AUDITING CH 4- THE AUDIT RISK MODEL AND INHERENT RISK ASSESSMENT

control risk

-the probability that the client's internal control activities will fail to prevent or detect material misstatements provided that such misstatements enter or would have entered the accounting system in the first place. -Similar to inherent risk, auditors do not create or manage control risk. -They can only evaluate an entity's internal control system and assess its magnitude in an appropriate manner. -External auditors' task of control risk assessment begins with learning about an entity's internal controls that are designed to prevent and detect material misstatements related to each relevant assertion for each significant account and disclosure. -The auditors then perform tests of controls if appropriate to determine whether they are operating effectively. Factors affecting control risk include: •The environment in which the company operates (its "control environment"); •The existence (or lack thereof) and effectiveness of control activities; and •Monitoring activities (audit committee, internal audit function, etc.).

inherent risk

-the probability that, in the absence of internal controls, material errors or frauds could enter the accounting system used to develop financial statements. -the susceptibility of the account to misstatement. Inherent risk is a function of the nature of the client's business and strategy to achieve competitive advantage, the major types of transactions, and the effectiveness and integrity of its managers and accountants. -It is important to understand that for different accounts, various assertions are riskier than others. Factors affecting inherent risk include: •The nature of the client's business and strategy to achieve a competitive advantage •The major types of transactions •The effectiveness and integrity of managers and accountants

company performance measures

The purpose of obtaining an understanding of the company's performance measures is to determine what information management and others deem to be key indicators of company performance that may affect the risk of material misstatement. A key step for auditors to consider is to try to understand those measures to which management or fnancial statement users might be sensitive.

key insights from audit risk model

(1) Auditors cannot estimate inherent risk to be zero and omit other evidence-gathering procedures. (2) Auditors cannot place complete reliance on internal controls (that is, CR = 0) to the exclusion of other audit procedures. (3) Auditors would not seem to exhibit due professional care if the level of audit risk was too high. (4) Although permissible, audit teams rarely choose to rely exclusively on evidence produced by substantive procedures. Even if they think that control risk is high, auditors often perform some tests of controls to make sure the controls are in place.

client computerized processing

-The degree of centralization inherent in the organizational structure can vary. -A highly centralized organizational structure generally has all signifcant computerized processing controlled and supervised at a central location. The control environment, the computer hardware, and the computerized systems can be uniform throughout the company. Auditors can obtain most of the necessary computerized processing information by visiting the central location. -At the other extreme, a highly decentralized organizational structure generally allows various departments, divisions, subsidiaries, or geographical locations to develop, control, and supervise computerized processing in an autonomous fashion. In this situation, the computer hardware and the computer systems are usually not uniform throughout the company. Thus, auditors might need to visit many locations to obtain the necessary audit information.

Assessment of Risks

•Type of risk •Likelihood of risk •Magnitude of risk •Pervasiveness of risk •Assess controls and programs

Relevant assertions

-According to the professional standards (AS 2201.28), a fnancial statement assertion is relevant if it has a "reasonable possibility of containing a misstatement that would cause the fnancial statements to be materially misstated." -Therefore, based on all of the risk assessment procedures performed, auditors must identify those assertions that have a meaningful bearing on whether the account is fairly stated. -Once the likely sources of misstatements that could cause the fnancial statements to be materially misstated have been identifed, the auditors' next task is to assess the types of risk present, the likelihood that material misstatement has occurred, the magnitude of the risk, and the pervasiveness of the potential for misstatement. This lays the groundwork for the identifcation of internal controls that the client should have in place to mitigate the various risks of material misstatement,

Understanding the Client's Business and Its Environment

-Auditing standards require auditors to obtain a thorough understanding of the business to plan and perform the audit work. -More specifcally, a thorough understanding of the business will help identify areas of increased risk of material misstatement. -Obtaining an understanding of the client's business includes understanding: -Relevant industry, regulatory, and other external factors. -The nature of the company and related parties. The effect of client computerized processing. -The company's selection and application of accounting principles, including related disclosures. -The company's objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement. -The company's measurement and analysis of its financial performance.

