F8 AA (Int)Session09_j08

SESSION 09 – UNDERSTANDING THE ENTITY, AUDIT RISK AND ENGAGEMENT RISK

OVERVIEW

Objective

To describe how the auditor, through understanding the entity and controls, aims to minimise audit risk.

UNDERSTANDING THE ENTITY: ISA 315; Methods; Team discussions; Sources of knowledge; Using the knowledge

NEW AND CONTINUING AUDITS: Matters to consider; Information needs; Objectives, strategies, business risks; Accounting policies; Updating existing clients

ANALYTICAL PROCEDURES: Planning stage; Ratio analysis; Expectations and performance measures; Information needs

INTERNAL CONTROL: Understanding; Methods; Management monitoring; Impact on audit; Reporting weaknesses

AUDIT RISK: Concept; Relationship to business risk; Assessing risk of material misstatement; Basic principles; Inherent risk; Control risk; Detection risk; Significant risk; Documentation

ENGAGEMENT RISK: Basic concept; Client business risk; Audit risk; Auditor’s business risk; Engagement risk process

AUDIT MATERIALITY: Session 10

FRAUD & ERROR: Session 11

1 UNDERSTANDING THE ENTITY, ITS ENVIRONMENT AND CONTROLS

1.1 ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment

ISA 315 requires the auditor to identify risks arising from the entity and its environment, including relevant controls, by:

understanding the entity, its environment and controls; and

considering the impact on transactions (e.g. sales, expenses), account balances (e.g. non-current assets, payables) and disclosures (e.g. related party transactions) in the financial statements.

Relate the risks that have been identified to what can go wrong:

at the assertion level (e.g. occurrence, completeness, accuracy, cut-off, and classification of transactions and events); and

at the overall financial statement level (e.g. where many assertions are impacted thus risk is pervasive throughout the financial statements).

Consider whether the risks are of the type and magnitude that could result in a material misstatement of the financial statements.

Consider the likelihood that the risks could result in a material misstatement of the financial statements.

Understand internal control by considering the design and implementation of relevant internal controls to assess the potential risk of material misstatements.

Plan, design and perform appropriate audit procedures in response to those identified risks.

In other words:

understand the business, its environment and controls to establish what could go wrong (in that the financial statements contain a material error); then

identify the ways in which material errors could arise and devise a work programme to test to see if they have (ISA 330 and ISA 500).

1.2 Methods

Obtaining an understanding of the entity and its environment, including its internal control, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit.

To obtain the necessary level of understanding, auditors must, for example:

make inquiries of management and others within the entity (e.g. business objectives, governance, production, marketing, internal audit, key employees);

carry out analytical procedures (e.g. on internal and external generated information);

observe (e.g. activities and operations) and inspect (e.g. business plans, strategies, internal audit risk assessments, records, procedure manuals, premises and plant);

read reports prepared by management (e.g. monthly management accounts) and those charged with governance (e.g. board minutes);

review external sources of information and benchmark against similar companies in the same activity; and

carry out other procedures (e.g. visit premises and facilities, walk through systems relevant to financial reporting, review external sources of information).

Prior year information (e.g. organisational structures, control environment, management attitude and actions to control breaches) can be used as long as it is up to date (i.e. check and update as required).

Information obtained from client acceptance procedures and other client engagements (e.g. review of interim financial statements) may also be relevant in obtaining an understanding of the entity.

1.2.1 Use of information systems

Much of the information obtained will be used within a series of (expert systems) business templates to assess and understand potential weaknesses that could result in material financial statement errors (as well as providing added value business assessments to the client).

Information systems will also be used, for example:

to store and categorise the data held on each client and provide quick access through key word searches;

to search external databases (eg newspapers, trade, regulators) based on key words (eg entity name, industry name, competitor names, product names) to find data relevant to the understanding of the entity’s business.

1.3 Audit team discussions

Discussions should be held (at least) amongst the (senior and key members of the) engagement team about the susceptibility of the financial statements to material misstatement, including fraud risk (see Session 11). By holding such discussions:

the more experienced engagement team members brief other members and share their knowledge and audit experience of the entity (the engagement partner must be involved at least with the highest levels of the briefing process);

team members exchange information about the business risks to which the entity is subject and about how and where the financial statements might be susceptible to material misstatement;

members of the engagement team obtain a better understanding of the potential for material misstatements of the financial statements resulting from fraud or error in the specific areas assigned to them; and

understand how the results of the audit procedures that they perform may affect other aspects of the audit including the decisions about the nature, timing, and extent of further audit procedures.

The discussion should also emphasise the need to:

address the application of the applicable financial reporting framework to the entity’s facts and circumstances;

maintain professional scepticism throughout the engagement;

be alert for information or other conditions that indicate that a material misstatement due to fraud or error may have occurred; and

be rigorous in following up on such indications.

Such discussions must always be documented along with the decisions made and the impact on the audit approach.

