has the appropriate capabilities, competence and timecapabilities, competence and timecapabilities, competence and timecapabilities, competence and time to perform the audit engagement in accordance with professional standards and regulatory and legal requirements, and to enable an auditor’s report that is appropriate in the circumstances to be issued.”

(ISA, 220, 19)

Audit Planning Audit Planning Audit Planning Audit Planning –––– stages: stages: stages: stages:

1 Preliminary engagement activities

2 Understand the entity & its environment - Understand the entity & its environment - Understand the entity & its environment - Understand the entity & its environment - make an assessment of risks:make an assessment of risks:make an assessment of risks:make an assessment of risks:

3 Develop overall audit plan and program of tests (compliance & substantive).

Understand the entity & its environment:Understand the entity & its environment:Understand the entity & its environment:Understand the entity & its environment:

• “The auditor should obtain an understandingobtain an understandingobtain an understandingobtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures.”

(ISA, 315, 2)

Understand the entity & its environment:Understand the entity & its environment:Understand the entity & its environment:Understand the entity & its environment:

“The auditor should perform the following risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control:

a Inquiries of management and others within the entity;

b Analytical procedures; andc Observation and inspection.

(ISA, 315, 7)

a. Inquiries of management and others a. Inquiries of management and others a. Inquiries of management and others a. Inquiries of management and others within the entity:within the entity:within the entity:within the entity:

“Although much of the information the auditor obtains by inquiries can be obtained from management and those responsible for financial reporting, inquiries of others within the entity, such as production and internal audit personnel, and other employees with different levels of authority, may be useful in providing the auditor with a different perspective in identifying risks of material misstatement.

(ISA, 315, 9)

b. Preliminary analytical reviewb. Preliminary analytical reviewb. Preliminary analytical reviewb. Preliminary analytical review

“The auditor should apply analytical procedures as risk assessment proceduresrisk assessment proceduresrisk assessment proceduresrisk assessment procedures to obtain an understanding of the entity and its environment and in the overall review at the end of the audit. Analytical procedures may also be applied as substantive proceduressubstantive proceduressubstantive proceduressubstantive procedures.”

(ISA, 520, 2)

b. Preliminary analytical review b. Preliminary analytical review b. Preliminary analytical review b. Preliminary analytical review

Types of analytical proceduresTypes of analytical proceduresTypes of analytical proceduresTypes of analytical procedures • Compare client & industry data / ratios.• Compare with prior periodprior periodprior periodprior period data / ratios.• Compare with client's expected results.expected results.expected results.expected results.• Compare with auditor estimates / expectations.• Consider relationships among financial and financial and financial and financial and

relevant non-financialrelevant non-financialrelevant non-financialrelevant non-financial information that would be expected to conform to a predictable patterns.

• TechniquesTechniquesTechniquesTechniques range from simple comparisons to complex statistical analysis.

c. Observation and inspection: c. Observation and inspection: c. Observation and inspection: c. Observation and inspection:

“may support inquiries of management and others, and also provide information about the entity and its environment.” (ISA, 315, 11)

Preliminary determination of risks of Preliminary determination of risks of Preliminary determination of risks of Preliminary determination of risks of material misstatement.material misstatement.material misstatement.material misstatement.

• “The auditor should identify and assess the risks of material misstatement at the financial statement level, and at the the assertion level for classes of transactions, account balances, and disclosures.”

(ISA, 315, 100)

Preliminary determination of risks of Preliminary determination of risks of Preliminary determination of risks of Preliminary determination of risks of material misstatement.material misstatement.material misstatement.material misstatement.

• “Complete the strategic phase of the audit … : – Determination of materiality levels.– Preliminary identification of areas where there may be

high risk of material misstatement.– Preliminary identification of material components and

account balances,– Evaluation of where the auditor may plan to obtain

evidence regarding the effectiveness of internal controls.– Identification of recent significant entity-specific,

industry, financial reporting or other relevant developments”.

