6thrittenbergch4a

8/10/2019 6thRittenbergCh4a

1/35

1

Rittenberg/Schwieger/JohnstoneAuditing: A Business Risk Approach

Sixth Edition

Chapter 4

Audit Risk and a ClientsBusiness Risk

Copyright 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,and South-Western are trademarks used herein under license.


2/35

2

The Nature of RiskIn this chapter, we identify four critical components of risk

that affect the audit approach and audit outcomeEnterprise risk - those that affect the operations and potentialoutcomes organization activities

Engagement risk - comes with association with a specific clientFinancial reporting risk - those that relate directly to therecording transactions and the presentation of the financialstatementsAudit risk - risk an auditor may provide an unqualified opinionon financial statements that are materially misstated

Each of these components can be managedThe effectiveness of risk management processes will

determine whether the company continues to exist


3/35

3

Enterprise Risk Management(ERM)

COSO defines ERM as a

"process effected by an entity's board of directors,

management and other personnel, applied instrategy setting and across the enterprise,designed to identify potential events that mayaffect the entity, and manage risks to within itsrisk appetite, to provide reasonable assurance

regarding the achievement of entity objectives."


4/35

4

Enterprise Risk Management(ERM) (continued)

COSO elements:Risk management environment: management culture andattitude towards riskEvent identification: of events that may affect organization'sability to implement strategies or achieve objectivesRisk assessment: to determine responseRisk ResponseControl activities: policies and procedures designed to reducerisks and to assure management's directives and strategies areimplemented Information and communicationMonitoring

An effective ERM process within an organization isdesigned to provide assurance that risks are identified,

understood, and addressed


5/35

5

Organizational Risk Responses

Once risk has been identified and assessed, anorganization has four choices:

- Control the risk

- Share or transfer the risk

- Diversify against or avoid the risk

- Accept the risk

Depending on the circumstances, each of thesemay be an acceptable approach to manage risk


6/35

6

Risk Factors Affecting the Audit

Engagement RiskRisk auditors incur by being associated with a particular clientRisk is high whenever there is increased likelihood that

Auditor is associated with a failed client

Financial statements contain material misstatement that theauditor fails to find

These conditions increase the likelihood that the auditor will besued

Client Acceptance or Retention DecisionPerhaps the most important audit decision

A number of factors affect this decision, but most importantinvolve

Quality of the client's corporate governanceClient's financial health


7/35

7

Risk Factors Affecting the Audit:Corporate Governance & Client

AcceptanceThe key factors an auditor will analyzeincludeManagement integrityIndependence and competence of theaudit committee and boardQuality of ERM and controlsRegulatory and reporting requirementsParticipation of key stakeholdersExistence of related party transactions


8/35

8

Risk Factors Affecting the Audit:Financial Health of the Organization

There are a number of reasons why the auditorneeds to evaluate a potential client's financialhealth:

The auditor will most likely be sued if a client declaresbankruptcy

Investors and creditors who have lost money will look forrecovery

Attorneys will claim the financial statements were misstatedand the auditors should have known they were misstated

The auditor also needs to understand the financialhealth in order to: Assess management's motivation to misstate the financialstatementsIdentify areas that are likely to be misstated

Identify account balances that appear unusual


9/35

9

Risk Factors Affecting the Audit: OtherFactors Affecting Engagement Risk

The auditor should evaluate the company's economic prospectsto help ensure that

Important areas will be investigatedThe company will likely stay in business

High-risk companies are generally characterized byInadequate capitalLack of long-run strategic and operational plansLow cost entry into the market

Dependence on limited product offeringsDependence on technology subject to obsolescenceInstability of future cash flowsHistory of questionable accounting practicesPrevious inquiries by the SEC or other regulatory agencies


10/35

10

Risk Factors Affecting the Audit:Financial Reporting Risk

Financial reporting risk is influenced byThe company's financial healthThe quality of the company's internal controls

The complexity of the company's transactions andfinancial reportingManagement's motivation to misstate the financialstatements

These factors are interrelatedThe auditor will gather information on these issues

through reviews of previous audits, or by talkingwith the predecessor auditor


11/35

11

Accepting New Clients: AuditingStandards on Auditor Changes

SAS 84 requires a successor auditor to initiate discussions withthe predecessor to discuss the reasons for the change inauditors

Because of the confidentiality rule, the successor must first

obtain client permission to talk with predecessorThe successor is particularly interested in factors that bear on

Management integrityDisagreements with management on any substantive auditing oraccounting issuesThe predecessor's understanding of the reasons for the change

Any communications between the predecessor andmanagement or audit committee regarding fraud, illegal acts orinternal control matte


12/35

12

Accepting New Clients: TheEngagement Letter

The auditor and client should have a mutual understanding ofthe audit process

The auditor should prepare an engagement letter to clarify theresponsibilities and expectations of each party, and to

summarize and document this understanding including theNature of the services to be providedTiming of those servicesExpected fees and basis on which they will be billed (fixed fee,hourly rates)