Document Risk Assessment

-Auditors must carefully document the risk assessment process in the workpapers to provide a record of the procedures performed. Items that must be documented include the following: -Discussions with engagement personnel. -Procedures to identify and assess risk. -Significant decisions during discussion. -Specific risks identified and audit team responses. -Explanation of why improper revenue recognition is not a risk, if so deemed. -Results of audit procedures, particularly procedures regarding management override. -Other conditions causing auditors to believe that additional procedures are required. -Communications to management and those charged with governance, such as the audit committee.

Selection and Application of Accounting Principles, Including Related Disclosures

-Auditors should evaluate whether the company's selection and application of accounting principles are appropriate for its business and consistent with the applicable fnancial reporting framework and accounting principles used in the relevant industry. Auditors should pay attention to signifcant changes in the company's accounting principles, fnancial reporting policies, or disclosures and the reasons for such changes; signifcant accounting principles in controversial or emerging areas; and the methods the company uses to account for signifcant and unusual transactions. -Accounting estimates are a concern because numerous fraud cases have involved the deliberate manipulation of estimates to increase net income. -Management is responsible for making accounting estimates. Auditors are responsible for determining that all appropriate estimates have been made, that they are reasonable, and that they are presented in conformity with GAAP and adequately disclosed. -With respect to auditing accounting estimates, auditors are supposed to monitor the differences between management's estimates and the closest reasonable estimates supported by the audit evidence and evaluate the differences taken altogether for indications of a systematic bias.

Impact of Detection Risk on the Nature, Timing, and Extent of Audit Procedures

-Based on the allowable or planned level of detection risk (which is always based on the assessment of IR and CR), auditors modify the nature, the timing, and the extent of further audit procedures. -there is an inverse relationship between RMM (i.e., inherent risk and control risk) and detection risk. -In other words, the greater the risk of material misstatement, the lower the detection risk that auditors could allow in order to maintain the level of audit risk with which they feel comfortable. -If the relevant assertion is risky or the related controls are poor, auditors would want to reduce detection risk by modifying the nature, timing, and extent of further procedures to increase their effectiveness. -On the other hand, if the account is not risky and controls are strong, the auditor could employ less effective (and presumably less costly) substantive audit procedures. lower detection risk allowed--> -more effective tests (nature) -testing at year end (timing) -more tests (extent) higher detection risk allowed--> -less effective tests (nature) -testing at interim (timing) -fewer tests (extent)

Factors related to the susceptibility of accounts to misstatement or fraud may include:

-Dollar size of the account. The higher the account balance, the greater the chance of having errors or fraud in the account. -Liquidity. The greater the account's liquidity (ability to be easily converted to cash), the more susceptible the account is to fraud. For example, cash is more susceptible to theft than, say, a building. -Volume of transactions. The higher the volume of transactions, the higher the chance of error or fraud occurring in the transactions. -Complexity of the transactions. Very complex transactions (e.g., those involving derivative securities or hedging transactions) tend to have a higher percentage of errors than simple transactions. -Subjective estimates. Subjective measurements (e.g., estimating the allowance for doubtful accounts) tend to have more errors and fraud than objective measurements (e.g., counting petty cash). Simply stated, the more subjective the measurement, the easier it is to manipulate. -At a preliminary level, the best indicator of the risk of a material misstatement in the year under audit is a material misstatement that was discovered during the previous audit. -Also, changes in transaction types, technology, personnel, or accounting principles may increase the risk of material misstatement.

Auditors' Responsibilities for Noncompliance With Laws and Regulations

-In addition to errors and fraud, a client's noncompliance with laws and regulations can cause fnancial statements to be materially misstated, and external auditors are advised to be aware of circumstances that could indicate noncompliance (Exhibit 4.12). -Auditors are not required to be legal experts, but they must understand the legal and regulatory framework under which their client operates and how the entity is compliant with that framework. -Auditing standards deal with two types of noncompliance: (1) direct-effect noncompliance, which produces direct and material effects on financial statement amounts (e.g., violations of pension laws or government contract regulations for revenue and expense recognition) that require the same assurance as errors and frauds (i.e., auditors must plan their work to provide reasonable assurance there are no material misstatements), and (2) indirect-effect noncompliance, which refers to violations of laws and regulations that are not directly connected to financial statements (e.g., occupational health and safety, food and drug administration regulations, environmental protection, and equal employment opportunity). -according to professional standards, auditors have the same responsibility for detecting material misstatements resulting from illegal acts that have a direct and material effect on the fnancial statements as they do for those caused by errors or fraud. -If the auditor becomes aware of the possibility that an illegal act occurred that might have a material effect on the fnancial statements, the auditor should perform procedures that are directly focused on whether such an illegal act occurred. Otherwise, because the auditor cannot be considered an expert in all laws and regulations, an auditor is not required to provide assurance about indirect-effect noncompliance.

