6thrittenbergch4a
TRANSCRIPT
-
8/10/2019 6thRittenbergCh4a
1/35
1
Rittenberg/Schwieger/JohnstoneAuditing: A Business Risk Approach
Sixth Edition
Chapter 4
Audit Risk and a ClientsBusiness Risk
Copyright 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,and South-Western are trademarks used herein under license.
-
8/10/2019 6thRittenbergCh4a
2/35
2
The Nature of RiskIn this chapter, we identify four critical components of risk
that affect the audit approach and audit outcomeEnterprise risk - those that affect the operations and potentialoutcomes organization activities
Engagement risk - comes with association with a specific clientFinancial reporting risk - those that relate directly to therecording transactions and the presentation of the financialstatementsAudit risk - risk an auditor may provide an unqualified opinionon financial statements that are materially misstated
Each of these components can be managedThe effectiveness of risk management processes will
determine whether the company continues to exist
-
8/10/2019 6thRittenbergCh4a
3/35
3
Enterprise Risk Management(ERM)
COSO defines ERM as a
"process effected by an entity's board of directors,
management and other personnel, applied instrategy setting and across the enterprise,designed to identify potential events that mayaffect the entity, and manage risks to within itsrisk appetite, to provide reasonable assurance
regarding the achievement of entity objectives."
-
8/10/2019 6thRittenbergCh4a
4/35
4
Enterprise Risk Management(ERM) (continued)
COSO elements:Risk management environment: management culture andattitude towards riskEvent identification: of events that may affect organization'sability to implement strategies or achieve objectivesRisk assessment: to determine responseRisk ResponseControl activities: policies and procedures designed to reducerisks and to assure management's directives and strategies areimplemented Information and communicationMonitoring
An effective ERM process within an organization isdesigned to provide assurance that risks are identified,
understood, and addressed
-
8/10/2019 6thRittenbergCh4a
5/35
5
Organizational Risk Responses
Once risk has been identified and assessed, anorganization has four choices:
- Control the risk
- Share or transfer the risk
- Diversify against or avoid the risk
- Accept the risk
Depending on the circumstances, each of thesemay be an acceptable approach to manage risk
-
8/10/2019 6thRittenbergCh4a
6/35
6
Risk Factors Affecting the Audit
Engagement RiskRisk auditors incur by being associated with a particular clientRisk is high whenever there is increased likelihood that
Auditor is associated with a failed client
Financial statements contain material misstatement that theauditor fails to find
These conditions increase the likelihood that the auditor will besued
Client Acceptance or Retention DecisionPerhaps the most important audit decision
A number of factors affect this decision, but most importantinvolve
Quality of the client's corporate governanceClient's financial health
-
8/10/2019 6thRittenbergCh4a
7/35
7
Risk Factors Affecting the Audit:Corporate Governance & Client
AcceptanceThe key factors an auditor will analyzeincludeManagement integrityIndependence and competence of theaudit committee and boardQuality of ERM and controlsRegulatory and reporting requirementsParticipation of key stakeholdersExistence of related party transactions
-
8/10/2019 6thRittenbergCh4a
8/35
8
Risk Factors Affecting the Audit:Financial Health of the Organization
There are a number of reasons why the auditorneeds to evaluate a potential client's financialhealth:
The auditor will most likely be sued if a client declaresbankruptcy
Investors and creditors who have lost money will look forrecovery
Attorneys will claim the financial statements were misstatedand the auditors should have known they were misstated
The auditor also needs to understand the financialhealth in order to: Assess management's motivation to misstate the financialstatementsIdentify areas that are likely to be misstated
