Auditing

Chapter 4
8e

Gramling
Rittenberg
Johnstone

Audit Risk,
Business Risk,
and Audit
Planning

Copyright 2012 South-Western/Cengage Learning

Audit Opinion Formulation Process

LO1: Nature of Risk

Risk is a pervasive concept. Four critical
components of risk that are relevant in
conducting an audit
Business riskrisk that affects the operations and
potential outcomes of organizational activities
Financial reporting riskrisk that relates to the
recording of transactions and the presentation of
the financial data in an organizations financial
statements

Nature of Risk (continued)

Engagement Riskrisk that auditors encounter by
being associated with a particular client, including
loss of reputation, inability of the client to pay the
auditor, or financial loss
Audit riskrisk that the auditor may provide an
unqualified opinion on financial statements that are
materially misstated

Overview of Risk Elements Affecting

an Audit

LO2: Managing Engagement Risk Through

Client Acceptance and Retention Decisions
Management integrity
Previous Auditors
Prior-Year Audit Experience
Independent Sources of Information

Independence and competence of management and

the board of directors
Quality of managements risk management process
and controls

Managing Engagement Risk Through Client

Acceptance and Retention Decisions (continued)
Reporting requirements, including regulatory
requirements
Participation of key stakeholders
Existence of related-party transactions
The financial health of the organization

High-Risk Audit Clients

Characteristics of High-risk Clients/Companies

Inadequate capital
Lack of long-run strategic and operational plans
Low cost of entry into the market
Dependence on a limited product range
Dependence on technology that may quickly become
obsolete
Instability of future cash flows
History of questionable accounting practices
Previous inquiries by the SEC or other regulatory agencies

Purpose of Engagement Letter

The auditor and client should have a mutual
understanding of the audit process
The auditor should prepare an engagement letter
to clarify the responsibilities and expectations of
each party, and to summarize and document this
understanding including the
Nature of the services to be provided
Timing of those services

Purpose of Engagement Letter

(continued)

Expected fees and basis on which they will be

billed (fixed fee, hourly rates)
Auditor responsibilities including the search for
fraud
Client responsibilities including preparing
information for the audit
Need for any other services to be performed by the
firm

LO3: Managing Audit Risk

What is Materiality
The auditor is expected to design and conduct an audit
that provides reasonable assurance that material
misstatements will be detected
The FASB defines materiality as the
Magnitude of an omission or misstatement of accounting
information that, in light of surrounding circumstances,

makes it probable that the judgment of a reasonable

person relying on the information would have been
changed or influenced by the omission or misstatement

Managing Audit Risk

Materiality has three significant dimensions:
Size of the misstatement (dollar amount)
Circumstancessome things are viewed more critically
than others
User impactimpact on potential users and the type of
judgments made

Determination of materiality is situation specific

Although this makes determination more difficult, it
allows the auditor to adjust the rigor of the audit to
reflect the risk of the engagement

Managing Audit Risk

The lower the dollar amount of set materiality, the more
rigorous the examination

Most firms have guidelines for setting materiality

Guidelines usually involve applying percentages to
some base
Guidelines may also be based on nature of the industry
or other factors

Auditors initially set planning materiality for the

statements as a whole, and then allocate this to
individual accounts based on their susceptibility to
misstatement

LO4: Understanding the Audit Risk

Model
What is Audit Risk?
The risk that the auditor may provide an
unqualified opinion on materially misstated
financial statements.
The auditor assesses engagement risk first, then
sets audit risk

Understanding the Audit Risk

Model (continued)
Audit risk is inversely related to engagement risk
If the auditor accepts a client with high engagement risk
The auditor must conduct a more rigorous audit
The auditor does this is by setting audit risk at a low level

If the auditor accepts a client with low engagement risk

The auditor will set audit risk at a higher level

Inseparability of Audit Risk &

Materiality
Audit risk and engagement risk relate to
factors that might encourage someone to
challenge the auditors work
For example, transactions that might not be
material to a healthy company might be
material to financial statement users for a
company on the brink of bankruptcy

