CH 7: Planning the Audit: Identifying, Assessing, and Responding to the Risk of Material Misstatement
In Concepts Statement No. 2, the Financial Accounting Standards Board (FASB) defines materiality as:
"the magnitude of an omission or misstatement of accounting information that, in light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement."
A misstatement is an error, either intentional or unintentional, that exists in a transaction or financial statement account balance. Materiality judgments:
(1) are a matter of professional judgment, (2) depend on the needs of a reasonable person relying on the information (e.g., an investor, a potential investor, or other stakeholders), and (3) involve both quantitative and qualitative considerations.
The purpose of making materiality judgments is to help the auditor gather sufficient appropriate evidence to obtain reasonable assurance about whether the financial statements are free of material misstatement. Auditors make materiality judgments for purposes of:
(1) audit planning and (2) evidence evaluation after audit procedures are completed.
Upon analysis, two of these hypotheses would best explain the unaudited changes in sales and gross margin for 2018:
(a) a significant new product introduction that allows higher margins; or (b) fictitious sales.
Recall from Chapter 6 that a basic premise underlying analytical procedures is the existence of plausible relationships among data, and that the relationship continues over time in the absence of known conditions to the contrary. As initially described in Chapter 6, the steps that the auditor will take are:
1. Determine the suitability of a particular analytical procedure for given account(s)/assertion(s), considering the risks of material misstatement. 2. Evaluate the reliability of data that the auditor is using to develop an expectation of account balances or ratios. 3. Develop an expectation of recorded account balances or ratios, and evaluate whether that expectation is precise enough to accomplish the relevant objective. Recall that for planning analytical procedures the objective is to identify accounts with heightened risk of misstatement to provide a basis for designing and implementing responses to the assessed risks. Also recall that the precision of expectation tends to be less precise and based on more aggregated data. However, with highly aggregated data, this procedure will only provide broad indications of potential material misstatements. 4. Define when the difference between the auditor's expectation and what the client has recorded would be considered significant. 5. Compare the client's recorded amounts with the auditor's expectation to determine any significant unexpected differences. 6. Investigate significant unexpected differences. Recall that for planning analytical procedures, significant unexpected differences suggest that substantive procedures for the account/assertion will be increased. 7. Ensure that the following have been appropriately documented: auditor's expectation from Step 3, including the factors that the auditor considered in developing the expectation, the results in Step 4, and the audit procedures conducted relating to Steps 5 and 6.
When considering responses to the assessed risk of material misstatement, the auditor should
1. Evaluate the reasons for the assessed risk of material misstatement 2. Estimate the likelihood of material misstatement due to the inherent risks of the client 3. Consider the role of internal controls, and determine whether control risk is relatively high or low, thereby determining whether the auditor should rely on controls (thereby necessitating tests of controls) or whether the auditor needs to conduct a substantive audit 4. Obtain more evidence and evidence that is of a higher level of rigor and relevance as the auditor's assessment of the risk of material misstatement increases
Brainstorming sessions normally include the following steps:
1. Review prior year client information 2. Consider client information, particularly with respect to the fraud triangle (incentive, opportunity, and rationalization) 3. Integrate information from Steps 1 and 2 into an assessment of the likelihood of fraud in the engagement 4. Identify audit responses to fraud risks
Now, put yourself in the position of management at Target. Let's assume that the auditor (EY) detects a large income-decreasing misstatement in Target's revenue cycle and that on a per share basis, the journal entry necessary to correct that misstatement is as follows: Dr. Revenue $0.07 Cr. Accounts Receivable $0.07 Let's assume that this situation applies to the January 2017 data, whereby analysts' mean forecast is $5.06 per share. Managers know that their actual EPS is going to be $5.01 per share, and that's if they don't correct the detected misstatement. If they do correct the mis- statement, the actual EPS will fall to $4.94 a share. So, instead of missing the analyst estimate by 1%, they will miss it by 2.4%. Answer the following questions as you think about materiality in this situation.
1. Seven cents a share on a stock trading with an EPS of approximately $5/share is seemingly immaterial, $0.014. The quantitative benchmarks that we mention previously state that when using net earnings as a benchmark, anything less than 5% is immaterial. Based on this, is the misstatement material? 2. Do you think management will want to correct the detected misstatement? Why or why not? 3. Qualitative materiality relates to the fact that even a relatively small misstatement can influence the judgments and decisions of users. How does qualitative materiality relate to this situation?
Materiality Levels Auditors consider materiality at multiple levels:
1. overall materiality (also known as planning materiality), which the auditor uses in determining whether the financial statements overall are materially correct 2. performance materiality (also known as tolerable error), which the auditor uses for determining significant accounts, significant locations, and audit procedures for those accounts and locations 3. posting materiality, which signifies the misstatements identified through- out the audit that will be considered at the end of the audit in determining whether the financial statements overall are materially correct.
Once the auditor sets audit risk, the auditor assesses the risk of material misstatement, which represents the client's inherent and control risks. Client business risk is the risk of material misstatement at the financial statement level.
AS 1101 recognizes that risk of material misstatement at the financial statement level relates pervasively to the financial statements as a whole and potentially affects multiple client assertions across multiple accounts. Exhibit 7.2 illustrates that client business risk affects the inherent and control risks associated with the client.
The timing of risk response refers to when the auditor conducts the audit procedures and whether the auditor conducts those procedures at announced or predictable times. When the risk of material misstatement is high, the auditor conducts the audit procedures closer to year-end and/or on an unannounced basis.
Additionally, the auditor could include additional unpredictability in the timing by changing the timing of audit procedures from one audit to the next so that some procedures are performed on an interim basis and others are performed at year end.
In some cases, the auditor may aggregate the populations of various locations and perform testing, including the selection of audit samples, from the combined population, in the same manner as when there is one population. For example, if the underlying information system is centralized and separate reporting by location is not necessary, the auditor can treat multiple locations as one population and use performance materiality for testing (and sampling) a particular account balance across multiple locations. This may be the case for inventory observations conducted at multiple locations.
