Audit risk

Rittenberg/Schwieger/Johnstone
Auditing: A Business Risk Approach
Sixth Edition
Chapter 4
Audit Risk and a Client’s
Business Risk
Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,
and South-Western are trademarks used herein under license.
1
The Nature of Risk
In this chapter, we identify four critical components of risk
that affect the audit approach and audit outcome:
- Enterprise risk - risks that affect the operations and potential outcomes of an organization's activities
- Engagement risk - risk that comes with association with a specific client
- Financial reporting risk - risks that relate directly to the recording of transactions and the presentation of the financial statements
- Audit risk - risk that an auditor may provide an unqualified opinion on financial statements that are materially misstated
Each of these components can be managed
The effectiveness of risk management processes will
determine whether the company continues to exist
2
Enterprise Risk Management
(ERM)
COSO defines ERM as a
"process effected by an entity's board of directors,
management and other personnel, applied in
strategy setting and across the enterprise,
designed to identify potential events that may
affect the entity, and manage risks to within its
risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives."
3
Enterprise Risk Management
(ERM) (continued)
COSO elements:
- Risk management environment: management culture and attitude towards risk
- Event identification: identification of events that may affect the organization's ability to implement strategies or achieve objectives
- Risk assessment: to determine response
- Risk response
- Control activities: policies and procedures designed to reduce risks and to assure management's directives and strategies are implemented
- Information and communication
- Monitoring
An effective ERM process within an organization is
designed to provide assurance that risks are identified,
understood, and addressed
4
Organizational Risk Responses
Once risk has been identified and assessed, an
organization has four choices:
- Control the risk
- Share or transfer the risk
- Diversify against or avoid the risk
- Accept the risk
Depending on the circumstances, each of these
may be an acceptable approach to manage risk
5
Risk Factors Affecting the Audit
Engagement Risk
- Risk auditors incur by being associated with a particular client
- Risk is high whenever there is increased likelihood that
  - Auditor is associated with a failed client
  - Financial statements contain material misstatement that the auditor fails to find
- These conditions increase the likelihood that the auditor will be sued
Client Acceptance or Retention Decision
- Perhaps the most important audit decision
- A number of factors affect this decision, but the most important involve
  - Quality of the client's corporate governance
  - Client's financial health
6
Risk Factors Affecting the Audit:
Corporate Governance & Client
Acceptance
The key factors an auditor will analyze
include
Management integrity
Independence and competence of the
audit committee and board
Quality of ERM and controls
Regulatory and reporting requirements
Participation of key stakeholders
Existence of related party transactions
7
Risk Factors Affecting the Audit:
Financial Health of the Organization
There are a number of reasons why the auditor
needs to evaluate a potential client's financial
health:
The auditor will most likely be sued if a client declares
bankruptcy
Investors and creditors who have lost money will look for
recovery
Attorneys will claim the financial statements were misstated
and the auditors should have known they were misstated
The auditor also needs to understand the financial
health in order to:
Assess management's motivation to misstate the financial
statements
Identify areas that are likely to be misstated
Identify account balances that appear unusual
8
Risk Factors Affecting the Audit: Other
Factors Affecting Engagement Risk
The auditor should evaluate the company's economic prospects
to help ensure that
- Important areas will be investigated
- The company will likely stay in business
High-risk companies are generally characterized by
- Inadequate capital
- Lack of long-run strategic and operational plans
- Low cost entry into the market
- Dependence on limited product offerings
- Dependence on technology subject to obsolescence
- Instability of future cash flows
- History of questionable accounting practices
- Previous inquiries by the SEC or other regulatory agencies
9
Risk Factors Affecting the Audit:
Financial Reporting Risk
Financial reporting risk is influenced by
The company's financial health
The quality of the company's internal controls
The complexity of the company's transactions and
financial reporting
Management's motivation to misstate the financial
statements
These factors are interrelated
The auditor will gather information on these issues
through reviews of previous audits, or by talking
with the predecessor auditor
10
Accepting New Clients: Auditing
Standards on Auditor Changes
SAS 84 requires a successor auditor to initiate discussions with
the predecessor to discuss the reasons for the change in
auditors
Because of the confidentiality rule, the successor must first
obtain client permission to talk with predecessor
The successor is particularly interested in factors that bear on
- Management integrity
- Disagreements with management on any substantive auditing or accounting issues
- The predecessor's understanding of the reasons for the change
- Any communications between the predecessor and management or audit committee regarding fraud, illegal acts or internal control matters
11
Accepting New Clients: The
Engagement Letter
The auditor and client should have a mutual understanding of
the audit process
The auditor should prepare an engagement letter to clarify the
responsibilities and expectations of each party, and to
summarize and document this understanding, including the
- Nature of the services to be provided
- Timing of those services
- Expected fees and basis on which they will be billed (fixed fee, hourly rates)
- Auditor responsibilities including the search for fraud
- Client responsibilities including preparing information for the audit
- Need for any other services to be performed by the firm
12
What Is Materiality?