Team members not involved in the discussions must nonetheless be informed of the outcome and specific impact on areas relevant to their responsibilities. This would usually be achieved through the use of a client planning memorandum (detailing, for example, the audit strategy, work programme, areas of risk) and verbal briefing by the team supervisor/manager prior to commencing each audit section.

All team members must have sufficient understanding of the entity to enable them to perform the work delegated to them and understand how it fits in, and overlaps, with the rest of the audit.

1.4 Sources of knowledge

Example 1

Suggest examples of the sources which provide background knowledge.

External | Auditor | Client

1.5 Using the knowledge

To establish a framework within which the audit is planned and professional judgment exercised in assessing risks of material misstatement and responding to those risks throughout the audit.

Meaning:

To assess various components of audit and business risk and to develop the audit strategy and audit plan.

To determine materiality levels and judge if they remain appropriate as the audit progresses (see Session 10).

Developing expectations for use when performing analytical procedures.

Identifying areas where special audit consideration may be necessary, for example, related party transactions, the appropriateness of management’s use of the going concern assumption, or considering the business purpose of transactions.

Designing and performing further audit procedures to reduce audit risk to an acceptably low level.

To evaluate the sufficiency and appropriateness of audit evidence (see Session 15) including, for example, management representations (see Session 20).

To recognize conflicting information, unusual circumstances and effectively apply professional scepticism.

To make informed enquiries and assess the reasonableness of responses.

To appraise the appropriateness of the selection and application of accounting policies and the adequacy of financial statement disclosures.

To provide a better service to clients and be responsive to their needs.

2 NEW AND CONTINUING AUDITS

2.1 Matters to consider

Capability and resources

Independence

Problems e.g. professional reasons (“enquiry” letter).

(See Session 5.)

Obtain a more detailed understanding of the entity and its environment sufficient to plan an effective and efficient audit.

2.2 Information needs

ISA 315 requires the auditor to obtain an understanding of the:

nature of the entity, its operations, ownership, governance, investments, structure and financing;

relevant industry, regulatory, and other external factors including the applicable financial reporting framework;

entity’s selection and application of accounting policies and changes;

entity’s objectives and strategies; and

the measurement and review of the entity’s financial performance.

Example 2

For a new client suggest, under the following headings, what information you will require to enable you to obtain a sufficient understanding of the entity and its environment under ISA 315.

[Diagram labels: BEFORE ACCEPTING APPOINTMENT; AFTER ACCEPTING APPOINTMENT]

Solution

GENERAL ECONOMIC

INDUSTRY

MANAGEMENT AND OWNERSHIP

BUSINESS

FINANCIAL PERFORMANCE

REPORTING ENVIRONMENT

2.3 Objectives, strategies and related business risks

All of the above elements will be taken into account by the entity when setting its objectives and strategies. As the environment within which the entity operates changes (as it will), so the objectives and the strategies for achieving those objectives must change. If the entity fails to change, its business will be at risk – business risk through failure to change (see Session 8).

Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies, or through the setting of inappropriate objectives and strategies.

In addition to the examples given within Session 8, further examples of business risks to be managed in relation to objectives and strategies include:

Industry developments (e.g. that the entity does not have the personnel or expertise to deal with changes or increased complexity in the industry, or does not recognise the need for change).

New products and services (e.g. that there is increased product liability or that the product may fail).

Expansion of the business (e.g. that the demand has not been accurately estimated, the market incorrectly analysed).

New accounting requirements (e.g. incomplete or improper implementation of a new IFRS, or increased costs).

Regulatory requirements (e.g. that there is increased legal exposure).

Current and prospective financing requirements (e.g. the loss of financing due to the entity’s inability to meet requirements).

Use of IT (e.g. the loss of e-commerce facilities due to a failure within the system).

2.4 Selection and application of accounting policies

The auditor needs to understand how the entity selects and applies accounting policies, e.g. are they appropriate for the business and consistent with the financial reporting framework and accounting policies used in the relevant industry? An incorrect or aggressive application relates to a financial statement risk.

Of particular risk will be:

the methods the entity uses to account for significant and unusual transactions;

the effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus;

the way changes in accounting policies are dealt with; and

the impact of reporting standards (eg IFRS), laws and regulations that are new to the entity which must be understood.

For example, where the IFRS is new (ie not an update) is the application appropriate and the implementation requirements/disclosures applied? Where the IFRS is a revised standard, have the transition provisions (or IAS 8 where appropriate) been correctly applied and appropriate disclosures made?

Also note:

Basic, core IFRS are already in issue. New IFRS will more than likely relate to complex issues with the financial statement risk of inappropriate application.

First time application of IFRS under IFRS 1 must be considered high risk as the entity will have little experience of IFRS application. The experience of the UK indicates that it may take up to three issues of IFRS statements (ie three years) for entities to “iron out” the complications of switching from local GAAP to IFRS.

