Auditing Course Assignment
3-1
Risk Assessment Part I Audit Risk and Audit Strategy
CHAPTER 3
Au di
t d at
a an
al yt
ic s
Ch ap
te r 7
Au di
t e vi
de nc
e Ch
ap te
r 5
Client Acceptance/Continuance and Risk Assessment Chapters 3 & 4
Develop Responses to Risk and an Audit Strategy
Gain an understanding of
the client
Identify significant accounts and transactions
Set planning materiality
Identify what can go wrong (WCGW)
Gain an understanding of internal controls
Chapter 6
Overview and Audit Assurance Chapter 1
Concluding the Audit and Reporting Chapter 14 & 15
ReportingDrawing auditconclusions Procedures performed near
the end of the audit
Auditing the balance sheet and related income accounts
Chapter 13
Auditing purchases, payables, and payroll
Chapter 12
Auditing sales and receivables
Chapter 11
Reliance on internal controls Chapter 8
Substantive strategy Chapter 9
Audit sampling for substantive tests Chapter 10
Professionalism and Professional Responsibilities Chapter 2
c03RiskAssessmentPartI.indd Page 3-1 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-1 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-2 CHAPTER 3 Risk Assessment Part I
Cloud 9 - Continuing Case Sharon and Josh have already discussed some specifi c client accep- tance issues, such as independence threats and safeguards. Sharon explains they also must consider the overall integrity of the client (that is, management of Cloud 9). This means they need to perform and document procedures that are likely to provide information about the client’s integrity. Josh is a little skeptical. “Do you mean that we should ask them if they are honest?” Sharon suggests it is probably more useful to ask others, and the key people to ask are the existing auditors. Josh is still skeptical. “The existing auditors are Ellis & Associates. Are they going to help us take one of their clients from them?” Sharon says the client must give permission fi rst, and, if that is given, the existing auditor will usually state whether or not there were any issues that the new auditor should be aware of before accepting the work. This type of communica- tion is covered by AS 2610 (AU-C 210 for private company clients)
and is part of professional ethics. Sharon also gives Josh the task of researching Cloud 9’s press coverage, with special focus on any- thing that may indicate poor management integrity.
Sharon emphasizes they must perform and document proce- dures to determine whether W&S Partners is competent to per- form the engagement and has the capabilities, time, and resources to do so. For example, they must make sure they have audit team members who understand the clothing and footwear business. They also must have enough staff to complete the audit on time.
In addition, Sharon and Josh must perform and document procedures to show that W&S Partners can comply with all parts of the code of professional conduct, not just those that focus on independence threats and safeguards. Finally, they can draft the engagement letter to cover the contractual relationship between W&S Partners and Cloud 9.
Auditing and Assurance Standards
PCAOB AS 1015 Due Professional Care in the Performance of Work
AS 1101 Audit Risk
AS 1301 Communications with Audit Committees
AS 2101 Audit Planning
AS 2105 Consideration of Materiality in Planning and Performing an Audit
AS 2110 Identifying and Assessing Risk of Material Misstatement
AS 2301 The Auditor’s Responses to the Risks of Material Misstatement
AS 2401 Consideration of Fraud in a Financial Statement Audit
AS 2610 Initial Audits—Communication Between Predecessor and Successor Auditors
AUDITING STANDARDS BOARD AU-C 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards
AU-C 210 Terms of Engagement
AU-C 240 Consideration of Fraud in a Financial Statement Audit
AU-C 300 Planning an Audit
AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
AU-C 320 Materiality in Planning and Performing an Audit
AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained
QC10 A Firm’s System of Quality Control
Learning Objectives
LO 1 Evaluate client acceptance and continuance decisions.
LO 2 Identify the diff erent phases of an audit.
LO 3 Explain and apply the concept of materiality.
LO 4 Explain professional skepticism and apply the audit risk model.
LO 5 Explain how auditors determine their audit strategy and how audit strategy aff ects audit decisions.
LO 6 Analyze fraud risk and explain the fraud risk assessment process.
c03RiskAssessmentPartI.indd Page 3-2 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-2 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Client Acceptance and Continuance Decisions 3-3
Chapter Preview: Audit Process in Focus This chapter marks the beginning of our overview of how an audit is conducted. First, we consider the factors that impact an auditor’s client acceptance/continuation decision. The fi rst step for any audit is the decision to accept a company as a new audit client or to continue as the auditor of an existing client.
Risk assessment is an important topic that we will cover in this and the next chapter. In this chapter we begin with a discussion of the diff erent phases (or stages) of the audit: (1) the risk assessment phase, (2) the risk response phase (where the detailed work is conducted), and (3) the reporting phase (where the audit opinion is formed). In the risk assessment phase, auditors adopt a broad view of the client as a whole and the industry in which it operates. In this context, auditors obtain a more detailed understanding of the client in the early stages of each audit; that knowledge drives the audit planning decisions about the nature, extent, and timing of audit evidence to collect. Auditors cannot economically audit everything; therefore, the concepts of materiality, professional skepticism, and audit risk guide auditors in deciding which areas of the fi nancial statements are most important to examine. Ultimately, auditors will develop a detailed audit strategy for the execution of the audit.
This chapter will conclude with a discussion of the assessment of fraud risk, which is part of the risk assessment phase of the audit. The remainder of the risk assessment procedures will be covered in Chapter 4.
LEARNING OBJECTIVE 1 Evaluate client acceptance and continuance decisions.
The fi rst stage of any audit is the client acceptance or continuance decision. While the deci- sion to take on a new client is more detailed than the decision to continue with an existing client, they have much in common. QC 10, A Firm’s System of Quality Control, provides guid- ance on the procedures used when making the client acceptance or continuance decision. Illustration 3.1 summarizes factors that infl uence client acceptance and retention decisions and these factors are discussed below.
Client Acceptance and Continuance Decisions
ILLUSTRATION 3.1 Factors that infl uence client acceptance and retention
Positive Factors Influencing Client Acceptance and Retention Decisions
Factors that Influence Client Acceptance and Retention
Negative Factors Influencing Client Acceptance and Retention Decisions
Management shows integrity in business and accounting decisions.
Management places a premium on representational faithfulness of accounting information.
Integrity of management Concerns exist about the integrity of management in business and accounting decisions.
Management is preoccupied with meeting specific accounting numbers.
The firm has expertise to perform services requested by the client or has access to specialists that can meet client needs.
Competence issues The firm does not have expertise needed to provide the full scope of services requested by the client, or does not have aff iliation with specialists to meet client needs.
No independence problems exist, or independence problems can be resolved prior to client acceptance.
Independence issues Independence and conflict of interest issues exist that cannot be resolved prior to client acceptance.
(continued)
c03RiskAssessmentPartI.indd Page 3-3 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-3 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-4 CHAPTER 3 Risk Assessment Part I
You may be wondering why the decision to take on a new client or continue with an exist- ing client is such a big deal. More clients mean more revenue for the CPA accounting fi rm, so why not accept all client engagement opportunities? The answer is because being associated with a “bad client” can damage the fi rm’s reputation, which causes the public to lose trust in the fi rm. A good example of this situation is the accounting fi rm Arthur Andersen LLP (“Andersen”), formerly one of the largest fi rms in the world. In the 1990s and early 2000s, several of Andersen’s clients were investigated by the Securities and Exchange Commission (SEC) for accounting fraud, the most well-known being Enron and WorldCom. Andersen was convicted of a felony (obstruction of justice) in the Enron case, but that was reversed by the Supreme Court in 2005.1 With the felony conviction overturned, Andersen could resume operations and audit public company clients. That has not happened. Why? The damage to the Andersen name and reputation was so severe that companies do not want to be associated with the Andersen name.
One of the key factors that infl uences the client acceptance decision is the assessment of the integrity of the client’s management. When assessing management integrity, the auditor will consider the following factors:
• the reputation of the client, its management, directors, and key stakeholders • client’s reasons for switching audit fi rms, if the company was previously audited • management’s attitude to risk exposure • management’s attitude to the implementation and maintenance of adequate internal
controls • the appropriateness of management’s interpretation of accounting rules • management’s willingness to allow the auditors full access to client personnel, records,
and information required to form their opinion
How do auditors gather information on these factors? Information is gathered primarily through communication with individuals internal and external to the prospective client. Some of the key communications are as follows:
• communication with the previous auditor, if the company was previously audited AU-C 210 Terms of Engagement and AS 2610 Initial Audits—Communications Between Predecessor and Successor Auditors require that the auditor obtain permission from the prospective client before communicating with the predecessor, or previous, auditor. If that permission is not granted, the auditor should consider the implications of that re- fusal when deciding whether to accept the engagement (AU-C 210.11). Illustration 3.2 lists the types of inquiries the auditor should make of the predecessor auditor.
• communication with client personnel • communication with third parties such as client bankers and lawyers
There are minimal regulatory reporting requirements.
The client is financially stable and profitable, with no significant concerns about debt covenants.
No scope limitations exist.
The entity has a strong accounting system with good internal controls.
Special circumstance and unusual risks
There are significant regulatory reporting requirements with close monitoring by regulators.
The client is experiencing profitability issues, weak cash flows, and is close to violation of debt covenants.
The client voices significant concerns about the scope of audit work.
The entity has a weak accounting system with few internal controls.
ILLUSTRATION 3.1 (continued)
Positive Factors Influencing Client Acceptance and Retention Decisions
Factors that Influence Client Acceptance and Retention
Negative Factors Influencing Client Acceptance and Retention Decisions
1Arthur Andersen LLP vs. United States (04-368) 544 U.S. 696 (2005).
c03RiskAssessmentPartI.indd Page 3-4 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-4 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Client Acceptance and Continuance Decisions 3-5
• communication with the client’s industry peers • review of newspaper and magazine articles about the client, or articles in industry trade
journals
Before accepting a new client, consideration must be given to any threats to compli- ance with the fundamental principles of professional ethics, such as integrity, objectivity, independence, professional competence, and due care, as discussed in Chapter 2. Threats to the fundamental principles of professional ethics will occur if the prospective client is dishonest, involved in illegal activities, or aggressive in its interpretations of accounting rules. An accounting fi rm should not accept a new client if the fi rm is concerned about any of these issues. Potential threats to compliance with the fundamental principles of pro- fessional ethics for existing clients should be considered regularly as part of continuation decisions.
To ensure professional competence and due care, a fi rm must be certain it has the staff available for the time required to complete the audit. The fi rm must ensure its audit staff has the knowledge and competence required to conduct the audit. The fi rm must have access to independent specialists, if required. The use of specialists will be discussed in Chapter 5.
To ensure that it is independent of prospective and continuing clients, the accounting fi rm must review the threats to independence, described in Chapter 2, and make certain that safeguards are put in place to limit or remove those threats. If an independence threat appears insurmountable, a fi rm should decline an off er to be the auditor of a prospective client or resign from the audit of an existing client. An example of such a threat is fee dependence, where the fees from a client would form a signifi cant proportion of the fi rm’s total fees. This can occur if a prospective client is much larger than a fi rm’s current clients or if an existing client has grown signifi cantly.
The fi rm should also consider any special circumstances or unusual risks that could be unique to a prospective or continuing client. For example, is the client fi nancially stable, or is it experiencing profi tability issues? Another issue is the regulatory environment for the client. Auditors should be aware of any issues being raised by regulators or whether the client may be close to violating regulatory requirements. These and other special circumstances should be carefully considered by the fi rm.
Inquiries of the predecessor auditor may be oral or written and should include:
1. Information that might bear on the integrity of management.
2. Disagreements with management about accounting policies, auditing procedures, or other significant matters.
3. Communications to those charged with governance regarding fraud and noncompliance with laws or regulations by the entity.
4. Communications to management and those charged with governance regarding significant deficiencies and material weaknesses in internal control.
5. The predecessor auditor’s understanding about the reasons for the change of auditors.
Source: AU-C 210 Terms of Engagement, paragraph A31; AS 2610 Initial Audits—Communications Between Predecessor and Successor Auditors, paragraph 9
ILLUSTRATION 3.2 Communication with the predecessor auditor
Audit Reasoning Example Acceptance of New Client
A software company is looking for a new auditor. The company has grown through an acquisition and needs an auditor that can handle its needs. The company has paid attention to good internal controls, and the new auditor sees no independence issues. Discussions with the predecessor auditor, the audit committee, and management indicate a good tone at the top and provide a consistent story about the company and its reasons for changing auditors. The new fi rm, with national and international offi ces and many clients in the software industry, sees this as a client with good potential for the fi rm.
c03RiskAssessmentPartI.indd Page 3-5 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-5 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-6 CHAPTER 3 Risk Assessment Part I
The fi nal stage in the client acceptance or continuance decision process involves the preparation of an engagement letter. AU-C 210 Terms of Engagement and AS 1301 Commu- nications with Audit Committees provide guidance on the preparation of engagement letters. An engagement letter is prepared by an auditor and acknowledged by a client before the audit begins. It is a form of contract between an auditor and the client. It is not necessary to send a new engagement letter each year for a continuing client unless the terms of the engagement change. If no revisions are necessary, the auditor should remind client management of the terms of the engagement. The reminder can be in writing or orally, and the auditor should document the reminder was made.
The purpose of an engagement letter is to set out the terms of the audit engagement to avoid any misunderstandings between the auditor and the client. The engagement letter in- cludes an explanation of the scope of the audit, the timing of the completion of various aspects of the audit, an overview of the client’s responsibility for the preparation of the fi nancial state- ments, the requirement that the auditor have access to all information required to perform the audit, and independence considerations and fees. An example of an engagement letter for a private company client is provided in the appendix to AU-C 210 and is reproduced in Illustra- tion 3.3. (Appendix C of AS 1301 details matters that should be included in the engagement letter for a public company client.)
engagement letter sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client
Audit Reasoning Example Refusal of New Client
A fi rm has been asked to submit a bid on a new engagement. An individual with experience in the investment industry is starting a new hedge-fund company. The company is looking for an auditor so that audited fi nancial statements can be provided to potential investors. While the fi rm has 15 offi ces in the United States, the fi rm has very limited experience auditing investment com- panies or hedge funds. A background check on the CEO indicates he had allegations of improper business dealings and possible fraud with a company he ran fi ve years before. The fi rm chooses not to bid on the audit because of concerns about possible management integrity issues, as well as concerns about its own expertise.
To the appropriate representative of those charged with governance of ABC Company:
[The objective and scope of the audit]
You have requested that we audit the financial statements of ABC Company, which comprise the balance sheet as of December 31, 20XX, and the related statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements. We are pleased to confirm our acceptance and our understanding of this audit engagement by means of this letter. Our audit will be conducted with the objective of our expressing an opinion on the financial statements.
[The responsibilities of the auditor]
We will conduct our audit in accordance with auditing standards generally accepted in the United States of America (GAAS). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.
Because of the inherent limitations of an audit, together with the inherent limitations of internal control, an unavoidable risk that some material misstatements may not be detected exists, even though the audit is properly planned and performed in accordance with GAAS.
