AAP - Module 6: Risk Assessment PDF
Lex Daniel S. Quequegan
Summary
This document provides an overview of risk assessment in auditing, discussing various aspects like professional skepticism, materiality, and the risks of misstatements. It touches upon fraud and laws related to accounting.
Auditing and Assurance Principles
Module 6: Risk Assessment
Lex Daniel S. Quequegan, CPA, CFE

Module 6: Risk Assessment

At the end of this module, you will learn:
1. Introduction to risk;
2. Materiality;
3. Understanding the entity and its environment;
4. Assessing the risks of material misstatement;
5. Responding to the risk assessment;
6. Fraud, law and regulations; and
7. Documentation of risk assessment.

Introduction to Risk

PSA 200 states that the objectives of the audit are “to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and to report on the financial statements, and communicate as required by the PSAs, in accordance with the auditor’s findings.” [1]

A risk assessment carried out under the PSAs helps the auditor to identify financial statement areas susceptible to material misstatement and provides a basis for designing and performing further audit procedures. Furthermore, to achieve the overall objective, auditors also need to plan and perform the audit with professional skepticism, exercise professional judgment, and comply with ethical requirements.

Professional Skepticism

PSA 200 states that auditors must plan and perform the audit with an attitude of professional skepticism.
It is an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence. [2]

The auditor must be alert to:
§ Audit evidence that contradicts other audit evidence obtained
§ Information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence
§ Conditions that may indicate possible fraud
§ Circumstances that suggest the need for audit procedures in addition to those required by PSAs

Professional skepticism needs to be maintained throughout the audit to reduce the risks of overlooking unusual transactions, over-generalizing when drawing conclusions, and using inappropriate assumptions in determining the nature, timing and extent of audit procedures and evaluating the results of them. It is also necessary to the critical assessment of audit evidence. This includes questioning contradictory audit evidence and the reliability of documents and responses from management and those charged with governance.

[1] PSA 200.10
[2] PSA 200.13 (m)

Professional Judgment

PSA 200 requires the auditor to exercise professional judgment in planning and performing an audit of financial statements.
It is the application of relevant training, knowledge and experience, within the context provided by auditing, accounting and ethical standards, in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement. [3]

Professional judgment is required in the following areas:
§ Materiality and audit risk
§ Nature, timing and extent of audit procedures
§ Evaluation of whether sufficient appropriate audit evidence has been obtained
§ Evaluating management’s judgments in applying the applicable financial reporting framework
§ Drawing conclusions based on the audit evidence obtained

Audit Risks

Auditors follow a risk-based approach in auditing, as required by the PSAs. In this approach, auditors analyze the risks associated with the client’s business, transactions and systems which could lead to misstatements in the financial statements, and direct their testing to risky areas. Now, understanding the audit risk model helps the auditor to take action to reduce overall audit risk to an acceptable level.

Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. It is a function of the risks of material misstatement (i.e., control risk and inherent risk) and detection risk.

Audit Risk = Inherent Risk x Control Risk x Detection Risk

Risk of Material Misstatement

Risk of material misstatement [4] is the risk that the financial statements are materially misstated prior to audit. This consists of two (2) components, to wit:

a. Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

b. Control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements. [5] This is the component of audit risk that the auditors have a degree of control over, because if risk is too high to be tolerated, the auditors can carry out more work to reduce this aspect of audit risk and, therefore, audit risk as a whole.

One way to decrease detection risk is to increase sample sizes. However, increasing sample sizes and carrying out more work is not the only way to manage detection risk. This is because detection risk is a function of the effectiveness of an audit procedure and of its application by the auditor. The following actions can also improve the effectiveness and application of procedures and therefore help to reduce detection risk:
§ Adequate planning
§ Assignment of more experienced personnel to the engagement team
§ The application of professional skepticism
§ Increased supervision and review of the audit work performed

[3] PSA 200.13 (k)
[4] PSA 200.13 (n)
[5] PSA 200.13 (e)

Materiality

Materiality for the financial statements as a whole and performance materiality must be calculated at the planning stages of all audits. The calculation or estimation of materiality should be based on experience and judgment. Materiality for the financial statements as a whole must be reviewed throughout the audit and revised if necessary.
The PSAs do not specifically define materiality, but note that, while it may be discussed in different terms by different financial reporting frameworks, the following are generally the case:
§ Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements;
§ Judgments about materiality are made in light of surrounding circumstances, and are affected by the size or nature of a misstatement, or a combination of both; and
§ Judgments about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users, whose needs may vary widely, is not considered. [6]

PAS 1 definition of materiality: [7]

Information is material if omitting, misstating or obscuring it could reasonably be expected to influence decisions that the primary users of general purpose financial statements make on the basis of those financial statements, which provide financial information about a specific reporting entity.

