CHAPTER 11 A RISK-BASED AUDIT APPROACH I Review Questions Holding a belief that a potential conflict of interests always exists causes auditors to perform procedures to search for errors or irregularities that would have a material effect on financial statements This tends to make audits more extensive for the auditor and more expensive for the client The situation is not a desirable one in the vast majority of audits where no errors or irregularities exist Errors and irregularities: Auditors are required to plan the audit to detect errors and irregularities that would have a material effect on the financial statements Clients’ illegal acts: Auditors are not required to search for illegal acts, but they are warned to be alert to any that might be detected in the ordinary course of an audit Seven major assertions in financial statements: a Existence assertion: The practical objective is to establish with evidence that assets, liabilities and equities actually exist and that sales and expense transactions actually occurred Cut-off can be considered an aspect of the existence assertion b Occurrence assertion: The practical objective is to establish with evidence that recorded transactions or events that occurred during a given accounting period pertained to the entity c Completeness assertion: The practical objective is to establish with evidence that all transactions of the period are in the financial statements and all transactions that properly belong in the preceding or following accounting periods are excluded Another term for these aspects of completeness is cut-off Completeness also refers to proper inclusion in financial statements of all assets, liabilities, revenue, expense, and related disclosures 11-2 Solutions Manual - Assurance Principles, Professional Ethics… d Rights and Obligations assertion: The practical objectives related to rights and obligations are to establish with evidence that assets are owned (or rights such as capitalized leases are shown) and liabilities are owed e Measurement assertion: The practical objective is to establish with evidence that a transaction or event is recorded at the proper amount and revenue or expense is allocated to the proper period f Valuation assertion: The practical objective is to establish with evidence that proper values have been assigned to things (assets, liabilities, equities and related disclosures) and events (revenues, expenses and related disclosures) Auditing Standards refer to the practical objective of obtaining evidence about “valuations” achieved by cost allocations such as depreciation and inventory costing methods g Presentation and Disclosure assertion: The practical objective is to establish with evidence that accounting principles used by management are appropriate in the circumstances and are applied properly, and that disclosures contain all information required by generally accepted accounting principles Benefits of preliminary assessment of materiality: Fine-tune the audit for effectiveness and efficiency Help auditors avoid surprises related to: Finding out too late about not auditing enough Finding out later about auditing too much Is P500,000 material? Maybe Absolute size If you think so, it’s material just because it’s a large number Relative size No If P500,000 is less than 5% of a relevant base Maybe If P500,000 is between 5% and 10% of a relevant base Yes If P500,000 is 10% or more of a relevant base Nature of the item Yes, P500,000 is material if it arises from an illegal act Yes, auditors have credited discovery of errors and irregularities to analytical review procedures in 27.1% of the cases in a set of audits, and another 18.5% discovery rate was attributed to “prior expectations” and “discussions.” A Risk-based Audit Approach 11-3 In assessing inherent risk and control risk, the auditor must consider the types of errors or irregularities that might occur and their impact on the financial statements (materiality.) In evaluating materiality, the auditor should consider the impact of errors and irregularities both individually and in the aggregate Auditing Standards require that the auditor design the audit to provide reasonable assurance of detecting errors and irregularities that are material to the financial statements Auditing Standards require that audit risk and materiality be considered both in planning the audit and in evaluating audit results Control risk and inherent risk are also directly related to the setting of materiality thresholds If, for example, application of analytical procedures (inherent risk analysis) leads the auditor to suspect earnings inflation, individual item materiality thresholds should be reduced accordingly (i.e., either the materiality percentage or the amount of unaudited income should be decreased.) Similarly, if control risk analysis leads the auditor to suspect numerous errors, aggregate materiality thresholds need to be lowered accordingly An auditor’s reaction to an immaterial error may differ from his or her reaction to an immaterial irregularity Auditors generally accumulate the amount of individual immaterial errors to be sure that the aggregate of all errors is not material In addition, the auditor is concerned about whether an error came from a misunderstanding or other cause that would have resulted in yet more errors during the period An auditor is expected to report all irregularities to the audit committee or the board of directors and senior management Refer to pages 436 to 437 of the textbook Refer to pages 440 to 441 of the textbook 10 Refer to page 430 of the textbook 11 Inventory is included in the acquisitions and payments, payroll and personnel (for manufacturing concerns), and production and