Fraud and Other Significant Risks

-In addition to the risk assessment based on factors previously identified, auditing standards require several other fraud risk assessments to be made. -First, auditors must presume that improper revenue recognition is a fraud risk. -Another risk is that, despite the existence of controls, management might override the controls through force of authority. -Examine journal entries and other adjustments. -Review accounting estimates for biases. -Evaluate business rationale for significant unusual transactions. -In addition, while completing risk assessment procedures, auditors may determine that an identifed risk represents a signifcant risk. -Significant risks are those risks that require special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk. -By defnition, fraud risks are signifcant risks. -Auditors should specifcally examine controls and design tests to address signifcant risks. Auditors should evaluate quantitative and qualitative risk factors based on the likelihood and potential magnitude of misstatements. -Auditors must next respond to the results of the risk assessments. -Using the audit risk model, the auditor adjusts detection risk for signifcant accounts and relevant disclosures. -Additional considerations must be made for risks identifed as signifcant risks. -For example, if the potential for fraud is high, auditors should include more experienced team members. -Other responses include examining more transactions, performing extended procedures, including targeting tests toward higher risk areas, performing more tests of transactions at year-end rather than at interim points, and gathering higher quality evidence. -Finally, the auditors should use less predictable audit procedures such as "surprise" inventory observations in which management is not told at which company warehouse locations auditors will show up to watch the client counting inventory or extended procedures such as using larger sample sizes. -Discrepancies in the accounting records, conficting evidence, and missing documentation are all symptomatic of fnancial statement fraud. When such instances are identifed, auditors must follow up with management to identify the source of the problems. -Management's response is a key source of evidence; vague, implausible, or inconsistent responses to inquiries can be a key indicator of the pervasiveness of the fraud. -Similarly, problematic or unusual reactions such as refusal to cooperate, hostility, or management delays in responding to the auditors are often present in fnancial statement frauds. -The evaluation for potential fraud continues throughout the audit.

inherent risk assessment

-Risk assessment underlies the entire audit process. -Inherent risk refers to the exposure or susceptibility of an assertion within an entity's financial statements to a material misstatement without regard to the system of internal controls. -A detailed understanding of an audit client's business model, including its products and services, is an essential part of an auditor's inherent risk assessment process at both the fnancial statement and the fnancial statement assertion levels. -helps to guide the auditor in allocating more and stronger resources to test specifc accounts and disclosures that present a higher likelihood of material misstatement and therefore present a higher level of inherent risk. -provides the basis for executing an appropriate response to the risks identifed general categories of misstatements: (1) invalid transactions are recorded (occurrence) (2) valid transactions or disclosures are omitted from the FS (completeness) (3) transaction or disclosure amounts are inaccurate (accuracy) (4) transactions are classified in the wrong accounts (classification) (5) transaction accounting and posting are incorrect (accuracy) (6) transactions are recorded in the wrong period (cutoff) (7) disclosures are incomplete or misleading (presentation and disclosure)

Overall Assessment and Documentation of Inherent Risk

-The overall goal of the risk assessment process that has been described in this chapter is to identify and then properly assess the risks of material misstatement that exist at an audit client. -Once the risk assessment process is complete, auditors have a basis to plan and then implement an appropriate testing response for each of the assessed risks. This process must be completed in a very detailed manner for each relevant assertion related to each signifcant fnancial statement account and disclosure. -The assessment of inherent risk needs to occur for each significant financial statement account and disclosure. -The auditor should evaluate both quantitative and qualitative risk factors associated with the financial statement account or disclosure. -After the significant accounts and disclosure have been identified, the auditor needs to identify the relevant financial statement assertions. -A financial statement assertion is relevant if it has a "reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated."

