1. Chapter 4 Audit Risk, Business Risk, and Audit Planning
Copyright © 2010 South-Western/Cengage Learning

2. Audit Opinion Formulation Process

3. LO1: Nature of Risk
Risk is a pervasive concept. Four critical components of risk that are relevant in conducting an audit
Business risk - risk that affects the operations and potential outcomes of organizational activities
Financial reporting risk - risk that relates to the recording of transactions and the presentation of the financial data in an organization’s financial statements

4. Nature of Risk (continued)
Engagement Risk - risk that auditors encounter by being associated with a particular client, including loss of reputation, inability of the client to pay the auditor, or financial loss
Audit risk - risk that the auditor may provide an unqualified opinion on financial statements that are materially misstated

5. Overview of Risk Elements Affecting an Audit

6. LO2: Managing Engagement Risk Through Client Acceptance and Retention Decisions
Management integrity
Previous Auditors
Prior-Year Audit Experience
Independent Sources of Information
Independence and competence of management and the board of directors
Quality of management’s risk management process and controls

7. Managing Engagement Risk Through Client Acceptance and Retention Decisions (continued)
Reporting requirements, including regulatory requirements
Participation of key stakeholders
Existence of related-party transactions
The financial health of the organization

8. High-Risk Audit Clients
Characteristics of High-risk Clients/Companies
Inadequate capital
Lack of long-run strategic and operational plans
Low cost of entry into the market
Dependence on a limited product range
Dependence on technology that may quickly become obsolete
Instability of future cash flows
History of questionable accounting practices
Previous inquiries by the SEC or other regulatory agencies

9. Purpose of Engagement Letter
The auditor and client should have a mutual understanding of the audit process
The auditor should prepare an engagement letter to clarify the responsibilities and expectations of each party, and to summarize and document this understanding including the
Nature of the services to be provided
Timing of those services

10. Purpose of Engagement Letter (continued)
Expected fees and basis on which they will be billed (fixed fee, hourly rates)
Auditor responsibilities including the search for fraud
Client responsibilities including preparing information for the audit
Need for any other services to be performed by the firm

11. LO3: Managing Audit Risk
What is Materiality
The auditor is expected to design and conduct an audit that provides reasonable assurance that material misstatements will be detected
The FASB defines materiality as the
“Magnitude of an omission or misstatement of accounting
information that, in light of surrounding circumstances,
makes it probable that the judgment of a reasonable
person relying on the information would have been
changed or influenced by the omission or misstatement"

12. Materiality (continued)
Materiality has three significant dimensions:
Size of the misstatement (dollar amount)
Circumstances - some things are viewed more critically than others
User impact - impact on potential users and the type of judgments made
Determination of materiality is situation specific
Although this makes determination more difficult, it allows the auditor to adjust the rigor of the audit to reflect the risk of the engagement

13. Materiality (continued)
The lower the dollar amount of set materiality, the more rigorous the examination
Most firms have guidelines for setting materiality
Guidelines usually involve applying percentages to some base
Guidelines may also be based on nature of the industry or other factors
Auditors initially set planning materiality for the statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement

14. LO4: Understanding the Audit Risk Model
What is Audit Risk?
The risk that the auditor may provide an unqualified opinion on materially misstated financial statements.
The auditor assesses engagement risk first, then sets audit risk
Audit risk is inversely related to engagement risk
If the auditor accepts a client with high engagement risk
The auditor must conduct a more rigorous audit
The auditor does this is by setting audit risk at a low level

15. Understanding the Audit Risk Model (continued)
If the auditor accepts a client with low engagement risk
The auditor will set audit risk at a higher level

16. Inseparability of Audit Risk & Materiality
Audit risk and engagement risk relate to factors that might encourage someone to challenge the auditor's work
For example, transactions that might not be material to a "healthy" company might be material to financial statement users for a company on the brink of bankruptcy
The following factors help integrate the concepts of risk and materiality:

17. Inseparability of Audit Risk & Materiality (continued)
All audits involve testing and cannot provide 100 percent assurance that the company’s financial statement are correct
Some clients are not worth accepting
Auditors must compete in an active marketplace for clients
Auditors need to understand society's expectations of financial reporting and the audit process
Auditors must identify the risky areas of a business to determine which accounts are more susceptible to material misstatement
Auditors need to develop methodologies to allocate overall assessments of materiality to individual account balances

18. Business Risk and the Audit Process
Risk-based approach to auditing:
Develop understanding of management's risk management process
Develop understanding of the business and the risks it faces
Use the identified risks to develop expectations about account balances and financial results
Assess the quality of control systems to manage risks
Determine residual risks, and update expectations about account balances
Manage remaining risk of account balance misstatement by determining the direct tests of account balances (detection risk) that are necessary

19. The Audit Risk Model
The auditor sets desired audit risk based on assessed engagement risk
AR = IR x CR x DR
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk

20. The Audit Risk Model (continued)
The audit risk model allows the auditor to consider the following:
Complex or unusual transactions are more likely to recorded in error than are simple or recurring transactions
Management may be motivated to misstate earnings or assets
Better internal controls mean a lesser likelihood of misstatement
The amount and persuasiveness of audit evidence gathered should vary directly with the likelihood of material misstatements

21. The Audit Risk Model (continued)
Inherent Risk - Susceptibility of transactions to be recorded in error
Inherent risk is higher for some items:
Complex transactions are more likely to be misstated than simple transactions
Estimated balances more likely to be misstated than fact based balances
The auditor assesses inherent risk
Control Risk - Risk that the client internal control system will fail to prevent or detect a misstatement

22. The Audit Risk Model (continued)
The quality of controls often varies between classes of transactions
The auditor assesses control risk
Environment Risk - inherent and control risks combined
Reflects the likelihood of material misstatements occurring
Detection risk - risk that the audit procedures will fail to detect material misstatements
Relates to the effectiveness of audit procedures and their application

23. The Audit Risk Model (continued)
Detection risk is controlled by the auditor and is an integral part of audit planning
The level of detection risk set directly determines the rigor of the substantive audit work performed
AR = IR x CR x DR
Audit risk is set inversely to the assessed level of engagement risk
After audit risk is set, the auditor assesses inherent and control (environment) risks
The auditor sets detection risk INVERSELY to environment risk

24. The Audit Risk Model (continued)
Example, if the auditor is examining transactions with high inherent risk, or weak controls, the auditor will set a low detection risk
Low detection risk means a low probability of NOT detecting material misstatements
To achieve low detection risk, the auditor will have to perform more rigorous substantive testing
For example, larger sample sizes, more reliable forms of evidence, assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing

25. The Audit Risk Model (continued)
The audit risk model shows that the amount, nature, and timing of audit procedures depends on the level of audit risk an auditor assumes, and the level of client-related risks

26. LO5: Limitations of Audit Risk Model
Inherent risk is difficult to formally assess
Audit risk is judgmentally determined
This model treats each risk component as separate and independent when in fact, this is not the case
Audit technology is not so precise that each component of the model can be accurately assessed
Because of these limitations, many auditors use the audit risk model as a functional, rather than mathematical model

27. LO6: Planning the Audit using the Audit Risk Model

28. Developing an Understanding of Business and Risk
There are a number of information sources (including electronic sources) that auditors use to develop an understanding:
Knowledge management systems
Online searches
Review SEC filings
Company web sites
Economic statistics
Professional practice bulletins
Stock analysts' reports

29. Understanding Key Business Processes
Each organization has a few key processes that give them a competitive advantage (or disadvantage)
The auditor should gather sufficient information to understand
The key processes
The industry factors affecting key processes
How management monitors key processes
The potential operational and financial effects associated with key processes

30. Understanding Key Business Processes: Sources of Information
Management inquiries
Review of client's budgets
Tour client's plant and operations
Review data processing center
Review important debt covenants and board of director minutes
Review relevant government regulations and client’s legal obligations