warehousing cycles 12 Tolerable misstatement is the amount of materiality allocated to an account or class of transactions Tolerable misstatement is a portion of planning materiality allocated to the audit of an account or class of transactions and is directly related to materiality 13 The factors that should be considered are the peso amount of the account, the likelihood of error, and the cost of auditing the account 14 In evaluating audit risk for an engagement, auditing standards indicate that an auditor should consider (1) management characteristics, (2) operating and industry characteristics, and (3) engagement characteristics 11-4 Solutions Manual - Assurance Principles, Professional Ethics… 15 Use the model AR = IR x CR x DR to solve for different values of Audit Risk (AR) when internal control risk (CR) is given different values In all cases IR = 0.90 and DR = 0.10, therefore, AR = 0.90 x CR x 0.10 When CR is 0.10 0.50 0.70 0.90 1.00 AR is 0.009 or 0.9 percent 0.045 or 4.5 percent 0.063 or 6.3 percent 0.081 or 8.1 percent 0.090 or 9.0 percent 16 a Risk of Assessing Control Risk Too Low or Overreliance is a matter of judgment about the importance (“key”) characteristic of a particular client control procedure An auditor can take more risk of assessing control risk too low on unimportant controls than on important (“key”) ones Alternatively, the risk of assessing control risk too low can be considered a constant (say, 0.05) and the importance of a control can be measured in terms of a smaller or larger tolerable rate (The authors prefer the latter approach.) b Risk of Assessing Control Risk Too High or Underreliance is a matter of judgment about the efficiency of an audit engagement The risk can be quite high when the audit team is willing to extensive substantive work anyway If the work budget is tight, auditors need to find objective ways (e.g., larger test of controls audit samples) to mitigate the risk c Tolerable Deviation Rate is a judgment about how many control deviations can exist in the population, yet the control can still be considered effective Auditors need to be careful about brushing aside findings of deviations d Expected Deviation Rate in the Population is an estimate, usually based on assumptions or sketchy information, of the imbedded incidence of control deviations The only use of this estimate in classical attribute sampling is to figure a sample size in advance The statistical evaluation (CUL calculation) does not use it e Population Definition might be called a judgment about identification of the population of control performances that correspond to an audit objective For example, an auditor would want to be sure he is sampling from a file of recorded documents if his objective is to audit the controls over transaction validity 17 Assessing the control risk too low causes auditors to assign less control risk (CR) in planning procedures than proper evaluation would cause them to assign The result could be (1) inadvertently conducting less audit work than properly A Risk-based Audit Approach 11-5 necessary and taking more audit risk (AR) than originally contemplated, perhaps to the unpleasant results of failing to detect material misstatements (damaging the effectiveness of the audit) or (2) discovering in the course of the audit work that control is not as good as first believed, causing an increase in the audit work, perhaps at a time when doing so is very costly (damaging the efficiency of the audit) 18 The important consideration involved in judging an acceptable risk of assessing control risk too high is the efficiency of the audit Assessing control risk too high causes auditors to think they need to perform a level of substantive work which is greater than a proper evaluation of control would suggest Assessing control risk too high leads to overauditing Some auditors may be willing to accept high risks of assessing the control risk too high because they intend to overaudit anyway, and the audit budget can support the work Other auditors want to minimize their work (within acceptable professional bounds of audit risk) and thus want to minimize the risk (probability) of overauditing by mistake Technically, the risk of assessing control risk too high in relation to an attribute sample is the probability of finding in the sample (n) one deviation more than the “acceptable number” for the sampling plan For example, if the plan called for a sample of 100 units and a tolerable rate of percent at a 0.10 risk of assessing control risk too low, the “acceptable number” is zero deviations The probability of finding or more deviations when the population rate is actually percent is: Probability (x > : n = 100, r = 0.02) = = = – (1 – r) n – (1 – 0.02) 100 0.867 or 86.7 percent 19 All the elements of the risk model are products of auditors’ professional judgments Auditors must judge: Inherent risk – the probability that material errors or irregularities have entered the accounting system used to develop financial statements Internal control risk – the probability that client’s system of internal control policies and procedures will fail to detect material errors and irregularities, provided any enter the data accounting system in the first place Analytical procedures risk – the probability that auditors’ analytical procedures will fail to produce evidence of material errors and irregularities, provided any have entered the accounting system in the first place and have not been detected and corrected by the client’s internal control procedures 11-6 Solutions Manual - Assurance Principles, Professional Ethics… Audit risk – the probability that auditors will not discover by any means errors and irregularities that cause an account