
ATC F8 materials FF8 AA (Int)Session09 j08


Academic year: 2019


OVERVIEW

Objective

• To describe how the auditor, through understanding the entity and controls, aims to minimise audit risk.

Session outline (from the overview diagram)

• ENGAGEMENT RISK: Basic concept; Client business risk; Audit risk
• UNDERSTANDING THE ENTITY: ISA 315; Methods; Team discussions; Sources of knowledge; Using the knowledge
• NEW AND CONTINUING AUDITS: Matters to consider; Information needs; Objectives, strategies, business risks; Accounting policies; Updating existing clients
• ANALYTICAL PROCEDURES: Planning stage; Ratio analysis; Expectations and performance measures; Information needs
• INTERNAL CONTROL: Understanding; Methods; Management monitoring; Impact on audit; Reporting weaknesses
• AUDIT RISK: Concept; Relationship to business risk; Assessing risk of material misstatement; Basic principles; Inherent risk; Control risk; Detection risk; Significant risk; Documentation
• AUDIT MATERIALITY: Session 10
• FRAUD & ERROR: Session 11

1 UNDERSTANDING THE ENTITY, ITS ENVIRONMENT AND CONTROLS

1.1 ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment

• ISA 315 requires the auditor to identify risks arising from the entity and its environment, including relevant controls, by:
  - understanding the entity, its environment and controls; and
  - considering the impact on transactions (e.g. sales, expenses), account balances (e.g. non-current assets, payables) and disclosures (e.g. related party transactions) in the financial statements.

• Relate the risks that have been identified to what can go wrong:
  - at the assertion level (e.g. occurrence, completeness, accuracy, cut-off, and classification of transactions and events); and
  - at the overall financial statement level (e.g. where many assertions are impacted, thus risk is pervasive throughout the financial statements).

• Consider whether the risks are of the type and magnitude that could result in a material misstatement of the financial statements.

• Consider the likelihood that the risks could result in a material misstatement of the financial statements.

• Understand internal control by considering the design and implementation of relevant internal controls to assess the potential risk of material misstatements.

• Plan, design and perform appropriate audit procedures in response to those identified risks.

• In other words:
  - understand the business, its environment and controls to establish what could go wrong (in that the financial statements contain a material error); then
  - identify the ways in which material errors could arise and devise a work programme to test to see if they have (ISA 330 and ISA 500).

1.2 Methods

• Obtaining an understanding of the entity and its environment, including its internal control, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit.

  - make inquiries of management and others within the entity (e.g. business objectives, governance, production, marketing, internal audit, key employees);
  - carry out analytical procedures (e.g. on internally and externally generated information);
  - observe (e.g. activities and operations) and inspect (e.g. business plans, strategies, internal audit risk assessments, records, procedure manuals, premises and plant);
  - read reports prepared by management (e.g. monthly management accounts) and those charged with governance (e.g. board minutes);
  - review external sources of information and benchmark against similar companies in the same activity; and
  - carry out other procedures (e.g. visit premises and facilities, walk through systems relevant to financial reporting, review external sources of information).

• Prior year information (e.g. organisational structures, control environment, management attitude and actions to control breaches) can be used as long as it is up to date (i.e. check and update as required).

• Information obtained from client acceptance procedures and other client engagements (e.g. review of interim financial statements) may also be relevant in obtaining an understanding of the entity.

1.2.1 Use of information systems

• Much of the information obtained will be used within a series of (expert systems) business templates to assess and understand potential weaknesses that could result in material financial statement errors (as well as providing added value business assessments to the client).

• Information systems will also be used, for example:
  - to store and categorise the data held on each client and provide quick access through key word searches;
  - to search external databases (e.g. newspapers, trade, regulators) based on key words (e.g. entity name, industry name, competitor names, product names) to find data relevant to the understanding of the entity’s business.

1.3 Audit team discussions

• Discussions should be held (at least) amongst the (senior and key members of the) engagement team about the susceptibility of the financial statements to material misstatement, including fraud risk (see Session 11). By holding such discussions:
  - the more experienced engagement team members brief other members and share

  - members of the engagement team obtain a better understanding of the potential for material misstatements of the financial statements resulting from fraud or error in the specific areas assigned to them; and
  - understand how the results of the audit procedures that they perform may affect other aspects of the audit including the decisions about the nature, timing, and extent of further audit procedures.

• The discussion should also emphasise the need to:
  - address the application of the applicable financial reporting framework to the entity’s facts and circumstances;
  - maintain professional scepticism throughout the engagement;
  - be alert for information or other conditions that indicate that a material misstatement due to fraud or error may have occurred; and
  - be rigorous in following up on such indications.

