Chapter 4

Audit Risk and Business Risk

 Relevant Professional
Standards
• ASA 210 Terms of Audit Engagements
• ASA 315 Understanding the Entity and Its
Environment and Assessing the Risks of
M t i l Misstatement
Material Mi t t t
 Nature of Risk
• Four critical components
p of risk affect the audit
approach and audit outcome:
– Enterprise risk: risks that affect the operations
and potential outcomes organisation activities
– Engagement risk: comes with association with
a specific client
– Financial reporting risk: risks that relate
di
directly
tl tto th
the recording
di transactions
t ti and
d the
th
presentation of the financial statements
– Audit risk: the risk that an auditor may provide
an unqualified opinion on financial statements
that are materially misstated.
 Nature of Risk (cont.)

• Each of these components can be managed.

• Company survival depends on the
effectiveness of risk management processes.
 Enterprise Risk
Management
g (
(ERM))
• COSO defines ERM as:
‘[a]
[a] process effected by an entity
entity’s
s board of
directors, management and other personnel,
applied
app ed in strategy
st ategy setting
sett g and
a d across
ac oss the
t e
enterprise, designed to identify potential
events that may affect the entity, and manage
risks to within its risk appetite, to provide
reasonable assurance regarding the
achievement of entity objectives.
objectives ’
 Enterprise Risk
Management (cont.)
• COSO describes ERM as consisting of eight
interrelated processes:
p
– risk management environment: management
culture and attitude towards risk
– event identification: identification of events
that may affect the organisation’s ability to
implement strategies or achieve objectives
– risk assessment: assessing risks to determine
response
– risk response
 Enterprise Risk
Management
g (
(cont.)
)
– control activities: policies and procedures
designed to reduce risks and to ensure
management’s directives and strategies are
implemented
p e e ted
– information and communication
– monitoring
• An effective ERM process within an
organisation is designed to provide assurance
that risks are identified, understood and
addressed.
 Organisational Risk
Responses
p
• Once risk has been identified and assessed,
an organisation
i ti h
has four
f choices:
h i
– control the risk
– share
h or transfer
f theh risk
k
– diversify against or avoid the risk
– accept the risk.
• Depending on the circumstances, each of
these may be an acceptable approach to
manage the risk.
 Risk Factors
Affecting the Audit
• Engagement risk
– The risk auditors incur by being associated
with a particular client
– Risk is high whenever there is increased
likelihood that:
• the auditor is associated with a failed client
• financial statements contain material misstatement
that the auditor fails to find.
– These conditions increase the likelihood that
the auditor will be sued
 Risk Factors Affecting
the Audit (cont.)
( )
• Client acceptance or retention decision
– Perhaps the most important audit decision
– A decision affected by a range of factors.
The most important involve:
• the quality of the client’s corporate governance
• the client’s financial health.
 Corporate Governance
& Client Acceptance
• The key factors an auditor will analyse include:
– management integrity
– independence and competence of the
audit committee and board
– quality of ERM and controls
– regulatory and reporting requirements
– participation of key stakeholders
– existence of related party transactions.
 Organisation Financial Health

• There are a number of reasons why the auditor

needs to evaluate a potential client’s financial
health:
– The auditor will most likely be sued if a client
goes onto liquidation.
– Investors and creditors who have lost money
will look for recovery.
– Lawyers will claim the financial statements
were misstated and the auditors should have
known they were misstated.
Organisation Financial Health
(
(cont.)
)

• Th
The auditor
dit also
l needs d to
t understand
d t d the
th
financial health in order to:
– assess management’s
management s motivation to
misstate the financial statements
– identify areas that are likely to be misstated
– identify account balances that appear
unusual.
 Other Factors Affecting
E
Engagement Ri
Risk
k
• Auditors should evaluate a company’s
company s economic
prospects to ensure important areas are investigated
and the company
p y is likelyy to stay
y in business.
• High-risk companies are generally characterised by:
– inadequate
q capital
p
– lack of long-run strategic and operational plans
– low cost entry y into the market
– dependence on limited product offerings
– dependence on technology subject to obsolescence
– instability of future cash flows
– history of questionable accounting practices
– previous inquiries by regulatory agencies.
 Material Misstatement Risk