balance to be materially misstated Test of detail risk appears at first glance to be the product of a formula and not a professional judgment However, everything in the risk model is a judgment, so the test of detail derived from the model is no less a judgment 20 An incorrect acceptance decision directly impairs the effectiveness of an audit Auditors wrap up the work and the material misstatement appears in the financial statements An incorrect rejection decision impairs the efficiency of an audit Further investigation of the cause and amount of misstatement provides a chance to reverse the initial decision error 21 Detection risk is the component of audit risk that is controllable by the auditor It may be raised or lowered by reducing or increasing the amount of substantive audit testing It is determined by the auditor’s assessment of inherent risk and control risk 22 The auditor deals with both inherent risk and control risk during the planning phase of the audit Inquiry of client personnel, study of the business and industry, application of analytical procedures, and documentation of the auditor’s initial understanding of internal control are all performed during the planning phase of the audit Further study of internal control procedures may occur after the planning phase if the auditor wishes to further reduce the assessed level of control risk, and considers it economically feasible to so 23 An auditor would assess control risk to be at maximum when (1) effective controls for the assertion have either not been designed or not put in place, or (2) when the auditor believes performing substantive tests of the assertion is more cost effective When an auditor assesses control risk to be below the maximum, the auditor should believe that effective controls are present to prevent or detect misstatements in the financial statement assertions 24 When the auditor assesses control risk at a level lower than maximum, the auditor may generally perform fewer substantive tests 25 The audit risk model is useful in managing audit risk for assertions By determining planned audit risk for an assertion, assessing inherent and control risks, an auditor can determine the allowable detection risk (the amount of detection risk an auditor can allow) for an assertion Allowable detection risk is used to determine the nature, timing, and extent of audit procedures for the assertion A Risk-based Audit Approach 11-7 26 Detection risk exists because auditors (1) may use an inappropriate audit procedure, (2) may misapply an audit procedure, (3) may misinterpret the findings, or (4) not examine 100 percent of an account balance or transaction class 27 The amount of audit evidence an auditor must gather varies inversely with allowable detection risk As allowable detection risk decreases, the amount of evidence required increases, and vice versa Chapter 12 introduces audit procedures and discusses how auditors modify audit procedures to obtain sufficient competent evidential matter by changing (1) the nature, (2) the timing, or (3) the extent of procedures 28 The audit risk model is Audit risk (AR) = Inherent risk (IR) x Control risk (CR) x Detection risk (DR) 29 Risks identified at the financial statement level may have a substantial impact on the assessment of inherent risk for specific assertions For example, concern about management integrity, identified as a risk at the financial statement level, would cause an auditor to assess a higher level of inherent risk for existence of sales II Multiple Choice Questions 10 d c c b d a c d c d 11 12 13 14 15 16 17 18 19 20 d a c c a a a d b d 21 22 23 24 25 26 27 28 29 30 b d d c d a b a a b 31 32 33 34 35 36 37 38 39 40 b a d a d d c b a a 41 42 43 44 45 46 47 48 49 50 b d a c c d d c b d 51 52 53 54 55 56 57 58 59 60 a a b a c d b d d c 61 a 62 c 63 d III Comprehensive Cases Case a Antonio’s activity is an irregularity (intentional distortion of financial statements) rather than error (unintentional mistake) It is also an illegal act on Antonio’s individual part b The problem does not describe the kind of related party transactions discussed in PSA 550 11-8 Solutions Manual - Assurance Principles, Professional Ethics… c Yes, a weakness in internal control exists It may be considered a material weakness because the compensating control (internal auditors’ work on slow-moving inventory) did not operate in a timely enough manner to detect the irregularity before it had gotten large If a material weakness in internal control exists, Brava & Campos are obligated to report it to management and/or the board of directors d The problem description indicates that this element of the audit was conducted in a negligent manner There’s nothing wrong about auditing a sample of the transactions, but Campos’ follow-up and explanation of the missing receiving reports leaves much to be desired At the very least he could have reviewed the reports produced by Antonio at a later date, and he could have traced the purchases to the inventory records and perhaps noticed an over-stocking condition The auditors had some evidence that an irregularity might exist, but they failed to apply extended audit procedures properly Case a Yes Nicolas was a party to the issuance of false financial statements and as such is a joint tortfeasor The elements necessary to establish an action for common law fraud are present There was a material misstatement of fact, knowledge of falsity (scienter), intent that the plaintiff bank rely on the false statement, actual reliance and damage to the bank as a result thereof If action is based upon fraud there is no requirement that the bank establish privity of contract with the CPA Moreover, if the action by the bank