Audit & taxation | Audit Risk in the Brave New World | Audit Risk Model | 6/27/2010 | Submitted To: Mr. Asim Khan | Submitted By: Bilal Khalid
INTRODUCTION
The audit risk model has provided a conceptual framework for auditing practice for more than 40 years. Despite practical difficulties in implementation and criticisms of its theoretical foundation, the model has been fairly effective in helping auditors analyze risks and use that analysis to determine the nature, timing, and extent of audit procedures (especially substantive procedures) in audits of financial statements.
The audit risk model provides a conceptual framework for the risk assessment standards. In recent years, auditors have tried to apply the model to audits of internal control, usually performed as parts of integrated audits. An integrated audit is an engagement where the auditor provides an opinion on the financial statements and an opinion on the effectiveness of internal control. It is integrated in the sense that the auditor tries to use some of the same procedures to meet both objectives.
AUDIT RISK
Basically, audit risk is the risk arising from carrying out audit work.
It is the risk of the auditor ‘suffering loss’ as a result of giving an inappropriate audit opinion. The loss may be in the form of damage to the auditor’s reputation (and resulting business loss) or in the form of monetary compensation for damages to another person (the client or a third party), or indeed both (reputational and monetary). An auditor gives an inappropriate opinion by, for example, stating that the financial statements show a true and fair view when in fact they do not, or that they do not give a true and fair view when in fact they do.
This may arise from:
* not gathering appropriate audit evidence
* being deliberately misled by those providing the evidence who conceal evidence that would have led to a different opinion, or who falsify evidence
* misinterpreting (drawing inappropriate conclusions from) the evidence gathered.
In summary, audit risk is the risk that the auditor will suffer financial and/or reputational loss as a result of doing something wrong or omitting to do something during an audit engagement.
All audits, therefore, involve risk. There is always the possibility of fraud or error remaining undetected no matter how careful an auditor is in gathering and assessing audit evidence in support of the auditor’s resulting opinion. It is possible that the auditor will arrive at an unsuitable opinion. A large part of an audit engagement is dealing with this risk – assessing it at the start of the engagement, and gathering evidence and reassessing it during the engagement.
Audit risk is fundamental to the audit process because auditors cannot and do not attempt to check all transactions. Students should refer to any published accounts of large companies and think about the vast number of transactions in a statement of comprehensive income and a statement of financial position. It would be impossible to check all of these transactions, and no one would be prepared to pay for the auditors to do so, hence the importance of the risk-based approach toward auditing.
Traditionally, auditors have used a risk-based approach in order to minimize the chance of giving an inappropriate audit opinion, and audits conducted in accordance with ISAs must follow the risk-based approach, which should also help to ensure that audit work is carried out efficiently, using the most effective tests based on the audit risk assessment. Auditors should direct audit work to the key risks (sometimes also described as significant risks), where it is more likely that errors in transactions and balances will lead to a material misstatement in the financial statements.
It would be inefficient to address insignificant risks in a high level of detail, and whether a risk is classified as a key risk or not is a matter of judgment for the auditor. Relevant to audit risk are the new ISAs which the IAASB has grouped together and called ‘The Risk Standards’. These are:
* ISA 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatements
* ISA 330, The Auditor’s Procedures in Response to Assessed Risks
* ISA 500 (Revised), Audit Evidence.
The requirements in these newly-issued risk standards represent significant changes to the standards governing audits of financial statements. They enable the auditors to focus more clearly on areas where there is a greater risk of misstatement of the financial statements. The belief is that these risk standards will increase audit quality. This is as a result of better risk assessments through a more detailed understanding of the entity and its environment, including internal control, and improved design and performance of audit procedures to respond to assessed risks of material misstatements.
The improved linkage of audit procedures and assessed risks is expected to result in a greater concentration of audit effort on areas where there is a greater risk of material misstatements. The scope of each of the risk standards is reflected in the introduction to the standards, and can be summarized as follows.
ISA 315
This standard provides guidance on performing audit procedures to obtain a broader understanding of the entity and its environment, including its internal control, and on assessing risks of material misstatement.
The IAASB recognises that there may be specific considerations relevant to the audit of small entities and ISA 315 includes such considerations.
ISA 330
This standard provides guidance on determining overall responses to assessed risks at the financial statement level and on designing and performing further audit procedures to respond to assessed risks of material misstatements at the assertions level.
ISA 500 (Revised)
This standard provides guidance on:
* what constitutes audit evidence
* the sufficiency and appropriateness of audit evidence obtained
* the auditor’s use of assertions and
* the auditor’s procedures for obtaining audit evidence.
It provides additional guidance about the auditor’s use of assertions and the qualitative aspects of audit evidence.