• Such discussions must always be documented along with the decisions made and the impact on the audit approach.

• Team members not involved in the discussions must nonetheless be informed of the outcome and specific impact on areas relevant to their responsibilities. This would usually be achieved through the use of a client planning memorandum (detailing, for example, the audit strategy, work programme, areas of risk) and verbal briefing by the team supervisor/manager prior to commencing each audit section.

• All team members must have sufficient understanding of the entity to enable them to perform the work delegated to them and understand how it fits in, and overlaps, with the rest of the audit.

1.4 Sources of knowledge

Example 1

Suggest examples of the sources which provide background knowledge.

External Auditor

1.5 Using the knowledge

To establish a framework within which the audit is planned and professional judgment exercised in assessing risks of material misstatement and responding to those risks throughout the audit.

• Meaning:
  - To assess various components of audit and business risk and to develop the audit strategy and audit plan.
  - To determine materiality levels and judge if they remain appropriate as the audit progresses (see Session 10).
  - Developing expectations for use when performing analytical procedures.
  - Identifying areas where special audit consideration may be necessary, for example, related party transactions, the appropriateness of management’s use of the going concern assumption, or considering the business purpose of transactions.
  - Designing and performing further audit procedures to reduce audit risk to an acceptably low level.
  - To evaluate the sufficiency and appropriateness of audit evidence (see Session 15) including, for example, management representations (see Session 20).
  - To recognize conflicting information, unusual circumstances and effectively apply professional scepticism.

2 NEW AND CONTINUING AUDITS

2.1 Matters to consider

• Capability and resources

• Independence

• Problems e.g. professional reasons (“enquiry” letter). (See Session 5.)

• Obtain a more detailed understanding of the entity and its environment sufficient to plan an effective and efficient audit

2.2 Information needs

• ISA 315 requires the auditor to obtain an understanding of the:
  - nature of the entity, its operations, ownership, governance, investments, structure and financing;
  - relevant industry, regulatory, and other external factors including the applicable financial reporting framework;
  - entity’s selection and application of accounting policies and changes;
  - entity’s objectives and strategies; and
  - the measurement and review of the entity’s financial performance.

Example 2

For a new client suggest, under the following headings, what information you will require to enable you to obtain a sufficient understanding of the entity and its environment under ISA 315.

BEFORE ACCEPTING APPOINTMENT

ACCEPTING APPOINTMENT

Solution

GENERAL ECONOMIC

INDUSTRY

MANAGEMENT AND OWNERSHIP

BUSINESS

FINANCIAL PERFORMANCE

REPORTING ENVIRONMENT

2.3 Objectives, strategies and related business risks

• All of the above elements will be taken into account by the entity when setting its objectives and strategies. As the environment within which the entity operates changes (as it will), so the objectives and strategies for achieving those objectives must change. If the entity fails to change, its business will be at risk – business risk through failure to change (see Session 8).

• Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies, or through the setting of inappropriate objectives and strategies.

• In addition to the examples given within Session 8, further examples of business risks to be managed in relation to objectives and strategies include:
  - Industry developments (e.g. that the entity does not have the personnel or expertise to deal with changes or increased complexity in the industry, or does not recognise the need for change).
  - New products and services (e.g. that there is increased product liability or that the product may fail).
  - Expansion of the business (e.g. that the demand has not been accurately estimated, the market incorrectly analysed).
  - New accounting requirements (e.g. incomplete or improper implementation of a new IFRS, or increased costs).
  - Regulatory requirements (e.g. that there is increased legal exposure).
  - Current and prospective financing requirements (e.g. the loss of financing due to the entity’s inability to meet requirements).
  - Use of IT (e.g. the loss of e-commerce facilities due to a failure within the system).

2.4 Selection and application of accounting policies

• The auditor needs to understand how the entity selects and applies accounting policies, e.g. are they appropriate for the business and consistent with the financial reporting framework and accounting policies used in the relevant industry. An incorrect or aggressive application relates to a financial statement risk.

• Of particular risk will be:
  - the methods the entity uses to account for significant and unusual transactions;
  - the effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus; and
  - the way changes in accounting policies are dealt with; and

• For example, where the IFRS is new (i.e. not an update) is the application appropriate and the implementation requirements/disclosures applied? Where the IFRS is a revised standard, have the transition provisions (or IAS 8 where appropriate) been correctly applied and appropriate disclosures made?

• Also note:
  - Basic, core IFRS are already in issue. New IFRS will more than likely relate to complex issues with the financial statement risk of inappropriate application.
  - First time application of IFRS under IFRS 1 must be considered high risk as the entity will have little experience of IFRS application. The experience of the UK indicates that it may take up to three issues of IFRS statements (i.e. three years) for entities to “iron out” the complications of switching from local GAAP to IFRS.