The auditor is expected to plan and perform an audit that provides
reasonable assurance that material misstatements will be
detected
The FASB defines materiality as the
"magnitude of an omission or misstatement of accounting
information that, in light of surrounding circumstances, makes it
probable that the judgment of a reasonable person relying on the
information would have been changed or influenced by the omission
or misstatement"
Materiality has three significant dimensions:
- Size of the misstatement (dollar amount)
- Circumstances - some things are viewed more critically than others
- User impact - impact on potential users and the type of judgments made
13
Materiality (continued)
Determination of materiality is situation specific
- Although this makes determination more difficult, it allows the auditor to adjust the rigor of the audit to reflect the risk of the engagement
- The lower the dollar amount of set materiality, the more rigorous the examination
Most firms have guidelines for setting materiality
- Guidelines usually involve applying percentages to some base
- Guidelines may also be based on nature of the industry or other factors
Auditors initially set planning materiality for the statements
as a whole, and then allocate this to individual accounts
based on their susceptibility to misstatement
14
What Is Audit Risk?
Audit risk is the risk that an auditor may issue an
unqualified opinion on materially misstated financial
statements
The auditor assesses engagement risk first, then sets audit
risk
Audit risk is inversely related to engagement risk
- If the auditor accepts a client with high engagement risk
  - The auditor must conduct a more rigorous audit
  - The auditor does this by setting audit risk at a low level
- If the auditor accepts a client with low engagement risk
  - The auditor will set audit risk at a higher level
15
Audit Risk & Materiality
Audit risk and engagement risk relate to factors that might encourage
someone to challenge the auditor's work
For example, transactions that might not be material to a "healthy"
company might be material to financial statement users for a
company on the brink of bankruptcy
The following factors help integrate the concepts of risk and materiality:
- All audits involve sampling and cannot provide 100 percent assurance
- Auditors must compete in an active marketplace for clients
- Auditors need to understand society's expectations of financial reporting and the audit process
- Auditors must identify the risky areas of a business to determine which accounts are more susceptible to material misstatement
- Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances
16
The Audit Risk Model
The auditor sets desired audit risk based on assessed engagement risk
AR = IR x CR x DR
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk
The audit risk model allows the auditor to consider the following:
- Complex or unusual transactions are more likely to be recorded in error than are simple or recurring transactions
- Management may be motivated to misstate earnings or assets
- Better internal controls mean a lesser likelihood of misstatement
- The amount and persuasiveness of audit evidence gathered should vary directly with the likelihood of material misstatements
17
The Audit Risk Model (continued)
Inherent Risk - Susceptibility of transactions to be
recorded in error
Inherent risk is higher for some items:
Complex transactions are more likely to be misstated than
simple transactions
Estimated balances are more likely to be misstated than
fact-based balances
The auditor assesses inherent risk
Control Risk - Risk client controls will fail to
prevent or detect a misstatement
The quality of controls often varies between classes
of transactions
The auditor assesses control risk
18
The Audit Risk Model (continued)
Environment Risk - inherent and control risks
combined
Reflects the likelihood of material misstatements
occurring
Detection risk - risk audit procedures will fail to
detect material misstatements
Relates to the effectiveness of audit procedures and
their application
Detection risk is controlled by the auditor and is an
integral part of audit planning
The level of detection risk set directly determines the
rigor of the substantive audit work performed
19
Audit Risk Model (continued)
AR = IR x CR x DR
- Audit risk is set inversely to the assessed level of engagement risk
- After audit risk is set, the auditor assesses inherent and control (environment) risks
- The auditor sets detection risk INVERSELY to environment risk
- For example, if the auditor is examining transactions with high inherent risk, or weak controls, the auditor will set a low detection risk
- Low detection risk means a low probability of NOT detecting material misstatements
- To achieve low detection risk, the auditor will have to perform more rigorous substantive testing
- For example, larger sample sizes, more reliable forms of evidence, more experienced auditors, closer supervision, and more year-end (rather than interim) testing
The audit risk model shows that the amount, nature, and timing of audit
procedures depend on the level of audit risk an auditor assumes
and the level of client-related risks
20
Audit Risk Model: Limitations
Inherent risk is difficult to formally assess
Audit risk is subjectively determined
The model treats each risk component as
separate and independent when clearly, this
is not the case
Audit technology is not so precise that each
component can be accurately assessed
Because of these limitations, many auditors
use the audit risk model as a functional,
rather than mathematical, model
21
Understanding Enterprise & Financial
Reporting Risks
If there are major problems within a company, the
evidence gathered from within that company will
probably be less reliable
Because of this, the auditor should
Understand the company, its strategies, and
operations in depth
Develop an understanding of the market in which the
company operates
Develop an understanding of the economics of client
transactions
Develop expectations about financial results or
