Question

Auditor Firm XYZ has just submitted a proposal to audit the financial statements of Company X. The auditor gained permission from the Company to have a discussion with the predecessor auditor. The predecessor auditor stated that they tended to have a high amount of disagreements with management. The auditing firm won the engagement and signed an engagement letter to complete the year-end audit. Company X is operating in a highly regularized sector and has a complex network of related entities which could be misrepresented in the financial statements. The Company also does not have any controls over financial reporting, but has minimal controls in place to prevent collusion in some areas of operations. There is also no Internal Audit department. The audit firm has relatively less understanding of the entity and its environment at this stage.

Explain the associated risks and the level of the risk. Then explain how the auditor would want to adjust their auditing procedures based on the assessments of these risks. Use the audit risk model within your explanation.

Answer 1

The audit risk model is the foundation of any audit. This might seem like CPA 101, but are you correctly applying it to your engagements?

In doing so, your first consideration is your client’s risks of material misstatement (RMM), which is made up of inherent risk and control risk. As a reminder, inherent risk is the risk of material misstatement assuming no related controls, while control risk is the risk that your client’s controls won’t prevent or detect and correct a material misstatement. So how do you apply this to your audit?

Understand your client and its environment

Because RMM drives your audit planning and procedures, your first step in applying the audit risk model is to obtain an understanding of your client and its environment. You should consider the nature of your client’s business, external factors that impact it, and how the organization measures and reviews its financial performance. This includes:

• Nature of the client – Make sure to think about business operations, investment and financing activities, and financial reporting.
• External factors – Consider industry conditions, the regulatory environment, and government policies. How competitive is your client’s industry? How easy is it to enter? What are its revenue characteristics? How quickly do products change?
• Organization strategies – How does your client address these external factors?
• Financial Performance – Consider your client’s financial performance, including key ratios and operating statistics; key performance indicators; employee performance measures and incentive compensation policies; trends, forecasts, budgets, variance analysis, and competitor analysis; and period-on-period financial performance (revenue growth, profitability, and leverage).

With each of these areas, make sure to document the steps you took to gain an understanding, any changes to your understanding of the client from previous years as well as risks identified and whether they are significant.

Understand your client’s internal control

Your next step in applying the audit risk model is to obtain an understanding of your client’s internal control. You’ll want to know what controls (either individually or in combination) are in place, if they are designed properly to meet their objective, and if they have been implemented. Make sure to consider the following:

• Control environment: What are management’s attitudes and actions related to internal control? How much emphasis do they put on achieving reliable financial reporting?
• Control activities: For all material classes of transactions, account balances, and disclosures, you’ll need to identify the relevant assertion(s), control objective, key controls, whether the control’s design is effective or ineffective, and whether the control is properly implemented.
• Your client’s risk assessment, information and communication, and monitoring: While smaller entities may not have well-documented controls or procedures in these areas, they likely still have some controls in place. For example, does the owner review financial results on a monthly basis?

Again, you’ll want to document your understanding of your client’s internal control, including the control environment. Then document the steps you took to understand it, any changes over the previous period, and all identified risks.

Use RMM to drive detection risk

Based upon your assessment of RMM, you’ll determine the nature, timing, and extent of your audit procedures. For example, if you determine that your client has low inherent and control risks at the assertion level, you might accept detection risk at high and thus use less rigorous substantive tests (i.e., analytical procedures or tests of details). On the other hand, if your client’s inherent and control risks are moderate to high, you would plan more rigorous substantive tests in order to obtain more persuasive audit evidence about the assertion as part of your audit.

The key for using RMM to drive detection risk is to remember that the nature, timing, and extent of further audit procedures planned needs to be responsive to the RMM identified.