Chapter 4

Audit Risk,
Business Risk,
and Audit
Planning

Copyright © 2012 South-Western/Cengage Learning

Audit Opinion Formulation Process
 LO1: Nature of Risk
• Risk is a pervasive concept. Four critical
components of risk that are relevant in
conducting an audit
– Business risk—risk that affects the operations and
potential outcomes of organizational activities
– Financial reporting risk—risk that relates to the
recording of transactions and the presentation of
the financial data in an organization’s financial
statements
 Nature of Risk (continued)
– Engagement Risk—risk that auditors encounter by
being associated with a particular client, including
loss of reputation, inability of the client to pay the
auditor, or financial loss
– Audit risk—risk that the auditor may provide an
unqualified opinion on financial statements that
are materially misstated
Overview of Risk Elements Affecting
an Audit
 LO2: Managing Engagement Risk Through
Client Acceptance and Retention Decisions
• Management integrity
– Previous Auditors
– Prior-Year Audit Experience
– Independent Sources of Information
• Independence and competence of management and
the board of directors
• Quality of management’s risk management process
and controls
 Managing Engagement Risk Through Client
Acceptance and Retention Decisions (continued)
• Reporting requirements, including regulatory
requirements
• Participation of key stakeholders
• Existence of related-party transactions
• The financial health of the organization
 High-Risk Audit Clients
• Characteristics of High-risk Clients/Companies
– Inadequate capital
– Lack of long-run strategic and operational plans
– Low cost of entry into the market
– Dependence on a limited product range
– Dependence on technology that may quickly become
obsolete
– Instability of future cash flows
– History of questionable accounting practices
– Previous inquiries by the SEC or other regulatory agencies
 Purpose of Engagement Letter
• The auditor and client should have a mutual
understanding of the audit process
• The auditor should prepare an engagement letter
to clarify the responsibilities and expectations of
each party, and to summarize and document this
understanding including the
– Nature of the services to be provided
– Timing of those services
Purpose of Engagement Letter
(continued)

– Expected fees and basis on which they will be

billed (fixed fee, hourly rates)
– Auditor responsibilities including the search for
fraud
– Client responsibilities including preparing
information for the audit
– Need for any other services to be performed by the
firm
 LO3: Managing Audit Risk
• What is Materiality
– The auditor is expected to design and conduct an audit
that provides reasonable assurance that material
misstatements will be detected
– The FASB defines materiality as the
“Magnitude of an omission or misstatement of accounting
information that, in light of surrounding circumstances,
makes it probable that the judgment of a reasonable
person relying on the information would have been
changed or influenced by the omission or misstatement”
 Managing Audit Risk
– Materiality has three significant dimensions:
• Size of the misstatement (dollar amount)
• Circumstances—some things are viewed more critically
than others
• User impact—impact on potential users and the type of
judgments made
– Determination of materiality is situation specific
• Although this makes determination more difficult, it
allows the auditor to adjust the rigor of the audit to
reflect the risk of the engagement
 Managing Audit Risk
• The lower the dollar amount of set materiality, the more
rigorous the examination
– Most firms have guidelines for setting materiality
• Guidelines usually involve applying percentages to
some base
• Guidelines may also be based on nature of the industry
or other factors
– Auditors initially set planning materiality for the
statements as a whole, and then allocate this to
individual accounts based on their susceptibility to
misstatement
LO4: Understanding the Audit Risk
Model
• What is Audit Risk?
– The risk that the auditor may provide an
unqualified opinion on materially misstated
financial statements.
– The auditor assesses engagement risk first, then
sets audit risk
Understanding the Audit Risk Model
(continued)

• Audit risk is inversely related to engagement risk

– If the auditor accepts a client with high engagement risk
• The auditor must conduct a more rigorous audit
• The auditor does this is by setting audit risk at a low level
– If the auditor accepts a client with low engagement risk
• The auditor will set audit risk at a higher level
 Inseparability of Audit Risk &
Materiality 审计风险与重要性的不可分离性

