F8 – Chapter 2 – Planning and risk assessment
Key Highlights on Chapter 2
Introduction to Risk in Auditing:
- Overview of the risk management process within the organization being audited.
- Understanding how risks are identified, assessed, and managed by the organization’s management and internal control systems.
Materiality in Auditing:
- Significance of errors, misstatements, or omissions in financial statements influencing economic decisions.
- Consideration when planning and performing audit procedures to focus on areas with potential significant impact.
Purpose of Assessing Risks of Material Misstatement:
- Developing audit procedures and responses tailored to address specific risks identified.
- Ensuring effective and efficient audit engagements by focusing efforts on areas of higher risk.
Auditor’s Response to Identified Risks:
- Conducting additional audit procedures to obtain sufficient appropriate audit evidence.
- Enhancing the reliability and effectiveness of audit conclusions and reporting.
Risk Assessment in Auditing:
- Identification and assessment of risks of material misstatement in the organization’s financial statements.
- Developing a risk-based audit plan to address areas of higher risk.
Role of Legal Compliance and Regulations in Risk Assessment:
- External factors influencing risk by imposing legal obligations, standards, and requirements.
- Guiding the audit approach and procedures to ensure adherence to applicable laws and regulations.
Importance of Documentation of Risk Assessment:
- Providing evidence of the audit work performed, including identification, assessment, and response to risks.
- Ensuring transparency, accountability, and quality of the audit engagement.
Primary Objective of Legal Compliance and Regulations:
- Ensuring the organization’s adherence to applicable laws, regulations, and standards governing financial reporting and internal controls.
- Mitigating risks associated with non-compliance, such as financial penalties and reputational damage.
Tolerable Misstatement:
- Acceptable level of error or misstatement in financial statements without affecting the audit opinion.
- Benchmark for assessing sufficiency and appropriateness of audit evidence obtained.
Outcome of a Well-Documented Risk Assessment Process:
- Improved audit efficiency by providing a clear understanding of the organization’s risk profile.
- Development of a risk-based audit plan to address areas of higher risk effectively and allocate audit resources efficiently.
Topic 1 Introduction to Risk
When conducting a risk assessment in accordance with the ISAs (International Standards on Auditing), auditors aim to pinpoint areas in the financial statements that are vulnerable to significant misstatements. This assessment forms the foundation for devising and executing subsequent audit procedures.
The Auditor’s Overall Objectives
Throughout the audit process, including the risk assessment stage, auditors must remain aligned with the overarching objectives. The comprehensive description of these objectives can be found in ISA 200, which defines the primary goals of an independent auditor conducting an audit in accordance with International Standards on Auditing:
“To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and to report on the financial statements, and communicate as required by the ISAs, in accordance with the auditor’s findings.”
In the pursuit of reasonable assurance that the financial statements are free from material misstatement, auditors must assess where such misstatements are most likely to occur. A risk assessment, as prescribed by the ISAs, aids auditors in ensuring that areas prone to significant misstatements are thoroughly examined and scrutinized during the audit. Conversely, it also assists in identifying areas with lower risk where more limited testing may be appropriate, preventing unnecessary over-testing.
Conducting the Audit in Accordance with ISAs
Conducting the audit in compliance with the ISAs and meeting individual objectives is pivotal to fulfilling the aforementioned overarching objective. As a result, ISA 200 mandates that auditors possess a complete understanding of all relevant ISAs associated with the audit. Additionally, auditors may need to go beyond ISA requirements if they believe it is necessary to meet the specific objectives of an ISA.
To achieve the overall objective, auditors must exercise professional skepticism, apply professional judgment, and adhere to ethical requirements. These topics are covered in the next section.
The ISAs also address the general responsibilities of auditors and their implications for specific subjects. Failing to conduct audits in accordance with recognized auditing standards, such as the ISAs, may result in the omission of crucial responsibilities.
Moreover, auditing standards harmonize the audit reports across the board. If all audits are performed in line with standards defining auditors’ expectations, users of financial statements can have equal confidence in the opinions of different auditors.
Furthermore, adherence to ISAs equips regulatory bodies in the auditing profession with a benchmark for evaluating auditors. Failure to comply with ISAs could lead to restrictions on conducting audit assignments. Consequently, these factors collectively elevate the quality of audit assignments to a higher standard.
Professional Skepticism, Professional Judgment, and Ethical Requirements
Auditors are obligated to execute audits with a stance of professional skepticism, exercise professional judgment, and adhere to ethical standards.