Industry, regulatory, and other external factors

-This includes a detailed understanding of the regulatory environment, including the applicable fnancial reporting framework (e.g., U.S. GAAP or IFRS). Auditors must also understand the broad economic environment in which the client operates, including such things as the effects of national economic policies (e.g., price regulations and import/export restrictions), the geographic location and its economy (e.g., northeastern states versus sunbelt states), and developments in taxation and regulatory areas (e.g., industry regulation, approval processes for products in the drug and chemical industries). -Industry characteristics are also important. -Industry expertise also involves knowledge of the competition and an understanding of the client's market. Few auditors are experts in all of these areas. Public accounting frms must have experts in all industries they examine and rely on them to supervise audits in their industry of expertise.

The Private Securities Litigation Reform Act of 1995

-Under this law, when auditors believe an illegal act that is more than "clearly inconsequential" has or may have occurred, the auditors must inform the organization's board of directors. -When the auditors believe the illegal act has a material effect on the financial statements, the board of directors has one business day to inform the SEC. -If the board decides not to inform the SEC, the auditors must (1) within one business day give the SEC the same report they gave the board of directors or (2) resign from the engagement and, within one business day, give the SEC the report. -If the auditors do not fulfill this legal obligation, the SEC can impose a civil penalty (e.g., monetary fine) on them.

fraud risk

-a special case of risk of material misstatement related to those situations where management intended to mislead the marketplace by issuing fraudulent financial statements. -Prior to assessing inherent risk, it is important to understand fraud risk and the role it plays in the assessment of risk of material misstatement. -not a specific part of the audit risk model, but can never be ignored and does have an impact on the risk of material misstatement (that is, inherent risk and control risk) assessments. -Auditors are required to consider fraud risk on each audit engagement for each relevant assertion related to each significant account and disclosure identified for an audit client. -When applying the audit risk model and assessing the risk of material misstatement, the auditor must always remember that a misstatement in the fnancial statements may be caused by an error or a fraud. What makes fraud different from errors is intent. -Because of the damage to the capital markets caused by fraudsters who have intentionally misstated their fnancial statements, and the diffculty of discovering misstatements that management is actively trying to hide, auditors must give separate and careful attention to fraud risk on every audit engagement. -required brainstorming session to consider the risk of fraud on every audit engagment -the nature, timing, and extent of audit work should change as a result of the auditor's ultimate fraud risk assessment. In general, the lower the risk of material misstatement due to fraud, the less persuasive the audit evidence needs to be. It therefore follows that when fraud risk factors are identifed, the auditor generally must obtain more persuasive audit evidence. -Most importantly, once fraud risk factors are identifed, the auditor should clearly identify the fraud risks and then design and perform procedures that respond directly to fraud risks. -audit teams are concerned with fraud only as it affects the financial statements. That is, audit teams are not responsible to detect all fraud but are responsible to detect cases where fraudulent activity results in materially misstated financial statements.

misappropriation of assets

-also called employee fraud -involving "the theft of an entity's assets and is often perpetrated by employees in relatively small or immaterial amounts." -Employee fraud is the use of fraudulent means to misappropriate funds or other property from an employer. -It usually involves falsifications of some kind: using false documents, lying, exceeding authority, or violating an employer's policies. -It consists of three phases: (1) the fraudulent act, (2) the conversion of the funds or property to the fraudster's use, and (3) the cover-up. -Employee fraud can be classified as either embezzlement or larceny. Other definitions related to misappropriation of assets are (1) Embezzlement is a type of fraud involving employees or non-employees wrongfully misappropriating funds or property entrusted to their care, custody, and control, often accompanied by false accounting entries and other forms of deception and cover-up. (2) Larceny is simple theft; for example, an employee misappropriates an employer's funds or property that has not been entrusted to the custody of the employee. (3) Defalcation is another name for employee fraud, embezzlement, and larceny

audit committee

-composed of independent, outside members of the board of directors (those not involved in the company's day-to-day operations) who can provide a buffer between the audit firm and management. -All companies with securities traded on the exchanges (e.g., New York, American, and NASDAQ) are required to have

audit risk model (ARM)