Identify account balances that appear unusual
-
8/10/2019 6thRittenbergCh4a
9/35
9
Risk Factors Affecting the Audit: OtherFactors Affecting Engagement Risk
The auditor should evaluate the company's economic prospectsto help ensure that
Important areas will be investigatedThe company will likely stay in business
High-risk companies are generally characterized byInadequate capitalLack of long-run strategic and operational plansLow cost entry into the market
Dependence on limited product offeringsDependence on technology subject to obsolescenceInstability of future cash flowsHistory of questionable accounting practicesPrevious inquiries by the SEC or other regulatory agencies
-
8/10/2019 6thRittenbergCh4a
10/35
10
Risk Factors Affecting the Audit:Financial Reporting Risk
Financial reporting risk is influenced byThe company's financial healthThe quality of the company's internal controls
The complexity of the company's transactions andfinancial reportingManagement's motivation to misstate the financialstatements
These factors are interrelatedThe auditor will gather information on these issues
through reviews of previous audits, or by talkingwith the predecessor auditor
-
8/10/2019 6thRittenbergCh4a
11/35
11
Accepting New Clients: AuditingStandards on Auditor Changes
SAS 84 requires a successor auditor to initiate discussions withthe predecessor to discuss the reasons for the change inauditors
Because of the confidentiality rule, the successor must first
obtain client permission to talk with predecessorThe successor is particularly interested in factors that bear on
Management integrityDisagreements with management on any substantive auditing oraccounting issuesThe predecessor's understanding of the reasons for the change
Any communications between the predecessor andmanagement or audit committee regarding fraud, illegal acts orinternal control matte
-
8/10/2019 6thRittenbergCh4a
12/35
12
Accepting New Clients: TheEngagement Letter
The auditor and client should have a mutual understanding ofthe audit process
The auditor should prepare an engagement letter to clarify theresponsibilities and expectations of each party, and to
summarize and document this understanding including theNature of the services to be providedTiming of those servicesExpected fees and basis on which they will be billed (fixed fee,hourly rates)
Auditor responsibilities including the search for fraudClient responsibilities including preparing information for theauditNeed for any other services to be performed by the firm
-
8/10/2019 6thRittenbergCh4a
13/35
13
What Is Materiality?The auditor is expected to plan and perform an audit that provides
reasonable assurance that material misstatements will bedetected
The FASB defines materiality as the"magnitude of an omission or misstatement of accountinginformation that, in light of surrounding circumstances, makes itprobable that the judgment of a reasonable person relying on theinformation would have been changed or influenced by the omissionor misstatement"
Materiality has three significant dimensions:Size of the misstatement (dollar amount)Circumstances - some things are viewed more critically than othersUser impact - impact on potential users and the type of judgmentsmade
-
8/10/2019 6thRittenbergCh4a
14/35
14
Materiality (continued)Determination of materiality is situation specific
Although this makes determination more difficult, it allows theauditor to adjust the rigor of the audit to reflect the risk of theengagementThe lower the dollar amount of set materiality, the more rigorousthe examination
Most firms have guidelines for setting materialityGuidelines usually involve applying percentages to some baseGuidelines may also be based on nature of the industry or other
factors Auditors initially set planning materiality for the statements
as a whole, and then allocate this to individual accountsbased on their susceptibility to misstatement
-
8/10/2019 6thRittenbergCh4a
15/35
15
What Is Audit Risk?