2.5 Updating existing clients

• In the case of entities audited in prior years, historic key information required for planning will be available in the working papers (“WPs”) and other files (e.g. computer knowledge bases).

• But as entities are adaptive and dynamic and operate in a dynamic environment, the auditor must consider events, transactions and practices that will have changed during the financial year.

• Basically, where were we; what has changed within the business and its environment to change the nature of risks; where are we now.

• Where changes are identified, their impact on the entity, its business and financial reporting environment must be understood (e.g. when and how the entity dealt with such changes).

• Changes that will impact the business in a future financial period cannot be ignored. What business risk is there to the entity arising from these changes? Does that risk impact the current financial statements? For example, future changes in regulations may create a going concern risk.

• Reasons for changes in the selection of, or method of applying, accounting policies must be ascertained. Any change must be appropriate and consistent with the requirements (including disclosure) of the applicable financial reporting framework (e.g. IAS 8 Accounting Policies, Changes in Accounting Estimates and Errors).

Example 3

Solution

3 ANALYTICAL PROCEDURES AND PERFORMANCE MEASUREMENT (ISA 520 ANALYTICAL PROCEDURES)

3.1 At the planning stage

Meaning

• The analysis of significant ratios and trends including the resulting investigation of fluctuations and relationships:
  - that are inconsistent with other relevant information; or
  - which deviate from predictable amounts.

Purpose

• To assist in understanding business
• To identify areas of potential risk e.g. financial condition
• To plan nature, timing and extent of other audit procedures

Based on

• Interim financial information
• Budgets/forecasts and management accounts
• Draft financial statements
• Discussions with client
• Understanding the entity and its environment. External

3.2 Ratio analysis

• Considering one set of ratios for the current year may not, by itself, be sufficient. Comparison should be made with at least the prior year equivalent ratios, if not at least a three to five year trend.

• For example:
  - The deterioration of short-term and/or long-term financial ratios potentially increases the risk of the entity not being a going concern.
  - An increase in receivable days may, for example, indicate credit control risk and a potential increase in bad and doubtful debts.
  - A decrease in gross profit % may indicate, for example, inventory shrinkage, poor cut-off procedures or an increase in competition (such that prices were reduced or increased costs unable to be passed onto the customer).

3.3 Expectations and performance measures

• By understanding the entity, its environment, performance measures and in performing analytical procedures at the planning stage (as risk assessment procedures) the expectations are noted about plausible relationships that are reasonably expected to exist.

• When such expectations are not founded (e.g. with recorded amounts, ratios developed from recorded amounts or audit test results not meeting original expectations) the audit plan is reviewed in identifying risks of material misstatement.

• Performance measures may be internal or external (e.g. meeting budgets, cash flows, reported profit forecasts, share price targets). Professional scepticism must apply when, for example, the auditor is aware of the potential for pressure to be placed upon management to meet expected performance measures.

• For example, following discussions with management over the course of the year, a review of the management accounts and an understanding of the business environment in which the entity operates, the auditor is expecting the results of the entity to be lower than the previous year. Instead, not only is turnover up, but gross profit % has also improved.

4 INTERNAL CONTROL

The process designed and effected by those charged with governance, management, and other personnel, to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

• Internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.

• Five components of internal control are defined:
  - the control environment (i.e. attitude, awareness and actions of management and those charged with governance);
  - the entity’s risk assessment process (i.e. identifying and assessing business risks);
  - the entity’s information systems, including the related business processes relevant to financial reporting and communication;
  - the control activities (e.g. authorisation, performance review, information processing, physical controls and segregation of duties);
  - the entity’s process of monitoring controls (i.e. are the controls operating as intended; if not, why not and changes to be made).

• The control environment is crucial to determining the quality and existence of the other components.

• Session 8 provides a detailed review of these five internal control components. This session considers the auditor’s approach and methods to understanding the design and implementation of internal controls to assess the risks of material misstatement within the financial statements. This is different to gaining audit assurance from the effectiveness of internal controls (see Session 13).

4.1 Understanding internal control

The auditor should obtain an understanding of internal control relevant to the audit (i.e. of the five elements noted above).

They must also obtain an understanding of the way that the management monitors internal control, e.g. over financial reporting, and the way corrective action is taken.

• Understanding internal controls helps the auditor to:
  - identify the potential types of misstatement;

• If controls are poorly designed or are not implemented, there is potentially a greater risk of material misstatement within the financial statements.