2.5 Updating existing clients

In the case of entities audited in prior years, historic key information required for planning will be available in the working papers (“WPs”) and other files (e.g. computer knowledge bases).

But as entities are adaptive and dynamic and operate in a dynamic environment, the auditor must consider events, transactions and practices that will have changed during the financial year.

Basically, where were we; what has changed within the business and its environment to change the nature of risks; where are we now.

Where changes are identified, their impact on the entity, its business and financial reporting environment must be understood (e.g. when and how the entity dealt with such changes).

Changes that will impact the business in a future financial period cannot be ignored. What business risk is there to the entity arising from these changes? Does that risk impact the current financial statements? For example, future changes in regulations may create a going concern risk.

Reasons for changes in the selection of, or method of applying, accounting policies must be ascertained. Any change must be appropriate and consistent with the requirements (including disclosure) of the applicable financial reporting framework (e.g. IAS 8 Accounting Policies, Changes in Accounting Estimates and Errors).

Example 3

For an existing client, what changes will need to be documented to ensure a complete understanding of the entity and its environment?

Solution

3 ANALYTICAL PROCEDURES AND PERFORMANCE MEASUREMENT (ISA 520 ANALYTICAL PROCEDURES)

3.1 At the planning stage

Meaning:

The analysis of significant ratios and trends including the resulting investigation of fluctuations and relationships that are inconsistent with other relevant information or which deviate from predictable amounts.

Purpose:

To assist in understanding business

To identify areas of potential risk e.g. financial condition

To plan nature, timing and extent of other audit procedures

Based on:

Interim financial information

Budgets/forecasts and management accounts

Draft financial statements

Discussions with client

Understanding the entity and its environment.

[Diagram labels: External; Internal]

3.2 Ratio analysis

Considering one set of ratios for the current year may not, by itself, be sufficient. Comparison should be made with at least the prior year equivalent ratios, if not a three to five year trend.

For example:

The deterioration of short-term and/or long-term financial ratios potentially increases the risk of the entity not being a going concern.

An increase in receivable days may, for example, indicate credit control risk and a potential increase in bad and doubtful debts.

A decrease in gross profit % may indicate, for example, inventory shrinkage, poor cut-off procedures or an increase in competition (such that prices were reduced or increased costs unable to be passed onto the customer).

3.3 Expectations and performance measures

By understanding the entity, its environment and its performance measures, and by performing analytical procedures at the planning stage (as risk assessment procedures), the auditor notes expectations about plausible relationships that are reasonably expected to exist.

When such expectations are not borne out (e.g. with recorded amounts, ratios developed from recorded amounts or audit test results not meeting original expectations), the audit plan is reviewed to identify risks of material misstatement.

Performance measures may be internal or external (e.g. meeting budgets, cash flows, reported profit forecasts, share price targets). Professional scepticism must apply when, for example, the auditor is aware of the potential for pressure to be placed upon management to meet expected performance measures.

For example, following discussions with management over the course of the year, a review of the management accounts and an understanding of the business environment in which the entity operates, the auditor is expecting the results of the entity to be lower than the previous year. Instead, not only is turnover up, but gross profit % has also improved.

This would place the auditor on guard that the financial statements may contain material errors. If combined with other known factors (e.g. performance-based incentive remunerations such as bonuses or share options) the risk of management manipulation through profit smoothing, inappropriate revenue recognition or deferral of expenses, is higher.

4 INTERNAL CONTROL

The process designed and effected by those charged with governance, management, and other personnel, to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

Internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.

Five components of internal control are defined:

the control environment (i.e. attitude, awareness and actions of management and those charged with governance);

the entity’s risk assessment process (i.e. identifying and assessing business risks);

the entity’s information systems, including the related business processes relevant to financial reporting and communication;

the control activities (e.g. authorisation, performance review, information processing, physical controls and segregation of duties);

the entity’s process of monitoring controls (i.e. are the controls operating as intended; if not, why not and changes to be made).

The control environment is crucial to determining the quality and existence of the other components.

Session 8 provides a detailed review of these five internal control components. This session considers the auditor’s approach and methods to understanding the design and implementation of internal controls to assess the risks of material misstatement within the financial statements. This is different to gaining audit assurance from the effectiveness of internal controls (see Session 13).

4.1 Understanding internal control

The auditor should obtain an understanding of internal control relevant to the audit (i.e. of the five elements noted above).

They must also obtain an understanding of the way that the management monitors internal control, e.g. over financial reporting, and the way corrective action is taken.

Understanding internal controls helps the auditor to:

identify the potential types of misstatement; consider factors that affect the risks of material misstatement; and design the nature, timing, and extent of further audit procedures.

If controls are poorly designed or are not implemented, there is potentially a greater risk of material misstatement within the financial statements.