ILLUSTRATION 3.3 Example of an audit engagement letter for a private company client
c03RiskAssessmentPartI.indd Page 3-6 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-6 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Client Acceptance and Continuance Decisions 3-7
In making our risk assessments, we consider internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the eff ectiveness of the entity’s internal control. However, we will communicate to you in writing concerning any significant deficiencies or material weaknesses in internal control relevant to the audit of the financial statements that we have identified during the audit.
[The responsibilities of management and identification of the applicable financial reporting framework]
Our audit will be conducted on the basis that [management and, when appropriate, those charged with governance] acknowledge and understand that they have responsibility
a. for the preparation and fair presentation of the financial statements in accordance with accounting principles generally accepted in the United States of America;
b. for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and
c. to provide us with
i. access to all information of which [management] is aware that is relevant to the preparation and fair presentation of the financial statements such as records, documentation, and other matters;
ii. additional information that we may request from [management] for the purpose of the audit; and
iii. unrestricted access to persons within the entity from whom we determine it necessary to obtain audit evidence.
As part of our audit process, we will request from [management and, when appropriate, those charged with governance], written confirmation concerning representations made to us in connection with the audit.
[Other relevant information]
[Insert other information, such as fee arrangements, billings, and other specific terms, as appropriate.]
[Reporting]
[Insert appropriate reference to the expected form and content of the auditor’s report. Example follows:]
We will issue a written report upon completion of our audit of ABC Company’s financial statements. Our report will be addressed to the board of directors of ABC Company. We cannot provide assurance that an unmodified opinion will be expressed. Circumstances may arise in which it is necessary for us to modify our opinion, add an emphasis-of-matter or other-matter paragraph(s), or withdraw from the engagement.
We also will issue a written report on [Insert appropriate reference to other auditor’s reports expected to be issued.] upon completion of our audit.
Please sign and return the attached copy of this letter to indicate your acknowledgment of, and agreement with, the arrangements for our audit of the financial statements including our respective responsibilities.
XYZ Partners
Acknowledged and agreed on behalf of ABC Company by
___________________________
[Signed]
[Name and Title]
[Date]
Source: AU-C 210 Terms of Engagement, Appendix
ILLUSTRATION 3.3 (continued)
c03RiskAssessmentPartI.indd Page 3-7 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-7 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-8 CHAPTER 3 Risk Assessment Part I
Before You Go On 1.1 What will an auditor consider in assessing the integrity of a client’s management, board, and
other personnel? 1.2 What are the key components of an engagement letter? 1.3 Why must an auditor seek a client’s permission before communicating with its prior auditor
or any other relevant third party?
Cloud 9 - Continuing Case “Great news!” announces Sharon Gallagher at the weekly team meeting. “We just received word that the audit engagement letter for Cloud 9 has been signed. We are now offi cially the auditors and the risk assessment phase starts now!”
Later, at the fi rst planning meeting, Sharon and Josh Thomas focus on assigning the tasks for gaining an understanding of Cloud 9. Ian Harper, a fi rst-year staff , is not happy. He grumbles to another member of the team, Suzie Pickering, as he leaves the room. “This is such a waste of time. Why did we sign an engage- ment letter if we don’t understand the client? Why don’t we just get on with the audit? What else is there to know?”
“Oh boy, are you missing the point!” Suzie says. “If you don’t understand where the risks are greatest, where are you going to start ‘getting on with it’?”
“The same place you always start,” replies Ian. Ian thinks that all audits are pretty much the same and that
W&S Partners must have an audit plan they can use for the Cloud 9 audit. Suzie explains that if they tailor the plan to the client, the audit is far more likely to be effi cient and eff ective. That is, they will get the job done without wasting time and ensure that quality evidence is gathered for the accounts that are most at risk of being misstated. If they can do this, W&S Partners will not only issue the right audit report, but they will make a profi t from the audit as well. In other words, if the plan is good, performing the audit properly will be easier.
Suzie realizes it will be a big job explaining this to Ian and invites him for a coff ee in the staff room so that they can talk. Suzie is an experienced staff and has worked with other clothing and footwear clients.
LEARNING OBJECTIVE 2 Identify the diff erent phases of an audit.
Before we begin the discussion of the diff erent phases of an audit, it is important to emphasize that each audit is unique. For example, risks associated with the audit of a grocery store will not be the same as the risks associated with an audit of a jewelry store, even though both are retailers. Risks associated with the oil and gas industry will be diff erent from risks associated with the computer technology industry because of factors like diff erent laws and regulations that apply to each industry. Auditors must tailor their audit to be specifi c to each client, but broadly speaking, there are three general phases of every audit. An overview of these phases is represented in Illustration 3.4. The main phases of an audit are risk assessment, risk re- sponse, and reporting. Once the client acceptance or continuation decision has been made, the fi rst phase is risk assessment and planning the audit. The risk assessment phase in- volves gaining an understanding of the client, identifying factors that may impact the risk of a material misstatement occurring in the fi nancial statements, performing a risk and materi- ality assessment, and developing an audit strategy. The risk response phase of the audit involves the performance of detailed tests of controls and substantive, or detailed, testing of transactions and accounts. The reporting phase involves an evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s fi nancial statements. An overview of each phase of the audit follows.
risk assessment phase gaining an understanding of the client, identifying risk factors, develop- ing an audit strategy, and setting planning materiality audit strategy the determi- nation of the amount of time spent testing the client’s internal controls and conducting detailed testing of transactions and account balances risk response phase perform- ing tests of controls and detailed substantive testing of transactions and accounts, concentrating eff ort where the risk of material misstatement is greatest reporting phase evaluation of the results of the detailed testing in light of the auditor’s under- standing of the client and forming an opinion on the fair presen- tation of the client’s fi nancial statements
Phases of an Audit
c03RiskAssessmentPartI.indd Page 3-8 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-8 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Phases of an Audit 3-9
Risk Assessment Phase AU-C 300 Planning an Audit and AS 2101 Audit Planning require auditors to plan the au- dit by assessing risk to reduce audit risk to an acceptably low level. Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the fi nancial statements are materially misstated (AU-C 200.14). An auditor will perform various risk assessment pro- cedures to ensure that appropriate attention is paid to the accounts and transactions most at risk of being materially misstated. For example, the inventory account at The Boeing Company has a higher risk of material misstatement than the prepaid expenses account. Why is that? First, think about the diff erence in the dollar amount of the two accounts. In- ventory will most likely be the largest current asset and prepaid expenses will be one of the smallest. Also, the number and complexity of transactions in the inventory account will be much higher than the number of transactions in the prepaid expenses account. Therefore, auditors should plan to devote more audit time to the inventory account than to the prepaid expenses account. This Boeing example illustrates that the risk assessment phase of the audit provides the opportunity to optimize effi ciency and eff ectiveness when conducting an audit. Effi ciency refers to the amount of time spent gathering audit evidence. Eff ectiveness refers to minimizing audit risk.
You should also understand that the risk assessment process is an iterative process. Auditors make preliminary risk assessments while planning the audit. Those risk assessments are later confi rmed, or refuted, when auditors perform tests of the system of internal control, or tests of account balances, transactions, or disclosures. On occasion, auditors might obtain informa- tion in the risk response phase that causes them to revise their preliminary conclusions drawn during the risk assessment phase. Auditors must be open to evaluating evidence obtained at any phase of the audit and to considering its implications for risk assessments made earlier in the audit.
Illustration 3.5 provides a graphical depiction of the risk assessment phase of the audit and some key concepts that are applied during risk assessment and the other phases of the audit. The key concepts of materiality, professional skepticism, and audit risk are discussed in the sections Materiality, and Professional Skepticism and Audit Risk. The section Audit Strategy in this chapter discusses how, once the elements of risk assessment have been con- sidered, auditors can develop their audit strategy. The section Fraud Risk closes this chapter. The remaining elements of risk assessment will be discussed in Chapter 4.
Risk Response Phase The risk response phase of the audit involves detailed testing of internal controls, transac- tions, account balances, and disclosures the auditors have determined to be at high risk of material misstatement. Auditors determine whether they plan to rely on the client’s system of internal controls. If so, they will test the effectiveness of internal controls, which is discussed in the section Audit Strategy and further in Chapter 8. Auditors will also make decisions about the extent and timing of detailed testing of account balances and trans- actions, which is discussed in Audit Strategy and further in Chapters 9 through 13. This detailed testing provides the evidence needed by auditors to determine if the financial statements are fairly presented.
audit risk the risk that an auditor expresses an inappropriate audit opinion when the fi nancial statements are materially misstated
Understanding
the Client
Risk
Identification
and Strategy
Risk and
Materiality
Assessment
Tests of
Control
Substantive
Testing
Conclusion
and Forming
an Opinion
Risk Assessment Phase
Risk Response Phase
Reporting Phase
ILLUSTRATION 3.4 Overview of the audit
c03RiskAssessmentPartI.indd Page 3-9 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-9 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-10 CHAPTER 3 Risk Assessment Part I
Concluding and Reporting on an Audit The fi nal phase of the audit involves drawing conclusions based upon the evidence gathered and arriving at an opinion regarding the fair presentation of the fi nancial statements. The auditor’s opinion is expressed in the audit report (see Chapter 15). At this stage of the audit, auditors draw on their understanding of the client, their detailed knowledge of the risks faced by the client, and the conclusions drawn when testing the client’s controls, transactions, and account balances.
ILLUSTRATION 3.5 Risk assessment
Closing procedures Risk Assessment Client performance
measurement
Corporate governance Related parties
Understand the entity
and the industry
Audit Strategy
Professional SkepticismMateriality Audit Risk
Analytical proceduresUnderstand internal
controls and IT
Fraud risk Compliance with
laws and regulations
Before You Go On 2.1 What are the three main phases of the audit? 2.2 Briefl y discuss why auditors must treat every audit as unique. 2.3 Explain how the risk assessment phase helps to improve the effi ciency and eff ectiveness of
the audit.
LEARNING OBJECTIVE 3 Explain and apply the concept of materiality.
The concept of materiality is used to guide audit testing and assess the validity of informa- tion contained in the fi nancial statements and the notes. Information is considered material if it impacts the decision-making process of users of the fi nancial statements. PCAOB AS 2105 includes the defi nition stated by the U.S. Supreme Court that “information is material if there
materiality the ability of infor- mation to infl uence decisions that users make on the basis of the fi nancial information of a specifi c reporting entity
Materiality
c03RiskAssessmentPartI.indd Page 3-10 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-10 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Materiality 3-11
is a substantial likelihood that the . . . fact would have been viewed by a reasonable investor as having signifi cantly altered the total mix of information made available (para 2).” This in- cludes information that is misstated and information that is omitted but should be disclosed.
Materiality is a key auditing concept that is fi rst assessed during the risk assessment phase of every audit. This overall or planning materiality guides audit planning and testing for the fi nancial statements as a whole. Before explaining how auditors arrive at their planning ma- teriality assessment, it is important to diff erentiate between the qualitative and quantitative considerations of materiality.
Qualitative and Quantitative Materiality Information can be considered material because of its nature and/or its magnitude. An item that is considered material due to its nature is referred to as being qualitatively material. An item that is considered material due to its magnitude is referred to as being quantitatively ma- terial. While these concepts are not mutually exclusive as it is possible for information to be both qualitatively and quantitatively material, they are now explained separately to help you diff erentiate between the two concepts.
Qualitative Materiality Factors Information is considered qualitatively material if it aff ects a user’s decision-making pro- cess for a reason other than its magnitude. For example, a fraud, by its nature, is considered signifi cant no matter how small the fraud may be. Fraud that is small today could grow to a massive fraud in the future. Throughout the audit, auditors use their understanding of the client to be alert to qualitative factors that refl ect on the client’s fi nancial position, results of operations, and/or cash fl ows.
When reading the notes to the fi nancial statements, an auditor will assess accounting disclosure accuracy and compliance with any regulations and legislation and ensure any legal matters that should be disclosed are disclosed correctly. If any of these disclosures are inaccu- rate or omitted in error, the auditor will consider the potential impact on users. If the auditor believes an inaccurate disclosure or omission will aff ect a user’s decision-making process, it is considered qualitatively material, and the auditor will request that the client correct the disclosure or include any omitted information. Examples include a change in an accounting method, a change in operations that aff ects the level of risk faced by the client, or the client being in danger of breaching a debt covenant. AU-C 320 and AS 2105 refer to other items that may be considered material due to their nature rather than their size.
Quantitative Materiality Factors Information is considered quantitatively material if it exceeds the magnitude of an audi- tor’s planning materiality assessment. Auditors use their professional judgment to arrive at an appropriate planning materiality amount for each client. Planning materiality is typically a percentage of an appropriate benchmark from the fi nancial statements. AU-C 320 provides guidance for determining an appropriate benchmark. An auditor will select a benchmark, as discussed in the section Setting Materiality, and then decide on the percentage to use, depend- ing upon the client’s circumstances.
Setting Materiality When determining planning materiality, auditors will use professional judgment and are mindful of the primary users of the fi nancial statements. For publicly traded companies, the primary users are the stockholders. For private companies, the primary users are generally the owners and/or major lenders. Accounting fi rms may vary in the method they use to set planning materiality in the risk assessment phase, but common practice is to calculate a per- centage of an appropriate benchmark. In selecting an appropriate benchmark, auditors can choose an item from the balance sheet or the income statement. Balance-sheet benchmarks
qualitative materiality information or misstatements that impact a user’s decision-making process for a reason other than its magnitude
quantitative materiality information or misstatements that exceed the magnitude of an auditor’s preliminary materiality assessment, which is a percentage of an appropriate benchmark
c03RiskAssessmentPartI.indd Page 3-11 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-11 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-12 CHAPTER 3 Risk Assessment Part I
are generally total assets or equity. Income-statement benchmarks are typically profi t before tax or total revenue. Auditors select an appropriate benchmark using their professional judg- ment based on their knowledge of the client, the client’s industry, and the needs of fi nancial statement users for their decision making. For example, if a client is listed on the securities exchange, profi t before tax is an appropriate benchmark because it drives dividends and re- turn-on-investment decisions. However, if a client is a not-for-profi t organization, either total assets or total revenue are more generally used as a benchmark.
Auditing standards mention benchmarks the auditor can use, but the standards do not recommend any specifi c percentages that should be applied to these benchmarks. Therefore, auditors rely heavily on their professional judgment to determine an appropriate percentage of the selected benchmark. The discussion in the Professional Environment box provides more detail of percentages that fi rms use when determining planning materiality. The audit- ing standards do require auditors to reevaluate their overall level of materiality throughout the audit. If new information comes to light that would cause the auditors to establish a diff erent level of planning materiality, then they should examine the information and make adjustments to materiality as needed.
Professional Environment Materiality Practices of the Major Public Accounting Firms
Since auditing standards provide no guidance to auditors about what percentage to apply to benchmarks for determining planning materiality, what are public accounting fi rms doing? And more im- portantly, is there consistency among the major public accounting fi rms regarding the determination of planning materiality? These are important research questions that were studied by Eilifsen and Messier (2015) in their article titled “Materiality Guidance of the Major Public Accounting Firms.”2
For their study, Eilifsen and Messier asked the eight largest U.S. public accounting fi rms to provide them with a copy of the fi rm’s materiality guidance. The eight fi rms, in alphabetical order, were BDO USA, Crowe Horwath LLP, Deloitte & Touche LLP, EY, Grant Thornton LLP, KPMG LLP, McGladrey LLP (now RSM), and PricewaterhouseCoopers LLP. An analysis of the eight fi rms’ materiality guidance revealed that for public company audits, seven of the eight fi rms use “income before income taxes” as the primary benchmark for determining planning materiality. One of the fi rms uses “income after income taxes” as the primary benchmark. For private company audits, in addition to income before income tax- es, other acceptable benchmarks are total assets and total revenues. Firms will use other benchmarks if appropriate for unusual circum- stances. For example, if the company is experiencing a loss or very poor operating results, another measure such as total equity may be a more reliable benchmark for determining planning materiality.
