Rittenberg/Schwieger/Johnstone Auditing: A Business Risk Approach Sixth Edition Chapter 4 Audit Risk and a Client’s Business Risk Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license. 1 The Nature of Risk In this chapter, we identify four critical components of risk that affect the audit approach and audit outcome Enterprise risk - those that affect the operations and potential outcomes organization activities Engagement risk - comes with association with a specific client Financial reporting risk - those that relate directly to the recording transactions and the presentation of the financial statements Audit risk - risk an auditor may provide an unqualified opinion on financial statements that are materially misstated Each of these components can be managed The effectiveness of risk management processes will determine whether the company continues to exist 2 Enterprise Risk Management (ERM) COSO defines ERM as a "process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." 3 Enterprise Risk Management (ERM) (continued) COSO elements: Risk management environment: management culture and attitude towards risk Event identification: of events that may affect organization's ability to implement strategies or achieve objectives Risk assessment: to determine response Risk Response Control activities: policies and procedures designed to reduce risks and to assure management's directives and strategies are implemented Information and communication Monitoring An effective ERM process within an organization is designed to provide assurance that risks are identified, understood, and addressed 4 Organizational Risk Responses Once risk has been identified and assessed, an organization has four choices: - Control the risk - Share or transfer the risk - Diversify against or avoid the risk - Accept the risk Depending on the circumstances, each of these may be an acceptable approach to manage risk 5 Risk Factors Affecting the Audit Engagement Risk Risk auditors incur by being associated with a particular client Risk is high whenever there is increased likelihood that Auditor is associated with a failed client Financial statements contain material misstatement that the auditor fails to find These conditions increase the likelihood that the auditor will be sued Client Acceptance or Retention Decision Perhaps the most important audit decision A number of factors affect this decision, but most important involve Quality of the client's corporate governance Client's financial health 6 Risk Factors Affecting the Audit: Corporate Governance & Client Acceptance The key factors an auditor will analyze include Management integrity Independence and competence of the audit committee and board Quality of ERM and controls Regulatory and reporting requirements Participation of key stakeholders Existence of related party transactions 7 Risk Factors Affecting the Audit: Financial Health of the Organization There are a number of reasons why the auditor needs to evaluate a potential client's financial health: The auditor will most likely be sued if a client declares bankruptcy Investors and creditors who have lost money will look for recovery Attorneys will claim the financial statements were misstated and the auditors should have known they were misstated The auditor also needs to understand the financial health in order to: Assess management's motivation to misstate the financial statements Identify areas that are likely to be misstated Identify account balances that appear unusual 8 Risk Factors Affecting the Audit: Other Factors Affecting Engagement Risk The auditor should evaluate the company's economic prospects to help ensure that Important areas will be investigated The company will likely stay in business High-risk companies are generally characterized by Inadequate capital Lack of long-run strategic and operational plans Low cost entry into the market Dependence on limited product offerings Dependence on technology subject to obsolescence Instability of future cash flows History of questionable accounting practices Previous inquiries by the SEC or other regulatory agencies 9 Risk Factors Affecting the Audit: Financial Reporting Risk Financial reporting risk is influenced by The company's financial health The quality of the company's internal controls The complexity of the company's transactions and financial reporting Management's motivation to misstate the financial statements These factors are interrelated The auditor will gather information on these issues through reviews of previous audits, or by talking with the predecessor auditor 10 Accepting New Clients: Auditing Standards on Auditor Changes SAS 84 requires a successor auditor to initiate discussions with the predecessor to discuss the reasons for the change in auditors Because of the confidentiality rule, the successor must first obtain client permission to talk with predecessor The successor is particularly interested in factors that bear on Management integrity Disagreements with management on any substantive auditing or accounting issues The predecessor's understanding of the reasons for the change Any communications between the predecessor and management or audit committee regarding fraud, illegal acts or internal control matte 11 Accepting New Clients: The Engagement Letter The auditor and client should have a mutual understanding of the audit process The auditor should prepare an engagement letter to clarify the responsibilities and expectations of each party, and to summarize and document this understanding including the Nature of the services to be provided Timing of those services Expected fees and basis on which they will be billed (fixed fee, hourly rates) Auditor responsibilities including the search for fraud Client responsibilities including preparing information for the audit Need for any other services to be performed by the firm 12 What Is Materiality? The auditor is expected to plan