Professional judgement has to be used to identify those controls (which may be in any of the five elements noted above) that relate to:

the entity’s objective of preparing financial statements that give a true and fair view; and

the management of risk that may result in a material misstatement within the financial statements.

For example:

Controls to prevent unauthorised ordering of materials, or the curtailment of the supply of essential material, will be relevant to the audit whereas controls to prevent the excessive use of material within the manufacturing process are unlikely to be relevant.

Controls over the completeness and accuracy of information produced by the entity will be relevant to the auditor where they intend to rely on that information in designing and performing further procedures.

Controls relating to operations and compliance objectives will be relevant to the auditor if they relate to data the auditor evaluates or uses in applying audit procedures.

Controls relating to effective and efficient operations, eg an airline’s system of automated controls to maintain flight schedules, would not normally be relevant to audit.

4.2 Methods for understanding

To be able to understand internal control, the design of a control and its implementation must be ascertained by the auditor.

Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.

Implementation of a control means that the control exists and that the entity is using it.

A poorly designed control may still result in a material misstatement regardless of the fact that it is being correctly operated.

4.2.1 Control design

Evidence for understanding and evaluating the design of internal controls can be obtained through:

previous experience of the entity and its controls (as recorded within the permanent audit file) – there will be a need to update understanding where changes have occurred in the current year;

inquiry of entity personnel, e.g. management, internal audit, those charged with governance, operating personnel;

observing the application of specific controls;

inspecting documents and reports, e.g.:

− the entity’s risk strategy assessment and response
− internal control procedure manuals
− management reports
− system error reports
− internal audit testing programmes (including reports to management and management response);

walk-through procedures, e.g. tracing a separate transaction through each relevant element of the information system for financial reporting (e.g. the sales system) and reviewing the design of the appropriate controls. This will often require the use of computer assisted audit techniques (CAATs – see Session 21) to enable the transaction to be traced through computer based systems (IS).

Questionnaires, e.g. internal control questionnaires (ICQ) and internal control evaluation questionnaires (ICEQ) are often used as a framework for understanding the design of internal controls.

4.2.2 Control implementation

Inquiry alone is not sufficient to determine whether a control has been implemented – it must be seen to be in operation.

This may be achieved through a combination of, for example:

walk-through procedures, e.g. tracing a transaction through a system and checking that the relevant controls are implemented – a purchase order is authorised, the goods received note has been agreed to the purchase order; tracing an internal audit risk analysis report through management procedures; general ethical environment (eg staff appear to be ethically compliant and follow ethical guidance);

re-performance of a control, e.g. carrying out a bank reconciliation; management action from board minutes;

observation of the control in operation, e.g. physical inspection of goods received; monitoring of IS/internet access and use by web-master; meeting of audit committee;

use of computer assisted audit techniques for testing individual control implementation within IS;

actions taken by responsible officials, e.g. follow up of an exception report; business risk analysis tracking; action taken following disciplinary procedures;

inquiry of control operatives, e.g. internal audit, audit committee, risk committee.

These procedures are broadly the same as those used for testing the effectiveness of internal controls (see Session 13) but note that testing implementation and testing effectiveness are not the same.

Implementation is testing to see that a control was in operation at any one point in time and assists the auditor in understanding the system. Control effectiveness is testing to see if a control was always in operation over a given period of time (e.g. for the financial year) in order to obtain audit assurance that the financial statements are free from material error.

In some circumstances, usually with IS, because of the consistency of operation of automated controls, both objectives may be achieved through one test (see Session 13).

4.3 Management monitoring of internal controls

Typically management monitoring may be through internal audit reviewing and testing internal control. Reports produced by internal audit and the resulting action taken by management may form a suitable basis for the auditor to understand the management monitoring process of internal control.

Regular management and supervisory activities (e.g. checking that control activities take place) and review of external information (e.g. regulatory reports and complaints from customers) are all indicators of management monitoring of internal control.

Where the information used by management for monitoring internal control is produced by the system (e.g. exception reports, variance analysis) the auditor must obtain an understanding of how that information is produced and the basis for management believing it to be sufficient for monitoring purposes.

4.4 Impact on audit approach

As already noted, understanding the design of internal controls and whether or not they have been implemented, provides the auditor with an understanding of the risks of material misstatement due to poor design or non-operation.

If the appropriate controls are well designed and in operation, the auditor can then decide if they wish to obtain audit assurance from those controls. If they decide that placing reliance on the effectiveness of the controls is an efficient and effective approach to lowering audit risk to an acceptable level (see next section, Audit Risk), they must obtain audit evidence about the effectiveness of the control operations throughout the period of the financial statements. (See Session 13).

4.5 Reporting of weaknesses

Those charged with governance, or management, must be informed by the auditor of material weaknesses in the design or implementation of internal control. For example:

risks of material misstatement which the entity has not controlled;

risks of material misstatement for which the relevant control is inadequate or has not been implemented; and (if in the auditor’s judgment there are)

material weaknesses in the entity’s risk assessment process (i.e. the business risk approach and control procedures of the entity).

