1.0
INTRODUCTION
The term ’audit risk’
refers to the possibility that the auditors may
unknowingly fail to appropriately modify their opinion on financial statements that are not well stated. It can
also be stated that audit
risk means the
chance of damage to the audit firm as a result of giving an audit opinion that is wrong in some
particular.
Damage to the audit form may be in the form of monetary damages
paid to a client or third party as
compensation for loss caused by the conduct (for example, negligence) of the audit firm or simply loss
of reputation with the client (and
perhaps also the audit) or the business community.
Audit risk is reduced
by gathering evidence – the more the evidence
gathered, the less the audit risk assumed.
In this note, you
will be considering the following topics.
· Types of audit risks;
· Audit firm
organization and audit risk;
· Particular audits and
audit risk;
· Risk-based audit
methodology.
2.0
OBJECTIVES
At the end of this note,
you should be able to:
· define audit risk
· explain the types of
audit risk
· describe the features
of audit firm organization which may minimize
risk
· explain the
risk-based audit methodology.
3.0
MAIN CONTENT
3.1
Audit Risks – Types
There are three types
of audit risks, namely:
(a) normal audit risk
(b) higher than
normal audit risk and
(c) audit work risk
3.1.1
Normal Audit Risk
All audits involve
risk. However strong the audit evidence and however careful the auditor, there is always a
possibility of an error or fraud being
undetected.
In general, if there
are indications that audit risk is normal and there are no indications of higher than normal risk,
then the auditor could be regarded as
one that:
(a) organizes his
office and staff in a competent manner;
(b) follows the
auditing standards and guidelines; he is unlikely to be found negligent and to have to pay damages
as a consequence of fraud or error not
discovered by him.
Indications that risk
is normal may include the following:
(a) Past experience
indicates risk is normal;
(b) The management
and staff of the client are competent and have
integrity;
(c) The accounting
system is well designed, it works and it is subject to strong internal controls;
(d) The client is old
established and is not subject to rapid change;
(e) The board of
directors is actively engaged in the company and control and its leadership is of good
quality;
(f) The board of
directors has competent non-executive directors and better still, an audit committee.
Where audit risk is
normal, then the auditor may approach his audit by relying on:
(a) key controls;
(b) substantive
tests;
(c) analytical
review.
3.1.2
Higher than Normal Risk
Some audit
assignments involve high audit risk. Some audits contain at least one area of high risk.
Indications of higher
than normal audit risk are as follows:
(a) Previous
experience;
(b) Future plans of
the enterprise which include sale or flotation on the Stock Exchange of the company;
(c) High gearing;
(d) Liquidity
problems;
(e) Poor management;
(f) Lack of controls
and/or poor book-keeping;
(g) Recent changes of
ownership/control;
(h) Dominance by a
single person;
(i) Rapid staff
turnover;
(j) In small
companies, non-involvement of the proprietor or
conversely over-reliance on management for control;
(k) Changes of
accounting procedures or policies;
(l) Evidence from
background research;
(m) Over-reliance on
one or a few products, customers, suppliers;
(n) Recent high
investment in new ventures or products;
(o) Problems inherent
in the nature of the business e.g. stock
counting or valuing
difficulties, difficulty in determining the
extent of liabilities, warranty claims, cut-off; (p) The existence of ‘put upon enquiry’
situation.
The audit approach in
high risk situations must be:
(a) sceptical;
(b) to use high
caliber audit staff;
(c) collection of a
wide range of audit evidence in each area;
(d) meticulous
preparation of audit working papers;
(e) probing of all
high risk areas to the bottom;
(f) extreme care in
drafting the audit report.
3.1.3
Audit Work Risk
All audit work
involves normal risk and some audit works involve higher than normal risk. This is because
there is always a possibility of the
accounts containing a misstatement due to error or fraud.
In addition to the
audit risk arising from client activity, there is also a risk that the audit work may be of an
inadequate standard.
The risk arising from
audit work may include the following:
(a) Failure to
recognise ‘put upon enquiry’ situations;
(b) Failure to draw
the correct inferences from audit evidence and the
analytical review;
(c) Use of the wrong
procedures in a particular situation;
(d) Failure to
perform necessary audit work because of time or cost considerations; (e) Failure to detect error or fraud because
of poor sampling method or inadequate
sample sizes.
