Auditing &

Assurance
Services,
6e

Copyright 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Chapter 04
Management Fraud and Audit Risk
Profit is the result of risks wisely selected
Frederick Barnard Hawley

Risk comes from not knowing what youre doing

Warren Buffett

4-2

Learning Objectives
1.
2.
3.
4.
5.
6.
7.

Define business risk and understand how management addresses

business risk with the Enterprise Risk Management Model
Explain auditors responsibility for risk assessment and define and
explain the differences among several types of fraud and errors that
might occur in an organization.
Describe the audit risk model and explain the meaning and importance
of its components in terms of professional judgment and audit
planning
Understand sources of inherent risk factors including the clients
business and environment.
Understand sources of information for assessing risks including
analytical procedures, brainstorming and inquiries. Explain how
auditors respond to assessed risks.
Explain auditors responsibilities with respect to a clients failure to
comply with laws or regulations.
Describe the content and purpose of an audit strategy.

4-3

Managements
Risks
Business Riskfailure to meet objectives
Objectivesoverall plans
Strategiesmethods to meet objectives

Information Risk---financial statements will

be misstated.

4-4

Sources of Risk Exhibit 4.1

4-5

ERM Exhibit 4.2

4-6

Auditors Risk
Responsibilities
Audit Riskauditor will give unqualified opinion on
misstated financial statements
Management Fraud Riskmanagement intentionally
misstates financial statements
Fraudulent financial reporting
Errors are unintentional misstatements or omissions of
amounts or disclosures in financial statements.
Auditors primary responsibility is to design procedures to
provide reasonable assurance that frauds that materially
misstate the financial statements are detected.
4-7

Other Definitions Related to

Fraud
Employee fraud
Larceny
misappropriation of assets

Defalcation
Embezzlement

4-8

Overview of Types of Fraud

Risk Exhibit 4.4

4-9

General Categories of Errors

and Frauds

Invalid transactions are recorded.

Valid transactions are omitted from the accounts.
Unauthorized transactions are executed and
recorded.
Transaction amounts are inaccurate.
Transactions are classified in the wrong
accounts.
Transaction accounting and posting is incorrect.
Transactions are recorded in the wrong period.

4-10

Risk Factors Related to Fraudulent

Financial Reporting
Managements characteristics and influence
Industry conditions
Operating characteristics and financial stability

4-11

Fraud Risk Factors: Managements

Characteristics and Influence
Management has a motivation to engage in fraudulent
reporting.
Management decisions are dominated by an individual or a
small group.
Management fails to display an appropriate attitude about
internal control.
Managers attitudes are very aggressive toward financial
reporting.
Managers place too much emphasis on earnings
projections.
4-12

Fraud Risk Factors: Managements

Characteristics and Influence (cont.)
Nonfinancial management participates excessively in
the selection of accounting principles or
determination of estimates.
The company has a high turnover of senior
management.
The company has a known history of violations.
Managers and employees tend to be evasive when
responding to auditors inquiries.
Managers engage in frequent disputes with auditors
4-13

Fraud Risk Factors: Industry conditions

Company profits lag the industry.
New requirements are passed that could
impair stability or profitability.
The companys market is saturated due to
fierce competition.
The companys industry is declining.
The companys industry is changing rapidly.

4-14

Fraud Risk Factors: Operating

Characteristics
A weak internal control environment prevails.
The company is not able to generate sufficient cash
flows to ensure that it is a going concern.
There is pressure to obtain capital.
The company operates in a tax haven jurisdiction.
The company has many difficult accounting
measurement and presentation issues.
The company has significant transactions or
balances that are difficult to audit.
The company has significant and unusual relatedparty transactions.
Company accounting personnel are lax or
inexperienced in their duties.
4-15

The AUDIT RISK MODEL (ARM)

Audit risk (AR) is the risk (likelihood) that the
auditor may unknowingly fail to modify the opinion
on financial statements that are materially misstated
(e.g., an unqualified opinion on misstated financial
statements.)
The AUDIT RISK MODEL decomposes overall
audit risk into three components: inherent risk
(IR), control risk (CR), and detection risk (DR):
AR = IR x CR x DR
(IR x CR = Risk of Material Misstatement (RMM))
4-16

Inherent Risk
Factors affecting account inherent risk include:
Dollar size of the account
Liquidity
Volume of transactions
Complexity of the transactions
New accounting pronouncements
Subjective estimates

4-17

Control Risk
Control Risk (CR) is the likelihood that a material misstatement would not be
caught by the clients internal controls.
Factors affecting control risk include:
The environment in which the company operates (its control environment).
The existence (or lack thereof) and effectiveness of control activities.
Monitoring activities (audit committee, internal audit function, etc.).