THE AUDIT RISK MODEL
In this context, audit risk (also referred to as residual risk) refers to acceptable audit risk, i.e. it indicates the auditor’s willingness to accept that the financial statements may be materially misstated after the audit is completed and an unqualified (clean) opinion was issued.
If the auditor decides to lower audit risk, it means that he wants to be more certain that the financial statements are not materially misstated.
AR = IR x CR x DR
where IR is inherent risk, CR is control risk, and DR, detection risk, is the conditional probability that the auditor does not detect a material misstatement in the financial statements (F/S), given that one exists. Finally, it is important to make reference to the so-called traditional audit risk model, which pre-dates ISA 315, but continues to remain important to the audit process. The audit risk model breaks audit risk down into the following three components:
Inherent risk
This is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
Control risk
This is the risk that a misstatement could occur in an assertion about a class of transaction, account balance or disclosure, and that the misstatement could be material, either individually or when aggregated with other misstatements, and will not be prevented, or detected and corrected, on a timely basis, by the entity’s internal control.
Control risk is the risk that the client’s internal control policies and procedures fail to detect or prevent a material misstatement from occurring. Like inherent risk, control risk is out of the hands of the auditor; however, its magnitude can be assessed.
Detection risk
This is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
The interrelationship of the three components of audit risk is outside the scope of this current article. Paper F8 students, however, will typically be expected to have a good understanding of the concept of audit risk, and to be able to apply this understanding to questions in order to identify and describe appropriate risk assessment procedures. Detection risk is defined as the likelihood that a material misstatement relating to an assertion will not be detected by the auditor’s substantive testing.
It is important to note that the detection risk indicates the detection risk that the auditor is willing to “live with”, given the acceptable audit risk and his assessment of inherent and control risk. This means that if the detection risk is high, the auditor is willing to accept a high detection risk, and will do less substantive testing as compared to a situation where the detection risk is lower. It is important to note that while detection risk can be modified at the auditor’s discretion, inherent risk and control risk exist independently of the audit.
EXAMPLE:
Suppose an auditor is doing the risk assessment relating to the completeness of trade payables assertion. He regards 5% as an acceptable audit risk, and has assessed the inherent risk at 70%, which is high. But he has also assessed the control risk relating to this assertion at 10%, which means that the client has strong controls in place “governing” this assertion. The auditor expects these controls to eliminate 90% of the misstatements that were likely due to the inherently risky nature of the assertion, leaving a low combined risk of slightly above 6% for him to respond to by means of his substantive testing.
Calculating the detection risk then produces an answer of almost 80%, which implies that the auditor can, with detection risk at a high 80%, still have the acceptable audit risk of 5%. Hence the auditor does not have to do very exhaustive substantive testing relating to the completeness of trade payables. Note that the auditor can peg control risk at above the assessed level, thereby effectively treating the entity as having worse controls than is really the case. By doing so, the auditor effectively opts to do less controls testing, but must then compensate by doing more substantive testing.
RISK ASSESSMENT PROCEDURES
ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risks, and these risks must then be considered when designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels.
ISA 315 goes on to identify the following three risk assessment procedures:
Making inquiries of management and others within the entity
Auditors must have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals.
Analytical procedures
Analytical procedures performed as risk assessment procedures should help the auditor in identifying unusual transactions or positions.
They may identify aspects of the entity of which the auditor was unaware, and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks.
Observation and inspection
Observation and inspection may also provide information about the entity and its environment. Examples of such audit procedures can potentially cover a very broad area, including observation or inspection of the entity’s operations, documents, and reports prepared by management, and also of the entity’s premises and plant facilities.
ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion.
Practical Implication of New Standards
External auditors have responsibilities in respect of the risk of fraud and error in an audit of financial statements. These include:
* conducting the audit in accordance with ISAs
* obtaining reasonable assurance that the financial statements as a whole are free from material misstatements, whether caused by fraud or error
* performing risk assessment procedures in order to obtain an understanding of the entity and its environment, including its internal control. The procedures include making inquiries of management, of those charged with governance and of appropriate others within the entity (e.g. operating personnel, chief ethics officer and fraud investigating officer), considering whether one or more fraud factors exist, considering any unusual relationships that have been identified in performing analytical procedures and considering other information that may be helpful in identifying the risks of material misstatements due to fraud
* maintaining an attitude of professional scepticism throughout the audit
* considering the potential for management override of controls and recognising the fact that audit procedures that are effective for detecting error may not be appropriate in the context of an identified risk of material misstatement due to fraud
* accepting records and documents as genuine unless the auditor has reason to believe the contrary
* investigating further by, for example, using the work of an expert or confirming directly with a third party if conditions identified during the audit cause the auditor to believe that a document may not be authentic
* discussing with the members of the engagement team the susceptibility of the entity to materially misstate the financial statements.