-decomposes overall audit risk into three components: inherent risk (IR), control risk (CR), and detection risk (DR). -designed to help auditors understand how the assessment of each component affects the overall audit risk being faced on the engagement -Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR) -detection risk depends on and is planned for based on the assessment of the other risk factors DR = AR/(IR × CR) -that amount ^ is how much DR the auditor can allow and still maintain the allowable level of audit risk

extent

-extent refers to the number of tests performed. -Clearly, the larger the number of accounts receivable confrmations that are mailed to customers, the greater the chance of fnding errors and fraud, and therefore, the lower the detection risk.

related parties

-include those individuals or organizations that can influence or be influenced by decisions of the company, possibly through family ties or investment relationships. -According to the professional standards, an auditor's primary objective in regard to related parties is to obtain the evidence needed to determine whether "related parties and relationships and transactions with related parties have been properly identifed, accounted for, and disclosed in the fnancial statements." -Some methods include reviewing the board of directors' meeting minutes, making inquiries of key executives, and reviewing stock ownership records (5 percent ownership in the company is usually used as a good cutoff). Auditors also should question the persuasiveness of the evidence obtained from related parties because the source of the evidence may be biased. Hence, auditors should obtain evidence of the purpose, nature, and extent of related-party transactions and their effect on fnancial statements, and the evidence should extend beyond inquiry of management.

indicators of a company's noncompliance

-investigations, fines, penalties -payments for unspecified services or loans to consultants, related parties, employees, or government employees -excessive sales commissions or agent's fees purchase significantly above or below market -unusual transactions with companies in tax havens -payments to countries other than origination -inadequate audit trail -unauthorized or improperly recorded transactions -media comment -noncompliance cited in reports of examinations -failure to file tax returns or pay government duties or fees

Qualitative and Quantitative Control Risk

-low control risk- 0.1-0.45 -moderate control risk- 0.4-0.7 -

fraudulent financial reporting

-management fraud -"intentional misstatements, including omissions of amounts or disclosures in financial statements to deceive financial statement users. -It can be caused by the efforts of management to manage earnings in order to deceive financial statement users by influencing their perceptions about the entity's performance and profitability." -Management fraud is deliberate fraud committed by management that injures investors and creditors through materially misstated information.

nature

-of an audit procedure refers to the type of procedure (e.g., observation, recalculation, inquiry). -When determining, the auditor is considering what to do. -When doing so, the auditor considers the overall effectiveness of different types of audit procedures in detecting misstatements.

timing

-refers to when the audit procedures will be completed. -To do so, the auditor typically considers whether to complete the procedures at an interim date or at the balance sheet date. -While confrmation of accounts receivable may be performed at an interim date, auditors are expressing an opinion on year-end balances. -The closer the procedures are performed to year-end (the balance sheet date), the more effective they are because there is less chance of a material misstatement occurring between the interim confrmation date and year-end.

Preliminary Analytical Procedures

-required for auditors to complete during preliminary stage -auditors are required to develop an expectation about what an account balance should be and then compare that expectation to the recorded balance. -When doing so, auditors typically use the prior-year balances as the starting point for their expectation for each account balance. -At this stage, analytical procedures are reasonableness tests; auditors compare their expectation for each of the account balances with those recorded by management -During this critical point of the engagement, auditors use analytical procedures to identify potential problem areas so that subsequent audit work can be designed to reduce the risk of missing something important. -Analytical procedures during the preliminary stages also provide an organized approach—a standard starting place—for becoming familiar with the client's business and identifying areas of risk. -Auditors need to remember that preliminary analytical procedures are based on unaudited data, so they should consider the effectiveness of controls over their reliability when deciding how much weight to place on the results.

