SESSION 09 – UNDERSTANDING THE ENTITY, AUDIT RISK AND ENGAGEMENT RISK

OVERVIEW

Objective

To describe how the auditor, through understanding the entity and controls, aims to minimise audit risk.

UNDERSTANDING THE ENTITY: ISA 315; Methods; Team discussions; Sources of knowledge; Using the knowledge
NEW AND CONTINUING AUDITS: Matters to consider; Information needs; Objectives, strategies, business risks; Accounting policies; Updating existing clients
ANALYTICAL PROCEDURES: Planning stage; Ratio analysis; Expectations and performance measures; Information needs
AUDIT MATERIALITY: Session 10
INTERNAL CONTROL: Understanding; Methods; Management monitoring; Impact on audit; Reporting weaknesses
AUDIT RISK: Concept; Relationship to business risk; Assessing risk of material misstatement; Basic principles; Inherent risk; Control risk; Detection risk; Significant risk; Documentation
FRAUD & ERROR: Session 11
ENGAGEMENT RISK: Basic concept; Client business risk; Audit risk; Auditor’s business risk; Engagement risk process

UNDERSTANDING THE ENTITY, ITS ENVIRONMENT AND CONTROLS

1.1 ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment

ISA 315 requires the auditor to identify risks arising from the entity and its environment, including relevant controls, by:
- understanding the entity, its environment and controls; and
- considering the impact on transactions (e.g. sales, expenses), account balances (e.g. non-current assets, payables) and disclosures (e.g. related party transactions) in the financial statements.

Relate the risks that have been identified to what can go wrong:
- at the assertion level (e.g. occurrence, completeness, accuracy, cut-off, and classification of transactions and events); and
- at the overall financial statement level (e.g. where many assertions are impacted thus risk is pervasive throughout the financial statements).

Consider whether the risks are of the
type and magnitude that could result in a material misstatement of the financial statements.

Consider the likelihood that the risks could result in a material misstatement of the financial statements.

Understand internal control by considering the design and implementation of relevant internal controls to assess the potential risk of material misstatements.

Plan, design and perform appropriate audit procedures in response to those identified risks.

In other words:
- understand the business, its environment and controls to establish what could go wrong (in that the financial statements contain a material error); then
- identify the ways in which material errors could arise and devise a work programme to test to see if they have (ISA 330 and ISA 500).

1.2 Methods

Obtaining an understanding of the entity and its environment, including its internal control, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit.

To obtain the necessary level of understanding, auditors must, for example:
- make inquiries of management and others within the entity (e.g. business objectives, governance, production, marketing, internal audit, key employees);
- carry out analytical procedures (e.g. on internal and external generated information);
- observe (e.g. activities and operations) and inspect (e.g. business plans, strategies, internal audit risk assessments, records, procedure manuals, premises and plant);
- read reports prepared by management (e.g. monthly management accounts) and those charged with governance (e.g. board minutes);
- review external sources of information and benchmark against similar companies in the same activity; and
- carry out other procedures (e.g. visit premises and facilities, walk through systems relevant to financial reporting, review external sources of information).

Prior year information (e.g. organisational structures, control environment, management attitude
and actions to control breaches) can be used as long as it is up to date (i.e. check and update as required).

Information obtained from client acceptance procedures and other client engagements (e.g. review of interim financial statements) may also be relevant in obtaining an understanding of the entity.

1.2.1 Use of information systems

Much of the information obtained will be used within a series of (expert systems) business templates to assess and understand potential weaknesses that could result in material financial statement errors (as well as providing added value business assessments to the client).

Information systems will also be used, for example:
- to store and categorise the data held on each client and provide quick access through key word searches;
- to search external databases (eg newspapers, trade, regulators) based on key words (eg entity name, industry name, competitor names, product names) to find data relevant to the understanding of the entity’s business.

