Audit risk in a brave new world

Auditors whose main professional occupation is to audit the financial statements of entities (predominantly incorporated entities) are exposed to audit risk. It is their occupational hazard. Auditors should therefore understand audit risk, what it is and how to deal with it.

What is audit risk?
Basically, audit risk is the risk arising from carrying out audit work. It is the risk of the auditor 'suffering loss' as a result of giving an inappropriate audit opinion. The loss may be in the form of damage to the auditor's reputation (and resulting business loss) or in the form of monetary compensation for damages to another person (the client or a third party), or indeed both (reputational and monetary). An auditor gives an inappropriate opinion by, for example, stating that the financial statements show a true and fair view when in fact they do not, or that they do not give a true and fair view when in fact they do. This may arise from:

• not gathering appropriate audit evidence
• being deliberately misled by those providing the evidence who conceal evidence that would have led to a different opinion, or who falsify evidence
• misinterpreting (drawing inappropriate conclusions from) the evidence gathered.

In summary, audit risk is the risk that the auditor will suffer financial and/or reputational loss as a result of doing something wrong or omitting to do something during an audit engagement. All audits, therefore, involve risk. There is always the possibility of fraud or error remaining undetected no matter how careful an auditor is in gathering and assessing audit evidence in support of the auditor's resulting opinion. It is possible that the auditor will arrive at an unsuitable opinion. A large part of an audit engagement is dealing with this risk - assessing it at the start of the engagement, and gathering evidence and reassessing it during the engagement.

How does the auditor deal with audit risk?

It is at this point that we should look at the guidance that exists within the international context. This includes guidance from the International Audit and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC). This guidance comes in the form of International Standards on Auditing (ISAs) and can be downloaded free of charge from the IAASB and IFAC websites on completion of an online registration form.
Relevant to audit risk are the new ISAs which the IAASB has grouped together and called 'The Risk Standards'. These are:

• ISA 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatements
• ISA 330, The Auditor's Procedures in Response to Assessed Risks
• ISA 500 (Revised), Audit Evidence.

As a result of these ISAs being issued, conforming amendments have been made to ISA 200, Objective and General Principles Governing an Audit of Financial Statements. The changes principally relate to the expression of the audit risk model. Changes are being made to other ISAs to ensure conformity and consistency with these 'newly released' audit risk ISAs. For example, ISA 240 (Revised), The Auditor's Responsibility to Consider Fraud and Error in an Audit of Financial Statements, issued in February 2004, makes reference to relevant paragraphs of the risk standards.

The risk standards, which should be effective for audits of financial periods beginning on or after 15 December 2004, replace the following ISAs:

• ISA 310, Knowledge of the Business
• ISA 400, Risk Assessment and Internal Control
• ISA 401, Auditing in a Computer Information Systems Environment.

The requirements in these newly-issued risk standards represent significant changes to the standards governing audits of financial statements. They enable the auditors to focus more clearly on areas where there is a greater risk of misstatement of the financial statements. The belief is that these risk standards will increase audit quality. This is as a result of better risk assessments through a more detailed understanding of the entity and its environment, including internal control, and improved design and performance of audit procedures to respond to assessed risks of material misstatements. The improved linkage of audit procedures and assessed risks is expected to result in a greater concentration of audit effort on areas where there is a greater risk of material misstatements.

The scope of each of the risk standards is reflected in the introduction to the standards, and can be summarised as follows.

ISA 315

This standard provides guidance on performing audit procedures to obtain a broader understanding of the entity and its environment, including its internal control, and on assessing risks of material misstatement. The IAASB recognises that there may be specific considerations relevant to the audit of small entities and ISA 315 includes such considerations.

ISA 330

This standard provides guidance on determining overall responses to assessed risks at the financial statement level and on designing and performing further audit procedures to respond to assessed risks of material misstatements at the assertions level.

