Chapter 4 Audit Risk, Business Risk, and Audit Planning Copyright © 2010 South-Western/Cengage Learning
Audit Opinion Formulation Process
LO1: Nature of Risk Risk is a pervasive concept. Four critical components of risk that are relevant in conducting an audit Business risk - risk that affects the operations and potential outcomes of organizational activities Financial reporting risk - risk that relates to the recording of transactions and the presentation of the financial data in an organization’s financial statements
Nature of Risk (continued) Engagement Risk - risk that auditors encounter by being associated with a particular client, including loss of reputation, inability of the client to pay the auditor, or financial loss Audit risk - risk that the auditor may provide an unqualified opinion on financial statements that are materially misstated
Overview of Risk Elements Affecting an Audit
LO2: Managing Engagement Risk Through Client Acceptance and Retention Decisions Management integrity Previous Auditors Prior-Year Audit Experience Independent Sources of Information Independence and competence of management and the board of directors Quality of management’s risk management process and controls
Managing Engagement Risk Through Client Acceptance and Retention Decisions (continued) Reporting requirements, including regulatory requirements Participation of key stakeholders Existence of related-party transactions The financial health of the organization
High-Risk Audit Clients Characteristics of High-risk Clients/Companies Inadequate capital Lack of long-run strategic and operational plans Low cost of entry into the market Dependence on a limited product range Dependence on technology that may quickly become obsolete Instability of future cash flows History of questionable accounting practices Previous inquiries by the SEC or other regulatory agencies
Purpose of Engagement Letter The auditor and client should have a mutual understanding of the audit process The auditor should prepare an engagement letter to clarify the responsibilities and expectations of each party, and to summarize and document this understanding including the Nature of the services to be provided Timing of those services
Purpose of Engagement Letter (continued) Expected fees and basis on which they will be billed (fixed fee, hourly rates) Auditor responsibilities including the search for fraud Client responsibilities including preparing information for the audit Need for any other services to be performed by the firm
LO3: Managing Audit Risk What is Materiality The auditor is expected to design and conduct an audit that provides reasonable assurance that material misstatements will be detected The FASB defines materiality as the “Magnitude of an omission or misstatement of accounting information that, in light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement"
Materiality (continued) Materiality has three significant dimensions: Size of the misstatement (dollar amount) Circumstances - some things are viewed more critically than others User impact - impact on potential users and the type of judgments made Determination of materiality is situation specific Although this makes determination more difficult, it allows the auditor to adjust the rigor of the audit to reflect the risk of the engagement
Materiality (continued) The lower the dollar amount of set materiality, the more rigorous the examination Most firms have guidelines for setting materiality Guidelines usually involve applying percentages to some base Guidelines may also be based on nature of the industry or other factors Auditors initially set planning materiality for the statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement
LO4: Understanding the Audit Risk Model What is Audit Risk? The risk that the auditor may provide an unqualified opinion on materially misstated financial statements. The auditor assesses engagement risk first, then sets audit risk Audit risk is inversely related to engagement risk If the auditor accepts a client with high engagement risk The auditor must conduct a more rigorous audit The auditor does this is by setting audit risk at a low level
Understanding the Audit Risk Model (continued) If the auditor accepts a client with low engagement risk The auditor will set audit risk at a higher level
Inseparability of Audit Risk & Materiality Audit risk and engagement risk relate to factors that might encourage someone to challenge the auditor's work For example, transactions that might not be material to a "healthy" company might be material to financial statement users for a company on the brink of bankruptcy The following factors help integrate the concepts of risk and materiality:
Inseparability of Audit Risk & Materiality (continued) All audits involve testing and cannot provide 100 percent assurance that the company’s financial statement are correct Some clients are not worth accepting Auditors must compete in an active marketplace for clients Auditors need to understand society's expectations of financial reporting and the audit process Auditors must identify the risky areas of a business to determine which accounts are more susceptible to material misstatement Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances
Business Risk and the Audit Process Risk-based approach to auditing: Develop understanding of management's risk management process Develop understanding of the business and the risks it faces Use the identified risks to develop expectations about account balances and financial results Assess the quality of control systems to manage risks Determine residual risks, and update expectations about account balances Manage remaining risk of account balance misstatement by determining the direct tests of account balances (detection risk) that are necessary
The Audit Risk Model The auditor sets desired audit risk based on assessed engagement risk AR = IR x CR x DR AR = Audit Risk IR = Inherent Risk CR = Control Risk DR = Detection Risk
The Audit Risk Model (continued) The audit risk model allows the auditor to consider the following: Complex or unusual transactions are more likely to recorded in error than are simple or recurring transactions Management may be motivated to misstate earnings or assets Better internal controls mean a lesser likelihood of misstatement The amount and persuasiveness of audit evidence gathered should vary directly with the likelihood of material misstatements
The Audit Risk Model (continued) Inherent Risk - Susceptibility of transactions to be recorded in error Inherent risk is higher for some items: Complex transactions are more likely to be misstated than simple transactions Estimated balances more likely to be misstated than fact based balances The auditor assesses inherent risk Control Risk - Risk that the client internal control system will fail to prevent or detect a misstatement
The Audit Risk Model (continued) The quality of controls often varies between classes of transactions The auditor assesses control risk Environment Risk - inherent and control risks combined Reflects the likelihood of material misstatements occurring Detection risk - risk that the audit procedures will fail to detect material misstatements Relates to the effectiveness of audit procedures and their application
