Auditing: an International Approach, 7Ce (Smieliauskas, Bewley)

Assessing Risks in an Audit Engagement

What You Really Need to Know

Chapter 6: Assessing Risks In An Audit Engagement

LO1 Explain how the auditor’s understanding of the business risksis used to assess the risk of material misstatement

The business risk-based approach to auditing requires the auditor to understand the auditee’s business risks and strategy and its related internal control. Auditors then assess the risks of material misstatement and design procedures that address the assess risks.
There are two parts of business risk analysis: strategic analysis and business process analysis. A risk-based audit approach places business risk assessment at the heart of the auditprocess.
Business processes are a structured set of activities designed to produce a specific output that matches business strategy – processes work to create value for customers and thus achieve strategic objectives. Changes in technology and ecommerce can affect business risks and processes.
Business performance analysis ideally considers financial and nonfinancial performance measures and the interrelationship between the two (for example increasing sales and gross margins should relate to market share increases or process efficiencies).

LO2 Identify the principal assertions in management’s financial statements and the related risks of material misstatement

Management the following assertions about how the financial statements represent the underlying economicdata in the accounting system: existence; completeness; ownership (rights and obligations); valuation (measurement and allocation); and presentation (classification and disclosure).
Existence establishes with evidence that balance-sheet assets,liabilities, and equities are actually real. For revenue and expense transactions, the existenceassertion is also described as occurrence.
Completeness establishes with evidence that all valid transactions and accounts that shouldbe presented in the financial reports are included. A completeness error exists when a transactiontotal or account balance is understated.
Proper cutoff means accounting for all transactions that occurred during a period without postponing some recordings to the next period (completeness) or accelerating next-period transactions intothe current-year accounts (existence). Simple cutoff errors occur in the revenue accounting process when late-December salesinvoices are recorded for goods not actually shipped until January.
The objective related to ownership is establishing, with evidence, the ownership (rights) for assets, “ownership” (obligations) for liabilities, and the propriety of revenue andexpense transactions.
The objective related to valuation (also stated as measurement, or allocation) is determiningwhether proper dollar amounts have been assigned to the assets, liabilities, equities,revenue, and expense recognized in the financial statements. It can involve evaluating the measurementapproach used (historic cost, fair value, present value) or the method of allocatingjoint costs.
Auditors also must determine whether accounting principles are properly selected and applied and whether disclosures are adequate—all of the aspects of financial statement presentation. One specific objective ofpresentationis proper balance sheet classification (e.g., current versus long-term).
Compliance is not normally listed as a separate assertion; however compliance with laws and regulationsis very important for a business. Disclosure of known non-compliance is necessary for presentation of financial statements in conformity with GAAP. The compliance assertion will increase in importance as new lawsand regulations come into force to improve governance and accountability. When the sole purpose of an engagement is to audit compliance with various laws, regulations,or rules, it is called a compliance audit.
All financial statement audits are designed to confirm these assertions.

