Audit Chapter 4

Fraud Risk Assessment Process

- Discussion among the audit team members regarding risks of material misstatement due to fraud - Inquiries of managements, audit committee, and others about their views on the risks of fraud and how it is addressed - Consideration of any unusual or unexpected relationships that have been identified in performing analytical procedures in planning the audit - Understanding of the entity's period-end closing process and investigate unexpected period-end adjustments - Identification and assessment of fraud risk factors

Evaluation of Audit Test Results

At the completion of the audit, auditor should consider whether the accumulated results of the audit procedures cause the financial statements to be materially misstated. If the auditor has determined that the misstatement is or may be the result of fraud, auditor should: - attempt to obtain audit evidence to determine whether, in fact, material fraud has occurred and its effect - consider implications for other aspects of the audit - discuss the matter and the approach to further investigation - suggest that the appropriate level of management consult with legal counsel If the result of the audit tests indicate a significant risk of fraud, auditor should consider withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee or others

AR = RMM x DR

Detection risk has an inverse relationship to inherent risk and control risk. If an auditor judges an entity's inherent and control risk to be high, the auditor would accept a lower level of detection risk in order to achieve the planned level of audit risk. At the end of the audit, the actual or achieved level of audit risk is not known with certainty by the auditor. If the auditor assesses the achieved audit risk as being less than or equal to the planned level of audit risk, an unqualified report can be issued.

Nonsampling risk

risk that auditors will make judgment errors caused by the use of inappropriate audit procedures or misinterpretation of audit evidence and failure to recognize a misstatement or deviation

Objectives, Strategies, and Related Business Risks

As discussed above, these must be identified by the auditor.

Audit Risk Model

AR = RMM x DR RMM = risk of material misstatement = Inherent Risk + Control Risk

Discussion among the Audit Team

Audit team is required to hold discussions (brainstorming sessions) about the entity's financial statements' susceptibility to fraud. Led by engagement partner or manager. Objectives of the meeting are to: - share insight about the entity and its environment and business risks - provide an opportunity for the team members to discuss how and where the entity might be susceptible to fraud - emphasize the importance of maintaining professional skepticism throughout the audit regarding the potential for material misstatement due to fraud

Inquiries of management, other entity personnel, ad others outside the entity

Auditor may make inquiries of: - those charged with governance (board of directors or audit committee) - Internal audit function - employees involved in initiating, authorizing, processing, or recording complex unusual transactions - in-house legal counsel - production, marketing, sales, and other personnel

Consideration of audit risk at the assertion level

Auditor must consider the risk that he or she will conclude that an assertion for a particular account balance or particular disclosure is fairly stated, when in fact it is materially misstated. Consists of: 1) risk that the relevant assertions related to the account balances or disclosures contain misstatements that could be material to the financial statements (inherent risk and control risk) 2) the risk that the auditor will not detect such misstatements (detection risk)

Auditor's Risk Assessment Procedures

Auditor obtains and understanding of the entity and its environment by performing the following risk assessment procedures: - inquiries of management, other entity personnel, ad others outside the entity - analytical procedures - observation and inspection

Inquiries of Management, Audit Committee, and Others

Auditor should inquire about management's knowledge of fraud within the entity. Audit committee should assume and active role in oversight of the assessment of the risk of fraud.

Assessing RMM

Based on knowledge of the entity and its environment, auditor assesses the risk of RMM at the assertion level and determines the audit procedures that are necessary based o n that risk assessment.

Qualitative approach to the ARM

Due to the subjectivity involved, many public accounting firms use qualitative terms rather than %. Categories: Very low, low, moderate, high Ex AR RMM DR 1 VL H L 2 L M M 3 L L H

Factual Misstatements Judgmental Misstatements Projected Misstatements

Factual Misstatements - misstatements about which there is no doubt. For example, an auditor may test a sales invoice and determine that the prices applied to the products are incorrect. Once the products are correctly priced, amount of misstatement is known. In these cases, auditor knows exact amount of misstatement. Judgmental Misstatements - Misstatements that arise from the judgments of management concerning accounting estimates that the auditor considers unreasonable or the selection or application of accounting policies that the auditor consider inappropriate. Projected Misstatements - Auditor's best estimate of misstatements in populations, involving the projection of misstatements identified in an audit sample to the entire population from which the sample was drawn.