This will be done through the use of a management letter (sometimes referred to as a weakness letter). See Session 13.

5 AUDIT RISK

5.1 Concept

The risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated.

An audit in accordance with ISAs is designed to provide reasonable assurance that the financial statements taken as a whole are free from material misstatement. The concept of “reasonable assurance” implies that there is a risk that the audit opinion will be inappropriate (eg an unqualified opinion when the financial statements are materially misstated).

This risk may be reduced to an acceptable level by designing and performing audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion.

This will be achieved through an appropriate audit strategy and work programme (see Session 8) which will be developed following a detailed understanding and analysis of the business, its environment and controls (as discussed above).

Audit risk therefore considers two base risks:

that the financial statements may be materially misstated prior to audit – financial statement risk;

and that the auditor may not detect such material misstatement – detection risk.

5.2 Relationship of audit risk to business risk

Business risk is much broader than financial statement risk but as most business risks will eventually have financial consequences, there will be a ‘cascading’ impact on the financial statements and consequently, financial statement risk.

Embodied within business risk controls will be those controls that directly, or indirectly, relate to financial reporting, operations and compliance.

As already discussed, business risks that have the potential to create financial statement risks (the ultimate business risk relating to a financial statement risk being going concern) must be identified by the auditor.

5.3 Assessing risk of material misstatement

Through obtaining an understanding of the business and its environment, including relevant controls, and considering the classes of transactions, account balances and disclosures in the financial statements, under ISA the auditor must consider the risk of material misstatement at the:

overall financial statement level (eg such that the financial statements as a whole are misleading); and at the

transaction, balance and disclosure level (eg an individual item is in error).

No one model for doing this is proposed within ISA. The key points are:

the auditor is concerned with material misstatement within the financial statements;

audit risk is reduced to an acceptably low level by the exercise of professional judgement;

and audit procedures are designed to ensure that audit risk is at an acceptable level.

5.4 Basic principles

Whilst it is irrelevant what names and approaches are used (so long as the model follows the basic principles required by ISAs), the ‘traditional’ model considers that inherent risk, control risk and detection risk are the basic components of audit risk.

Inherent risk and control risk, although separately defined, are often subject to a combined assessment to assess the risk of material misstatement, eg financial statement risk because of inherent risk and the fact that the controls will not detect such errors. Detection risk is then referred to as ‘residual risk’.

The ‘traditional’ audit risk model deals with inherent risk and control risk separately:

Audit Risk (ultimate risk) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

Components:

Inherent risk and control risk: the auditor assesses these; they exist independently of the audit.

Detection risk: the auditor manages/manipulates this to achieve acceptable audit risk.

An overall acceptable level of audit risk may be quantified as a matter of practice (i.e. audit firm) policy (e.g. 5% meaning that there is a 5% risk of a material error being undetected or conversely, the auditor obtains 95% assurance that there are no undetected material errors). This % may provide the basis for mathematical derivation of detection risk and sample sizes.

Alternatively, inherent risk and control risk may be designated as High, Medium or Low, with detection risk being the inverse of this relationship (e.g. if both inherent and control risk are high, detection risk will be low).

5.5 Inherent risk

5.5.1 Definition

The susceptibility of an assertion to misstatement that could be material (individually or in aggregate) assuming no related internal controls.

5.5.2 Financial statement vs assertion levels

Auditor assesses

At overall financial statement level

At account balance, transaction or disclosure level

Example 4

State at which level (financial statement or assertion) the following factors would be evaluated.

Solution

(1) Doubts about the integrity of management

(2) Management inexperience in the preparation of the financial statements

(3) Accounts which involve a high degree of estimation

(4) Entity lacks sufficient capital to continue operations

(5) Potential for technological obsolescence of products and services

(6) Complex underlying transactions which might require using the work of an expert

(7) Highly desirable and movable assets (e.g. cash) susceptible to loss or misappropriation (e.g. theft, embezzlement)

(8) Unusual and complex transactions completed at or near the period end

(9) Changes in consumer demand

(10) Transactions not subject to ordinary processing

5.6 Control risk

5.6.1 Definition

The risk that a misstatement that could occur (at the assertion level) and be material will not be:

prevented; or

detected and corrected on a timely basis;

by the internal control system.

5.6.2 Preliminary assessment

An understanding of the design and implementation of internal control will be obtained through understanding the entity and its environment (see Session 9).

From this understanding, controls that are key to assessing the risk of material misstatement at the assertion level will have been identified.

Where the controls are suitably designed to prevent, or detect and correct, a material misstatement, tests of the operating effectiveness of the controls can be carried out if considered to be efficient to do so (see Session 13).