Materiality depends on the nature or magnitude of information, or both. An entity assesses whether information, either individually or in combination with other information, is material in the context of its financial statements taken as a whole.

Information is obscured if it is communicated in a way that would have a similar effect for primary users of financial statements to omitting or misstating that information. The following are examples of circumstances that may result in material information being obscured:
(a) information regarding a material item, transaction or other event is disclosed in the financial statements but the language used is vague or unclear;
(b) information regarding a material item, transaction or other event is scattered throughout the financial statements;
(c) dissimilar items, transactions or other events are inappropriately aggregated;
(d) similar items, transactions or other events are inappropriately disaggregated; and
(e) the understandability of the financial statements is reduced as a result of material information being hidden by immaterial information to the extent that a primary user is unable to determine what information is material.

[6] PSA 320.2
[7] PAS 1.7

Assessing whether information could reasonably be expected to influence decisions made by the primary users of a specific reporting entity’s general purpose financial statements requires an entity to consider the characteristics of those users while also considering the entity’s own circumstances.

Many existing and potential investors, lenders and other creditors cannot require reporting entities to provide information directly to them and must rely on general purpose financial statements for much of the financial information they need. Consequently, they are the primary users to whom general purpose financial statements are directed. Financial statements are prepared for users who have a reasonable knowledge of business and economic activities and who review and analyze the information diligently. At times, even well-informed and diligent users may need to seek the aid of an adviser to understand information about complex economic phenomena.

The practical implication of this is that the auditor must be concerned with identifying material errors, omissions and misstatements. Both the amount (quantity) and nature (quality) of misstatements need to be considered.
To implement this, the auditor therefore has to set their own materiality levels – this will always be a matter of judgement and will depend on the level of audit risk. The higher the anticipated risk, the lower the value of materiality will be.

The materiality level will impact on the auditor’s decisions relating to:
§ How many items to examine
§ Which items to examine
§ Whether to use sampling techniques
§ What level of misstatement is likely to result in a modified audit opinion

Determining and Calculating Materiality and Performance Materiality (PM)

During planning, the auditor must establish materiality for the financial statements as a whole, but must also set performance materiality levels.

Determining materiality for the financial statements as a whole involves the exercise of professional judgment. Generally, a percentage is applied to a chosen benchmark as a starting point for determining materiality for the financial statements as a whole. The following factors may affect the identification of an appropriate benchmark:
§ Elements of the financial statements (e.g., assets, liabilities, equity, revenue, expenses)
§ Whether there are items on which users tend to focus
§ Nature of the entity, industry and economic environment
§ Entity’s ownership structure and financing
§ Relative volatility of the benchmark

An example of benchmarks and percentages of materiality may be as follows.

Value                   Materiality %
Profit before tax       5-10%
Gross margin            1-4%
Revenues                0.5-3%
Operating expenses      0.5-3%
Equity                  1-5%
Assets                  0.5-3%

For this reason, the auditor is required to set performance materiality levels which are lower than the materiality for the financial statements as a whole. This means a lower threshold is applied during testing. The risk of misstatements which could add up to a material misstatement is therefore reduced.
Performance materiality means the amount set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. It is also the amount set by the auditor at less than the materiality level for particular classes of transactions, account balances or disclosures. [8]

Materiality has qualitative aspects. Some misstatements may fall under specified benchmarks, but are still considered material overall due to their qualitative effects. Magnitude by itself, without regard to the nature of the item and the circumstances in which the judgement has to be made, may not be a sufficient basis for a materiality judgement. As a result, qualitative factors may cause misstatements of quantitatively small amounts to be material. Examples of qualitative aspects are: [9]
§ Law, regulation or the applicable financial reporting framework affect users’ regarding the measurement or disclosure of certain items
§ The key disclosures in relation to the industry in which the entity operates
§ Attention is focused on a particular aspect of the entity’s business that is separately disclosed in the financial statements

[8] PSA 320.9
[9] PSA 320.A10
[10] SEC Memorandum Circular No.8, Series of 2009

SEC Test of Materiality [10]

According to the Securities and Exchange Commission (SEC), it is considered a material deficiency in the financial statements if there is no accounting policy for a material account. According to the SEC guidelines, a material account means a balance sheet or income statement item, the amount of which is equivalent to:

1. For PIE:
§ 5% or more of total current asset, if it is one of the current asset items
§ 5% or more of total non-current asset, if it is one of the non-current asset items
§ 5% or more of total current liabilities, if it is one of the current liabilities items
§ 5% or more of total long-term liabilities, if it is one of the long-term liabilities items
§ 5% or more of the total stockholders’ equity, if it is one of the equity items or the amount of total assets if there is capital deficiency
§ 5% or more of the gross income, cost of sales/services or the total operating expenses, as may be applicable

