Risk-based Approaches Materiality Planning Internal Control

  • Uploaded by: YUWEI PAN
  • June 2020
The Risk Based Approaches to Audit

Audit risk: “The auditor obtains and evaluates evidence to obtain reasonable assurance about whether the financial statements give a true and fair view (or are presented fairly in all material respects) in accordance with the applicable financial reporting framework. The concept of reasonable assurance acknowledges that there is a risk the audit opinion is inappropriate. The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated is known as “audit risk”.” (ISA 200, 14)

Acceptable audit risk: “The auditor should plan and perform the audit to reduce audit risk to an acceptably low level that is consistent with the objective of an audit. … Reasonable assurance is obtained when the auditor has reduced audit risk to an acceptably low level.” (ISA 200, 15)

A risk based approach: “The auditor performs audit procedures to assess the risk of material misstatement and seeks to limit detection risk by performing further audit procedures based on that assessment. The audit process involves the exercise of professional judgment in designing the audit approach, through focusing on what can go wrong at the assertion level and performing audit procedures in response to the assessed risks in order to obtain sufficient appropriate evidence.” (ISA, 200, 16)

Audit risk - the components (ISA 200):
• Inherent risk
• Control risk
• Risk of Material Misstatement
• Detection risk
• Audit risk

Inherent risk: “the susceptibility of an assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming that there are no related controls.” (ISA, 200, 20)

Inherent risk factors:
• Pervasive / entity level
  – Nature of the business, industry & economy.
  – The integrity, quality and experience of management.
  – Special pressures.
• Local / assertions level
  – Complexity of transaction / calculation.
  – Judgement / estimation required.
  – Specific technological change / product obsolescence.
  – Assets susceptible to misappropriation.
  – Make up of population.
  – Non-routine transactions.
  – Related parties.

Control risk: “the risk that a misstatement that could occur in an assertion and that could be material, either individually or when aggregated with misstatements, will not be prevented, or detected and corrected, on a timely basis, by the entity’s internal control.” (ISA, 200, 20)

A function of both design & operation of controls.

Detection risk: “the risk that auditor will not detect a misstatement that exists in an assertion that could be material, either individually or when aggregated with other misstatements.” (ISA, 200, 22)

• A function of the design and implementation of audit procedures:
  – Sampling risk
  – Design risk
  – Application risk
  – Interpretation risk

The PwC Approach – identifying & responding to risk (2000)
• “TeamAsset … allows each audit team to build a tailored audit program from planning to completion stages by selecting client-specific risks from a “library” of risks. Each risk that is selected by the auditor for inclusion in the client audit file is linked to the identification of a set of suggested procedures at a given control risk level that will mitigate the identified risk.” (Winograd, et al., (2000))

Risk assessment: structure & judgment
“Instead of viewing an audit as a series of closely coordinated technical steps, it may be informative to view it as a social enterprise that relies on language and certain imbedded perspectives in order to understand the client organization and to make it understandable. Our empirical findings strongly suggest that an audit firm’s philosophical position with respect to structure, influences what client characteristics audit team members see as important in assessing inherent risk.” (Dirsmith & Haskins, “Inherent risk assessment & audit firm technology”, AOS, 1991, p.82)

The components of audit risk

$$AR = IR \times CR \times DR$$

AR - Audit risk
DR - Detection risk
IR - Inherent risk
CR - Control risk

The components of audit risk

$$AAR = IR \times CR \times PDR$$

AAR - Acceptable audit risk
PDR - Planned detection risk
IR - Inherent risk
CR - Control risk

Planned detection risk
• Determines the amount of substantive evidence the auditor must plan to collect (inverse with size of PDR).
  – Determined by other factors in model.

$$AAR = IR \times CR \times PDR$$

$$2\% = 50\% \times 50\% \times\ ?\%$$

$$2\% = 50\% \times 50\% \times 8\%$$

$$2\% = 100\% \times 100\% \times 2\%$$

For a given level of audit risk, the greater the risk of material misstatement (IR x CR), the less detection risk can be accepted.

$$AAR = IR \times CR \times PDR$$

$$\text{Low} = \text{High} \times \text{High} \times \text{Low}$$

Low PDR = High amount of substantive audit evidence required

Quantifying the components of audit risk is highly problematic

The components of audit risk

$$PDR = \frac{AAR}{IR \times CR}$$

$$PDR = \frac{5\%}{50\% \times 25\%} = 40\%$$

Risk, materiality & substantive audit evidence

[Diagram relating AAR, IR, CR, PDR, Materiality | Tolerable misstatement, and Planned substantive audit]

