Chapter 4
Audit Risk and a Client’s Business Risk
I. NATURE OF RISK
a. The four critical components of risk that will affect the audit approach and audit outcome are:
i.
ii. Engagement Risk – the risk auditors encounter by being associated with a particular client: loss of reputation, inability of the client to pay the auditor, or financial loss because management is not honest and inhibits the audit process.
iii. Financial Reporting Risk – those risks that relate directly to the recording of transactions and the presentation of financial data in an organization’s financial statements.
iv. Audit Risk – the risk that the auditor may provide an unqualified opinion on financial statements that are materially misstated.
b. Each of the components is interrelated and can be managed. The effectiveness of risk management processes will determine whether or not a company continues to exist, and indeed, whether or not an audit firm will continue to exist. This chapter identifies a framework for identifying and managing risks to minimize the auditor’s risk associated with issuing an audit opinion on a company’s financial statements or on the quality of its internal accounting controls.
c. The integrity of management and the quality of the company’s financial condition affect whether or not an auditor wants to be associated with a client. This is engagement risk. All of the above factors, plus the quality of internal controls and the complexity of the organization’s financial processes, affect financial reporting risk. The auditor must assess this risk as a basis for identifying areas most likely to be misstated as well as a basis for determining the overall audit approach and extent of procedures to be performed.
d. The auditor first starts with knowledge about factors that affect the entity’s operations and its prospects for success. The auditor must understand the complexity of the business and its risks as a basis for determining:
i. whether the auditor has sufficient knowledge to audit the client;
ii. whether the auditor understands the approaches taken by management to manage risks; and
iii. how to assess the measurement of the risks that affect the financial statements, e.g. inventory obsolescence, collectibility of loans.
e. The bottom line for the auditor is audit risk. It is something that the auditor must determine, i.e. how much risk the auditor is willing to take that s/he may render an inappropriate opinion on the financial statements. If all of the other factors show risk to be high, then the auditor, if s/he decides to accept the engagement at all, must control audit risk so that it is at a very low level. Audit risk will be discussed in more detail in the third section of the chapter.
II. RISK FACTORS AFFECTING THE AUDIT
a. Public accounting firms have placed increased emphasis on procedures and information that help them assess whether or not they want to serve as the auditor for a company. Increasingly, audit firms are:
i. walking away from clients that they perceive to be high risk, or
ii. requiring major changes to the organization, including management changes, before accepting an audit client.
b. Engagement Risk
i. Defined as the risk (resulting in a potential loss) that an auditor might incur by being associated with a particular client. It increases with any of the following:
1. Management with questionable integrity
2. A failed company (i.e. bankruptcy)
3. A materially misstated financial statement
a. Any of these conditions increases the likelihood that a public accounting firm will be sued and will incur costs in defending the suit or, in some cases, incur additional costs if the court finds the auditing firm liable for damages.
ii. Auditor manages this risk by:
1. Not associating with “high risk” audit clients
2. Setting audit risk low (i.e. increasing the amount of audit work to render an audit opinion)
c. Client Acceptance or Retention Risk
i. The retention or acceptance of a client is probably the most important decision a firm makes. Most audit firms have developed detailed checklists that are reviewed annually for the continuation of audit clients. There are a number of factors that affect the auditor’s decision, but the major factors revolve around the quality of corporate governance and the financial health of the organization.
d. Corporate Governance and Client Acceptance
i. The quality of corporate governance is often a major factor in the decision to retain or accept a client. Some of the key factors for analysis include:
1. Management integrity
2. Management integrity is probably the most important factor for the auditor to assess and understand in every audit engagement, and in the decision to accept an audit client. There are a number of potential sources that the auditor should consult in gathering information on management integrity.
3.
a. The auditor should gather enough information to assess whether or not the audit committee is both competent and acts in an independent fashion. The auditor should also understand the audit committee’s commitment to transparent financial reporting and its approach in supporting internal auditing as an independent review function.
4. Quality of management’s risk management process and internal controls
a. The auditor should assess management’s commitment to implementing an effective ERM system with accompanying controls.
5. Reporting requirements, including regulatory requirements
a. The auditor should review previous reports to regulatory agencies such as those filed with the SEC to determine if the regulatory auditors have identified problems with the company or its management. When a change in auditing firms occurs, the dismissed CPA must communicate with the Securities and Exchange Commission (SEC) stating whether the auditor agrees with the information reported by the client in its Form 8-K.