Fraud

Fraud can be classified into two types: 1) misstatements resulting from fraudulent financial reporting 2) misstatements resulting from misappropriation of assets (defalcation), involve the theft of an entity's assets where the theft causes financial statements to be misstated Examples: - embezzling cash received - stealing physical assets and intellectual property - causing the entity to pay for goods or services not received - using an entity's assets for personal use

Assessing Business Risks

Goal of this process is to assess the business risks faced by the entity, and how those risks are controlled or not controlled by the entity. Based on this knowledge, auditor assesses the risk of material misstatement at the assertion level. Unless otherwise noted, the RMM refers to misstatements caused by errors or fraud. Auditors understanding of the entity and its environment involves: - nature of entity - industry, regulatory, and other external factors - objectives, strategies, and related business risks - entity performance measures, - internal control

Engagement Risk

In addition to audit risk, engagement risk is the risk that the auditor is exposed to financial loss or damage to his/her reputation from litigation, adverse publicity, or other events arising in connection with the audited financial statements.

Industry, Regulatory, and other External Factors

Industry, Regulatory, and other External Factors are relevant to the auditor's understanding of the entity and in identifying RMM. Some industries are subject to RMM as a result of unique accounting estimates.

Internal Control

Internal control is the label given to the entity's policies and procedures designed to provide reasonable assurance about the achievement of the entity's objectives. Implemented by board of directors, management, and other personnel. Examples: - active and qualified board of directors and independent audit committee members - effective risk assessment process - competent and objective internal audit function - proper authorization of transactions - proceures to ensure assets exist (inventory counts) - monitoring of controls

Entity Performance Measures

Internally generated information used by management to measure and review the entity's financial performance may include key performance indicators, both financial and nonfinancial; budgets, variance analysis etc. External parties (analysts and credit ratings agencies) may also measure and review the entity's financial performance. A deviation in the entity's performance measures may indicate RMM.

Evaluate entity's risk assessment process

Management has a responsibility to identify, control, and mitigate business risks that may affect the entity's ability to achieve its objectives. The auditor should obtain information about this process. If they are denied, auditor's assessment of the RMM may increase.

Observation and Inspection

May support inquiries of management and others. Examples include: - Observation of entity activities and operations - Inspection of documents, records, and internal control manuals - Reading reports prepared by management, the audit committee, those charged with governance, and the internal audit function - Visits to the entity's premises and plant facilities - Tracing transactions through the information system relevant to financial reporting, which may be performed as part of a walkthrough

Causes and Types of Misstatements

Misstatements can result from errors or fraud. Errors are unintentional acts. Thus, the primary distinction between error and fraud is intention. Misstatements due to error or fraud include: - an inaccuracy in gathering or processing data from which financial statements are prepared. - an omission of an amount or disclosure - a financial statement disclosure that is not presented in accordance with GAAP - an incorrect accouting estimate arising from overlooking or clear misinterpretation of facts - judgements of management concerning accounting estimates that the auditor considers unreasonable

Auditor's Response to the Results of the Risk Assessments

Once the risks of the material misstatement have been identified, the auditor determines whether they relate more pervasively to the overall financial statements and potentially affect many relevant assertions or whether they identified risks relate to specific relevant assertions related to accounts and disclosures. Financial statement level risks are pervasive risks. Auditor's response may include: - assigning more experiences personnel or those with specialized knowledge to assess the risk - evaluating whether the selection and application of accounting policies by the entity may be indicative of fraudulent reporting - incorporating an element of unpredictability in the selection of the nature, timing, and extent of audit procedures If the auditor determines that any of the risks are significant, the auditor must determine the nature of the risk, the likely magnitude of potential misstatement, and likelihood of the risk occurring. Examples of types of items that may result in significant risk include: - assertions identified with fraud risk factors - nonroutine or unsystematically processed transactions - significant accounting estimates and judgments - highly complex transactions - application of new accounting standards - revenue recognition - industry-specific issues

Misappropriation of Assets

Risk factors that relate to misstatements arising from misappropriation of assets are also classified along the three conditions present when fraud exists. Risk Factors: Incentives/ Pressures - personal financial obligations - adverse relationships between entity and employees with access to cash Opportunities - certain characteristics or circumstances may increase the susceptibility of assets to misappropriation - inadequate internal control over assets Attitudes/ Rationalization - disregard for the need for monitoring or reducing risks related to misappropriations of assets - disregard for internal control - changes in behavior or lifestyle that may indicate assets have been misappropriated

Control Risk

Risk that a misstatement that could occur in an assertion about an account or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal control