LO3 Describe the conceptual audit risk model and its components

Understanding the auditee’s business and performing preliminary analytical procedures help auditors to identify problem areas and make an overall business risk assessment. The organization’s management is responsible for addressing business risk by implementing effective internal control.
To develop the audit work programs, auditors need to assess risk specifically in audit-related terms: inherent risk, control risk, and detection risk.
Inherent risk is the probability that material misstatements have occurred in transactions within the accounting system used to develop financial statements, or that material misstatements have occurred in an account balance. It is the risk of material misstatements occurring in the first place and is a characteristic of the auditee’s business, the major types of transactions, and the effectiveness of its accountants.Management optimism and bias leads to a higher inherent risk of overstatement in asset and revenue accounts and a higher inherent risk of understatement in liability and expense accounts.
Control risk is the probability that the auditee’s internal control policies and procedures will fail to detect or prevent material misstatements. Auditors do not create or affect the control risk, but they do evaluate the design of an organization’s control system and test whether the auditee’s system is working as designed. They then assess the probability of material misstatements.Control risk should not be assessed so low that auditors place complete reliance on controls and do not perform any other audit work.
Inherent and control risks can be difficult to assess separately because some internal controls “work” only when errors, irregularities, and other misstatements occur, while others are preventive in nature and so tend to reduce inherent risk. An auditor may make separate or combined assessments of inherent and control risk. Combined, inherent risk and control risk is referred to as the risk of material misstatement.
Detection risk is the risk a material misstatement that has not been prevented or corrected by the auditee’s internal control will not be detected by the auditor. It is the auditor’s responsibility to reduce detection risk to an acceptably low level by performing evidence-gathering procedures known as substantive procedures. Two categories of substantive procedures are (1) tests of the details of transactions and balances and (2) analytical procedures applied to produce circumstantial evidence about dollar amounts in the accounts.
Audit risk is related to information risk and auditing is fundamentally a risk management process. Audit risk is the probability an auditor will fail to express a reservation that financial statements are materially misstated. Audit risk can at best be controlled at a low level but not eliminated, even when audits are well planned and carefully performed. Generally, as the risk of being sued for material misstatement increases, an auditor will decrease planned audit risk to compensate for the increased risk associated with the engagement.
The audit fails if all of the following three events occur: (1) there is a material misstatement to start with (inherent risk), (2) the internal controls fail to detect and correct the material misstatement (control risk), and (3) the audit procedures also fail to detect the material misstatement (detection risk).
Audit Risk Model

Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR)

LO4 Explain the usefulness and limitations of the audit risk model in conducting the audit

Audit Risk Model

Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR)

The objective is to limit audit risk to a low level by assessing inherent risk and control risk as high, moderate or low.
For example, an auditor thought an inventory balance had a high inherent risk of materialmisstatement (say, IR = 0.90) and that the auditee’s internal control was not veryeffective (say, CR = 0.70). If the auditor wanted audit risk at a 5% level (AR = 0.05),planned audit procedures would need to achieve detection risk (DR) that did not exceed 0.08(approximately). The model can be used for planning the audit work by rearranging it tosolve for DR.

AR = IR × CR × DR

DR = AR / (IR × CR) = 0.05 / (0.90 × 0.70) = 0.08

Materiality refers to the magnitude of a misstatement, while audit risk refers to the levelof assurance that material misstatement does not exist in the financial statements. Themateriality decision is based on how misstatements will affect financial statement users.
Audit risk and materiality are planned early in the audit and are used throughout the audit for financial statements as a whole, as well as for individual accounts.
Inherent risk, control risk and detection risk vary by assertion for each account balance, transaction stream and disclosure.
The business risk-based audit approach was set out by CAS. The approach ensures the auditor understands the client’s business risks and strategy before assessing the risks of material misstatement in the financial statements.

LO5 Outline the relationship among the business processes and accounting process (or cycles) that constitutean organization’s information system and management’s general purpose financial statements

An accounting process can be thought of as a cycle. Accounts go together in theaccounting information system because they record transaction information from thesame business activity and run through the same accounting process over and over, in acycle. These transactions are recorded by the organization’s accountants usingjournal entries involving the same set of accounts. The cycle perspective looks at accountsgrouped according to routine transactions. Auditors find it easier to audit the related accounts with a coordinated set of procedures instead of attacking each account alone.
The four simplified accounting processes are the(1) revenue process, (2) purchasing process, (3) production process, and (4) financing process.

LO7 Explain how an auditor uses an understanding of the auditee’s business risk and its managementrisk assessment processes to assess the risk of material misstatement in the assertions of its financialstatements.

The auditor knows that management has to consider risk as part of the operations of an organization.
There are four ways of managing risk: avoidit; monitor it; reduce it; or transfer it.
Risk is composed of two factors in the analysis: the likelihood the risk will occur andthe magnitude of the risk. Management controls minimize both the likelihood of a risk and the impact that the risk will have.
Risks that are not moved into the low category by managementcontrols represent categories for which the controls fail to reduce the risks that the financialstatements do not portray the actual business performance. These are areas that needto be audited with the greatest care.

What You Really Need to Know 6-1