Once a benchmark has been selected, what percentage should be used for determining planning materiality? Six of the eight fi rms “expect, suggest, or require the use of 5% of income before taxes, while one fi rm allows 5–10%.”3 As an example, as- sume you are the auditor for The Boeing Company. At Decem- ber 31, 2017, Boeing had income (earnings) before income tax of $10.047 billion. To determine planning materiality, you would multiply 5% by $10.047 billion, which results in planning mate- riality of $502,350,000. In addition, you would also consider any qualitative factors in making your fi nal assessment of planning materiality.
For the benchmarks of total assets and total revenues, seven of the eight fi rms used ranges of 0.25% to 2%. Using The Boeing Company example, at December 31, 2017, Boeing had total reve- nues of $93.392 billion. If you use 1% of total revenues, then plan- ning materiality would be $933,920,000. This results in a higher planning materiality than using 5% of income before income tax. Ultimately, the auditors must use their professional judgment to decide on the planning materiality amount.
Overall, the research by Eilifsen and Messier indicate there is signifi cant agreement among the large fi rms regarding both the benchmarks used and the percentages applied to the benchmarks for determining planning materiality.
Using the Boeing example from the Professional Environment discussion above, assume that planning materiality is $502 million. Does this mean auditors will only look for errors or misstatements that are $502 million or larger? If an account balance is less than $502 million, will auditors not perform any audit procedures on that account? The answer to both of these questions is no. Auditors plan the audit to detect material misstatements, but they must also consider the eff ects of smaller misstatements that may be immaterial on their own but, when added with other immaterial misstatements, in total may be material to the fi nancial state- ments as a whole. In addition, what about misstatements that may not be detected during the audit? Auditors need to consider some margin of error for misstatements that may not be
2A. Eilifsen and W. F. Messier, Jr. “Materiality Guidance of the Major Public Accounting Firms,”Auditing: A Journal of Practice & Theory 34, no. 2 (2015): 3–26. 3Ibid.
c03RiskAssessmentPartI.indd Page 3-12 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-12 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Materiality 3-13
detected due to the sampling procedures used in an audit. Therefore, after determining plan- ning materiality, auditors must determine performance materiality at the account or disclo- sure level. Performance materiality is an amount set by the auditor that is less than plan- ning materiality and is used to make decisions about the extent of audit procedures for a particular class of transaction, account balance, or disclosure.
Performance materiality at the individual account level should be less than the planning materiality. For example, if the planning materiality for Boeing is $502 million, auditors may decide that half that amount, $251 million, is an appropriate performance materiality at the account level. Auditors would then plan and perform their audit procedures using the perfor- mance materiality amount of $251 million to determine if individual accounts or transactions were materially misstated. If any account balances are less than the performance materiality amount, auditors may decide not to perform detailed audit procedures on the account because the entire account balance is considered immaterial. For example, in Note 9 of the 12/31/17 Boeing fi nancial statements, the “other investments” account has a balance of $30 million. Since $30 million is well below the performance materiality of $251 million, auditors would not spend time performing detailed audit testing on that account. As we have discussed, au- ditors also consider qualitative factors when deciding if an account is material. For example, in Note 5 of the 12/31/17 Boeing fi nancial statements, the “valuation allowance” account for accounts receivable has a balance of $62 million. At fi rst glance this account balance may seem immaterial. However, the related account, accounts receivable, is a material amount ($10.516 billion) so the valuation allowance will be audited in conjunction with accounts re- ceivable. In addition, since the valuation allowance is an estimate, there is risk that manage- ment may be biased when determining the amount of the allowance. Management might be overly optimistic about collection of receivables and underestimate the allowance, which would lead to overstated net accounts receivable. Therefore, because of these qualitative fac- tors, auditors will perform detailed audit testing on the valuation allowance even though the balance is less than performance materiality.
The use of performance materiality should reduce the probability that the sum of imma- terial and/or undetected misstatements in the fi nancial statements is greater than materiality for the fi nancial statements as a whole. The auditing standards do not provide any guidelines for the determination of performance materiality. As stated in AU-C 320 Materiality in Plan- ning and Performing an Audit:
The determination of performance materiality is not a simple mechanical calcula- tion and involves the exercise of professional judgment. It is aff ected by the auditor’s understanding of the entity, updated during the performance of the risk assessment procedures, and the nature and extent of misstatements identifi ed in previous audits and, thereby, the auditor’s expectations regarding misstatements in the current period. (para. A14)
Overall, the determination of both planning and performance materiality is a subjective process that will vary across fi rms and across clients, and it may change during the perfor- mance of an audit. The materiality level is a starting point for auditors to do the following:
1. Determine the type and extent of risk assessment procedures to be performed. 2. Identify and assess the risk of material misstatements occurring at the fi nancial state-
ment level and the account balance level. 3. Begin development of an audit strategy.
This discussion of materiality can be concluded with an example of how the concept of materiality impacts the planning of the audit. If auditors determine a higher planning ma- teriality level (higher dollar amount) is appropriate, then they will plan to gather less exten- sive audit evidence. A lower materiality level (lower dollar amount) will translate to auditors performing more extensive audit procedures to ensure that material misstatements will be detected. In other words, holding everything else constant, as the auditor’s evaluation of ma- teriality decreases, the auditor is looking to obtain a more precise conclusion about the fi nan- cial statements. The increased precision of the audit will cause the auditor to perform more extensive audit procedures.
performance materiality amount or amounts set by the auditors at less than the materi- ality level for particular classes of transactions, account balances, or disclosures
c03RiskAssessmentPartI.indd Page 3-13 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-13 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-14 CHAPTER 3 Risk Assessment Part I
Audit Reasoning Example Materiality
Consider the following information:
2022 2021 2020
Revenues $1,810M $1,941M $1,916M
Total Assets $1,600M $1,721M $1,774M
Pretax Income $1.5 M $45.2 M $31.9 M
In 2020 and 2021, the auditor used 5% of pretax income as a base for planning materiality. However, in 2022 pretax income was abnormally low while revenues and total assets had not shown the same level of change. Because pretax income was less than eight-tenths of 1% of revenue (the company basically broke even for the year), the auditor decided to use ½ of 1% of the lesser of total revenues or total assets as the base for determining planning materiality. Both revenues and assets showed more stability than pretax income in 2022.
Before You Go On 3.1 What is qualitative materiality? 3.2 What is quantitative materiality? 3.3 What are considered appropriate benchmarks when setting planning materiality? 3.4 What is performance materiality?
Cloud 9 - Continuing Case Throughout their conversation, Suzie and Ian have been discuss- ing “material” misstatements in fi nancial statements. What is ma- terial for Cloud 9? Suzie explains that if they set materiality at a low level (low dollar amount) in the risk assessment phase, they will have to plan to gather more and better quality evidence to be sure that a mistake of this low magnitude has not occurred. This will give the auditor confi dence that the opinion is the appropriate
one. If their risk assessment for Cloud 9 indicates there is low risk at the account level, then they can set materiality levels relatively high (high dollar amount).
Ian is worried about getting the materiality level right. “What if we set it too low or too high?” Suzie explains that all parts of the audit plan, including the materiality decision, will be reviewed throughout the audit and changed if necessary.
LEARNING OBJECTIVE 4 Explain professional skepticism and apply the audit risk model.
As depicted in Illustration 3.5, two more key concepts that apply to all phases of the audit are professional skepticism and audit risk. These concepts were fi rst introduced in Chapter 1 and will be explained in more detail next.
Professional Skepticism and Audit Risk
c03RiskAssessmentPartI.indd Page 3-14 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-14 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Professional Skepticism and Audit Risk 3-15
Professional Skepticism Auditors have a responsibility to plan and perform an audit with professional skepticism. Professional skepticism is an attitude adopted by auditors when conducting all phases of the audit. It means that auditors remain independent of the entity, its management, and its staff when completing the audit work. In a practical sense, professional skepticism means au- ditors maintain a questioning mind and thoroughly investigate all evidence presented by the client (AS1015.07). For example, AU-C 200.A22 states auditors should be skeptical if any of the following arise during the audit:
• audit evidence recently gathered that is contradictory to other evidence previously gathered • new information that brings into question the reliability of client documents or responses
to auditor inquiries • conditions that may provide evidence of possible fraud • situations that indicate the need for additional audit procedures beyond what is required
by generally accepted auditing standards
Does maintaining professional skepticism mean auditors should assume client manage- ment is being dishonest? The answer is no. Auditors should not assume management is dis- honest, but at the same time, auditors should not assume management is always honest or correct. Using professional skepticism means that even if auditors believe management and those charged with governance are being honest, they should gather reliable evidence to sup- port management’s responses to auditor inquiries and to support amounts and disclosures in the fi nancial statements. Throughout all phases of the audit, auditors should keep these questions in mind when gathering audit evidence: Is this information reliable? Do we need to perform more audit procedures? When auditors exercise professional skepticism during the risk assessment phase, it helps to ensure they are using appropriate assumptions when devel- oping their audit strategy that will be used in the risk response phase. In the reporting phase, auditors use professional skepticism when evaluating the evidence gathered and forming an opinion that the fi nancial statements are presented fairly.
professional skepticism an attitude that includes a question- ing mind, being alert to condi- tions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence
Audit Reasoning Example Professional Skepticism
An auditor was auditing a recreational vehicle (RV) dealership. The auditor had obtained some initial fi nancial information from the client showing unaudited results for the end of the third quarter. Sales were up and profi t margins were up, making it the best year so far for the client. Interim records showed that inventory was also up, and the client’s inventory records showed over 300 RVs on hand at the end of the third quarter. The audit senior went to talk to the audit man- ager about the good news and the client’s performance. The audit manager asked the senior a key question. “You did the inventory observation last year. How many RVs did the client have then?” “I think it was about 210,” the senior replied. Then the audit manager asked, “How full was the lot last year?” The senior replied that it was “almost overfl owing” the year before. The manager then said, “Let’s look at this more skeptically. I don’t think they have storage capacity for another 90 RVs even though sales are up. There could be an error in the inventory records. This information makes me believe that the existence of inventory is a very high inherent risk.”
Audit Risk Audit risk is the risk that an auditor expresses an inappropriate audit opinion when fi nancial statements are materially misstated (AU-C 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards and AS 1101 Audit Risk). This means the audit report states the fi nancial statements are presented fairly, in all material respects, when in actuality the fi nancial statements contain a material error or fraud. While it is impossible to eliminate audit risk, auditors aim to reduce it to an
c03RiskAssessmentPartI.indd Page 3-15 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-15 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-16 CHAPTER 3 Risk Assessment Part I
acceptably low level. During the risk assessment phase, auditors will perform audit proce- dures to identify transactions and accounts where the risk of material misstatement is highest.
The fi rst stage in audit risk assessment involves the identifi cation of accounts and related assertions most at risk of material misstatement, referred to as inherent risk. An asser- tion is a statement or representation, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the fi nancial statements and notes. Assertions help guide the procedures conducted by auditors and are discussed in more depth in Chapter 5. Inherent risk assessment is aff ected by factors both internal and external to the client. For example, if a client sells valuable goods (e.g., jewelry), there is a risk of overstatement of inventory as goods may be stolen but remain recorded in the client’s books. Therefore, there is a risk that management’s assertion, or claim, that recorded inventory exists is not valid. In this example, the auditor may spend more time testing the exis- tence assertion of recorded inventory than in the case of a client that sells lower-valued goods (e.g., offi ce supplies). Illustration 3.6 provides examples of traits that would indicate higher or lower inherent risk for accounts or assertions.
inherent risk the susceptibility of an assertion to a misstatement that could be material, either indi- vidually or when aggregated with other misstatements, before con- sideration of any related controls assertions statements or rep- resentations, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the fi nancial statements
Higher Inherent Risk Traits Lower Inherent Risk Traits
Transactions or account balances derived from signifi cant estimates
Transactions or account balances easily confi rmed with reliable sources
Technological developments in the client’s industry increase the risk of obsolescence of certain assets
Technological developments a minimal factor in the valuation of the client’s assets
Client location at risk of natural disasters such as hurricanes and fl ooding
Client location has minimal risk of being aff ected by a natural disaster
Client’s industry experiencing a period of decline Client’s industry is thriving
Client has insuffi cient working capital and is at risk of violating loan contracts
Client has suffi cient working capital and is not at risk of violating loan contracts
ILLUSTRATION 3.6 Examples of inherent risk traits for accounts or assertions
When identifying accounts and related assertions at risk of material misstatement, some risks are classifi ed as being more signifi cant than others. A signifi cant risk is an identifi ed and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration (AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement and AS 2110 Identifying and Assessing the Risks of Material Misstatement). When classifying risks as being signifi cant, consideration is given to whether the risk:
• involves fraud • is related to signifi cant economic or accounting developments • involves complex transactions • involves signifi cant related-party transactions (discussed further in Chapter 4) • involves signifi cant subjectivity in measurement of fi nancial information • involves signifi cant transactions outside the client’s normal course of business
The second stage in audit risk assessment involves gaining an understanding of the cli- ent’s system of internal controls. Auditors assess control risk, which is the risk that a client’s internal controls will not prevent or detect a material misstatement on a timely basis. Auditors are interested in whether the client has controls in place that are designed to minimize the risk of material misstatement for each account and related assertion identifi ed as being high risk by the auditors. In the above example, if a client sells jewelry, auditors will assess whether the client has controls in place, such as a security system, to reduce the risk that inventory may be stolen.
Finally, the assessed level of inherent and control risk for each assertion will guide audi- tors in developing their audit strategy to gather appropriate audit evidence. This fi nal assess- ment will depend upon the assessed risks of the account and related assertion and the deemed eff ectiveness of the client’s system of internal controls.
signifi cant risk an identifi ed and assessed risk of material mis- statement that, in the auditor’s judgment, requires special audit consideration
control risk the risk that a client’s system of internal controls will not prevent or detect a material misstatement on a timely basis
c03RiskAssessmentPartI.indd Page 3-16 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-16 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Professional Skepticism and Audit Risk 3-17
The Audit Risk Model and Its Components Inherent risk and control risk are the client’s risks and exist separately from the audit of the fi nancial statements. In other words, the auditors have no control over a client’s inherent and control risks. Inherent risk is driven by industry, economic, and client factors that are out of the control of the auditor. Control risk is impacted by the client’s design and implementation of internal controls, which are also out of the control of the auditor. When these two risks are combined, we refer to it as risk of material misstatement.