Professional skepticism involves maintaining a mindset that incorporates a critical approach, remains vigilant for indications of potential misstatement due to error or fraud, and subjects audit evidence to a critical evaluation.
Professional judgment encompasses the application of relevant training, knowledge, and experience to make informed decisions concerning suitable courses of action in the context of the audit engagement.
Professional Skepticism
ISA 200 dictates that auditors should plan and conduct audits with professional skepticism, acknowledging the possibility of circumstances that could lead to material misstatements in the financial statements. This calls for vigilance in identifying:
– Audit evidence that contradicts other obtained evidence.
– Information that raises doubts about the reliability of documents and responses used as audit evidence.
– Conditions that may signal potential fraud.
– Scenarios suggesting the need for audit procedures beyond those mandated by the ISAs.
Sustaining professional skepticism throughout the audit process is essential to avoid neglecting unusual transactions, making overly broad generalizations when drawing conclusions, and employing inappropriate assumptions in determining the nature, timing, and extent of audit procedures and in assessing their results.
Moreover, professional skepticism plays a crucial role in critically assessing audit evidence, encompassing the scrutiny of contradictory evidence and the reliability of documents and responses received from management and governance bodies.
Professional Judgment
ISA 200 further mandates that auditors exercise professional judgment while planning and conducting the audit of financial statements. Professional judgment is exercised in various areas:
– Materiality and audit risk
– Determining the nature, timing, and extent of audit procedures
– Evaluating whether sufficient and appropriate audit evidence has been obtained
– Assessing management’s judgments in applying the relevant financial reporting framework
– Forming conclusions based on the audit evidence collected
Ethical Requirements
ISA 200 underscores that auditors must adhere to the relevant ethical requirements, which encompass aspects of independence, as discussed in Chapter 4 of this study text.
Audit Risks
Auditors customarily adopt a risk-based approach to auditing, as mandated by the ISAs. In this approach, auditors evaluate the risks associated with the client’s business, transactions, and systems that could potentially result in misstatements within the financial statements. Subsequently, they direct their testing efforts toward areas deemed to be at higher risk.
How to Identify Audit Risks
A proficient auditor must possess the ability to pinpoint those risks that could potentially lead to misstatements in the financial statements. This explains why audit risk questions are a common feature of the F8 examination. It is crucial to understand the distinguishing factors that qualify a risk as an audit risk, as opposed to a more general operational or business risk. The pivotal distinction lies in the direct link to the financial statements. Failure to keep a vigilant eye on risks that might result in misstatements in the financial statements can considerably lengthen the audit process, rendering it inefficient.
Consider the situation where you are auditing a manufacturing company, let’s say XYZ Co, with a pre-tax profit of $60 million. During the course of your audit, you uncover the following information about your client:
“XYZ Co owns significant plant and machinery, which it uses for its production. In the past year, the company significantly enhanced the efficiency of its machinery. This was achieved through a comprehensive evaluation of each piece of machinery, followed by a decision on whether to perform minor repairs, extensive refurbishment, or complete replacement as deemed necessary. XYZ Co took appropriate actions in each case, incurring a total expenditure of $15 million.”
From this, it is evident that management had identified a general operational risk from their perspective – that the plant and machinery were not efficient enough for the business’s requirements. Management took actions they deemed suitable, such as replacing, overhauling, or repairing the machinery. There might be additional operational risks stemming from these actions, such as the staff requiring time to adapt to the new machinery.
However, the role of an auditor goes beyond these operational concerns. The auditor must delve deeper and contemplate how the above-mentioned issues could ultimately result in misstatements within the financial statements. This analysis unveils the audit risks. Key considerations involve understanding where the expenditure for repairs, refurbishment, and new machinery should be reflected in the financial statements and what could potentially go awry in this process.
A solid grasp of IAS 16, which you covered in your prior studies, provides insights. It is clear that expenditures must generate future economic benefits to be classified as non-current assets. Costs that do not meet this criterion should be recognized as repair expenses in the statement of profit or loss. In our scenario, it appears that there is expenditure on replacement assets, extensive refurbishment, and general repairs. This presents a situation with some degree of judgment regarding whether certain expenditures qualify as capital or revenue expenditure. The circumstances are unlikely to offer a straightforward resolution. Consequently, there is a risk that the $15 million has not been accurately accounted for, potentially leading to:
– Inclusion of amounts in non-current assets that do not genuinely exist because they essentially constitute repairs (related assertion: existence of non-current assets).