Alternatively, if the information systems across multiple locations are decentralized, or if separate reporting is required, or if certain locations or segments are especially important, the auditor faces additional testing considerations.
The extent of risk response refers to the sufficiency of evidence that is necessary given the risk of material misstatement and the level of acceptable audit risk. When the risk of material misstatement is high, the auditor increases the extent of audit procedures and obtains more evidence.
An example of increasing the extent of risk response would be to increase the number of locations to be included in the scope of the audit (e.g., observing inventory counts at more warehouse locations).
When the risk of material misstatement is higher, detection risk is lower, in order to reduce audit risk to an acceptable level. The auditor reduces detection risk through the selection of substantive audit procedures.
As detection risk decreases, evidence that the auditor obtains through substantive audit procedures should increase and/or be more appropriate (reliable and relevant). When the risk of material misstatement is lower, the auditor can accept a higher detection risk and still achieve an acceptable level of audit risk.
Application of the Audit Risk Model: Low Risk of Material Misstatement Assume an account with simple transactions, well-trained accounting personnel recording those transactions, no incentive to misstate the financial statements, and effective internal control over the account. The auditor's previous experience with the client and an understanding of the client's internal controls indicate a low risk of material misstatement for the existence assertion for this account. The auditor assesses inherent and control risk as low (at 50% and 20%, respectively). Audit risk has been set at 5%. This level implies that the auditor is willing to take a 5% chance of expressing an audit opinion that the financial statements are fairly presented when they are materially misstated. The auditor's determination of detection risk for this engagement is:
Audit Risk = Inherent Risk x Control Risk x Detection Risk 0.05 = 0.50 x 0.20 x Detection Risk therefore: Detection Risk = 0.05/(0.50 x 0.20) = 50% In this example, the auditor could design substantive tests of the accounting records with a higher detection risk—in this case 50%. Because inherent and control risk are relatively low, the auditor is willing to accept a greater risk that substantive audit procedures will not detect a material misstatement. However, because the auditor is planning to rely on controls, the auditor will need to test the operating effectiveness of controls to support the lower control risk assessment. As in the prior illustration, this illustration yields an intuitive result: a low likelihood of material misstatement leads to less extensive substantive audit work to maintain audit risk at an acceptable level.
Exhibit 7.4 shows the directional relationships among the various risks, along with interpretations of their meanings. You can think of these concepts in terms of the components of the audit risk model:
Audit Risk = Inherent Risk x Control Risk x Detection Risk, where Inherent Risk and Control Risk combine to determine Risk of Material Misstatement. After you are comfortable with the relationships in Exhibit 7.4, you can work through numerical applications of the audit risk model that we present next. In practice, audit firms do not typically assign numerical values to inherent risk, control risk, and detection risk. However, working through the applications will provide you with a better understanding of the relationships in the audit risk model.
Individually important locations are those that are financially significant to the client's financial statements over- all. A common quantitative approach to determining individually significant locations is to identify locations where the net income is greater than 10% of total consolidated net income or where the assets are greater than 10% of total consolidated assets. In practice, the percentage might range from 10% to 15%.
Auditors will also consider qualitative factors when deter- mining individually significant locations. For example, does the location have specific risks that could create a material misstatement in the overall financial statements? One such risk might be the resignation of the location's top financial manager following allegations of ineffective controls or inappropriate reporting practices.
Auditors should be skeptical about assurances that client personnel provide, verify the authenticity of documentation, and choose new and different audit procedures each year even if the results of brainstorming in the current year are similar to those in prior years.
Brainstorming sessions usually last up to an hour, but occasionally may exceed two hours, depending on the complexity and risk profile of the client.
Technological change also presents risk. For example, companies that were not previously in the phone business, such as Google and Apple, added communication products and greatly affected the phone business of Motorola and Nokia.
Competitor actions, such as discounting prices or adding new product lines, also affect business risks. Finally, geographic locations of suppliers can represent a business risk. For example, sourcing products in China might offer a competitive advantage, but it might also expose the organization to business risk if the products contain lead. Management is responsible for managing its business risk. All organizations are subject to business risks; management reactions may worsen them or mitigate them.
Having set audit risk and assessed risk of material misstatement, the auditor determines detection risk. Detection risk is under the control of the auditor, and the audit evidence that the auditor obtains depends on the level of detection risk.
Detection risk relates to the substantive audit procedures that will achieve the desired overall audit risk.
Assessing Control Risk at the Assertion/Account Level Control risk relates to the susceptibility that a misstatement, due to either error or fraud, will not be prevented or detected on a timely basis by the organization's internal control system.
During audit planning, the auditor makes a preliminary assessment of control risk. Because control effectiveness can vary across accounts and assertions, most audit firms require that auditors assess control risk at the assertion level for all significant accounts.
Assessing Fraud Risk Although fraud risk is not explicitly included in Exhibit 7.2, auditing standards require the audit team to have a team discussion, often referred to as brainstorming.
During brainstorming, auditors are to assess client risks relevant to the possible existence of fraud and should identify where fraud might likely occur. Brainstorming sessions occur predominantly during the planning phase of the audit, but the audit team will repeat these sessions if fraud is detected or at the end of the audit to ensure that all ideas generated during brainstorming have been addressed during the audit opinion formulation process.
When client business risk is high, the auditor is concerned that the organization might have difficulty operating effectively or profitably. The overall economic climate—whether favorable or unfavorable—can have a tremendous effect on the organization's ability to operate effectively and profitably.
Economic down- turns are often associated with the failure of otherwise successful organizations.
A practical analogy to conceptualize these steps is to compare an umbrella in a rainstorm to effective internal controls. Risks might result in material misstatement (rain); management is responsible for keeping the financial statements free of mate- rial misstatements (dry). The auditor's objective is to gather enough information to assess how well management is doing in keeping the financial statements free from material misstatement (dry).