6. Participation of key stakeholders
a. Outside stakeholders often have an important stake in the audit. When possible, the auditor should make inquiries of such stakeholders to
i. understand their concerns; and
ii. understand key compliance issues (e.g. lending agreements that will affect the conduct of the audit).
7. Existence of related-party transactions
a. The auditor should search for the existence of related party transactions. While such transactions may have economic motivation, especially for tax purposes, they often represent a potential breakdown in corporate governance that is designed to provide advantages to company management. Related party transactions should not be looked at as a part of normal business. They are always high risk to the auditor.
8. Financial Health of the Organization.
a. The auditor is more likely to be sued if an organization declares bankruptcy than if the organization is financially healthy. The auditor also needs to understand the financial health of the organization to:
i. assess management’s motivation to misstate the financial statements,
ii. identify areas that are more likely to be misstated,
iii. identify account balances that appear to be out of the norm.
9. Other Factors Affecting Engagement Risk.
a. The auditor should also evaluate the economic prospects of the company to help ensure that
i. important areas will be investigated, and
ii. the company will likely stay in business.
b. High-risk companies are generally characterized by:
i. Inadequate capital
ii. Lack of long-run strategic and operational plans
iii. Low cost of entry into the market
iv. Dependence on a limited product range
v. Dependence on technology that may quickly become obsolete
vi. Instability of future cash flows
vii. History of questionable accounting practices
viii. Previous inquiries by the SEC or other regulatory agencies
10. Financial Reporting Risk.
a. Financial reporting risk is related to the company’s financial health and is influenced by three other factors:
i. the quality of the company’s internal controls,
ii. the complexity of the company’s transactions and financial reporting,
iii. management’s motivation to misstate the financial statements.
iv. the company’s financial health
b. These four elements are interrelated. For example, if management is motivated to misstate the financial statements because of economic problems, it is easier to do so if the company has poor internal controls and complex financial reporting issues.
e. Accepting New Clients: Minimizing Risk
i. Auditing Standards on Accounting Firm Changes.
1. A successor auditor is required to initiate discussions with the predecessor auditor to gain an understanding of the reason for the change in CPA firm. The auditor is particularly interested in determining whether the previous auditor discovered anything prejudicial to the client or disagreed with the client on auditing or accounting procedures—anything substantive that would have led to the auditor’s dismissal or resignation. Because of the confidentiality rule, the successor auditor must obtain the client’s permission to talk with the predecessor auditor. The standard urges the auditor to make certain inquiries regarding factors that bear on:
a. Integrity of management
b. Disagreements with management as to accounting principles, auditing procedures, or other similarly significant matters
c. The predecessor’s understanding of the reasons for the change of auditors
d. Any communications by the predecessor to the client’s management or audit committee concerning fraud, illegal acts by the client, and matters related to internal control
ii. The Engagement Letter.
1. The auditor and client should have a mutual understanding of the nature of the audit services to be performed, the timing of those services, the expected fees and the basis on which they will be billed, the responsibilities of the auditor in searching for fraud, the client’s responsibilities for preparing information for the audit, and the need for other services to be performed by the CPA firm.
III. MATERIALITY and AUDIT RISK
a. Materiality.
i. The auditor is expected to design and conduct an audit that provides reasonable assurance that material errors or irregularities will be detected. The concept of materiality is pervasive and guides the nature and extent of auditing. For any given client, materiality is not simply a function of specific dollar amounts in the organization’s financial statements. An auditor must understand who are the potential users and the type of judgments made by those users when relying on financial statements.
b. Materiality Guidance.
i. Most public accounting firms provide decision-making guidance to their staff auditors to promote consistent judgments across the firm. The guidelines usually involve applying percentages to some base, such as total assets, total revenue, or pretax income. In choosing a base, the auditor considers the stability of the base from year to year, so that overall materiality does not fluctuate significantly between annual audits. Income is often more volatile than total assets or revenue. But any guidance is just that. The auditor may use it as a starting point that should be adjusted for the qualitative conditions of the particular audit.
c. SEC Guidance on Materiality.
i. The SEC has been very critical of the accounting profession in the past few years for not sufficiently examining qualitative factors in making materiality decisions. In particular, the SEC has criticized the profession for:
1. Netting (offsetting) material misstatements
2. Not applying the materiality concept to “swings” in accounting estimates
3. Consistently “passing” on individual adjustments that may not be considered material
d. Audit Risk Defined.