• Professional judgement has to be used to identify those controls (which may be in any of the five elements noted above) that relate to:
  - the entity’s objective of preparing financial statements that give a true and fair view; and
  - the management of risk that may result in a material misstatement within the financial statements.

• For example:
  - Controls to prevent unauthorised ordering of materials, or the curtailment of the supply of essential material, will be relevant to the audit whereas controls to prevent the excessive use of material within the manufacturing process are unlikely to be relevant.
  - Controls over the completeness and accuracy of information produced by the entity will be relevant to the auditor where they intend to rely on that information in designing and performing further procedures.
  - Controls relating to operations and compliance objectives will be relevant to the auditor if they relate to data the auditor evaluates or uses in applying audit procedures.
  - Controls relating to effective and efficient operations, e.g. an airline’s system of automated controls to maintain flight schedules, would not normally be relevant to audit.

4.2 Methods for understanding

• To be able to understand internal control, the design of a control and its implementation must be ascertained by the auditor.
  - Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
  - Implementation of a control means that the control exists and that the entity is using it.
  - A poorly designed control may still result in a material misstatement regardless of the fact that it is being correctly operated.

4.2.1 Control design

  - inquiry of entity personnel, e.g. management, internal audit, those charged with governance, operating personnel;
  - observing the application of specific controls;
  - inspecting documents and reports, e.g.:
    - the entity’s risk strategy assessment and response
    - internal control procedure manuals
    - management reports
    - system error reports
    - internal audit testing programmes (including reports to management and management response);
  - walk-through procedures, e.g. tracing a separate transaction through each relevant element of the information system for financial reporting (e.g. the sales system) and reviewing the design of the appropriate controls. This will often require the use of computer assisted audit techniques (CAATs – see Session 21) to enable the transaction to be traced through computer based systems (IS).

• Questionnaires, e.g. internal control questionnaires (ICQ) and internal control evaluation questionnaires (ICEQ), are often used as a framework for understanding the design of internal controls.

4.2.2 Control implementation

• Inquiry alone is not sufficient to determine whether a control has been implemented – it must be seen to be in operation.

• This may be achieved through a combination of, for example:
  - walk-through procedures, e.g. tracing a transaction through a system and checking that the relevant controls are implemented – a purchase order is authorised, the goods received note has been agreed to the purchase order; tracing an internal audit risk analysis report through management procedures; general ethical environment (e.g. staff appear to be ethically compliant and follow ethical guidance);
  - re-performance of a control, e.g. carrying out a bank reconciliation; management action from board minutes;
  - observation of the control in operation, e.g. physical inspection of goods received; monitoring of IS/internet access and use by web-master; meeting of audit committee;
  - use of computer assisted audit techniques for testing individual control implementation within IS;
  - actions taken by responsible officials, e.g. follow up of an exception report; business risk analysis tracking; action taken following disciplinary procedures;
  - inquiry of control operatives, e.g. internal audit, audit committee, risk committee.

• Implementation is testing to see that a control was in operation at any one point in time and assists the auditor in understanding the system. Control effectiveness is testing to see if a control was always in operation over a given period of time (e.g. for the financial year) in order to obtain audit assurance that the financial statements are free from material error.

• In some circumstances, usually with IS, because of the consistency of operation of automated controls, both objectives may be achieved through one test (see Session 13).

4.3 Management monitoring of internal controls

• Typically management monitoring may be through internal audit reviewing and testing internal control. Reports produced by internal audit and the resulting action taken by management may form a suitable basis for the auditor to understand the management monitoring process of internal control.

• Regular management and supervisory activities (e.g. checking that control activities take place) and review of external information (e.g. regulatory reports and complaints from customers) are all indicators of management monitoring of internal control.

• Where the information used by management for monitoring internal control is produced by the system (e.g. exception reports, variance analysis) the auditor must obtain an understanding of how that information is produced and the basis for management believing it to be sufficient for monitoring purposes.

4.4 Impact on audit approach

• As already noted, understanding the design of internal controls and whether or not they have been implemented provides the auditor with an understanding of the risks of material misstatement due to poor design or non-operation.

• If the appropriate controls are well designed and in operation, the auditor can then decide if they wish to obtain audit assurance from those controls. If they decide that placing reliance on the effectiveness of the controls is an efficient and effective approach to lowering audit risk to an acceptable level (see next section, Audit Risk), they must obtain audit evidence about the effectiveness of the control operations throughout the period of the financial statements (see Session 13).

4.5 Reporting of weaknesses

• Those charged with governance, or management, must be informed by the auditor of material weaknesses in the design or implementation of internal control. For example:
  - risks of material misstatement which the entity has not controlled;

5 AUDIT RISK

5.1 Concept

The risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated.