Exhibit 7.5 shows that Client A has effective internal controls (the umbrella without holes) that prevent material misstatement (rain) from getting into the accounting records. Client B's umbrella has holes in it (weak internal controls), resulting in wet accounting records (they are likely to contain material misstatements). Because of the weak controls, it is unlikely that the auditor will perform any testing of controls, and the use of substantive analytical procedures will probably be limited. Thus, the auditor must perform extensive direct tests of the account balances to identify any misstatements.
Auditors will consider engagement risk (also known as auditor business risk) when planning and pricing an audit. This risk is the potential for loss to the auditor because of being associated with the client.
Factors increasing this risk include the engagement: being a publicly traded company, not being a profitable engagement, damaging the auditor's reputation, and/or resulting in litigation. Engagement risk is higher when the client is issuing an initial public stock offering, or of likely interest to the PCAOB's inspection team.
Risk Assessment Procedures for Assessing Control Risk To have an appropriate level of understanding of the client's internal controls, the auditor needs to understand the controls management has designed and implemented to mitigate identified risks of material misstatement.
For entity-wide controls, auditors will typically review relevant documentation prepared by management and interview appropriate individuals.
Most audit firms encourage participants in the brainstorming session to explicitly consider professional skepticism, both in general throughout the engagement and with respect to specific accounts with a higher risk of fraud.
For example, audit firms encourage the brainstorming group to answer questions such as, "How could someone commit fraud at this client, or for a certain account balance?"
The auditor begins by setting the appropriate level of acceptable audit risk, which the auditor bases on the audit firm's potential exposure or risk of being associated with a client.
For example, consider a public company client in a high-risk industry that has been the focus of PCAOB inspections. In this case, the auditor would set the audit risk they are willing to accept at a low level because of the higher potential risk to the audit firm. Contrast this example with a privately held company where the financial statements will not be widely distributed. In this case, the auditor would set the audit risk they are willing to accept at a higher level because the firm's potential risk due to association with this client is relatively low.
In planning the audit, auditors consider planning materiality in terms of the smallest aggregate level of misstatements that could be material to any one of the financial statements.
For example, if the auditor believes that misstatements aggregating approximately $100,000 would be material to the income statement, but misstatements aggregating approximately $200,000 would be material to the balance sheet, the auditor typically assesses overall materiality at $100,000 or less (not $200,000 or less).
Assessing Inherent Risk at the Assertion/Account Level Inherent risk relates to the susceptibility of an account or assertion to a misstatement, due to either error or fraud, before considering any related controls. Most audit firms require that auditors assess inherent risk at the assertion level for all significant accounts. The level of inherent risk for an assertion is dependent on the account associated with the assertion.
For example, since cash is more susceptible to theft than industrial equipment, the auditor will typically assess the existence assertion as having a higher level of inherent risk for cash than equipment. As another example, the auditor is likely to assess the valuation assertion as having a higher level of inherent risk for an account based on management estimates (e.g., pension liability) than for an account whose valuation is derived from routine, factual data (e.g., payroll expense).
Audit Procedures to Respond to the Assessed Risk of Material Misstatement Recall from Chapter 5 that for an integrated audit and for a financial statement audit where the auditor wants to rely on controls as part of the basis for the audit opinion, the auditor should design a controls reliance audit—an audit that includes tests of controls and substantive procedures.
For some audits, the auditor might determine that it is not efficient or effective to rely on the client's controls. In those audits, the auditor designs a substantive audit—an audit that includes substantive procedures and does not include tests of controls.
Application of the Audit Risk Model: High Risk of Material Misstatement Assume an account with many complex transactions and weak internal controls that heighten the risk of the existence assertion for this account. The auditor assesses both inherent risk and control risk at their maximum (100%) for the existence assertion for this account. This assessment implies that for the existence assertion for this account, the client does not have effective internal control and there is a high risk that transactions posted to this account would contain a mate- rial misstatement.
Further, assume that the auditor has set audit risk at 1%. This level implies that the auditor is willing to take only a 1% chance of expressing an audit opinion that the financial statements are fairly presented when they are materially misstated. A numerical depiction of the relationship between inherent risk, control risk, detection risk, and audit risk is referred to as the audit risk model, and it is calculated as follows: Audit Risk = Inherent Risk x Control Risk x Detection Risk 0.01 = 1.00 x 1.00 x Detection Risk therefore: Detection Risk = 0.1/(1.0 x 1.0) = 1% This example yields an intuitive result: a high likelihood of material misstatement leads to more substantive audit work to achieve audit risk at an acceptable level.
Auditors also need to obtain an understanding of the controls designed and implemented at the process or transaction level. For process or transaction controls, auditors will typically review relevant documentation prepared by management and interview appropriate individuals with knowledge about these controls.
Further, auditors will perform walkthroughs, following a transaction from origination to when it is reflected in the financial records to determine if the controls are effectively designed and have been implemented.
With this analysis, the auditor can prioritize which hypothesis to investigate first. For example, if the company has not introduced a new product and the company's sales growth and gross margin are significantly higher than the competition, then it is likely that the fictitious sales hypothesis is the most likely.
Going through this process of performing planning analytical procedures helps the auditor identify areas where the risk of material misstatement is high and then allows the auditor to plan appropriate procedures to address those risks. Importantly, the auditor should determine potential hypotheses rather than just inquiring of management as to the reasons for the change.
Alternative Planning Materiality Benchmarks While auditors commonly use net income, total assets, or net sales to set materiality, circumstances may indicate that other bench- marks are more appropriate. If an organization has significant and nonrecurring charges to nonoperating expenses, then income from continuing operations may be a more appropriate materiality benchmark than net income.