and perform an audit that provides reasonable assurance that material misstatements will be detected The FASB defines materiality as the "magnitude of an omission or misstatement of accounting information that, in light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement" Materiality has three significant dimensions: Size of the misstatement (dollar amount) Circumstances - some things are viewed more critically than others User impact - impact on potential users and the type of judgments made 13 Materiality (continued) Determination of materiality is situation specific Although this makes determination more difficult, it allows the auditor to adjust the rigor of the audit to reflect the risk of the engagement The lower the dollar amount of set materiality, the more rigorous the examination Most firms have guidelines for setting materiality Guidelines usually involve applying percentages to some base Guidelines may also be based on nature of the industry or other factors Auditors initially set planning materiality for the statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement 14 What Is Audit Risk? Audit risk is the risk than an auditor may issue an unqualified opinion on materially misstated financial statements The auditor assesses engagement risk first, then sets audit risk Audit risk is inversely related to engagement risk If the auditor accepts a client with high engagement risk The auditor must conduct a more rigorous audit The auditor does this is by setting audit risk at a low level If the auditor accepts a client with low engagement risk The auditor will set audit risk at a higher level 15 Audit Risk & Materiality Audit risk and engagement risk relate to factors that might encourage someone to challenge the auditor's work For example, transactions that might not be material to a "healthy" company might be material to financial statement users for a company on the brink of bankruptcy The following factors help integrate the concepts of risk and materiality: All audits involve sampling and cannot provide 100 percent assurance Auditors must compete in an active marketplace for clients Auditors need to understand society's expectations of financial reporting and the audit process Auditors must identify the risky areas of a business to determine which accounts are more susceptible to material misstatement Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances 16 The Audit Risk Model The auditor sets desired audit risk based on assessed engagement risk AR = IR x CR x DR AR = Audit Risk IR = Inherent Risk CR = Control Risk DR = Detection Risk The audit risk model allows the auditor to consider the following: Complex or unusual transactions are more likely to recorded in error than are simple or recurring transactions Management may be motivated to misstate earnings or assets Better internal controls mean a lesser likelihood of misstatement The amount and persuasiveness of audit evidence gathered should vary directly with the likelihood of material misstatements 17 The Audit Risk Model (continued) Inherent Risk - Susceptibility of transactions to be recorded in error Inherent risk is higher for some items: Complex transactions are more likely to be misstated than simple transactions Estimated balances more likely to be misstated than fact based balances The auditor assesses inherent risk Control Risk - Risk client controls will fail to prevent or detect a misstatement The quality of controls often varies between classes of transactions The auditor assesses control risk 18 The Audit Risk Model (continued) Environment Risk - inherent and control risks combined Reflects the likelihood of material misstatements occurring Detection risk - risk audit procedures will fail to detect material misstatements Relates to the effectiveness of audit procedures and their application Detection risk is controlled by the auditor and is an integral part of audit planning The level of detection risk set directly determines the rigor of the substantive audit work performed 19 Audit Risk Model (continued) AR = IR x CR x DR Audit risk is set inversely to the assessed level of engagement risk After audit risk is set, the auditor assesses inherent and control (environment) risks The auditor sets detection risk INVERSELY to environment risk Example, if the auditor is examining transactions with high inherent risk, or weak controls, the auditor will set a low detection risk Low detection risk means a low probability of NOT detecting material misstatements To achieve low detection risk, the auditor will have to perform more rigorous substantive testing For example, larger sample sizes, more reliable forms of evidence, assign more experienced auditors, closer supervision, greater yearend (rather than interim) testing The audit risk model shows that the amount, nature, and timing of audit procedures depends on the level of audit risk an auditor assumes, and the level of client-related risks 20 Audit Risk Model: Limitations Inherent risk is difficult to formally assess Audit risk is subjectively determined The model treats each risk component as separate and independent when clearly, this is not the case Audit technology is not so precise that each component can be accurately assessed Because of these limitations, many auditors use the audit risk model as a functional, rather than mathematical, model 21 Understanding Enterprise & Financial Reporting Risks If there are major problems within a company, the evidence gathered from within that company will probably be less reliable Because of this, the auditor should Understand the company, its strategies, and operations in depth Develop an understanding of the market in which the company operates Develop an understanding of the economics of client transactions Develop expectations about financial results or transaction outcomes 22 Business Risk and the Audit Process Risk-based approach to auditing: Develop