• An audit in accordance with ISAs is designed to provide reasonable assurance that the financial statements taken as a whole are free from material misstatement. The concept of “reasonable assurance” implies that there is a risk that the audit opinion will be inappropriate (e.g. an unqualified opinion when the financial statements are materially misstated).

• This risk may be reduced to an acceptable level by designing and performing audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion.

• This will be achieved through an appropriate audit strategy and work programme (see Session 8) which will be developed following a detailed understanding and analysis of the business, its environment and controls (as discussed above).

• Audit risk therefore considers two base risks:
  - that the financial statements may be materially misstated prior to audit – financial statement risk; and
  - that the auditor may not detect such material misstatement – detection risk.

5.2 Relationship of audit risk to business risk

• Business risk is much broader than financial statement risk but as most business risks will eventually have financial consequences, there will be a ‘cascading’ impact on the financial statements and consequently, financial statement risk.

• Embodied within business risk controls will be those controls that directly, or indirectly, relate to financial reporting, operations and compliance.

• As already discussed, business risks that have the potential to create financial statement risks (the ultimate business risk relating to a financial statement risk being going concern) must be identified by the auditor.

5.3 Assessing risk of material misstatement

• Through obtaining an understanding of the business and its environment, including relevant controls, and considering the classes of transactions, account balances and disclosures in the financial statements, under ISA the auditor must consider the risk of material misstatement at the:

• No one model for doing this is proposed within ISA. The key points are:
  - the auditor is concerned with material misstatement within the financial statements;
  - audit risk is reduced to an acceptably low level by the exercise of professional judgement; and
  - audit procedures are designed to ensure that audit risk is at an acceptable level.

5.4 Basic principles

• Whilst it is irrelevant what names and approaches are used (so long as the model follows the basic principles required by ISAs) the ‘traditional’ model considers that inherent risk, control risk and detection risk are the basic components of audit risk.

• Inherent risk and control risk, although separately defined, are often subject to a combined assessment to assess the risk of material misstatement, e.g. financial statement risk because of inherent risk and the fact that the controls will not detect such errors. Detection risk is then referred to as ‘residual risk’.

• The ‘traditional’ audit risk model deals with inherent risk and control risk separately:

  Audit Risk = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

  - Audit Risk: (Ultimate risk)
  - Components: Inherent Risk (IR), Control Risk (CR), Detection Risk (DR)
  - Inherent Risk and Control Risk: Auditor assesses; exist independently of audit
  - Detection Risk: Auditor manages/manipulates to achieve acceptable audit risk

• An overall acceptable level of audit risk may be quantified as a matter of practice (i.e. audit firm) policy (e.g. 5% meaning that there is a 5% risk of a material error being undetected or conversely, the auditor obtains 95% assurance that there are no undetected material errors). This % may provide the basis for mathematical derivation of detection risk and sample sizes.

• Alternatively, inherent risk and control risk may be designated as High, Medium or Low, with detection risk being the inverse of this relationship (e.g. if both inherent and control risk are high, detection risk will be low).

5.5 Inherent risk

5.5.2 Financial statement vs assertion levels

Auditor assesses:

• At overall financial statement level
• At account balance, transaction or disclosure level

Example 4

State at which level (financial statement or assertion) the following factors would be evaluated.

Solution

(1) Doubts about the integrity of management

(2) Management inexperience in the preparation of the financial statements

(3) Accounts which involve a high degree of estimation

(4) Entity lacks sufficient capital to continue operations

(5) Potential for technological obsolescence of products and services

(6) Complex underlying transactions which might require using the work of an expert

(7) Highly desirable and movable assets (e.g. cash) susceptible to loss or misappropriation (e.g. theft, embezzlement)

(8) Unusual and complex transactions completed at or near the period end

(9) Changes in consumer demand

5.6

Control risk

5.6.1

Definition

The risk that a misstatement that could occur (at the assertion level) and be material will not be:

¾

prevented; or

¾

detected and corrected on a timely basis; by the internal control system.

5.6.2

Preliminary assessment

¾

An understanding of the design and implementation of internal control will be obtained through understanding the entity and its environment (see Session 9).

¾

From this understanding, controls that are key to assessing the risk of material misstatement at the assertion level will have been identified.

¾

Where the controls are suitably designed to prevent, or detect and correct, a material misstatement, tests of the operating effectiveness of the controls can be carried out if considered to be efficient to do so (see Session 13)

5.6.3

Measuring control risk

¾

Control risk is assumed to be high (i.e. high risk of material misstatements in the financial statements) unless:

‰ internal controls which are likely to prevent/detect/correct material misstatement relevant to the assertion are identified; and

‰ tests of the operating effectiveness are planned to be performed to support the assessment.