1.3 Audit team discussions

Discussions should be held (at least) amongst the (senior and key members of the) engagement team about the susceptibility of the financial statements to material misstatement, including fraud risk (see Session 11).

By holding such discussions:
- the more experienced engagement team members brief other members and share their knowledge and audit experience of the entity (the engagement partner must be involved at least with the highest levels of the briefing process);
- team members exchange information about the business risks to which the entity is subject and about how and where the financial statements might be susceptible to material misstatement;
- members of the engagement team obtain a better understanding of the potential for material misstatements of the financial statements resulting from fraud or error in the specific areas assigned to them; and understand how the results of the audit
procedures that they perform may affect other aspects of the audit including the decisions about the nature, timing, and extent of further audit procedures.

The discussion should also emphasise the need to:
- address the application of the applicable financial reporting framework to the entity’s facts and circumstances;
- maintain professional scepticism throughout the engagement;
- be alert for information or other conditions that indicate that a material misstatement due to fraud or error may have occurred; and
- be rigorous in following up on such indications.

Such discussions must always be documented along with the decisions made and the impact on the audit approach.

Team members not involved in the discussions must none-the-less be informed of the outcome and specific impact on areas relevant to their responsibilities. This would usually be achieved through the use of a client planning memorandum (detailing, for example, the audit strategy, work programme, areas of risk) and verbal briefing by the team supervisor/manager prior to commencing each audit section.

All team members must have sufficient understanding of the entity to enable them to perform the work delegated to them and understand how it fits in, and overlaps, with the rest of the audit.

1.4 Sources of knowledge

Example

Suggest examples of the sources which provide background knowledge.

Client        Auditor        External

1.5 Using the knowledge

To establish a framework within which the audit is planned and professional judgment exercised in assessing risks of material misstatement and responding to those risks throughout the audit.

Meaning:
- To assess various components of audit and business risk and to develop the audit strategy and audit plan.
- To determine materiality levels and judge if they remain appropriate as the audit progresses (see Session 10).
- Developing expectations for use when performing analytical procedures.
- Identifying areas where
special audit consideration may be necessary, for example, related party transactions, the appropriateness of management’s use of the going concern assumption, or considering the business purpose of transactions.
- Designing and performing further audit procedures to reduce audit risk to an acceptably low level.
- To evaluate the sufficiency and appropriateness of audit evidence (see Session 15) including, for example, management representations (see Session 20).
- To recognize conflicting information, unusual circumstances and effectively apply professional scepticism.
- To make informed enquiries and assess the reasonableness of responses.
- To appraise the appropriateness of the selection and application of accounting policies and the adequacy of financial statement disclosures.
- To provide a better service to clients and be responsive to their needs.

NEW AND CONTINUING AUDITS

2.1 Matters to consider

BEFORE ACCEPTING APPOINTMENT
- Capability and resources
- Independence
- Problems e.g. professional reasons (“enquiry” letter)

AFTER ACCEPTING APPOINTMENT
- Obtain a more detailed understanding of the entity and its environment sufficient to plan an effective and efficient audit

(See Session 5.)
2.2 Information needs

ISA 315 requires the auditor to obtain an understanding of the:
- nature of the entity, its operations, ownership, governance, investments, structure and financing;
- relevant industry, regulatory, and other external factors including the applicable financial reporting framework;
- entity’s selection and application of accounting policies and changes;
- entity’s objectives and strategies; and
- the measurement and review of the entity’s financial performance.

Example

For a new client suggest, under the following headings, what information you will require to enable you to obtain a sufficient understanding of the entity and its environment under ISA 315.

Solution

- GENERAL ECONOMIC
- INDUSTRY
- MANAGEMENT AND OWNERSHIP
- BUSINESS
- FINANCIAL PERFORMANCE
- REPORTING ENVIRONMENT

2.3 Objectives, strategies and related business risks

All of the above elements will be taken into account by the entity when setting its objectives and strategies. As the environment within which the entity operates changes (as it will) so the objectives and strategies for achieving those objectives must change. If the entity fails to change, its business will be at risk – business risk through failure to change (see Session ).

Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies, or through the setting of inappropriate objectives and strategies.

In addition to the examples given within Session 8, further examples of business risks to be managed in relation to objectives and strategies include:
- Industry developments (e.g. that the entity does not have the personnel or expertise to deal with changes or increased complexity in the industry, or does not recognise the need for change)
- New products and services (e.g. that
there is increased product liability or that the product may fail)
- Expansion of the business (e.g. that the demand has not been accurately estimated, the market incorrectly analysed)
- New accounting requirements (e.g. incomplete or improper implementation of a new IFRS, or increased costs)
- Regulatory requirements (e.g. that there is increased legal exposure)
- Current and prospective financing requirements (e.g. the loss of financing due to the entity’s inability to meet requirements)
- Use of IT (e.g. the loss of e-commerce facilities due to a failure within the system)

2.4 Selection and application of accounting policies

The auditor needs to understand how the entity selects and applies accounting policies, eg are they appropriate for the business and consistent with the financial reporting framework and accounting policies used in the relevant industry. An incorrect or aggressive application relates to a financial statement risk.

Of particular risk will be:
- the methods the entity uses to account for significant and unusual transactions;
- the effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus;
- the way changes in accounting policies are dealt with; and
- the impact of reporting standards (eg IFRS), laws and regulations that are new to the entity which must be understood.

For example, where the IFRS is new (ie not an update) is the application appropriate and the implementation requirements/disclosures applied? Where the IFRS is a revised standard, have the transition provisions (or IAS where appropriate) been correctly applied and appropriate disclosures made?
Also note:
- Basic, core IFRS are already in issue. New IFRS will more than likely relate to complex issues with the financial statement risk of inappropriate application.
- First time application of IFRS under IFRS must be considered high risk as the entity will have little experience of IFRS application. The experience of the UK indicates that it may take up to three issues of IFRS statements (ie three years) for entities to “iron out” the complications of switching from local GAAP to IFRS.

2.5 Updating existing clients

In the case of entities audited in prior years, historic key information required for planning will be available in the working papers (“WPs”) and other files (e.g. computer knowledge bases).

But as entities are adaptive and dynamic and operate in a dynamic environment, the auditor must consider events, transactions and practices that will have changed during the financial year. Basically, where were we; what has changed within the business and its environment to change the nature of risks; where are we now.

Where changes are identified, their impact on the entity, its business and financial reporting environment must be understood (e.g. when and how the entity dealt with such changes).

Changes that will impact the business in a future financial period cannot be ignored. What business risk is there to the entity arising from these changes? Does that risk impact the current financial statements? For example, future changes in regulations may create a going concern risk.

Reasons for changes in the selection of, or method of applying, accounting policies must be ascertained. Any change must be appropriate and consistent with the requirements (including disclosure) of the applicable financial reporting framework (e.g. IAS Accounting Policies, Changes in Accounting Estimates and Errors).

Example

For an existing client, what changes will need to be documented to ensure a complete understanding of the entity and its environment?
Solution

Internal        External

ANALYTICAL PROCEDURES AND PERFORMANCE MEASUREMENT (ISA 520 ANALYTICAL PROCEDURES)

3.1 At the planning stage

Meaning

The analysis of significant ratios and trends including the resulting investigation of fluctuations and relationships that are inconsistent with other relevant information or which deviate from predictable amounts.

Purpose:
- To assist in understanding business
- To identify areas of potential risk e.g. financial condition
- To plan nature, timing and extent of other audit procedures

Based on:
- Interim financial information
- Budgets/forecasts and management accounts
- Draft financial statements
- Discussions with client
- Understanding the entity and its environment

AUDIT RISK

5.1 Concept

The risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated.