The risk of material misstatement (RMM) is the risk that the fi nancial statements are materially misstated prior to the audit (AU-C 200.14). Risk of material misstatement exists at the fi nancial statement level and at the assertion level. At the fi nancial statement level, the risk of material misstatement refers to risks that aff ect the fi nancials as a whole. For example, if a client purchases a new computer system and does not adequately train staff in its use, there is a risk of errors when recording transactions used to prepare the fi nancial statements. In this scenario, all accounts are at risk of material misstatement. At the assertion level, the risk of material misstatement refers to risks that aff ect classes of transactions, account balances, and disclosures. For example, if a client sells goods overseas, there is a risk that transactions may not be recorded correctly using appropriate exchange rates at the date of each transaction. In this scenario, revenue and accounts receivable are at risk of material misstatement.
RMM considers (1) the inherent risk that an assertion is misstated and (2) the eff ective- ness of the internal controls in preventing, or detecting and correcting, misstatements on a timely basis. Therefore, auditors must identify client characteristics that place its fi nancial statements at risk of material misstatement (inherent risk) and determine whether controls designed to limit such a risk exist and are eff ective (control risk). Once RMM has been as- sessed, auditors can plan the audit procedures to be performed in response to the assessed RMM. This leads us to the fi nal component of audit risk, which is detection risk. Detection risk is the risk that the auditor’s procedures will not be eff ective in detecting a material mis- statement should there be one. Detection risk is the only component of audit risk that can be controlled by the auditor, which we will discuss in more depth next. But note that it is
risk of material misstatement (RMM) the risk that the fi nan- cial statements are materially misstated prior to the audit; a combination of inherent risk and control risk
detection risk the risk that the auditor’s testing procedures will not be eff ective in detecting a material misstatement
Cloud 9 - Continuing Case Ian is still struggling with the idea of risk. He knows that audit risk is the risk that the auditor issues the wrong audit report, or gives an inappropriate audit opinion, and that audit risk is related to the client’s circumstances. But how does that actually work in practice? What does an auditor do diff erently for each audit?
“Let’s break this down,” Suzie advises. “Auditors face the risk of stating that in their opinion the fi nancial statements are not ma- terially misstated, when in fact they are. So, how does a material misstatement get into the published fi nancial statements?”
Ian works through the logic. “First, the error has to be cre- ated, either by accident or on purpose. Second, the client’s internal control system must fail to either prevent the error getting into the accounts or detect the error once it is in the system. And, fi nally, the auditor has to fail to fi nd the error during the audit.”
“Correct!” says Suzie. “Now, before we go on, I want to break down the idea of ‘fi nancial statements,’ too. The fi nancial state- ments are the balance sheet (statement of fi nancial position), in- come statement (statement of comprehensive income), cash fl ow statement (statement of cash fl ows), statement of changes in eq- uity, and all the notes. So when we talk of the risk of misstate- ments, we are referring to the risk of misstatement in every line item in each of these statements. If we focus on just one line in a balance sheet—say, accounts receivable—what are the possible misstatements that could occur?”
Ian tries to work through the logic again. “The amount could be either understated or overstated. I suppose there are lots of er- rors that could occur. Obviously, basic adding mistakes and other clerical errors could aff ect the total in either direction. In addition, accounts receivable would be understated if management omitted some customer receivables when they calculated the total. I think the deliberate ‘mistakes’ are more likely to overstate accounts re- ceivable because that makes the balance sheet look better, and probably means profi t is overstated, too. Accounts receivable would be overstated if some of the receivables management claimed in the total did not exist at year-end, or did not belong to Cloud 9, or were overvalued because bad debts were not written off , or sales from the next period were included in the earlier period.”
“Very good,” says Suzie. “It is the same for every line item. Every time management prepares a fi nancial statement, they assert that all these errors did not occur—that all the individual items in the fi nancial statements are not materially misstated. The auditor has to break down the fi nancial statement audit into accounts and assertions and consider the risk of misstatement for each assertion for each account or transaction class. The auditor deals with the risk of material misstatement of the entire set of fi nancial statements by gathering evidence at the assertion level for each account. Then, all the evidence is put together so the auditor can form an opinion on the overall fi nancial statements.”
c03RiskAssessmentPartI.indd Page 3-17 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-17 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-18 CHAPTER 3 Risk Assessment Part I
impossible to reduce any of these risks to zero. Risk will always exist in an audit, whether it is from economic or industry factors (inherent risk), a failure of an internal control (control risk), or a failure of an audit procedure (detection risk).
Audit risk can be presented in a model that indicates the relationship between its com- ponents (AU-C 200.A36). The model states that audit risk is a function ( f ) of risk of material misstatement (which consists of inherent risk and control risk) and detection risk, as illus- trated below.
Auditors plan and perform their audit to keep audit risk at an acceptably low level (AU-C 200). If inherent and control risks are high for an assertion, the auditor will set detection risk as low, to maintain a low audit risk. Illustration 3.7 provides an example of a high-risk assertion at the account level. After reviewing the example, you’ll see there is an inverse re- lationship between the risk of material misstatement (inherent and control risks combined) and detection risk (as set by the auditor). A low detection risk means the auditors increase the amount of detailed audit procedures used to test the year-end account balances and transac- tions from throughout the year.
ILLUSTRATION 3.7 High risk assertion with qualitative analysis Audit risk =
Risk of Material Misstatement Detection risk
Inherent risk Control risk
High High Low
Audit Reasoning Example High Risk Assertion
A client sells high-end fashion clothing and has inadequate security. Inherent risk is high for the existence assertion of inventory as clothing may be stolen. Control risk is high since there is inad- equate security, which increases the risk of theft. The auditor cannot rely on the client’s security system to reduce the risk of material misstatement associated with the existence of inventory. The auditor will set a low detection risk and spend more time performing audit procedures to deter- mine that recorded inventory actually exists.
Audit Reasoning Example High Risk Assertion
A client is an importer with inexperienced clerical staff . Inherent risk is high for the accuracy as- sertion of recorded purchases as they involve foreign currency translation. Control risk is high as clerical staff are inexperienced and not accustomed to recording complex foreign currency trans- actions. The auditor will set a low detection risk and spend more time performing audit proce- dures to determine that purchases are recorded at appropriate amounts.
AR = f(RMM * DR)
AR = f(IR * CR * DR)
where: AR = Audit risk
RMM = Risk of material misstatement IR = Inherent risk
CR = Control risk DR = Detection risk
c03RiskAssessmentPartI.indd Page 3-18 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-18 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Professional Skepticism and Audit Risk 3-19
The audit risk model can also be used for quantitative analysis in which all risks are stated as a percentage ranging from 1% to 100%. Suppose auditors want to keep audit risk relatively low at 5%, which means a 5% risk they will issue an inappropriate opinion. If in- herent risk and control risk are both high, say 100% inherent risk and 80% control risk, then what will detection risk be? Refer to Illustration 3.8 for the mathematical analysis. Solving for detection risk, the answer would be a 6% risk that the auditors’ procedures will not be eff ective in detecting a material misstatement. A 6% detection risk is a low detection risk, which implies auditors will perform extensive detailed testing of related account balances and use larger sample sizes.
ILLUSTRATION 3.9 Low risk assertion with qualitative analysisAudit risk =
Risk of Material Misstatement Detection risk
Inherent risk Control risk
Low Low High
Audit Reasoning Example Low Risk Assertion
A client sells concrete pipe and has a high-voltage fence surrounding the pipe inventory. Inherent risk is low for the existence assertion of inventory as concrete pipe is very heavy and diffi cult to move. It is unlikely that recorded pipe does not exist. After testing that the security system is working and has been operational throughout the year, the auditor can set control risk low. In this case the auditor will need to spend relatively little time performing detailed audit procedures to determine that recorded pipe actually exists.
ILLUSTRATION 3.8 High risk assertion with quantitative analysisAudit risk
Risk of Material Misstatement Detection risk
= Inherent risk × Control risk ×
.05 = 1.00 × .80 × ?
.05 = 1.00 × .80 × .06
In contrast, if inherent risk and control risk are low, the auditor can set detection risk as high. Review Illustration 3.9 for an example of this situation. Remember, there is an inverse relationship between the risk of material misstatement (inherent and control risks combined) and detection risk (as set by the auditor). By setting detection risk as high, auditors reduce the level of reliance placed on their detailed testing of the account balance or transactions. Auditors are not eliminating the detailed testing of account balances and transactions; rather, they are acknowledging that the account, transaction class, or assertion is low risk. If risk of material misstatement is low, then extensive detailed testing is not required.
Audit Reasoning Example Low Risk Assertion
A client has implemented a strong system of internal controls over purchases of raw materials (e.g., grain). Inherent risk is low for the accuracy assertion of recorded purchases as the pric- ing of raw materials is not complex. After testing that programmed controls and related manual
c03RiskAssessmentPartI.indd Page 3-19 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-19 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-20 CHAPTER 3 Risk Assessment Part I
Using the quantitative analysis, suppose auditors assess inherent risk and control risk as low: 30% and 5% respectively. Refer to Illustration 3.10 for the mathematical analysis. Solving for detection risk, the answer would be a 333% risk that the auditors’ procedures will not be eff ective in detecting a material misstatement. This is a stark contrast to the detection risk of 6% in Illustration 3.8. But remember, as inherent risk and/or control risk decrease, detection risk will increase, refl ecting that less extensive substantive testing will be conducted by auditors because the client’s internal controls are eff ective for the related account balance and assertion.
follow-up are working properly, the auditor will verify that access to the program is limited to authorized personnel and that the program has not been tampered with. When the auditor is satisfi ed the program is working well and the client’s controls are eff ective, the auditor can set control risk as low. In this case, the auditor will spend relatively little time performing detailed audit procedures on raw materials to determine that the recorded amount is accurate.
ILLUSTRATION 3.10 Low risk assertion with quantitative analysis Audit risk
Risk of Material Misstatement Detection risk
= Inherent risk × Control risk ×
.05 = .30 × .05 × ?
.05 = .30 × .05 × 3.33
The quantitative analysis highlights the role of detection risk in changing how auditors respond to their client’s risk of material misstatement. As stated earlier, inherent risk and control risk are the client’s risks, and the auditor has no control over them. Auditors can only evaluate the level of inherent and control risks. Auditors can control detection risk by plan- ning to perform more or less detailed audit procedures. The components of the model can be rearranged to solve for detection risk as follows:
The examples provided in this section are extremes. The reality will often fall some- where in between, where inherent risk is high, but the client has an eff ective system of internal controls in place to mitigate that risk. For example, a client sells high-end fashion clothing and has eff ective security and controls, so the risk of material misstatement for the existence assertion of inventory is low. Alternatively, if inherent risk is low, the client may not consider it worthwhile investing in sophisticated control procedures (that is, any benefi t is perceived to exceed the cost). For example, a client sells concrete pipe and has minimal security controls because the pipe would be very diffi cult to steal. In both cases, auditors will perform less extensive audit procedures when testing the existence of inventory.
DR = AR/RMM
where: DR = Detection risk AR = Audit risk
RMM = Risk of material misstatement
c03RiskAssessmentPartI.indd Page 3-20 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-20 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Audit Strategy 3-21
Before You Go On 4.1 Why is an attitude of professional skepticism important for auditors? 4.2 What is signifi cant risk? 4.3 What are the components of audit risk? 4.4 What is the relationship between risk of material misstatement and detection risk?
Cloud 9 - Continuing Case Cloud 9 sells customized basketball shoes. The shoes are likely to “go out of fashion” reasonably quickly, making obsolescence a big issue. These factors aff ect the inherent risk of inventory valuation. There is also a risk of errors occurring in transactions with suppli- ers and customers, which will aff ect inventory balances. How high
is the control risk? Much to Suzie’s delight, Ian suggests they will be able to make better assessments of both inherent and control risk for all assertions once they have a better understanding of the client and its system of internal control.
LEARNING OBJECTIVE 5 Explain how auditors determine their audit strategy and how audit strategy aff ects audit decisions.
The results of the auditor’s determination of materiality and audit risk lead to the devel- opment of an overall audit strategy. The audit strategy provides the basis for developing an audit plan that details the nature, extent, and timing of audit procedures to be performed. The nature of an audit procedure refers to what type of procedure will be used, such as tests of controls or substantive procedures. The auditor also needs to determine that the evi- dence collected is both reliable and relevant to the assertion being tested. The extent of an audit procedure refers to how much testing will be done, for example, how large of a sample size to use. Detection risk infl uences decisions about sample size. For example, when detec- tion risk is low, auditors will use larger sample sizes than when detection risk is high. The timing refers to when the procedure will be performed. The determination of when proce- dures will be performed is dependent on the eff ectiveness of the client’s controls and will be further discussed below. The process of developing an audit strategy helps auditors allocate audit resources effi ciently and make decisions such as which audit staff will be assigned to the audit, a time budget for the completion of the audit, and a schedule for when certain audit procedures will be performed.
Illustration 3.11 illustrates a general timeline of when audit activities occur for the au- dit of a client that uses a calendar year-end. Most of the audit planning and risk assessment occur during the second and third quarters of the client’s accounting year. The period referred to as “interim” is typically during the latter part of the third quarter and into the fourth quar- ter. The “year-end” period is just before the client’s balance sheet date and the 4- to 6-week period after the client’s year-end. The period is referred to as “year-end” because the client’s accounting year has substantially fi nished and the account balances refl ect the totals for the year under audit. In the audit of private companies, many times the auditor will not begin
nature the determination of what type of audit procedure to use, such as tests of controls or substantive procedures tests of controls (controls testing) audit procedures designed to evaluate the operat- ing eff ectiveness of controls in preventing, or detecting and cor- recting, material misstatements at the assertion level substantive procedures (substantive testing or tests of details) audit procedures designed to detect material misstatements at the assertion level extent the determination of the quantity of audit procedures to be performed timing the determination of when an audit procedure is to be performed
Audit Strategy
c03RiskAssessmentPartI.indd Page 3-21 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-21 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-22 CHAPTER 3 Risk Assessment Part I
“year-end” procedures until several weeks after year-end when the client has completed all year-end closing procedures. This timeline will be a helpful resource for you as we discuss audit strategy and activities occurring during the diff erent phases of the audit. The remainder of this section discusses two broad audit strategies that auditors can follow. These strategies are detailed in depth in AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained and AS 2301 The Auditor’s Responses to the Risks of Material Misstatement.
ILLUSTRATION 3.11 Timeline of audit activities
1/1/2022 6/30 9/30 11/30
12/31/2022 1/31 2/15
3/31/2023
Risk assessment & audit planning
Interim testing
Year-end substantive testing
Issue audit report
Period covered by the 2022 financial statements
Risk Assessment Phase
Risk Response Phase
Reporting Phase
Reliance on Controls Approach An audit strategy is developed at the account or assertion level, such as for accounts re- ceivable, inventory, and other line items on the fi nancial statements. The fi rst step is to identify inherent risks at the account or assertion level during the risk assessment phase when auditors are gaining an understanding of the client and the environment in which it operates, which is discussed in depth in Chapter 4. If inherent risk is determined to be high for an account or assertion, the next step is to determine if an internal control is in place to mitigate the risk of a material misstatement. If an internal control is in place, auditors will determine if the control is operating eff ectively—that is, does it work? Audi- tors will usually perform tests of controls during interim testing. If results from the tests of controls show the internal control is eff ective at preventing and/or detecting material misstatements, auditors will conclude that control risk is low and overall risk of material misstatement (RMM) is low. Recall that RMM is a function of both inherent risk and con- trol risk. Therefore, an eff ective internal control can mitigate the high inherent risk for an account or assertion.