– Potential incompleteness of the repairs expense (or, in fact, possible incompleteness of the non-current assets if capital-related expenditures have also been categorized as repairs).
In the event this scenario appears in the exam, one of the resulting audit risks is as follows: “Expenditure on repairs is erroneously classified as non-current assets, which could result in non-existent assets being included in the statement of financial position.”
The Procedural Approach
In contrast, a procedural approach is not in accordance with the ISAs. In a procedural approach, the auditor performs a set of standard tests regardless of the client’s specific circumstances and the nature of its business. Adopting a procedural approach could increase the risk of the auditor giving an inappropriate opinion on the truth and fairness of the financial statements.
Overall Audit Risk
Audit risk refers to the likelihood that the auditor might issue an inappropriate audit opinion in cases where the financial statements contain material misstatements. It encompasses both the risk of material misstatement (comprising inherent risk and control risk) and the risk that the auditor may fail to detect such misstatements (detection risk).
In the preceding section, we examined the process of identifying individual risks that could lead to misstatements in the financial statements, which we also referred to as audit risks (the terminology commonly used in F8 exams). The ISAs, however, refer to these individual risks as the risks of material misstatement.
Each of these individual risks can contribute to the overall audit risk, which represents the risk that the auditor might deliver an inappropriate audit opinion when the financial statements are materially misstated.
Now, let’s delve into the notion of overall audit risk, particularly the audit risk model. Understanding this model empowers the auditor to take measures aimed at reducing the overall audit risk to an acceptable level. It’s important to clarify that when we mention “audit risk” below, we are referring to the comprehensive risk associated with issuing an inappropriate audit opinion.
Audit risk involves two primary components. One component hinges on the attributes of the entity and pertains to the risk of material misstatement emerging in the financial statements (comprising inherent risk and control risk). The other component is contingent upon the auditor and relates to the risk of the auditor failing to detect material misstatements in the financial statements (detection risk). In essence, audit risk can be expressed through the audit risk model:
Audit risk = Inherent risk × Control risk × Detection risk
Inherent Risk
Inherent risk signifies the vulnerability of a specific assertion to a potential misstatement that could be significant either on an individual basis or when aggregated with other misstatements, assuming that no relevant internal controls exist.
Inherent risk is the risk that items may be inaccurately stated due to their inherent characteristics, such as when they involve estimates or represent substantial items in the financial statements. Auditors need to apply their professional judgment and utilize all accessible knowledge to evaluate inherent risk. If no such information or knowledge is available, inherent risk is regarded as high.
The extent of inherent risk is influenced by various factors, including the nature of the entity (including the industry it operates in and the applicable regulations) and the strategies adopted by the entity. Further examples of inherent risks will be explored in later sections of this chapter.
Control Risk
The other aspect of the risk of material misstatements in the financial statements is control risk. Control risk is the risk that a substantial misstatement, which could occur in an assertion and might be material either individually or when aggregated with other misstatements, will not be prevented or identified and rectified in a timely manner by the entity’s internal controls.
We will delve deeper into control risk in Chapter 9 when we discuss internal controls.
Detection Risk
Detection risk encompasses the risk that the procedures carried out by the auditor to minimize audit risk to an acceptably low level may fail to uncover a misstatement that exists and could be significant, either on an individual basis or when aggregated with other misstatements.
Detection risk represents the component of audit risk over which auditors have a measure of control. In circumstances where the risk is intolerably high, auditors can intensify their efforts to diminish this facet of audit risk and, consequently, reduce overall audit risk. Elevating sample sizes is one means to mitigate detection risk. Sampling risk and non-sampling risk, which will be discussed in greater detail in Chapter 11, are components of detection risk.
However, expanding sample sizes and augmenting the volume of work is not the sole strategy for managing detection risk. This is because detection risk is influenced by the efficacy of an audit procedure and the manner in which it is implemented by the auditor. Beyond increasing sample sizes or conducting more work, the following measures can enhance the effectiveness and application of procedures, thereby diminishing detection risk:
– Adequate planning
– Allocation of more experienced personnel to the engagement team
– Application of professional skepticism
– Heightened supervision and review of audit work
All of the above measures reduce the likelihood of an auditor selecting an inappropriate audit procedure, misapplying a suitable audit procedure, or misinterpreting the results of the audit.
Management of Audit Risk
ISA 200 dictates that “to obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion.”