2. For all other corporations, the threshold shall be 10% or more of the items mentioned above.

The SEC also considers the following instances as material misstatement in the financial statements:
§ An accounting policy for a significant account is not consistent with PFRS or GAAP
§ An accounting policy for a significant account is not consistently applied between periods or to similar transactions and events (inconsistent application)
§ The estimate or assumption used on a significant account is unreasonable and resulted in material misstatement of the financial statements
§ There is more than one (1) minor misstatement and the aggregate amount involved for said misstatements meets the test of materiality
§ The financial statements of a corporation with a subsidiary or subsidiaries are not presented on a consolidated basis in violation of PAS 27
§ Such other misstatements in the financial statements (overstatement or understatement of income, asset, liability or equity) as the SEC may consider material

Revision of Materiality

The level of materiality must be revised for the financial statements as a whole if the auditor becomes aware of information during the audit that would have caused the auditor to have determined a different amount during planning.
If the auditor concludes that a lower amount of materiality for the financial statements as a whole is appropriate, the auditor must determine whether performance materiality also needs to be revised, and whether the nature, timing and extent of further audit procedures are still appropriate.

A revision to materiality might be required, for example, if during the audit it appears that actual results are going to be significantly different from the expected results, which were used to calculate materiality for the financial statements as a whole during planning.

Documentation of Materiality [11]

The auditor shall include in the audit documentation the following amounts and the factors considered in their determination:
§ Materiality for the financial statements as a whole
§ If applicable, the materiality level for particular classes of transactions, account balances or disclosures
§ Performance materiality
§ Any revision of the above as the audit progressed

[11] PSA 320.14

Understanding the Entity and Its Environment

Under PSA 315, the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. [12] The following table summarizes the objective.

Why?
§ To identify and assess the risks of material misstatement in the financial statements
§ To enable the auditor to design and perform further audit procedures
§ To provide a frame of reference for exercising audit judgment (e.g., when setting audit materiality)

What?
§ Industry, regulatory and other external factors, including the applicable financial reporting framework
§ Nature of the entity, including operations, ownership and governance, investments, structure and financing
§ Entity’s selection and application of accounting policies
§ Objectives and strategies and related business risks that might cause material misstatement in the financial statements
§ Measurement and review of the entity’s financial performance
§ Internal control

How?
§ Inquiries of management, appropriate individuals within the internal audit function and others within the entity
§ Analytical procedures
§ Observation and inspection
§ Prior period knowledge
§ Client acceptance or continuance process
§ Discussion by the audit team of the susceptibility of the financial statements to material misstatement
§ Information from other engagements undertaken for the entity

What do we need an understanding of?

UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

Nature of the entity
§ Financing
§ Investment
§ Financial reporting
§ Business operations

Objectives and strategies and related business risks
§ Expansion
§ Use of information technology/system
§ Industry developments
§ New products and services

Selection and application of accounting policies
§ GAAP used
§ Application of accounting policies to complex or unusual/specialized transactions

Internal control
§ Control activities
§ Monitoring of controls
§ Control environment

Financial performance
§ Employee performance measures
§ Budgets, forecasts, etc.
§ Competitors
§ Financial analysis
§ Key performance indicators

Industry, regulatory and other external factors
§ Taxation
§ Regulatory framework
§ Cyclical or seasonal activity
§ The market and competition
§ Accounting principles
§ Energy supply and cost
§ Interest rates
§ Product technology
§ Social, economic and environmental factors

[12] PSA 315.12

How do we gain an understanding?

The auditor will refer to the following to help in obtaining an understanding of the entity and its environment.
§ The permanent audit file where information of continuing importance to the audit is kept
§ Audit working papers from the previous year’s audit file
§ Information from the client’s website
§ Publications or websites related to the industry the client operates in

A combination of the following procedures should be used to obtain an understanding.
1. Inquiries of management, internal auditors, and others within the entity
2. Analytical procedures
3. Observation and inspection

PSA 315 also states that the auditor shall consider whether information obtained from client acceptance or continuance processes is relevant. [13] If the engagement partner has performed other engagements for the entity, he/she shall consider whether information from these is relevant to identifying risks of material misstatement.

If the auditor is going to use information from the prior year audit, the auditor shall determine whether changes have occurred that could affect the relevance to the current year’s audit.

The engagement partner and other key team members shall discuss the susceptibility of the financial statements to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and circumstances. The engagement partner shall determine what matters are to be communicated to team members not involved in the discussion.

[13] PSA 315.15
Inquiry

The auditors will usually obtain most of the information they require from staff in the accounts department but may also need to make inquiries of other personnel: for example, production staff and those charged with governance.