5.6.3 Measuring control risk

Control risk is assumed to be high (i.e. high risk of material misstatements in the financial statements) unless:

internal controls which are likely to prevent/detect/correct material misstatement relevant to the assertion are identified; and

tests of the operating effectiveness are planned to be performed to support the assessment.

Control risk will be assessed as high when:

internal control is not assessed to be effective; or

evaluating the operating effectiveness of controls would not be an efficient audit approach; or

sufficient audit evidence can be obtained purely from substantive testing.

There will always be some control risk because of the inherent limitations of any internal control system.

Example 5

Suggest factors that may indicate high control risk.

Solution

5.7 Detection risk

5.7.1 Definition

That the auditor will not detect a misstatement that exists (in the financial statements at the assertion level) that could be material (either individually or in aggregate with other misstatements).

It is a function of the effectiveness of the planning of substantive audit procedures, their application and interpretation by the auditor.

Substantive procedures are those procedures that are performed in order to detect material misstatements in the financial statements and include:

tests of detail of transactions;

tests of detail on account balances;

tests of detail on disclosures; and

analytical review.

5.7.2 Basic principles

Factors that must be considered to avoid incorrect assessment of detection risk include:

the possible selection at the planning stage of inappropriate audit procedures (e.g. deciding not to carry out any confirmations, low sample sizes, biased sample selection methods);

misapplication of an audit procedure by the audit team (e.g. through lack of training, incorrect directional application); and

misinterpretation of test results (e.g. not recognising the significance of an error or not recognising that there is an error).

Such factors can be minimised through adequate planning, assignment of appropriate staff (e.g. experienced, trained, technically competent), the application of professional scepticism, clear supervision and strong review of the work carried out.

As inherent and control risk assessments influence the nature, timing and extent of substantive procedures to be performed to reduce detection risk (and therefore audit risk) to an acceptably low level, any inappropriate assessment will have a direct, negative, impact on detection risk.

Because of the nature of the audit process and the factors outlined above, some detection risk would always be present even if examining 100% of an account balance or class of transactions. The aim is to reduce this risk to an acceptable level.

Illustration 1

An audit firm uses a mathematical audit risk model to determine the levels of detection risk.

Audit risk: Say 5% risk of drawing the wrong conclusion is acceptable. (Most firms operate between 1% and 5%.)

Inherent risk: Assessed at 75% risk that material problems could arise (e.g. High).

Control risk: Assessed at 20% risk that controls may miss material errors (e.g. Low).

Required:

Calculate detection risk.

Solution

Using the model ⇒ 0.05 = 0.75 × 0.2 × DR …… therefore DR = 0.33 (e.g. Medium).

This means that substantive testing levels will be adequate even if there is a 33% chance of them failing to detect material errors or omissions.

But note that most audit work programmes require material items to be selected and tested anyway - regardless of the detection risk assessed and the sample size calculated.

Example 6

The same firm as in the above example, has a new client company that undertakes research and development for the pharmaceutical industry. The client is seeking a listing on the Stock Exchange. Inherent risk is therefore assessed as high (100%) – high risk enterprise, high risk as seeking listing. However, the client appears to have reasonable internal control. Control risk is assessed at 40%.

Required:

Calculate detection risk and comment on how it compares with that calculated in the preceding illustration.

Solution

This mathematical model demonstrates the relationship between inherent risk, control risk and detection risk, in that the nature, extent and timing of substantive procedures are inversely related to the assessment of inherent and control risks.

For a given acceptable audit risk, when both inherent and control risks are high (high risk that the financial statements may contain a material error), detection risk is assessed as low (higher degree and level of substantive work required) and vice-versa.

Audit Risk | Inherent Risk | Control Risk | Detection Risk

Policy | H | H | L

Policy | L | L | H

High detection risk means that it is only necessary to carry out a minimum level of substantive testing (which will usually include testing all items greater than the materiality level).

Because of the low(er) risks of there being a material error within the financial statements (low inherent and low control risks), a lower quantity (e.g. sample size) and lower quality (e.g. indirect evidence rather than direct evidence) of substantive testing may be acceptable.

Low detection risk means that higher levels of substantive testing are required as there is greater risk of a material error being within the financial statements (ie greater testing to lower the risk of a material error not being discovered).

Methods of varying detection risk

Examples where inherent/control risk are high

1 Change nature of audit work ⇒ Direct tests toward independent parties rather than documentation within entity.

⇒ Use tests of detail in addition to analytical procedures.

2 Change extent of audit work ⇒ Use a larger sample size.

3 Change timing of audit work ⇒ Perform a procedure at the period end rather than at an earlier (interim) date.

Some substantive procedures should always be carried out for material account balances and classes of transactions.

More evidence should be obtained from substantive procedures the higher the inherent and control risk assessments.

