Ch 4: Management Fraud and Audit Risk
enterprise risk management (ERM)
"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
an asset amount that can be investigated and found to be false or questionable. the matter of finding and investigating the dangling credit is normally very difficult. It "dangles" off the books.
"dangling debit" theory
company sources
(1) reviewing the corporate charter and bylaws or partnership agreement, (2) reviewing contracts, agreements, and legal proceedings, and (3) reading the minutes of the meetings of directors and committees of the board of directors are all examples of what source of information for assessing risk
set a proper tone for the engagement
A secondary objective of the brainstorming discussions during risk assessment is to....
preliminary
According to auditing standards, analytical procedures must be applied in the ____stages of each audit.
1. direct effect noncompliance 2. indirect effect noncompliance
Auditing standards deal with what two types of noncompliance
1. Discussions with engagement personnel 2. Procedures to identify and assess risk 3. Significant decisions during discussion 4. Specific risks identified and audit team responses. 5. Explanation of why improper revenue recognition is not a risk. 6. Results of audit procedures, particularly procedures regarding management override 7. Other conditions causing auditors to believe that additional procedures are required. 8. Communications to management and those charged with governance, such as the audit committee.
Auditors must carefully document the risk assessment process in the workpapers to provide a record of the procedures performed. Items that must be documented include these:
1. develop an expectation 2. define a significant difference (percent difference that is considered reasonable) 3. compare expectation with recorded amount 4. investigate significant differences 5. document each of the preceding steps
Auditors should perform what five steps when completing analytical procedures
nature, timing, extent
Based on the allowable or planned level of detection risk (which is based on the assessment of IR and CR), auditors modify the ___, the ______, and the _____of further audit procedures.
fraudulent financial reporting
Because management fraud usually takes the form of deceptive financial statements, management fraud is sometimes referred to as....
2, 2
Because of the double-entry bookkeeping system, fraudulent accounting entries always affect at least ____ accounts and ____ places in financial statements.
general business source
Bloomberg Businessweek, Forbes, and Fortune are examples of what source of information for assessing risk
yes
Can an external auditor withdraw from an engagement if management and directors do not take satisfactory action after being notified of noncompliance?
embezzlement, larceny
Employee fraud can be classified as either _____ or ______.
1. the fraudulent act 2. the conversion of funds or property to the fraudster's use 3. the cover-up
Employee fraud consists of what three phases?
(1) the reporting objectives of the engagement and the nature of the communications required by auditing standards, (2) the factors that are significant in directing the activities of the engagement team, and (3) the results of preliminary engagement activities and the auditor's evaluation risk assessment.
In establishing the overall audit strategy, the auditor should take into account (3)
1. industry & external factors 2. nature of company 3. accounting principles and disclosures 4. objectives and strategies 5. measurement and analysis of financial performance
In the first step in the risk assessment process where you understand the company and its environment, what 5 things do you need to know
control
Managers build in controls to prevent errors in financial statements from happening, but they may not function as intended. this is known as ____ risk
1. company's organizational structure and management personnel 2. the sources of funding of the company's operations and investment activities 3. the company's significant investments 4. the company's operating characteristics, including its size and complexity 5. The sources of the company's earnings, including the relative profitability of key products and services, and key supplier and customer relationships.
Obtaining an understanding of the nature of the company includes understanding (5)
inherent risk, control risk
Risk of material misstatement (RMM) is comprised of.... (2)
business risks
Risks that could adversely affect companies' ability to achieve objectives and execute strategies are called....
1. internal environment 2. objective setting 3. event identification 4. risk assessment 5. risk response 6. control activities 7. information and communication 8. monitoring.
The ERM framework is composed of what eight elements
1, SEC
The Private Securities Litigation Reform Act of 1995 imposed another reporting obligation that when auditors believe an illegal act that is more than "clearly inconsequential" has or may have occurred, the auditors must inform the company's board of directors. when the auditors believe the illegal act has a material effect on the financial statements, the board of directors has ______ business day(s) to inform the ____
inform the organization's board of directors
The Private Securities Litigation Reform Act of 1995 imposed another reporting obligation that when auditors believe an illegal act that is more than "clearly inconsequential" has or may have occurred, the auditors must.....
detection risk
The likelihood that an error or fraud will not be caught by the auditor's procedures
effectiveness
The nature of the procedures refers to the overall ____ of further audit procedures in detecting misstatements.
significant, relevant disclosures
Using the audit risk model, the auditor adjusts detection risk for _____ accounts and _____
"The auditors communication with those charged with corporate governance"
What is SAS 114
Focuses on direct effect illegal acts
What is SAS 54
Consideration of fraud in a financial statement audit - must specifically assess the risk of material misstatement due to fraud for every engagement
What is SAS99?