31. Developing Expectations
Auditor should use information about the company’s key processes and risks to develop expectations about its account balances and performance
These expectations should be
Developed independently of management
Documented, along with a rationale for the expectations
Communicated to all audit team members

32. Assessing the Quality of the design of Internal Controls
Controls include policies and procedures set by management to manage risk
Auditor is particularly interested in those controls designed to protect the company's key processes and the measures used to monitor the operation of these controls
Examples of these measures (key performance indicators):
Backlog of work in progress
Amount of return items

33. Assessing the Quality of the design of Internal Controls (continued)
Increased disputes regarding accounts receivable or accounts payable
Surveys of customer satisfaction
Assessment of risk associated with financial instruments
Current level of collection (loans and receivable)
Employee absenteeism
Decreased productivity
Information processing errors
Increased delays in important processes

34. Managing Detection and Audit Risk
The auditor manages audit risk by
Adjusting audit staff to reflect risk associated with a client
Developing substantive tests of account balances consistent with detection risk
Anticipating potential misstatements likely associated with account balances
Adjusting the timing of audit tests to minimize overall audit risk

35. Understanding Management’s Risk Management and Control Processes
Techniques used to understand the risk management and control processes in place
Develop an understanding of the process
Review the risk-based approach used
Interview management about its risk approach, preferences etc.
Review outside regulatory reports
Review company policies and procedures for addressing risk

36. Understanding Management’s Risk Management and Control Processes
Understanding company's compensation schemes
Review prior years’ work
Review risk management documents
Determine how management and the board monitor risk, identify changes in risk, and react to mitigate, manage, or control the risk

37. LO7: Using Analytical Techniques to Identify Areas of Heightened Risk
Auditors use analytical procedures to develop expectations of account balances
These expectations are compared to recorded book values to identify misstatements
Sources of data commonly used:
Financial information for prior periods
Expected or planned results from budgets and forecasts

38. Using Analytical Techniques to Identify Areas of Heightened Risk (continued)
Expected or planned results from budgets and forecasts
Comparison of linked accounts relationships (such as interest expense and debt)
Ratios of financial information (such as common-size financial statements)
Company and industry trends
Relevant non-financial information

39. Process for Performing Analytical Procedures
Develop an expectation (informed expectation)
Determining the gap between auditor's expectation and what the client has recorded.
The maximum acceptable difference is referred to as a threshold
Differences in excess of the threshold will have to be investigated by the auditor
Identifying the differences need to be investigated in greater detail

40. Questions arising from comparing expectations to the client’s records
Why is this company experiencing such a rapid growth in insurance sales when its product depends on an ever-rising stock market and the stock market has been declining for the past three years?
Why is this company experiencing rapid sales growth when the rest of the industry is showing a downturn?
Why are a bank client’s loan repayments on a more current basis than those of similar banks operating in the same region with the same type of customers?

41. LO8: Types of Analytical Procedures
Techniques commonly used
Trend analysis
Includes simple year-to-year comparisons of account balances, graphic presentations, and analysis of financial data, histograms of ratios, and projections of account balances based on the history of changes in the account
Ratio analysis

42. Types of Analytical Procedures (continued)
Useful in identifying significant differences between the client results and a norm (such as industry ratios) or between auditor expectations and actual results
Useful in identifying potential audit problems
It has power to identify unusual or unexpected changes in relationships

43. Commonly Used Financial Ratios

44. Types of Analytical Procedures
Ratio and trend analysis are generally carried out at three levels:
Comparison of client data with industry data
May indicate problems with product quality or credit risk
May result in problems in bank’s concentration of loans
Data may not be comparable with client’s data
Comparison of client data with similar prior-period data

45. Types of Analytical Procedures (continued)
It is important that the auditor go through each of the steps in the process, beginning with the development of expectations
Comparison of preliminary client data with expectations developed from industry trends, client budgets, other account balances, or other bases of expectations