ISA 500 (Revised)

This standard provides guidance on:

• what constitutes audit evidence
• the sufficiency and appropriateness of audit evidence obtained
• the auditor's use of assertions
  and
• the auditor's procedures for obtaining audit evidence.

It provides additional guidance about the auditor's use of assertions and the qualitative aspects of audit evidence.

Addition to ISA 200

This standard explains the traditional audit risk model in an appendix where the additional guidance is underlined. Audit risk is defined as 'the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated'. This definition does not include the risk that the auditor might erroneously express an opinion that the financial statements are materially misstated. The components of audit risk are explained (inherent risk plus control risk and detection risk). Audit risk is a function of the risk of material misstatements and detection risk. The auditor carries out audit procedures to assess the risk of material misstatement and seeks to limit detection risk by performing further audit procedures based on that assessment. The audit process involves the exercise of professional judgment in designing the audit approach, through focusing on what can go wrong (the potential misstatements) at the assertion level and performing audit procedures in response to the assessed risks in order to obtain sufficient appropriate audit evidence.

ISA 240 (Revised) builds on these risk standards and requires the auditor to focus on areas where there is a risk of material misstatement due to fraud, including management fraud. The revised standard emphasises the need for the auditor to maintain an attitude of professional scepticism throughout the audit, notwithstanding the auditor's past experience about the honesty and integrity of management and those charged with governance. Among other things, ISA 240 (Revised) requires:

• the engagement team to discuss how the financial statements may be susceptible to material misstatement due to fraud and the audit procedures that should be more effective for their detection
• the auditor to design and perform audit procedures to respond to the identified risks of material misstatement due to fraud, including procedures to address the risk of management overriding controls.

Some practical implications of these new international standards on auditing

External auditors have responsibilities in respect of the risk of fraud and error in an audit of financial statements. These include:

• conducting the audit in accordance with ISAs
• obtaining reasonable assurance that the financial statements as a whole are free from material misstatements, whether caused by fraud or error
• performing risk assessment procedures in order to obtain an understanding of the entity and its environment, including its internal control. The procedures include making inquiries of management, of those charged with governance and of appropriate others within the entity (eg operating personnel, chief ethics officer and fraud investigating officer), considering whether one or more fraud factors exist, considering any unusual relationships that have been identified in performing analytical procedures and considering other information that may be helpful in identifying the risks of material misstatements due to fraud
• maintaining an attitude of professional scepticism throughout the audit
• considering the potential for management override of controls and recognising the fact that audit procedures that are effective for detecting error may not be appropriate in the context of an identified risk of material misstatement due to fraud
• accepting records and documents as genuine unless the auditor has reason to believe the contrary
• investigating further by, for example, using the work of an expert or confirming directly with a third party if conditions identified during the audit cause the auditor to believe that a document may not be authentic
• discussing with the members of the engagement team the susceptibility of the entity to materially misstate the financial statements.

Auditors seek information and perform procedures during the planning, risk assessment and determination of the audit approach for the audit of a company. The information sought includes that relating to:

• the entity's organisational structure, business and controls
• past misstatements and whether or not they were corrected on a timely basis (beware of changes in the entity and its environment that would render this historical information irrelevant)
• the environment in which the financial statements are prepared
• litigation compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, post-sales obligations, arrangements (eg joint ventures) with business partners, warranties and the meaning of contract terms
• information relating to changes in the entity's marketing strategies, sales trends, or contractual arrangements with customers
• the design and effectiveness of the entity's internal control and whether management has satisfactorily responded to any findings from these activities
• the appropriateness of the selection and application of certain accounting policies.

The procedures to be performed include:

• inquiries of management and others within the entity
• analytical procedures
• observation and inspection
• any other procedures where the information obtained may be helpful in identifying risks of material misstatements.

In performing risk assessment procedures, auditors may obtain evidence about classes of transactions, account balances, or disclosures and related assertions about the operating effectiveness of controls. For audit efficiency reasons, auditors may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures.

