1. Chapter 4 Audit Risk and Business Risk
2. Define the Nature of Risk
- In this chapter, we identify four critical components of risk
that affect the audit approach and audit outcome
- Enterprise risk - those that affect the operations and potential
outcomes of organization activities
- Engagement risk - comes with association with a specific
client
- Financial reporting risk - those that relate directly to the
recording of transactions and the presentation of the financial
statements
- Audit risk - risk an auditor may provide an unqualified opinion
on financial statements that are materially misstated
- Each of these components can be managed
- The effectiveness of risk management processes will determine
whether the company continues to exist
3. Enterprise Risk Management (ERM)
- "process effected by an entity's board of directors, management
and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect
the entity, and manage risks to within its risk appetite, to
provide reasonable assurance regarding the achievement of entity
objectives."
4. Enterprise Risk Management (ERM) (Continued)
- Risk management environment: management culture and attitude
towards risk
- Event identification: of events that may affect organization's
ability to implement strategies or achieve objectives
- Risk assessment: to determine response
- Control activities: policies and procedures designed to reduce
risks and to assure management's directives and strategies are
implemented
- Information and communication
- An effective ERM process within an organization is designed to
provide assurance that risks are identified, understood, and
addressed
5. Discuss Organizational Risk Responses
- Once risk has been identified and assessed, an organization has
four choices:
- Share or transfer the risk
- Diversify against or avoid the risk
- Depending on the circumstances, each of these may be an
acceptable approach to manage risk
6. Review Risk Factors Affecting the Audit
- Risk auditors incur by being associated with a particular
client
- Risk is high whenever there is increased likelihood that
- Auditor is associated with a failed client
- Financial statements contain material misstatement that the
auditor fails to find
- These conditions increase the likelihood that the auditor will
be sued
- Client Acceptance or Retention Decision
- Perhaps the most important audit decision
- A number of factors affect this decision, but most important
involve
- Quality of the client's corporate governance
- Client's financial health
7. Discuss Risk Factors Affecting the Audit - Corporate
Governance & Client Acceptance
- The key factors an auditor will analyze include
- Independence and competence of the audit committee and
board
- Quality of ERM and controls
- Regulatory and reporting requirements
- Participation of key stakeholders
- Existence of related party transactions
8. Risk Factors Affecting the Audit - Financial Health of the
Organization
- There are a number of reasons why the auditor needs to evaluate
a potential client's financial health:
- The auditor will most likely be sued if a client declares
bankruptcy
- Investors and creditors who have lost money will look for
recovery
- Attorneys will claim the financial statements were misstated
and the auditors should have known they were misstated
- The auditor also needs to understand the financial health in
order to:
- Assess management's motivation to misstate the financial
statements
- Identify areas that are likely to be misstated
- Identify account balances that appear unusual
9. Risk Factors Affecting the Audit - Other Factors Affecting
Engagement Risk
- The auditor should evaluate the company's economic prospects to
help ensure that
- Important areas will be investigated
- The company will likely stay in business
- High-risk companies are generally characterized by
- Lack of long-run strategic and operational plans
- Low cost entry into the market
- Dependence on limited product offerings
- Dependence on technology subject to obsolescence
- Instability of future cash flows
- History of questionable accounting practices
- Previous inquiries by the SEC or other regulatory agencies
10. Review Risk Factors Affecting the Audit - Financial
Reporting Risk
- Financial reporting risk is influenced by
- The company's financial health
- The quality of the company's internal controls
- The complexity of the company's transactions and financial
reporting
- Management's motivation to misstate the financial
statements
- These factors are interrelated
- The auditor will gather information on these issues through
reviews of previous audits, or by talking with the predecessor
auditor
11. Accepting New Clients: Auditing Standards on Auditor
Changes
- SAS 84 requires a successor auditor to initiate discussions
with the predecessor to discuss the reasons for the change in
auditors
- Because of the confidentiality rule, the successor must first
obtain client permission to talk with the predecessor
- The successor is particularly interested in factors that bear
on
- Disagreements with management on any substantive auditing or
accounting issues
- The predecessor's understanding of the reasons for the
change
- Any communications between the predecessor and management or
audit committee regarding fraud, illegal acts or internal control
matters
12. Discuss Accepting New Clients: Engagement Letter
- The auditor and client should have a mutual understanding of
the audit process
- The auditor should prepare an engagement letter to clarify the
responsibilities and expectations of each party, and to summarize
and document this understanding including the
- Nature of the services to be provided
- Expected fees and basis on which they will be billed (fixed
fee, hourly rates)
- Auditor responsibilities including the search for fraud
- Client responsibilities including preparing information for the
audit
- Need for any other services to be performed by the firm
13. Define Materiality
- The auditor is expected to plan and perform an audit that