Inseparability of Audit Risk &

Materiality (continued)
The following factors help integrate the concepts of risk and materiality:
All audits involve testing and cannot provide 100 percent assurance
that the companys financial statement are correct
Some clients are not worth accepting
Auditors must compete in an active marketplace for clients
Auditors need to understand societys expectations of financial
reporting and the audit process
Auditors must identify the risky areas of a business to determine which
accounts are more susceptible to material misstatement
Auditors need to develop methodologies to allocate overall assessments
of materiality to individual account balances

Business Risk and the

Audit Process
Risk-based approach to auditing:
Develop understanding of managements risk
management process
Develop understanding of the business and the risks it
faces
Use the identified risks to develop expectations about
account balances and financial results
Assess the quality of control systems to manage risks
Determine residual risks, and update expectations about
account balances
Manage remaining risk of account balance misstatement
by determining the direct tests of account balances
(detection risk) that are necessary

The Audit Risk Model

The auditor sets desired audit risk based on
assessed engagement risk

AR IR CR DR
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk

The Audit Risk Model (continued)

The audit risk model allows the auditor to consider
the following:
Complex or unusual transactions are more likely to
recorded in error than are simple or recurring transactions
Management may be motivated to misstate earnings or
assets
Better internal controls mean a lesser likelihood of
misstatement

The amount and persuasiveness of audit evidence gathered

should vary directly with the likelihood of material
misstatements

The Audit Risk Model (continued)

Inherent RiskSusceptibility of transactions
to be recorded in error
Inherent risk is higher for some items:
Complex transactions are more likely to be
misstated than simple transactions
Estimated balances more likely to be misstated than
fact based balances

The auditor assesses inherent risk

The Audit Risk Model (continued)

Control RiskRisk that the client internal control
system will fail to prevent or detect a misstatement
The quality of controls often varies between classes of
transactions
The auditor assesses control risk

Environment Riskinherent and control risks

combined
Reflects the likelihood of material misstatements occurring

Detection riskrisk that the audit procedures will

fail to detect material misstatements
Relates to the effectiveness of audit procedures and their
application

The Audit Risk Model (continued)

Detection risk is controlled by the auditor and is an integral
part of audit planning
The level of detection risk set directly determines the rigor
of the substantive audit work performed

AR IR CR DR

Audit risk is set inversely to the assessed level of

engagement risk
After audit risk is set, the auditor assesses inherent
and control (environment) risks
The auditor sets detection risk INVERSELY to
environment risk

The Audit Risk Model (continued)

Example, if the auditor is examining transactions with high
inherent risk, or weak controls, the auditor will set a low
detection risk

Low detection risk means a low probability of NOT

detecting material misstatements
To achieve low detection risk, the auditor will have to
perform more rigorous substantive testing
For example, larger sample sizes, more reliable forms of
evidence, assign more experienced auditors, closer
supervision, greater year-end (rather than interim) testing

The Audit Risk Model (continued)

The audit risk model shows that the amount, nature,
and timing of audit procedures depends on the level
of audit risk an auditor assumes, and the level of
client-related risks

LO5: Limitations of Audit Risk

Model
Inherent risk is difficult to formally assess
Audit risk is judgmentally determined
This model treats each risk component as separate
and independent when in fact, this is not the case
Audit technology is not so precise that each
component of the model can be accurately assessed
Because of these limitations, many auditors use the audit risk
model as a functional, rather than mathematical model

LO6: Planning the Audit using the

Audit Risk Model

Developing an Understanding of
Business and Risk
There are a number of information sources
(including electronic sources) that auditors use
to develop an understanding:

Knowledge management systems

Online searches
Review SEC filings
Company web sites
Economic statistics
Professional practice bulletins
Stock analysts reports

Understanding Key Business

Processes
Each organization has a few key processes that give
them a competitive advantage (or disadvantage)
The auditor should gather sufficient information to
understand

The key processes

The industry factors affecting key processes
How management monitors key processes
The potential operational and financial effects associated
with key processes