A qualified opinion (or a disclaimer of opinion) should be expressed if detection risk cannot be reduced to an acceptable level. (See Session 30)

5.8 Significant risks

Whatever risk model is used, care must be taken to identify “significant risks”, i.e. those risks that relate to significant non-routine transactions and judgemental matters, where there is, for example:

greater ability for management intervention, e.g. aggressive application of accounting policies, overriding of internal controls;

greater ability to use manual override with IS collection and processing of data;

complex calculations (e.g. fair value, provisions and estimates that provide opportunity for varying outcomes) or accounting policies open to different interpretations;

subjective judgement based on a significant measurement uncertainty (e.g. a range of values); and

the nature of the transactions makes it difficult to implement effective controls over the risks.

A full understanding of such risks and the management’s internal control and risk assessment procedures must be obtained by the auditor. Such risks would normally be specifically fully tested (ie 100%).

5.9 Matters requiring documentation

The discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud, and the significant decisions reached.

Key elements of the understanding obtained regarding each aspect of the entity and its environment e.g.,

industry, regulatory, and other external factors;

the applicable financial reporting framework;

nature of the entity, including the entity’s selection and application of accounting policies;

objectives and strategies and the related business risks that may result in a material misstatement of the financial statements;

measurement and review of the entity’s financial performance.

Internal control components:

the control environment;

the entity’s risk assessment procedures;

the entity’s information systems, including the related business processes relevant to financial reporting and communication;

the control activities;

the entity’s process of monitoring controls.

The sources of information from which the understanding was obtained.

The risk assessment procedures.

The identified and assessed risks of material misstatement at the financial statement level and at the assertion level.

6 ENGAGEMENT RISK

6.1 Basic concept

Engagement risk is the overall risk associated with an assurance engagement, eg risk of litigation, loss of reputation, unpaid fees, low fee recoveries, inappropriate audit opinions, poor client relationships, failure to understand the client’s business. It must be managed by the auditor and reduced to an acceptable level.

The basic components are:

the clients’ business risk;

audit risk; and

the auditor’s business risk.

6.2 Clients’ business risk

The client’s business risk cannot be controlled by the auditor – it is independent of the auditor. However, a thorough understanding of the client’s business risks and how they are managed assists the auditor in understanding potential engagement risk, eg what is the risk that management actions (or inaction) will result in the entity failing to continue in business.

6.3 Audit risk

Audit risk is controlled and determined solely by the auditor. Through a thorough understanding of the entity and its environment (including business risk and internal controls) the auditor can adjust the nature, timing and extent of audit procedures to reduce audit risk to an acceptable level.

In normal circumstances, engagement risk may also be reduced to an acceptable level by an appropriate reduction in audit risk. However, where audit risk cannot be reduced to an acceptable level, engagement risk will remain high, eg the integrity of management is in doubt and no audit procedures can eliminate this fact.

6.4 Auditor’s business risk

As with their clients, auditors are faced with business risk, ie the risk that they will not achieve their objectives. For example, their business is regulated (eg loss of registered auditor status will impact earning capabilities) and exposed to litigation, adverse publicity, inability to attract/retain experienced staff, failure to keep technically up to date, failure to maintain fee levels and high risk clients (engagement risk).

Such business risks can be managed. In respect of engagement risk, the risk related to clients can be managed through good client acceptance and retention procedures (see Session 5).

6.5 Engagement risk procedures

Engagement risk must be addressed throughout the audit, from the initial decision to accept a new client (or continue to service an existing client) to planning the engagement, carrying out the audit procedures, reviewing the results of such procedures and the issue of the audit report.

The keys to an acceptable engagement risk are:

strong client acceptance procedures (eg do not accept clients who have a tendency to change auditors on a regular basis, who are “litigation happy”, who require services beyond the auditor’s capabilities);

continuous review for change of client relationships and behaviour throughout the audit (eg reducing integrity, sudden use of aggressive application of accounting policies; continuous challenges to auditor recommendations for changes to financial statements);

closedown review of client continuance (eg are there any factors that will increase engagement risk for the next audit).

FOCUS

You should now be able to:

explain how auditors obtain an initial understanding of the entity and knowledge of its business environment;

explain the components of audit risk;

explain why an auditor needs to obtain an understanding of internal control activities relevant to the audit;

describe the use of information technology in risk analysis;

identify and describe engagement risks affecting the audit of an entity.