Audit risk is the risk than an auditor may issue anunqualified opinion on materially misstated financialstatements
The auditor assesses engagement risk first, then sets auditrisk
Audit risk is inversely related to engagement riskIf the auditor accepts a client with high engagement risk
The auditor must conduct a more rigorous auditThe auditor does this is by setting audit risk at a low level
If the auditor accepts a client with low engagement riskThe auditor will set audit risk at a higher level
-
8/10/2019 6thRittenbergCh4a
16/35
16
Audit Risk & Materiality Audit risk and engagement risk relate to factors that might encourage
someone to challenge the auditor's workFor example, transactions that might not be material to a "healthy"
company might be material to financial statement users for a
company on the brink of bankruptcyThe following factors help integrate the concepts of risk and materiality:
All audits involve sampling and cannot provide 100 percent assurance Auditors must compete in an active marketplace for clients Auditors need to understand society's expectations of financial reporting
and the audit process Auditors must identify the risky areas of a business to determine whichaccounts are more susceptible to material misstatement
Auditors need to develop methodologies to allocate overallassessments of materiality to individual account balances
-
8/10/2019 6thRittenbergCh4a
17/35
17
The Audit Risk ModelThe auditor sets desired audit risk based on assessed engagement risk
AR = IR x CR x DRAR = Audit RiskIR = Inherent Risk
CR = Control RiskDR = Detection Risk
The audit risk model allows the auditor to consider the following:Complex or unusual transactions are more likely to recorded in errorthan are simple or recurring transactionsManagement may be motivated to misstate earnings or assetsBetter internal controls mean a lesser likelihood of misstatementThe amount and persuasiveness of audit evidence gathered should varydirectly with the likelihood of material misstatements
-
8/10/2019 6thRittenbergCh4a
18/35
18
The Audit Risk Model (continued)
Inherent Risk - Susceptibility of transactions to berecorded in error
Inherent risk is higher for some items:Complex transactions are more likely to be misstated thansimple transactionsEstimated balances more likely to be misstated than factbased balances
The auditor assesses inherent risk
Control Risk - Risk client controls will fail toprevent or detect a misstatementThe quality of controls often varies between classesof transactionsThe auditor assesses control risk
-
8/10/2019 6thRittenbergCh4a
19/35
19
Environment Risk - inherent and control riskscombined
Reflects the likelihood of material misstatementsoccurring
Detection risk - risk audit procedures will fail todetect material misstatements
Relates to the effectiveness of audit procedures andtheir applicationDetection risk is controlled by the auditor and is anintegral part of audit planningThe level of detection risk set directly determines therigor of the substantive audit work performed
The Audit Risk Model (continued)
-
8/10/2019 6thRittenbergCh4a
20/35
20
Audit Risk Model (continued)AR = IR x CR x DR Audit risk is set inversely to the assessed level of engagement risk
After audit risk is set, the auditor assesses inherent and control(environment) risksThe auditor sets detection risk INVERSELY to environment risk
Example, if the auditor is examining transactions with high inherentrisk, or weak controls, the auditor will set a low detection risk
Low detection risk means a low probability of NOT detectingmaterial misstatements
To achieve low detection risk, the auditor will have to perform morerigorous substantive testing
For example, larger sample sizes, more reliable forms of evidence,assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing
The audit risk model shows that the amount, nature, and timing of auditprocedures depends on the level of audit risk an auditor assumes,and the level of client-related risks
-
8/10/2019 6thRittenbergCh4a
21/35
21
Audit Risk Model: Limitations
Inherent risk is difficult to formally assess Audit risk is subjectively determinedThe model treats each risk component asseparate and independent when clearly, thisis not the case Audit technology is not so precise that eachcomponent can be accurately assessed
Because of these limitations, many auditorsuse the audit risk model as a functional,rather than mathematical, model
-
8/10/2019 6thRittenbergCh4a
22/35
22
Understanding Enterprise & FinancialReporting Risks
If there are major problems within a company, theevidence gathered from within that company willprobably be less reliable
Because of this, the auditor shouldUnderstand the company, its strategies, andoperations in depthDevelop an understanding of the market in which thecompany operatesDevelop an understanding of the economics of clienttransactionsDevelop expectations about financial results ortransaction outcomes
-
8/10/2019 6thRittenbergCh4a
23/35
23
Business Risk and theAudit Process
Risk-based approach to auditing:Develop understanding of management's riskmanagement processDevelop understanding of the business and the risksit facesUse the identified risks to develop expectations aboutaccount balances and financial results
Assess the quality of control systems to manage risks
Determine residual risks, and update expectationsabout account balancesManage remaining risk of account balancemisstatement by determining the direct tests ofaccount balances (detection risk) that are necessary