i. Audit risk is defined as the risk that the auditor may give an unqualified opinion on materially misstated financial statements. Audit risk may lead to lawsuits or other actions that may be costly to the auditor. The auditor must assess engagement risk to determine (1) whether to accept an audit client; and (2) the likelihood that an audit may be questioned. If the auditor believes there is a high likelihood an audit may be questioned, the auditor might not accept the engagement. If the auditor accepts the engagement, then it is important to perform “extra” audit work to ensure there is little risk that the audit opinion is incorrect. The auditor assesses engagement risk and then sets audit risk.
e. Inseparability of Audit Risk and Materiality.
i. Audit risk and engagement risk relate to factors that would likely encourage someone to challenge the auditor’s work. If a company is on the brink of bankruptcy, transactions that might not be material to a “healthy” company of similar size may be material to the users of the potentially bankrupt company’s financial statements.
f. The Audit Risk Model.
i. The auditor sets desired audit risk based on the assessment of engagement risk. Some firms implement the concept by setting desired audit risk at a 0.01 level for high-risk clients and 0.05 for lower-risk clients. Other auditing firms work with the broader description of audit risk as high, moderate, or low and adjust the nature of their audit procedures accordingly. The following general observations flow from the nature of accounting transactions:
1. Complex or unusual transactions are more likely to be recorded in error than are recurring or routine transactions.
2. Some managers may be motivated to misstate earnings or assets to achieve personal goals.
3. The better the organization’s controls, the lower the likelihood of material misstatements.
4. The amount and persuasiveness of audit evidence gathered should vary directly with the likelihood of material misstatements existing in the accounting records; that is, more reliable evidence is required when the risk of material misstatements is higher.
ii. These general premises have been incorporated into an audit risk (AR) model with three components: inherent risk (IR), control risk (CR), and detection risk (DR) as follows:
AR = f(IR, CR, DR)
1. Where:
a. Inherent risk (IR) is the initial susceptibility of a transaction or accounting adjustment to be recorded in error, or for the transaction not to be recorded in the absence of internal controls.
b. Control risk (CR) is the risk that the client’s internal control system will fail to prevent or detect a misstatement.
c. Detection risk (DR) is the risk that the audit procedures will fail to detect a material misstatement.
2. The audit risk model is sometimes written as a multiplicative model in the following form to illustrate the logical relationships within the model:
AR = IR * CR * DR
3. Audit risk is a planning judgment that is set by the auditor. The auditor assesses the inherent and control risk (the likelihood of a misstatement occurring and not being detected) for each significant component of the financial statements. From these two assessments, the auditor determines the level of detection risk for each significant component of the financial statements.
g. Illustration of the Audit Risk Model.
i. If the input and process are reliable (low environment risk), then there is little likelihood that the account balance is misstated and the auditor will have to perform only a minimal amount of work to ensure that the account balance is correct. However, if the client’s control system is weak, if management is motivated to misstate the account balance, or if the nature of the transaction is inherently difficult, then environment risk would be assessed as high. Consequently, the auditor will have to do more work directly testing the account balance. The auditor cannot accept much risk that the auditing procedures will fail to find a material misstatement.
ii. The audit risk model may also be illustrated using a quantitative approach with probability assessments applied to each of the model’s components. Although useful, a strictly quantitative approach tends to give the appearance that each component can be precisely measured—when they cannot be.
iii. Quantitative Example of Audit Risk: High Environment Risk.
1. The auditor places inherent risk and control risk at the maximum. This implies that the client does not have effective internal control.
iv. Quantitative Example: Environment Risk is Low
1. The auditor places inherent risk and control risk at a nominal or lesser factor. This implies that the client does have effective internal control.
v. Limitations of Audit Risk Model.
1. The audit risk model has some limitations that make its actual implementation difficult. In addition to the danger that auditors will look at the model too mechanically, CPA firms in determining their approach to implementing the model have considered the following limitations:
a. Inherent risk is difficult to formally assess.
b. Audit risk is subjectively determined.
i. Many auditors set audit risk at some nominal level, such as 5 percent. However, no firm could survive if 5 percent of their audits were in error. Audit risk on most engagements is much lower than 5 percent because of conservative assumptions that take place when inherent risk is assessed at the maximum. Setting inherent risk at 100 percent implies that every transaction is initially recorded in error. It is very rare that every transaction would be in error. Because such a conservative assessment leads to more audit work, the real level of audit risk will be less than 5 percent.
c. The model treats each risk component as separate and independent when in fact the components are not independent.
d. Audit technology is not so precisely developed that each component of the model can be accurately assessed.