is based upon ordinary negligence, which does not require a showing of scienter, the bank may recover as a third-party beneficiary (an exception to the strict privity requirement) Thus, the bank will be able to recover its loss from Nicolas under either theory b No The lessor was a party to the secret agreement As such, the lessor cannot claim reliance on the financial statements and cannot recover uncollected rents Even if he was damaged indirectly, his own fraudulent actions led to his loss, and the equitable principle of “unclean hands” precludes him from obtaining relief c Nicolas was not independent His report is improper and he is probably subject to disciplinary action by the professional organization or regulatory body According to the ethics interpretation on actual or threatened litigation: “An expressed intention by the present management to commence litigation against the auditor alleging deficiencies in audit work for the client is considered to impair independence if the auditor concludes that there is a strong possibility that such a claim will be filed.” A Risk-based Audit Approach 11-9 Case 3 h k g j f a Case a b Sales and collections cycle Presentation and disclosure a b Production and warehousing Valuation a b Acquisitions and payments Existence a b Investing and financing Existence a b Acquisitions and payments Existence a b Investing and financing Valuation a b Investing and financing Rights and obligations o l c 10 b 11 n 12 p Case a Audit Risk = Inherent Risk x Control Risk x Detection Risk Detection Risk = Audit Risk / (Inherent Risk x Control Risk) Detection Risk = 3% / (100% x 50%) Detection Risk = 6% b Detection Risk = Audit Risk / (Inherent Risk x Control Risk) Detection Risk = 5% / (100% x 50%) Detection Risk = 10 % 13 i 14 d Case (1) Adjustment is not necessary for two reasons: (a) The amount involved is not material (b) The present classification is an acceptable one (2) Reclassification of the credit balances is not warranted because the amounts are not material (3) Making direct entries in the general ledger without use of journals is not an 11-10 Solutions Manual - Assurance Principles, Professional Ethics… acceptable practice It prevents proper authorization, is conducive to errors, and may be used to conceal fraud Journal entries should be developed by the client for the transactions in question regardless of the amounts involved (4) Credit memoranda should be controlled by serial numbers and should bear the approval signature of an executive in all cases Any violation of these rules is a virtual invitation to the concealment of irregular transactions The client should be so advised in the report on internal control (5) Explanations should be required for all general journal entries A transaction regarded as usual by one employee might be considered as unusual by another, and the practice now in effect will surely lead to journal entries not readily understandable The client should be so advised (6) Missing posting references should be determined and inserted in the ledger by the client’s employees (7) No adjustment is required because the amount is not material Even if the amount were material, no adjustment would be required for the purpose of calendar year financial statements (8) This insignificant shortage should be called to the attention of the petty cash custodian and any paper work thereby avoided; the amount involved does not warrant any action by the auditors (9) An adjusting entry should be proposed as follows: Advertising Expense 3,000 Miscellaneous Expense 3,000 To correct erroneous classification for expenditures for advertising (10) An adjusting entry is probably warranted in the case although the amount is relatively small As a means of assuring that all notes payable outstanding are reflected in the accounts, it is helpful to compute each period’s interest expense exactly and to reconcile this amount with the notes shown as outstanding Prepaid Interest 1,000 Interest Expense 1,000 To defer interest expense applicable to the succeeding period (P12,000 x 10/120.) Case The purposes of obtaining the representation letter are to have management acknowledge their primary responsibility for the financial statements, and to get A Risk-based Audit Approach 11-11 in writing the important oral representations that have been obtained from management during the course of the audit PSA 500, Audit Evidence, requires that the auditors obtain written representations from management on every audit engagement Failure to so is a “scope limitation,” which precludes the auditors from issuing an unqualified opinion The representation letter should be signed by members of management that are responsible for and knowledgeable about the matters covered by the representations and that, normally, they should be signed by the chief executive officer and the chief financial officer The auditors should consider the effects of management’s refusal to furnish written representations on their ability to rely on other of their representations PSA 700, The Auditor’s Report on Financial Statements, states that when the client imposes restrictions that significantly limit the scope of the audit, the auditors generally should issue a disclaimer of opinion (a) The following are alternative courses of action that are available to you, and supporting arguments (1) You could accept Angeles’ suggestion and issue an unqualified opinion Delos Santos is no longer part of management of the company Therefore, there is no reason to require his signature on the representation letter Your firm can still adhere to the letter of the standard by having Gamboa sign the letter (2) You could issue a qualified opinion because of the scope limitation