• Financial misstatement risk is influenced by

– the company’s financial health
– the quality of the company’s internal controls
– the complexity of the company’s transactions
andd financial
f l reporting
– management’s motivation to misstate the
fi
financial
i l report.
t
• These factors are interrelated.
• The auditor will gather information on these
issues through reviews of previous audits, or by
talking with the predecessor auditor.
 Accepting
p g New Clients:
Minimising Risk

• A new auditor should initiate discussions with the

predecessor to discuss the reasons for the
change in auditors.
• B
Because off the
th confidentiality
fid ti lit rule,
l the
th successor
must first obtain client permission to talk with
predecessor.
predecessor
 Accepting New Clients:
Minimising
g Risk (
(cont.)
)
• The successor is particularly interested in
factors that bear on
– management integrity
– disagreements with management on any
substantive auditing or accounting issues
– the predecessor’s
predecessor s understanding of the
reasons for the change
– any communications between the
predecessor and management or audit
committee regarding fraud, illegal acts or
internal control matters.
 Th E
The Engagementt L
Letter
tt

• The auditor and client should have a mutual

understandingg of the audit p
process.
• The auditor should prepare an engagement letter
to clarify the responsibilities and expectations of
each party, and to summarise and document this
understanding, including the:
– nature of the services to be provided
– timing of those services
– expected fees and basis on which they will be
billed (fixed fee, hourly rates)
The Engagement Letter (cont.)

• The engagement letter should also describe

the:
– auditor responsibilities, including the search
for fraud
– client responsibilities, including preparing
information for the audit
– need for any other services to be performed
byy the firm.
 Materiality and Audit Risk
• The auditor is expected to plan and perform an
audit that provides reasonable assurance that
material misstatements will be detected

• ‘Information is material if its omission,

misstatement or non-disclosure has the potential,
individually or collectively, to
a influence
i fl th
the economic i decisions
d i i off users
taken on the basis of the financial report; or
b affect the discharge of accountability by the
management or governing body of the entity.’
(AASB 1031, para. 9)
 Materiality
• Materiality has three significant dimensions:
– size of the misstatement (dollar amount)
– circumstances – some things are viewed
more critically
i i ll than
h others
h
– user impact – impact on potential users and
the type of judgements made.
made
 M t i lit (cont.)
Materiality ( t)

• Determination of materiality is situation-specific.

– Although this makes determination more
difficult, it allows the auditor to adjust the
rigour
g of the audit to reflect the risk of the
engagement.
– The lower the dollar amount of set materiality,
y,
the more rigorous the examination.
 Materiality Guidelines

• Most firms have guidelines for setting

materiality These guidelines:
materiality.
– usually involve applying percentages to
some base
– may also be based on nature of the industry
or other factors.
• Auditors initially set planning materiality for
the statements as a whole,
whole and then allocate
this to individual accounts based on their
susceptibility
p y to misstatement.
 Audit Risk
• Audit risk is the risk than an auditor may
y issue an
unqualified opinion on materially misstated
financial statements.
• The auditor assesses engagement risk first, then
sets audit risk.
• Audit risk is inversely related to engagement risk.
• If auditors accept clients with high engagement
risk, they must conduct more rigorous audits.
• Auditors do this by setting a low audit risk.
• If the auditor accepts a client with low
engagement risk, they will set audit risk at a
higher level.
 Inseparability of
A dit Risk
Audit Ri k & M
Materiality
t i lit
• Audit risk and engagement
g g risk relate to factors
that might encourage someone to challenge the
auditor’s work.
• For example, transactions that might not be
material to a ‘healthy’ company might be material
to financial statement users for a company on the
brink of bankruptcy.
• The following factors help integrate the concepts of
risk and materiality:
– All audits involve sampling and cannot provide
100 percent assurance.
– Auditors must compete in an active marketplace
for clients.
Inseparability
p y of Audit Risk
& Materiality (cont.)
– Auditors need to understand society’s
expectations
p of financial reporting
p g and the
audit process.
– Auditors must identify the risky areas of a
business to determine which accounts are
more susceptible to material misstatement.
– Auditors need to develop methodologies to
allocate overall assessments of materiality
to individual account balances.
 The Audit Risk Model

• The auditor sets desired audit risk based on

assessed engagement
g g risk:

AR = IR x CR x DR

• AR = audit risk
• IR = inherent risk
• CR = control risk
• DR = detection
d t ti risk
i k
Th A
The Audit
dit Ri
Risk
kMModel
d l((cont.)
t)
• Th
The audit
dit risk
i k model
d l allows
ll the
th auditor
dit tot
consider the following:
–C
Complexl or unusuall transactions
t ti are more
likely to recorded in error than are simple or
recurring transactions.
transactions
– Management may be motivated to misstate
earnings or assets.
assets
– Better internal controls mean a lesser
likelihood of misstatement.
misstatement
– The amount and persuasiveness of audit
evidence gathered should vary directly with
the likelihood of material misstatements.
 The Audit Risk Model (cont.)
(cont )
• Inherent risk: susceptibility of transactions to be
recorded in error. Inherent risk is higher for some
items.
– Complex
C l transactions
i are more likely
lik l to be
b
misstated than simple transactions.
– Estimated balances more likely to be misstated
than fact-based balances.
– The auditor assesses inherent risk
• Control risk: risk client controls will fail to
prevent or detect a misstatement.
– The quality of controls often varies between
classes of transactions.
– The auditor assesses control risk.
 Th A
The Audit
dit Ri
Risk
kMModel
d l((cont.)
t)
• Environment risk: inherent and control risks
combined.
– Reflects the likelihood of material
misstatements occurring.
• Detection risk: risk that audit procedures will fail
to detect material misstatements.
– Relates to the effectiveness of audit
procedures and their application.
– Is controlled by the auditor and is an integral
part of audit planning.
– The level of detection risk set directly
determines the rigour of the substantive audit
work performed.
 The Audit Risk Model (cont.)
( )
AR = IR x CR x DR

• Audit risk is set inversely to the assessed level of

engagement risk.
• After audit risk is set, the auditor assesses inherent
and control (environment) risks.
• The auditor sets detection risk inversely to
environment risk. For example, if the auditor is
examining
i i transactions
i with
i h hi
high
h iinherent
h risk
i k or
weak controls, they will set a low detection risk:
DR = AR
IR x CR
 Audit Risk Model
• Low detection risk means a low probability of
not detecting material misstatements.
• To achieve low detection risk,
risk the auditor will
have to perform more rigorous substantive
testing, such as larger sample sizes, more
reliable forms of evidence, assign more
experienced auditors, closer supervision,
greater year-end (rather than interim) testing.
• The audit risk model shows that the amount,,
nature, and timing of audit procedures
depends on the level of audit risk an auditor
assumes, and d the
th level
l l off client-related
li t l t d risks.
i k
 Limitations of the
Audit Risk Model
• Inherent risk is difficult to formally assess.
• Audit risk is subjectively determined.
• The model treats each risk component as
separate and independent when clearly this is not
the case.
• Audit technology is not so precise that each
component can be accurately assessed.
• Because of these limitations,
limitations many auditors use
the audit risk model as a functional, rather than
mathematical,, model.
 Developing an Understanding
of Business and Financial
Misstatement Risks
• If there are major problems within a company,
the evidence gathered from within that company
will probably be less reliable.
reliable
• Because of this, the auditor should
– understand
d t d th
the company, its
it strategies,
t t i and
d
operations in depth
– develop an understanding of the market in
which the company operates
– develop an understanding of the economics of
client transactions
– develop expectations about financial results or
transaction outcomes.
 The Business Risk
A
Approachh tto A
Auditing
diti
• Develop p understandingg of management’s
g risk
management process
• Develop understanding of the business and the
risks it faces
• Use the identified risks to develop expectations
about account balances and financial results
• Assess quality of control systems to manage risks
• Determine residual risk, and update expectations
about account balances
• Manage
M remaining
i i risk
i k off accountt balance
b l
misstatement by determining the direct tests of
account balances (detection risk) that are
necessary
 Understanding
g Management’s
g
Risk Management Process
• To understand the client’s risk management
process, auditors will normally use the following
techniques:
– understand the processes used to evaluate risks
– review the risk
risk-based
based approach used by
internal auditing
– interview management about its risk approach
– review regulatory agency reports that address
the company’s policies towards risk
– review
i company polices
li and
d procedures
d for
f
addressing risk
– review company compensation policies to see if
they are consistent with company’s risk policies
 Understanding Management
Management’ss
Risk Management Process (cont.)
– review prior years’ work to determine if
current actions are consistent with risk
approach discussed with management
– review risk management documents.
• If the company has strong risk management
processes, the auditor may focus on testing
controls and developing corroborative evidence
on account balances.
• On the other hand,
hand if the company does not have
a comprehensive risk process, the auditor will
assess engagement risk as high, set audit risk at
a lower level and increase direct testing.
testing
Developing an Understanding of
Business & Risks
• There are a number of information sources
(including electronic sources) that auditors use to
develop an understanding of a business and risk:
– intelligent agents
– knowledge management systems
– online searches
– review of ASIC/ASX filings
– company websites
– economic statistics
– professional practice bulletins
– stock
t k analysts’
l t ’ reports.
t
 Understanding Key
Business Processes
• Each organisation has a few key processes that
give them a competitive advantage (or
disadvantage)
• The
h auditor
d should
h ld gather
h sufficient
ff information
f
to understand:
– the key
ke processes
p o e e
– the industry factors affecting key processes
– how
h managementt monitors
it key
k processes
– the potential operational and financial effects
associated with key processes.
processes
 Sources of Information
about Key Processes
• Management inquiries
• Predecessor auditor inquiries
• Review of prior-period audit work papers
• Review of client’s budgets
• Tour of client’s facilities and operations
• Review data processing centre
• Review significant debt covenants and board of
directors’ minutes
• Review relevant government regulations and
client’s legal obligations
 Developing Expectations