IV. DEVELOPING AN UNDERSTANDING OF
a. Lessons Learned – the
i. If there are major problems within a company, it is likely that the reliability of evidence gathered from within the company will be reduced. Because of the reduced reliability of internally generated evidence, the auditor should:
1. understand the company, its strategies, and operations in depth;
2. develop an understanding of the market in which the company operates, including economic trends, product trends, and competitor actions;
3. develop an understanding of the economics of the client’s transactions; and
4. develop a set of expectations about financial results or transaction outcomes.
ii. Auditors must understand all aspects of risk, but should start with a thorough analysis of the company’s business, its strategy, the nature of its transactions, its processes to identify and manage risk, and the economics of its transactions. The approach is summed up as follows:
1. Develop an independent understanding of the business as well as the risks the organization faces.
2. Use the risks identified to develop expectations about account balances and financial results.
3. Assess the quality of control system to manage risks.
4. Determine residual risks, and update expectations about financial account balances.
5. Manage remaining risk of account balance misstatement by determining the direct tests of account balances (detection risk) that are necessary.
b. Understanding Management’s Risk Management Process.
i. To understand the processes in place, the auditor will normally utilize some or all of the following techniques:
1. Develop an understanding of the processes utilized by the board of directors and management to periodically evaluate risks.
2. Review the risk-based approach used by internal auditing with the director of internal auditing and the audit committee.
3. Interview management about their risk approach, risk preferences, risk appetite, and the relationship of risk analysis to strategic planning.
4. Review outside regulatory reports, where applicable, that address the company’s policies and procedures toward risk.
5. Review company policies and procedures for addressing risk.
6. Gain a knowledge of company compensation schemes to determine if they are consistent with the risk policies adopted by the company.
7. Review prior years’ work to determine if current actions are consistent with risk approaches discussed with management.
8. Review risk management documents.
ii. If the auditor determines through inquiry and testing that the company has strong risk management processes in place, the auditor may be able to focus the audit program on testing controls and developing corroborative evidence on account balances. On the other hand, if the company does not have a comprehensive risk process in place, the auditor will assess the engagement risk as high, set audit risk at a lower level, and increase the extent of direct testing.
c. Developing an Understanding of Business and Risks.
i. The auditor will utilize a variety of tools to understand the client’s business and its business risk. Much of the work will be done by monitoring the financial press, SEC filings, reading broker analyses, and developing a firm-based knowledge management system, and utilizing electronic agents and other online information sources about a company. Some traditional approaches will continue to be used, including inquiries of management, inquiries of business people, and review of legal or regulatory proceedings against the company.
ii. Electronic Sources of Information.
1. Following are some of the major online activities an auditor can use to learn more about a company:
a. Intelligent agents
b. Knowledge management system
c. Online searches
d. Review of SEC filings
e. Company websites
f. Economic statistics
g. Professional practice bulletins
iii. Understanding Key Business Processes.
1. Each organization has a few key processes that give them a competitive advantage (or disadvantage). The auditor should gather sufficient information to understand the key processes, the industry factors affecting key processes, how management monitors key processes, and the potential operational and financial effects associated with key processes.
iv. Sources of Information About Key Processes.
1. Following are other sources of information about the company:
a. Management inquiries
b. Review of client’s budget
c. Tour of client’s plant and operations
d. Review of data processing center
e. Review important debt covenants and board of director minutes
f. Review relevant government regulations and client’s legal obligations
v. Develop Expectations.