fraud

-the act of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the falsehood and act on it and, thus, suffer a loss or damage. -Through both fraud and aggressive fnancial reporting, some companies have caused fnancial statements to be misstated, usually by (1) overstating revenues and assets, (2) understating expenses and liabilities, and (3) giving disclosures that are misstated or that omit important information. -Fraud that affects fnancial (or other) information and causes fnancial statements to be materially misstated often arises from the perceived need to get through a diffcult period. -The diffcult period may be characterized by cash shortage, increased competition, cost overruns, and similar events that cause fnancial diffculty. -Managers usually view these conditions as temporary, believing that getting a new loan, selling stock, or otherwise buying time to recover can overcome them. -In the meantime, falsifed fnancial statements are used to beneft the company. Generally, fraudulent fnancial statements show fnancial performance and ratios that are more favorable than current industry experience or than the company's own history. There are three categories of factors that might indicate increased risk of fraudulent financial reporting including: Ø Management's characteristics and influence Ø Industry conditions Ø Operating characteristics and financial stability -A very common reason cited for falsifying fnancial statements is so a company can meet its earnings projections either provided by management or set by fnancial analysts. Simply stated, when a company fails to meet earnings projections, its stock price usually falls and the managers of the company face great scrutiny -Because of the double-entry bookkeeping system, fraudulent accounting entries always affect at least two accounts and two places in fnancial statements. -Because many frauds involve improper recognition of assets, there is a theory of the "dangling debit," which is an asset amount that can be investigated and found to be false or questionable. -Frauds may involve the omission of liabilities, but the matter of fnding and investigating the dangling credit is normally very diffcult. It "dangles" off the books. In other words, the "dangling credit" is a credit that was never recorded to a liability account, resulting in an omission of a liability that should have been recorded. (Consider the implications for the completeness assertion in this scenario.) -Misstated disclosures also present diffculty, mainly because they involve words and messages instead of numbers. Omissions may be diffcult to notice, and misleading inferences may be very subtle.

extended procedures

-the audit procedures used in response to heightened fraud awareness as the result of the identification of significant risks. -includes targeting tests toward higher risk areas, performing more tests of transactions at year-end rather than at interim points, and gathering higher quality evidence.

Risk assessment

-the foundation of the audit process. -It should drive what audit procedures to perform in order for the auditor to obtain reasonable assurance that the financial statements are free of material misstatement. -Improper assessment can lead to improper audit responses which, in turn, can lead to audit failure. -Proper assessments yet failure to respond to those assessments can also lead to audit failure, that is, issuing an unmodifed (or unqualifed) opinion when in fact there is a material misstatement in the financial statements

white-collar crimes

-the misdeeds of people who wear ties to work and steal with a pencil or a computer terminal

audit risk

-the probability that an audit team will express an inappropriate audit opinion when the financial statements are materially misstated (i.e., give an unmodifed opinion on fnancial statements that are misleading because of material misstatements that the auditors failed to discover). -Such a risk always exists, even when audits are well planned and carefully performed. -Of course, the risk is much higher in poorly planned and carelessly performed audits. -The auditing profession has no official standard for an acceptable level of overall audit risk except that it should be "appropriately" low. -In practice, audit risk is evaluated at both the overall financial statement level (as a whole) and for each significant account and disclosure through a focus on the relevant assertions identified. Audit risk can be broken down into three components: •that a material misstatement will even occur (inherent risk); •that it would not be prevented or detected by client internal controls (control risk); and •that is not detected by the auditor's own procedures (detection risk).

detection risk

-the probability that the auditor's own procedures will fail to detect material misstatements provided that any have entered the accounting system in the first place and have not been prevented or detected and corrected by the client's internal controls. -In contrast to inherent risk and control risk, auditors are responsible for performing the evidence-gathering procedures that manage and establish this risk. -These audit procedures represent the auditors' opportunity to detect material misstatements that may exist in the financial statements. -In other words, unlike inherent risk and control risk, auditors can and do influence the level of detection risk. -Auditors are able to reduce detection risk by completing more and stronger substantive tests. -Generally speaking, in response to a higher assessed risk of material misstatement for a relevant assertion being audited, auditors must reduce detection risk to an appropriate level by planning appropriate substantive procedures. This relationship is now further illustrated with a discussion of the audit risk model. Factors affecting detection risk include: •Nature, timing, and extent of audit procedures; •Sampling risk‒the risk of choosing an unrepresentative sample); and •No sampling risk‒the risk that auditor may reach inappropriate conclusions based upon available evidence. detection risk depends on and is planned for based on the assessment of the other risk factors