Materiality: • “Information is material if its omission could influence the economic decisions of users taken on the basis of the financial statements. …” (ISA 320.3) “The objective of an audit of financial statements is to enable the auditor to express an opinion whether the financial statements are prepared in all material respects, in accordance with an applicable financial reporting framework. The assessment of what is material is a matter of professional judgement.” (ISA 320.4)

Materiality - levels: • Preliminary judgement of materiality at level of the overall financial statements (ISA, 320, 7). • Allocate materiality at level of overall financial statements to segments - tolerable misstatement per segment (class of transactions, account balances, and disclosures) (ISA, 320, 7).

The assessment of materiality: • Materiality is relative rather than absolute. – Bases needed for materiality assessment.

• Both quantitative and qualitative factors affect materiality (ISA, 320, 5). • The cumulative effects of errors (ISA, 320, 7). • Legal & regulatory considerations relating to particular assertions / disclosures (ISA, 320, 7). – Different materiality levels may then apply to different elements of the financial statements.

Enron - Andersen & Materiality • “While auditing Enron’s 1997 financial results, Andersen proposed that the energy company make ‘adjustments’ that would have cut its annual income by almost 50 percent, to $54 million from $105 million … Enron chose not to make those adjustments and Andersen put its stamp of approval on the company’s financial report anyway.” (Hilzenrath, D.S., (2001), “Early Warnings of Trouble at Enron”, The Washington Post, December 30th.)

Enron - Andersen & Materiality • “In 1997, Enron had taken large nonrecurring charges. When the company decided to pass these proposed adjustments, our audit team had to determine whether the company’s decision had a material impact on the financial statements. The question was whether the team should use reported income of $105 million, or should it also consider adjusted earnings before items that affect comparability - what accountants call “normalized” income?” (Berardino, J.F., (2001), Remarks before the Committee on Financial Services of the US Representatives)

Enron Financial Data & Materiality Rules of Thumb

| Rule of thumb | 1997 $M | 1994-97 $M |
|---|---|---|
| 5% of net income | 5.25 | 20.78 |
| 10% of net income | 10.50 | 41.55 |
| 1% of total assets | 234.22 | 161.91 |
| 1.5% of total assets | 352.33 | 242.87 |
| 1% of Sales revenue | 202.73 | 129.34 |
| 1.5% of Sales revenue | 304.10 | 194.01 |
| Conservative blend | 147.40 | 104.01 |
| Non-conservative blend | 221.98 | 159.48 |
| 5% of net income + 1997 non-recurring loss | 28.4 | 26.56 |
| 10% of net income + 1997 non-recurring loss | 56.8 | 53.13 |

Internal Control

Internal Control: “is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.” (ISA, 315, 42)

Auditor concerns: “The auditor should obtain an understanding of internal control relevant to the audit. The auditor uses understanding of internal control to identify types of potential misstatements, consider factors that affect the risks of material misstatements, and design the nature, timing, and extent of further audit procedures.” (ISA, 315, 41)

Elements of Internal Control (ISA, 315, 43):
• The control environment
• The Entity’s risk assessment
• The information system
• Control activities
• Monitoring of controls

The control environment (ISA 315, 67-69): • Governance & management philosophy, attitudes, awareness & action in respect of controls. – Communication and enforcement of integrity & ethical values. – Methods of imposing control, including board & internal audit functions. – Commitment to competence - personnel policies & practices. – Organisational structure & methods of assigning authority & responsibility (including segregation of duties and supervisory controls).

The Entity’s Risk Assessment Process: “The auditor should obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.” (ISA, 315, 76)

Information System: “The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, …” (ISA, 315, 81)

Control Activities: “The auditor should obtain a sufficient understanding of control activities to assess the risks of material misstatements at the assertion level and to design further audit procedures responsive to assessed risks.” (ISA, 315, 90)

Monitoring: “The auditor should obtain an understanding of the major types of activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates corrective action to its controls.” (ISA, 315, 96)

Steps to reliance on control
• Preliminary review of accounting system & control environment.
• Is reliance on controls potentially possible and efficient?
  – NO: Assume high control risk, and move on to planning substantive testing.
  – YES: Understand & document internal control: design and operation.
• Assess control risk.
• Test controls.
• Decide planned detection risk and substantive tests.