transaction outcomes
22
Business Risk and the
Audit Process
Risk-based approach to auditing:
Develop understanding of management's risk
management process
Develop understanding of the business and the risks
it faces
Use the identified risks to develop expectations about
account balances and financial results
Assess the quality of control systems to manage risks
Determine residual risks, and update expectations
about account balances
Manage remaining risk of account balance
misstatement by determining the direct tests of
account balances (detection risk) that are necessary
23
Understanding Management's
Risk Management Process
To understand the client's risk management
process, auditors will normally use the following
techniques:
- Understand the processes used to evaluate risks
- Review the risk-based approach used by internal auditing
- Interview management about their risk approach
- Review regulatory agency reports that address the company's policies towards risk
- Review company policies and procedures for addressing risk
- Review company compensation policies to see if they are consistent with the company's risk policies
24
Understanding Management's
Risk Management Process (continued)
Review prior years' work to determine if current
actions are consistent with risk approach
discussed with management
Review risk management documents
If the company has strong risk management
processes, the auditor may focus on testing
controls and developing corroborative evidence
on account balances
On the other hand, if the company does not have a
comprehensive risk process, the auditor will
assess engagement risk as high, set audit risk at
a lower level, and increase direct testing
25
Developing an Understanding of
Business and Risk
There are a number of information sources
(including electronic sources) that auditors use
to develop an understanding:
Intelligent agents
Knowledge management systems
Online searches
Review SEC filings
Company web sites
Economic statistics
Professional practice bulletins
Stock analysts' reports
26
Understanding Key Business
Processes
Each organization has a few key processes
that give them a competitive advantage (or
disadvantage)
The auditor should gather sufficient
information to understand
The key processes
The industry factors affecting key processes
How management monitors key processes
The potential operational and financial effects
associated with key processes
27
Understanding Key Business
Processes: Sources of Information
Management inquiries
Predecessor auditor inquiries
Review of prior-period audit work papers
Review of client's budgets
Tour client's facilities and operations
Review data processing center
Review significant debt covenants and board
of director minutes
Review relevant government regulations and
client’s legal obligations
28
Developing Expectations
The auditor should use information about the
company’s key processes and risks to develop
expectations about its account balances and
performance
These expectations should be
Developed independently of management
Documented, along with a rationale for the
expectations
Communicated to all audit team members
29
Assessing the Quality of
Internal Controls
Controls include policies and procedures set by management to
manage risk
The auditor is particularly interested in those controls designed to
protect the company's key processes and the measures used to
monitor the operation of these controls
Examples of these measures (key performance indicators):
- Backlog of work in progress
- Amount of return items
- Increased disputes regarding accounts receivable or accounts payable
- Surveys of customer satisfaction
- Employee absenteeism
- Decreased productivity
- Information processing errors
- Increased delays in important processes
30
Managing Detection and
Audit Risk
The auditor manages audit risk by
Adjusting audit staff to reflect risk associated
with a client
Developing direct tests of account balances
consistent with detection risk
Anticipating potential misstatements likely
associated with account balances
Adjusting the timing of audit tests to minimize
overall audit risk
31
Preliminary Financial Statement
Review: Techniques & Expectations
Auditors use analytical procedures to develop expectations
of account balances
These expectations are compared to recorded book values
to identify misstatements
Sources of data commonly used:
- Financial information for prior periods
- Expected or planned results from budgets and forecasts
- Comparison of linked accounts (such as interest expense and debt)
- Ratios of financial information (such as common-size financial statements)
- Company and industry trends
- Relevant non-financial information
32
Preliminary Financial Statement
Review: Techniques & Expectations
Techniques commonly used
Trend analysis
Comparative financial statements (horizontal
analysis)
Common-sized financial statements (vertical analysis)
Ratio analysis
The results of analytical procedures are placed in
context when auditors compare client results to
the client's prior performance, industry data, or
client expectations (budgets and forecasts)
33
Risk Analysis and the Conduct
of the Audit
The risk approach means auditors must
understand the company and its risks as a basis
for determining which account balances should
be directly tested and which can be corroborated
by analytical procedures
Linkage to direct tests of account balances
If the auditor concludes there is a high risk of material
misstatement, s/he must
- Set materiality at an appropriate level
- Use procedures appropriate for the level of risk to examine the account balance
34
Risk Analysis and the Conduct
of the Audit
Quality of accounting principles used
The auditor is required to assess the appropriateness
of the accounting methods used by management
Guidelines to evaluate "appropriateness" include:
Representational faithfulness - does the accounting reflect
the economic substance of the transactions
Consistency of application of GAAP
Accounting estimates - based on proven models, reconciled
to actual results, based on valid economic reasons?
35