Auditor responsibilities including the search for fraudClient responsibilities including preparing information for theauditNeed for any other services to be performed by the firm


13/35

13

What Is Materiality?The auditor is expected to plan and perform an audit that provides

reasonable assurance that material misstatements will bedetected

The FASB defines materiality as the"magnitude of an omission or misstatement of accountinginformation that, in light of surrounding circumstances, makes itprobable that the judgment of a reasonable person relying on theinformation would have been changed or influenced by the omissionor misstatement"

Materiality has three significant dimensions:Size of the misstatement (dollar amount)Circumstances - some things are viewed more critically than othersUser impact - impact on potential users and the type of judgmentsmade


14/35

14

Materiality (continued)Determination of materiality is situation specific

Although this makes determination more difficult, it allows theauditor to adjust the rigor of the audit to reflect the risk of theengagementThe lower the dollar amount of set materiality, the more rigorousthe examination

Most firms have guidelines for setting materialityGuidelines usually involve applying percentages to some baseGuidelines may also be based on nature of the industry or other

factors Auditors initially set planning materiality for the statements

as a whole, and then allocate this to individual accountsbased on their susceptibility to misstatement


15/35

15

What Is Audit Risk?

Audit risk is the risk than an auditor may issue anunqualified opinion on materially misstated financialstatements

The auditor assesses engagement risk first, then sets auditrisk

Audit risk is inversely related to engagement riskIf the auditor accepts a client with high engagement risk

The auditor must conduct a more rigorous auditThe auditor does this is by setting audit risk at a low level

If the auditor accepts a client with low engagement riskThe auditor will set audit risk at a higher level


16/35

16

Audit Risk & Materiality Audit risk and engagement risk relate to factors that might encourage

someone to challenge the auditor's workFor example, transactions that might not be material to a "healthy"

company might be material to financial statement users for a

company on the brink of bankruptcyThe following factors help integrate the concepts of risk and materiality:

All audits involve sampling and cannot provide 100 percent assurance Auditors must compete in an active marketplace for clients Auditors need to understand society's expectations of financial reporting

and the audit process Auditors must identify the risky areas of a business to determine whichaccounts are more susceptible to material misstatement

Auditors need to develop methodologies to allocate overallassessments of materiality to individual account balances


17/35

17

The Audit Risk ModelThe auditor sets desired audit risk based on assessed engagement risk

AR = IR x CR x DRAR = Audit RiskIR = Inherent Risk

CR = Control RiskDR = Detection Risk

The audit risk model allows the auditor to consider the following:Complex or unusual transactions are more likely to recorded in errorthan are simple or recurring transactionsManagement may be motivated to misstate earnings or assetsBetter internal controls mean a lesser likelihood of misstatementThe amount and persuasiveness of audit evidence gathered should varydirectly with the likelihood of material misstatements


18/35

18

The Audit Risk Model (continued)

Inherent Risk - Susceptibility of transactions to berecorded in error

Inherent risk is higher for some items:Complex transactions are more likely to be misstated thansimple transactionsEstimated balances more likely to be misstated than factbased balances

The auditor assesses inherent risk

Control Risk - Risk client controls will fail toprevent or detect a misstatementThe quality of controls often varies between classesof transactionsThe auditor assesses control risk


19/35

19

Environment Risk - inherent and control riskscombined

Reflects the likelihood of material misstatementsoccurring

Detection risk - risk audit procedures will fail todetect material misstatements

Relates to the effectiveness of audit procedures andtheir applicationDetection risk is controlled by the auditor and is anintegral part of audit planningThe level of detection risk set directly determines therigor of the substantive audit work performed

The Audit Risk Model (continued)


20/35

20

Audit Risk Model (continued)AR = IR x CR x DR Audit risk is set inversely to the assessed level of engagement risk

After audit risk is set, the auditor assesses inherent and control(environment) risksThe auditor sets detection risk INVERSELY to environment risk

Example, if the auditor is examining transactions with high inherentrisk, or weak controls, the auditor will set a low detection risk

Low detection risk means a low probability of NOT detectingmaterial misstatements

To achieve low detection risk, the auditor will have to perform morerigorous substantive testing

For example, larger sample sizes, more reliable forms of evidence,assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing

The audit risk model shows that the amount, nature, and timing of auditprocedures depends on the level of audit risk an auditor assumes,and the level of client-related risks


21/35

21

Audit Risk Model: Limitations

Inherent risk is difficult to formally assess Audit risk is subjectively determinedThe model treats each risk component asseparate and independent when clearly, thisis not the case Audit technology is not so precise that eachcomponent can be accurately assessed