Audit risk

Risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated Simply, it is the risk that an auditor will issue an unqualified opinion on materially misstated financial statements

Detection Risk

Risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements Determined by the effectiveness of the audit procedures and how well the procedures are applied by the auditor Audit evidence is a collection of audit procedures, analysis, assessments, and professional judgement and such processes are subject to human error, sometimes referred to as nonsampling risk

Documentation of Auditor's Risk Assessment and Response

Standards require extensive documentation of the auditor's risk assessment procedures and audit responses to identified risks. For example, auditor should document the risk of material misstatement for all material accounts and disclosures in terms of the related assertions. Other areas of documentation include: - discussion among engagement team, significant decisions reached, how and when they occurred, and audit team members present - steps performed in obtaining knowledge about entity's business and its environment > risks identified > evaluation of management's response to these risks > auditor's assessment of the risk of error or fraud - Fraud risks or other conditions that cause the auditor to believe that additional audit procedures or other responses were required to address such risks - nature, timing, and extent of procedures performed in response to the risks of material misstatement due to fraud and the results of that work - nature of the communications about error or fraud made to management, the audit committee, and others

Management's Strategies, Objectives, and Business Risks

Strategies are the operational approaches used by management to achieve objectives. To achieve their business objectives, managers pursue strategies. Business risks are threats from significant conditions, events, circumstances, actions, or inactions that could adversely affect the entity's ability to achieve its objective and execute its strategies. Management is responsible for identifying such risks and responding to them. If the entity faces pressure to maintain historical profit margins, this may increase the risk of misstatement associated with the valuation of assets such as receivables and inventory.

Inherent Risk

The susceptibility of an assertion in an account or disclosure to a misstatement due to error or fraud that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Analytical Procedures

These are evaluations of financial information made through analysis of plausible relationships among both financial and nonfinancial data. Auditing standards require that the auditor perform analytical procedures as risk assessment procedures. They can be helpful in identifying the existence of unusual transactions or events and amounts, ratios, and trends that might have implications for audit planning.

Identification and Assessment of Fraud Risk Factors

Three conditions are generally present when material misstatements due to fraud occur: 1) Management or other employees have an incentive or are under pressure that provides a reason to commit fraud 2) Circumstances exist that provide an opportunity for a fraud to be carried out 3) Those involved are able to rationalize committing a fraudulent act. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly and intentionally commit a dishonest act. These three conditions are referred to as the fraud risk triangle.

Use of the ARM

Three steps are involved in the auditor's use of the ARM: 1) Setting a planned level of audit risk - Auditor sets audit risk for each account balance or disclosure in such a way that, at the completion of the engagement, an opinion can be issued on the financial statements with an acceptably low level of audit risk. For public companies, it's usually about 5% or less. 2) Assessing the risk of material misstatement - Requires that the auditor assess the risk of material misstatement by evaluating the entity's business risks and how those business risks could lead to material misstatements. 3) Solving the audit risk equation for the appropriate level of detection risk - auditor determines the appropriate level of detection risk by solving the audit risk model as follows: AR = RMM x DR DR = AR/RMM

Auditor's Risk Assessment process

To properly assess risk of material misstatement and engagement risk, auditor needs to understand management's objectives and strategies, and business risks.

Nature of Entity

To understand the nature of the entity, auditor should obtain information about the entity's: - business operations (nature of revenue sources, products or services, markets, location of production facilities, warehouses and offices, key customers, suppliers) - investments and investment activities - financing and financing activities (major subsidiaries, debt structure, leasing arrangements, related parties, use of derivative financial instruments) - financial reporting (accounting principles, industry-specific practices, revenue recognition practices, accounting for fair values, accounting for unusual/ complex transactions) PCAOB recommends these additional procedures: - reading public information about teh company - observing or reading transcripts of earnings calls conducted by management - obtaining information about significant unusual developments regarding trading activity in the company's securities - obtaining an understanding of compensation arrangements, changes or adjustments to those arrangements, and special bonuses

Communications about Fraud to Management, Audit Committee, and Others

Whenever the auditor has found evidence that a fraud may exist, that matter should be brought to the attention of an appropriate level of management. The auditor should recognize that in the following circumstances a duty to disclose outside the entity may exist: - to comply with certain legal and regulatory requirements - to a successor auditor - in response to a subpoena - to a funding agency in accordance with requirements for the audits of entities that receive governmental financial assistance