Auditors aim to maintain the overall audit risk at an acceptable level. In other words, if there is a substantial risk of providing an erroneous opinion that could result in legal action, it might be wiser for auditors to decline the audit engagement. Auditors evaluate the risk associated with a new audit client during the acceptance process and may choose not to proceed with the engagement. Nonetheless, they also take into account audit risk for each specific audit and endeavor to manage it.
As elucidated earlier, auditors do not have the capacity to influence inherent or control risk, as these factors
Business Risk
The auditor should also be mindful of another significant risk category, which is business risk. We previously discussed the importance of focusing on risks that have an impact on the financial statements. It’s worth mentioning that, while business risk falls beyond the purview of the F8 syllabus from an external audit perspective, a brief consideration of it can help avoid any confusion with audit risk – a crucial aspect of the Audit and Assurance syllabus.
In Chapter 5, we briefly introduced the concept of business risk in the context of the internal audit’s role in risk management and organizational control. It’s important to remember that business risk pertains to the innate risks associated with a company’s operations.
Topic 2 Materiality
The determination of materiality for the financial statements as a whole and the establishment of performance materiality are crucial steps in the planning of all audits. These calculations or estimations must rely on professional judgment and past experiences. Materiality for the overall financial statements should also be reevaluated as needed during the audit.
Guidance for auditors in this domain is provided by ISA 320 – Materiality in planning and performing an audit. This standard outlines the auditor’s objective of appropriately applying the concept of materiality when planning and executing the audit.
Although ISA 320 doesn’t explicitly define materiality concerning the financial statements as a whole, it highlights the following general considerations:
(a) Misstatements are deemed material when they, individually or collectively, could reasonably be expected to affect the economic decisions of users.
(b) Judgments on materiality are context-dependent and influenced by the size and nature of a misstatement, or a combination thereof.
(c) Assessments of matters that are material to financial statement users are based on an understanding of the common financial information needs of users as a collective.
This implies that auditors must concentrate on identifying “material” errors, omissions, and misstatements, taking into account both the quantity and quality of these discrepancies. For instance, the lack of disclosure regarding ongoing litigation could be regarded as material.
The auditor’s task is to define their own materiality thresholds, a process inherently guided by judgment and dependent on the level of audit risk. The higher the anticipated risk, the lower the materiality value.
This materiality level significantly influences the auditor’s decisions, including:
– The extent to which items are examined.
– The selection of items for examination.
– The potential use of sampling techniques.
– The threshold for a modified audit opinion.
Determining and calculating materiality and performance materiality during the audit’s planning phase
During the planning phase, the auditor is responsible for establishing materiality for the financial statements as a whole and for setting performance materiality levels. Determining materiality for the financial statements as a whole requires professional judgment and often involves applying a percentage to a chosen benchmark. The choice of benchmark may be influenced by several factors, including the elements of the financial statements, the items on which users tend to focus, and the entity’s nature, industry, economic environment, ownership structure, and financing arrangements. Possible benchmarks include profit before tax, gross profit, revenue, total assets, net assets, or profit after tax.
However, applying the same materiality for the financial statements as a whole to individual account balances may lead to the omission of testing on seemingly immaterial balances. This oversight can accumulate errors or misstatements that, when combined, become material. To address this issue, the auditor is required to establish performance materiality levels, which are lower than the materiality for the financial statements as a whole, reducing the risk of aggregated misstatements exceeding materiality. These performance materiality levels may vary depending on the level of risk or qualitative considerations.
Determining performance materiality largely hinges on the auditor’s professional judgment and considers factors like previous audit findings, the auditor’s knowledge of the entity, and the results of risk assessment procedures.
It’s essential to understand that materiality isn’t solely quantitative. Qualitative factors must also be considered. Some misstatements may fall below the quantitative benchmarks but still be material because of their qualitative implications. This can happen when laws, regulations, financial reporting frameworks, or industry-specific standards influence the perception of users. In such cases, even small misstatements could be considered material. For example, a company’s research and development costs could be seen as a key disclosure for users in the pharmaceutical industry. Additionally, the significance of a specific aspect of an entity’s business that is separately disclosed in the financial statements (e.g., a recently acquired business) can also make small misstatements material.
Topic 3 Assessing the Risks of Material Misstatement
After gaining an understanding of the entity, the auditor must evaluate the risks of material misstatement in the financial statements, including the identification of significant risks. Assessing and responding to risk is a core element of the audit process, and you might encounter scenarios in the exam where you’ll need to pinpoint risks related to a client. For additional insights on the requirements of ISA 315, you can refer to an article published in the November 2009 edition of Student Accountant.