3.2
Audit Firm Organization and Audit Risk
It is essential that
an audit firm should organize its affairs in such a way as to minimize the risk of paying damages to
clients or others arising out of
negligent work.
Features of organization,
which may minimize risk are as follows:
(a) Proper
recruitment and training of all personnel;
(b) Allocation of
staff with appropriate ability to particular audits;
(c) Planning of the
work of the firm in such a way that each audit can be approached in a relaxed but disciplined
way and timing problems can be
accommodated;
(d) Two-way
communication with staff on matters of general
concern and in connection with specific audits; (e) Use of audit manuals which conform to the
audit standards and guidelines;
(f) Use of audit
documentation which is comprehensive and yet
which allows for special situations;
(g) Use of budgeting and other techniques to
ensure that audits are remunerative and
yet risk- minimizing;
(h) Use of precise
and frequently updated letters of engagement;
(i) Use of review
techniques for all audits;
(j) Existence of
technical section so that all new developments
(accounting, law, audit procedures) are rapidly incorporated into the firm’s actions.
3.3
Particular Audits and Audit Risk
Risks arising from a
particular audit can be minimized by:
(a) techniques for recognizing
the existence of audit risk;
(b) segregating
normal risk areas from high risk areas;
(c) allocating staff
who are competent to do the work especially in
high risk areas;
(d) extensive
background research into the client and its industry;
(e) careful planning
with emphasis on high risk areas;
(f) comprehensive
documentation;
(g) good briefing of
audit staff;
(h) emphasis to staff
on the need for recognition of high risk
situations and good communication when high risk or put upon enquiry situations are discovered;
(i) particular
attention to the conclusions reached from audit
evidence;
(j) special emphasis
on the analytical review;
(k) review of the
audit work by a senior auditor unconnected with the particular audit;
(l) emphasis on
materiality considerations and sample sizes.
3.4
Risk- based Audit Methodology
Audit costs have been
rising steadily in the last few years. At the same time, audit fee resistance has risen due to
competition, low growth in the market
and the growth of competitive tendering for audits.
Consequently, audit
firms are continually trying to reduce audit costs while at the same time reducing audit risk.
This has led to the idea of risk-based
auditing being in some sense a distinct approach to auditing.
Historically,
auditing has progressed from being a largely substantive testing process, through a largely systems
based process into a risk based method
which uses a range of audit techniques including: substantive testing, internal control
compliance, analytical review and the
use of inherent factors.
Inherent factors
include background knowledge of the client and past audit record indicating no special
difficulties. According to Mautz and Sharaf,
it is a valid auditing postulate that ‘in the absence of evidence to the contrary, what has held true for the
client in the past will hold true in the
future’.
Essentially, auditing is the gathering of
evidence about each part of the accounts;
but as absolute assurance is impossible, there are always some elements of residual risks which have to be
accepted. The extent of acceptable risk
is a matter of judgement. It can be seen as the product of the separate risks accepted in each type of
evidence gathering. Thus:
Overall risk =
Inherent risk x Control risk x Analytical review x Substantive risk.
Thus if, for example,
an audit situation was examined, found to be
material and the risk factors assessed, the following set of figures
might be assembled: (the may be debtors)
Overall acceptable
risk 5% (= 5 chances in 100 of giving a wrong
opinion).
Inherent risk (client
is old established, well-managed and no problems have been encountered in the area previously)
50%.
Control risk
(internal control is strong, unchanged from last year, little possibility of management override) 20%.
Analytical control
risk (figures tie up with credit sales, with previous years and with budgets subject to small
changes stemming from
different external
conditions) 50%.
Thus, substantive
risk = OR/IR x CR x AR = 0.05/0.5 x 0.2 x
0.5 = 1
This means the audit
assurance required from substantive testing is
100% – 100% i.e. no assurance is required. Assurances from the other sources of evidence are sufficient to support
an audit opinion with 5% risk. Most
auditors would find this a bit strong, but if you change the risk factor from control to 30% then the
substantive risk becomes 67% and the
level of assurance required from the evidence source substantive testing is only 100% – 67% = 33%. In effect,
in designing statistical sampling tests
for substantive testing, the level of confidence required is only 33%. The sample sizes corresponding to
this are likely to be very small.