(ISA 300, 9) (ISA 300, 9) (ISA 300, 9) (ISA 300, 9)

The Evolution of AuditThe Evolution of AuditThe Evolution of AuditThe Evolution of Audit• Transaction based audit.• Systems audit.• Risk based audit.

– Understanding the client’s business and industry. – Identification of audit risks through analytical review.– Assessment of reliance that can be placed on internal

controls. – Drawing evidence from a wide variety of sources.– Focussing audit effort on areas where risks are Focussing audit effort on areas where risks are Focussing audit effort on areas where risks are Focussing audit effort on areas where risks are

greatest.greatest.greatest.greatest.

The Evolution of Audit The Evolution of Audit The Evolution of Audit The Evolution of Audit responsive to:

• Commercial pressures – cost-cutting & “added value”.

• Legal environment.• Still in progress:

– Emphasis on client strategic & business riskstrategic & business riskstrategic & business riskstrategic & business risk (as distinct from narrow focus on audit risk), see

– “The Audit Implosion: regulating risk from the inside” (Mike Power, 2000).

– The impact of Enron.

The Business risk approach:The Business risk approach:The Business risk approach:The Business risk approach:• Focus on the Business risk - the risk that the entity

will fail to achieve its objectives:– profitability, market share, wealth, governance, etc,

• A way of adding value.• Justifiable because business risk bears on the

financial statements & on audit risk (sometimes only indirectly of course).

• May increase audit efficiency / profitability.• May reduce the auditor’s own business /

engagement risk - through improved knowledge of client viability, etc.

KPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) Approach

• “Serious thoughtSerious thoughtSerious thoughtSerious thought, formal analysis of an entity’s strategy, and whether it can be achieved have not been financial statement audit steps. KPMG’s Business Measurement Process (BMP) approach makes common this type of thoughtful analysis. The viability of a businessThe viability of a businessThe viability of a businessThe viability of a business is formally considered, and it provides a basis for forming expectations about what should be the financial-statement balances for the audit period. If an entity has a viable If an entity has a viable If an entity has a viable If an entity has a viable strategy, reasonable plans, effective internal control, strategy, reasonable plans, effective internal control, strategy, reasonable plans, effective internal control, strategy, reasonable plans, effective internal control, and account balances that are close to expectations, and account balances that are close to expectations, and account balances that are close to expectations, and account balances that are close to expectations, then the need for detailed auditing is limited to then the need for detailed auditing is limited to then the need for detailed auditing is limited to then the need for detailed auditing is limited to exceptional itemsexceptional itemsexceptional itemsexceptional items.”

(Kinney, 1997)

KPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) Approach

• “Similar to a traditional auditor, the BMP auditor is Similar to a traditional auditor, the BMP auditor is Similar to a traditional auditor, the BMP auditor is Similar to a traditional auditor, the BMP auditor is concerned about assessing the three components of concerned about assessing the three components of concerned about assessing the three components of concerned about assessing the three components of audit risk - inherent, control and detection risk. The audit risk - inherent, control and detection risk. The audit risk - inherent, control and detection risk. The audit risk - inherent, control and detection risk. The BMP auditor, however grounds his judgments in a BMP auditor, however grounds his judgments in a BMP auditor, however grounds his judgments in a BMP auditor, however grounds his judgments in a much broader view of the clientmuch broader view of the clientmuch broader view of the clientmuch broader view of the client than does an auditor following a transaction-detail audit approach. He uses more holistic perspectives to frame the assessment of the validity of the financial statements taken as a whole, and the account balances contained therein.”