Those charged with governance may give insight into the environment in which the financial statements are prepared. In-house legal counsel may help with understanding such matters as outstanding litigation and compliance with laws and regulations. Sales and marketing personnel may give information about marketing strategies and sales trends. If the client has an internal audit function, inquiries should be made of internal auditors as appropriate as part of risk assessment procedures.

Analytical Procedures

Analytical procedures consist of evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass investigation of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount. As a matter of fact, analytical procedures can be used at all stages of the audit.

Analytical procedures include:
1. The consideration of comparisons with:
   § Similar information for prior periods
   § Anticipated results of the entity, from budgets or forecasts
   § Predictions prepared by the auditor
   § Industry information
2. The consideration of the relationship between elements of financial information that are expected to conform to a predicted pattern based on the entity’s experience, such as the relationship of gross profit to sales.
3. The consideration of the relationship between financial information and relevant non-financial information, such as the relationship of payroll costs to number of employees.
A variety of methods can be used to perform the procedures discussed above, ranging from simple comparisons to complex analysis using statistics, on a company level, branch level or individual account level. Ratio analysis can be a useful technique when carrying out analytical procedures. The choice of procedures is a matter for the auditors' professional judgement. The use of information technology may be extensive when carrying out analytical procedures during risk assessment.

Auditors may also use specific industry information or general knowledge of current industry conditions to assess the client's performance.

As well as helping to determine the nature, timing and extent of other audit procedures, such analytical procedures may also indicate aspects of the business of which the auditors were previously unaware. Auditors are looking to see if developments in the client's business have had the expected effects. They will be particularly interested in changes in audit areas where problems have occurred in the past.

Analytical procedures at the risk assessment stage of the audit are usually based on interim financial information, budgets or management accounts.

Observation and Inspection

These techniques are likely to confirm the answers given to enquiries made of management. They will include observing the normal operations of a company, reading documents or manuals relating to the client's operations and visiting premises and meeting staff.
Assessing the Risks of Material Misstatement

PSA 315 says that the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. [14]

Assertions are representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial statements which are inherent in management representing that the financial statements are prepared in accordance with the applicable financial reporting framework. Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risks of material misstatement. [15]

It requires the auditor to take the following steps:
§ Identify the risks throughout the process of obtaining an understanding of the entity and its environment
§ Assess the identified risks and evaluate whether they relate more pervasively to the financial statements as a whole
§ Relate the risks to what can go wrong at the assertion level
§ Consider the likelihood of the risks causing a material misstatement

Significant Risks

Significant risks are complex or unusual transactions that may indicate fraud, or other special risks. It is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur. [16] These require special audit consideration.

As part of the risk assessment, the auditor shall determine whether any of the risks are significant. The following factors indicate that a risk might be significant:
§ Risk of fraud
§ Its relationship with recent economic, accounting or other developments
§ The degree of subjectivity in the financial information
§ It is an unusual transaction
§ It is a significant transaction with a related party
§ The complexity of the transaction

[14] PSA 315.11
[15] PSA 315.12(a)
[16] PSA 315.12(l)

Routine, non-complex transactions are less likely to give rise to significant risk than unusual transactions or matters of management judgment. This is because unusual transactions are likely to have more:
§ Management intervention
§ Complex accounting principles or calculations
§ Manual intervention
§ Opportunity for control procedures not to be followed

When the auditor identifies a significant risk, if they have not done so already, they shall obtain an understanding of the entity’s controls relevant to that risk.

Responding to the Risk Assessment

Overall Responses

Overall responses include such issues as emphasizing to the team the importance of professional skepticism, allocating more staff, using experts or providing more supervision.

Overall responses to address the risks of material misstatements at the financial statement level will be changes to the general audit strategy or reaffirmations to staff or the general audit strategy. For example:
§ Emphasizing to audit staff the need to maintain professional skepticism
§ Assigning additional or more experienced staff to the audit team
§ Providing more supervision on the audit
§ Incorporating more unpredictability into the audit procedures
§ Making general changes to the nature, timing or extent of audit procedures

The evaluation of the control environment that will have taken place as part of the assessment of the client’s internal control systems will help the auditor determine what type of audit approach to take.
Responses to the Risks of Material Misstatement at the Assertion Level

The PSA says that the auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. “Nature” refers to the purpose and type of test that is carried out, which include tests of controls and substantive tests.

Tests of Controls

Tests of controls are audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. [17]

When the auditor’s risk assessment includes an expectation that controls are operating effectively, the auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating.

[17] PSA 315.4(b)

The auditor shall also undertake tests of controls when it will not be possible to obtain sufficient appropriate audit evidence simply from substantive procedures. This might be the case if the entity conducts its business using IT systems which do not produce documentation of transactions.

In carrying out tests of control, auditors shall use inquiry, but shall also use other procedures. Reperformance and inspection will often be helpful procedures.