EXAMPLE SOLUTION

Solution 1 — Sources

Directors/senior operating personnel

Internal audit and Governance

Website

Visit to premises and plant facilities

Specific employees involved in process

Minutes of meeting

Documents sent to shareholders/filed with authorities

Financial budgets and management reports

Chart of accounts and Job descriptions

Procedures manuals

Previous relevant experience

Specialist publications (e.g. on hotel audits)

Technical experts (e.g. IS, extractive industries)

In-house knowledgebase

CAF/PAF

Business process templates

Predecessor auditor

Legal advisors

Industry regulators

Government data

Customers

Suppliers

Competitors

Trade journals

Financial press

Websites

External / Auditor / Client

Solution 2 — Information

GENERAL ECONOMIC FACTORS

Recession

Growth

Interest rates

Sources of finance

Inflation

Government policy (e.g. monetary, fiscal, trade)

Investment incentives (e.g. regional development grants)

Foreign exchange (rates and controls)

Fresh-field sites

Availability and education of workforce

THE INDUSTRY

Market/competition

Costs of entry

Cyclical/seasonal trade

Technology/fashion

Key ratios and performance measures

Specific accounting practices, GAAP

Regulatory/environmental requirements

Energy supply and costs

Workforce skills

MANAGEMENT & OWNERSHIP

Corporate structure

Owners and related parties

Local/foreign

Capital structure

Organizational structure

Philosophy and strategic plans

Acquisitions and disposals

Sources of finance

Board of directors and governance

Operating management

Internal audit

Attitude to internal control environment

BUSINESS

Nature (manufacturer, exporter)

Locations (office/production/storage)

Employment (union contracts)

Products/services/markets

Conduct of operations (e.g. service logistics, production, segments)

Major/dependent suppliers/customers (delivery methods e.g. JIT)

Alliances, joint ventures and outsourcing activities

Inventories (type, location, quantities)

Research and development

Information systems and use of e-commerce (nature and dependency)

Debt structure (including covenants)

FINANCIAL PERFORMANCE

Key ratios, trends

Performance indicators (e.g. share price, EPS)

Employee measures and compensation

Period-on-period financial performance

Accounting principles

Accounting policies

Earnings/cash flow

Leasing commitments

Lines of credit

Off-balance sheet finance

Foreign currency and interest rates

REPORTING ENVIRONMENT

Legislation and regulations

Appropriate selection and application of accounting principles and use of GAAP

Audit reporting requirements (shareholders, regulators and other third parties)

Taxation

Revenue recognition

Use of fair values

Users of financial statements

Solution 3 — Changes

Business developments (e.g. e-commerce, discontinued operations)

New products, services

Key personnel (starters and leavers)

Changes within business and financial control systems

Governance/internal audit work and reports

Regulator visits and reports

Administration and IT functions

Pending litigation

New legislation and regulation (e.g. environmental, health and safety)

Latest financial reporting standards

Changes in the application of accounting policies

Changes in specialist regulations (and trade unions)

Competitors and their products

Economic (interest/foreign exchange/ tax rates etc)

Volatility of markets (supplier, customer, financial)

Industry practices

Changes in local and national government

External / Internal

Solution 4 — Inherent risk factors

Financial statements level

1 (see Discussion below), 2, 4, 5 & 9

Assertion level

3, 5, 6, 7 (see Discussion), 8 & 10

Discussion

(1) Consider doubts about the integrity of management: could that inherent risk affect the financial statements as a whole or just a few individual account balances? Suppose management wanted to overstate profit (in order to pay themselves bonuses, say). To increase profit, management could:

overstate revenue (e.g. by bringing forward next year’s sales revenue into the current year – i.e. a deliberate cut-off error)

understate costs (e.g. by suppressing purchase and expense invoices)

Because every Dr has a Cr, there are then implications for the statement of financial position:

overstatement of trade receivables (because they do not owe the money at the year end)

understatement of trade payables (because liabilities are not recorded).

Profit could also be increased by understating provisions against assets:

obsolescence provisions against inventory

depreciation provisions against tangible long-term assets

bad and doubtful debt provisions against trade receivables.

In conclusion then, doubts about management integrity have a pervasive effect on the financial statements as a whole and so this risk is assessed at the financial statement level.

(7) Consider cash balances (i.e. physical money rather than bank balances). These balances may be very small in relation to the assets as a whole (e.g. cash floats in the till/register of a shop). At the financial statement level the auditor may take no account of these and so ignore them in the overall audit plan. However, cash is inherently risky (because it can be stolen if safeguards are not adequate) and cannot be ignored at the account balance level.

However, in a cash-based business (i.e. cash revenue, purchases and assets paid for in cash) this would be considered at the financial statement level (i.e. in the preparation of the overall audit plan) because, again, it has a pervasive effect.

Solution 5 — Control risk factors

History of errors found by auditor

System changes

Management attitude/dominance

Lack of manuals

Inexperienced/incompetent staff

Few formal procedures

Lack of segregation of duties/inadequate supervision

“Late” approval of transactions

Size of entity/accounting systems

Poor monitoring controls

Solution 6 — Detection risk

AR = IR × CR × DR, so DR = AR ÷ (IR × CR)

DR = 0.05 ÷ (1.0 × 0.4) = 0.125

DR must be rendered lower than in the Illustration. (We should have anticipated this as both IR and CR have been assessed as higher.) The level of substantive procedures is therefore relatively higher.

Another way of expressing this is that the level of audit assurance required from substantive procedures is

100 – 12.5 = 87.5%

i.e. a relatively high level of assurance is required.