An audit in accordance with ISAs is designed to provide reasonable assurance that the financial statements taken as a whole are free from material misstatement. The concept of “reasonable assurance” implies that there is a risk that the audit opinion will be inappropriate (eg an unqualified opinion when the financial statements are materially misstated).

This risk may be reduced to an acceptable level by designing and performing audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion. This will be achieved through an appropriate audit strategy and work programme (see Session 8) which will be developed following a detailed understanding and analysis of the business, its environment and controls (as discussed above).

Audit risk therefore considers two base risks:
- that the financial statements may be materially misstated prior to audit – financial statement risk; and
- that the auditor may not detect such material
misstatement – detection risk.

5.2 Relationship of audit risk to business risk

Business risk is much broader than financial statement risk but as most business risks will eventually have financial consequences, there will be a ‘cascading’ impact on the financial statements and consequently, financial statement risk.

Embodied within business risk controls will be those controls that directly, or indirectly, relate to financial reporting, operations and compliance.

As already discussed, business risks that have the potential to create financial statement risks (the ultimate business risk relating to a financial statement risk being going concern) must be identified by the auditor.

5.3 Assessing risk of material misstatement

Through obtaining an understanding of the business and its environment, including relevant controls, and considering the classes of transactions, account balances and disclosures in the financial statements, under ISA the auditor must consider the risk of material misstatement at the:
- overall financial statement level (eg such that the financial statements as a whole are misleading); and
- at the transaction, balance and disclosure level (eg an individual item is in error).

No one model for doing this is proposed within ISA. The key points are:
- the auditor is concerned with material misstatement within the financial statements;
- audit risk is reduced to an acceptably low level by the exercise of professional judgement; and
- audit procedures are designed to ensure that audit risk is at an acceptable level.

5.4 Basic principles

Whilst it is irrelevant what names and approaches are used (so long as the model follows the basic principles required by ISAs) the ‘traditional’ model considers that inherent risk, control risk and detection risk are the basic components of audit risk.

Inherent risk and control risk, although separately defined, are often subject to a combined assessment to assess
the risk of material misstatement, eg financial statement risk because of inherent risk and the fact that the controls will not detect such errors. Detection risk is then referred to as ‘residual risk’.

The ‘traditional’ audit risk model deals with inherent risk and control risk separately:

Audit Risk (Ultimate risk) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

Components:
- Inherent Risk (IR) × Control Risk (CR): auditor assesses; exist independently of audit
- Detection Risk (DR): auditor manages/manipulates to achieve acceptable audit risk

An overall acceptable level of audit risk may be quantified as a matter of practice (i.e. audit firm) policy (e.g. 5% meaning that there is a 5% risk of a material error being undetected or conversely, the auditor obtains 95% assurance that there are no undetected material errors). This % may provide the basis for mathematical derivation of detection risk and sample sizes.

Alternately inherent risk and control risk may be designated as High, Medium or Low, with detection risk being the inverse of this relationship (e.g. if both inherent and control risk are high, detection risk will be low).

5.5 Inherent risk

5.5.1 Definition

The susceptibility of an assertion to misstatement that could be material (individually or in aggregate) assuming no related internal controls.

5.5.2 Financial statement vs assertion levels

Auditor assesses:
- At overall financial statement level
- At account balance, transaction or disclosure level

Example

State at which level (financial statement or assertion) the following factors would be evaluated.

Solution

(1) Doubts about the integrity of management
(2) Management inexperience in the preparation of the financial statements
(3) Accounts which involve a high degree of estimation
(4) Entity lacks sufficient capital to continue operations
(5) Potential for technological obsolescence of products and services
(6) Complex underlying transactions which might require using the work of an expert
(7) Highly desirable and movable assets (e.g. cash) susceptible to loss or misappropriation (e.g. theft, embezzlement)
(8) Unusual and complex transactions completed at or near the period end
(9) Changes in consumer demand
(10) Transactions not subject to ordinary processing

5.6 Control risk

5.6.1 Definition

The risk that a misstatement that could occur (at the assertion level) and be material will not be:
- prevented; or
- detected and corrected on a timely basis;
by the internal control system.