When considering timing in relation to tests of controls, the purpose of the test will be important. For example, if the company carries out a year-end inventory count, controls over the inventory count can only be tested at year end.
Other controls will operate all year round, and the auditor may need to test that those controls have been effective throughout the period.

Some controls may have been tested in prior audits and the auditor may choose to rely on that evidence of effectiveness. If this is the case, the auditor shall obtain evidence about any changes since the controls were last tested and shall test the controls if they have changed. In any case, controls shall be tested for effectiveness at least once in every three audits.

If the related risk has been designated a significant risk, the auditor shall not rely on testing done in prior years, but shall perform testing in the current year.

Substantive Procedures

Substantive procedures are audit procedures designed to detect material misstatement at the assertion level. These procedures include (1) tests of details (of classes of transaction, account balances, and disclosures) and (2) substantive analytical procedures. [18]

The auditor shall always carry out substantive procedures on material items. The PSA says that irrespective of the assessed risk of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance and disclosure. [19]

In addition, the auditor shall carry out the following substantive procedures:
§ Agreeing or reconciling the financial statements to the underlying accounting records
§ Examining material journal entries
§ Examining other adjustments made in preparing the financial statements

Substantive procedures fall into two categories: analytical procedures and tests of details. The auditor must determine when it is appropriate to use which type of substantive procedure.

Substantive analytical procedures tend to be appropriate for large volumes of predictable transactions (for example, wages and salaries). Tests of detail may be appropriate to gain information about account balances, for example, inventory and trade receivables.
18 PSA 315.4(a)
19 PSA 315.18

Tests of detail rather than analytical procedures are likely to be more appropriate with regard to matters which have been identified as significant risks, but the auditor must develop procedures that are specifically responsive to that risk, which may include analytical procedures. Significant risks are likely to be the most difficult to obtain sufficient appropriate audit evidence about.

Examples of Responses to Audit Risks

Example of risk: Risk that inventory has a lower net realizable value than cost and is therefore overstated (e.g., NRV falls due to the client being in an industry where tastes/fashions change quickly).
Possible responses:
§ Examine the instructions to identify slow moving inventory lines when attending the inventory count.
§ Increase the emphasis on reviewing the year end aged inventory analysis for evidence of slow moving inventory.
§ Ascertain sales value for items sold post year end that were in inventory at the year end to ensure their NRV was higher than the cost recorded as part of the value in the financial statements.

Example of risk: Assets are desirable/more susceptible to theft leading to a risk that recorded assets do not exist (e.g., inventory/non-current assets).
Possible responses:
§ Focus on testing internal controls over those assets (including physical controls to prevent theft).
§ Increase sample sizes for inspecting recorded assets, ensuring any material assets are verified (in the context of performance materiality).

Example of risk: Increased risk of revenue expenditure being incorrectly classified as capital (or vice versa), leading to misstatement of assets/expenses (e.g., extensive refurbishment of non-current assets where judgment is needed to establish whether the nature of the work is to enhance the asset or repair/replace it).
Possible responses:
§ Obtain a breakdown of related costs and review accounting entries against invoices/details of work done to ensure expenditure is correctly treated as capital/revenue.
§ Perform a detailed review of repairs accounts for any items which should be included in non-current assets.
§ Review the asset register to ensure only capital items have been included.

Example of risk: Increased risk of incomplete or unrecorded income due to fraud or theft (e.g., large amounts of cash collected and held prior to banking).
Possible responses:
§ Perform analytical procedures focusing on comparing revenue with expected seasonal/monthly patterns.
§ If a retail client, perform/reperform a reconciliation of a sample of till records to actual bankings.

Example of risk: Receipts/invoicing significantly in advance/arrears of providing services or goods, therefore leading to an increased risk of revenue being in the wrong period (e.g., deposits received in advance, reservation fees, contracts spanning the year end).
Possible responses:
§ For a sample of revenue entries recorded prior to the year end, agree the transactions as relating to pre year end sales by inspecting the contract / other supporting documentation.
§ Trace post year end transactions back to a supporting contract/documentation to test that revenue was recorded in the proper period.
§ For a sample of contracts or GDNs, verify the revenue was recognized according to the provision of services/goods.
§ Perform analytical procedures where monthly revenue is compared to expectations and budgeted revenue. Unexpected deviations should be investigated.

Example of risk: Invoices received (or payments made) in advance/arrears of goods or services delivery date leading to overstatement or understatement of costs and/or liabilities.
Possible responses:
§ Review post year end bank statements / cash book payments for evidence of amounts relating to the financial year but not included in liabilities.
§ For a sample of documents pre and post year end indicating date of delivery of goods/services (e.g., GRNs), verify the cost and liability were recorded in the appropriate period.