Identification and Assessment of Risks of Material Misstatement
According to ISA 315, the auditor is tasked with identifying and assessing the risks of material misstatement at both the financial statement level and the assertion level for various transaction classes, account balances, and disclosures. This process entails the following steps:
– The identification of risks while gaining an understanding of the entity and its operating environment.
– The assessment of these identified risks, including an evaluation of whether they have a more pervasive impact on the entire financial statements.
– Relating the identified risks to potential misstatements at the assertion level.
– Considering the likelihood of these risks resulting in a material misstatement.
Assertions represent management’s representations, either explicit or implicit, that are reflected in the financial statements. Auditors use these assertions to evaluate the different types of possible misstatements in detail, a subject explored in Chapter 8.
Significant Risks
Significant risks are characterized by complex or unusual transactions that might indicate the presence of fraud or other specific risks. These are the risks that necessitate special attention during the audit.
As part of the aforementioned risk assessment process, the auditor must determine whether any of the risks qualify as significant risks. Several factors indicate that a risk might be considered significant:
– The potential for fraud (as discussed in Section 6).
– Its connection to recent economic, accounting, or other developments.
– The degree of subjectivity involved in the financial information.
– Unusual nature of the transaction.
– A substantial transaction involving a related party.
– The complexity of the transaction.
Routine, straightforward transactions are less likely to pose significant risks compared to unusual transactions or matters reliant on management’s judgment. This is because unusual transactions tend to involve more:
– Managerial involvement.
– Complex accounting principles or calculations.
– Manual intervention.
– Opportunities for control procedures to be disregarded.
Upon identifying a significant risk, the auditor, if not done already, must develop an understanding of the entity’s controls relevant to that risk.
Topic 4 Responding to the Risk Assessment
Once the auditor has assessed the risks of material misstatement, they must develop an appropriate strategy to address these risks. The objective of ISA 330, “The auditor’s responses to assessed risks,” is for the auditor to obtain sufficient and suitable audit evidence about these risks by designing and implementing appropriate responses.
In the context of your examination, you may be required to propose procedures as a response to identified risks. To deepen your understanding of how to handle these risks during the audit process, consider reading an article published in the August 2010 edition of Student Accountant. Additionally, you should revisit the article from November 2011 mentioned in a previous exam focus point.
Overall Responses
Overall responses encompass various aspects, such as stressing to the audit team the importance of professional skepticism, allocating more staff, employing experts, or enhancing supervision.
In response to the risks of material misstatement at the financial statement level, overall responses may involve modifying the general audit strategy or reaffirming the general audit strategy to the staff. For example:
– Emphasizing to the audit staff the necessity of maintaining professional skepticism.
– Assigning additional or more experienced staff to the audit team.
– Providing greater oversight throughout the audit.
– Introducing more unpredictability into the audit procedures.
– Implementing general changes in the nature, timing, or extent of audit procedures.
The audit team’s evaluation of the control environment, conducted as part of the assessment of the client’s internal control systems, will help determine the appropriate audit approach.
Responses to Risks of Material Misstatement at the Assertion Level (December 2007)
The ISA stipulates that the auditor must design and carry out additional audit procedures. The nature, timing, and extent of these procedures should be based on and responsive to the assessed risks of material misstatement at the assertion level. “Nature” refers to the purpose and type of tests performed, which may include tests of controls and substantive tests.
When suggesting responses to identified audit risks, it’s crucial to consider responses the auditor should take, not responses that should be implemented by management. In the June 2011 exam, students lost marks for proposing management responses instead of auditor responses to identified risks.
Tests of Controls
Tests of controls are audit procedures intended to assess the operational effectiveness of controls in preventing, detecting, and rectifying material misstatements at the assertion level.
When the auditor’s risk assessment includes an expectation that controls are operating effectively, the auditor should design and perform tests of controls to obtain sufficient and appropriate audit evidence that the controls are in fact operating effectively.
The auditor should also undertake tests of controls when it is impossible to obtain sufficient and appropriate audit evidence solely from substantive procedures. This might be the case if the entity conducts its operations using IT systems that do not produce transaction documentation.
In performing tests of controls, auditors should utilize inquiry but should also employ other procedures. Re-performance and inspection procedures often prove to be valuable.