5.6.2 Preliminary assessment

An understanding of the design and implementation of internal control will be obtained through understanding the entity and its environment (see Session 9). From this understanding, controls that are key to assessing the risk of material misstatement at the assertion level will have been identified.

Where the controls are suitably designed to prevent, or detect and correct, a material misstatement, tests of the operating effectiveness of the controls can be carried out if considered to be efficient to do so (see Session 13).

5.6.3 Measuring control risk

Control risk is assumed to be high (i.e. high risk of material misstatements in the financial statements) unless:
- internal controls which are likely to prevent/detect/correct material misstatement relevant to the assertion are identified; and
- tests of the operating effectiveness are planned to be performed to support the assessment.

Control risk will be assessed as high when:
- internal control is not assessed to be effective; or
- evaluating the operating effectiveness of controls would not be an efficient audit approach; or
- sufficient audit evidence can be obtained purely from substantive testing.

There will always be some control risk because of the inherent limitations of any internal control system.

Example

Suggest factors that may indicate high control risk.

Solution
5.7 Detection risk

5.7.1 Definition

That the auditor will not detect a misstatement that exists (in the financial statements at the assertion level) that could be material (either individually or in aggregate with other misstatements).

It is a function of the effectiveness of the planning of substantive audit procedures, their application and interpretation by the auditor.

Substantive procedures are those procedures that are performed in order to detect material misstatements in the financial statements and include:
- tests of detail of transactions
- tests of detail on account balances
- tests of detail on disclosures; and
- analytical review

5.7.2 Basic principles

Factors that must be considered to avoid incorrect assessment of detection risk include:
- the possible selection at the planning stage of inappropriate audit procedures (e.g. deciding not to carry out any confirmations, low sample sizes, biased sample selection methods);
- misapplication of an audit procedure by the audit team (e.g. through lack of training, incorrect directional application); and
- misinterpretation of test results (e.g. not recognising the significance of an error or not recognising that there is an error).

Such factors can be minimised through adequate planning, assignment of appropriate staff (e.g. experienced, trained, technically competent), the application of professional scepticism, clear supervision and strong review of the work carried out.

As inherent and control risk assessments influence the nature, timing and extent of substantive procedures to be performed to reduce detection risk (and therefore audit risk) to an acceptably low level, any inappropriate assessment will have a direct, negative, impact on detection risk.

Because of the nature of the audit process and the factors outlined above, some detection risk would always be present even if examining 100% of an account balance or class of transactions. The aim is to
reduce this risk to an acceptable level.

Illustration

An audit firm uses a mathematical audit risk model to determine the levels of detection risk.

Audit risk: Say 5% risk of drawing the wrong conclusion is acceptable. (Most firms operate between 1% and 5%.)
Inherent risk: Assessed at 75% risk that material problems could arise (e.g. High).
Control risk: Assessed at 20% risk that controls may miss material errors (e.g. Low).

Required: Calculate detection risk.

Solution

Using the model ⇒ 0.05 = 0.75 × 0.2 × DR, therefore DR = 0.33 (e.g. Medium).

This means that substantive testing levels will be adequate even if there is a 33% chance of them failing to detect material errors or omissions. But note that most audit work programmes require material items to be selected and tested anyway - regardless of the detection risk assessed and the sample size calculated.

Example

The same firm as in the above example has a new client company that undertakes research and development for the pharmaceutical industry. The client is seeking a listing on the Stock Exchange. Inherent risk is therefore assessed as high (100%) – high risk enterprise, high risk as seeking listing. However, the client appears to have reasonable internal control. Control risk is assessed at 40%.

Required: Calculate detection risk and comment on how it compares with that calculated in the preceding illustration.