Example of risk: There is an increased risk of irrecoverable debts (e.g., due to the nature of the client's industry or customers), resulting in assets being potentially overstated.
Possible responses:
§ Identify year end receivable balances still outstanding at the date of the audit by reviewing post year end receipts from customers. For amounts still outstanding establish whether these are provided for.
§ Review aged receivables analysis and customer correspondence files for evidence of disputes with receivables and consider the adequacy of any related receivables allowance.

Example of risk: Significant client borrowing and/or overdraft with cash flow problems which may indicate going concern problems.
Possible responses:
§ Review correspondence with the bank/lender for any evidence of withdrawal or extension of facilities.
§ If there are bank covenants linked to performance on which facilities depend, review compliance with these, and increase testing on areas where management could manipulate performance indicators (such as provisions).
§ Review post year end results and cash flow forecasts (if prepared) for evidence the company can continue as a going concern.

Example of risk: New client systems/controls/staff impacting on amounts recorded in the financial statements, increasing the risk of errors and the risk of internal controls not operating effectively.
Possible responses:
§ Undertake additional visits (e.g., interim audit) to assess the effectiveness of controls operating over areas affected.
§ Perform extra work to document and evaluate new systems/controls, performing tests of controls where necessary.
§ Increase sample sizes for substantive testing over financial statement areas impacted.
Example of risk: Management has an incentive to manipulate performance, increasing the risk of profits being overstated (e.g., remuneration or bank funding is reliant on performance).
Possible responses:
§ Focus on and increase testing on judgmental areas in the financial statements (e.g., provisions, revenue recognition accounting policies).

Above are just some examples of risks you may encounter in an exam question on audit risks and responses. The best response to each risk will depend on the particular circumstances of the client and the environment in which it operates. Your approach should not be to simply learn a list of responses. Instead, your focus should be on understanding the link between audit risks and responses, and being able to identify and explain risks and suitable responses when presented with different scenarios.

Fraud, Law and Regulations

Errors
Definition: Unintentional misstatements or omissions
Examples: Mistakes in processing accounting data, incorrect accounting estimates due to oversight, mistakes in application of accounting principles
Detection responsibility:
1. Assess risk of misstatement.
2. Based on assessment, design audit to provide reasonable assurance of detection of material misstatement.
3. Exercise due care in planning, performing, and evaluating results of audit procedures, and proper degree of professional skepticism to achieve reasonable assurance of detection.
Reporting responsibility:
1. Modify audit report for remaining departures from financial reporting framework or scope limitations.
2. Report to audit committee, if needed.

Fraud
Definition: Intentional misstatement or omissions
Examples: Two types: (1) fraudulent financial reporting and (2) misappropriation of assets
Detection responsibility: (Same as for errors)
Reporting responsibility: (Same as for errors)

Illegal Acts: Direct Effect
Definition: Violations of laws or regulations having a material effect on financial statement amounts and disclosures
Examples: Tax laws, post-employment benefits
Detection responsibility: (Same as for errors)
Reporting responsibility: (Same as for errors)

Illegal Acts: Other Laws
Definition: Violations of laws or regulations not having a material and direct effect on financial statement amounts and disclosures
Examples: Securities, occupational safety and health, food and drug administration, environmental protection, employment
Detection responsibility:
1. Be aware of possibility that they may have occurred.
2. Inquire of management and those charged with governance.
3. Inspect correspondence with licensing or regulatory agencies.
4. If specific information comes to attention on an illegal act with a possible material indirect financial statement effect, apply audit procedures necessary to determine whether illegal act has occurred.
Reporting responsibility: (Similar to errors)

Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Fraud may be perpetrated by an individual, or colluded in, with people internal or external to the business.

Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.

Fraud is a wide legal concept, but the auditor’s main concern is with fraud that causes a material misstatement in the financial statements. It is distinguished from error, which is when a material misstatement is caused by mistake.

There are two types of fraud causing material misstatement in financial statements:
1. Fraudulent financial reporting
2. Misappropriation of assets

Fraudulent Financial Reporting

Fraudulent financial reporting involves intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users.
This may include:
§ Manipulation, falsification or alteration of accounting records/supporting documents
§ Misrepresentation (or omission) of events or transactions in the financial statements
§ Intentional misapplication of accounting principles

Such fraud may be carried out by overriding controls that would otherwise appear to be operating effectively, for example by recording fictitious journal entries and improperly adjusting assumptions or estimates used in financial reporting.

Misappropriation of Assets

Misappropriation of assets involves the theft of an entity's assets and is often perpetrated by employees in relatively small and immaterial amounts. However, it can also involve management who are usually more capable of disguising or concealing misappropriations in ways that are difficult to detect.