Is reliance on internal control feasible?
– Relevance to financial statement assertions (ISA, 500, 17):
• Existence
• Rights & Obligations
• Occurrence
• Completeness
• Valuation & allocation
• Measurement, accuracy & cut-off
• Classification, presentation & disclosure

Transaction Related Assertions & Objectives: Sales

| Management assertions | Specific audit objectives |
|---|---|
| Occurrence | Recorded sales are for dispatches made to real customers. |
| Completeness | All sales transactions are recorded. |
| Measurement | Sales are recorded at proper amount and allocated to the correct period. Recorded sales are for the amount of goods dispatched, correctly billed & recorded. Sales transactions are properly classified. Sales transactions are recorded on correct dates. |
| Presentation & disclosure | Segmental analysis is properly compiled and disclosed. |

Understand & document internal control: design and operation • Evaluate previous experience. • Inquiry of client - various levels, note developments. • Review client's policy and system documentation. • Examine documents & records. • Observe activities. • Transaction walk through.

Understand & document internal control: design and operation • Narrative. • Flowchart. • Internal control questionnaire.

Internal control questionnaire: Sales Recorded sales are for goods dispatched to real customers (occurrence): • Is the recording of sales supported by authorized dispatch documents and approved customer orders? • Is customer credit approved by a responsible person and is access to alter credit limit files restricted? • Is a prenumbered written dispatch note required before any goods leave store?

Internal control questionnaire: Sales All existing sales transactions are recorded (completeness): • Is a record of dispatches maintained? • Are dispatch documents controlled in a way that helps ensure that all dispatches are billed? • Are dispatch documents prenumbered and accounted for? • Are sales invoices prenumbered and accounted for?

Internal control questionnaire: Sales Recorded sales are for the amount of goods dispatched and are correctly billed and recorded (measurement): • Is there independent comparison of quantities on dispatch notes and on sales invoices? • Is an authorized price list used and is access to amend the price list restricted? • Are monthly statements sent to customers? • Is there independent comparison of dates on dispatch documents and dates of recorded sales?

Internal control questionnaire: Sales Recorded sales are correctly classified (presentation & disclosure): • Is there independent comparison of sales and the chart of accounts?

and so on

Assess control risk • Specify audit objectives • Identify specific controls - key controls. • Identify control weaknesses. • Assess control risk. • Report – appropriately

Tests of controls: “The auditor selects audit procedures to obtain assurance about the operating effectiveness of controls. As planned level of assurance increases, the auditor seeks more reliable audit evidence.” (ISA, 500, 28)

Compliance tests of internal control
• Inquiries at appropriate levels.
• Examine documentation, reports, records.
• Observe activities.
• Re-perform procedures.

Compliance versus Substantive tests: distinction one of motive. • Is a control working? • Is there error in an account balance?

Consider cases of failure of internal control: • For example, the collapse of Barings Bank (1995): – Lack of segregation of duties: Leeson (the rogue trader) controlled both front and back office – dealing and settlement. • Internal Audit noted issues in 1994 • External auditors noted problems early 1995

– Personnel selection
– Weak supervision / ethos
• Lack of understanding of business & controls
• Acceptance of excuses / feeble explanations
• High risk-taking incentivized
• Weak IT system (account 88888 & so on)

Consider cases of failure of internal control: • For example, Equity Funding Corporation of America (1973). – Goldblum, inflating revenue and assets to sustain share price to fuel expansion programme (1965 – 1973): • 64,000 insurance policies with a face value of $2 billion had been falsified, sold on under reinsurance arrangements

– Flagrant non-application / failure of ICs • From top down – including massive collusion

– Auditors didn’t notice (independence compromised) • had inadequately checked controls • allowed time for “parties” to create documents! • Hadn’t even noticed by scale (analytic review)

– 22 people charged

Audit planning – understanding the client

Audit Planning: • Adequate planning helps to ensure that appropriate attention is devoted to important areas of the audit, that potential problems are identified and resolved on a timely basis and that the audit engagement is properly organized and managed in order to be performed in an effective and efficient manner. (ISA, 300, 4)

Audit Planning – stages:
1 Preliminary engagement activities.
2 Understand the entity & its environment - make an assessment of risks.
3 Develop overall audit plan and program of tests (compliance & substantive).