Because of these limitations, many auditorsuse the audit risk model as a functional,rather than mathematical, model


22/35

22

Understanding Enterprise & FinancialReporting Risks

If there are major problems within a company, theevidence gathered from within that company willprobably be less reliable

Because of this, the auditor shouldUnderstand the company, its strategies, andoperations in depthDevelop an understanding of the market in which thecompany operatesDevelop an understanding of the economics of clienttransactionsDevelop expectations about financial results ortransaction outcomes


23/35

23

Business Risk and theAudit Process

Risk-based approach to auditing:Develop understanding of management's riskmanagement processDevelop understanding of the business and the risksit facesUse the identified risks to develop expectations aboutaccount balances and financial results

Assess the quality of control systems to manage risks

Determine residual risks, and update expectationsabout account balancesManage remaining risk of account balancemisstatement by determining the direct tests ofaccount balances (detection risk) that are necessary


24/35

24

Understanding Management'sRisk Management Process

To understand the client's risk managementprocess, auditors will normally use the followingtechniques:

Understand the processes used to evaluate risksReview the risk-based approach used by internal auditingInterview management about their risk approachReview regulatory agency reports that address company'spolicies towards riskReview company polices and procedures for addressing riskReview company compensation policies to see if they areconsistent with company's risk policies


25/35

25

Review prior years' work to determine if currentactions are consistent with risk approachdiscussed with managementReview risk management documents

If the company has strong risk managementprocesses, the auditor may focus on testingcontrols and developing corroborative evidenceon account balances

On the other hand, if the company does not have acomprehensive risk process, the auditor willassess engagement risk as high, set audit risk ata lower level, and increase direct testing

Understanding Management'sRisk Management Process (continued)


26/35

26

Developing an Understanding ofBusiness and Risk

There are a number of information sources(including electronic sources) that auditors useto develop an understanding:Intelligent agentsKnowledge management systemsOnline searchesReview SEC filings

Company web sitesEconomic statisticsProfessional practice bulletinsStock analysts' reports


27/35

27

Understanding Key BusinessProcesses

Each organization has a few key processesthat give them a competitive advantage (ordisadvantage)

The auditor should gather sufficientinformation to understand

The key processes

The industry factors affecting key processesHow management monitors key processesThe potential operational and financial effectsassociated with key processes


28/35

28

Understanding Key BusinessProcesses: Sources of InformationManagement inquiries

Predecessor auditor inquiriesReview of prior-period audit work papersReview of client's budgetsTour client's facilities and operationsReview data processing centerReview significant debt covenants and boardof director minutesReview relevant government regulations and

clients legal obligations


29/35

29

Developing Expectations

The auditor should use information about thecompanys key processes and risks to developexpectations about its account balances andperformance

These expectations should be

Developed independently of management

Documented, along with a rationale for theexpectations

Communicated to all audit team members


30/35

30

Assessing the Quality ofInternal Controls

Controls include policies and procedures set by management tomanage risk

The auditor is particularly interested in those controls designed toprotect the company's key processes and the measures used tomonitor the operation of these controls

Examples of these measures (key performance indicators):Backlog of work in progress

Amount of return itemsIncreased disputes regarding accounts receivable or accounts payable

Surveys of customer satisfactionEmployee absenteeismDecreased productivityInformation processing errorsIncreased delays in important processes


31/35

31

Managing Detection andAudit Risk

The auditor manages audit risk by Adjusting audit staff to reflect risk associatedwith a client

Developing direct tests of account balancesconsistent with detection risk

Anticipating potential misstatements likelyassociated with account balances Adjusting the timing of audit tests to minimizeoverall audit risk


32/35

32

Preliminary Financial StatementReview: Techniques & Expectations

Auditors use analytical procedures to develop expectationsof account balances

These expectations are compared to recorded book valuesto identify misstatements

Sources of data commonly used:Financial information for prior periodsExpected or planned results from budgets and forecastsComparison of linked accounts (such as interest expense and

debt)Ratios of financial information (such as common-size financialstatements)Company and industry trendsRelevant non-financial information


33/35

33

Preliminary Financial StatementReview: Techniques & Expectations

Techniques commonly usedTrend analysisComparative financial statements (horizontal

analysis)Common-sized financial statements (vertical analysis)Ratio analysis

The results of analytical procedures are placed incontext when auditors compare client results tothe client's prior performance, industry data, orclient expectations (budgets and forecasts)


34/35

34

Risk Analysis and the Conductof the Audit

The risk approach means auditors mustunderstand the company and its risks as a basisfor determining which account balances shouldbe directly tested and which can be corroboratedby analytical procedures

Linkage to direct tests of account balancesIf the auditor concludes there is a high risk of materialmisstatement

s/he mustSet materiality at an appropriate levelUse procedures appropriate for the level risk toexamine the account balance


35/35

6thrittenbergch4a

Documents