If an organization's net income varies significantly from year to year, the auditor might consider using an average of net income from the prior three to five years to determine materiality. For non-profit organizations, appropriate benchmarks would include total expenses, total contributions, or total assets.
If engagement risk is higher, the auditor will set audit risk at a low level, for example, 1%, whereas the auditor might be willing to set audit risk at a higher level, for example, 5% for a client with lower engagement risk.
In addition to influencing audit risk, engagement risk also influences audit pricing because the audit firm will need to factor in current and potential future engagement costs in making sure it negotiates considering these costs. However, if engagement risk is too high, the audit firm may decide to not audit the organization.
A high level of detection risk means that the audit firm is willing to take a higher risk of not detecting a material misstatement through its substantive procedures.
In that case, the auditor is able to obtain less, and/or less appropriate, evidence from substantive procedures.
One potential decision rule, for example, is to investigate any change exceeding a specified percentage. Auditors often use a trend analysis over several years for significant accounts, as shown in the following example, in planning for the 2018 audit (2018 data are unaudited).
In this example, the auditor's expectation might be that gross margin percentage and sales percentage would increase at about the same rate. Further, the auditor might have an expectation that sales returns would be relatively stable in comparison with that of the prior year.
Trend analysis includes simple year-to-year comparisons of account balances, graphic presentations, analysis of financial data, histograms of ratios, and projections of account balances based on the history of changes in the account.
It is imperative for the auditor to develop expectations and to establish decision rules, or thresholds, in advance, in order to identify unexpected results for additional investigation.
Consider the role that stock analysts may play in how auditor-detected misstatements get resolved. An auditor-detected mis- statement occurs when, during the audit, the auditor comes to find that there exists an error in the recording of a particular transaction, regardless of whether it was intentional or unintentional. Managers and auditors will jointly determine how to proceed. They must decide whether the misstatement is material enough for management to correct it.
Let's use a real company and work through this complex set of circumstances. Below is a chart that shows you the consensus earnings forecast for a company you likely know, Target Corporation, which is a large, global retail company that sells items such as clothing, shoes, household items, and food. Below is a chart showing the number of analysts that follow Target, followed by a com- parison between the actual earnings per share (EPS) for both yearly and quarterly results, along with the mean analyst EPS forecast for those related periods. What the results above show is that 26 analysts are following Target's stock and making EPS predictions. The last three years included the following number of analysts respectively, 12, 26, and 24; this implies that fewer analysts are following Target's stock now as compared to the last few years.
The auditor designs and performs an audit that provides reasonable assurance that the audit will detect material misstatements.
Materiality relates to the significance or importance of an item.
Comparisons Used in Planning Analytical Procedures Comparison with Industry Data: A comparison of client data with industry data may identify potential problems. For example, if the average collection period for accounts receivable in an industry is 43 days, but the client's average collection period is 65 days, this might indicate problems with product quality or credit risk. As another example, a bank's concentration of loans in a particular industry may indicate greater problems if that industry is encountering economic problems.
One potential limitation to using industry data is that such data might not be directly comparable to the client's data. Companies may be quite different but still classified within one broad industry. Also, other companies in the industry may use accounting principles different from the client's (e.g., LIFO versus FIFO).
As suggested previously, trend analysis can incorporate ratio analysis, which takes advantage of economic relationships between two or more accounts. It is widely used because of its power to identify unusual or unexpected changes in relationships.
Ratio analysis is useful in identifying significant differences between the client results and a norm (such as industry ratios) or between auditor expectations and actual results. It is also useful in identifying potential audit problems when ratios change between years (such as inventory turnover).
As an example of a planning analytical procedure, the auditor may develop an expectation of revenue based on production capacity.
Recorded revenue in excess of this expectation may indicate a heightened risk of misstatement in the revenue account—due to either fraud or error. In light of this heightened risk, the auditor will plan audit procedures to obtain sufficient appropriate evidence for the revenue account.
Auditors will then assess the risk of material misstatement at the assertion level for significant accounts. That approach provides a basis for planning the audit.
Risk of material misstatement (i.e., inherent risk and control risk) originate with the client, are controllable by the client, and relate to characteristics of the client (e.g., environment, internal control).
Now, let's find out what the analysts are predicting in terms of yearly and quarterly EPS, and compare that to Target's actual EPS. See the graph below for details
Sometimes Target exceeds the mean analyst estimate, and sometimes they "miss" the estimate. Managers feel excessive pressure to at least "meet" or "beat" the mean analyst estimate, because missing the estimate yields negative stock market reactions when that happens. (If you are ambitious, you could prove that to yourself by looking at the daily stock market reaction for the latest EPS reported versus mean estimate).
ISA 320, Materiality in Planning and Performing an Audit, makes the point that auditors should make materiality judgments based on a consideration of the information needs of users as an overall group.
The Supreme Court of the U.S. offers a somewhat different definition, stating that "a fact is material if there is a substantial likelihood that the ... fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available" (see AS 2105).
Exhibit 7.2 Risks Relevant to the Audit
The audit risk model is presented as Audit Risk 5 Inherent Risk 3 Control Risk 3 Detection Risk. This model provides a conceptual way to consider risks relevant to the audit.
Materiality differs from one audit client to another; that is, what is material for one client may not be material for another client, and may change for the same client from one period to another.
The auditor and management may even disagree about the level of materiality.
Types of Analytical Procedures Two frequently used analytical procedures during risk assessment include trend analysis and ratio analysis. Most commonly, the auditor imports the client's unaudited data into a spreadsheet or software program to calculate trends and ratios and help pinpoint areas for further investigation.
The auditor compares these trends and ratios with auditor expectations developed from knowledge obtained in previous years, industry trends, and current economic development in the geographic area served by the client.
Comparing ratio data over time for the client and its industry can yield useful insights. The auditor could rely on industry data to develop expectations for preliminary analytics.
The auditor could rely on industry data to develop expectations for preliminary analytics.