Auditors should expect to see certain types of audit working papers on the audit files and those working papers should have certain features that show they have been properly completed. The types of working papers include permanent audit files and current audit files.

Permanent audit files

These contain information of continuing importance and are updated during each audit. The information includes:

• statutory material
• the rules and regulations of the enterprise
• copies of documents of continuing importance (eg letter of engagement)
• addresses of the registered office and other premises
• list of books and other records and where they are kept
• history of the organisation
• list of important accounting matters
• other information of a continuing nature.

Current audit files

Current audit files include information relating to a single audit (accounting) period. The information includes:

• a copy of the financial statements
• an index to the file
• a description of the internal control system
• an audit programme
• a schedule for each of the balance sheet items showing the opening balance
• movement during the period and the closing balance
• a schedule for each of the income statement (profit and loss account) items showing its makeup
• a statutory checklist
• a schedule of important statistics, copies of all communications with other people
• letters of representation
• conclusions reached by the auditor concerning significant aspects of the audit
• anything else that contributes to the audit evidence for the current year's audit.

Features to show that the papers have been completed properly include evidence:

• of who performed the actual audit work and when it was performed
• that the work performed was supervised and reviewed
• that the performers, supervisors and reviewers were appropriately qualified and experienced for their tasks.

Management is responsible for the fair presentation of financial statements that reflect the nature and operations of the entity. In representing that the financial statements give a true and fair view (or present fairly, in all material respects) in accordance with the applicable financial reporting framework, management implicitly or explicitly make assertions regarding the recognition, measurement, presentation and disclosure of the various elements of financial and related information. The financial statements assertions in ISA 500 (Revised) fall into three categories as follows:

1. Assertions about classes of transactions and events for the period under audit:
   • occurrence
   • completeness
   • accuracy
   • cut-off classification.
2. Assertions about account balances at the period end:
   • existence
   • rights and obligations
   • completeness
   • valuation and allocation.
3. Assertions about presentation and disclosure:
   • occurrence and rights and obligations
   • completeness
   • classification and understandability
   • accuracy and valuation.

As auditors we should know and be able to describe these financial statements assertions made by management in financial statements. We may use these assertions as described above or may express them differently provided all aspects described above have been covered. We should be able to describe and explain the main audit procedures and processes that take place during the interim and final audit of a large entity. The nature of these audit procedures and processes refers to their type (ie whether they are tests of controls or substantive procedures) and their type, that is, inspection (of records and documents and of tangible assets), observation, inquiry, confirmation, recalculation, re-performance, or analytical procedures.

The nature and timing of the audit procedures to be used may be affected by the fact that some of the accounting data and other information may be available only in electronic form or only at certain points or periods in time. Certain audit procedures - such as agreeing the financial statements to the accounting records and examining adjustments made during the course of preparing the financial statements - can be performed only at or after the period end. Most other procedures can be performed at either the final stage (at or after the period end) or at an interim stage. These procedures and processes include:

• risk assessment procedures to provide a satisfactory basis for the assessment of risks at the financial statement and assertion levels
• tests of relevant controls to obtain audit evidence about their operating effectiveness
• designing and performing further audit procedures to respond to assessed risks at the assertion level
• obtaining audit evidence about the accuracy and completeness of information produced by the entity's information system when that information is used in performing audit procedures. For example, if the auditor uses budget data to compare with actual data then the auditor should obtain audit evidence about the accuracy and completeness of the budget data
• performing tests of relevant controls to obtain audit evidence about their operating effectiveness.

Auditing students should remember that the auditor is responsible for forming and expressing an opinion on the financial statements. The responsibility for preparing and fairly presenting the financial statements in accordance with the applicable financial reporting framework lies with the management of the entity, with oversight from those charged with governance. We should remember that the audit of the financial statements does not relieve management and those charged with governance of their responsibilities.