delos Santos was an important part of management during the period under audit He is knowledgeable of and responsible for many of the matters covered by the representations Failure to obtain his signature would be a significant scope limitation Since delos Santos is no longer part of management, this is not a scope limitation imposed by the client that would generally result in a disclaimer of opinion (3) You could issue a disclaimer of opinion, using the arguments from (2), but concluding that the refusal to sign is a scope limitation imposed by management The mysterious circumstances surrounding the resignation of delos Santos might also support this conclusion (4) You could withdraw from the engagement This course of action may be justified if delos Santos’ refusal to sign the letter causes you to question the integrity of management The unanswered questions regarding the reasons for delos Santos’ resignation also provide some support for this course of action 11-12 Solutions Manual - Assurance Principles, Professional Ethics… (b) Our opinion: The mysterious circumstances surrounding the resignation of delos Santos should be of as much concern as delos Santos’ failure to sign the representation letter Perhaps delos Santos’ was being forced by other members of management to misstate the financial statements Assuming that the auditors could resolve their concerns about that matter, it probably would not be necessary to obtain delos Santos’ signature on the letter, and an unqualified opinion could be issued Obtaining the signature of Gamboa on the letter also is probably not important, because he is neither knowledgeable of nor responsible for the matters contained in the representation letter Case Factors that will affect your evaluation of audit risk include • • • • • integrity of management – Jimenez’s reputation and lawsuit trend toward domination of operating and financial decisions by Jimenez increased management compensation based on performance aggressive attitude toward financial reporting by new personnel profitability inconsistent with the industry Case The factors that will affect Josefina’s audit risk and business risk are (a) this is a special audit, (b) the audit will be used to set the value of certain assets, (c) the auditor is to evaluate any disputed amount (although this is a common provision in purchase agreements, one might question whether auditors should agree to such terms), and (d) the materiality level is set at P50,000, even though that is considerably below an amount that might be determined using a percentage of assets and/or income These factors will increase the risk at the financial statement level and potentially increase business risk Case 10 a The audit risk model gives the following results: AR = IR x CR x DR (or) DR x AR / (IR x CR) (1) 2.5% (2) 0.67% (3) (4) 3.33% (5) 2.5% In the third situation, the auditor does not have to accumulate any evidence because inherent risk and control risk give the appropriate level of planned audit risk b (1) (tied) (2) (4) (5) (tied) A Risk-based Audit Approach Case 11 a b Case 12 (3) (1) (2) (3) b a b a b a b Medium (4) Low Low (5) Low Low (1) Least (2) (tied) (3) (tied) a a b 11-13 (4) (tied) (5) (tied) This will have an impact on audit risk for valuation of accounts receivable Accumulation of additional evidence regarding collectability of receivables will be necessary This situation may or may not affect overall audit risk, depending on the impact of the financing needed and whether the company will become so heavily leveraged that profitability becomes inadequate This situation might create increased business risk because of the potential change in ownership It would have an impact on audit risk for valuation of stockholders’ equity Additional evidence will have to be accumulated relating to stockholders’ equity, as well as any additional debt incurred The client’s changing of its accounting system will affect control risk in each cycle, primarily for existence, completeness, and valuation Additional information will have to be accumulated about the system in each cycle This will affect risk at the financial statement level, which may also have an impact on risk for assertions relating to earnings and valuation of assets For example, the volatility in the industry may indicate the potential for inadequate industry earnings or for a client’s earnings being inconsistent with the industry Additional evidence will have to be accumulated about the financial viability of the client and to provide evidence that management fraud does not exist The increase in inventory will affect existence and valuation of inventory Additional evidence will have to be accumulated about the existence and valuation assertions 11-14 Solutions Manual - Assurance Principles, Professional Ethics… Case 13 a b c Sales and collection Primarily affects existence, completeness, and valuation assertions Increase a b c Acquisitions and payments Potential impact on all assertions Increase a b c Sales and collections Valuation, cutoff, and existence No effect a b c Production and warehousing Valuation Increase ... corrected by the client’s internal control procedures 11-6 Solutions Manual - Assurance Principles, Professional Ethics… Audit risk – the probability that auditors will not discover by any means... audit risk that is controllable by the auditor It may be raised or lowered by reducing or increasing the amount of substantive audit testing It is determined by the auditor’s assessment of inherent... should be signed by members of management that are responsible for and knowledgeable about the matters covered by the representations and that, normally, they should be signed by the chief executive