You are the audit senior responsible for the audit of Noyers Ltd. In your initial planning meeting, you become aware of the following event:
Due to the CFO's workload, the company employed a senior financial manager. The CFO is excited about the appointment because in the two months that the senior financial manager has been employed by the company he has realised a small profit for the company through foreign exchange transactions in Russian Roubles.
Identify the specific component(s) of the audit risk model affected, explain the effect on overall audit risk, and explain the effect on overall audit approach of the above-mentioned event.
A) What is Audit?
An audit basically means an examination of financial reports or other reports by an independent person or organization, who expresses an opinion based on the facts found in their review.
There are many types of audits and different levels of assurance provided by auditors.
For example, a financial audit is the audit of the entity’s financial statements by an independent audit firm, and an internal audit is performed by an internal audit team that is employed by the entity itself.
Auditors help the users of financial statements, especially shareholders or owners of the entity, to get better comfort on the financial statements that they are using.
Purpose of an Audit:
B) Who is an auditor?
He/she is someone who leaves home early in the morning and comes back at midnight. Just kidding. An auditor is an independent person or entity who conducts audit work. External auditors are normally hired by audit firms like PWC, KPMG, EY, or GT.
Internal auditors are normally hired by private or public entities. Internal auditors can be employed to work in the internal audit department or division as a result of a requirement of the entity or the local regulator.
Internal audit officers are normally hired through the HR department, but the head of internal audit or Chief of Internal Audit is sometimes hired by shareholders.
Auditors need to be independent of the operation and of any kind of interest that might impair the quality of their work.
C) What is Audit risk?
Audit risk is the risk that auditors issue an incorrect audit opinion on the audited financial statements.
For example, auditors issue an unqualified opinion on the audited financial statements even though the financial statements are materially misstated. In other words, the auditors fail to identify or detect the material misstatements in the financial statements.
Or a qualified opinion is issued as the result of an immaterial misstatement found in the financial statements, when the correct opinion should be unqualified since the fact is financial statements are materially misstated.
Audit risks come from two main sources: clients and auditors themselves. The risks are classified into three different types: inherent risks, control risks, and detection risks.
We will discuss this in detail below.
The auditor is required to assess the risks of material misstatement in the financial statements, as required by ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment.
The procedures that auditors use to perform risk assessment are inquiry, inspection, observation, and analytical procedures.
The auditor assesses the risks at the entity control level and then takes a deep dive into the risks at the activity control level that could significantly affect the quality of financial information.
They also study the trend of balances or transactions of accounting items in the financial statements over time to see whether a change is normal and whether there are any risks of misstatement related to the change.
D) Audit Risks Model
Audit risk can be presented by the audit risks model as the combination of inherent risks, control risks, and detection risks.
Model
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Audit risk may be considered as the product of the various risks which may be encountered in the performance of the audit. In order to keep the overall audit risk of engagements below an acceptable limit, the auditor must assess the level of risk pertaining to each component of audit risk.
As mentioned above, inherent risks and control risks come from clients, whereas detection risks are controlled by auditors. All three of these risks are discussed below:
1-Inherent Risks:
Inherent risk refers to the risk that could not be protected against or detected by the entity’s internal control. This risk could arise as a result of the complexity of the client’s nature of business or transactions.
Sometimes, that nature of business could be linked to the complexity of financial transactions and require a high degree of judgment.
The risk is normally high if the transaction or event involves a high degree of human judgment. For example, exposure to complex derivative instruments.
This kind of risk could also be affected by the external environment; for example, climate change, political problems, or some other PESTEL effect on the business.
Auditors are required to assess those kinds of risks and set up audit procedures to address inherent risks properly.
2-Control Risks:
Control risk, or internal control risk, is the risk that current internal control fails to detect or protect against a significant error or misstatement in the financial statements.
Basically, management is required to set up and assess the effectiveness and efficiency of internal control over financial reporting to make sure that financial statements are free from material misstatements.
Why does weakness in internal control bring risk to the auditor?
Basically, if the control is weak, there is a high chance that the financial statements are materially misstated, and there is subsequently a high chance that auditors could not detect all of those misstatements.
That means control risk could lead to audit risk. Don’t confuse it with detection risk.
The auditor needs to understand and assess the client’s internal control over financial reporting to conclude whether those controls could be relied on or not.
3-Detection Risk:
Detection risk is the risk that the auditor fails to detect a material misstatement in the financial statements and then issues an incorrect opinion on the audited financial statements.
The common causes of detection risk are improper audit planning, poor engagement management, wrong audit methodology, low competency, and lack of understanding of audit clients.
Detection risk arises on the auditor's side rather than the client's side.
As mentioned, detection risk could be the result of poor audit planning. For example, if audit planning is poor, not all kinds of risks are defined and the audit program that is used to detect those risks is deployed incorrectly. The result is that the material misstatements are not detected.
There are certain guidelines that could help auditors to minimize detection risks so that the audit risks are also subsequently minimized.
E) Overall Responses & Effects on overall audit approach of the above-mentioned event.
The auditor should design and implement overall responses to address the assessed risks of material misstatement as follows:
Making appropriate assignments of significant engagement responsibilities. The knowledge, skill, and ability of engagement team members with significant engagement responsibilities should be commensurate with the assessed risks of material misstatement.
Providing the extent of supervision that is appropriate for the circumstances, including, in particular, the assessed risks of material misstatement.
The auditor also should determine whether it is necessary to make pervasive changes to the nature, timing, or extent of audit procedures to adequately address the assessed risks of material misstatement. Examples of such pervasive changes include modifying the audit strategy to:
Due professional care requires the auditor to exercise professional skepticism. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence. The auditor's responses to the assessed risks of material misstatement, particularly fraud risks, should involve the application of professional skepticism in gathering and evaluating audit evidence. Examples of the application of professional skepticism in response to the assessed fraud risks are (a) modifying the planned audit procedures to obtain more reliable evidence regarding relevant assertions and (b) obtaining sufficient appropriate evidence to corroborate management's explanations or representations concerning important matters, such as through third-party confirmation, use of a specialist engaged or employed by the auditor, or examination of documentation from independent sources.