Solution

This mathematical model demonstrates the relationship between inherent risk, control risk and detection risk, in that the nature, extent and timing of substantive procedures are inversely related to the assessment of inherent and control risks. For a given acceptable audit risk, when both inherent and control risks are high (high risk that the financial statements may contain a material error), detection risk is assessed as low (higher degree and level of substantive work required) and vice-versa.

Audit Risk    Inherent Risk    Control Risk    Detection Risk
Policy        H                H               L
Policy        L                L               H

High detection risk means that it is only necessary to carry out a minimum level of substantive testing (which will usually include testing all items greater than the materiality level). Because of the low(er) risks of there being a material error within the financial statements (low inherent and low control risks), a lower quantity (e.g. sample size) and lower quality (e.g. indirect evidence rather than direct evidence) of substantive testing may be acceptable.

Low detection risk means that higher levels of substantive testing are required as there is greater risk of a material error being within the financial statements (ie greater testing to lower the risk of a material error not being discovered).

Methods of varying detection risk
Examples where inherent/control risk are high

Change nature of audit work
⇒ Direct tests toward independent parties rather than documentation within entity
⇒ Use tests of detail in addition to analytical procedures

Change extent of audit work
⇒ Use a larger sample size

Change timing of audit work
⇒ Perform a procedure at the period end rather than at an earlier (interim) date

Some substantive procedures should always be carried out for material account balances and classes of transactions.

More evidence should be obtained from substantive procedures the higher the inherent and control risk assessments.

A qualified opinion (or a disclaimer of opinion) should be expressed if detection risk cannot be reduced to an acceptable level (See Session 30).

5.8 Significant risks

Whatever risk model is used, care must be taken to identify “significant risks”, i.e. those risks that relate to significant non-routine transactions and judgemental matters, where there is, for example:
- greater ability for management intervention, e.g. aggressive application of accounting policies, overriding of internal controls;
- greater ability to use manual
override with IS collection and processing of data;
- complex calculations (e.g. fair value, provisions and estimates that provide opportunity for varying outcomes) or accounting policies open to different interpretations;
- subjective judgement based on a significant measurement uncertainty (e.g. a range of values); and
- the nature of the transactions make it difficult to implement effective controls over the risks.

A full understanding of such risks and the management’s internal control and risk assessment procedures must be obtained by the auditor. Such risks would normally be specifically fully tested (ie 100%).

5.9 Matters requiring documentation

- The discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud, and the significant decisions reached.
- Key elements of the understanding obtained regarding each aspect of the entity and its environment, e.g.:
  - industry, regulatory, and other external factors;
  - the applicable financial reporting framework;
  - nature of the entity, including the entity’s selection and application of accounting policies;
  - objectives and strategies and the related business risks that may result in a material misstatement of the financial statements;
  - measurement and review of the entity’s financial performance.
- Internal control components:
  - the control environment;
  - the entity’s risk assessment procedures;
  - the entity’s information systems, including the related business processes relevant to financial reporting and communication;
  - the control activities;
  - the entity’s process of monitoring controls.
- The sources of information from which the understanding was obtained.
- The risk assessment procedures.
- The identified and assessed risks of material misstatement at the financial statement level and at the assertion level.

ENGAGEMENT RISK

6.1 Basic concept

Engagement risk is the overall risk associated with
an assurance engagement, eg risk of litigation, loss of reputation, unpaid fees, low fee recoveries, inappropriate audit opinions, poor client relationships, failure to understand the client’s business. It must be managed by the auditor and reduced to an acceptable level.

The basic components are:
- the clients’ business risk;
- audit risk; and
- the auditor’s business risk.

6.2 Clients’ business risk

The client’s business risk cannot be controlled by the auditor – it is independent of the auditor. However, a thorough understanding of the client’s business risks and how they are managed assists the auditor in understanding potential engagement risk, eg what is the risk that management actions (or inaction) will result in the entity failing to continue in business.

