Chapter 4 Audit Risk and Business Risk
Standards • ASA 210 Terms of Audit Engagements • ASA 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
• Four critical components of risk affect the audit approach and audit outcome: – Enterprise risk: risks that affect the operations and potential outcomes of organisation activities – Engagement risk: comes with association with a specific client – Financial reporting risk: risks that relate directly to the recording of transactions and the presentation of the financial statements – an unqualified opinion on financial statements
Nature of Risk (cont.) • Each of these components can be managed. • Company survival depends on the effectiveness of risk management processes.
Management (ERM) • COSO defines ERM as: ‘ ’ directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to within its risk appetite, to provide reasonable assurance regarding the .’
Management (cont.) • COSO describes ERM as consisting of eight interrelated processes: – risk management environment: management culture and attitude towards risk – event identification: identification of events that may affect the organisation’s ability to implement strategies or achieve objectives – risk assessment: assessing risks to determine response – risk response
Management (cont.) – control activities: policies and procedures management’s directives and strategies are implemented – information and communication – • An effective ERM process within an that risks are identified, understood and addressed.
Responses • Once risk has been identified and assessed, an organisation has four choices: – control the risk – share or transfer the risk – diversify against or avoid the risk – accept the risk. • Depending on the circumstances, each of these may be an acceptable approach to manage the risk.
Risk Factors Affecting the Audit – The risk auditors incur by being associated – Risk is high whenever there is increased • the auditor is associated with a failed client • financial statements contain material misstatement that the auditor fails to find.
– These conditions increase the likelihood that
the Audit (cont.) • Client acceptance or retention decision – Perhaps the most important audit decision – A decision affected by a range of factors. The most important involve: • the quality of the client’s corporate governance • the client’s financial health.
Corporate Governance • The key factors an auditor will analyse include: – management integrity – independence and competence of the audit committee and board – quality of ERM and controls – regulatory and reporting requirements – participation of key stakeholders – existence of related party transactions.
Organisation Financial Health • There are a number of reasons why the auditor needs to evaluate a potential client’s financial health: – The auditor will most likely be sued if a client goes into liquidation. – Investors and creditors who have lost money will look for recovery. – Lawyers will claim the financial statements were misstated and the auditors should have known they were misstated.
(cont.) • The auditor also needs to understand the financial health in order to: – ’ misstate the financial statements – – identify account balances that appear .
Other Factors Affecting Engagement Risk ’ prospects to ensure important areas are investigated and the company is likely to stay in business. • High-risk companies are generally characterised by: – inadequate capital – lack of long-run strategic and operational plans – low cost entry into the market – dependence on limited product offerings – dependence on technology subject to obsolescence – instability of future cash flows – – previous inquiries by regulatory agencies.
• Financial misstatement risk is influenced by – the company’s financial health – the quality of the company’s internal controls – the complexity of the company’s transactions and financial reporting – management’s motivation to misstate the financial report. • These factors are interrelated. • The auditor will gather information on these issues through reviews of previous audits, or by talking with the predecessor auditor.
Accepting New Clients: Minimising Risk • A new auditor should initiate discussions with the change in auditors. • Because of the confidentiality rule, the successor must first obtain client permission to talk with .
Minimising Risk (cont.) • The successor is particularly interested in – management integrity – substantive auditing or accounting issues – ’ reasons for the change – predecessor and management or audit committee regarding fraud, illegal acts or internal control matters.
The Engagement Letter • The auditor and client should have a mutual understanding of the audit process. • The auditor should prepare an engagement letter each party, and to summarise and document this understanding, including the: – nature of the services to be provided – timing of those services – expected fees and basis on which they will be billed (fixed fee, hourly rates)
The Engagement Letter (cont.) • The engagement letter should also describe – auditor responsibilities, including the search – client responsibilities, including preparing – need for any other services to be performed by the firm.
Materiality and Audit Risk audit that provides reasonable assurance that material misstatements will be detected • ‘Information is material if its omission, misstatement or non-disclosure has the potential, individually or collectively, to (a) influence the economic decisions of users taken on the basis of the financial report; or management or governing body of the entity.’ AASB 1031 para. 9
Materiality • Materiality has three significant dimensions: – size of the misstatement (dollar amount) – circumstances – some things are viewed more critically than others – user impact – impact on potential users and .
Materiality (cont.) • Determination of materiality is situation-specific. difficult, it allows the auditor to adjust the rigour of the audit to reflect the risk of the engagement. – The lower the dollar amount of set materiality, the more rigorous the examination.
Materiality Guidelines • Most firms have guidelines for setting . – usually involve applying percentages to – may also be based on nature of the industry • Auditors initially set planning materiality for , this to individual accounts based on their susceptibility to misstatement.
• Audit risk is the risk that an auditor may issue an unqualified opinion on materially misstated financial statements. • The auditor assesses engagement risk first, then sets audit risk. • Audit risk is inversely related to engagement risk. risk, they must conduct more rigorous audits. • • If the auditor accepts a client with low , higher level.
Inseparability of Audit Risk & Materiality • Audit risk and engagement risk relate to factors that might encourage someone to challenge the auditor’s work. • For example, transactions that might not be material to a ‘healthy’ company might be material to financial statement users for a company on the brink of bankruptcy. • The following factors help integrate the concepts of risk and materiality: – All audits involve sampling and cannot provide 100 percent assurance. – Auditors must compete in an active marketplace for clients.
Inseparability of Audit Risk & Materiality (cont.) – Auditors need to understand society’s expectations of financial reporting and the audit process. – Auditors must identify the risk areas of a business to determine which accounts are more susceptible to material misstatement. – Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances.
