Lesson 5: Audit Risk Assessment and Risk Reponse

Levels of Determining Risk of Material Misstatement (RMM)

1. RMM at financial statement level

2. RMM at the assertion level

RMM at Financial Statement Level

Risks that relate pervasively to the financial statements as a whole, and can potentially affect many assertions (e.g., business continuity risk, fraud risk, control environment risk, etc.).

RMM at the Assertion Level

Risks that affect specific assertions related to classes of transactions, account balances, and disclosures. RMM at the assertion level consists of inherent risk and control risk.

Risk

The uncertainty an auditor accepts when performing an engagement

Audit Risk

The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Auditor must obtain sufficient appropriate audit evidence to reduce this to an acceptably low level

Audit Risk Formula

Inherent Risk x Control Risk x Detection Risk

Inherent Risk (IR)

The measure of the auditor’s assessment of the likelihood that a material misstatement might occur in the first place, without considering the effect of internal controls. A thorough understanding of the business is needed to assess this.

Control Risk (CR)

The measure of an auditor’s assessment of the likelihood that a material misstatement will not be prevented or detected by the system of internal control. However, for the auditor to assess this, an understanding of the control system must first be obtained.

Detection Risk (DR)

The risk that the audit procedures will fail to detect material misstatements. Auditors manage this by adjusting the nature (type of procedure and quality of evidence), timing (year-end versus interim), and extent (quantity) of their audit procedures based upon their assessment of RMM. The auditor can control the level of this risk by increasing the amount of audit evidence gathered. This is the only part of the audit risk model that the auditor can control. In other words, the auditor has no control over inherent risk factors (i.e. events or conditions that affect the risk of material statements) and internal controls implemented by management.

Factors that Effect Inherent Risk

• complexity (e.g., complex regulation, business model, and accounting process);

• subjectivity (e.g., objective accounting estimation, such as allowance for doubtful accounts and recognition of amortization);

• change (e.g., economic conditions, markets, and new regulation);

• uncertainty (e.g., pending legislation and contingent liability); and

• susceptibility to misstatement due to management bias and/or fraud risk factors (e.g., concerns over management integrity and significant nonroutine transactions).

CAS 315 Highlighted Significant Risks

• Transactions for which there are multiple acceptable accounting treatments, such that subjectivity is involved.

• Accounting estimates that have high estimation uncertainty or complex models. Estimation uncertainty is often related to assumptions about future events, which are difficult to predict.

• Account balances or quantitative disclosures that involve complex calculations.

• Accounting principles that may be subject to differing interpretation.

• Changes in the entity’s business that involve changes in accounting, for example, mergers and acquisitions.

• Non-routine related-party transactions.

CAS 240 Required Risk Assessments

• Discuss with audit team members the risks of material misstatement due to fraud.

• Make inquiries to management, those in charge of governance, and others regarding processes for identifying and responding to fraud risk.

• Evaluate unusual and expected relationships identified when performing analytical review procedures.

• Evaluate the risk for revenue fraud and management override and understand period end.

CAS 240 Conditions for fraud that occur (Fraud Triangle)

1. Incentives/Pressures

2. Opportunities

3. Attitudes/rationalization

Incentives/Pressures

• pressure to misstate financial statements–a decline in earnings can lead to earnings manipulation

• pressure to misappropriate material assets–personal financial obligations

Opportunities

• environment–inventory in many locations, weaknesses in accounting and information systems

• environment–weak internal controls, inadequate segregation of duties

Attitude/Rationalization

• ethical values and character of CEOs and to management–rationalize dishonest act

• ethical values and character of management and employees–rationalize dishonest act

Process to Identify Strengths/Weaknesses of the Internal Control System

1. Evaluate the design of the control

2. Determine if the controls have been implemented

3. Evaluate the competence of the people carrying out the controls

4. Evaluate the adequacy of information technology

CAS 330 Risk Response Strategies

• Assign more experienced staff or those with special skills, or use experts.

• Instruct the engagement team to maintain a heightened level of professional skepticism.

• Increase involvement of audit partners and managers.

• Close supervision and review.

• Incorporate additional elements of unpredictability in the selection of further audit procedures to be performed.

• Consider if changes need to be made to the overall audit strategy (such as performance materiality, audit approach, nature, timing, and extent of substantive procedures).

Choices for Developing Audit Procedures

1. Test of Controls

2. Substantive Procedures (Tests of Details or Substantive Testing and Substantive Analytical Procedures)

3. Combined Approach

Test of Controls

The auditor selects some processes or procedures (e.g., control activities) carried out by client staff and examines whether the controls worked or not. For example, to test the controller’s approval of the client’s monthly payroll summary before payments, the auditor would look for the signature/initial of the controller on a copy of the payroll summary.

Substantive Procedures

• Test of Details

• Substantive Analytical Procedures (SAPs)

Test of Details

In this approach, the auditor does not plan to rely upon controls, either because the controls are ineffective, or it is not efficient to test controls.

The substantive audit approach includes tests of details and analytical procedures. The auditor performs this approach to identify dollar misstatements using the five transaction-related assertions (occurrence, completeness, accuracy, cutoff, and classification).

Substantive Analytical Procedures (SAPs)

Designed to provide evidence at the assertion level. In other words, are the use of analytical procedures as substantive testing procedures in the audit risk response. CAS 520 describes the process of developing these:

• Develop an independent expectation

• Define significant difference

• Compute the difference

• Investigate significant difference

Are more applicable to large volumes of transactions that tend to be predictable over time and depend upon the auditor’s assessment of how effective they will be in detecting a misstatement.

Combined Approach

Combination of control tests and substantive tests. For example, if the auditor determines to rely heavily on the client’s internal controls because of low control risk, the auditor may plan to perform an extensive amount of control tests (larger sample size), extensive substantive analytical procedures, and a small amount of tests of details (smaller sample size).