Chapter 3
In This Chapter
Identifying the three types of risk related to audits
Brushing up on risk-assessment procedures
Figuring out the difference between errors and fraud
Acting on your audit-risk results
This chapter introduces you to two important auditing concepts: audit risk and materiality. Audit risk is the chance that you won't catch a major mistake in the financial statements. Materiality refers to whether the mistakes you find are classified as significant or insignificant — in other words, as material or immaterial. A material amount is large enough to possibly influence the conclusions drawn by the person reading the financial statement.
These concepts are fundamental; you'll look to both as you plan the audit and implement the steps you decide to use during the audit. You'll also consider them as you evaluate the results of all your hard work to form an opinion about the fairness of your client's financial statements. These concepts are so important that the auditor's standard report refers to both.
Assessing audit risk is your phase-two responsibility after you accept the client engagement, establish your firm's independence, and have the client sign the engagement letter. This chapter explains the audit risk model, introduces some risk-assessment procedures, describes the characteristics of fraud and errors, shows you how to tailor an audit to both a low-risk and high-risk assessment, and explains how to evaluate and document your audit risk results.
When you audit a company, your main goal is to provide assurance to the users of the company's financial statements that those documents are free of material misstatement. In other words, the financial statements don't contain any serious or substantial misstatement that may mislead an interested party, such as an investor, a bank, or a taxing authority, on the financial condition of the business. You use the audit risk model, which consists of inherent, control, and detection risk, to help you determine your auditing procedures for accounts or transactions shown on your client's financial statements. Later in this chapter, you find out more about inherent, control, and detection risk.
For this book, the financial statements consist of these three documents:
In addition to these three statements, owners’ equity can be further broken out into a statement of changes in owners’ equity, which details items such as the effect net income and dividends have on owners’ equity. Your client may also have footnotes to the financial statements, which report additional information omitted from the main reporting documents, such as the balance sheet and income statement, for the sake of brevity.
Unfortunately, you can't just trust that a client's financial statements are complete and accurate. You have to work hard to come to that conclusion — or to determine that certain information is incomplete or inaccurate. And you may encounter situations in which your ability to assess the financial statements is impeded by the client. That situation increases your audit risk: the risk of arriving at an inaccurate conclusion about the financial statements.
Audit risk has two faces:
How can this type of error happen? Maybe you're not up to speed with recent changes in GAAP, or you misinterpret a specific accounting principle, leading you to find fault where none exists.
This section defines the three specific components of audit risk (AR) — inherent risk (IR), control risk (CR), and detection risk (DR). The following equation shows the relationship between audit risk and the various components of audit risk:
AR = IR × CR × DR
One component of audit risk is inherent risk. The term refers to the likelihood that you'll arrive at an inaccurate audit conclusion based on the nature of the client's business. While assessing this level of risk, you ignore whether the client has internal controls in place (such as a well-documented procedures manual) in order to help mitigate the inherent risk. As explained in the next section, you consider the strength of the internal controls when assessing the client's control risk. Your job here is to evaluate how susceptible the financial statement assertions are to material misstatement given the nature of the client's business.
The following sections cover a few key factors that can increase inherent risk.
Here are some examples of environment and external factors that can lead to high inherent risk:
If a company has made mistakes in prior years that weren't material (meaning they weren't significant enough to have to change), those errors still exist in the financial statements. You have to aggregate prior-period misstatements with current year misstatements to see whether you need to ask the client to adjust the accounting records for the total misstatement.
Here's an example: Suppose you're in charge of auditing the client's accounts receivable balance. Going through prior-period workpapers, you note accounts receivable was understated by $20,000 and not corrected because your firm determined any misstatement under $40,000 was immaterial. In the current period, you determine accounts receivable is overstated by $30,000. The same $40,000 benchmark for materiality is in place. Do you have a material misstatement?
The answer is yes. Standing alone, neither the $20,000 from last year nor the $30,000 from this year is over the $40,000 limit. However, adding the two misstatements together gives you $50,000, which is in excess of the tolerable level of misstatement.
You may think an understatement in one year compensates for an overstatement in another year. In auditing, this assumption isn't true. Here's a real-life auditing example that explains why: Suppose you're running the register at a local clothing store. Your ending cash register draw count is supposed to be $100. One night your register comes up $20 short, a material difference. The next week, you somehow come up $20 over your draw count. That's good news, right? Well, yes and no.
Although your manager is happy to hear that the store didn't actually lose $20, he doesn't buy into the notion that the second mistake erases the first. As he sees it, you made two material mistakes. The $20 differences are added together to represent the total amount of your mistakes, which is $40 and not zero. Zero would indicate no mistakes at all had occurred. Additionally, the fact that the two mistakes counterbalance each other doesn't negate the fact that a material misstatement of your register count occurred on two different occasions, indicating a significant recurring breakdown in controls.
If a certain asset is susceptible to theft or fraud, the account or balance level may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the balance sheet cash account is going to have risk associated with theft or fraud because cash is more easily diverted than customer checks or credit card payments.
Looking at industry statistics relating to inventory theft, you may also decide to consider the inventory account as inherently risky. Small inventory items can further increase the risk of this account valuation being incorrect because those items are easier to conceal (and therefore easier to steal).
Control risk is the risk that the company's internal controls won't prevent or detect mistakes. Company management is ultimately responsible for the financial statements. The internal controls set in place by the company have the goal of producing accurate and effective reporting.
Not quite sure what it means to tag a particular asset? Businesses with good internal controls have a unique label on each piece of furniture and equipment they own and a record of where each label is placed. Every year, someone goes around to see whether any tagged assets are missing.
Detection risk is the risk that you won't detect material errors, whether they're intentional or not. Detection risk occurs when you don't perform the right audit procedures.
Take the audit risk model explained in the “Introducing audit risk” section earlier in this chapter. The model states that:
AR = IR × CR × DR
Next, isolate DR on one side of the equation by dividing both sides of the equation by (IR × CR):
DR = AR ÷ (IR × CR)
So what does this mean? You solve the detection risk formula by inputting the other three risks into the DR formula. Specifically, you assess inherent and control risk and set your audit risk to an acceptable level.
For example, you're auditing your client's accounts payable balance. Based on your firm's audit practices, your audit supervisor determines an acceptable level of AR is 0.05. Using the same criteria, CR is set at 0.60 and IR at 0.80. Solving for the DR component in the audit risk model, your detection risk is:
DR = 0.05 ÷ (0.80 × 0.60) = 0.05 ÷ 0.48 = 0.10
You use the appropriate audit procedures to make sure your detection risk while auditing accounts payable is 10 percent. See the section later in this chapter, “Following Risk Assessment Procedures,” for more information on how to make preliminary decisions for selecting appropriate audit procedures as assisted and approved by your audit supervisor.
Keep in mind that the only way to eliminate detection risk completely is to examine every transaction. Because reviewing every item isn't practical, auditors use sampling methods to assess transactions and balances. Here's a typical sampling procedure for accounts receivable:
You always have some risk of overlooking a misstatement; your goal is to keep it to an acceptable minimum.
Here are the three major elements of detection risk:
Consider an example of detection risk during a common audit procedure. While examining accounts payable, you test to see whether payments made shortly after year-end relate to payables in the prior year. You examine these payments to search for unrecorded liabilities (payables) at year-end. That's a correct audit procedure to use for the accounts payable assertion. You correctly implement your audit procedure and make the accurate decision that the accounts payable balance contains no material misstatements.
However, you fail to test for segregation of duties between the employee who processes the payments and the employee who updates the vendor file marking the invoice as paid. This incomplete testing causes you to misinterpret audit results, which increases your detection risk. In other words, you heighten the risk that you'll fail to recognize or detect errors in the client's purchasing process.
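The segregation-of-duties test described above can be run over an export of payment activity. This is an added example, not part of the original chapter; the event layout, the action names `process_payment` and `mark_paid`, and the user IDs are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export (hypothetical field names): one row per action
# taken on an invoice in the payables system.
SAMPLE_EVENTS = [
    {"invoice": "INV-1001", "action": "process_payment", "user": "akhan"},
    {"invoice": "INV-1001", "action": "mark_paid", "user": "bortiz"},
    {"invoice": "INV-1002", "action": "process_payment", "user": "akhan"},
    {"invoice": "INV-1002", "action": "mark_paid", "user": "akhan"},
    {"invoice": "INV-1003", "action": "process_payment", "user": "cdiaz"},
    {"invoice": "INV-1004", "action": "mark_paid", "user": "bortiz"},
    {"invoice": "INV-1005", "action": "process_payment", "user": "cdiaz"},
    {"invoice": "INV-1005", "action": "process_payment", "user": "bortiz"},
    # Same person as "bortiz"; IDs are often inconsistent across exports.
    {"invoice": "INV-1005", "action": "mark_paid", "user": "BOrtiz "},
]


def _norm(user):
    """Normalize a user ID so case and stray whitespace don't hide a match."""
    return user.strip().lower()


def _index(events):
    """Group users by invoice for each of the two duties."""
    processors = defaultdict(set)  # invoice -> users who processed payment
    updaters = defaultdict(set)    # invoice -> users who marked it paid
    for event in events:
        user = _norm(event["user"])
        if event["action"] == "process_payment":
            processors[event["invoice"]].add(user)
        elif event["action"] == "mark_paid":
            updaters[event["invoice"]].add(user)
    return processors, updaters


def segregation_findings(events):
    """Return {invoice: (finding, users)} for every invoice that fails the test.

    same_user                   - one person both paid and updated the vendor file
    paid_without_payment_record - marked paid, but no payment step in the export
    payment_not_marked_paid     - payment processed, vendor file never updated
    Invoices handled by two different people produce no finding.
    """
    processors, updaters = _index(events)
    findings = {}
    for invoice in sorted(set(processors) | set(updaters)):
        paid_by = processors.get(invoice, set())
        updated_by = updaters.get(invoice, set())
        overlap = paid_by & updated_by
        if overlap:
            findings[invoice] = ("same_user", sorted(overlap))
        elif not paid_by:
            findings[invoice] = ("paid_without_payment_record", sorted(updated_by))
        elif not updated_by:
            findings[invoice] = ("payment_not_marked_paid", sorted(paid_by))
    return findings


def users_with_both_duties(events):
    """Users who performed both duties anywhere in the export.

    This is broader than the per-invoice test: it shows who has the access
    to do both, even where they never did so on the same invoice.
    """
    processors, updaters = _index(events)
    all_processors = set().union(*processors.values()) if processors else set()
    all_updaters = set().union(*updaters.values()) if updaters else set()
    return sorted(all_processors & all_updaters)


if __name__ == "__main__":
    for invoice, (finding, users) in segregation_findings(SAMPLE_EVENTS).items():
        print(f"{invoice}: {finding} ({', '.join(users)})")
    print("Hold both duties:", ", ".join(users_with_both_duties(SAMPLE_EVENTS)))
```
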
When you understand the elements of the audit risk model (see the preceding section), it's time to get into the meat of the matter: your risk assessment procedures. You use these procedures to assess the risk that material misstatement exists. This step is important because the whole point of a financial statement audit is finding out whether the financial statements are materially correct (free of material misstatement).
You assess audit risk by following various risk assessment procedures: recognizing the nature of the company and management, interviewing employees, performing analytical procedures, observing employees at work, and inspecting company records. This section explains how.
After you run through all applicable risk-assessment procedures, you use the results to figure out how high the chance is that your client has material financial-statement mistakes. Not every mistake is important. The later section, “Figuring Out What's Material and What Isn't,” explains the difference between important (material) and minor mistakes.
You can make some preliminary judgments about the nature of the company as part of your pre-planning activities (getting ready for your first meet-and-greet with the client). Checking out the company in public records is a good place to start. You'd be surprised how much information you can find out about a business merely by typing its name into a search engine.
Here are some crucial questions to ask the client during your risk assessment process:
Management sets the tone in any organization. Inept management that's lackadaisical about following or enforcing company policies and procedures can be a big issue. Management's attitude influences all employee behavior. When employees don't play by the rules, it increases the chance of the financial statements being incorrect.
You evaluate management attitude through interviews and observations. A possible symptom of mismanagement is high employee turnover, especially among mid- to lower-management. Turnover can lead to gaps in managerial oversight. If a company has to train new staff constantly, procedures may not be followed as closely as they should be.
Having inexperienced managers can be just as bad as (or worse than) having vacancies in the client's managerial lineup. At least if you know key positions aren't filled, you're clued into the fact that managerial oversight is lacking, which directly affects your risk assessment. If you fail to detect that existing managers are unskilled, you may rely on the financial statements more than is appropriate.
If key personnel such as the president, chief financial officer, and chief executive officer have been with the company for many years, that's usually an indication of quality management. Another good sign is if prior audits have required few, if any, accounting adjustments and there have been no financial statement restatements. Here's why:
To effectively assess the risks associated with an audit client, you need to be assessing more than just the numbers. People run businesses, so talking to employees about the company is important.
After you decide to speak with employees, keep these considerations in mind:
You find out more about how internal controls work in Chapter 5.
After you nail down what information you want to obtain from employees, you can make a list of questions. Here are some questions to ask when assessing risk that are effective in extracting the information you need:
These questions are a starting point for assessing risks related to the audit.
For this step, you use analytical procedures to evaluate audit risk. Put simply, analytical procedures test to see whether plausible and expected relationships exist in both financial and nonfinancial data.
Obviously, the figures shown on a client's financial statements are financial data. Nonfinancial data includes the client's overall position in the industry. Another example is how the client goes about achieving company objectives such as marketing, staffing, and opening plants in new locations.
One common type of observation is to watch the staff take a count of physical inventory. Visiting the company's business locations is another. Doing so gives you the opportunity to view the company's operations beyond what's in the books and records and to find out about the company's internal controls.
Touring the business provides you with a baseline as to the validity of facts shown on the books. As you walk around, you can see whether the big assets shown on the balance sheet actually exist. You may also find additional sources of revenue that aren't recorded. For example, if the property is renting a billboard to another business, is your client reporting that revenue?
Your observations will also key you into what's on the financial statements that shouldn't be there. For example, maybe the warehouse is too small to hold the volume of inventory the business reflects on the books. If so, where's the rest of the inventory? Is it in another storage facility, or is the cost of goods sold understated? Understating cost of goods sold artificially inflates a company's net income, which isn't a good thing when you're issuing an opinion on the correctness of the financial statements.
You must also determine whether the business is walking the walk when it comes to internal control procedures. You conduct your tours with employees who are knowledgeable about the departments you're inspecting. You can verify whether the employees in each department are handling their work duties the way they're spelled out in the internal controls manuals. You can also find out whether key duties are separated and whether assets are safeguarded per the internal control manuals. (For example, are customer payments locked in a safe until they're taken to the bank?)
Auditors refer to financial statement information that's not 100 percent correct as a misstatement. You'll probably never see a set of financial statements that's completely accurate. But misstatements aren't the issue in an audit — whether they're material is what matters. Material means that the misstatement is significant enough to influence the judgment of the person reading the financial statement.
Stated very broadly, you must consider the potential of the incorrect information to affect the overall accuracy of the financial statements. Here are some factors you consider when deciding whether a misstatement is material:
The following sections explain how to recognize fraud, which is always material, and describe the three components that lead to fraud.
When you find misstatements, you're responsible for making a fraud-versus-error assessment. Errors aren't deliberate; fraud is. Specifically, fraud is defined as willful intent to deceive. Fraud and a related term, collusion, are covered in Chapter 2. This section explains how to tell the difference between errors and fraud.
Here are some common errors you'll come across:
Fraud occurs when someone intends to deceive. You need to be on the lookout for two types of fraud:
Fraud can take the form of the falsification or alteration of accounting records or the financial statements. Deliberately making a mistake when coding expense checks is fraud. Intentionally booking a lower allowance for bad debt than is deemed reasonable by normal estimation methods is another type of fraud.
Fraud also includes intentional omissions of significant information. For example, if a company knows its largest customer is getting ready to close its doors and doesn't disclose this fact, that's fraud. Not properly disclosing loss contingencies is another example — for instance, if a company doesn't disclose that it's likely going to lose a lawsuit brought against it and the damages can be reasonably estimated. Head over to Book V, Chapter 4 for more on contingencies.
Of course, the theft of assets such as cash, inventory, or equipment is also fraud. Paying personal expenses out of the company checking account is fraud. Another example is taking company computers home to use personally.
One example of asset theft is paying for goods or services the company didn't receive, which can take place in related party transactions. A related party transaction occurs when a company sells to or buys from other businesses or individuals who are deemed to have significant influence over the company.
You'll hear auditors referring to the triangle of fraud. That's because in most fraudulent acts, three circumstances lead to the commission of fraud:
For fraud to occur, all three sides of the triangle must be present.
Management employees may perpetrate fraud differently from non-management employees. However, overlap between the two groups may exist. A manager, for example, may commit fraud based on an incentive listed in the upcoming non-management list. The following sections start with incentives to commit fraud, and then cover the other two sides of the triangle — opportunity and rationalization.
Incentives exist when an employee has an overriding reason to steal from the company. Sometimes the employee has bills he can't pay or a money-sucking addiction. Many times the incentive springs from not wanting a spouse, child, or parent to know about the problem. The employee resorts to self-help rather than risk being embarrassed by admitting that his debt is out of control. Of course, the incentive could merely be greed. Maybe the employee has expensive tastes and feels the company should foot the bill for a new car or fine jewelry. Or he suffers from the keeping-up-with-the-Joneses syndrome.
Managers are often motivated to commit fraud because of the way they're compensated. For example, a department manager may be angling for a higher raise at year's end. How well each department performs could be senior management's method of allocating available bonuses to the managers. A common performance measure is comparing actual department expenses to the budget.
Suppose the department manager artificially forces expenses to stay under budget to get a bigger bonus. For example, she may fail to book reasonable warranty estimates. Booking warranty estimates takes place whenever a company sells a product with a warranty. The company has to recognize the estimated repair expense it may incur to fix the product over the life of the warranty. Low-balling the estimate reduces expenses. Check out Book IV, Chapter 4 for more on warranties.
Other methods of deflating expenses include manipulating inventory and purchase expenses. Higher inventory figures reduce the cost of goods sold expense. Waiting to record current purchases until after the end of the year also serves to reduce expenses. Book IV, Chapter 3 is the place to go for more on inventories.
Another senior-management incentive is pressure from outside sources, such as the board of directors or shareholders. Shareholders, who are interested in protecting their investments, want to see positive numbers on the financial statements. Shareholders own the corporation and elect the corporation's board of directors. The board of directors oversees corporate operations and is responsible for hiring the corporate officers: president, vice president, secretary, and treasurer. Officers hire and approve bonuses for senior management. So keeping the board of directors happy is in the best interest of senior management, and some managers may believe that pleasing the board is more important than acting with integrity.
Regardless of the strength of the incentive, fraud can take place only if the opportunity is present. The opportunity for fraud can come in many forms. Here are some examples of circumstances that can open the door to fraudulent transactions:
Think back to any less-than-optimal decision you've ever made. Usually, the more harum-scarum the decision, the more you had to talk yourself into the wisdom of going down that rocky road. Employees go through the same process to justify fraud — at least to themselves. In some cases, the employee's rationale is that he works harder than the owner. In the employee's eye, the owner is vastly overpaid, and, therefore, a little fraud on the part of the employee levels the playing field.
Here are some other common rationalizations:
Keep in mind that the employee could also have some sort of psychiatric illness or personality disorder that prevents him from being able to control his actions. Or the employee may lack the ability to realize or care that his actions are inappropriate. Nor does the worker stop to consider the consequences of his actions. In these truly sad situations, the employee is very likely to be caught.
After completing your risk assessment procedures, your last step in this phase of the audit is to evaluate your findings. You must decide whether you can use normal audit procedures (for a low-risk assessment) or must use extended procedures (for a high-risk assessment). This section explains how to proceed with both low-risk and high-risk situations.
After looking at major financial statement accounts or classes of transactions, if you decide the risk of material misstatement is relatively low, you design your audit procedures accordingly. Here are three characteristics of company transactions that indicate low risk:
Many audit firms assign less experienced auditors to work low-risk engagements and save the big guns for the tough cases. You're more likely to have the pleasure of working these easier engagements early in your career, as a staff associate.
Also, in low-risk situations, sample sizes (the number of records you look at) are set at normal levels. Normal levels of any audit criteria are usually set as firm policy, meaning that your senior associate tells you what size samples to use. Professional skepticism is also set at normal levels, which simply means you'll be more apt to take transactions at face value. In other words, you assume the transactions are correct unless you discover otherwise.
If an audit engagement is high-risk, you have to sit back, evaluate how the company does business, and think about how material misstatements may slip through the cracks. You then design a more extensive audit to provide as much assurance as possible that you'll detect those misstatements. The following sections offer some prime examples of high-risk items.
A change in accounting principle can distort the financial statements and cause confusion for the financial statement reader. Assume, for example, a company changes its method of valuing ending inventory from the first-in, first-out (FIFO) method to the last-in, first-out (LIFO) method. (For more about LIFO and FIFO, see Book VIII, Chapter 3.)
Changing the method of valuing inventory distorts the cost of sales expense and, ultimately, net income. FIFO assumes you sell the oldest units first. Because inflation causes prices to rise, the older units are typically the cheapest units, so selling the least expensive goods first generates more net income sooner.
Keep in mind that total units sold and total cost of sales for all units is the same using either method. When you start selling those newer, more expensive units by using FIFO, you recognize more cost of sales and less income. If you apply FIFO and LIFO correctly, your revenue, cost of sales, and profit are the same by using either method, after all the units have been sold.
If you change the inventory valuation method in midstream, you can imagine how costs and profits are distorted. Specifically, the change in method may mean that you never apply the higher or lower costs to the units. In either case, the financials are distorted.
The financial impact of the change in accounting method must be disclosed, as explained in Book V, Chapter 4. But even if it is disclosed, the change in method may be an attempt to manipulate the financial statements.
You may encounter warning signs of fraud when you conduct your initial assessment. If, during your initial assessment, you determine that a company's internal controls are weak, you may need to dig deeper to find out why and identify any incidents of fraud. Weak internal controls facilitate fraud by making prevention and detection less likely.
Another red flag for potential fraud is the recording of executive compensation as a loan to the employee instead of an expense on the income statement. This situation reflects poorly on management integrity and also serves to artificially inflate net income.
Consider a company that has an international presence that involves cross-border transactions. At the very least, you have to deal with currency conversions such as dollars (USD) to euros (EUR), which can be subjective. For example, should certain accounts be valued at the year-end conversion rate, the conversion rate on the date of occurrence of the accounting event, or an average conversion rate representing fluctuations taking place all year? What's the right answer? This is something evaluated company by company and is a topic for discussion with your audit supervisor.
You also may have to deal with international financial records that may be in an unfamiliar format or a language you can't read or speak. The books may not be prepared in accordance with U.S. GAAP, which takes you out of your area of expertise.
Actions you take during a low-risk engagement are flip-flopped for a high-risk one. More experienced staff associates work on the engagement. The senior associates become more hands-on. Your firm may hire outside specialists who have knowledge and skills relating to the business's specific needs that are lacking in the CPA firm.
Professional skepticism increases, as does the number of items selected for sampling. You may use more extensive analytical procedures, which compare the business's financial data with your expectations of how the data should look. For example, if the industry standard is that the current ratio (current assets/current liabilities) is 2 percent, you rigorously question the client if its current ratio deviates from the norm.
As you do your investigative work getting to know your client, following your risk assessment procedures, and assessing the risk of material misstatement, you must extensively document everything you do. You use this documentation to provide a clear audit trail of what steps you took so you have written substantiation for the various levels of risk you've assessed for the financial statement accounts and transactions.
What seems perfectly evident one day becomes less and less memorable as the audit goes forward. Your job while documenting is to be concise yet provide enough information about each audit risk factor so that both you and those at your firm unfamiliar with the client can understand how you reached your conclusions about the factors you're responsible for.