If RMM is low, the audit strategy will be to rely more on the client’s internal controls and less on the auditor’s substantive procedures. The nature, extent, and timing of substan- tive procedures would be adjusted since the client’s internal control is strong. For example, auditors may perform substantive procedures for balance sheet accounts one or two months prior to year-end, rather than at year-end, and may decide to use smaller sample sizes since RMM is low. Performing substantive procedures one or two months prior to year-end for lower-risk accounts, rather than waiting to perform the procedures at year-end, helps au- ditors use their time effi ciently. The year-end time period can be more focused on perform- ing substantive procedures for higher-risk accounts and assertions. Note that auditors can never completely rely on a client’s system of internal controls and will always conduct some substantive procedures to gather evidence regarding the account balances in the fi nancial statements.
c03RiskAssessmentPartI.indd Page 3-22 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-22 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Audit Strategy 3-23
Illustration 3.12 provides a diagram of the process used when developing the audit strat- egy for an account or assertion. Notice that the left side of the diagram provides an overview of the reliance on controls approach described in this section.
Audit Reasoning Example Existence of Inventory
Jennifer is auditing a private company that manufactures batteries for cell phones. The company has good perpetual inventory records and inventory controls. In the prior year audit, tests of con- trols confi rmed the company had excellent internal controls over inventory. In planning this year, based on inquiries with various client personnel, the system has not changed. Therefore, Jennifer is planning to test controls at an interim date, and if this year’s tests of controls confi rm that controls continue to be strong, she will also perform substantive procedures on the existence of inventory at an interim date.
Determine whether an internal control(s) can mitigate the risk factor
Identify inherent risks at the account or assertion level
Test the control(s)
Su bs
ta nt
iv e
Ap pr
oa ch
Re lia
nc e
on C
on tr
ol s A
pp ro
ac h
Is the control(s) effective? Does it work?
Increase extent of detailed substantive procedures performed at year-end
Does the control(s) exist? No
No
No
Perform less extensive detailed substantive
procedures at interim
Yes
Yes
Yes
ILLUSTRATION 3.12 Process used when developing an audit strategy at the account or assertion level
c03RiskAssessmentPartI.indd Page 3-23 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-23 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-24 CHAPTER 3 Risk Assessment Part I
Substantive Approach Referring to Illustration 3.12, the substantive approach is detailed on the right side of the diagram. The process for a substantive approach begins in the same way as a reliance on controls approach. Auditors identify inherent risks at the account or assertion level during the risk assessment phase. If inherent risk is determined to be high for an account or assertion, the next step is to determine if an internal control is in place to mitigate the risk of a material misstatement. If there is no internal control in place, auditors assess RMM as high since both inherent and control risk are high. If there is an internal control in place, auditors may decide to test the eff ectiveness of the internal control. The test of controls may reveal that the internal control is not operating eff ectively. This situation would also cause auditors to assess RMM as high.
If RMM is high, the audit strategy will be to perform extensive detailed substantive pro- cedures and place little or no reliance on the client’s internal controls. The nature, extent, and timing of substantive procedures would be adjusted since the client’s internal control is weak or non-existent. For example, auditors will perform their substantive procedures at year-end so the entire account balance can be tested rather than testing at interim when the account bal- ance is not yet refl ecting the entire year’s activity. Auditors will also use larger sample sizes and perform more extensive substantive procedures since RMM is high and detection risk is low.
Illustration 3.12 illustrates the extreme of each approach, but auditors can also use a blended approach. For example, if inherent risk is assessed as moderate or low, auditors may decide to perform some tests of controls or not perform any tests of controls. The decision regarding control testing would then impact the nature, extent, and timing of the substantive procedures. Control risk and the testing of controls are discussed further in Chapters 6 and 8. Essentially, the process of determining an audit strategy for an account or assertion is heavily infl uenced by materiality, professional skepticism, and the risk of material misstatement.
Audit Reasoning Example Valuation of Inventory
Jennifer is auditing a private company that manufactures batteries for cell phones. While the company has good perpetual inventory records and inventory controls, Jennifer is concerned about reported problems with lithium-ion battery fi res. It is not clear that the industry has solved these problems. The company has already noted a slowing in sales of one battery model. As a result, Jennifer is concerned about the lower-of-cost-or-net-realizable-value (LCNRV) issues that may arise by year-end. Will the company have problems selling the inventory of batteries on hand at year-end? Because of the volatile market of lithium-ion batteries, Jennifer plans to audit the valuation of inventory at net realizable value after year-end, using a primarily substantive approach.
Cloud 9 - Continuing Case Suzie explains that Cloud 9’s audit could be planned and conducted in diff erent ways, depending on the audit strategy adopted. In fact, the overall audit strategy sets the scope, timing, and direction of the audit, and guides the development of the detailed audit plan.
“What audit strategy would be suitable for Cloud 9? Start by thinking about the scope of the audit,” she prompts. “The scope is about the diff erent types of work we have to do—some audits have extra requirements.”
“I suppose we should fi nd out if Cloud 9 has any special re- quirements. The fact that it is a public company means we must follow the PCAOB auditing standards and conduct an audit of both the fi nancial statements and the eff ectiveness of internal controls,” Ian suggests.
“That is a good start,” says Suzie. “What else?”
“Well, I can think of several other things, such as whether any other auditors will be involved (including Cloud 9’s internal auditors), whether there are any foreign currency translation is- sues, any industry-specifi c regulations (although I don’t think this is as big an issue for clothing and footwear as it would be for banks, for example), whether there are any service organizations involved such as payroll services, and whether computer-aided au- dit technology is going to be used.”
“Very good,” says Suzie. “That will do for now. What about timing issues? Are there any special things we should take into account for Cloud 9?”
“What is the date the audit has to be fi nished?” asks Ian. “Good question,” says Suzie. “We will have a deadline, so we
obviously have to work toward it.”
c03RiskAssessmentPartI.indd Page 3-24 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-24 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Fraud Risk 3-25
“Also,” says Ian, “when are our staff available, and when are Cloud 9’s key people available to talk to us?”
“Yes,” says Suzie. “This is all basic. But if we don’t ask these really important questions we will fi nd ourselves unable to meet the deadline, and perhaps under pressure to cut corners. We also have to think about timing of requests to third parties for infor- mation. Now, can you think of anything regarding the direction of the audit?”
“I understand about the extra requirements and working out the timing. But I don’t really know what you mean by direction,” Ian says, confused.
“We have already discussed it to some extent,” Suzie ex- plains. “Remember when we spoke about the risk for Cloud 9 created by obsolescence of inventory, and errors occurring with transactions with customers and suppliers? ‘Direction’ is about where we think there should be extra attention because of higher risk, and how we give that extra attention. We could, for exam- ple, make sure we have suitable experts available, if required, to value the inventory. This is also where we bring in our work on
materiality, both setting materiality for planning purposes, and identifying the material account balances. In our plan, we need to allocate additional time to areas where there may be higher risk of material misstatement. And, one of our biggest tasks will be considering the evidence about the design and operating ef- fectiveness of internal controls at Cloud 9, which we haven’t yet considered in detail.”
“I see,” says Ian. “If we assess the internal controls as being strong, then we plan to do more testing of controls (to confi rm our assessment), and less testing of the underlying substance of transactions and account balances. We have to put this in our plan now. But what if our fi rst thoughts about controls are wrong? Will our plan be wrong?”
“That happens,” replies Suzie. “That is why our initial plan is constantly changing as we gather more information about the client. Particularly, as in this case, for a new client that we don’t have a lot of detailed information on yet. However, we already know what accounts are important to Cloud 9—the client’s previ- ous years’ fi nancial statements and interim results show us that.”
Before You Go On 5.1 What is the purpose of developing an overall audit strategy? 5.2 Describe the audit strategy when the auditor adopts a predominantly substantive approach. 5.3 Why would the auditors adopt a reliance on controls approach?
LEARNING OBJECTIVE 6 Analyze fraud risk and explain the fraud risk assessment process.
During the risk assessment phase of the audit, auditors assess the risk of a material misstate- ment due to fraud (AU-C 240 and AS 2110). Auditors should adopt an attitude of professional skepticism to ensure any indicator of a potential fraud is properly investigated. This means auditors must remain independent of the client, maintain a questioning attitude, and search thoroughly for corroborating evidence to validate information provided by the client. Auditors must not assume that past experience with the client’s management and staff is indicative of the current risk of fraud.
Fraud is an intentional act involving the use of deception that results in the misstatement of the fi nancial statements that are being audited (AU-C 240.11 and AS2401.05). Auditors should be alert for red fl ags4 that indicate a fraud may have occurred. Examples of red fl ags include:
• a high turnover of key employees • key employees with accounting or internal control responsibilities refusing to take leave • overly dominant management
fraud an intentional act through the use of deception that results in a misstatement in fi nancial statements that are the subject of an audit
Fraud Risk
4J. D. Wilson and J. J. Root. Internal Auditing Manual, 2nd ed., (Warren Gorham & Lamont, 1989).
c03RiskAssessmentPartI.indd Page 3-25 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-25 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-26 CHAPTER 3 Risk Assessment Part I
• poor compensation practices • inadequate training programs • a complex business structure • no (or ineff ective) internal auditing staff • a high turnover of auditors • unusual transactions such as large adjusting entries at the end of a period • weak internal controls
There are two kinds of fraud. Fraudulent fi nancial reporting is intentionally misstat- ing items or omitting important facts from the fi nancial statements. Misappropriation of assets involves some form of theft. Illustration 3.13 provides examples of fi nancial reporting and misappropriation of assets frauds.
fraudulent fi nancial reporting intentional misstatements, including omissions of amounts and disclosures in fi nancial statements, to deceive fi nancial statement users misappropriation of assets intentional theft of a company’s assets by employees
Fraudulent Financial Reporting Misappropriation of Assets
• Improper asset valuations • Unrecorded liabilities • Timing differences such as bringing forward the recognition of
revenues and delaying the recognition of expenses • Recording fictitious sales • Capitalizing items that should be expensed • Inappropriate application of accounting principles
• Using a company credit card for personal use • Employees remaining on the payroll after ceasing employment • Unauthorized discounts or refunds to customers • Theft of inventory by employees or others • Using a company car for unauthorized personal use • Writing checks to fictitious vendors
ILLUSTRATION 3.13 Examples of frauds
The responsibility for preventing and detecting fraud rests with client management and those charged with governance. Prevention refers to the use of controls and procedures aimed at avoiding a fraud. Detection refers to the use of controls and procedures aimed at uncovering a fraud should one occur. It is the responsibility of auditors to assess the risk of fraud and the eff ectiveness of the client’s attempts to prevent and detect fraud via its internal control system. When assessing the risk of fraud, auditors consider the fraud risk factors that may be pres- ent, such as incentives and pressures to commit a fraud, opportunities to perpetrate a fraud, and attitudes and rationalizations used to justify committing fraud (AU-C 240 Appendix 1). Illustration 3.14 illustrates the fraud risk factors, which are explained in more depth in the following sections.
fraud risk factors conditions that indicate an incentive or pres- sure to commit fraud, provide an opportunity to commit fraud, or indicate rationalizations to justify fraudulent actions
Opportunity
Pressure Rationalization
Fraud
ILLUSTRATION 3.14 Fraud risk factors
c03RiskAssessmentPartI.indd Page 3-26 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-26 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Fraud Risk 3-27
Incentives and Pressures to Commit a Fraud In assessing the risk of fraud, auditors consider incentives and pressures faced by client per- sonnel to commit a fraud. While the examples provided below indicate that client personnel may be inclined to commit a fraud, they in no way indicate that a fraud has defi nitely oc- curred. When auditors become aware of any of these risk factors, in isolation or combination, they plan their audit to obtain evidence in relation to each risk factor.
Examples of incentives and pressures that increase the risk of fraud include:
• the client operating in a highly competitive industry • a signifi cant decline in demand for the client’s products or services • falling profi ts • a threat of takeover • a threat of bankruptcy
Professional Environment Importance of Professional Skepticism
The PCAOB periodically issues Staff Audit Practice Alerts (“Alerts”). These Alerts “highlight new, emerging, or otherwise noteworthy circumstances that may aff ect how auditors conduct audits under the existing requirements of PCAOB standards and relevant laws.”5 The Alerts are not rules of the board, but are meant to provide guidance in the application of the standards. Alert No. 10, Maintaining and Applying Professional Skepticism in Audits, was issued on December 4, 2012. The purpose of Alert No. 10 is to remind auditors of the requirement to appropriately apply professional skepticism throughout the audit, but especially in sit- uations that involve signifi cant management judgment and in the consideration of fraud.
During inspections of the work of registered accounting fi rms, PCAOB inspectors found many instances of auditors failing to appropriately apply professional skepticism in certain aspects of the audit. Alert No. 10 identifi es some impediments to the ap- plication of professional skepticism of which auditors should be aware. One impediment is unconscious human bias toward client preferences. For example, auditors may feel pressure to maintain good client relationships to ensure future audit engagements. This could cause auditors to rationalize or evaluate information in a manner that is consistent with what the client wants rather than what would be in the best interests of external users of the fi nan- cial statements. Other examples of human bias include an over- confi dence in management, a desire to keep audit costs low, and/ or a desire to sell other services to the client.
Another impediment to the application of professional skep- ticism is the workload of the auditors. Audit fi rms typically expe- rience a “busy season” in which the audits of many of the fi rm’s clients happen simultaneously. Audit team partners and managers may experience heavy workloads and try to meet multiple dead- lines simultaneously. They may feel pressure to complete work too quickly, which could lead to gathering less evidence than is nec- essary, or to gathering evidence that is the easiest to obtain rather than gathering evidence that is the most reliable and relevant.
What can auditors do to improve the application of profes- sional skepticism throughout the audit process? PCAOB standards
require that registered audit fi rms establish a system of quality control to provide reasonable assurance that audit personnel are complying with professional standards. Some elements of a fi rms’ quality control system that can help ensure the appropriate appli- cation of professional skepticism include:
• Firm culture—Communication from fi rm leadership should emphasize the application of professional skepticism.
• Performance appraisal, promotion, and compensation pro- cesses—Firm personnel should be rewarded for adhering to professional standards in performing the audit rather than rewarded for getting work done faster or selling more ser- vices to existing clients.
• Professional competence and assigning personnel to en- gagement teams—Personnel assigned to audit engagements should possess the appropriate technical training and experi- ence required for the client circumstances.
• Documentation—All areas of the audit should be properly documented. This is especially relevant for areas that require signifi cant judgment.
• Monitoring—If a fi rm identifi es a defi ciency in which there was a failure to appropriately apply professional skepticism in performing the audit, the fi rm should take corrective ac- tion and modify its procedures as needed.
