The risk of issuing the wrong audit opinion (typically, stating that the financial statements are true and fair, when in fact they are not).


TOPIC 27: AUDIT RISK

AUDIT RISK

The risk of issuing the wrong audit opinion (typically, stating that the financial statements are true and fair, when in fact they are not).

Audit theory has developed the following audit risk model to analyse the components of audit risk:

AUDIT RISK = RISK OF MATERIAL MISSTATEMENT X DETECTION RISK

Risk of Material Misstatement = Inherent Risk X Control Risk

So, the Audit Risk Model is:

AUDIT RISK = INHERENT RISK X CONTROL RISK X DETECTION RISK

INHERENT RISK

Definition: the susceptibility of an account balance or class of transactions to misstatement that could be material, individually or when aggregated with misstatements in other balances or classes, assuming there were no related internal controls.

Risk of errors or misstatements due to the nature of the company and its transactions.

Or, more simply: the risk that the accounting records and Financial Statements will contain errors.

Clearly, the assessment of inherent risk requires the audit team to have a good knowledge of how the client's activities are likely to affect its Financial Statements, and the audit team should discuss these matters in a planning meeting before deciding on the detailed approach and audit work to be used.

CONTROL RISK

Definition: the risk that a material misstatement would not be prevented, detected or corrected by the accounting and internal control systems.

Risk of errors or misstatements because the company's internal controls are not strong enough to prevent, detect and correct them.

Or, more simply: the risk that internal controls will not identify errors.

As we shall see later, before considering the detailed control procedures that a company uses, the audit team needs to consider whether the client's control environment is strong enough for these procedures to be effective.

DETECTION RISK (within the auditors' control!)

Definition: the risk that the auditors' substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements in other balances or classes.

Risk that the auditors' substantive testing does not pick up errors and misstatements.

It can be seen that audit risk comprises three types of risk. The assessment does not need to be a mathematical one (the equation helps us to understand how the risks interact), but many firms use a mathematical approach. This involves the various risks being assessed (often using a checklist of relevant questions) and being issued a score, a process that may be carried out by a piece of computer software.

Once inherent and control risks (together known as Entity Risk) have been assessed, and with a maximum overall audit risk score in mind, detection risk becomes the balancing figure. Detection risk will be a major variable in determining sample sizes for audit tests.

SUMMARY OF METHOD

1. Assess inherent risks.
2. Assess whether controls are suitable to deal with these inherent risks.
3. If controls are suitable, the auditor can get assurance from these controls (after testing them to ensure they operate as stated) that the Financial Statements are materially correct, and thus will do only minimal substantive work.
4. If controls are not strong enough, the auditor will need to do an extensive programme of substantive audit work (larger sample sizes) or do BETTER audit work (e.g. higher quality staff).

Note: At the level of the individual audit - Audit Risk; Inherent Risk and Control Risk are outside the auditors' control and can only be observed and measured. The auditor responds to these observations by adjusting the level of Detection Risk.

[Diagram: relationships between the risks]

- Inherent risk: The chance of misstatement if no internal controls prevent it
- Business risk: Risk that an event or action could adversely affect a company's ability to achieve its objectives
- Could lead to
- Risk of material misstatement: The financial statements could be materially misstated
- Control risk: The risk that the company's internal controls will not prevent or detect and correct misstatements
- Inverse relationship
- Detection risk: The risk that substantive procedures will not detect a misstatement
- Audit risk: The risk that the auditor gives an inappropriate audit opinion on financial information that is materially misstated

Business Risk: Risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

Business risk is the risk inherent to the company in its operations.

Business Risk

Financial Risks: Arising from the financial activities or financial consequences of an operation
- Financial reports containing errors or omissions leading to poor operating decisions
- Overtrading
- Unrecorded Liabilities

Operational Risk: Risk resulting from operations
- Risk of injury to customers
- Loss of Orders
- Loss of Key Staff
- Poor Brand Management
- Suppliers won't supply

Compliance Risk: Risk that arises from non-compliance with laws and regulations
- Health & Safety Regulations
- Employment Law
- Environmental Regulations
- Tax Laws
- Company Law

The UK's Turnbull guidance refers to the management of risks that are significant to the fulfilment of the company's objectives, which is known as business risk.

Business risk cannot be eliminated, but it must be managed by the company:

- Identify Risks
- Determine Company Policy
- Implement Strategy

Designing and operating internal control systems is a key part of a company's risk management. Remember the REC acronym for reasons why companies create systems of internal control.

Careful! Do not confuse audit risk and business risk.

Audit risk is focused on the Financial Statements of a company, whereas business risk is related to the company as a whole.

Approaches to the Audit

Risk Based Audit Approach: Traditional Risk Based & Business Risk

ISA 315 also requires auditors to consider the entity's process for assessing its own business risks. This has given rise to the business risk approach to auditing.

With a business risk approach, the auditor will ask:

- What business risks does the business face?
- What controls does the entity have in place to deal with these risks?
- Do the business risks give rise to Financial Statement risk (i.e. the risk of Material Misstatements in the FS)?

The business risk approach has been called a top down approach because it starts at the business and its objectives and works back down to the financial statements, rather than working up from the financial statements, which has been the traditional audit approach.

Business risk approach and its effect on typical audit procedures

- Tests of Controls: emphasis on testing high level controls (like the quality of the control environment) and their ability to manage business risk, rather than low level controls (like authorisation)
- Analytical Procedures: increased use of analytical procedures, as the auditor will seek to understand the entity and its operations rather than prove the figures in the FS
- Detailed Testing: will be reduced, although substantive testing will not be entirely eliminated

APPLICATION OF RISK ANALYSIS

Risk analysis is probably the most important stage of the audit. If auditors carry out this stage properly, they will:

- Identify main areas where errors or misstatements are likely early in the audit
- Plan audit work that addresses these possible mistakes
- Not discover errors late in the audit process
- Carry out the most efficient (and hence profitable) audit possible
- Minimise the chance of issuing an incorrect audit opinion (Audit Risk!)
- Reduce the chance of getting sued (and losing!)
- Have a good understanding of the risks of fraud, money laundering etc.
- Be in the best position to assess whether the client is a going concern