Company objectives, strategies, and related business risk

-the purpose is to identify business risks that could reasonably be expected to result in material misstatement of the fnancial statements. -The best starting point is with management, whose job it is to be knowledgeable about the company's business risks. -Any risks that could adversely affect a company's ability to achieve its objectives and execute its strategies are called business risks. -Although not all business risks are relevant to auditors, the following are examples of potential business risks that might result in material misstatement of the financial statements: -Industry developments for which the company does not have the personnel or expertise to deal with the changes. -New products and services that might not be successful. -Expansion of the business when the demand for the company's products or services has not been accurately estimated. -The effects of implementing a strategy that will lead to new accounting requirements. -Financing requirements that the company may be unable to meet, resulting in a loss of financing. -Gaining an understanding of strategies and processes involves gathering evidence in areas not historically addressed by auditors. Auditors might ask production personnel about labor problems or marketing personnel about product quality or competition. -Business risk assessment also makes auditors much more knowledgeable about their client's business and its environment. We should note that, even when taking a top-down approach that starts with an understanding of the risks faced by the client in executing its strategy within the industry, the audit team ultimately still has to focus its procedures on the signifcant accounts and relevant management assertions.

risk of material misstatement (RMM)

-the risk a material misstatement exists in the financial statements before auditors apply their own procedures -the combined inherent and control risk -IR x CR

audit strategy memorandum

-the scope, timing, and direction for auditing each relevant assertion based on the results of the audit risk model. -the audit plan includes a description of it -In establishing the overall audit strategy, the auditor should take into account: (1) the reporting objectives of the engagement and the nature of the communications required by auditing standards, (2) the factors that are signifciant in directing the activities of the engagement team, and (3) the results of preliminary engagement activities and the auditor's evaluation risk assessment. -Also, various laws or regulations may require other matters to be communicated. -The strategy should outline the nature, timing, and extent of resources necessary to perform the engagement. -Planned tests of controls, substantive procedures, and other planned audit procedures required to be performed so that the engagement complies with auditing standards should be documented with specific directions about the effect on the audit. -The audit strategy memorandum becomes the basis for preparing the audit plan that lists the audit procedures to be completed for each relevant assertion related to each signifcant account and disclosure identifed on the audit engagement.

errors

-unintentional misstatements or omissions of amounts or disclosures in financial statements. -are not considered fraud because they occur unintentionally.

Steps for Performing Analytic Procedures

1. Develop an expectation. 2. Define a significant difference. 3. Compare expectation with the recorded amount. 4. Investigate significant differences. 5. Document each of the preceding steps. (1) Develop an expectation. A variety of sources can provide evidence for auditors' expectations of the balance in a particular account: -Balances for one or more comparable periods (e.g., vertical and horizontal analyses). -Anticipated results found in the company's budgets and forecasts. -Leveraging predictable patterns among account balances based on the company's experience. -Relevant information from third-party sources for the industry in which the company operates. -Relevant nonfinancial information (e.g., physical production statistics, sales orders). (2) Define a significant difference. Basically, the question is, "What percentage (or dollar) difference from your expectation can still be considered reasonable?" It is important that this decision be made before making the comparison to prevent auditors from rationalizing differences and failing to follow up. (3) Compare expectation with the recorded amount. Many auditors start with comparative financial statements and calculate year-to-year changes in balance-sheet and income-statement accounts (horizontal analysis). They next calculate common-size statements (vertical analysis) in which fnancial statement amounts are expressed as percentages of a base, such as sales for the income-statement accounts or total assets for the balance-sheet accounts. These initial calculations (see Exhibit 4.9) provide a basis for describing the fnancial activities for the current year under audit. Although vertical and horizontal analyses are fairly basic, other analytical procedures—including mathematical time series and regression calculations, comparisons of multiyear data, and trend analyses—can be more complex. (4) Investigate significant differences. Auditors typically look for relationships that do not make sense as indicators of problems in the accounts, and they use such indicators to plan additional audit work. In the planning stage, analytical procedures are used to identify potential problem areas so that subsequent audit work can be designed to reduce the risk of missing something important. The application demonstrated here can be described as attention directing: pointing out accounts that could contain errors and frauds. The insights derived from preliminary analytical procedures do not provide direct evidence about the numbers in the fnancial statements. Although the insights derived from preliminary analytical procedures provide only limited evidence about the numbers in the fnancial statements, they do help auditors identify risks as an aid in preparing the audit plan. (5) Document each of the preceding steps. The investigation of signifcant differences (step 4) is probably the most critical step in the analytical procedures process.