Employees may be involved in such fraud in small and immaterial amounts, but it can also be carried out on a larger scale by management who may then conceal the misappropriation, for example, by:
§ Embezzling receipts (diverting them to private bank accounts)
§ Stealing physical assets or intellectual property (inventory, selling data)
§ Causing an entity to pay for goods not received (payments to fictitious vendors)
§ Using assets for personal use

Fraud and the Auditor

The primary responsibility for the prevention and detection of fraud is with those charged with governance and the management of an entity. This is effected by having a commitment to creating a culture of honesty and ethical behavior and active oversight by those charged with governance.

The auditor is responsible for obtaining reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error.
The risk of not detecting a material misstatement from fraud is higher than from error because of the following reasons:
§ Fraud may involve sophisticated schemes designed to conceal it
§ Fraud may be perpetrated by individuals in collusion
§ Management fraud is harder to detect because management is in a position to manipulate accounting records or override control procedures

The auditor is responsible for maintaining professional skepticism throughout the audit, considering the possibility of management override of controls, and recognizing that audit procedures effective for detecting errors may not be effective for detecting fraud.

Risk Assessment

PSA 315 requires a discussion among team members that places particular emphasis on how and where the financial statements may be susceptible to fraud.20

Risk assessment procedures to obtain information in identifying the risk of material misstatement due to fraud shall include the following:
a. Inquiries of management regarding:
   i. Management’s assessment of the risk that the financial statements may be misstated due to fraud
   ii. Management’s process for identifying and responding to the risk of fraud
   iii. Management’s communication to those charged with governance in respect of its process for identifying and responding to the risk of fraud
   iv. Management’s communication to employees regarding its views on business practices and ethical behavior
   v. Knowledge of any actual, suspected or alleged fraud
b. Inquiries of internal audit for knowledge of any actual, suspected or alleged fraud, and its views on the risks of fraud.
c. Obtaining an understanding of how those charged with governance oversee management’s processes for identifying and responding to the risk of fraud and the internal control established to mitigate these risks.
d. Inquiries of those charged with governance for knowledge of any actual, suspected or alleged fraud.
e. Evaluating whether any unusual relationships have been identified in performing analytical procedures that may indicate risk of material misstatement due to fraud.
f. Considering whether any other information may indicate risk of material misstatement due to fraud.
g. Evaluating whether any fraud risk factors are present.

In accordance with PSA 315, the auditor shall identify and assess the risks of material misstatement due to fraud at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures. These risks shall be treated as significant risks.

Additionally, PSA 330 provides that the auditor shall determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. In this regard, the auditor shall:
§ Assign and supervise responsible staff, taking into account their knowledge, skill and ability
§ Evaluate whether the accounting policies may be indicative of fraudulent financial reporting
§ Incorporate unpredictability in the selection of the nature, timing and extent of audit procedures

Management fraud is more difficult to detect than employee fraud because of management’s ability to override controls and therefore manipulate accounting records.
PSA 240 states that irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design and perform audit procedures to:
§ Test the appropriateness of journal entries and other adjustments
§ Review accounting estimates for bias
§ For significant transactions outside the normal course of business, evaluate whether they have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets

Written Representations

PSA 240 requires the auditor to obtain written representations (known as a management representation letter) from management and those charged with governance that:
a. They acknowledge their responsibility for the design, implementation and maintenance of internal control to prevent and detect fraud.
b. They have disclosed to the auditor management’s assessment of the risk of fraud in the financial statements.
c. They have disclosed to the auditor their knowledge of fraud/suspected fraud involving management, employees with significant roles in internal control, and others where fraud could have a material effect on the financial statements.
d. They have disclosed to the auditor their knowledge of any allegations of fraud/suspected fraud communicated by employees, former employees, analysts, regulators or others.

20 PSA 315.A42

Communication to Management and Those Charged with Governance

If the auditor identifies fraud or receives information that a fraud may exist, the auditor shall report this on a timely basis to the appropriate level of management. If the auditor identifies or suspects fraud involving management, employees with significant roles in internal control, and others where fraud could have a material effect on the financial statements, they shall communicate this on a timely basis to those charged with governance.
The auditor also needs to consider whether there is a responsibility to report to the regulatory or enforcement authorities; the auditor’s professional duty of confidentiality may be overridden by laws and statutes in certain jurisdictions.

Law and Regulations

The auditor is also required to consider the issue of law and regulations in the audit. The objectives of the auditor are:
a. To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements;
b. To perform specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements; and
c. To respond appropriately to identified or suspected non-compliance with laws and regulations identified during the audit.21

21 PSA 250.11

Responsibilities of Management Compared to Auditors

It is management’s responsibility to ensure that the entity complies with the relevant laws and regulations. It is not the auditor’s responsibility to prevent or detect non-compliance with laws and regulations.

The auditor’s responsibility is to obtain reasonable assurance that the financial statements are free from material misstatement and, in this respect, the auditor must take into account the legal and regulatory framework within which the entity operates.