• Audit risk and engagement risk relate to

factors that might encourage someone to
challenge the auditor’s work
• For example, transactions that might not be
material to a “healthy” company might be
material to financial statement users for a
company on the brink of bankruptcy
 Inseparability of Audit Risk &
Materiality (continued)
• The following factors help integrate the concepts of risk and materiality:
– All audits involve testing and cannot provide 100 percent assurance
that the company’s financial statement are correct
– Some clients are not worth accepting
– Auditors must compete in an active marketplace for clients
– Auditors need to understand society’s expectations of financial
reporting and the audit process
– Auditors must identify the risky areas of a business to determine which
accounts are more susceptible to material misstatement
– Auditors need to develop methodologies to allocate overall
assessments of materiality to individual account balances
 Business Risk and the
Audit Process
Risk-based approach to auditing:
– Develop understanding of management’s risk
management process
– Develop understanding of the business and the risks it
faces
– Use the identified risks to develop expectations about
account balances and financial results
– Assess the quality of control systems to manage risks
– Determine residual risks, and update expectations about
account balances
– Manage remaining risk of account balance misstatement
by determining the direct tests of account balances
(detection risk) that are necessary
 The Audit Risk Model
The auditor sets desired audit risk based on
assessed engagement risk 审核员根据评估的审计业务风险来
设置期望的审计风险
AR  IR  CR  DR
AR = Audit Risk 审计风险
IR = Inherent Risk 固有风险
CR = Control Risk 控制风险
DR = Detection Risk 检查风险
 The Audit Risk Model (continued)
• The audit risk model allows the auditor to consider the
following:
– Complex or unusual transactions are more likely to recorded
in error than are simple or recurring transactions
– Management may be motivated to misstate earnings or assets
– Better internal controls mean a lesser likelihood of
misstatement
– The amount and persuasiveness of audit evidence gathered
should vary directly with the likelihood of material
misstatements
 The Audit Risk Model (continued)
• Inherent Risk—Susceptibility of transactions
to be recorded in error
– Inherent risk is higher for some items:
• Complex transactions are more likely to be
misstated than simple transactions
• Estimated balances more likely to be misstated than
fact based balances
– The auditor assesses inherent risk
 The Audit Risk Model (continued)
• Control Risk—Risk that the client internal control
system will fail to prevent or detect a misstatement
– The quality of controls often varies between classes of
transactions
– The auditor assesses control risk
• Environment Risk—inherent and control risks
combined
– Reflects the likelihood of material misstatements occurring
• Detection risk—risk that the audit procedures will
fail to detect material misstatements
– Relates to the effectiveness of audit procedures and their
application
 The Audit Risk Model (continued)
– Detection risk is controlled by the auditor and is an integral
part of audit planning
– The level of detection risk set directly determines the rigor
of the substantive audit work performed
AR  IR  CR  DR
• Audit risk is set inversely to the assessed level of
engagement risk
• After audit risk is set, the auditor assesses inherent
and control (environment) risks
• The auditor sets detection risk INVERSELY to
environment risk
 The Audit Risk Model (continued)
– Example, if the auditor is examining transactions with high
inherent risk, or weak controls, the auditor will set a low
detection risk
• Low detection risk means a low probability of NOT
detecting material misstatements
– To achieve low detection risk, the auditor will have to
perform more rigorous substantive testing
– For example, larger sample sizes, more reliable forms of
evidence, assign more experienced auditors, closer
supervision, greater year-end (rather than interim) testing
 The Audit Risk Model (continued)
• The audit risk model shows that the amount, nature,
and timing of audit procedures depends on the level
of audit risk an auditor assumes, and the level of
client-related risks
 LO5: Limitations of Audit Risk
Model
• Inherent risk is difficult to formally assess
• Audit risk is judgmentally determined
• This model treats each risk component as separate
and independent when in fact, this is not the case
• Audit technology is not so precise that each
component of the model can be accurately assessed