SEC form that requires an explanation of an organization's change of auditors
What is form 8-k
preliminary analytical procedures
When completing _______, auditors are required to develop an expectation about what an account balance should be and then compare that expectation to the recorded balance. When doing so, auditors typically use the prior-year balances as the starting point for their expectation for each account balance.
if noncompliance is "clearly inconsequential," and has impact on FS
When must an auditor respond to a client's noncompliance or suspected noncompliance?
matrix approach
When risk is measured qualitatively, how do firms multiply words to assess risk?
inherent
You can think of this risk as the susceptibility of the account to misstatement.
Business risk
_____ assessment makes auditors much more knowledgeable about their client's business and its environment. We should note that, even when taking a top-down approach that starts with an understanding of the risks faced by the client in executing its strategy within the industry, the audit team ultimately still has to focus its procedures on the key accounts and management assertions
business
a detailed understanding of the client's ______ risk is a precursor to assessing audit risk.
enterprise risk management (ERM)
a framework such as the one developed by the Committee of Sponsoring Organizations (COSO) to facilitate the assessment and mitigation of business risks that the entity faces.
Interviewing the entity's management, internal auditors, directors, the audit committee, and other employees
a required audit process that can bring auditors up to date on changes in the business and the industry. Such inquiries of client personnel have the multiple purposes of building personal working relationships, observing the competence and integrity of client personnel, obtaining a general understanding, and probing for problem areas that could harbor financial misstatements.
embezzlement
a type of employee fraud involving employees or nonemployees wrongfully misappropriating funds or property entrusted to their care, custody, and control, often accompanied by false accounting entries and other forms of deception and cover-up.
1. gather info from client acceptance and retention evaluation, audit planning, past audits and other engagements 2. perform analytical procedures 3. brainstorming 4. inquire of audit committee, management and others
after assessing internal controls over financial planning in the risk assessment process, what 4 things must be done to consider the risk of fraud (first 4 steps of 7)
significant accounts or disclosures
an account or disclosure that has a reasonable possibility of containing a material misstatement regardless of the effect of controls.
reasonableness
analytical procedures are _____ tests; auditors compare their expectation for each of the account balances with those recorded by management.
defalcation
another name for employee fraud, embezzlement, and larceny. Auditing standards also call it misappropriation of assets.
management
any fraud committed by _______ no matter how small is material
accounting estimates
approximations of financial statement numbers that are often included in financial statements.
no
are audit teams concerned with fraud that does not affect the financial statements?
yes
are auditors required to respond to a subpoena issued by a court or other agency (due to client confidentiality)
independent, outside members of the board of directors (those not involved in the company's day-to-day operations) who can provide a buffer between the audit firm and management.
audit committees are composed of...
1. inherent risk 2. control risk 3. detection risk
audit risk can be broken down into....
financial statements as a whole, each relevant assertion for significant accounts and disclosures
audit risk is evaluated for both the _____ and for _____
fraud risk
auditing standards require that auditors must presume that improper revenue recognition is a _____
significant
by definition, fraud risks are all _____ risks
no, it is conceptual
can auditors calculate the exact level of DR?
no
can auditors place complete reliance on internal controls to the exclusion of other audit procedures?
more
complexity of the transactions: does being more or less complex lead to higher percentage of errors?
risk response
component of the ERM framework that addresses how the organization will prevent or respond to the adverse conditions if they actually occur. The responses include management policies and procedures to eliminate, mitigate, or compensate for the risks identified.
control activities
component of the ERM framework that are policies and procedures to ensure that risk responses are appropriate given the circumstances and environment in which the organization operates.