However, we know that umbrellas are not always perfect—they can spring leaks when least expected, or one of the supporting arms can fail, letting rain come through on one side.
The auditor has to test the umbrella (controls) to see that it is working, but must do enough substantive testing of the account balance to determine that leaks (misstatements) had not occurred in an amount that would be noticeable (material misstatement).
After setting a threshold and comparing the expectation to the client's data, the auditor, in this example, might conclude that the changes in gross margin and sales returns warrant further investigation.
The auditor should gain an understanding about why gross margin is increasing more rapidly than sales and why sales returns are increasing.
Since many financial statement users of public companies focus on net income, a common approach for setting planning materiality for the financial statements is to use net income as the benchmark, and a percentage threshold of 5%.
The auditor should use the result of the calculation as a starting point for planning materiality and then adjust as necessary for qualitative characteristics of the particular audit client. For example, if the client is planning a secondary stock offering, the auditor may want to set materiality at a lower level than suggested by the calculation, as the client may be very biased to make the company look particularly successful.
The auditor commonly sets posting materiality at 5% of planning materiality; however, this percentage typically ranges from 3% to 5%. Continuing with our example where planning materiality is set at $100,000, posting materiality would then be set at $5,000.
The auditor will accumulate all errors identified throughout the audit that are $5,000 or more, and at the end of the audit will consider all of these errors in determining whether the financial statements over- all are materially correct.
Comparisons Used in Planning Analytical Procedures Comparison with Previous Years' Data Simple ratio analysis comparing current and past data that is prepared as a routine part of planning an audit can highlight risks of misstatement. The auditor often develops ratios on asset turnover, liquidity, and product-line profitability to search for potential signals of risk. For example, an inventory turnover ratio might indicate that a particular product line had a turnover of four times for the past three years, but only three times this year.
The change may indicate potential obsolescence problems or errors in the accounting records. Even when performing simple ratio analysis, it is important that the auditor go through each of the steps in the process, beginning with the development of expectations.
Planning Materiality The starting point to determining the various levels of materiality is planning materiality. How does an auditor determine planning material? Most audit firms provide firm-specific guidance and decision aids to assist auditors in making consistent materiality judgments.
The guidelines usually involve applying a percentage to some benchmark, such as total assets, total revenue, or net income. In choosing a benchmark, the auditor considers the stability of the base from year to year, and the focus of the financial statement users.
Exhibit 7.3 provides commonly used financial ratios that the auditor can use in performing planning analytical procedures. The first three ratios provide information on potential liquidity problems. The turnover and gross margin ratios are helpful in identifying fraudulent activity or items recorded more than once, such as fictitious sales or inventory.
The leverage and capital turnover ratios help in evaluating going-concern problems or adherence to debt covenants. Although the auditor chooses the ratios deemed most useful for a particular client, auditors routinely calculate and analyze the ratios listed in Exhibit 7.3 on a trend basis over time.
Nature,Timing, and Extent of Risk Responses The nature, timing, and extent of the auditor's risk responses depend on the auditor's assessment of the risk of material misstatement. The nature of risk response includes the types of audit procedures the auditor will perform, with a focus on the appropriateness (relevance and reliability) of those procedures. For example, certain audit procedures may be more appropriate for some assertions than other assertions. The auditor can more effectively test the existence of inven- tory by inspecting the inventory, whereas the auditor can more effectively test the valuation of inventory by engaging a specialist.
The nature of risk response could occur at the engagement level such as assembling an audit team with more experienced auditors and auditors with specialized skills or including on the audit team outside specialists to address assessed risks. Other ways to address assessed risks at the engagement level include putting increased emphasis on professional skepticism or incorporating elements of unpredictability in the selection of audit procedures.
In Staff Accounting Bulletin (SAB) No. 99, the SEC expresses concern about auditors not considering qualitative factors in their materiality assessments:
The use of a percentage as a numerical threshold, such as 5%, may provide the basis for a preliminary assumption that—without considering all relevant circumstances—a deviation of less than the specified percentage with respect to a particular item on the registrant's financial statements is unlikely to be material. The staff has no objection to such a "rule of thumb" as an initial step in assessing materiality. Quantifying, in percentage terms, the magnitude of a misstatement is only the beginning of an analysis of materiality; it can- not appropriately be used as a substitute for a full analysis of all relevant considerations.
Using Planning Analytical Procedures to Assess the Risk of Material Misstatement Planning analytical procedures used as a risk assessment procedure help auditors improve their understanding of the client's business.
These procedures also help auditors identify risks of material misstatement in particular account balances and direct the auditor's attention to high-risk areas.
Identifying and Assessing the Risk of Material Misstatement Client Business Risks You cannot audit what you do not understand! When making client acceptance or continuance decision, the auditor obtains an initial understanding of the client and its business risks. The auditor continues to increase this understanding when planning the audit. Client business risks are risks affecting the business operations and potential outcomes of an organization's activities.
These risks likely have pervasive effects across an organization and can potentially affect the risk of material misstatement for many accounts and assertions (the risk of material misstatement at the financial statement level).
The entire audit team attends the brainstorming sessions, which the audit partner or manager often lead.
These sessions are a way to transfer knowledge from top-level auditors to less senior members of the audit team via interactive and constructive group dialogue and idea exchange.
For example, if a particular industry ratio increased over time, the auditor should expect that the client's ratio would also increase over time. In the following example, the percentage of sales returns and allowances to net sales for the client does not vary significantly from the industry average for the current period, but comparing the trend over time yields an unexpected result.
This comparison shows that even though the percentage of sales returns for 2018 is close to the industry average, the client's percentage declined significantly from 2017, while the industry's percentage increased. In addition, except for the current year, the client's percentages exceeded the industry average. The result is different from the auditor's expectation that the percentage would increase from the prior period—it likely exceeds the auditor's threshold, and, thus, the auditor should investigate the potential cause.