understanding of management's risk management process Develop understanding of the business and the risks it faces Use the identified risks to develop expectations about account balances and financial results Assess the quality of control systems to manage risks Determine residual risks, and update expectations about account balances Manage remaining risk of account balance misstatement by determining the direct tests of account balances (detection risk) that are necessary 23 Understanding Management's Risk Management Process To understand the client's risk management process, auditors will normally use the following techniques: Understand the processes used to evaluate risks Review the risk-based approach used by internal auditing Interview management about their risk approach Review regulatory agency reports that address company's policies towards risk Review company polices and procedures for addressing risk Review company compensation policies to see if they are consistent with company's risk policies 24 Understanding Management's Risk Management Process (continued) Review prior years' work to determine if current actions are consistent with risk approach discussed with management Review risk management documents If the company has strong risk management processes, the auditor may focus on testing controls and developing corroborative evidence on account balances On the other hand, if the company does not have a comprehensive risk process, the auditor will assess engagement risk as high, set audit risk at a lower level, and increase direct testing 25 Developing an Understanding of Business and Risk There are a number of information sources (including electronic sources) that auditors use to develop an understanding: Intelligent agents Knowledge management systems Online searches Review SEC filings Company web sites Economic statistics Professional practice bulletins Stock analysts' reports 26 Understanding Key Business Processes Each organization has a few key processes that give them a competitive advantage (or disadvantage) The auditor should gather sufficient information to understand The key processes The industry factors affecting key processes How management monitors key processes The potential operational and financial effects associated with key processes 27 Understanding Key Business Processes: Sources of Information Management inquiries Predecessor auditor inquiries Review of prior-period audit work papers Review of client's budgets Tour client's facilities and operations Review data processing center Review significant debt covenants and board of director minutes Review relevant government regulations and 28 client’s legal obligations Developing Expectations The auditor should use information about the company’s key processes and risks to develop expectations about its account balances and performance These expectations should be Developed independently of management Documented, along with a rationale for the expectations Communicated to all audit team members 29 Assessing the Quality of Internal Controls Controls include policies and procedures set by management to manage risk The auditor is particularly interested in those controls designed to protect the company's key processes and the measures used to monitor the operation of these controls Examples of these measures (key performance indicators): Backlog of work in progress Amount of return items Increased disputes regarding accounts receivable or accounts payable Surveys of customer satisfaction Employee absenteeism Decreased productivity Information processing errors Increased delays in important processes 30 Managing Detection and Audit Risk The auditor manages audit risk by Adjusting audit staff to reflect risk associated with a client Developing direct tests of account balances consistent with detection risk Anticipating potential misstatements likely associated with account balances Adjusting the timing of audit tests to minimize overall audit risk 31 Preliminary Financial Statement Review: Techniques & Expectations Auditors use analytical procedures to develop expectations of account balances These expectations are compared to recorded book values to identify misstatements Sources of data commonly used: Financial information for prior periods Expected or planned results from budgets and forecasts Comparison of linked accounts (such as interest expense and debt) Ratios of financial information (such as common-size financial statements) Company and industry trends Relevant non-financial information 32 Preliminary Financial Statement Review: Techniques & Expectations Techniques commonly used Trend analysis Comparative financial statements (horizontal analysis) Common-sized financial statements (vertical analysis) Ratio analysis The results of analytical procedures are placed in context when auditors compare client results to the client's prior performance, industry data, or client expectations (budgets and forecasts) 33 Risk Analysis and the Conduct of the Audit The risk approach means auditors must understand the company and its risks as a basis for determining which account balances should be directly tested and which can be corroborated by analytical procedures Linkage to direct tests of account balances If the auditor concludes there is a high risk of material misstatement s/he must Set materiality at an appropriate level Use procedures appropriate for the level risk to examine the account balance 34 Risk Analysis and the Conduct of the Audit Quality of accounting principles used The auditor is required to assess the appropriateness of the accounting methods used by management Guidelines to evaluate "appropriateness" include: Representational faithfulness - does the accounting reflect the economic substance of the transactions Consistency of application of GAAP Accounting estimates - based on proven models, reconciled to actual results, based on valid economic reasons? 35