monitoring
component of the ERM framework that includes regular management and supervisory activities over risk management activities to make sure they remain in place and operate effectively. (internal audit groups)
objective setting
component of the ERM framework that is management's responsibility to determine the goals and objectives of the organization.
internal environment
component of the ERM framework that is the "risk consciousness" of the organization and includes the organization's risk management philosophy and "risk appetite," its integrity and ethical values, and the environment in which it operates.
event identification
component of the ERM framework that is the identification of conditions and events that could adversely affect management's objectives. Supplier problems, poor weather conditions that can affect the trucks supplying the stores, and information system breakdowns are just several of the events that could adversely affect Walmart's ability to keep its stores' shelves stocked.
risk assessment
component of the ERM framework that is the systematic process for estimating the likelihood of adverse conditions occurring. Risks are assessed in terms of both likelihood and impact.
Information and communication
component of the ERM framework that links all components of the ERM. I
management fraud
deliberate fraud committed by management that injures investors and creditors through materially misstated information.
yes
do different types of accounts have different levels of risk for the same assertions (existence, valuation, etc)
yes
do professional auditing standards require auditors to let financial statement users know whether they have substantial doubts as to whether the client will able to survive into subsequent periods?
no, except that it should be "appropriately" low.
does the audit profession have an official standard for acceptable level of audit risk?
higher
dollar size of the account: does a higher account balance lead to a lower or greater chance of having errors or fraud in the account
yes
due to the fact that auditors are required to keep client information confidential, under AICPA auditing standards, can limited disclosures to outside agencies of frauds and clients' noncompliance be permitted.
horizontal analysis
during analytical procedures, many auditors start with comparative financial statements and calculate year-to-year changes in balance-sheet and income- statement accounts. this is known as....
vertical analysis
during analytical procedures, this is when auditors calculate common-size statements in which financial statement amounts are expressed as percent- ages of a base, such as sales for the income-statement accounts or total assets for the balance-sheet accounts
1. dollar size of the account 2. liquidity 3. volume of transactions 4. complexity of the transactions 5. subjective estimates
factors that have been suggested as being related to the susceptibility of accounts to misstatement or fraud (5)
10%, 100,000$
for companies that have not undergone any significant changes in operations, current year recorded amounts should be fairly similar to those of prior year. Because changes are not expected, auditors can identify any changes more than ______% AND _______$ as deserving additional attention
audit risk
giving an unmodified audit opinion when unknown material misstatements (whether due to errors, frauds, or noncompliance with laws or regulations that directly affect the financial statements) actually exist in the statements causes what type of risk?
vague, implausible, or inconsistent responses to inquiries can be a key indicator of the pervasiveness of the fraud. Similarly, problematic or unusual reactions such as refusal to cooperate, hostility, or management delays in responding to the auditors are often present in financial statement frauds.
how can management's response to follow up question be a key source of evidence
generally by examining more evidence
how can the auditor affect detection risk?
reviewing the board of directors' meeting minutes, making inquiries of key executives, and reviewing stock ownership records (5 percent ownership in the company is usually used as a good cutoff).
how do auditors identify related party relationships and transactions? (name a few methods) (3)
1. within one business day give the SEC the same report they gave the board of directors OR 2. resign from the engagement and, within one business day, give the SEC the report. If the auditors do not fulfill this legal obligation, the SEC can impose a civil penalty (e.g., monetary fine) on them.
if an auditor reports an illegal act that has a material effect on the financial statements to the board of directors and they board does not inform the SEC, the auditors must.... (2)
8-k
if the audit firm resigns or is fired for reporting client's fraud to an outside entity, the firm can cite these matters in the letter attached to SEC Form....
no, detection risk depends on and is planned for based on the assessment of the other risk factors.
is detection risk an independent judgement?
greater
liquidity: does greater or smaller account liquidity lead to being more susceptible to fraud?
relevant assertions
management assertions that have a reasonable possibility of containing material misstatements without regard to the effect of controls
direct effect noncompliance
noncompliance that produces direct and material effects on financial statement amounts (e.g., violations of tax or pension laws or government contracting regulations for cost and revenue recognition) that require the same assurance as errors and frauds (i.e., auditors must plan their work to provide reasonable assurance there are no material misstatements),
indirect effect noncompliance
noncompliance which refers to violations of laws and regulations that are not directly connected to financial statements (e.g., violations relating to insider securities trading, occupational health and safety, food and drug administration regulations, environmental protection, and equal employment opportunity).