(Bell, et.al., (1997))

KPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) Approach • “The traditional “risk-based” audit focuses the auditor’s

assessment of risk through a narrow ““““accounting lensaccounting lensaccounting lensaccounting lens”””” - a lens that directs his attention and his related assessment and testing activities, to the nature of account balances, classes of transactions, and properties of the client’s accounting system for the purpose of assessing the risk that financial-statement assertions are materially misstated. We believe that this We believe that this We believe that this We believe that this disaggregativedisaggregativedisaggregativedisaggregative, , , , ““““bottom-upbottom-upbottom-upbottom-up”””” focus can inhibit the auditor focus can inhibit the auditor focus can inhibit the auditor focus can inhibit the auditor’’’’s s s s development of the level of business understanding development of the level of business understanding development of the level of business understanding development of the level of business understanding needed to effectively judge financial-statement needed to effectively judge financial-statement needed to effectively judge financial-statement needed to effectively judge financial-statement assertionsassertionsassertionsassertions.”

(Bell, et.al., (1997))

KPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) ApproachKPMG Business Measurement Process (BMP) Approach “A proposed knowledge acquisition framework for risk-A proposed knowledge acquisition framework for risk-A proposed knowledge acquisition framework for risk-A proposed knowledge acquisition framework for risk-

based strategic-systems audit:based strategic-systems audit:based strategic-systems audit:based strategic-systems audit:1 Understand the client’s strategic advantage.2 Understand the risks that threaten attainment of client business

objectives.3 Understand the key processes and related competencies needed to

realize strategic advantage.4 Measure and benchmark process performance5 Document the understanding of the client’s ability to create value

and generate future cash flows using a client business model, process analyses, key performance indicators, and a business risk profile.

6 Use the comprehensive business knowledge decision frame to develop expectations about key assertions embodied in the overall financial statements.

7 Compare reported financial results to expectations and design additional audit test work …”

(Bell, et.al., (1997))

The The The The PwCPwCPwCPwC Approach (2000) Approach (2000) Approach (2000) Approach (2000)• “In today’s environment, an effective audit has to be

knowledge-based and industry-focused. One of the fundamental concepts of the PwCAA methodology is to develop a better understanding of our clientunderstanding of our clientunderstanding of our clientunderstanding of our client’’’’s s s s business by looking at the business through business by looking at the business through business by looking at the business through business by looking at the business through ““““managementmanagementmanagementmanagement’’’’s eyes.s eyes.s eyes.s eyes.”””” We seek to understand management’s business objectives, not just financial objectives, to increase shareholder value, to identify the significant risks that may prevent management from achieving its business objectives and to identify related controls …”

(Winograd, et.al., (2000))

The Business risk approach:The Business risk approach:The Business risk approach:The Business risk approach:

• Please refer to papers in the special section of Accounting, Organizations and Society, 2007, Vol.32, No.4-5.

– “SSA was an appropriate and necessary means of enhancing audit quality in the 1990s, and it is all the more so today”

(Peecher et al, AOS, 2007, vol.32, p.464)

The Business risk approach:The Business risk approach:The Business risk approach:The Business risk approach:• “Bell et al. (2002, p. 8) argue that ‘‘[p]erhaps the most

important principle giving rise to the need for SSA is the strong relation between RMM and the auditee’s business risks.’’ … When … business risks increase or spike, it generally becomes more difficult for entity management to estimate how to fairly depict select entity business states within financial-statement representations. And, at the same time, management generally faces greater temptation to optimistically distort their business-state representations. Thus, shifts in business risks have audit risk implications.”

(Peecher et al, AOS, 2007, vol.32, p.474)

The Business risk approach:The Business risk approach:The Business risk approach:The Business risk approach:• “Is the Development of SSA an attempt to enhance

auditor’s reputations by ‘‘borrowing’’ prestige from consultants?”

• “Is SSA an attempt to expand the sale of non-audit advisory services rather than to improve audit quality?”

• “Are too few substantive tests of details performed under SSA?”

• “What do we know about economic (cost) considerations under SSA?”

(Peecher et al, AOS, 2007, vol.32, p.479-481)

risk-based approaches materiality planning internal control

Documents