The Audit Risk Model (continued) Detection risk is controlled by the auditor and is an integral part of audit planning The level of detection risk set directly determines the rigor of the substantive audit work performed AR = IR x CR x DR Audit risk is set inversely to the assessed level of engagement risk After audit risk is set, the auditor assesses inherent and control (environment) risks The auditor sets detection risk INVERSELY to environment risk
The Audit Risk Model (continued) Example, if the auditor is examining transactions with high inherent risk, or weak controls, the auditor will set a low detection risk Low detection risk means a low probability of NOT detecting material misstatements To achieve low detection risk, the auditor will have to perform more rigorous substantive testing For example, larger sample sizes, more reliable forms of evidence, assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing
The Audit Risk Model (continued) The audit risk model shows that the amount, nature, and timing of audit procedures depends on the level of audit risk an auditor assumes, and the level of client-related risks
LO5: Limitations of Audit Risk Model Inherent risk is difficult to formally assess Audit risk is judgmentally determined This model treats each risk component as separate and independent when in fact, this is not the case Audit technology is not so precise that each component of the model can be accurately assessed Because of these limitations, many auditors use the audit risk model as a functional, rather than mathematical model
LO6: Planning the Audit using the Audit Risk Model
Developing an Understanding of Business and Risk There are a number of information sources (including electronic sources) that auditors use to develop an understanding: Knowledge management systems Online searches Review SEC filings Company web sites Economic statistics Professional practice bulletins Stock analysts' reports
Understanding Key Business Processes Each organization has a few key processes that give them a competitive advantage (or disadvantage) The auditor should gather sufficient information to understand The key processes The industry factors affecting key processes How management monitors key processes The potential operational and financial effects associated with key processes
Understanding Key Business Processes: Sources of Information Management inquiries Review of client's budgets Tour client's plant and operations Review data processing center Review important debt covenants and board of director minutes Review relevant government regulations and client’s legal obligations
Developing Expectations Auditor should use information about the company’s key processes and risks to develop expectations about its account balances and performance These expectations should be Developed independently of management Documented, along with a rationale for the expectations Communicated to all audit team members
Assessing the Quality of the design of Internal Controls Controls include policies and procedures set by management to manage risk Auditor is particularly interested in those controls designed to protect the company's key processes and the measures used to monitor the operation of these controls Examples of these measures (key performance indicators): Backlog of work in progress Amount of return items
Assessing the Quality of the design of Internal Controls (continued) Increased disputes regarding accounts receivable or accounts payable Surveys of customer satisfaction Assessment of risk associated with financial instruments Current level of collection (loans and receivable) Employee absenteeism Decreased productivity Information processing errors Increased delays in important processes
Managing Detection and Audit Risk The auditor manages audit risk by Adjusting audit staff to reflect risk associated with a client Developing substantive tests of account balances consistent with detection risk Anticipating potential misstatements likely associated with account balances Adjusting the timing of audit tests to minimize overall audit risk
Understanding Management’s Risk Management and Control Processes Techniques used to understand the risk management and control processes in place Develop an understanding of the process Review the risk-based approach used Interview management about its risk approach, preferences etc. Review outside regulatory reports Review company policies and procedures for addressing risk
Understanding Management’s Risk Management and Control Processes Understanding company's compensation schemes Review prior years’ work Review risk management documents Determine how management and the board monitor risk, identify changes in risk, and react to mitigate, manage, or control the risk
LO7: Using Analytical Techniques to Identify Areas of Heightened Risk Auditors use analytical procedures to develop expectations of account balances These expectations are compared to recorded book values to identify misstatements Sources of data commonly used: Financial information for prior periods Expected or planned results from budgets and forecasts
Using Analytical Techniques to Identify Areas of Heightened Risk (continued) Expected or planned results from budgets and forecasts Comparison of linked accounts relationships (such as interest expense and debt) Ratios of financial information (such as common-size financial statements) Company and industry trends Relevant non-financial information
Process for Performing Analytical Procedures Develop an expectation (informed expectation) Determining the gap between auditor's expectation and what the client has recorded. The maximum acceptable difference is referred to as a threshold Differences in excess of the threshold will have to be investigated by the auditor Identifying the differences need to be investigated in greater detail
Questions arising from comparing expectations to the client’s records Why is this company experiencing such a rapid growth in insurance sales when its product depends on an ever-rising stock market and the stock market has been declining for the past three years? Why is this company experiencing rapid sales growth when the rest of the industry is showing a downturn? Why are a bank client’s loan repayments on a more current basis than those of similar banks operating in the same region with the same type of customers?
LO8: Types of Analytical Procedures Techniques commonly used Trend analysis Includes simple year-to-year comparisons of account balances, graphic presentations, and analysis of financial data, histograms of ratios, and projections of account balances based on the history of changes in the account Ratio analysis
Types of Analytical Procedures (continued) Useful in identifying significant differences between the client results and a norm (such as industry ratios) or between auditor expectations and actual results Useful in identifying potential audit problems It has power to identify unusual or unexpected changes in relationships
Commonly Used Financial Ratios
Types of Analytical Procedures Ratio and trend analysis are generally carried out at three levels: Comparison of client data with industry data May indicate problems with product quality or credit risk May result in problems in bank’s concentration of loans Data may not be comparable with client’s data Comparison of client data with similar prior-period data
Types of Analytical Procedures (continued) It is important that the auditor go through each of the steps in the process, beginning with the development of expectations Comparison of preliminary client data with expectations developed from industry trends, client budgets, other account balances, or other bases of expectations