PSA 250 distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations:
1. Those that have a direct effect on the determination of material amounts and disclosures in the financial statements.
2. Those that do not have a direct effect on the determination of material amounts and disclosures in the financial statements but where compliance may be fundamental to the operating aspects, ability to continue in business, or to avoid material penalties.

For the first category, the auditor’s responsibility is to obtain sufficient appropriate audit evidence about compliance with those laws and regulations. For the second category, the auditor’s responsibility is to undertake specified audit procedures to help identify non-compliance with laws and regulations that may have a material effect on the financial statements. These include inquiries of management and inspecting correspondence with the relevant licensing or regulatory authorities.

Audit Procedures

In accordance with PSA 315, the auditor shall obtain a general understanding of:
§ The applicable legal and regulatory framework
§ How the entity complies with that framework

The auditor can achieve this understanding by using and updating their existing understanding, and by making inquiries of management about other laws and regulations that may affect the entity, about its policies and procedures for ensuring compliance, and about its policies and procedures for identifying, evaluating and accounting for litigation claims.

The auditor shall remain alert throughout the audit to the possibility that other audit procedures may bring instances of non-compliance or suspected non-compliance to the auditor’s attention.
These audit procedures could include:
§ Reading minutes
§ Making inquiries of management and in-house/external legal advisers regarding litigation, claims and assessments
§ Performing substantive tests of details of classes of transactions, account balances or disclosures

The auditor shall request written representations from management that all known instances of non-compliance or suspected non-compliance with laws and regulations whose effects should be considered when preparing the financial statements have been disclosed to the auditor.

Audit Procedures When Non-compliance is Identified or Suspected

The following factors may indicate non-compliance with laws and regulations:
§ Investigations by regulatory authorities and government departments
§ Payment of fines or penalties
§ Payments for unspecified services or loans to consultants, related parties, employees or government employees
§ Sales commissions or agents’ fees that appear excessive
§ Purchasing at prices significantly above/below market price
§ Unusual payments in cash
§ Unusual transactions with companies registered in tax havens
§ Payment for goods and services made to a country different to the one in which the goods and services originated
§ Payments without proper exchange control documentation
§ Existence of an information system that fails to provide an adequate audit trail or sufficient evidence
§ Unauthorized transactions or improperly recorded transactions
§ Adverse media comment

The following may be the audit procedures to be performed when non-compliance is identified or suspected.
§ Obtain understanding of nature of act and circumstances
§ Obtain further information to evaluate possible effect on financial statements
§ Discuss with management and those charged with governance
§ Consider need to obtain legal advice if sufficient information not provided and matter is material
§ Evaluate effect on auditor’s opinion if sufficient information not obtained
§ Evaluate implications on risk assessment and reliability of written representations

Reporting Identified or Suspected Non-Compliance

The auditor shall communicate with those charged with governance, but, if the auditor suspects that those charged with governance are involved, the auditor shall communicate with the next highest level of authority, such as the audit committee or supervisory board. If this does not exist, the auditor shall consider the need to obtain legal advice.

The auditor shall consider the impact on the auditor's report if they conclude that the non-compliance has a material effect on the financial statements and has not been adequately reflected, or if the auditor is prevented by management and those charged with governance from obtaining sufficient appropriate audit evidence to evaluate whether non-compliance is material to the financial statements.

The auditor shall determine whether identified or suspected non-compliance has to be reported to the regulatory and enforcement authorities. Although the auditor must maintain the fundamental principle of confidentiality, in some jurisdictions the duty of confidentiality may be overridden by law or statute.

Documentation of Risk Assessment

Auditors must ensure they have documented the work done at the risk assessment stage, such as the discussion among the audit team of the susceptibility of the financial statements to material misstatements, significant risks, and overall responses.
The need for auditors to document their audit work is discussed in the next chapter where we will look in particular at the audit plan and the audit strategy, two documents for planning. PSAs 315 and 330 contain a number of general requirements about documentation, and we shall briefly run through those here.

The following matters shall be documented during planning.
§ The discussion among the audit team concerning the susceptibility of the financial statements to material misstatements, including any significant decisions reached
§ Key elements of the understanding gained of the entity regarding the elements of the entity and its internal control component specified in PSA 315, the sources of the information gained and the risk assessment procedures carried out
§ The identified and assessed risks of material misstatement at the financial statement level and at the assertion level
§ Risks identified and related controls evaluated
§ The overall responses to address the risks of material misstatement at the financial statement level
§ Nature, extent and timing of further audit procedures linked to the assessed risks at the assertion level
§ Results of audit procedures
§ If the auditors have relied on evidence about the effectiveness of controls from previous audits, conclusions about how this is appropriate
§ Demonstration that the financial statements agree or reconcile with the underlying accounting records