Auditors seek information and perform procedures during the planning, risk assessment and determination of the audit approach for the audit of a company.
The information sought includes that relating to:
* the entity’s organisational structure, business and controls
* past misstatements and whether or not they were corrected on a timely basis (beware of changes in the entity and its environment that would render this historical information irrelevant)
* the environment in which the financial statements are prepared
* litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, post-sales obligations, arrangements (e.g. joint ventures) with business partners, warranties and the meaning of contract terms
* information relating to changes in the entity’s marketing strategies, sales trends, or contractual arrangements with customers
* the design and effectiveness of the entity’s internal control and whether management has satisfactorily responded to any findings from these activities
* the appropriateness of the selection and application of certain accounting policies.
In performing risk assessment procedures, auditors may obtain evidence about classes of transactions, account balances, or disclosures and related assertions about the operating effectiveness of controls. For audit efficiency reasons, auditors may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures.
Auditors should expect to see certain types of audit working papers on the audit files and those working papers should have certain features that show they have been properly completed. The types of working papers include permanent audit files and current audit files.
Permanent audit files
These contain information of continuing importance and are updated during each audit. The information includes:
* statutory material
* the rules and regulations of the enterprise
* copies of documents of continuing importance (e.g. letter of engagement)
* addresses of the registered office and other premises
* list of books and other records and where they are kept
* history of the organization
* list of important accounting matters
* other information of a continuing nature.
Current audit files
Current audit files include information relating to a single audit (accounting) period. The information includes:
* a copy of the financial statements
* an index to the file
* a description of the internal control system
* an audit programme
* a schedule for each of the balance sheet items showing the opening balance, movement during the period and the closing balance
* a schedule for each of the income statement (profit and loss account) items showing its makeup
* a statutory checklist
* a schedule of important statistics
* copies of all communications with other people
* letters of representation
* conclusions reached by the auditor concerning significant aspects of the audit
* anything else that contributes to the audit evidence for the current year’s audit.
Features to show that the papers have been completed properly include evidence:
* of who performed the actual audit work and when it was performed
* that the work performed was supervised and reviewed
* that the performers, supervisors and reviewers were appropriately qualified and experienced for their tasks.
Internal Control Evaluation: Assessing Control Risk
* The Second Standard of Field Work
* A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. How will the auditor’s understanding of the internal control structure influence the nature, timing, and extent of audit tests?
* The Audit Risk Model (Assessment of Control Risk)
AR = IR x CR x DR
Competence of Evidential Matter
The more effective the internal control structure, the more assurance it provides about the reliability of the accounting data and financial statements.
Management versus Auditor Responsibility
* Management is responsible for establishing and maintaining components of the entity’s internal control.
* External and internal auditors are responsible for evaluating existing internal controls and assessing the related control risk.
General Categories of Internal Control Errors, Irregularities, and Misstatements
The most common errors which can be found in the internal control of an organization are as follows:
* Invalid transactions are recorded (validity).
* Valid transactions are omitted from the accounts (completeness).
* Unauthorized transactions are executed and recorded (authorization).
* Transaction amounts are inaccurate (accuracy).
* Transactions are classified in the wrong accounts (classification).
* Transaction accounting and posting is incorrect (accounting/posting).
Reportable Conditions
Reportable conditions represent significant deficiencies in the design or operation of the internal controls that could adversely affect the organization’s ability to record, process, summarize, and report financial data in the financial statements.
Material Weaknesses
A material weakness in internal control, which is a more serious reportable condition, is a condition in which internal controls do not adequately lower the risk level of material errors in the financial statements and may not be found on a timely basis by employees of the entity.
Objectives to Minimize the Control Risk
* Validity. Ensure that recorded transactions are the ones that should have been recorded.
* Completeness. Ensure that valid transactions are not omitted entirely from the accounting records.
* Authorization. Ensure that transactions are approved before they are recorded.
* Accuracy. Ensure that dollar amounts are figured correctly.
* Classification. Ensure that transactions are recorded in the right accounts.
* Accounting and Posting. Ensure that the accounting process for a transaction is completely performed and in conformity with GAAP.
* Proper period. Ensure that transactions are accounted for in the period in which they occur.
Control Risk Assessment
* General Control Considerations. Proper segregation of responsibilities for authorization, custody, recording and reconciliation.
* Persons who handle cash should be insured under a fidelity bond.
* Provide for detail error-checking activities.
* Information about the control system can be gathered by an internal control questionnaire, a “walk-through” or a “sample of one.”