In: Accounting
Auditor Firm XYZ has just submitted a proposal to audit the financial statements of Company X. The auditor gained permission from the Company to have a discussion with the predecessor auditor. The predecessor auditor stated that they tended to have a high amount of disagreements with management. The auditing firm won the engagement and signed an engagement letter to complete the year-end audit. Company X is operating in a highly regularized sector and has a complex network of related entities which could be misrepresented in the financial statements. The Company also does not have any controls over financial reporting, but has minimal controls in place to prevent collusion in some areas of operations. There is also no Internal Audit department. The audit firm has relatively less understanding of the entity and its environment at this stage.
Explain the associated risks and the level of the risk. Then explain how the auditor would want to adjust their auditing procedures based on the assessments of these risks. Use the audit risk model within your explanation.
The audit risk model is the foundation of any audit. This might seem like CPA 101, but are you correctly applying it to your engagements?
In doing so, your first consideration is your client’s risks of material misstatement (RMM), which is made up of inherent risk and control risk. As a reminder, inherent risk is the risk of material misstatement assuming no related controls, while control risk is the risk that your client’s controls won’t prevent or detect and correct a material misstatement. So how do you apply this to your audit?
Understand your client and its environment
Because RMM drives your audit planning and procedures, your first step in applying the audit risk model is to obtain an understanding of your client and its environment. You should consider the nature of your client’s business, external factors that impact it, and how the organization measures and reviews its financial performance. This includes:
With each of these areas, make sure to document the steps you took to gain an understanding, any changes to your understanding of the client from previous years as well as risks identified and whether they are significant.
Understand your client’s internal control
Your next step in applying the audit risk model is to obtain an understanding of your client’s internal control. You’ll want to know what controls (either individually or in combination) are in place, if they are designed properly to meet their objective, and if they have been implemented. Make sure to consider the following:
Again, you’ll want to document your understanding of your client’s internal control, including the control environment. Then document the steps you took to understand it, any changes over the previous period, and all identified risks.
Use RMM to drive detection risk
Based upon your assessment of RMM, you’ll determine the nature, timing, and extent of your audit procedures. For example, if you determine that your client has low inherent and control risks at the assertion level, you might accept detection risk at high and thus use less rigorous substantive tests (i.e., analytical procedures or tests of details). On the other hand, if your client’s inherent and control risks are moderate to high, you would plan more rigorous substantive tests in order to obtain more persuasive audit evidence about the assertion as part of your audit.
The key for using RMM to drive detection risk is to remember that the nature, timing, and extent of further audit procedures planned needs to be responsive to the RMM identified.