The audit risk model is presented as Audit Risk 5 Inherent Risk 3 Control Risk 3 Detection Risk.
This model provides a conceptual way to consider risks relevant to the audit.
When this risk is high, the auditor is concerned that management has recorded transactions or presented financial data inaccurately. When assessing this risk, auditors consider all of the items on a company's financial statements that are subjective and based on judgment, such as asset impairments, mark-to-market accounting, warranties, returns, pensions, and estimates regarding the useful lives of assets, among others.
While client business risk does not necessarily lead to material misstatements in the financial statements, the risk represents issues that could threaten the financial viability and financial reporting accuracy of the organization.
Once the auditor determines planning materiality, the auditor then sets performance materiality to determine significant accounts and the audit procedures to perform. A common approach to determining performance materiality is to calculate 75% of planning materiality. Continuing the example of a client where planning materiality is set at $100,000, performance materiality would then be set at $75,000.
While the auditor will commonly use 75% to set performance materiality, this percentage typically ranges from 50% to 75%. If performance materiality is set too high, the auditor might not perform sufficient procedures to detect material misstatements in the financial statements. If performance materiality is set too low, the auditor might perform more substantive procedures than necessary.
Responding to Identified Risk of Material Misstatement Determining Evidence Needed in the Audit By combining assessed inherent risk and control risk for each significant assertion/ account, the auditor obtains the risk of material misstatement for each significant assertion/account. In practice, inherent risk and control risk are typically set at one of two levels: high or low. When the auditor combines these two risks into the risk of material misstatement, the risk of material misstatement will be at one of three levels: high, moderate, or low.
With the assessment of the risk of material misstatement, and consideration of the desired level of audit risk (usually 1% or 5%), the auditor determines detec- tion risk. Detection risk provides guidance to the auditor on the substantive audit procedures needed to ensure that the audit achieves the desired audit risk. The sufficiency and appropriateness (relevance and reliability) of the evidence the auditor needs from substantive auditing procedures affect detection risk. Detection risk incorporates both types of substantive procedures—substantive analytical procedures and tests of details.
According to AU-C 315, a significant risk is an identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special consideration. AU-C 315 provides guidance on factors that the auditor should consider when determining if a risk is significant. The standard states: In exercising professional judgment about which risks are significant risks, the auditor should consider:
a. whether the risk is a risk of fraud; b. whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention; c. the complexity of transactions; d. whether the risk involves significant transactions with related parties; e. the degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and f. whether the risk involves significant transactions that are outside the normal course of business for the entity or that otherwise appear to be unusual.
Some ratios are industry specific. In the banking industry, for example, auditors calculate ratios on percentages of nonperforming loans, operating margin, and average interest rates by loan categories. Auditors generally perform ratio and trend analysis through a comparison of client data with expectations:
• Based on industry data • Based on similar prior-period data • Developed from industry trends, client budgets, other account balances, or other bases of expectations
Further, the auditor can only complete certain procedures at or after period end. These procedures include:
• Compare the financial statements to the accounting records • Evaluate adjusting journal entries made by management in preparing the financial statements • Conduct procedures to respond to risks that management may have engaged in improper transactions at period end
Materiality judgments provide a basis for:
• Determining the nature and extent of risk assessment procedures • Identifying and assessing the risks of material misstatement • Determining the tests of controls and substantive audit procedures to perform
While audit firms typically have policies related to setting materiality, professional judgment is very important. The auditor should consider the following items when setting materiality:
• Financial statement items on which users will focus their attention • Nature of the client and industry • Size of the client • Manner in which the client is financed • Volatility of the benchmark • Intensity of the level of analyst following
The Audit Risk Model Exhibit 7.2 provides an overview of the risks relevant to an audit and introduces the following risks included in the audit risk model:
• Inherent Risk—The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls. • Control Risk—The risk that a misstatement that could occur in an assertion about a class of transaction, account balance, or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. • Audit Risk—The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. • Detection Risk—The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
As an example, consider the risk assessment procedures that auditors might perform related to one component of internal controls—management's risk assessment. To obtain this understand- ing, the auditor typically uses some or all of the following risk assessment procedures:
• Interview relevant parties to develop an understanding of the processes used by the board of directors and management to evaluate and manage risks • Review the risk-based approach used by the internal audit function with the director of the internal audit function and with the audit committee • Interview management about its risk approach, risk preferences, risk appetite, and the relationship of risk analysis to strategic planning • Review outside regulatory reports, where applicable, that address the company's policies and procedures toward risk • Review company policies and procedures for addressing risk • Gain a knowledge of company compensation schemes to determine if they are consistent with the risk policies adopted by the company • Review prior years' work to determine if current actions are consistent with risk approaches discussed with management • Review risk management documents • Determine how management and the board monitor risk; identify changes in risk; and react to mitigate, manage, or control the risk
Risk Assessment Procedures for Assessing Client Business Risks The auditor performs many procedures when obtaining an understanding of the client's business and associated business risks. These procedures include monitoring the financial press and SEC filings and broker analyses, developing a firm-specific and industry-based knowledge management system, and utilizing other online information sources about a company. The auditor also inquires of management, reviews internal risk management documentation, inquires of other knowledgeable individuals at the client, and reviews legal or regulatory proceed- ings against the company. Following are some resources an auditor can use to learn more about an organization's business risks:
• Management inquiries—The auditor should interview management to identify its strategic plans, its analysis of industry trends, the potential impact of actions it has taken or might take, and its management style. • Review of client's budget—The budget, representing management's fiscal plan for the forthcoming year, provides insight into management's approach to operations and to risks the organization might face. The auditor looks for significant changes in plans and deviations from budgets, such as planned disposal of a line of business, significant research or promotion costs associated with a new product introduction, new financing or capital requirements, changes in compensation or product costs due to union agreements, and significant additions to property, plant, and equipment. • Tour of client's plant and operations—A tour of the client's production and distribution facilities offers much insight into potential audit issues. The auditor can visualize cost centers, as well as shipping and receiving procedures, inventory controls, potentially obsolete inventory, and possible inefficiencies. The tour increases the auditor's awareness of company procedures and operations, providing direct experience into sites and situations that are otherwise encountered only in company documents or observations of client personnel. • Review relevant government regulations and client's legal obligations—Few industries are unaffected by governmental regulation, and much of that regulation affects the audit. For example, auditors need to determine potential liabilities associated with cleanup costs defined by the Environmental Protection Agency. The auditor normally seeks information on litigation risks through an inquiry of management, but follows up that inquiry with an analysis of litigation prepared by the client's legal counsel. • Knowledge management systems—Audit firms have developed these systems around industries, clients, and best practices. These systems also capture information about relevant accounting or regulatory requirements for the companies and can be used to develop risk alerts for the companies. • Online searches—Internet search companies (such as Hoovers at www .hoovers.com) are an excellent source of information about companies. Other online searches can be conducted through other portals such as Google. Yahoo has two excellent sources of information: (1) a financial section that provides data about most companies and (2) a chat line that contains current conversations about the company (much of which, of course, might be unreliable). • Review of SEC filings—The auditor can search the SEC filings online through the EDGAR system. The filings include company annual and quarterly reports, proxy information, and registration statements for new security issues. These filings contain substantial information about the company and its affiliates, officers, and directors. The auditor can use this information to obtain an understanding of management's compensation arrangements, including incentive compensation that may provide important information about management incentives and bonus arrangements. Further, the auditor should monitor trading activity of the company's securities, along with the relevant holdings of top-level management and/or board members. • Company websites—A company's web site can contain information that is useful in understanding its products and strategies. As companies provide more information online, auditors should review the information to keep informed of developments. • Economic statistics—Most industry data, including regional data, can now be found online. The auditor can compare the results of a client with regional economic data. For example, the auditor would likely question why a company is growing at a rate of 50%, while the overall industry is growing at a significantly slower rate. That question arises only if the auditor has industry information. • Professional practice bulletins—The American Institute of Certified Public Accountants (AICPA) publishes Audit Risk Alerts, and the SEC often issues practice bulletins to draw the profession's attention to important issues. Both the Public Company Accounting Oversight Board (PCAOB) and the International Auditing and Assurance Standards Board (IAASB) have also published several Staff Audit Practice Alerts dealing with topics such as significant unusual transactions, fair value measurements, and the economic environment. • Stock analysts' reports—Brokerage firms invest significant resources in conducting research about companies, their strategies, competitors, quality of management, and likelihood of success. Many of the major investment analysts have access to top management and are the beneficiaries of frequent analysts' meetings. These reports may contain a wealth of useful information about a client. • Company earnings calls—The auditor can observe or read the transcripts of management's earnings calls in order to understand the most up-to-date issues that the company is facing, along with management's publicly disclosed plans.
A difficulty that auditors face with some clients is how to identify significant locations and accounts when the client has:
• Many locations • Some locations requiring separate reporting (regulatory reports) in addition to consolidated financial reports • Significant segments and the importance of segments vary
Some ways to introduce unpredictability include:
• Perform some audit procedures on accounts, disclosures, and assertions that would otherwise not receive audit attention because they are considered low risk • Select items for testing that are outside the normal boundaries for testing (e.g., that are lower than prior-year materiality) • Perform audit procedures on a surprise or unannounced basis • Vary the locations or procedures year to year for multilocation audits
When control risk is high, the auditor is concerned that a material mis- statement may not be prevented or that if a material misstatement exists in the organization's financial statements that it will not be detected and corrected by management. Some level of control risk is always present because of the limitations in internal control. The following factors can lead auditors to assess control risk at a higher level:
• Poor controls in specific countries or locations • Difficulty gaining access to the organization or determining the individuals who own and/or control the organization • Little interaction between senior management and operating staff • Lack of supervision of accounting personnel
Risk Assessment Procedures for Assessing Management Integrity Evaluating management integrity is critical in assessing client business risk. However, making such an evaluation is difficult and subjective. This feature identifies information sources an auditor might use to evaluate management integrity.
• Predecessor auditor—Information obtained directly through inquiry of the predecessor auditor is required by professional auditing standards. The predecessor is required to respond to the auditor unless such data are under a court order or if the client will not approve communicating confidential information. • Other professionals in the business community—Examples include lawyers and bankers with whom the auditor normally has good working relationships and of whom the auditor makes inquiries as part of the process of getting to know the client. • Other auditors within the audit firm—Other auditors within the firm may have dealt with current management in connection with other engagements or with other clients. • News media and web searches—Information about the company and its management might be available in financial journals, magazines, industry trade magazines, or on the web. • Public databases—Computerized databases can be searched for public documents dealing with management or any articles on the company. Similarly, public databases such as LEXIS can be searched for the existence of legal proceedings against the company or against key members of management. • Preliminary interviews with management—These interviews can be helpful in understanding the amount, extent, and reasons for turnover in key positions. Personal interviews can also be helpful in analyzing the frankness or evasive- ness of management in dealing with important company issues affecting the audit. • Audit committee members—Members of the audit committee might have been involved in disputes between the previous auditors and management and might have additional insight. • Inquiries of federal regulatory agencies—Although this is not a primary source of information, the auditor might want to make inquiries of specific regulatory agencies regard- ing pending actions against the company or the history of regulatory actions taken with respect to the company and its management. • Private investigation firms—Use of such firms is rare, but is increasingly being done when the auditor becomes aware of issues that merit further inquiry about management integrity or management's involvement in potential illegal activities.