¾

Control risk will be assessed as high when:

‰ internal control is not assessed to be effective; or

‰ evaluating the operating effectiveness of controls would not be an efficient audit approach; or

‰ sufficient audit evidence can be obtained purely from substantive testing.

¾

There will always be some control risk because of the inherent limitations of any


5.7

Detection risk

5.7.1 Definition

The risk that the auditor will not detect a misstatement that exists (in the financial statements at the assertion level) that could be material (either individually or in aggregate with other misstatements).

¾

It is a function of the effectiveness of the planning of substantive audit procedures, their application and interpretation by the auditor.

¾

Substantive procedures are those procedures that are performed in order to detect material misstatements in the financial statements and include:

‰ tests of detail of transactions;

‰ tests of detail on account balances;

‰ tests of detail on disclosures; and

‰ analytical review.

5.7.2 Basic principles

¾

Factors that must be considered to avoid incorrect assessment of detection risk include:

‰ the possible selection at the planning stage of inappropriate audit procedures (e.g. deciding not to carry out any confirmations, low sample sizes, biased sample selection methods);

‰ misapplication of an audit procedure by the audit team (e.g. through lack of training, incorrect directional application); and

‰ misinterpretation of test results (e.g. not recognising the significance of an error or not recognising that there is an error).


¾

As inherent and control risk assessments influence the nature, timing and extent of substantive procedures to be performed to reduce detection risk (and therefore audit risk) to an acceptably low level, any inappropriate assessment will have a direct, negative, impact on detection risk.

¾

Because of the nature of the audit process and the factors outlined above, some detection risk would always be present even if examining 100% of an account balance or class of transactions. The aim is to reduce this risk to an acceptable level.

Illustration 1

An audit firm uses a mathematical audit risk model to determine the levels of detection risk.

¾

Audit risk: Say 5% risk of drawing the wrong conclusion is acceptable. (Most firms operate between 1% and 5%.)

¾

Inherent risk: Assessed at 75% risk that material problems could arise (e.g. High).

¾

Control risk: Assessed at 20% risk that controls may miss material errors (e.g. Low).

Required:

Calculate detection risk.

Solution

Using the model ⇒ 0.05 = 0.75 × 0.2 × DR …… therefore DR = 0.33 (e.g. Medium).

¾

This means that substantive testing levels will be adequate even if there is a 33% chance of them failing to detect material errors or omissions.

¾

But note that most audit work programmes require material items to be selected and tested anyway - regardless of the detection risk assessed and the sample size calculated.

Example 6


Solution

¾

This mathematical model demonstrates the relationship between inherent risk, control risk and detection risk, in that the nature, extent and timing of substantive procedures are inversely related to the assessment of inherent and control risks.

¾

For a given acceptable audit risk, when both inherent and control risks are high (high risk that the financial statements may contain a material error), detection risk is assessed as low (higher degree and level of substantive work required) and vice-versa.

Audit Risk    Inherent Risk    Control Risk    Detection Risk

Policy        H                H               L

Policy        L                L               H

¾

High detection risk means that it is only necessary to carry out a minimum level of substantive testing (which will usually include testing all items greater than the materiality level).

¾

Because of the low(er) risks of there being a material error within the financial statements (low inherent and low control risks), a lower quantity (e.g. sample size) and lower quality (e.g. indirect evidence rather than direct evidence) of substantive testing may be acceptable.

¾

Low detection risk means that higher levels of substantive testing are required as there is greater risk of a material error being within the financial statements (ie greater testing to lower the risk of a material error not being discovered).

Methods of varying detection risk, with examples where inherent/control risk are high:

1 Change nature of audit work

⇒ Direct tests toward independent parties rather than documentation within entity.

⇒ Use tests of detail in addition to analytical procedures.

2 Change extent of audit work

⇒ Use a larger sample size.

3 Change timing of audit work

⇒ Perform a procedure at the period end rather than at an earlier (interim) date.


¾

More evidence should be obtained from substantive procedures the higher the inherent and control risk assessments.

¾

A qualified opinion (or a disclaimer of opinion) should be expressed if detection risk cannot be reduced to an acceptable level. (See Session 30)

5.8

Significant risks

¾

Whatever risk model is used, care must be taken to identify “significant risks”, i.e. those risks that relate to significant non-routine transactions and judgemental matters, where there is, for example:

‰ greater ability for management intervention, e.g. aggressive application of accounting policies, overriding of internal controls;

‰ greater ability to use manual override with IS collection and processing of data;

‰ complex calculations (e.g. fair value, provisions and estimates that provide opportunity for varying outcomes) or accounting policies open to different interpretations;

‰ subjective judgement based on a significant measurement uncertainty (e.g. a range of values); and

‰ the nature of the transactions makes it difficult to implement effective controls over the risks.