When considering the timing of tests of controls, the nature and purpose of the test should be taken into account. For example, if a company carries out a year-end inventory count, controls over inventory counting can only be tested at year-end. Other controls may operate throughout the year, requiring testing to ensure their effectiveness over the entire period.
Some controls may have been tested in prior audits, and the auditor may decide to rely on that evidence of their effectiveness. However, if the related risk has been identified as a significant risk, the auditor should not rely on past testing but should perform testing in the current year.
Substantive Procedures
Substantive procedures refer to audit procedures designed to detect material misstatements at the assertion level. These encompass tests of details of classes of transactions, account balances, and disclosures, as well as substantive analytical procedures.
The auditor is required to perform substantive procedures on material items, regardless of the assessed risk of material misstatement. The ISA mandates that substantive procedures be designed and executed for each material class of transactions, account balance, and disclosure.
In addition, the auditor should perform the following substantive procedures:
– Agreeing or reconciling the financial statements with the underlying accounting records.
– Examining significant journal entries.
– Reviewing other adjustments made during the preparation of the financial statements.
Substantive procedures can be categorized into two groups: analytical procedures and tests of details. The auditor must determine when each type of substantive procedure is most appropriate. While these procedures are discussed in greater detail in Chapter 11, they are briefly introduced here.
Analytical procedures, as substantive procedures, are typically suitable for high volumes of predictable transactions (such as wages and salaries). Tests of detail may be more appropriate when examining account balances, such as inventory or trade receivables.
Tests of detail, rather than analytical procedures, are generally better suited to addressing matters identified as significant risks. However, the auditor must develop procedures that are specifically tailored to address these risks, which may include using analytical procedures. Significant risks are often the most challenging in terms of obtaining sufficient and appropriate audit evidence.
6 Fraud, Legal Compliance, and Regulations
In the process of conducting risk assessment procedures, the auditor must also take into account the risk of fraud or noncompliance with laws and regulations, as these factors could lead to inaccuracies in the financial statements.
Understanding Fraud
Fraud is a deliberate act carried out by one or more individuals within management, those overseeing governance, employees, or third parties. It involves the use of deceit to gain an unfair or unlawful advantage. Fraud can be perpetrated by an individual acting alone or in collusion with others, whether internal or external to the business.
Fraud risk factors refer to events or circumstances that suggest an incentive or opportunity for committing fraud.
Fraud, within the auditor’s purview, primarily pertains to fraud leading to a significant distortion in financial statements. It is distinct from error, which results from unintentional mistakes, such as misapplying an accounting policy.
Specifically, there are two types of fraud that can lead to significant distortions in financial statements:
i. Fraudulent Financial Reporting
ii. Misappropriation of Assets
Fraudulent Financial Reporting
Fraudulent financial reporting encompasses intentional misrepresentations or omissions, including the manipulation, falsification, or alteration of accounting records and supporting documents. It can involve misrepresenting events or transactions in financial statements, or intentionally misapplying accounting principles. This form of fraud may involve overriding controls that would otherwise appear to be functioning effectively, for instance, by recording fictitious journal entries or improperly adjusting assumptions and estimates used in financial reporting.
Misappropriation of Assets
Misappropriation of assets involves the unlawful taking of an organization’s assets and is often perpetrated by employees in relatively small and inconspicuous amounts. However, this type of fraud can also be committed by management, who tend to be more adept at concealing misappropriations in ways that are challenging to uncover. These acts may include embezzling receipts, stealing physical assets or intellectual property, causing the entity to pay for goods not received, or using assets for personal gain.
Fraud and the Auditor
ISA 240, titled “The auditor’s responsibilities relating to fraud in an audit of financial statements,” offers guidance to auditors in this domain.
Auditor’s Responsibilities vs. Management’s Responsibilities
It is vital to differentiate between the responsibilities of auditors and those of management in the context of fraud prevention and detection. Careful reading of questions is crucial, as you may be asked to compare the auditor’s responsibilities with those of management, or to identify the responsibilities of one of the parties. In the June 2012 exam, question 3(a) specifically sought auditors’ responsibilities regarding fraud and error prevention and detection, and the examining team noted that many candidates mistakenly included management’s responsibilities, despite there being no marks available for such information.
The primary obligation for preventing and detecting fraud lies with those overseeing governance and the management of an entity. This is achieved through fostering a culture of integrity and ethical behavior and through active oversight by those charged with governance.
The auditor’s role is to obtain reasonable assurance that the financial statements are free from material misstatements, whether caused by fraud or error. The risk of failing to detect a material misstatement resulting from fraud is higher than that for error because:
– Fraud can involve complex schemes designed to conceal it.