1. Preliminary engagement activities • Establish client's reasons for the audit. • Consider acceptance & retention. • Clarify / specify the terms of engagement. • Staff the engagement.

Consider Acceptance & Retention: • “the engagement partner should be satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and specific audit engagements have been followed, and that conclusions reached in this regard are appropriate and have been documented.” (ISA, 220, para.14)

Consider Acceptance & Retention: New clients issues: • Communication with predecessor: – If client refuses permission for existing auditor to communicate, the audit should be refused. • Communicate with third parties. • Excessive risks? (low acceptable audit risk - high fee). Continuing client issues (consider changes): • Previous conflicts (on opinion or fees)? - Integrity of management? • Independence compromised - law suits, outstanding fees? • Excessive risk?

Consider Acceptance & Retention: PwC & client acceptability • At a simplified level, FRISK determines the acceptability of clients by reviewing quantitative information (e.g., Z-scores, credit analyses), qualitative business information (e.g., company information and management information), financial-reporting information (e.g., incentive-plans, controls) and recent audit results. Together, risks are identified in each of these areas and sophisticated algorithms, developed by PwC based on past experience, are used to determine whether to accept or continue the client. (Winograd, et.al., (2000))

Clarify/specify the terms of engagement: Obtain an Engagement Letter “The engagement letter documents and confirms the auditor’s acceptance of the appointment, the objective and scope of the audit, the extent of the auditor’s responsibilities to the client and the form of any reports.” (ISA, 210, 5)

Consider staffing of the engagement: “The engagement partner should be satisfied that the engagement team collectively has the appropriate capabilities, competence and time to perform the audit engagement in accordance with professional standards and regulatory and legal requirements, and to enable an auditor’s report that is appropriate in the circumstances to be issued.” (ISA, 220, 19)

Understand the entity & its environment: • “The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures.” (ISA, 315, 2)

Understand the entity & its environment: “The auditor should perform the following risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control:
a Inquiries of management and others within the entity;
b Analytical procedures; and
c Observation and inspection.” (ISA, 315, 7)

a. Inquiries of management and others within the entity: “Although much of the information the auditor obtains by inquiries can be obtained from management and those responsible for financial reporting, inquiries of others within the entity, such as production and internal audit personnel, and other employees with different levels of authority, may be useful in providing the auditor with a different perspective in identifying risks of material misstatement.” (ISA, 315, 9)

b. Preliminary analytical review: “The auditor should apply analytical procedures as risk assessment procedures to obtain an understanding of the entity and its environment and in the overall review at the end of the audit. Analytical procedures may also be applied as substantive procedures.” (ISA, 520, 2)

b. Preliminary analytical review: Types of analytical procedures
• Compare client & industry data / ratios.
• Compare with prior period data / ratios.
• Compare with client's expected results.
• Compare with auditor estimates / expectations.
• Consider relationships among financial and relevant non-financial information that would be expected to conform to a predictable pattern.
• Techniques range from simple comparisons to complex statistical analysis.

c. Observation and inspection: “may support inquiries of management and others, and also provide information about the entity and its environment.” (ISA, 315, 11)

Preliminary determination of risks of material misstatement. • “The auditor should identify and assess the risks of material misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures.” (ISA, 315, 100)

Preliminary determination of risks of material misstatement. • “Complete the strategic phase of the audit … : – Determination of materiality levels. – Preliminary identification of areas where there may be high risk of material misstatement. – Preliminary identification of material components and account balances, – Evaluation of where the auditor may plan to obtain evidence regarding the effectiveness of internal controls. – Identification of recent significant entity-specific, industry, financial reporting or other relevant developments”. (ISA 300, 9)

The Evolution of Audit • Transaction based audit. • Systems audit. • Risk based audit. – Understanding the client’s business and industry. – Identification of audit risks through analytical review. – Assessment of reliance that can be placed on internal controls. – Drawing evidence from a wide variety of sources. – Focussing audit effort on areas where risks are greatest.

The Evolution of Audit responsive to: • Commercial pressures – cost-cutting & “added value”. • Legal environment. • Still in progress: – Emphasis on client strategic & business risk (as distinct from narrow focus on audit risk), see

– “The Audit Implosion: regulating risk from the inside” (Mike Power, 2000). – The impact of Enron.