¾

A full understanding of such risks and the management’s internal control and risk assessment procedures must be obtained by the auditor. Such risks would normally be specifically fully tested (ie 100%).

5.9

Matters requiring documentation

¾

The discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud, and the significant decisions reached.

¾

Key elements of the understanding obtained regarding each aspect of the entity and its environment e.g.,

‰ industry, regulatory, and other external factors;

‰ the applicable financial reporting framework;

‰ nature of the entity, including the entity’s selection and application of accounting policies;

‰ objectives and strategies and the related business risks that may result in a material misstatement of the financial statements;


‰ the entity’s information systems, including the related business processes relevant to financial reporting and communication;

‰ the control activities;

‰ the entity’s process of monitoring controls.

¾

The sources of information from which the understanding was obtained.

¾

The risk assessment procedures.

¾

The identified and assessed risks of material misstatement at the financial statement level and at the assertion level.

6

ENGAGEMENT RISK

6.1

Basic concept

¾

Engagement risk is the overall risk associated with an assurance engagement, eg risk of litigation, loss of reputation, unpaid fees, low fee recoveries, inappropriate audit opinions, poor client relationships, failure to understand the client’s business. It must be managed by the auditor and reduced to an acceptable level.

¾

The basic components are:

‰ the clients’ business risk;

‰ audit risk; and

‰ the auditor’s business risk.

6.2

Clients’ business risk

¾

The client’s business risk cannot be controlled by the auditor – it is independent of the auditor. However, a thorough understanding of the client’s business risks and how they are managed assists the auditor in understanding potential engagement risk, eg what is the risk that management actions (or inaction) will result in the entity failing to continue in business.

6.3

Audit risk

¾

Audit risk is controlled and determined solely by the auditor. Through a thorough understanding of the entity and its environment (including business risk and internal controls) the auditor can adjust the nature, timing and extent of audit procedures to reduce audit risk to an acceptable level.

6.4

Auditor’s business risk

¾

As with their clients, auditors are faced with business risk, ie the risk that they will not achieve their objectives. For example, their business is regulated (eg loss of registered auditor status will impact earning capabilities), exposed to litigation, adverse publicity, inability to attract/retain experienced staff, failure to keep technically up to date, failure to maintain fee levels and high risk clients (engagement risk).

¾

Such business risks can be managed. In respect of engagement risk, the risk related to clients can be managed through good client acceptance and retention procedures (see Session 5).

6.5

Engagement risk procedures

¾

Engagement risk must be addressed throughout the audit, from the initial decision to accept a new client (or continue to service an existing client) to planning the engagement, carrying out the audit procedures, reviewing the results of such procedures and the issue of the audit report.

¾

The keys to an acceptable engagement risk are:

‰ strong client acceptance procedures (eg do not accept clients who have a tendency to change auditors on a regular basis, who are “litigation happy”, who require services beyond the auditor’s capabilities);

‰ continuous review for change of client relationships and behaviour throughout the audit (eg reducing integrity, sudden use of aggressive application of accounting policies; continuous challenges to auditor recommendations for changes to financial statements);

‰ closedown review of client continuance (eg are there any factors that will increase engagement risk for the next audit).

FOCUS

You should now be able to:

¾

explain how auditors obtain an initial understanding of the entity and knowledge of its business environment;

¾

explain the components of audit risk;

EXAMPLE SOLUTION

Solution 1 — Sources

¾

Directors/senior operating personnel

¾

Internal audit and Governance

¾

Website

¾

Visit to premises and plant facilities

¾

Specific employees involved in process

¾

Minutes of meeting

¾

Documents sent to shareholders/filed with authorities

¾

Financial budgets and management reports

¾

Chart of accounts and Job descriptions

¾

Procedures manuals

¾

Previous relevant experience

¾

Specialist publications (e.g. on hotel audits)

¾

Technical experts (e.g. IS, extractive industries)

¾

In-house knowledgebase

¾

CAF/PAF

¾

Business process templates

¾

Predecessor auditor

¾

Legal advisors

¾

Industry regulators

¾

Government data

¾

Customers

¾

Suppliers

¾

Competitors

¾

Trade journals

¾

Financial press

¾

Websites

External Auditor


Solution 2 — Information

GENERAL ECONOMIC FACTORS

¾

Recession

¾

Growth

¾

Interest rates

¾

Sources of finance

¾

Inflation

¾

Government policy (e.g. monetary, fiscal, trade)