3.4.1
Using the Risk-based Audit Strategy
We would comment on
this sub-heading as follows.
(a) The risk based
equation outlined above is one of several.. Others
include:
AR = IR x CR x DR
AR = IR x DR x SR
AR stands for overall
audit risk. This is the risk that the auditor will draw an invalid conclusion from and wrongly
qualify or not qualify his/her audit
report.
IR is inherent risk – risk which derives from
the nature of the entity and of its
environment prior to the establishment of internal controls. Some enterprises are inherently more risky than
others e.g. new v. old established, high
tech (computer manufacturer) v. low tech (hand-made up-market furniture).
DR is detection risk
– the risk that the auditor’s substantive procedures and his review of the financial statements
will not detect material errors.
SR is sampling risk –
detection risk arising out of sample based
substantive tests.
Some of these are
sub-sets of others (e.g. sampling risk of detection risk).
(b) Care must be
taken to weigh the risk from each source of
evidence as it is gathered and then to avoid over-auditing in the remaining evidence gathering. For example, if
adequate weight is given to inherent
factors and analytical review, it may be that
minimal internal control evaluation and/or substantive testing will be required.
(c) It may be
undesirable to carry out detailed Internal Control Evaluation (ICE) and compliance testing
techniques if:
(i) a high level of
assurance can be gained from inherent factors and analytical review;
(ii) a preliminary
review indicates that controls appear to be very strong;
(iii) a high level of
assurance was obtained in the previous year and
the system has not changed;
(iv) the area is not
material;
(x) a preliminary review indicates that controls are not strong and a high level of assurance will have to come
from substantive testing.
(d) Use computer
aided auditing techniques wherever possible.
(e) Use the same
sample, as far as possible, for several tests both compliance and substantive. However, care
must be taken to think through each
sample and clearly record what evidence is
being obtained whether it is compliant (if so, on what controls) or substantive.
(f) In using
sampling, always look for rational sampling methods including stratification.
(g) Increase the role
of internal audit. Smaller and smaller firms are turning to internal audit and audit firms
should make maximum use of this
resource.
(h) Increase the use
of accounting technicians for the actual sampling and employ high level staff for the thought
behind the audit work. As a matter of
comment, the use of clever recent graduates for
audit work seems to be expensive (high salaries, low output as learners and with time off for study) and a
turn off from auditing.
4.0
CONCLUSION
In this note, you
have discovered that risk is a useful concept in planning all audit work. Modern audit firms
are increasingly adopting a risk-based
approach, which means that audits are divided into normal and high risk audits and individual audits
are divided into normal risk areas and
high risk areas.
The normal risk areas
are covered with emphasis on key controls and
analytical review and the larger part of the audit effort is placed on
the high risk areas.
5.0
SUMMARY
What you have learnt
in this note can be summarised as follows:
· Audit risk is a term
which has grown in importance in recent
years;
86
· Audit risk may be
defined in two stages.
(a) The possibility
that the financial statements contain material
misstatements which have escaped detection by any internal controls on which the auditor has relied and
on the auditor’s own substantive tests
and other works;
(c) The possibility
that the auditor may be required to pay damages
to the client or other persons as a consequence of:
i. the financial statements containing a misstatement, and
ii. the complaining party suffering loss as a direct consequence of relying on the financial statements, and
i. the financial statements containing a misstatement, and
ii. the complaining party suffering loss as a direct consequence of relying on the financial statements, and
iii. negligence by
the auditor in not detecting and reporting on the misstatement can be demonstrated.
· Audit risk can be
seen as normal or higher than normal;
· Normal audit risk
exists in all auditing situations;
· Higher than normal
audit risk can be associated with particular
clients or with particular areas of a client’s affairs;
· Audit risk can arise
from a client which is high risk as a whole,
for particular areas of a client’s affairs, or, from inadequacies in audit work;
· Audit risk can be minimized
by appropriate audit firm organization
and appropriate audit work on a particular client;
· Many modern writers
consider the use of risk-based auditing as a
new direction in auditing, contrasting with the older substantive testing and systems-based auditing.
Risk-based auditing takes account of
substantive test risk, internal control risk, detection risk, analytical control risk, sampling risk
and inherent risk.
0 comments:
Post a Comment