extent
refers to the number of tests performed
timing
refers to when the further audit procedures take place.
audit risk (AR) = inherent risk (IR) x control risk (CR) x detection risk (DR)
risk model formula
general business sources, company sources, information from Client Acceptance or Continuance Evaluation, Audit Planning, Past Audits, and Other Engagements, preliminary analytical procedures
sources of information for assessing risks includes (4)
more
subjective estimates: do subjective measurements have more or less errors and fraud than objective measurements?
fraud
the act of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the falsehood and act on it and, thus, suffer a loss or damage.
information risk
the probability that the information distributed by an entity will be materially false and misleading
brainstorming
the risk assessment process includes required audit team _____ sessions in which critical audit areas are discussed.
audit strategy memorandum
the scope, timing, and direction for auditing each relevant assertion based on the results of the audit risk model
employee fraud
the use of fraudulent means to misappropriate funds or other property from an employer. It usually involves falsifications of some kind: using false documents, lying, exceeding authority, or violating an employer's policies.
detection risk
there is an inverse relationship between RMM and ______ risk (the greater the risk of material misstatement, the lower the detection risk that auditors could allow in order to maintain the level of audit risk with which they feel comfortable.)
related parties
those individuals or organizations that can influence or be influenced by decisions of the company, possibly through family ties or investment relationships
significant risks
those risks that require special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk.
avoid it, control it and share it (can also just accept it)
three basic ways that management can mitigate risk are (3)
white collar crime
type of crime that is the misdeeds of people who wear ties to work and steal with a pencil or a computer terminal.
larceny
type of employee fraud that is simple theft; for example, an employee misappropriates an employer's funds or property that has not been entrusted to the custody of the employee.
errors
unintentional misstatements or omissions of amounts or disclosures in financial statements.
higher
volume of transactions: does a higher or lower volume in transactions lead to a higher percentage of errors or fraud?
examining more transactions, performing extended procedures, including targeting tests toward higher risk areas, performing more tests of transactions at year-end rather than at interim points, and gathering higher quality evidence.
what are some responses to significant risks? (5)
1. invalid transactions are recorded 2. valid transactions or disclosures are omitted from the FSs 3. Transaction or disclosure amounts are inaccurate 4. transactions are classified in the wrong accounts 5. transaction accounting an posting are incorrect 6. transactions are recorded in the wrong period 7. disclosures are incomplete or misleading
what are the 7 categories of misstatements
assess risk factors, respond (re substantive procedures, specialists, etc), communicate
what are the last three steps of the risk assessment process?
auditors view all activities in a client's organization first in terms of risks that threaten the attainment of strategies and objectives and then in terms of management's plans and processes to mitigate the identified risks (for example, by using the ERM framework).
what is a top-down approach to risk assessment?
limited to performing specified audit procedures that may identify noncompliance with those laws and regulations that may have a material effect on the financial statements, making inquiry of management and those charged with governance, and inspection of correspondence with relevant licensing or regulatory authorities
what is an auditor's responsibility for detecting indirect-effect noncompliance?
understand the company and its environment
what is the first step in the risk assessment process?
understand internal control over financial reporting
what is the second step in the risk assessment process?
information from client acceptance and retention evaluation, audit planning and other engagements
what is the third step in the risk assessment process?
cash flow analysis
what time of analysis is good for detecting issues regarding going concern?
inherent
when results of events and transactions are recorded through information processing where errors and frauds can occur resulting in misstated financial statements, this is _____ risk
going concern (whether the company can remain a going concern)
whether the client will able to survive into subsequent periods is called _____
directly to those charged with governance, usually the entity's audit committee of its board of directors. (never inconsequential and should be reported)
who should frauds involving senior managers or employees with significant internal control roles (along with any frauds that cause material misstatement in the financial statements) be reported to?
management at least one level above the people involved
who should minor frauds be reported to?
no
with the risk model/ formula, can auditors estimate inherent risk to be zero and omit other evidence-gathering procedures? AR = IR (=0) x CR x DR = 0