¾

Investment incentives (e.g. regional development grants)

¾

Foreign exchange (rates and controls)

¾

Fresh-field sites

¾

Availability and education of workforce

THE INDUSTRY

¾

Market/competition

¾

Costs of entry

¾

Cyclical/seasonal trade

¾

Technology/fashion

¾

Key ratios and performance measures

¾

Specific accounting practices, GAAP

¾

Regulatory/environmental requirements

¾

Energy supply and costs

¾

Workforce skills

MANAGEMENT & OWNERSHIP

¾

Corporate structure

¾

Owners and related parties

¾

Local/foreign

¾

Capital structure

¾

Organizational structure

¾

Philosophy and strategic plans

¾

Acquisitions and disposals

¾

Sources of finance

¾

Board of directors and governance

¾

Operating management

¾

Internal audit

¾

Attitude to internal control environment

BUSINESS

¾

Nature (manufacturer, exporter)

¾

Locations (office/production/storage)

¾

Employment (union contracts)

¾

Products/services/markets

¾

Conduct of operations (e.g. service logistics, production, segments)

¾

Major/dependent suppliers/customers (delivery methods e.g. JIT)

¾

Alliances, joint ventures and outsourcing activities

¾

Inventories (type, location, quantities)

¾

Research and development

FINANCIAL PERFORMANCE

¾

Key ratios, trends

¾

Performance indicators (e.g. share price, EPS)

¾

Employee measures and compensation

¾

Period-on-period financial performance

¾

Accounting principles

¾

Accounting policies

¾

Earnings/cash flow

¾

Leasing commitments

¾

Lines of credit

¾

Off-balance sheet finance

¾

Foreign currency and interest rates

REPORTING ENVIRONMENT

¾

Legislation and regulations

¾

Appropriate selection and application of accounting principles and use of GAAP

¾

Audit reporting requirements (shareholders, regulators and other third parties)

¾

Taxation

¾

Revenue recognition

¾

Use of fair values

¾

Users of financial statements

Solution 3 — Changes

¾

Business developments (e.g. e-commerce, discontinued operations)

¾

New products, services

¾

Key personnel (starters and leavers)

¾

Changes within business and financial control systems

¾

Governance/internal audit work and reports

¾

Regulator visits and reports

¾

Administration and IT functions

¾

New legislation and regulation (e.g. environmental, health and safety)

¾

Latest financial reporting standards

¾

Changes in the application of accounting policies

¾

Changes in specialist regulations (and trade unions)

¾

Competitors and their products

¾

Economic (interest/foreign exchange/ tax rates etc)

¾

Volatility of markets (supplier, customer, financial)

Solution 4 — Inherent risk factors

Financial statements level

1 (see Discussion below), 2, 4, 5 & 9

Assertion level

3, 5, 6, 7 (see Discussion), 8 & 10

Discussion

(1) Consider doubts about the integrity of management: could that inherent risk affect the financial statements as a whole or just a few individual account balances?

Suppose management wanted to overstate profit (in order to pay themselves bonuses, say). To increase profit management could:

¾

overstate revenue (e.g. by bringing forward next year’s sales revenue into the current year – i.e. a deliberate cut-off error)

¾

understate costs (e.g. by suppressing purchase and expense invoices)

Because every Dr has a Cr, there are then implications for the statement of financial position:

¾

overstatement of trade receivables (because they do not owe the money at the year end)

¾

understatement of trade payables (because liabilities are not recorded).

Profit could also be increased by understating provisions against assets:

¾

obsolescence provisions against inventory

¾

depreciation provisions against tangible long-term assets

¾

Bad and doubtful debt provisions against trade receivables.

In conclusion then, doubts about management integrity have a pervasive effect on the financial statements as a whole and so this risk is assessed at the financial statement level.


Solution 5 — Control risk factors

¾

History of errors found by auditor

¾

System changes

¾

Management attitude/dominance

¾

Lack of manuals

¾

Inexperienced/incompetent staff

¾

Few formal procedures

¾

Lack of segregation of duties/inadequate supervision

¾

“Late” approval of transactions

¾

Size of entity/accounting systems

¾

Poor monitoring controls

Solution 6 — Detection risk

AR = IR × CR × DR

DR = AR / (IR × CR)

DR = 0.05 / (1.0 × 0.4) = 0.125

DR must be rendered lower than in the Illustration. (We should have anticipated this as both IR and CR have been assessed as higher.) The level of substantive procedures is therefore relatively higher.

Another way of expressing this is that the level of audit assurance required from substantive procedures is

100 – 12.5 = 87.5%