It is the responsibility of the engagement partner to supervise the audit team members by being actively involved in planning, directing, and reviewing the work of the other team members. The partner and senior audit team members can help less expe- rienced team members to apply professional skepticism. More senior team members may also be better equipped to challenge the fi nancial reporting position of senior management when nec- essary. Ultimately, it is the responsibility of each individual audi- tor on the engagement team to appropriately apply professional skepticism throughout the audit to better serve the interests of external users.
5PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits, December 4, 2012. www.pcaobus.org/standards/pages/guidance.
c03RiskAssessmentPartI.indd Page 3-27 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-27 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-28 CHAPTER 3 Risk Assessment Part I
• ongoing losses • rapid growth • poor cash fl ows combined with high earnings • pressure to meet market expectations and profi t targets • planning to list on a stock exchange • planning to raise debt or renegotiate a loan • the client being about to enter into a signifi cant new contract • a signifi cant proportion of remuneration tied to earnings (that is, bonuses or stock options)
Audit Reasoning Example Toshiba
You may be familiar with Toshiba Corporation, a publicly traded Japanese company headquar- tered in Tokyo that makes consumer electronics, household electronics, offi ce equipment, and more. In July 2015, the CEO of Toshiba announced he was resigning amid an accounting scandal in which profi ts had been overstated for the past seven years by approximately $1.9 billion (224.8 billion yen). What incentives and pressures were involved that led to the fraud? The technology industry is extremely competitive and Toshiba’s upper management set aggressive profi t targets. The home electronics and appliances division was showing losses and the memory chip division was feeling pressure because of decreasing demand from Chinese electronics companies.6 As an example, in September 2012, the head of the digital products and service division was told by the CEO to improve a 24.8 billion yen loss into a 12 billion yen profi t in just three days!7 Think about how the external auditor would learn about the incentives given to lower-level management. How might an internal auditor learn about these incentives?
Opportunities to Perpetrate a Fraud After identifying one or more incentives or pressures to commit a fraud, auditors assess whether a client’s employees have an opportunity to perpetrate a fraud. Auditors utilize their knowledge of how other frauds have been perpetrated to assess whether the same opportuni- ties exist at the client. While the examples below of opportunities to commit a fraud suggest a fraud may have been committed, their existence does not mean a fraud has defi nitely oc- curred. Auditors must use professional judgment to assess each opportunity in the context of other risk indicators and consider available evidence thoroughly.
Examples of opportunities that increase the risk that a fraud may have been perpetrated include:
• accounts that rely on estimates and judgment (discussed further in Chapter 9, in the sec- tion Auditing Accounting Estimates)
• a high volume of transactions close to year-end • signifi cant adjusting entries and reversals after year-end • signifi cant related party transactions (discussed further in Chapter 4, in the section
Related Parties) • poor corporate governance mechanisms • poor system of internal control (discussed further in Chapters 6 and 8) • a high turnover of staff with accounting or internal control responsibilities
6E. Pfanner and M. Fujikawa, M. “Toshiba Slashes Earnings for Past Seven Years,” The Wall Street Journal, September 7, 2015. https://www.wsj.com/articles/toshiba-slashes-earnings-for-past-7-years-1441589473 7K. Nagata. “Pressure to show a profi t led to Toshiba’s accounting scandal,” The Japan Times, September 18, 2015. http://www.japantimes.co.jp/news/2015/09/18/business/corporate-business/pressure-to-show-a-profi t- led-to-toshibas-accounting-scandal/#.WNJjNmQrLjA
c03RiskAssessmentPartI.indd Page 3-28 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-28 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Fraud Risk 3-29
Attitudes and Rationalization to Justify a Fraud Together with the identifi cation of incentives or pressures to commit a fraud and opportu- nities to perpetrate a fraud, auditors assess the attitudes and rationalization of client man- agement and staff to fraud. Attitude refers to ethical beliefs about right and wrong, while rationalization refers to an ability to justify an act. While the examples below indicate that a fraud may occur in companies where these characteristics are identifi ed, they do not mean a fraud has occurred.
Examples of attitudes and rationalizations used to justify a fraud include:
• management and employees who do not place a high priority on the entity’s value or ethical standards
• management attempts to justify marginal or inappropriate accounting, on the basis of materiality, on a recurring basis
• an excessive focus on maximization of profi ts and/or stock price • a poor attitude regarding compliance with accounting regulations • rationalization that other companies make the same inappropriate accounting choices
Audit Reasoning Example Toshiba
Returning to the Toshiba fraud, what opportunities existed at Toshiba for such a massive fraud to oc- cur? Overall, there was a lack of internal controls in upper management and an unethical corporate culture led by upper management. Controls that did exist were overridden by upper management’s pressure to show profi ts. Compounding the problem was the Japanese culture of obedience, which disallows subordinates refusing orders from upper management. One of the areas that was heavily manipulated was estimates involving long-term projects. Estimation techniques relied heavily on internal data, and internal controls over the estimation process were easily overridden by upper management.8 It is easier to see these risk factors with hindsight. However, if you were working on the Toshiba audit, could you fi nd the warning signs and adjust the audit appropriately?
8“Toshiba Accounting Scandal,” Summary for a meeting of the International Ethics Standards Board for Accountants (IESBA), Agenda item F-2, September 2015. https://www.ethicsboard.org/system/fi les/meetings/ fi les/Agenda_Item_F-2_-_Toshiba_Accounting_Scandal_0.pdf 9Ibid. 10T. Uranaka and M. Yamazaki. “Trust banks plan to sue Toshiba over 2015 accounting scandal,” Reuters, January 30, 2017. http://www.reuters.com/article/us-toshiba-accounting-idUSKBN15E03A.
• reliance on complex transactions • transactions out of character for a business (for example, invoicing sales before delivery
of the goods to customers)
Audit Reasoning Example Toshiba
In the Toshiba fraud, upper management’s rationalization for fraudulent fi nancial reporting was to maintain the company’s stock price by maximizing profi ts. One thing history tells us is that fraud never successfully maintains the stock price nor maximizes profi ts. As a result of the Toshiba fraud, the stock price dropped about 70% from May 2015 to February 2016. Nine mem- bers of senior management resigned in the wake of the fraud, including the CEO at the time the scandal was made public, and two former CEOs who were still with the company but in diff erent roles.9 Toshiba is also being sued by multiple groups, including a Japanese bank seeking 1 billion yen ($8.7 million) in damages on behalf of its pension fund clients, 45 overseas institutional inves- tors seeking 16.7 billion yen in damages, and 15 diff erent groups and individuals in Japan seeking a total of 15.3 billion yen.10
c03RiskAssessmentPartI.indd Page 3-29 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-29 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-30 CHAPTER 3 Risk Assessment Part I
Fraud Risk Assessment Process Perpetrators of fraud will go to great lengths to hide their activities from auditors. That is why auditors must maintain an attitude of professional skepticism and investigate any indicators of potential fraud. The primary procedures auditors use in the fraud risk assessment process are brainstorming among the audit team members and inquiry of management and others internal or external to the client.
Auditors are required to discuss among the audit team members the susceptibility of the client’s fi nancial statements to a material fraud. This discussion usually takes place in a “brainstorming session” in which members of the audit team are encouraged to share thoughts and ideas about how a fraud might be conducted and concealed (AU-C 240.15 and AS 2110.52). The discussion includes topics related to gaining an understanding of the entity and its environment as these topics are also related to risk of fraud. For example, discussions about changes in the client’s industry or changes in the client’s internal controls lead to ideas about why management would have an incentive or opportunity to commit fraud. The brain- storming session also serves as an opportunity for more senior members of the audit team to share important information about the client with new members of the audit team. The audit team members should be encouraged to share information about fraud risk at any time during the performance of the audit.
Auditors inquire of management and other client personnel about any knowledge of fraud that has occurred. They inquire about specifi c internal controls that management has in place to prevent and detect fraud, and how often these controls are monitored and modifi ed as needed. The client’s audit committee of the board of directors (discussed further in Chapter 4) should also be involved in the assessment of fraud risk. Auditors should directly inquire of the audit committee members regarding their role in fraud prevention and detection. If the client has an internal audit function, auditors also make inquiries about fraud risk assessment of the internal auditors. Auditors may also consider inquiry of external parties, such as vendors and customers, if necessary. Auditors must extensively document their fraud risk assessment. The documentation should provide details of the brainstorming session, including when it took place and the audit team members who participated. The signifi cant risks identifi ed by auditors and the planned audit response to those risks are also documented.
Before You Go On 6.1 What are the responsibilities of the client and the auditor when it comes to fraud? 6.2 Explain four incentives and pressures that increase the risk of fraud. 6.3 Explain four opportunities that increase the risk of fraud.
Cloud 9 - Continuing Case Suzie explains fraud risk is always present, even though actual fraud is reasonably rare, and auditors must explicitly consider it as part of their risk assessment. Being aware of the incentives, pressures, opportunities, and attitudes within the client relating to fraud helps the auditor make the assessment. Ian admits he has a little trouble understanding the diff erence between incentives and attitudes. He thinks he understands the concept of opportunity.
Suzie explains that incentives relate to the factor that pushes (or pulls) a person to commit a fraud. Examples include a need for money to pay debts or gamble. Attitudes, or rationalization, relate to the thinking about the act of fraud. For example, the person believes it is acceptable to steal from a mean boss; that is, the theft is justifi ed by the boss’s “meanness.”
In future chapters on internal control, we will discuss the importance of “tone at the top” and the control environment. While a goal of management is to maximize profi ts, auditors must be alert to a management that is willing to give tacit approval of fraud in order to keep share price high.
c03RiskAssessmentPartI.indd Page 3-30 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-30 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Key Terms Review 3-31
Learning Objectives Review
1 Evaluate client acceptance and continuance decisions.
Factors to consider include the integrity of the client, such as its rep- utation and its attitude to risk, accounting policies, and internal con- trols (see Illustration 3.1). An auditor will gain an understanding of the client via communication with the client’s prior auditor (in the case of a client acceptance decision), staff , management, and other relevant parties. The fi nal stage in the client acceptance or contin- uance decision process involves the preparation of an engagement letter, which sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client.
2 Identify the diff erent phases of an audit.
The phases of an audit include risk assessment, risk response, and reporting. During the risk assessment phase, an auditor will gain an understanding of the client, identify risks, set the planning material- ity, and develop an audit strategy. During the risk response phase, an auditor will execute the detailed testing of controls, account balances, and transactions. The fi nal phase of every audit involves reviewing all of the evidence gathered throughout the audit and arriving at a con- clusion regarding the fair presentation of the client’s fi nancial state- ments. The auditor will then prepare an audit report that refl ects the auditor’s opinion based upon the audit fi ndings.
3 Explain and apply the concept of materiality.
Information is considered to be material if it impacts the decision- making process of users of the fi nancial statements. Planning mate- riality guides audit planning and testing for the fi nancial statements as a whole. Performance materiality is an amount less than planning materiality that is determined at the account balance, class of trans- actions, or disclosure level. Auditors consider both quantitative and qualitative factors when determining materiality.
4 Explain professional skepticism and apply the audit risk model.
Auditors are required to maintain professional skepticism, or a ques- tioning attitude, during the planning and performance of an audit. Audit risk is the risk that an auditor expresses an inappropriate au- dit opinion when the fi nancial statements are materially misstated. The three components of audit risk are inherent risk, control risk, and detection risk. The risk of material misstatement consists of in- herent risk and control risk. Both professional skepticism and audit risk are key concepts used by the auditor when developing an audit strategy.
5 Explain how auditors determine their audit strategy and how audit strategy aff ects audit decisions.
The assessed level of the risk of material misstatement (RMM) for an account or assertion drives the development of the audit strategy and the nature, extent, and timing of audit procedures to be performed. If RMM is low, the auditors may rely on a controls approach. Un- der this approach, the auditors will extensively test internal controls to determine if they are eff ective, and spend less time performing substantive procedures. If RMM is high, the auditors may pursue a substantive approach. Under this approach, the auditors will spend little or no time testing internal controls and will focus their eff orts on performing substantive procedures on the year-end account balance and assertions.
6 Analyze fraud risk and explain the fraud risk assess- ment process.
Fraud is an intentional act using deception that results in the mis- statement of the fi nancial statements that are being audited. The two kinds of fraud are fi nancial-reporting fraud and misappropriation of assets. When assessing the risk of fraud, the auditors should consider the fraud risk factors that may be present, such as incentives and pressures to commit a fraud, opportunities to perpetrate a fraud, and attitudes and rationalizations used to justify committing a fraud. The primary procedures that auditors use in the fraud risk assessment pro- cess are brainstorming among the audit team members and inquiry of management and others internal or external of the client.
Key Terms Review Assertions Audit risk Audit strategy Control risk Detection risk Engagement letter Extent of an audit procedure Fraud Fraud risk factors
Fraudulent fi nancial reporting Inherent risk Materiality Misappropriation of assets Nature of an audit procedure Performance materiality Professional skepticism Qualitative materiality Quantitative materiality
Reporting phase Risk assessment phase Risk of material misstatement Risk response phase Signifi cant risk Substantive procedures Tests of controls Timing of an audit procedure
c03RiskAssessmentPartI.indd Page 3-31 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-31 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-32 CHAPTER 3 Risk Assessment Part I
Audit Decision-Making Example
Background Information You have been assigned to the audit of inventory for a private company that owns and operates a chain of retail jewelers. The company’s sales revenue has grown by 300% in the last two years, primarily by acquisitions. Seventy-eight percent of the value of the company’s inventory is in wedding rings, diamonds, gold neck- laces, and high-end watches. Because the company has grown through acquisition, the company has not yet brought two ac- quired companies (representing 35% of sales) under the compa- ny’s inventory system. As a result, the company is currently op- erating with three diff erent inventory-control systems. The core inventory system being used by retail stores represents 65% of sales. Sixty percent of inventory was tested in the prior year and controls over the existence of inventory were eff ective. The CFO’s top priority is to put all retail operations under this one inventory- control system by the end of the fi scal year (January 31). He is particularly concerned about lower than expected gross margins at some of the acquired stores, and he expects that better inventory control will improve this situation. In addition, gold prices have risen 15% in the last 12 months, and the company is making sure it is not selling “confl ict diamonds” illegally traded to fund confl ict in war-torn areas of Africa. Your responsibility is to develop an audit strategy for testing the existence of inventory.
Identify the Audit Issue The focus of attention in this instance is to develop an audit strat- egy for testing the existence of inventory. The auditor may develop a diff erent audit strategy for testing the valuation of that inventory.
Gather Information and Evidence Important information includes:
• A signifi cant portion of the inventory is high in value, small in size, and susceptible to theft.
• A good system of internal controls may not be operating eff ectively and uniformly.
• The weak gross margins in some stores may be evidence of inventory shrinkage or theft.
• Fraud risk may be high in some locations due to the opportu- nity off ered by weak internal controls.
• The auditor needs to determine how internal controls aff ect audit strategy, and whether the auditor wants one audit strat- egy for part of the inventory and another audit strategy for another part of the inventory.
Analysis and Evaluation of Alternatives Analysis of risk:
• Inherent risk factors include valuable inventory that is sub- ject to theft and misappropriation.
• Internal controls are not uniform. Based on prior year’s evi- dence and a preliminary understanding of the system in the current year, strong internal controls appear to operate over only 60% of the inventory.