The Business risk approach: • Focus on the Business risk - the risk that the entity will fail to achieve its objectives: – profitability, market share, wealth, governance, etc, • A way of adding value. • Justifiable because business risk bears on the financial statements & on audit risk (sometimes only indirectly of course). • May increase audit efficiency / profitability. • May reduce the auditor’s own business / engagement risk - through improved knowledge of client viability, etc.

KPMG Business Measurement Process (BMP) Approach • “Serious thought, formal analysis of an entity’s strategy, and whether it can be achieved have not been financial statement audit steps. KPMG’s Business Measurement Process (BMP) approach makes common this type of thoughtful analysis. The viability of a business is formally considered, and it provides a basis for forming expectations about what should be the financial-statement balances for the audit period. If an entity has a viable strategy, reasonable plans, effective internal control, and account balances that are close to expectations, then the need for detailed auditing is limited to exceptional items.” (Kinney, 1997)

KPMG Business Measurement Process (BMP) Approach • “Similar to a traditional auditor, the BMP auditor is concerned about assessing the three components of audit risk - inherent, control and detection risk. The BMP auditor, however grounds his judgments in a much broader view of the client than does an auditor following a transaction-detail audit approach. He uses more holistic perspectives to frame the assessment of the validity of the financial statements taken as a whole, and the account balances contained therein.” (Bell, et.al., (1997))

KPMG Business Measurement Process (BMP) Approach • “The traditional “risk-based” audit focuses the auditor’s assessment of risk through a narrow “accounting lens” a lens that directs his attention and his related assessment and testing activities, to the nature of account balances, classes of transactions, and properties of the client’s accounting system for the purpose of assessing the risk that financial-statement assertions are materially misstated. We believe that this disaggregative, “bottom-up” focus can inhibit the auditor’s development of the level of business understanding needed to effectively judge financial-statement assertions.” (Bell, et.al., (1997))

KPMG Business Measurement Process (BMP) Approach
“A proposed knowledge acquisition framework for risk-based strategic-systems audit:
1 Understand the client’s strategic advantage.
2 Understand the risks that threaten attainment of client business objectives.
3 Understand the key processes and related competencies needed to realize strategic advantage.
4 Measure and benchmark process performance
5 Document the understanding of the client’s ability to create value and generate future cash flows using a client business model, process analyses, key performance indicators, and a business risk profile.
6 Use the comprehensive business knowledge decision frame to develop expectations about key assertions embodied in the overall financial statements.
7 Compare reported financial results to expectations and design additional audit test work …” (Bell, et.al., (1997))

The PwC Approach (2000) • “In today’s environment, an effective audit has to be knowledge-based and industry-focused. One of the fundamental concepts of the PwCAA methodology is to develop a better understanding of our client’s business by looking at the business through “management’s eyes.” We seek to understand management’s business objectives, not just financial objectives, to increase shareholder value, to identify the significant risks that may prevent management from achieving its business objectives and to identify related controls …” (Winograd, et.al., (2000))

The Business risk approach: • Please refer to papers in the special section of Accounting, Organizations and Society, 2007, Vol.32, No.4-5. – “SSA was an appropriate and necessary means of enhancing audit quality in the 1990s, and it is all the more so today” (Peecher et al, AOS, 2007, vol.32, p.464)

The Business risk approach: • “Bell et al. (2002, p. 8) argue that ‘‘[p]erhaps the most important principle giving rise to the need for SSA is the strong relation between RMM and the auditee’s business risks.’’ … When … business risks increase or spike, it generally becomes more difficult for entity management to estimate how to fairly depict select entity business states within financial-statement representations. And, at the same time, management generally faces greater temptation to optimistically distort their business-state representations. Thus, shifts in business risks have audit risk implications.” (Peecher et al, AOS, 2007, vol.32, p.474)

The Business risk approach: • “Is the Development of SSA an attempt to enhance auditor’s reputations by ‘‘borrowing’’ prestige from consultants?” • “Is SSA an attempt to expand the sale of non-audit advisory services rather than to improve audit quality?” • “Are too few substantive tests of details performed under SSA?” • “What do we know about economic (cost) considerations under SSA?” (Peecher et al, AOS, 2007, vol.32, p.479-481)