Because of these limitations, many auditors use the audit risk

model as a functional, rather than mathematical model
LO6: Planning the Audit using the
Audit Risk Model
 Developing an Understanding of
Business and Risk
• There are a number of information sources
(including electronic sources) that auditors use
to develop an understanding:
– Knowledge management systems
– Online searches
– Review SEC filings
– Company web sites
– Economic statistics
– Professional practice bulletins
– Stock analysts’ reports
 Understanding Key Business
Processes
• Each organization has a few key processes that give
them a competitive advantage (or disadvantage)
• The auditor should gather sufficient information to
understand
– The key processes
– The industry factors affecting key processes
– How management monitors key processes
– The potential operational and financial effects associated
with key processes
 Understanding Key Business
Processes: Sources of Information
• Management inquiries
• Review of client’s budgets
• Tour client’s plant and operations
• Review data processing center
• Review important debt covenants and board of
director minutes
• Review relevant government regulations and
client’s legal obligations
 Developing Expectations
• Auditor should use information about the company’s
key processes and risks to develop expectations about
its account balances and performance
• These expectations should be
– Developed independently of management
– Documented, along with a rationale for the expectations
– Communicated to all audit team members
 Assessing the Quality of
the design of Internal Controls
• Controls include policies and procedures set by
management to manage risk
• Auditor is particularly interested in those controls
designed to protect the company’s key processes and
the measures used to monitor the operation of these
controls
• Examples of these measures (key performance
indicators):
– Backlog of work in progress
– Amount of return items
 Assessing the Quality of
the design of Internal Controls (continued)
– Increased disputes regarding accounts receivable or
accounts payable
– Surveys of customer satisfaction
– Assessment of risk associated with financial instruments
– Current level of collection (loans and receivable)
– Employee absenteeism
– Decreased productivity
– Information processing errors
– Increased delays in important processes
 Managing Detection and
Audit Risk
The auditor manages audit risk by
– Adjusting audit staff to reflect risk associated with a
client
– Developing substantive tests of account balances
consistent with detection risk
– Anticipating potential misstatements likely associated
with account balances
– Adjusting the timing of audit tests to minimize overall
audit risk
 Understanding Management’s Risk
Management and Control Processes
• Techniques used to understand the risk
management and control processes in place
– Develop an understanding of the process
– Review the risk-based approach used
– Interview management about its risk approach,
preferences etc.
– Review outside regulatory reports
– Review company policies and procedures for
addressing risk
Understanding Management’s Risk
Management and Control Processes
– Understanding company’s compensation schemes
– Review prior years’ work
– Review risk management documents
– Determine how management and the board
monitor risk, identify changes in risk, and react to
mitigate, manage, or control the risk
 LO7: Using Analytical Techniques to
Identify Areas of Heightened Risk
• Auditors use analytical procedures to develop
expectations of account balances
• These expectations are compared to recorded
book values to identify misstatements
• Sources of data commonly used:
– Financial information for prior periods
– Expected or planned results from budgets and
forecasts
Using Analytical Techniques to Identify
Areas of Heightened Risk (continued)
– Expected or planned results from budgets and
forecasts
– Comparison of linked accounts relationships (such
as interest expense and debt)
– Ratios of financial information (such as common-
size financial statements)
– Company and industry trends
– Relevant non-financial information
 Process for Performing Analytical
Procedures
• Develop an expectation (informed expectation)
• Determining the gap between auditor’s
expectation and what the client has recorded.
– The maximum acceptable difference is referred to
as a threshold
– Differences in excess of the threshold will have to
be investigated by the auditor
• Identifying the differences need to be
investigated in greater detail
 Questions arising from comparing
expectations to the client’s records
• Why is this company experiencing such a rapid
growth in insurance sales when its product depends
on an ever-rising stock market and the stock market
has been declining for the past three years?
• Why is this company experiencing rapid sales growth
when the rest of the industry is showing a downturn?
• Why are a bank client’s loan repayments on a more
current basis than those of similar banks operating in
the same region with the same type of customers?
 LO 8: Types of Analytical
Procedures
• Techniques commonly used
– Trend analysis
• Includes simple year-to-year comparisons of account
balances, graphic presentations, and analysis of
financial data, histograms of ratios, and projections of
account balances based on the history of changes in the
account
Types of Analytical Procedures
(continued)

– Ratio analysis
• Useful in identifying significant differences between the
client results and a norm (such as industry ratios) or
between auditor expectations and actual results
• Useful in identifying potential audit problems
• It has power to identify unusual or unexpected changes
in relationships
Commonly Used Financial Ratios
 Types of Analytical Procedures
• Ratio and trend analysis are generally carried
out at three levels:
– Comparison of client data with industry data
• May indicate problems with product quality or credit
risk
• May result in problems in bank’s concentration of loans
• Data may not be comparable with client’s data
Types of Analytical Procedures
(continued)

– Comparison of client data with similar prior-period

data
• It is important that the auditor go through each of the
steps in the process, beginning with the development of
expectations
– Comparison of preliminary client data with
expectations developed from industry trends, client
budgets, other account balances, or other bases of
expectations