• The auditor sets desired audit risk based on assessed engagement risk: AR = IR x CR x DR • AR = audit risk • IR = inherent risk • CR = control risk • DR = detection risk
The Audit Risk Model (cont.) • The audit risk model allows the auditor to consider the following: – Complex or unusual transactions are more likely to be recorded in error than are simple or . – Management may be motivated to misstate . – Better internal controls mean a lesser . – The amount and persuasiveness of audit the likelihood of material misstatements.
• Inherent risk: susceptibility of transactions to be recorded in error. Inherent risk is higher for some items. – Complex transactions are more likely to be misstated than simple transactions. – than fact-based balances. – The auditor assesses inherent risk • Control risk: risk client controls will fail to – The quality of controls often varies between classes of transactions. – The auditor assesses control risk.
The Audit Risk Model (cont.) • combined. – misstatements occurring. • to detect material misstatements. – procedures and their application. – Is controlled by the auditor and is an integral part of audit planning. – The level of detection risk set directly work performed.
The Audit Risk Model (cont.) AR = IR x CR x DR • Audit risk is set inversely to the assessed level of engagement risk. • After audit risk is set, the auditor assesses inherent and control (environment) risks. • The auditor sets detection risk inversely to environment risk. For example, if the auditor is examining transactions with high inherent risk or weak controls, they will set a low detection risk: DR = AR / (IR x CR)
not detecting material misstatements. •
v w r , u rw have to perform more rigorous substantive , , reliable forms of evidence, assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing.
• The audit risk model shows that the amount, nature, and timing of audit procedures depend on the level of audit risk an auditor assumes, and the level of client-related risks.
Audit Risk Model • Inherent risk is difficult to formally assess. • • The model treats each risk component as the case. • component can be accurately assessed. , the audit risk model as a functional, rather than mathematical, model.
Developing an Understanding Misstatement Risks • If there are major problems within a company, the evidence gathered from within that company . • Because of this, the auditor should – understand the company, its strategies, and operations in depth – which the company operates – client transactions – transaction outcomes.
The Business Risk Approach to Auditing • Develop understanding of management’s risk management process • Develop understanding of the business and the risks it faces • Use the identified risks to develop expectations about account balances and financial results • Assess quality of control systems to manage risks • Determine residual risk, and update expectations about account balances • Manage remaining risk of account balance misstatement by determining the direct tests of necessary
Understanding Management’s Risk Management Process • To understand the client’s risk management process, auditors will normally use the following – understand the processes used to evaluate risks – internal auditing – interview management about its risk approach – review regulatory agency reports that address the company’s policies towards risk – review company policies and procedures for addressing risk – they are consistent with company’s risk policies
Understanding Management’s Risk Management Process (cont.) – review prior years’ work to determine if current actions are consistent with risk approach discussed with management – review risk management documents. • If the company has strong risk management processes, the auditor may focus on testing on account balances. , a comprehensive risk process, the auditor will assess engagement risk as high, set audit risk at .
Developing an Understanding of Business & Risks • There are a number of information sources (including electronic sources) that auditors use to – intelligent agents – online searches – company websites – professional practice bulletins – stock analysis reports.
Business Processes • Each organisation has a few key processes that give them a competitive advantage (or disadvantage) • The auditor should gather sufficient information to understand: – key processes – the industry factors affecting key processes – how management monitors key processes – the potential operational and financial effects .
Sources of Information about Key Processes • Management inquiries • Predecessor auditor inquiries • Review of prior-period audit work papers • Review of client’s budgets • Tour of client’s facilities and operations • Review data processing centre • Review significant debt covenants and board of directors’ minutes • Review relevant government regulations and client’s legal obligations
Developing Expectations • The auditor should use information about the company’s key processes and risks to develop expectations about its account balances and . • These expectations should be: – developed independently of management – documented, along with a rationale for the expectations – communicated to all audit team members.
Internal Controls • Controls include policies and procedures set by . • The auditor is particularly interested in those controls designed to protect the company’s key processes and the measures used to monitor the .
Controls (cont.) • Examples of these measures (key performance indicators) include: – backlog of work in progress – – increased disputes regarding accounts – surveys of customer satisfaction – – decreased productivity – – increased delays in important processes.
& Audit Risk • The auditor manages audit risk by – adjusting audit staff to reflect risk associated with a client – developing direct tests of account balances consistent with detection risk – anticipating potential misstatements likely to be associated with account balances – overall audit risk.
Preliminary Financial Statement Review: Techniques & Expectations • Auditors use analytical procedures to develop expectations of account balances. • These expectations are compared to recorded book values to identify misstatements.
Preliminary Financial Statement Review: Techniques . • Sources of data commonly used: – financial information for prior periods – expected or planned results from budgets and forecasts – comparison of linked accounts (such as interest expense and debt) – ratios of financial information (such as common-size financial statements) – company and industry trends – relevant nonfinancial information.
Preliminary Financial Statement Review: Techniques & . • Techniques commonly used – Trend analysis – Comparative financial statements (horizontal analysis) – Ratio analysis – Common-sized financial statements (vertical analysis) • The results of analytical procedures are placed in context when auditors compare client results to the client’s prior performance, industry data, or client expectations (budgets and forecasts)
Conduct of the Audit • The risk approach means auditors must understand the company and its risks as a basis for determining which account balances should be directly tested and which can be • Linkage to direct tests of account balances: if an auditor concludes there is a high risk of material misstatement they must: – – use procedures appropriate for the level risk .