Responses which will gain little or no credit in the exam:
Stating a business risk rather than a RoMM or audit risk
‘The company may be fined as a result of the data breach during the year’
Failure to use scenario specific information
‘If this is the case then there may be a requirement to create a provision for such a fine and make associated disclosures which management have not included in the financial statements’
Given that management haven’t reported the breach in order to avoid the fine, management will not have made a provision and or provide any disclosures in the financial statements. This is because management are trying to conceal it – this is scenario specific information, often candidates are told in a scenario whether a provision is made and any failure to make a provision would not then be the relevant risk.
Failure to apply financial reporting knowledge to the specific scenario
‘A provision is required where there is a present obligation as a result of a past event where settlement is probable, and a reliable estimate can be made’
This is deemed financial reporting knowledge from the FA exam and will not attract much credit as unapplied knowledge, as it is stated without reference to the scenario |
Examples of evaluated responses
Application of judgement
‘Given that the company do not wish to disclose the breach to the regulator, it is likely that a fine would be probable should the regulator be made aware of the breach’
‘If the breach is not reported to the regulator and is not disclosed by any other party, then the fine is not probable’
‘However, if it is possible the regulator would be made aware then there would be a contingent liability which would require disclosure in the financial statements’
These are demonstrations of candidate’s judgement as they are assessing the information in the scenario to draw conclusions and to evaluate the extent of the risk.
Demonstration of the wider commercial aspects of the lack of disclosure (credit for commercial acumen)
‘The disclosure of the contingent liability would effectively notify the regulator of the breach making the fine probable‘
Further actions relevant to the assertion and scenario
‘A reliable estimate will be obtained from reference to historical fines issued to other organisations for similar breaches hence a provision should be made’
This is an evaluation as to the correct action
Demonstration of recognition of potential management bias (scepticism by the auditor) ‘Management may be reluctant to provide for the fine as the reduction in profit as a result might mean interest cover covenants are breached’
Assessment of the scale and impact of the risk
‘As a result a provision might be omitted from the company liabilities and profits may be overstated as a result’
This is an assessment of the impact of the risk on the financial statements.
‘The amounts payable might be higher as a result of failure to self-report which increases the impact of the misstatement’
This is part of evaluating the scale of the risk
‘The potential impact of the understated expenses on the interest cover covenant may make this material by nature if it would result in a breach of covenants’
This demonstrates that the candidate has assessed the materiality of the breach, and even without a specific figure being stated, management’s attitude and the risk of breaching the bank covenants, are likely to make this risk material to the audit.
Linking the risk to wider issues
‘Management’s failure to self-report may give rise to concerns regarding management’s integrity. Which then gives rise to risks of material misstatement at the financial statements level, thereby reducing the reliability of management’s assertion as a form of audit evidence’ |
The above example is far longer than candidates would be required to make in exam conditions, however, this is the sort of good analysis which well-prepared candidates provided in the exam and illustrates the depth of evaluation possible using the information provided in the scenario.
Where more complex financial reporting is examined, such as those topics examined only at Strategic Business Reporting (SBR) level, additional credit will be available for the relevant underlying financial reporting knowledge, or where the candidate provides additional guidance on the relevant area of financial reporting raised in the scenario.
Other question styles
Other question styles may examine the understanding of inherent risks and RoMM in slightly different ways. One such approach would be for the candidates to justify why a particular risk has been classified as a RoMM by the audit partner. In this sort of question, the underlying skills are the same: These risks should be assessed for materiality and against the inherent risk factors to determine the likelihood and magnitude of the risk arising.
Using the provision example above – the answer would contain similar points of evaluation should the requirement ask candidates to explain why the fine gave rise to a significant risk of material misstatement in the financial statements. An answer here would focus on why the issue was material, where judgements and uncertainties arise and how that links to management bias risk.
Audit risk
Audit risk is the combination of RoMM and detection risk. Detection risks arise where the auditor procedures are such that audit procedures may not detect a material misstatement. Where a question requires audit risks, both detection risks and RoMM should be considered.
Some of these detection risks arise in special circumstances, such as group audits where the group auditor is reliant on component auditors or new clients where there is no past experience of the client and their business. Detection risks may also arise in audits where quality management or ethical threats may prevent the auditor from obtaining sufficient appropriate evidence. Examples of ethical and quality management threats which may increase detection risk include specialised industries where the audit team do not have appropriate, specialised competencies or where intimidation or self-interest threats prevent appropriate challenge of management. It is also the case that a lack of professional scepticism and confirmatory bias increase detection risk which is why the skills examined in this exam are important for auditors.
Professional marks
Professional marks awarded in audit risk and RoMM questions typically fall into the following broad categories
Analysis and evaluation
Prioritisation of significant risks. Here candidates will be awarded a mark for prioritising their most significant risks. This must be clearly stated. Simply saying 'significant risks include….' will not be awarded the professional skill mark. All the identified risks should be significant, so this is not specific enough. Stating 'the most significant risk is….' or 'the two most significant risks are…' should be enough to obtain the credit provided that the identified risk is a significant risk. A second professional skill mark is available for saying why that risk was selected. This may be justified on the basis of the likelihood or potential magnitude of the material misstatement. The mark here is for the demonstration of that evaluation to determine why something is important. There is no specific correct answer that the examining team are looking for, but rather a demonstration of the thought process behind the judgement.
This can be demonstrated in a conclusion at the end of the relevant requirement or through specific numbering and ordering of paragraphs. The former approach is likely to be easier for candidates in exam conditions.
Professional scepticism and judgement
These skills will test the ability of the candidate to challenge management’s accounting decisions and treatments, or to draw conclusions on why risks are significant in the specific scenario as well as the identification of areas of risk and bias. Often the examining team will allow credit for identifying a specific risk of bias from the scenario and additional marks for drawing conclusions on the accounting treatments used by management Scepticism is required to link risks and issues to management motives and consider the wider implications of the issue.
Commercial acumen
This skill can also be demonstrated through the evaluation of risks. Had the marks in the evaluation of business risks not been awarded for appreciating that failure to report may increase the severity of the fine, it could have been awarded here. Commercial acumen can sometimes by thought of as ‘how the world works’ as opposed to how the auditor thinks. For example, in a scenario assessing the risks arising in a group where a subsidiary has a year-end date a month earlier than the parent company, there are several risks arising from the group accounting implications of this situation. There are, however, further risks arising because the additional month of management accounts will make up the difference. Knowing that this extra month will not have been subject to audit, as well as that the company month end procedures are often less comprehensive than their year-end procedures, demonstrates a knowledge of commercial reality and this would form part of the assessment of commercial acumen.
Summary
Candidates preparing for the AAA exam should be mindful that they will be required to evaluate risks in the context of specific information provided in a scenario in the exam. The examining team are looking for depth of evaluation of significant risks, rather than brief and untailored answers covering large numbers of risks. Candidates are recommended to use past published questions to practice evaluating risks in scenarios, but should remain mindful that unless the answer is tailored to the specific information in their current exam scenario , very little credit will be awarded. Well prepared candidates using good technique often achieve full marks in risk questions and this is often indicative of those candidates demonstrating the requisite skills of an auditor.
Reference:
(1) Glossary of Terms, IAASB (2020)