One issue critical to understanding the client's financial reporting risks involves analyzing management's selection and application of accounting principles, including related disclosures. The auditor needs to determine whether management's decisions are appropriate for its business and are consistent with the applicable financial reporting framework for its industry. For example, AS 2101 requires that the auditor obtain an understanding of the following types of matters relevant to under- standing management's application of accounting principles and related disclosures, (These factors suggest that client business risk is associated with recording trans- actions and presenting financial data in an organization's financial statements).:
• Significant changes in the company's accounting principles, financial reporting policies, or disclosures and the reasons for such changes • The financial reporting competencies of personnel involved in selecting and applying significant new or complex accounting principles • The accounts or disclosures for which judgment is used in the application of significant accounting principles, especially in determining management's estimates and assumptions • The effect of significant accounting principles in controversial or emerging areas for which there is a lack of authoritative guidance or consensus • The methods the company uses to account for significant and unusual transactions • Financial reporting standards and laws and regulations that are new to the company, including when and how the company will adopt such requirements
To encourage interactive and constructive group dialogue and idea exchange, the audit team typically follows important guidelines during the brainstorming session:
• Suspension of criticism—Participants are to refrain from criticizing or making value judgments during the session. • Freedom of expression—Participants are encouraged to overcome their inhibitions about expressing creative ideas, and the audit team should note and accept every idea as a possibility. • Quantity of idea generation—Participants are encouraged to provide more ideas rather than fewer, with the intent to generate a variety of possible risk assessment scenarios that the team can explore during the conduct of the audit. • Respectful communication—Participants are encouraged to exchange ideas, further develop those ideas during the session, and to respect the opinions of others.
The following factors should lead an auditor to assess assertion level inherent risk higher, as the auditor is concerned that there is an increased likelihood of a material misstatement:
• The account balance represents an asset that is relatively easily stolen, such as cash • The account balance is made up of complex transactions • The account balance requires a high level of judgment or estimation to value • The account balance is subject to adjustments that are not in the ordinary processing routine, such as year-end adjustments • The account balance is composed of a high volume of nonroutine transactions
Sometimes auditors will revise their initial materiality judgments after more facts about the client and its circumstances become known. Situations potentially requiring a change in materiality judgments include:
• The auditor based initial materiality judgments on estimated or preliminary financial statement amounts that turn out to be different from the audited amounts. • The financial statement amounts used in initially making the materiality judgments have changed significantly. For example, if during the course of the audit, the client significantly adjusted its financial statements, then the auditor may need to revise initial materiality judgments accordingly. • The auditor obtains information indicating that a member of top management or those charged with governance lack integrity.
More importantly, the auditor should develop some potential hypotheses as to why gross margin increased along with the reason for the substantial increase in sales. Then, once the hypotheses are developed, the auditor should determine which set of hypotheses is most likely and then use those for prioritizing audit work. Potential hypotheses for the increase in gross margin include:
• The company has introduced a new product that is a huge market success (e.g., launches of the iMac Pro and the HomePod by Apple). • The company has changed its product mix. • The company has improved its operational efficiencies. • The company has fictitious sales (and consequently no cost of goods associated with those sales).
Each organization has key processes that influence its competitive advantage. The auditor should gather sufficient information to understand these processes, the industry factors affecting key processes, how management monitors the processes and performance, and the potential operational and financial effects associated with key processes. The following factors are examples of factors that would lead the auditor to assess client business risk at a higher level:
• The company lacks personnel or expertise to deal with the changes in the industry • New products and service offerings have uncertain likelihood of successful introduction and acceptance by the market • The use of information technology is incompatible across systems and processes • Expansion of the business for which the demand for the company's products or services has not been accurately estimated • A new business strategy is incompletely or improperly implemented • Financing is lost due to the company's inability to meet financing requirements • Competence and integrity of financial and accounting management • Potential incentives to misstate the financial statements
Exhibit 7.1 provides examples of auditor inquiries when assessing client business risk relating to financial reporting. Questions to Ask When Assessing Financial Reporting Quality: (Selected Excerpts from the NACD Blue Ribbon Commission on Audit Committees)
• What are the significant judgment areas (reserves, contingencies, asset values, note disclosures) that affect the current-year financial statements? What considerations were involved in resolving these judgment matters? What is the range of potential impact on future reported financial results? • What issues or concerns exist that could adversely affect the future operations and/or financial condition of the company? What is management's plan to deal with these future risks? • What is the overall quality of the company's financial reporting, including the appropriateness of important accounting principles followed by the company? • What is the range of acceptable accounting choices the company has available to it? • Were there any significant changes in accounting policies, or in the application of accounting principles during the year? If yes, why were the changes made and what impact did the changes have on earnings per share (EPS) or other key financial measures? • Were there any significant changes in accounting estimates, or models used in making accounting estimates during the year? If yes, why were the changes made and what impact did the changes have on earnings per share (EPS) or other key financial measures? • Are there any instances where the company may be thought of as pushing the limits of revenue recognition? If so, what is the rationale for the treatment chosen? • Have similar transactions and events been treated in a consistent manner across divisions of the company and across countries in which the company operates? If not, what are the exceptions and the reasons for them? • Do the accounting choices made reflect the economic substance of transactions and the strategic management of the business? If not, where are the exceptions and why do they exist? • To what extent are the financial reporting choices consistent with the manner in which the company measures its progress toward achieving its mission internally? If not, what are the differences? • How do the significant accounting principles used by the company compare with leading companies in the industry, or with other companies that are considered leaders in financial disclosure? What is the rationale for any differences? • Has there been any instance where short-run reporting objectives (e.g., achieving a profit objective or meeting bonus or stock option requirements) were allowed to influence accounting choices? If yes, what choices were made and why?
Some possible explanations for the differences include:
•The client has improved its quality control. •The client recorded fictitious sales in 2018. • • The client is not properly recording sales returns in 2018. The auditor designs audit procedures to identify the cause of this difference to determine whether a material misstatement exists.