• It may be more effi cient to physically inspect inventory as of one date and use one audit strategy for all inventory testing.
• Fraud risk is considered to be high at locations where inven- tory controls are not strong.
Conclusions Regarding Audit Strategy for the Existence of Inventory
• Inherent risk is set at the maximum because inventory is high in value and susceptible to theft and misappropriation.
• Control risk is set at high, as 40% of inventory may not have suffi cient internal controls.
• Fraud risk is considered high due to the opportunity off ered by weak internal controls.
• This results in setting detection risk at low. • Low detection risk impacts the nature, timing, and extent of
substantive testing. For example, the auditor will plan test- ing of the physical existence of inventory at year-end, select a larger number of locations to visit, and vary the extent of inventory testing at each location depending on internal con- trols over the counting of inventory at each location.
1. (LO 1) If a prospective new audit client does not allow the auditor to contact its existing auditor:
a. the auditor should contact the existing auditor anyway because it is their duty.
b. the auditor should consider that a negative factor on the integrity of client management.
c. the existing auditor should contact the new auditor to tell them all about the client.
d. the auditor should respect the prospective client’s right to privacy.
Multiple-Choice Questions
CPAexcel CPAexcel questions and other resources are available in WileyPLUS.
c03RiskAssessmentPartI.indd Page 3-32 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-32 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Review Questions 3-33
2. (LO 2) The risk assessment phase of an audit does not include: a. gaining an understanding of the client.
b. audit execution and reporting.
c. identifi cation of factors that may aff ect the risk of a material misstatement in the fi nancial statements.
d. development of an audit strategy and a risk and materiality assessment.
3. (LO 3) The relationship between risk and materiality: a. is inverse. b. is positive. c. is irrelevant. d. depends on the size of the client.
4. (LO 4) An attitude of professional skepticism means: a. the auditor can rely on past experience to determine current
risk of fraud. b. any indicator of fraud is properly investigated. c. the auditor can rely on management assertions. d. the auditor is independent of the client.
5. (LO 4) An auditor will identify accounts and related assertions at risk of material misstatement:
a. after testing internal controls. b. before writing the audit report. c. to plan the audit to focus on those accounts. d. to eliminate audit risk.
6. (LO 4) Which component of audit risk can the auditor control? a. inherent risk b. control risk c. fi nancial risk d. detection risk
7. (LO 5) Testing controls means that: a. the auditor can completely rely on a client’s system of inter-
nal controls. b. no substantive testing is required. c. the auditor can plan to reduce the reliance on detailed
substantive testing of transactions and account balances. d. materiality will be set at a low dollar amount.
8. (LO 5) The audit strategy known as the predominantly “substan- tive approach”:
a. is appropriate when internal controls are very strong. b. means the auditor will gain the minimum necessary knowl-
edge of the client’s system of internal controls. c. requires the auditor to conduct extensive control testing. d. means the auditor will conduct some interim testing and
minimal year-end account-balance testing.
9. (LO 5) The audit strategy known as “reliance on controls approach”:
a. is appropriate when internal controls are minimal. b. means the auditor will gain the minimum necessary knowl-
edge of the client’s system of internal controls. c. requires the auditor to conduct extensive control testing. d. means the auditor will conduct extensive year-end account-
balance testing.
10. (LO 6) An example of an incentive or pressure that increases the risk of fraud is:
a. the client operates in a highly competitive industry. b. the client has a history of reporting losses. c. a signifi cant percentage of management pay is tied to
earnings. d. all of these answer choices are correct.
Review Questions R3.1 (LO 1) Why are there procedures governing the client accep- tance or continuance decision? Explain why auditors do not accept every client.
R3.2 (LO 1) What is the purpose of the engagement letter? Are all engagement letters the same?
R3.3 (LO 2) Explain the relationship between the risk assessment, risk response, and reporting phases of an audit.
R3.4 (LO 2) Are all audits the same? Why might an audit change from year to year?
R3.5 (LO 3) How does the auditor’s assessment of overall or planning materiality aff ect audit planning? What does an audi- tor consider when making the preliminary assessment of planning materiality?
R3.6 (LO 3) The quantitative materiality of an item is assessed rela- tive to a particular base number. What are some of the choices for this base, and what factors guide the auditor in this choice?
R3.7 (LO 3) Explain the relationship between planning materiality and performance materiality.
R3.8 (LO 3) Explain how setting a lower materiality level aff ects the number of items that are material and aff ects the decisions about the nature, extent, and timing of the audit procedures.
R3.9 (LO 4) Consider this statement, “Auditors should only use professional skepticism when considering fraud risk.” Do you agree or disagree with this statement? Support your position.
R3.10 (LO 4) Explain the approach adopted by auditors of identifying accounts and related assertions at risk of material misstatement. How does this approach help reduce audit risk to an acceptably low level?
R3.11 (LO 4) Consider the following statement: “When inherent and control risk are assessed as high, the risk of material misstatement is assessed as high, and an auditor will set detection risk as low to reduce audit risk to an acceptably low level.” Explain what it means to set de- tection risk as low. What does this mean for the operation of the audit?
c03RiskAssessmentPartI.indd Page 3-33 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-33 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-34 CHAPTER 3 Risk Assessment Part I
Analysis Problems AP3.1 (LO 1) Basic Client continuance Star Software is a client of Jones & Parker, LLP. Star has experienced increased competition in its industry thathas resulted in decreased profi ts over the last three years. In an eff ort to stay fi nancially sound, Star is considering employee layoff s to decrease expenses. Star is planning signifi cant layoff s in the accounting and fi nance department and within the internal au- dit function. Star management feels that internal controls are well established and fewer employees are needed to monitor the internal control system. Also, since the accounting function is heavily dependent on IT, fewer employees are needed to keep track of the company’s accounting data.
Required What issues should Jones & Parker consider when deciding whether to continue the client relationship with Star Software? If Star were your client, would you continue to be the auditors? Explain.
AP3.2 (LO 1) Moderate Research Client acceptance decision The audit committee of the board of directors of WaterFun Corporation asked DDD LLP to audit WaterFun’s fi nancial statements for the 2022 fi scal year. DDD requested permission to communicate with the predecessor auditor and was granted permission by WaterFun’s management to do so.
Required a. What inquiries should DDD make of the predecessor auditor? b. Assuming that DDD is satisfi ed with the results of the communication with the predecessor auditor,
the next step is to draft an engagement letter that will be presented to the audit committee of Water- Fun. Discuss the key items that should be included in an engagement letter. (Research AU-C 210.A23 to provide a full response. ASB standards can be accessed at www.aicpa.org/research/standards)
c. What if WaterFun’s management does not grant permission for DDD to communicate with the pre- decessor auditor? What action would DDD take next?
AP3.3 (LO 1) Challenging Public Company Client acceptance decision Godwin, Key & Associates is a small, but rapidly growing, accounting fi rm. Its success is largely due to the growth of sev- eral clients that have been with the fi rm for more than fi ve years. One of these clients, Carolina Company Inc., is now publicly traded and must comply with additional reporting regulations. Carolina Company’s rapid growth has meant that it is fi nancially stretched, and its accounting systems are struggling to keep up with the growth in business. The client continuance decision is about to be made for the next fi nancial year.
The managing partner of Godwin, Key & Associates, Rebecca Sawyer, has recognized that the fi rm needs to make some changes to deal with the issues created by the changing circumstances of its major client and the fi rm’s overall growth. She is particularly concerned that the fi rm could be legally liable if Carolina Company’s fi nancial situation worsens and it fails.
Required Evaluate the factors that Rebecca should consider when making the client continuance decision for Carolina Company Inc. for the next fi nancial year.
AP3.4 (LO 3) Basic Materiality assessment One of the clients of MMM CPAs operates a restau- rant. From January of the current year, the business has consistently paid its suppliers late, well in excess of the suppliers’ normal credit terms. This has resulted in some suppliers requesting cash on delivery from the business. The auditors reviewed the correspondence between the business and its bank and found that the business has been experiencing cash fl ow problems for two years.
R3.12 (LO 5) If auditors adopt a predominantly substantive ap- proach to the audit, do they have to consider and test the client’s in- ternal controls? Explain.
R3.13 (LO 5) If auditors adopt a reliance on controls approach, do they have to perform any substantive procedures? Explain.
R3.14 (LO 5) A client has physical controls over inventory, includ- ing a locked warehouse with access restricted to authorized person- nel. Testing of these physical controls over inventory shows that they
are very eff ective. Can the auditor conclude that the valuation asser- tion for inventory is not at risk? Explain.
R3.15 (LO 6) In the context of fraud, explain the diff erences be- tween (1) incentives and pressures, (2) opportunity, and (3) attitudes and rationalization. Why is it important for an auditor to consider cli- ent systems relevant to all three concepts?
R3.16 (LO 6) In the context of fraud risk assessment, what is the purpose of the brainstorming session?
c03RiskAssessmentPartI.indd Page 3-34 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-34 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Analysis Problems 3-35
Required Explain whether the information provided impacts the auditor’s assessment of planning materiality. Why or why not?
Source: Adapted from the CA Program’s Audit & assurance exam, March 2012.
AP3.5 (LO 2, 4) Basic Audit risk and inventory Cheap-as-Chips stocks thousands of items that range in value from $1 to $100. The inventory on hand represents a material portion of current assets. The merchandise items change according to the season and the promotional theme adopted by the stores’ management for the year. Merchandise is ordered up to four months in advance from Chinese and Korean suppliers. These special orders require Cheap-as-Chips to give the suppliers substantial deposits upon placement of the orders.
Required Analyze the inherent risks for Cheap-as-Chips’ inventory. Discuss the assertions being made by manage- ment about the inventory.
Source: Adapted from the CA Program’s Audit & assurance exam, December 2010.
AP3.6 (LO 3, 4) Moderate Audit risk components and materiality Carl’s Computers imports computer hardware and accessories from China, Japan, and Korea. It has branches in every capital city, and the main administration offi ce and central warehouse are in Chicago. There is a branch manager in each store plus a number (depending on the size of the store) of full-time staff . There are also several part- time staff who work on weekends since the stores are open both Saturday and Sunday. Either the branch manager or a senior member of the full-time staff is on duty at all times to supervise the part-time staff . Both part-time and full-time staff members are required to attend periodic company training sessions covering product knowledge and inventory- and cash-handling requirements.
The inventory is held after its arrival from overseas at the central warehouse and distributed to each branch on receipt of an inventory transfer request authorized by the branch manager. The value of in- ventory items ranges from a few cents to several thousand dollars. Competition is fi erce in the computer hardware industry. New products are continuously coming onto the market, and large furniture and offi ce supply discount retailers are heavy users of advertising and other promotions to win customers from spe- cialists like Carl’s Computers. Carl’s Computers’ management has faced diffi culty keeping costs of supply down and has started to use new suppliers for some computer accessories such as printers and ink.
Required a. Evaluate the inherent risks for inventory for Carl’s Computers. How would these risks aff ect the
accounts? b. Identify strengths and weaknesses in the inventory control system. c. Comment on materiality for inventory at Carl’s Computers. Is inventory likely to be a material bal-
ance? Would all items of inventory be audited in the same way? Explain how the auditor would deal with these issues.
AP3.7 (LO 4) Basic Control risk Clear Sky Aviation credits prepayments of air travel to a deferred (unearned) revenue account until the travel service is provided, at which point it transfers the appro- priate amount to sales revenue. A problem with its control system means that the proper allocation of revenue between “sales revenue” recorded in the income statement and the “deferred revenue” account in the balance sheet does not always occur. The auditor is considering conducting additional substantive testing to test whether the sales transactions have been properly classifi ed.
Required Analyze how the balance sheet and income statement may be at risk of material misstatement if the controls regarding the proper allocation of revenue are not functioning properly.
Source: Adapted from the CA Program’s Audit & assurance exam, December 2010.
AP3.8 (LO 4) Basic Audit risk and revenue Ajax Finance Inc. (Ajax) provides small and medium-sized personal, car, and business loans to clients. It has been operating for more than 10 years and has always been run by Bill Short. Bill has been the public face of the fi nance company, appearing in most of its television and radio advertisements, and developing a reputation as a friend of the “little person” who has been mistreated by the large fi nance companies and banks.
Ajax’s major revenue stream is generated by obtaining large amounts on the wholesale money mar- ket and lending in small amounts to retail customers. Margins are tight, and the business is run as a “no frills” service. Offi ces are modestly furnished, and the mobile lenders drive small, basic cars when
c03RiskAssessmentPartI.indd Page 3-35 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-35 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-36 CHAPTER 3 Risk Assessment Part I
visiting clients. Ajax prides itself on full disclosure to its clients, and all fees and services are explained in writing to clients before loans are fi nalized. However, although full disclosure is made, clients who do not read the documents closely can be surprised by the high exit charges when they wish to make early repayments or transfer their business elsewhere.
Ajax’s mobile lenders are paid on a commission basis. They earn more when they write more loans. For example, they are encouraged to sell credit cards to any person seeking a personal loan. Ajax receives a commission payment from the credit-card companies when it sells a new card, and Ajax also receives a small percentage of the interest charges paid by clients on the credit card.
Required Analyze the inherent and control risks for Ajax’s revenue What type of misstatements would be most likely for revenue?
AP3.9 (LO 4, 5) Challenging Determining an audit strategy Avery Island Dairy is a boutique cheese maker based on Avery Island, Louisiana. Over the years, the business has grown by supplying local retailers and through exports. In addition, there is a “farm-gate” shop and café located next to the main processing plant on Avery Island serving tourists who also visit the other specialist food and wine businesses in the region. Quality control over the cheese-manufacturing process and storage of raw ma- terials and fi nished products at Avery Island Dairy is extremely high. All members of the business are committed to high product quality because any poor food-handling practices that could result in a drop in cheese quality or contamination of the products would ruin the business very quickly.
The export arm has become the largest revenue earner for the business and is managed by the younger of the two brothers who have run Avery Island Dairy since it was established. Jim Guidry has a natural fl air for sales and marketing but is not so good at completing the associated detailed paperwork. Some of the export deals have been poorly documented, and Jim often agrees to diff erent prices for diff er- ent clients without consulting his older brother, Bob, or informing the sales department. Consequently, there are often disputes about invoices, and Jim makes frequent adjustments to customer accounts using credit notes when clients complain about their statements. Jim sometimes falls behind in responding to customer complaints because he is very busy juggling the demands of making export sales and running his other business, Café Consulting, which provides contract staff for the café business at Avery Island Dairy.
Required a. Identify the factors that would aff ect the preliminary assessment of inherent risk and control risk at
Avery Island Dairy. b. Analyze how these factors would infl uence your choice between the predominantly substantive
approach and the reliance on controls approach for sales, inventory, and receivables.
AP3.10 (LO 5) Basic Audit strategy The partner in charge of the audit of Big Boy Freight Inc. (BBF) planned to obtain evidence of BBF’s revenue recognition by relying on internal controls rather than any substantive tests of detail. BBF receives most freight payments in advance and holds them in a deferred (unearned) revenue account, transferring the appropriate amount to sales revenue when goods are transported. However, during subsequent testing of internal controls, a signifi cant number of instances occurred where revenue was incorrectly recognized immediately upon customers’ payments in advance, rather than when goods were actually shipped.