– Fraud may involve collusion among individuals.
– Fraud committed by management is harder to uncover as they can manipulate accounting records and override control procedures.
The auditor must maintain professional skepticism throughout the audit, considering the potential for management to override controls and acknowledging that audit procedures effective for detecting errors may not be as effective for uncovering fraud.
Topic 5: Risk Assessment
ISA 315 requires that team discussions place significant emphasis on areas where the financial statements may be susceptible to fraud.
Risk assessment procedures to gather information regarding the risks of material misstatement due to fraud must encompass the following:
– Inquiries to management about:
  – Their evaluation of the risk of financial statement misstatement due to fraud.
  – Their processes for recognizing and responding to fraud risk.
  – Their communication with those overseeing governance concerning their processes for identifying and responding to fraud risk.
  – Their communication with employees regarding business practices and ethical conduct.
  – Awareness of any actual, suspected, or alleged fraud.
– Inquiries to the internal audit function to acquire knowledge of any actual, suspected, or alleged fraud and their insights into fraud risk.
– Gaining an understanding of how those overseeing governance supervise management’s fraud risk processes and the internal controls established to mitigate these risks.
– Inquiries to those overseeing governance to learn about any actual, suspected, or alleged fraud.
– Evaluation of unusual relationships identified through analytical procedures that might indicate the risk of material misstatement due to fraud.
– Consideration of any other information that might indicate the risk of material misstatement due to fraud.
– Assessment of the presence of any fraud risk factors.
According to ISA 315, the auditor is obliged to identify and evaluate the risks of material misstatement due to fraud at the financial statement level and the assertion level for classes of transactions, account balances, and disclosures. These identified risks should be treated as significant risks.
In line with ISA 330, the auditor must determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. In this context, the auditor is required to:
– Assign and supervise staff, taking into account their competence.
– Assess whether the accounting policies may suggest fraudulent financial reporting.
– Introduce unpredictability in the selection of audit procedure type, timing, and extent.
Management fraud is typically more challenging to detect compared to employee fraud because management can override controls, manipulate accounting records, and conceal their actions. ISA 240 asserts that regardless of the auditor’s assessment of the risk of management overriding controls, they must design and implement audit procedures to:
– Verify the propriety of journal entries and other adjustments.
– Assess accounting estimates for bias.
– For significant transactions outside the ordinary course of business, appraise whether they were entered into for the purpose of fraudulent financial reporting or to conceal misappropriation of assets.
Written Confirmations
ISA 240 necessitates that the auditor procure written confirmations from both management and those overseeing governance. These confirmations should encompass the following:
– Acknowledgment of their responsibility for designing, implementing, and maintaining internal controls for fraud prevention and detection.
– Disclosure to the auditor of management’s evaluation of the risk of fraud in the financial statements.
– Notification to the auditor of their awareness of any fraud or suspected fraud involving management, employees with significant roles in internal control, and other parties whose fraudulent actions could significantly affect the financial statements.
– Report to the auditor of any allegations of fraud or suspected fraud communicated by employees, former employees, analysts, regulators, or others.
You can find more detailed information about written confirmations from management in Chapter 18 of this Study Text.
Communication with Management and Those Overseeing Governance
If the auditor identifies fraud or becomes aware of information suggesting fraud, they should promptly report this to the appropriate management level. When the auditor identifies or suspects fraud involving management, employees with key roles in internal control, or other parties whose fraudulent actions could materially impact the financial statements, they should promptly communicate this information to those overseeing governance.
The auditor must also consider whether there is an obligation to report to regulatory or enforcement authorities. In some jurisdictions, professional confidentiality obligations may be overridden by legal requirements and statutes.
Topic 6: Legal Compliance and Regulations
In the audit process, it is also essential to consider the aspect of legal compliance and regulations. Auditors are guided by ISA 250, titled “Consideration of Laws and Regulations in an Audit of Financial Statements.” The objectives of auditors in this context include:
- Acquiring sufficient and appropriate audit evidence related to compliance with laws and regulations that directly impact the determination of significant amounts and disclosures in the financial statements.
- Executing specified audit procedures to detect instances of non-compliance with other laws and regulations that could have a material impact on the financial statements.
- Appropriately responding to identified instances of non-compliance or suspected non-compliance during the audit.