• The auditor should use information about the

company’s’ k
key processes andd risks
i k to
t develop
d l
expectations about its account balances and
performance.
performance
• These expectations should be:
– developed independently of management
– documented, along with a rationale for the
expectations
t ti
– communicated to all audit team members.
 Assessing Quality of
Internal Controls
• Controls include policies and procedures set by
management to manage risk.risk
• The auditor is particularly interested in those
controls
t l d designed
i d tto protect
t t the
th company’s ’ key
k
processes and the measures used to monitor the
operation of these controls.
controls
Assessing Quality of Internal
Controls (cont.)
( )
• Examples of these measures (key performance
indicators) might include:
– backlog of work in progress
– amount of return items
– increased disputes regarding accounts
receivable or accounts payable
– surveys of customer satisfaction
– employee absenteeism
– decreased productivity
– information processing errors
– increased delays in important processes.
 Managing Detection
& Audit Risk
• The auditor manages audit risk by
– adjusting audit staff to reflect risk associated
with a client
– developing
d l d
direct tests off account balances
b l
consistent with detection risk
– anticipating
ti i ti potential
t ti l misstatements
i t t t lik
likely
l tto
be associated with account balances
– adjusting the timing of audit tests to minimise
overall audit risk.
 Preliminary Financial
Statement Review:
T h i
Techniques & Expectations
E t ti
• Auditors use analytical procedures to develop
expectations of account balances.
• These expectations are compared to recorded book
values to identify misstatements.
 Preliminary
y Financial
Statement Review: Techniques
& Expectations (cont.)
(cont )
• Sources of data commonly y used:
– financial information for prior periods
– expected
p or p
planned results from budgets
g
and forecasts
– comparison of linked accounts (such as
interest expense and debt)
– ratios of financial information (such as
common-size financial statements)
– company and industry trends
– relevant nonfinancial information.
Preliminary Financial Statement
Review: Techniques &
Expectations (cont.)
(cont )
• Techniques commonly used
– Trend analysis
– Comparative financial statements
(horizontal analysis)
– Ratio analysis
– Common-sized financial statements
(vertical analysis)
• The results of analytical procedures are placed in
context when auditors compare client results to
the client’s prior performance, industry data, or
client expectations (budgets and forecasts)
 Risk Analysis &
Conduct of the Audit
• The risk approach means auditors must
understand the company and its risks as a
basis for determining which account balances
should be directly tested and which can be
corroborated by analytical procedures
• Linkage to direct tests of account balances: if
an auditor
dit concludes
l d there
th is
i a high
hi h risk
i k off
material misstatement they must:
– set materiality at an appropriate level
– use procedures appropriate for the level risk
to examine the account balance.
balance
 Risk Analysis
y & Conduct of
the Audit (cont.)
• Quality of accounting principles used: The auditor
is required to assess the appropriateness of the
accounting methods used by management.
management
• Guidelines to evaluate ‘appropriateness’ include
– Representational faithfulness: does the
accounting reflect the economic substance of
the transactions?
– Consistency of application of accounting
standards
– Accounting estimates: are they based on
proven models, reconciled to actual results,
based on valid economic reasons?