6.3 Audit risk

Audit risk is controlled and determined solely by the auditor. Through a thorough understanding of the entity and its environment (including business risk and internal controls) the auditor can adjust the nature, timing and extent of audit procedures to reduce audit risk to an acceptable level.

In normal circumstances, engagement risk may also be reduced to an acceptable level by an appropriate reduction in audit risk. However, where audit risk cannot be reduced to an acceptable level, engagement risk will remain high, eg the integrity of management is in doubt and no audit procedures can eliminate this fact.

6.4 Auditor’s business risk

As with their clients, auditors are faced with business risk, ie the risk that they will not achieve their objectives. For example, their business is regulated (eg loss of registered auditor status will impact earning capabilities), exposed to litigation, adverse publicity, inability to attract/retain experienced staff, failure to keep technically up to date, failure to maintain fee levels and high risk clients (engagement risk).

Such business risks can be managed. In respect of engagement risk, the
risk related to clients can be managed through good client acceptance and retention procedures (see Session 5).

6.5 Engagement risk procedures

Engagement risk must be addressed throughout the audit, from the initial decision to accept a new client (or continue to service an existing client) to planning the engagement, carrying out the audit procedures, reviewing the results of such procedures and the issue of the audit report.

The keys to an acceptable engagement risk are:
- strong client acceptance procedures (e.g. not accepting clients who have a tendency to change auditors on a regular basis, who are “litigation happy”, who require services beyond the auditor’s capabilities);
- continuous review for change of client relationships and behaviour throughout the audit (e.g. reducing integrity, sudden use of aggressive application of accounting policies; continuous challenges to auditor recommendations for changes to financial statements);
- closedown review of client continuance (e.g. are there any factors that will increase engagement risk for the next audit).

FOCUS

You should now be able to:
- explain how auditors obtain an initial understanding of the entity and knowledge of its business environment;
- explain the components of audit risk;
- explain why an auditor needs to obtain an understanding of internal control activities relevant to the audit;
- describe the use of information technology in risk analysis;
- identify and describe engagement risks affecting the audit of an entity.

EXAMPLE SOLUTION

Solution — Sources

Client | Auditor
- Directors/senior operating personnel
- Previous relevant experience
- Internal audit and Governance
- Specialist publications (e.g. on hotel audits)
- Website
- Technical experts (e.g. IS, extractive industries)
- Visit to premises and plant facilities
- Specific employees involved in process
- Minutes of meeting
- Documents sent to shareholders/filed with authorities
- Financial budgets and management reports
- Chart of accounts and Job descriptions
- Procedures manuals

External
- Predecessor auditor
- Legal advisors
- Industry regulators
- Government data
- Customers
- In-house knowledgebase
- Suppliers
- CAF/PAF
- Competitors
- Business process templates
- Trade journals
- Financial press
- Websites

Solution — Information

GENERAL ECONOMIC FACTORS | THE INDUSTRY
- Recession
- Market/competition
- Growth
- Costs of entry
- Interest rates
- Cyclical/seasonal trade
- Sources of finance
- Technology/fashion
- Inflation
- Key ratios and performance measures
- Government policy (e.g. monetary, fiscal, trade)
- Specific accounting practices, GAAP
- Investment incentives (e.g. regional development grants)
- Foreign exchange (rates and controls)
- Regulatory/environmental requirements
- Energy supply and costs
- Workforce skills
- Fresh-field sites
- Availability and education of workforce

MANAGEMENT & OWNERSHIP | BUSINESS
- Corporate structure
- Nature (manufacturer, exporter)
- Owners and related parties
- Locations (office/production/storage)
- Local/foreign
- Employment (union contracts)
- Capital structure
- Products/services/markets
- Organizational structure
- Conduct of operations (e.g. service logistics, production, segments)
- Philosophy and strategic plans
- Acquisitions and disposals
- Sources of finance
- Major/dependent suppliers/customers (delivery methods e.g. JIT)
- Board of directors and governance
- Alliances, joint ventures and outsourcing activities
- Operating management
- Inventories (type, location, quantities)
- Internal audit
- Research and development
- Attitude to internal control environment
- Information systems and use of ecommerce (nature and dependency)
- Debt structure (including covenants)