1. The auditor should, and can, develop informed expectations about company results without having set foot within the company. The expectations should be documented, along with a rationale for the expectations. The analysis of the company should be communicated to all audit team members, emphasizing an understanding of the areas they are assigned to audit.
vi. Assess Quality of Internal Controls
1. Controls exist to help the organization better manage risks. The controls range from broad policies to effective oversight, starting with the board of directors and permeating through management to every level in the organization. The auditor may gain a great deal of confidence about the correctness of financial account balances based on their confidence in the client’s system and the consistency of its operations with objectively developed expectations.
vii. Assess Risk that an Account Balance is Misstated
1. If the auditor has a sound basis to believe the risk of misstatement is low (low inherent risk, low control risk, and corroborating evidence through analytical procedures), the auditor may be able to gain satisfaction regarding the account balance without directly testing the account balances. Other techniques such as using analytical procedures, analyzing the quality of the control system in minimizing misstatements and in encouraging reasonable accounting estimates, and forming other expectations based on knowledge of the business can yield persuasive evidence about the correctness of an account balance.
viii. Managing Detection and Audit Risk
1. The auditor manages audit risk through:
a. adjusting audit staffing to reflect the risk associated with the client;
b. developing direct tests of account balances consistent with the detection risk associated with the risk analysis;
c. anticipating potential misstatements or accounting problems likely to be associated with account balances; and
d. adjusting the timing of audit tests to minimize overall audit risk.
d. Preliminary Financial Statement Review: Techniques and Expectations
i. The auditor should apply financial analysis techniques to the client’s unaudited financial statements and industry data to better identify the risk of misstatement in particular account balances.
ii. Assumptions Underlying Analytical Techniques.
1. A basic premise underlying the application of analytical procedures is that plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary.
iii. Trend Analysis.
1. Trend analysis includes simple year-to-year comparisons of account balances, graphic presentations, and analysis of financial data, histograms of ratios, and projections of account balances based on the history of changes in the account. It is imperative for the auditor to establish decision rules in advance in order to identify unexpected results for additional investigation.
iv. Ratio Analysis
1. Ratio analysis is more effective than simple trend analysis because it takes advantage of economic relationships between two or more accounts. It is widely used because of its power to identify unusual or unexpected changes in relationships. Ratio analysis is useful in identifying significant differences between the client results and a norm (such as industry ratios), or between auditor expectations and actual results. It is also useful in identifying potential audit problems that may be found in ratio changes between years (such as inventory turnover).
v. Commonly Used Financial Ratios
1. Ratio and trend analysis are generally carried out at three levels:
a. Comparison of client data with industry data
b. Comparison of client data with similar prior-period data
c. Comparison of preliminary client data with expectations developed from industry trends, client budgets, other account balances, or other bases of expectations.
vi. Comparison with Industry Data
1. Financial service companies such as Dun and Bradstreet, Dow Jones Information Services, and Robert Morris Associates accumulate financial information for thousands of companies and compile the data for different lines of businesses. Many CPA firms purchase these publications as a basis for making industry comparisons. One potential limitation to utilizing industry data is that such data might not be directly comparable to the client. Companies may be quite different but still classified within one broad industry. Also, other companies in the industry may use accounting principles different from the client’s (for example, LIFO versus FIFO).
vii. Comparison with Previous Year Data
1. Simple ratio analysis comparing current and past data that is prepared as a routine part of planning an audit can highlight risks of misstatement. The auditor often develops ratios on asset turnover, liquidity, and product-line profitability to search for potential signals of risk.
viii. Comparison with Expectations.
1. Developing informed expectations, and critically appraising client performance in relationship to those expectations, is fundamental to a risk analysis approach to auditing. The auditor needs to understand developments in the client’s industry, general economic factors, and the client’s strategic development plans in order to generate informed expectations about client results. This analysis provides a basis for identifying risks and developing expectations about account balances.
e. Risk Analysis and the Conduct of the Audit.
1. The risk approach to auditing implies a significant change in the structure and composition of audit firms and audit teams. Auditors must be business savvy and business alert. The auditor must understand the company and its risks as a basis for determining which account balances should be directly tested as well as which ones can be corroborated by analytical procedures.
2. Linkage to Direct Tests of Account Balances.
a. The auditor assesses the likelihood that an account balance contains a material misstatement. For example, assume the auditor concludes there is a high risk that management is using “reserves” or account balance estimates to manage earnings. In such a case, the auditor must set materiality at an appropriate level and undertake procedures to determine if there is an apparent manipulation of the reserves to influence reported net income.
3. Quality of Accounting Principles Used.
a. The auditor is required to discuss with the audit committee not only whether the financial statements are fairly presented in accordance with GAAP, but also whether the accounting principles chosen by management were the most appropriate. As accounting moves more towards a principles-based approach, the auditor will be challenged to thoroughly understand the economics of transactions and events to ensure they are fairly presented.