Responsibilities of Management vs. Auditors
As previously emphasized, it is crucial to carefully consider the auditor’s and management’s respective roles when addressing legal compliance and regulations. Management is primarily responsible for ensuring that the entity complies with applicable laws and regulations. Detecting and preventing non-compliance with laws and regulations is not within the purview of the auditor.
The auditor’s responsibility is to obtain reasonable assurance that the financial statements are free from material misstatements, taking into account the legal and regulatory framework in which the entity operates. ISA 250 distinguishes between two categories of laws and regulations in relation to the auditor’s responsibilities:
- Laws and regulations that directly affect the determination of material amounts and disclosures in the financial statements.
- Laws and regulations that do not directly impact material amounts and disclosures in the financial statements but are vital for the entity’s operations, continued business viability, or avoidance of substantial penalties.
For the first category, the auditor is responsible for gathering sufficient appropriate audit evidence regarding compliance. For the second category, the auditor must conduct specific audit procedures to identify non-compliance with laws and regulations that could materially affect the financial statements. These procedures may include discussions with management and examination of correspondence with relevant licensing or regulatory authorities.
Audit Procedures
In line with ISA 315, the auditor is required to gain a comprehensive understanding of:
- The relevant legal and regulatory framework
- How the entity complies with this framework
To achieve this understanding, the auditor can build on their existing knowledge and inquire with management about laws and regulations affecting the entity, the entity’s policies and procedures for ensuring compliance, and its mechanisms for identifying, assessing, and accounting for legal claims and disputes.
Throughout the audit, the auditor must remain vigilant for potential instances of non-compliance or suspected non-compliance that might come to their attention through various audit procedures, including reviewing meeting minutes, consulting with management and legal advisors, and conducting substantive tests on transactions, account balances, or disclosures.
The auditor should also request written representations from management, confirming that all known instances of non-compliance or suspected non-compliance with laws and regulations, which may materially affect the financial statements, have been disclosed to the auditor.
Audit Procedures for Identifying or Suspecting Non-Compliance
Instances of non-compliance or suspected non-compliance may be indicated by various factors, such as investigations by regulatory authorities, the payment of fines or penalties, unusual cash transactions, or adverse media reports. When such issues are identified or suspected, the auditor should:
- Gain an understanding of the nature of the act and the circumstances.
- Collect additional information to assess the potential impact on the financial statements.
- Engage in discussions with both management and those charged with governance.
- Consider the need for legal advice if sufficient information is not provided, and the matter is material.
- Evaluate the effect on the auditor’s opinion if adequate information is not obtained.
- Assess the implications for the risk assessment and the reliability of written representations.
Reporting Identified or Suspected Non-Compliance
The auditor is responsible for communicating with those charged with governance. If there is a suspicion that those charged with governance may be involved in the non-compliance, the auditor should communicate with a higher level of authority, such as the audit committee or supervisory board. If no such higher authority exists, the auditor should consider the need for legal advice.
The auditor must evaluate the impact on their audit report if they conclude that the non-compliance materially affects the financial statements and has not been adequately reflected, or if management and those charged with governance prevent the auditor from obtaining sufficient appropriate audit evidence to assess the materiality of the non-compliance.
The auditor should also determine whether identified or suspected non-compliance needs to be reported to regulatory and enforcement authorities. While the auditor is bound by the principle of confidentiality, in certain jurisdictions, this duty may be overridden by legal or statutory requirements.
Topic 7: Documentation of Risk Assessment
Auditors must ensure that their work during the risk assessment stage, including discussions among the audit team regarding the susceptibility of financial statements to material misstatements, significant risks, and overall responses, is properly documented.
Further documentation requirements are covered in the subsequent chapter, particularly concerning the audit plan and audit strategy. ISAs 315 and 330 contain various general requirements regarding documentation. The following matters should be documented during the planning phase:
– Discussion among the audit team regarding the susceptibility of financial statements to material misstatements, along with significant decisions made during these discussions.
– Key elements of the understanding gained about the entity, including its components, internal controls, information sources, and risk assessment procedures performed.
– Identified and assessed risks of material misstatement at both the financial statement level and the assertion level.
– Risks identified and the corresponding controls assessed.
– Overall responses to address the risks of material misstatement at the financial statement level.
– The nature, extent, and timing of further audit procedures related to the assessed risks at the assertion level.
– Results of audit procedures.
– Conclusions regarding the appropriateness of relying on evidence about control effectiveness from previous audits.
– Evidence that the financial statements reconcile with the underlying accounting records.