provides reasonable assurance that material misstatements will be
detected
- The FASB defines materiality as the
- "magnitude of an omission or misstatement of accounting
information that, in light of surrounding circumstances, makes it
probable that the judgment of a reasonable person relying on the
information would have been changed or influenced by the omission
or misstatement"
- Materiality has three significant dimensions:
- Size of the misstatement (dollar amount)
- Circumstances - some things are viewed more critically than
others
- User impact - impact on potential users and the type of
judgments made
14. Comment on Materiality
- Determination of materiality is situation specific
- Although this makes determination more difficult, it allows the
auditor to adjust the rigor of the audit to reflect the risk of
the engagement
- The lower the dollar amount of set materiality, the more
rigorous the examination
- Most firms have guidelines for setting materiality
- Guidelines usually involve applying percentages to some
base
- Guidelines may also be based on nature of the industry or other
factors
- Auditors initially set planning materiality for the statements
as a whole, and then allocate this to individual accounts based on
their susceptibility to misstatement
15. Define Audit Risk
- Audit risk is the risk that an auditor may issue an unqualified
opinion on materially misstated financial statements
- The auditor assesses engagement risk first, then sets audit
risk
- Audit risk is inversely related to engagement risk
- If the auditor accepts a client with high engagement risk
- The auditor must conduct a more rigorous audit
- The auditor does this by setting audit risk at a low
level
- If the auditor accepts a client with low engagement risk
- The auditor will set audit risk at a higher level
16. Review Audit Risk & Materiality
- Audit risk and engagement risk relate to factors that might
encourage someone to challenge the auditor's work
- For example, transactions that might not be material to a
"healthy" company might be material to financial statement users
for a company on the brink of bankruptcy
- The following factors help integrate the concepts of risk and
materiality:
- All audits involve sampling and cannot provide 100 percent
assurance
- Auditors must compete in an active marketplace for clients
- Auditors need to understand society's expectations of financial
reporting and the audit process
- Auditors must identify the risky areas of a business to
determine which accounts are more susceptible to material
misstatement
- Auditors need to develop methodologies to allocate overall
assessments of materiality to individual account balances
17. Review the Audit Risk Model
- The auditor sets desired audit risk based on assessed
engagement risk
- The audit risk model allows the auditor to consider the
following:
- Complex or unusual transactions are more likely to be recorded in
error than are simple or recurring transactions
- Management may be motivated to misstate earnings or assets
- Better internal controls mean a lesser likelihood of
misstatement
- The amount and persuasiveness of audit evidence gathered should
vary directly with the likelihood of material misstatements
18. Explain the Audit Risk Model
- Inherent Risk - Susceptibility of transactions to be recorded in
error
- Inherent risk is higher for some items:
- Complex transactions are more likely to be misstated than
simple transactions
- Estimated balances are more likely to be misstated than fact-based
balances
- The auditor assesses inherent risk
- Control Risk - Risk client controls will fail to prevent or
detect a misstatement
- The quality of controls often varies between classes of
transactions
- The auditor assesses control risk
19. Explain the Audit Risk Model (Continued)
- Environment Risk - inherent and control risks combined
- Reflects the likelihood of material misstatements
occurring
- Detection risk - risk audit procedures will fail to detect
material misstatements
- Relates to the effectiveness of audit procedures and their
application
- Detection risk is controlled by the auditor and is an integral
part of audit planning
- The level of detection risk set directly determines the rigor
of the substantive audit work performed
20. Audit Risk Model
- Audit risk is set inversely to the assessed level of engagement
risk
- After audit risk is set, the auditor assesses inherent and
control (environment) risks
- The auditor sets detection risk INVERSELY to environment
risk
- For example, if the auditor is examining transactions with high
inherent risk, or weak controls, the auditor will set a low
detection risk
- Low detection risk means a low probability of NOT detecting
material misstatements
- To achieve low detection risk, the auditor will have to perform
more rigorous substantive testing
- For example, larger sample sizes, more reliable forms of
evidence, assigning more experienced auditors, closer supervision,
greater year-end (rather than interim) testing
- The audit risk model shows that the amount, nature, and timing
of audit procedures depend on the level of audit risk an auditor
assumes, and the level of client-related risks
21. Audit Risk Model: Limitations
- Inherent risk is difficult to formally assess
- Audit risk is subjectively determined
- The model treats each risk component as separate and
independent when clearly, this is not the case
- Audit technology is not so precise that each component can be
accurately assessed
- Because of these limitations, many auditors use the audit risk
model as a functional, rather than mathematical, model
22. Discuss Understanding Enterprise & Financial Reporting
Risks
- If there are major problems within a company, the evidence
gathered from within that company will probably be less
reliable
- Because of this, the auditor should
- Understand the company, its strategies, and operations in
depth
- Develop an understanding of the market in which the company
operates
- Develop an understanding of the economics of client