Understanding Key Business

Processes: Sources of Information

Management inquiries
Review of clients budgets
Tour clients plant and operations
Review data processing center
Review important debt covenants and board of
director minutes
Review relevant government regulations and
clients legal obligations

Developing Expectations
Auditor should use information about the companys
key processes and risks to develop expectations about
its account balances and performance
These expectations should be
Developed independently of management
Documented, along with a rationale for the expectations

Communicated to all audit team members

Assessing the Quality of

the design of Internal Controls
Controls include policies and procedures set by
management to manage risk
Auditor is particularly interested in those controls
designed to protect the companys key processes and
the measures used to monitor the operation of these
controls
Examples of these measures (key performance
indicators):
Backlog of work in progress
Amount of return items

Assessing the Quality of

the design of Internal Controls (continued)
Increased disputes regarding accounts receivable or
accounts payable
Surveys of customer satisfaction
Assessment of risk associated with financial instruments
Current level of collection (loans and receivable)
Employee absenteeism
Decreased productivity
Information processing errors
Increased delays in important processes

Managing Detection and

Audit Risk
The auditor manages audit risk by
Adjusting audit staff to reflect risk associated with a
client
Developing substantive tests of account balances
consistent with detection risk
Anticipating potential misstatements likely associated
with account balances

Adjusting the timing of audit tests to minimize overall

audit risk

Understanding Managements Risk

Management and Control Processes
Techniques used to understand the risk
management and control processes in place
Develop an understanding of the process
Review the risk-based approach used
Interview management about its risk approach,
preferences etc.
Review outside regulatory reports
Review company policies and procedures for
addressing risk

Understanding Managements Risk

Management and Control Processes

Understanding companys compensation schemes

Review prior years work
Review risk management documents
Determine how management and the board
monitor risk, identify changes in risk, and react to
mitigate, manage, or control the risk

LO7: Using Analytical Techniques to

Identify Areas of Heightened Risk
Auditors use analytical procedures to develop
expectations of account balances
These expectations are compared to recorded
book values to identify misstatements
Sources of data commonly used:
Financial information for prior periods
Expected or planned results from budgets and
forecasts

Using Analytical Techniques to Identify

Areas of Heightened Risk (continued)
Expected or planned results from budgets and
forecasts
Comparison of linked accounts relationships (such
as interest expense and debt)
Ratios of financial information (such as commonsize financial statements)
Company and industry trends
Relevant non-financial information

Process for Performing Analytical

Procedures
Develop an expectation (informed expectation)
Determining the gap between auditors
expectation and what the client has recorded.
The maximum acceptable difference is referred to
as a threshold
Differences in excess of the threshold will have to
be investigated by the auditor

Identifying the differences need to be

investigated in greater detail

Questions arising from comparing

expectations to the clients records
Why is this company experiencing such a rapid
growth in insurance sales when its product depends
on an ever-rising stock market and the stock market
has been declining for the past three years?
Why is this company experiencing rapid sales growth
when the rest of the industry is showing a downturn?
Why are a bank clients loan repayments on a more
current basis than those of similar banks operating in
the same region with the same type of customers?

LO 8: Types of Analytical

Procedures
Techniques commonly used
Trend analysis
Includes simple year-to-year comparisons of account
balances, graphic presentations, and analysis of
financial data, histograms of ratios, and projections of
account balances based on the history of changes in the
account

Types of Analytical Procedures

(continued)

Ratio analysis
Useful in identifying significant differences between the
client results and a norm (such as industry ratios) or
between auditor expectations and actual results
Useful in identifying potential audit problems
It has power to identify unusual or unexpected changes
in relationships

Commonly Used Financial Ratios

Types of Analytical Procedures

Ratio and trend analysis are generally carried
out at three levels:
Comparison of client data with industry data
May indicate problems with product quality or credit
risk
May result in problems in banks concentration of loans
Data may not be comparable with clients data

Types of Analytical Procedures

(continued)

Comparison of client data with similar prior-period

data
It is important that the auditor go through each of the
steps in the process, beginning with the development of
expectations

Comparison of preliminary client data with

expectations developed from industry trends, client
budgets, other account balances, or other bases of
expectations