4-18

Detection Risk
Detection risk (DR) is the risk that a material
misstatement would not be caught by audit
procedures.
Factors affecting detection risk include:
Nature, timing, and extent of audit procedures
Sampling risk
Risk of choosing an unrepresentative sample.
Nonsampling risk
Risk that the auditor may reach inappropriate
conclusions based upon available evidence
4-19

Detection Risk and the

Nature, Timing, and Extent
of Audit Procedures

Nature

Timing

Lower
Detection
Risk

Higher
Detection
Risk

More
effective
tests.

Less
effective
tests.

Testing
Testing can
performed at
be
year-end.
performed at
Interim.
4-20

Audit Risk Process

4-21

Factors Affecting Overall

Inherent Risk
Company and its environment
Nature of Company
Related parties

Accounting Principles and Disclosures

Objectives and Strategies
Measurement and Analysis of Financial
Performance
4-22

Information Sources
General Business Sources
Company Sources
Minutes

Client acceptance, Planning, Past audits,

and Other Engagements

4-23

Preliminary Analytic Procedures

RECORDED
ACCOUNT
BALANCE

ESTIMATED
ACCOUNT
BALANCE

Attention directing
Identify potential problem areas
An organized approach
A standard starting place to start examining the financial statements
Describe the financial activities
Identify unusual changes in relationships in the data
Ask relevant questions
What could be wrong?
What legitimate reasons are there for these results?
Cash flow analysis

4-24

Analytic Procedure Steps

1. Develop an expectation.
2. Define a significant difference.
3. Calculate predictions and compare them
with the recorded amount.
4. Investigate significant differences.
5. Document each of the above steps.

4-25

Analytic Procedures:
Stages of Use
Preliminary planning-- required
Substantive testing -- optional
Final review -- required

4-26

Audit team discussions

(brainstorming)
Required procedure
Objectives
Gain understanding of
Previous experiences with client
How a fraud might be perpetrated and concealed in
the entity
Procedures that might detect fraud
Set proper tone for engagement
Discussions should be ongoing throughout the engagement

4-27

Inquiries

Management
Audit committee
Internal auditors
Others

Risk of Fraud

4-28

Assess Fraud Risks

Type of risk
Significance of risk
Likelihood of risk
Pervasiveness of risk
Assess controls and programs

4-29

Required Risk Assessments

Presume that improper revenue recognition is a
fraud risk.
Identify risks of management override of controls.
Examine journal entries and other adjustments.
Review accounting estimates for biases.
Evaluate business rationale for significant
unusual transactions.

Identify Significant Risks

4-30

Respond to Assessed Risks

Respond to Significant Risks
Assignment of personnel
Choice of accounting principles
Predictability of auditing procedures
Retrospective review of prior year accounting
estimates
Accumulated Results of Procedures
Extended procedures

4-31

Evaluate Audit Evidence

Discrepancies in the accounting records.

Conflicting or missing evidential matter.
Problematic or unusual relationships between the auditor and management.
Results from substantive of final review stage analytical procedures.
Vague, implausible or inconsistent responses to inquiries.

4-32

Communicate Fraud Matters

Evidence that fraud may exist must be
communicated to appropriate level of
management.
Sarbanes Oxley: Significant deficiencies
must be communicated to those charged
with governance.
Any fraud committed by management (no
matter how small) is material.
4-33

Document Fraud Matters

Discussion of engagement personnel.
Procedures to identify and assess risk.
Specific risks identified and auditor
response.
If revenue recognition not a riskexplain
why.
Results of procedures regarding
management override.
Other conditions causing auditors to believe
additional procedures are required.
Communication to management, audit
committee, etc.
4-34

Noncompliance With Laws

and Regulations
Direct-effect noncompliance produce direct and material effects on the financial statements . The law or regulation
can be identified with a specific account or disclosure (e.g., income tax .evasion).
Auditors responsibility--design procedures to provide reasonable assurance
Indirect-effect noncompliance are not related to specific accounts or disclosures on the financial statements (e.g.,
violations relating to insider securities trading, occupational health and safety, food and drug administration,
environmental protection, and equal employment opportunity).
Auditor's responsibilityFollow up on suspected violations material to the financial statements

4-35

Red Flags of Potential

Noncompliance

Unauthorized transactions.
Government investigations.
Regulatory reports of violations.
Payments to consultants, affiliates, or employees
for unspecified services.
Excessive sales commissions and agents fees.
Unusually large cash payments.
Unexplained payments to government officials.
Failure to file tax returns or to pay duties and fees.
4-36

Audit Strategy Memorandum

Identify significant accounts and disclosures
Establish overall audit strategy for each relevant assertion
Take into account
Reporting objectives and communications required
Auditors risk assessment.
Other requirements of laws or regulations.
Nature, timing, and extent of necessary resources
Planned tests of controls, substantive procedures, and other planned audit
procedures
Memo is basis for preparing detailed audit plans (often called audit
programs)
Written audit plan documenting audit strategy is required

4-37