transactions
- Develop expectations about financial results or transaction
outcomes
23. Explain Business Risk & the Audit Process
- Risk-based approach to auditing:
- Develop understanding of management's risk management
process
- Develop understanding of the business and the risks it
faces
- Use the identified risks to develop expectations about account
balances and financial results
- Assess the quality of control systems to manage risks
- Determine residual risks, and update expectations about account
balances
- Manage remaining risk of account balance misstatement by
determining the direct tests of account balances (detection risk)
that are necessary
24. Understanding Management's Risk Management Process
- To understand the client's risk management process, auditors
will normally use the following techniques:
- Understand the processes used to evaluate risks
- Review the risk-based approach used by internal auditing
- Interview management about their risk approach
- Review regulatory agency reports that address company's
policies towards risk
- Review company policies and procedures for addressing risk
- Review company compensation policies to see if they are
consistent with company's risk policies
25. Understanding Management's Risk Management Process
- Review prior years' work to determine if current actions are
consistent with risk approach discussed with management
- Review risk management documents
- If the company has strong risk management processes, the
auditor may focus on testing controls and developing corroborative
evidence on account balances
- On the other hand, if the company does not have a comprehensive
risk process, the auditor will assess engagement risk as high, set
audit risk at a lower level, and increase direct testing
26. Review Developing an Understanding of Business & Risk
- There are a number of information sources (including electronic
sources) that auditors use to develop an understanding:
- Knowledge management systems
- Professional practice bulletins
27. Discuss Understanding Key Business Processes
- Each organization has a few key processes that give them a
competitive advantage (or disadvantage)
- The auditor should gather sufficient information to
understand
- The industry factors affecting key processes
- How management monitors key processes
- The potential operational and financial effects associated with
key processes
28. Understanding Key Business Processes - Sources of
Information
- Predecessor auditor inquiries
- Review of prior-period audit work papers
- Review of client's budgets
- Tour client's facilities and operations
- Review data processing center
- Review significant debt covenants and board of directors'
minutes
- Review relevant government regulations and client's legal
obligations
29. Discuss Developing Expectations
- The auditor should use information about the company's key
processes and risks to develop expectations about its account
balances and performance
- These expectations should be
- Developed independently of management
- Documented, along with a rationale for the expectations
- Communicated to all audit team members
30. Explain Assessing Quality of Internal Controls
- Controls include policies and procedures set by management to
manage risk
- The auditor is particularly interested in those controls
designed to protect the company's key processes and the measures
used to monitor the operation of these controls
- Examples of these measures (key performance indicators):
- Backlog of work in progress
- Increased disputes regarding accounts receivable or accounts
payable
- Surveys of customer satisfaction
- Information processing errors
- Increased delays in important processes
31. Review Managing Detection & Audit Risk
- The auditor manages audit risk by
- Adjusting audit staff to reflect risk associated with a
client
- Developing direct tests of account balances consistent with
detection risk
- Anticipating potential misstatements likely associated with
account balances
- Adjusting the timing of audit tests to minimize overall audit
risk
32. Preliminary Financial Statement Review: Techniques &
Expectations
- Auditors use analytical procedures to develop expectations of
account balances
- These expectations are compared to recorded book values to
identify misstatements
- Sources of data commonly used:
- Financial information for prior periods
- Expected or planned results from budgets and forecasts
- Comparison of linked accounts (such as interest expense and
debt)
- Ratios of financial information (such as common-size financial
statements)
- Company and industry trends
- Relevant non-financial information
33. Preliminary Financial Statement Review: Techniques &
Expectations
- Comparative financial statements (horizontal analysis)
- Common-sized financial statements (vertical analysis)
- The results of analytical procedures are placed in context when
auditors compare client results to the client's prior performance,
industry data, or client expectations (budgets and forecasts)
34. Comment on Risk Analysis & Conduct of the Audit
- The risk approach means auditors must understand the company
and its risks as a basis for determining which account balances
should be directly tested and which can be corroborated by
analytical procedures
- Linkage to direct tests of account balances
- If the auditor concludes there is a high risk of material
misstatement
- Set materiality at an appropriate level
- Use procedures appropriate for the level of risk to examine the
account balance
35. Comment on Risk Analysis & Conduct of the Audit
- Quality of accounting principles used
- The auditor is required to assess the appropriateness of the
accounting methods used by management
- Guidelines to evaluate "appropriateness" include:
- Representational faithfulness - does the accounting reflect the
economic substance of the transactions
- Consistency of application of GAAP
- Accounting estimates - based on proven models, reconciled to
actual results, based on valid economic reasons?