Required Discuss the type of strategy planned by the audit partner. Why is it no longer appropriate after the initial testing of controls?
Source: Adapted from the CA Program’s Audit & assurance exam, July 2010.
AP3.11 (LO 4, 6) Moderate Public Company Financial reporting fraud risk Vaughan En- terprises Inc. has grown from its beginnings in the steel fabrication business to become a multinational manufacturer and supplier of all types of packaging, including metal, plastic, and paper-based prod- ucts. It has also diversifi ed into a range of other businesses, including household appliances in Europe, Australia, and Asia. The growth in the size of the business occurred gradually under the leadership of the last two CEOs, both of whom were promoted from within the business.
At the beginning of last year, the incumbent CEO died of a heart attack and the board took the opportunity to appoint a new CEO from outside the company. Despite the company’s growth, returns to shareholders have been stagnant during the last decade. The new CEO has a reputation of turning around struggling businesses by making tough decisions. The new CEO has a fi ve-year contract with gen- erous bonuses for improvements in various performance indicators, including sales/assets, profi t from continuing operations/net assets, and stock price.
c03RiskAssessmentPartI.indd Page 3-36 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-36 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
During the fi rst year, the new CEO disposed of several components of the business that were not profi table. Very large losses on the discontinued operations were recorded, and most non-current assets throughout the business were written down to recognize impairment losses. These actions resulted in a large overall loss for the fi rst year, although a profi t from continuing operations was recorded. During the second year, recorded sales in the household appliances business in Europe increased dramatically, and, combined with various cost-saving measures, the company made a large profi t.
The auditors have been made aware through various conversations with middle management that there is now an extreme focus on maximizing profi ts through boosting sales and cutting costs. The attitude toward compliance with accounting regulations has changed, with more emphasis on pleasing the CEO rather than taking care to avoid breaching either internal policies or external regu- lations. The message is that the company has considerable ground to make up to catch up with other companies in both methods and results. Meanwhile, the share price over the fi rst year-and-a-half of the CEO’s tenure has increased 65%, and the board has happily approved payment of the CEO’s bonuses and granted the CEO additional stock options in recognition of the change in the company’s results.
Required a. Analyze the incentives, pressures, and opportunities to commit fi nancial reporting fraud, and atti-
tudes and rationalizations to justify a fraud in the above case. b. What fraudulent fi nancial reporting would you suspect could have occurred at Vaughan? c. Explain why professional skepticism would be critical in assessing the risk of fraud.
AP3.12 (LO 6) Moderate Fraud risk An airline company has been adversely impacted by a global fi nancial crisis that is negatively aff ecting business travel. In addition to lower overall demand, the air- line company faces increased competition from other airlines who are heavily discounting fl ights. The airline company policy for revenue is to credit “revenue received in advance from customers” (a liability account), and subsequently adjust that account to revenue when passengers or freight are uplifted, or tours and travel air tickets and land content are utilized.
In preparing for the 2022 audit, you review the 2021 fi nancial statements and note that revenue from passengers represents 8% of total revenue. The interim fi nancial information for the 2022 year shows a 6% decrease in revenue from passengers, and an 11% decrease in revenue from passengers in advance.
You read in the fi nancial press that the global fi nancial crisis has led to increased incidences of fraud, and the majority of these frauds are committed by company directors and senior managers.
Required Explain why the revenue from passenger accounts in the income statement is at signifi cant risk of fraud- ulent fi nancial reporting by management.
Source: Adapted from the CA Program’s Audit & assurance exam, May 2010.
AP3.13 (LO 6) Challenging Research The auditor and the Ponzi scheme Bernard Madoff was convicted in 2009 of running a Ponzi scheme, the biggest in U.S. history. A Ponzi scheme is essen- tially the process of taking money from new investors on a regular basis and using the cash to pay prom- ised returns to existing investors. The high and steady returns received by existing investors are the attraction for new investors, but they are not real returns from investments.
As long as new investors keep contributing and existing investors do not seek redemptions (the return of their money), the scheme continues. However, eventually, as in the Madoff situation, cir- cumstances change, the scheme is discovered, and the remaining investors fi nd that their capital has disappeared.
At age 71, Madoff was sentenced to prison for 150 years and will die in jail. Madoff ’s auditor, David G. Friehling was accused of creating false and fraudulent audited fi nancial statements for Madoff ’s fi rm, Bernard L. Madoff Investment Securities LLC. Prosecutors alleged that these fraudulent reports covered the period from the early 1990s to the end of 2008.11
Required a. Research the case against David Friehling. Write a report explaining his role in the Madoff Ponzi
scheme and the outcome of the legal action against him. b. Explain how Friehling’s actions violated U.S. auditing standards and professional ethics.
11D. Searcey and A. Efrati. “Sins and admission: getting into top prisons,” The Wall Street Journal: Europe, July 17–19, 2009, 29; C. Bray and Efrati., 2009. “Madoff ex-auditor set to waive indictment,” The Wall Street Journal: Europe, July 17–19, 2009, 29.
Analysis Problems 3-37
c03RiskAssessmentPartI.indd Page 3-37 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-37 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-38 CHAPTER 3 Risk Assessment Part I
Audit Decision Cases Featherbed Surf & Leisure Holidays, Inc.
Questions C3.1 and C3.2 are based on the following case.
Featherbed Surf & Leisure Holidays Inc. (Featherbed) is a resort company based in Hawaii. Its operations include boating, surfi ng, diving, and other leisure activities; a backpacker’s hostel; a family hotel; and a fi ve-star resort. Justin and Sarah Morris own the majority of the shares in the Morris Group, which owns 100% of Featherbed. Justin is the chairman of the board of directors of both Featherbed and the Morris Group, and Sarah is a director of both companies as well as the CFO of Featherbed.
In October 2021, Justin Morris approached your audit fi rm, KFP LLP, to carry out the Featherbed audit for the year ended December 31, 2022. Featherbed has not been audited before, but this year the audit has been requested by the company’s bank because of anticipated bank loans and by a new private equity investor that has just acquired a 20% share of Featherbed.
Featherbed employs 30 full-time staff . These workers are employed in administration, accounting, catering, cleaning, and hotel/restaurant duties. During peak periods, Featherbed also uses part-time and casual workers. These workers tend to be travelers visiting Hawaii who are looking for short-term work to help pay their traveling expenses.
Justin and Sarah have a fairly laid-back management style. They trust their workers to work hard for the company and reward them well. The accounting staff , in particular, is very loyal to the company. Justin tells you that some accounting staff enjoy their jobs so much they have never taken any annual leave, and hardly any workers ever take sick leave.
There are three people currently employed as accounting staff , the most senior of whom is Peter Pinn. Peter heads the accounting department and reports directly to Sarah. He is in his fi fties and plans to retire in two or three years. Peter prides himself on his ability to delegate most of his work to his two accounting staff members, Kristen and Julie. He claims he has to do this because he is very busy developing a policy and procedures manual for the accounting department. This delegated work includes opening mail, processing payments and receipts, depositing funds received, perform- ing reconciliations, posting journals, and performing the payroll function. Julie is a recent college graduate who just passed the CPA exam. Kristen works part-time, coming into the offi ce on Mondays, Wednesdays, and Fridays. Kristen is responsible for posting all journal entries into the accounting system and the payroll function. Julie does the balance of the work, but they often help each other out in busy periods.
The eff ects of global warming on the Hawaiian Islands have been investigated by a governmental agency. The agency’s report reveals that climate change is likely to cause increasing damage to the islands and the surrounding reefs and devastating tropical storms over the next ten years.
Source: Adapted from the CA Program’s Audit & assurance exam, May 2008.
C3.1 (LO 3, 4) Challenging Materiality and audit risk What qualitative factors in the background information would you consider when determining prelim- inary materiality for the 2022 audit of Featherbed? Evaluate how each factor aff ects your assessed audit risk and your initial assessment of the preliminary materiality.
C3.2 (LO 6) Challenging Date Assessing fraud risk a. Identify and explain any signifi cant fraud risk factors for Featherbed. b. For each fraud risk factor you identify, analyze how the risk will aff ect your approach to the audit
of Featherbed.
Securimax Inc.
Questions C3.3 and C3.4 are based on the following case.
Securimax Inc. (Securimax) has been an audit client of Leo and Lee, LLP for the past 15 years. Securimax is a publicly traded company based in Cleveland, Ohio, where it manufactures high-tech armor-plated personnel carriers. Securimax often has to go through a competitive bid process to win large government contracts. Its main product, the small but powerful Terrain Master, is highly specialized, and Securimax only does business with nations that have a democratically elected government. Securimax maintains a highly secure environment, given the sensitive and confi dential nature of its vehicle designs and its clients.
c03RiskAssessmentPartI.indd Page 3-38 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-38 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
Audit Decision Cases 3-39
In September 2022, Securimax installed an off -the-shelf inventory costing system to support the highly sophisticated and cost-sensitive nature of its product designs. The new system replaced one that had been developed in-house, as the old system could no longer keep up with the complex and detailed manufacturing costing process that provides information to support competitive bidding. The old system also had diffi culty with the company’s broader reporting requirements.
The manufacturing costing system uses all of the manufacturing unit inputs to calculate and pro- duce a database of all product costs and recommended sales prices. It also integrates with the general ledger each time there are product inventory movements such as purchases, sales, waste, and damaged stock losses.
Securimax’s fi scal year-end is June 30. The following table shows fi nancial information for the fi rst two quarters of the fi scal year-end June 30, 2023.
Item 1st Quarter 2nd Quarter Total Assets $96 million $92 million
Total Revenues $33 million $31 million
Pre-tax Income $3.2 million $2.79 million
The pre-tax income for the fi rst two quarters is reasonable with a net profi t margin falling between 8–10% of sales. Based on prior years, pre-tax income for the third quarter usually holds steady relative to the second quarter, but pre-tax income for the fourth quarter typically decreases by 20% over the third- quarter as governments reach the end of their spending budgets.
C3.3 (LO 4) Challenging Public Company Assessing inherent risk Based on the background information, what are the major inherent risks in the Securimax audit? Consider both industry and entity risks in your answer.
C3.4 (LO 3) Challenging Public Company Assessing planning materiality The audit team is in the planning stage of the audit for fi scal year-end June 30, 2023. Discuss the factors to consider when determining planning materiality for Securimax. Calculate an amount for planning materiality for the audit of fi scal year-end June 30, 2023.
Health Care Holdings Group
Question C3.5 is based on the following case.
C3.5 (LO 6) Challenging Fraud risk Goodfellow and Perkins LLP is a successful mid-tier account- ing fi rm with a large range of clients across Texas. During 2022, Goodfellow and Perkins gained a new client, Health Care Holdings Group (HCHG), which owns 100% of the following entities:
• Shady Oaks Hospital, a private hospital group • Gardens Nursing Home Inc., a private nursing home • Total Cancer Care Inc., a private oncology clinic that specializes in the treatment of cancer
Fiscal year-end for all HCHG entities is June 30. The audit partner for the audit of HCHG, Tania Goodfellow, has discovered that two months
before the end of the fiscal year, one of the senior nursing officers at Gardens Nursing Home was dismissed. Her employment was terminated after it was discovered she had worked in collusion with a number of patients to reduce their fees. The nurse would then take secret payments from the patients.
The nursing offi cer had access to the patient database. While she was only supposed to update room-location changes for patients, she was able to reduce the patient period of stay and the value of other services provided. The fraud was detected by a fellow employee who overheard the nurse discuss- ing the “scam” with a patient. The employee reported the matter to the Gardens Nursing Home’s general manager.
Source: Adapted from the CA Program’s Audit & assurance exam, December 2008.
Required a. Identify which accounts—balance sheet and income statement—are potentially aff ected by the
fraud. b. Analyze how Gardens Nursing Home’s business could be aff ected as a result of the fraud event.
c03RiskAssessmentPartI.indd Page 3-39 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-39 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.
3-40 CHAPTER 3 Risk Assessment Part I
Cloud 9 - Continuing Case W&S Partners has just won the December 31, 2022, audit for Cloud 9. The audit team assigned to this client is:
• Partner, Jo Wadley • Audit Manager, Sharon Gallagher • Audit Senior, Josh Thomas • IT Audit Manager, Mark Batten • Experienced staff , Suzie Pickering • First year staff , Ian Harper
As a part of the risk assessment phase for the new audit, the audit team needs to gain an understanding of Cloud 9’s structure and its business environment, determine materiality, and assess the risk of material misstatement. This will assist the team in de- veloping an audit strategy and designing the nature, extent, and timing of audit procedures.
One task during the planning phase is to consider the con- cept of materiality as it applies to the client. Auditors will de- sign procedures to identify and correct errors or irregularities that would have a material effect on the financial statements and affect the decision making of the users of the financial statements. Materiality is used in determining audit procedures and sample selections, and evaluating differences from client records to audit results. Materiality is the maximum amount of misstatement, individually or in aggregate, that can be accepted in the financial statements. In selecting the base figure to be used to calculate materiality, the auditors should consider the key drivers of the business. They should ask, “What are the end users (that is, stockholders, banks, etc.) of the accounts going to be looking at?” For example, will stockholders be interested in profit figures that can be used to pay dividends and increase share price?
W&S Partners’ audit methodology dictates that one planning materiality (PM) amount is to be used for the fi nancial statements as a whole (that is, rather than separate PMs for the income state- ment and the balance sheet). Further, only one basis should be selected—a blended approach or average should not be used. The basis selected is the one determined to be the key driver of the business.
W&S Partners use the following percentages as starting points for the various bases:
Base Threshold (%) Income before tax 5.0 Total revenue 0.5 Gross profi t 2.0 Total assets 0.5 Equity 1.0
These starting points can be increased or decreased by taking into account qualitative client factors, which could be:
• the nature of the client’s business and industry (for example, rapidly changing, either through growth or downsizing, or an unstable environment)
• whether the client is a public company (or subsidiary of) sub- ject to regulations
• the knowledge of or high risk of fraud
Typically, income before tax is used; however, it cannot be used if reporting a loss for the year or if profi tability is not consistent.
When calculating PM based on interim fi gures, it may be nec- essary to annualize the results. This allows the auditors to plan the audit properly based on an approximate projected year-end balance. Then, at year-end, the fi gure is adjusted, if necessary, to refl ect the actual results.
Required Answer the following questions based on the information pre- sented for Cloud 9 in the appendix to this book and in the current chapter and previous chapters.
a. Using the September 30, 2022, trial balance (in the appendix to this book), calculate planning materiality and include the justifi cation for the basis that you have used for your calculation.
b. Discuss how the planning materiality would be used to deter- mine performance materiality.
c. If the planning materiality amount is subsequently increased or decreased later in the audit, how would that impact the audit?
c03RiskAssessmentPartI.indd Page 3-40 07/08/18 7:15 PM f-389 c03RiskAssessmentPartI.indd Page 3-40 07/08/18 7:15 PM f-389 /208/WB02435/9781119401810/ch03/text_s/208/WB02435/9781119401810/ch03/text_s
Pr op
er ty
o f J
oh n
W ile
y &
So ns
, L td
. N ot
fo r g
en er
al re
di st
rib ut
io n.