Inquiries of audit committee, management, and others within the company

Inquiries should be made of the follow client personnel and groups: Ø Management Ø Internal Auditors Ø Directors Ø Audit Committee Ø Other Employees a required audit process that can bring auditors up to date on changes in the business and the industry. -Such inquiries of client personnel have the multiple purposes of building personal working relationships, observing the competence and integrity of client personnel, obtaining a general understanding of the client or company, and probing for problem areas that could harbor financial misstatements. Issues to discuss include selection of accounting principles; susceptibility to errors and fraud, including known or suspected fraud; and how management controls and monitors fraud risks. -Other company employees to question might include operations or marketing managers or those involved in significant and unusual transactions. -Another source of information is company discussion boards or apps where anonymous whistleblowers can post information that management may not wish to disclose to auditors

the nature of the company

includes understanding -The company's organizational structure and management personnel. Is the client centralized or decentralized? Who makes the decisions? Are senior managers familiar with accounting and reporting requirements? Do they value the importance of good controls? Are any offcers, employees, or shareholders involved in related-party transactions? -The sources of funding of the company's operations and investment activities. Is the company funded by debt or equity? Are there restrictions placed by lenders that management must meet (e.g., debt covenants)? Does it have the fnancing in place to meet future cash requirements? Are any lenders or shareholders involved in related-party transactions? -The company's significant investments. Is the company invested in other companies for strategic purposes? Do investments provide a signifcant source of income? What is the company's investment policy? Do overseas investments present a risk of nationalization? Are any subsidiaries involved in related-party transactions? Is the company planning to acquire another company? As the following Auditing Insight reveals, there are additional risks for auditors if their client is either about to be acquired by or planning to acquire another company. -The company's operating characteristics, including its size and complexity. Does the company operate internationally? Do subsidiaries operate in diverse industries? -The sources of the company's earnings, including the relative proftability of key products and services, and key supplier and customer relationships. Are there any threats to loss of revenue from losing suppliers or customers? Could key products be overtaken by competitors' products? Could advances in technology make the client's products obsolete? Are any customers or suppliers related parties?

Communication of Fraud Risks

•Auditors must always exercise significant care because accusations of fraud are taken very seriously by audit clients. -Auditors may consider some minor frauds clearly inconsequential, especially when they involve misappropriations of assets by employees at low organizational levels. -Auditors should report these to management at least one level above the people involved. -On the other hand, frauds involving senior managers or employees with signifcant internal control roles are never inconsequential and should be reported (along with any frauds that cause material misstatement in the fnancial statements) directly to those charged with governance, usually the entity's audit committee of its board of directors. -Auditors are normally required to keep client information confidential. However, under AICPA auditing standards, limited disclosures to outside agencies of frauds and clients' noncompliance are permitted. -reason for changing auditors Form 8-5 -predecessor and new auditor -subpoenas -generally accepted government auditing standards- auditors must report fraud and noncompliance to the client agency

information sources

•General Business Sources -Trade magazines and journals -General business magazines and newspapers •Company Sources -Corporate charter and bylaws or partnership agreement -Contracts, agreements and legal proceedings -Minutes of meetings of directors and committees of the board of directors •Information from client acceptance or continuance evaluation, audit planning, past audits, and other engagements

Audit Team Brainstorming Discussions

•Required procedure •Objectives: -Gain understanding of: •Previous experiences with client •How a fraud might be perpetrated and concealed in the entity •Procedures that might detect fraud -Set proper tone for engagement: These sessions address not only fraud risk, but also other client business and audit-related risk assessments. These sessions update audit team members on important aspects of the audit and heighten team members' awareness of the potential for fraud and errors in the engagement. Items typically discussed include previous experiences with the client, how a fraud might be perpetrated and concealed by the client, and procedures that might detect fraud. When studying a business operation, auditors' ability to think like a criminal and devise ways to steal can help in creating procedures to determine whether fraud has happened. -While these sessions typically begin during the planning stage of engagements, they should be held on a continual basis through the conclusion of the engagement.