Business Risk
Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,
and South-Western are trademarks used herein under license.
THE NATURE OF RISK
In this chapter, we identify four critical components of risk
that affect the audit approach and audit outcome
Enterprise risk - risks that affect the operations and potential
outcomes of organization activities
Engagement risk - the risk that comes with association with a specific client
Financial reporting risk - risks that relate directly to the
recording of transactions and the presentation of the financial
statements
Audit risk - the risk that an auditor may provide an unqualified opinion
on financial statements that are materially misstated
Each of these components can be managed
The effectiveness of risk management processes will
determine whether the company continues to exist
ENTERPRISE RISK MANAGEMENT
(ERM)
COSO defines ERM as a
"process effected by an entity's board of directors,
management and other personnel, applied in
strategy setting and across the enterprise, designed
to identify potential events that may affect the
entity, and manage risks to within its risk appetite,
to provide reasonable assurance regarding the
achievement of entity objectives."
ENTERPRISE RISK MANAGEMENT
(ERM) (CONTINUED)
COSO elements:
Risk management environment: management culture and
attitude towards risk
Event identification: identifying events that may affect the organization's
ability to implement strategies or achieve objectives
Risk assessment: assessing risks to determine the response
Risk response
Control activities: policies and procedures designed to reduce
risks and to assure management's directives and strategies are
implemented
Information and communication
Monitoring
An effective ERM process within an organization is
designed to provide assurance that risks are identified,
understood, and addressed
ORGANIZATIONAL RISK RESPONSES
RISK FACTORS AFFECTING THE AUDIT
Engagement Risk
Risk auditors incur by being associated with a particular client
Risk is high whenever there is an increased likelihood that
The auditor is associated with a failed client
The financial statements contain a material misstatement that the
auditor fails to find
These conditions increase the likelihood that the auditor will be
sued
Client Acceptance or Retention Decision
Perhaps the most important audit decision
A number of factors affect this decision, but the most important
involve
Quality of the client's corporate governance
Client's financial health
RISK FACTORS AFFECTING THE AUDIT:
CORPORATE GOVERNANCE & CLIENT
ACCEPTANCE
The key factors an auditor will analyze
include
Management integrity
Independence and competence of the
audit committee and board
Quality of ERM and controls
Regulatory and reporting requirements
Participation of key stakeholders
Existence of related party transactions
RISK FACTORS AFFECTING THE AUDIT:
FINANCIAL HEALTH OF THE
ORGANIZATION
There are a number of reasons why the auditor
needs to evaluate a potential client's financial
health:
The auditor will most likely be sued if a client
declares bankruptcy
Investors and creditors who have lost money will look for
recovery
Attorneys will claim the financial statements were misstated
and the auditors should have known they were misstated
The auditor also needs to understand the financial
health in order to:
Assess management's motivation to misstate the financial
statements
Identify areas that are likely to be misstated
Identify account balances that appear unusual
RISK FACTORS AFFECTING THE AUDIT:
OTHER FACTORS AFFECTING ENGAGEMENT
RISK
The auditor should evaluate the company's economic prospects
to help ensure that
Important areas will be investigated
The company will likely stay in business
High-risk companies are generally characterized by
Inadequate capital
Lack of long-run strategic and operational plans
Low-cost entry into the market
Dependence on limited product offerings
Dependence on technology subject to obsolescence
Instability of future cash flows
History of questionable accounting practices
Previous inquiries by the SEC or other regulatory agencies
RISK FACTORS AFFECTING THE AUDIT:
FINANCIAL REPORTING RISK
Financial reporting risk is influenced by
The company's financial health
The quality of the company's internal controls
The complexity of the company's transactions and
financial reporting
Management's motivation to misstate the financial
statements
These factors are interrelated
The auditor will gather information on these issues
through reviews of previous audits, or by
talking with the predecessor auditor
ACCEPTING NEW CLIENTS:
AUDITING STANDARDS ON AUDITOR
CHANGES
SAS 84 requires a successor auditor to initiate discussions with
the predecessor to discuss the reasons for the change in
auditors
Because of the confidentiality rule, the successor must first
obtain client permission to talk with the predecessor
The successor is particularly interested in factors that bear on
Management integrity
Disagreements with management on any substantive auditing or
accounting issues
The predecessor's understanding of the reasons for the change
Any communications between the predecessor and management
or the audit committee regarding fraud, illegal acts or internal
control matters
ACCEPTING NEW CLIENTS: THE
ENGAGEMENT LETTER
The auditor and client should have a mutual understanding of
the audit process
The auditor should prepare an engagement letter to clarify the
responsibilities and expectations of each party, and to
summarize and document this understanding including the
Nature of the services to be provided
Timing of those services
Expected fees and basis on which they will be billed (fixed fee,
hourly rates)
Auditor responsibilities including the search for fraud
Client responsibilities including preparing information for the
audit
Need for any other services to be performed by the firm
BUSINESS RISK AND THE
AUDIT PROCESS
Risk-based approach to auditing:
Develop understanding of management's risk
management process
Develop understanding of the business and the risks it
faces
Use the identified risks to develop expectations about
account balances and financial results
Assess the quality of control systems to manage risks
Determine residual risks, and update expectations about
account balances
Manage remaining risk of account balance
misstatement by determining the direct tests of account
balances (detection risk) that are necessary
UNDERSTANDING MANAGEMENT'S RISK
MANAGEMENT PROCESS
To understand the client's risk management process,
auditors will normally use the following techniques:
Understand the processes used to evaluate risks
Review the risk-based approach used by internal auditing
Interview management about their risk approach
Review regulatory agency reports that address the company's policies
towards risk
Review company policies and procedures for addressing risk
Review company compensation policies to see if they are consistent
with the company's risk policies
UNDERSTANDING MANAGEMENT'S RISK
MANAGEMENT PROCESS (CONTINUED)
Review prior years' work to determine if current
actions are consistent with risk approach
discussed with management
Review risk management documents
If the company has strong risk management
processes, the auditor may focus on testing
controls and developing corroborative evidence on
account balances
On the other hand, if the company does not have a
comprehensive risk process, the auditor will assess
engagement risk as high, set audit risk at a lower
level, and increase direct testing
DEVELOPING AN UNDERSTANDING OF
BUSINESS AND RISK
There are a number of information sources (including
electronic sources) that auditors use to develop an
understanding:
Intelligent agents
Knowledge management systems
Online searches
Review SEC filings
Company web sites
Economic statistics
Professional practice bulletins
Stock analysts' reports
UNDERSTANDING KEY BUSINESS
PROCESSES
Each organization has a few key processes
that give it a competitive advantage (or
disadvantage)
The auditor should gather sufficient
information to understand
The key processes
The industry factors affecting key processes
How management monitors key processes
The potential operational and financial effects
associated with key processes