-
8/10/2019 6thRittenbergCh4a
24/35
24
Understanding Management'sRisk Management Process
To understand the client's risk managementprocess, auditors will normally use the followingtechniques:
Understand the processes used to evaluate risksReview the risk-based approach used by internal auditingInterview management about their risk approachReview regulatory agency reports that address company'spolicies towards riskReview company polices and procedures for addressing riskReview company compensation policies to see if they areconsistent with company's risk policies
-
8/10/2019 6thRittenbergCh4a
25/35
25
Review prior years' work to determine if currentactions are consistent with risk approachdiscussed with managementReview risk management documents
If the company has strong risk managementprocesses, the auditor may focus on testingcontrols and developing corroborative evidenceon account balances
On the other hand, if the company does not have acomprehensive risk process, the auditor willassess engagement risk as high, set audit risk ata lower level, and increase direct testing
Understanding Management'sRisk Management Process (continued)
-
8/10/2019 6thRittenbergCh4a
26/35
26
Developing an Understanding ofBusiness and Risk
There are a number of information sources(including electronic sources) that auditors useto develop an understanding:Intelligent agentsKnowledge management systemsOnline searchesReview SEC filings
Company web sitesEconomic statisticsProfessional practice bulletinsStock analysts' reports
-
8/10/2019 6thRittenbergCh4a
27/35
27
Understanding Key BusinessProcesses
Each organization has a few key processesthat give them a competitive advantage (ordisadvantage)
The auditor should gather sufficientinformation to understand
The key processes
The industry factors affecting key processesHow management monitors key processesThe potential operational and financial effectsassociated with key processes
-
8/10/2019 6thRittenbergCh4a
28/35
28
Understanding Key BusinessProcesses: Sources of InformationManagement inquiries
Predecessor auditor inquiriesReview of prior-period audit work papersReview of client's budgetsTour client's facilities and operationsReview data processing centerReview significant debt covenants and boardof director minutesReview relevant government regulations and
clients legal obligations
-
8/10/2019 6thRittenbergCh4a
29/35
29
Developing Expectations
The auditor should use information about thecompanys key processes and risks to developexpectations about its account balances andperformance
These expectations should be
Developed independently of management
Documented, along with a rationale for theexpectations
Communicated to all audit team members
-
8/10/2019 6thRittenbergCh4a
30/35
30
Assessing the Quality ofInternal Controls
Controls include policies and procedures set by management tomanage risk
The auditor is particularly interested in those controls designed toprotect the company's key processes and the measures used tomonitor the operation of these controls
Examples of these measures (key performance indicators):Backlog of work in progress
Amount of return itemsIncreased disputes regarding accounts receivable or accounts payable
Surveys of customer satisfactionEmployee absenteeismDecreased productivityInformation processing errorsIncreased delays in important processes
-
8/10/2019 6thRittenbergCh4a
31/35
31
Managing Detection andAudit Risk
The auditor manages audit risk by Adjusting audit staff to reflect risk associatedwith a client
Developing direct tests of account balancesconsistent with detection risk
Anticipating potential misstatements likelyassociated with account balances Adjusting the timing of audit tests to minimizeoverall audit risk
-
8/10/2019 6thRittenbergCh4a
32/35
32
Preliminary Financial StatementReview: Techniques & Expectations
Auditors use analytical procedures to develop expectationsof account balances
These expectations are compared to recorded book valuesto identify misstatements
Sources of data commonly used:Financial information for prior periodsExpected or planned results from budgets and forecastsComparison of linked accounts (such as interest expense and
debt)Ratios of financial information (such as common-size financialstatements)Company and industry trendsRelevant non-financial information
-
8/10/2019 6thRittenbergCh4a
33/35
33
Preliminary Financial StatementReview: Techniques & Expectations
Techniques commonly usedTrend analysisComparative financial statements (horizontal
analysis)Common-sized financial statements (vertical analysis)Ratio analysis
The results of analytical procedures are placed incontext when auditors compare client results tothe client's prior performance, industry data, orclient expectations (budgets and forecasts)
-
8/10/2019 6thRittenbergCh4a
34/35
34
Risk Analysis and the Conductof the Audit
The risk approach means auditors mustunderstand the company and its risks as a basisfor determining which account balances shouldbe directly tested and which can be corroboratedby analytical procedures
Linkage to direct tests of account balancesIf the auditor concludes there is a high risk of materialmisstatement
s/he mustSet materiality at an appropriate levelUse procedures appropriate for the level risk toexamine the account balance
-
8/10/2019 6thRittenbergCh4a
35/35