FINANCIAL PERFORMANCE | REPORTING ENVIRONMENT
- Key ratios, trends
- Legislation and regulations
- Performance indicators (e.g. share price, EPS)
- Appropriate selection and application of accounting principles and use of GAAP
- Employee measures and compensation
- Audit reporting requirements (shareholders, regulators and other third parties)
- Period-on-period financial performance
- Taxation
- Accounting principles
- Revenue recognition
- Accounting policies
- Use of fair values
- Earnings/cash flow
- Users of financial statements
- Leasing commitments
- Lines of credit
- Off-balance sheet finance
- Foreign currency and interest rates

Solution — Changes

Internal
- Business developments (e.g. ecommerce, discontinued operations)
- New products, services
- Key personnel (starters and leavers)
- Changes within business and financial control systems
- Governance/internal audit work and reports
- Regulator visits and reports
- Administration and IT functions
- Pending litigation

External
- New legislation and regulation (e.g. environmental, health and safety)
- Latest financial reporting standards
- Changes in the application of accounting policies
- Changes in specialist regulations (and trade unions)
- Competitors and their products
- Economic (interest/foreign exchange/tax rates etc.)
- Volatility of markets (supplier, customer, financial)
- Industry practices
- Changes in local and national government

Solution — Inherent risk factors

Financial statements level: (see Discussion below), 2, 4, &
Assertion level: 3, 5, 6, (see Discussion), & 10

Discussion

(1) Consider doubts about the integrity of management: could that inherent risk affect the financial statements as a whole or just a few individual account balances?

Suppose management wanted to overstate profit (in order to pay themselves bonuses, say). To increase profit management could:
- overstate revenue (e.g. by bringing forward next year’s sales revenue into the current year, i.e. a deliberate cut-off error);
- understate costs (e.g. by suppressing purchase and expense invoices).

Because every Dr has a Cr there are then implications for the statement of financial position:
- overstatement of trade receivables (because they do not owe the money at the year end);
- understatement of trade payables (because liabilities are not recorded).

Profit could also be increased by understating provisions against assets:
- obsolescence provisions against inventory;
- depreciation provisions against tangible long-term assets;
- bad and doubtful debt provisions against trade receivables.

In conclusion, then, doubts about management integrity have a pervasive effect on the financial statements as a whole and so this risk is assessed at the financial statement level.

(7) Consider cash balances (i.e. physical money rather than bank balances). These balances may be very small in relation to the assets as a whole (e.g. cash floats in the till/register of a shop). At the financial statement level the auditor may take no account of these and so ignore them in the overall audit plan. However, cash is inherently risky (because it can be stolen if safeguards are not adequate) and cannot be ignored at the account balance level.

However, in a cash-based business (i.e. cash revenue, purchases and assets paid for in cash) this would be considered at the financial statement level (i.e. in the preparation of the overall audit plan) because, again, it has a pervasive effect.

Solution — Control risk factors

- History of errors found by auditor
- System changes
- Management attitude/dominance
- Lack of manuals
- Inexperienced/incompetent staff
- Few formal procedures
- Lack of segregation of duties/inadequate supervision
- “Late” approval of transactions
- Size of entity/accounting systems
- Poor monitoring controls

Solution — Detection risk

$$AR = IR \times CR \times DR$$

$$DR = \frac{AR}{IR \times CR} = \frac{0.05}{1.0 \times 0.4} = 0.125$$

DR must be rendered lower than in the Illustration. (We should have anticipated this as both IR and CR have been assessed as higher.) The level of substantive procedures is therefore relatively higher.

Another way of expressing this is that the level of audit assurance required from substantive procedures is 100 – 12.5 = 87.5%, i.e. a relatively high level of assurance is required.