What are the engagement risks in the audit?


During the audit process, auditors have to be wary of the inherent risks involved. Risk identification is an important part of the audit engagement process because it can change the opinion that auditors disclose on the financial statements being audited.

Engagement risk is therefore one of the most important risks to consider when designing audit processes and procedures for the engagement parties.


Engagement risk is defined as the overall risk associated with an audit engagement. It is mainly associated with conducting the audit itself, more so than anything else.

From the perspective of the auditor, it is highly important to consider this type of risk, because of the detrimental impact this kind of risk can have on the audit team, and the company, as a whole.

Engagement risks tend to increase when the client is in a relatively weaker position and is in need of obtaining funding from external sources in order to survive. Alternatively, this phenomenon can also be defined as a position where the company cannot be safely declared as a going concern.

Hence the risk that the company faces in this regard is quite substantial and needs to be accounted for.

The concern is that, since the company is likely to default or go bankrupt in the near future, the auditor might face litigation for not having declared that the company is not a going concern.

Additionally, these factors exist within the audit process because of the business uncertainty that is present in any business. Hence, these engagement risks are inherent and need to be identified and dealt with before the engagement process begins.

Examples of Engagement Risks

Engagement risks are the risks that the auditor is exposed to as a result of taking on the audit of a certain client. Some examples are mentioned below:

  • A high-risk client: When the company is exposed to a level of risk that calls its going concern status into question, it is important for the auditor to identify that, so that they do not face litigation in the future when the company defaults or becomes bankrupt.
  • Existing repute: The existing reputation of the company is also an important factor in assessing the underlying engagement risk. Companies that have been involved in unfair and unethical practices in the past mostly have a shaky reputation in the industry. Hence, this results in a higher degree of engagement risk for the auditor.
  • Red flags: In certain cases, there is ambiguity about the overall financial position of the company. These red flags can be identified using the Annual Reports and the Financial Statements. Before taking on a client, it is also a good idea to look at these red flags, in order to minimize these engagement risks to an acceptable level.

Engagement Risks and Audit Process

Where the auditor is risk averse, they would be increasingly reluctant to work with clients that have a higher engagement risk.

On the contrary, a relatively new auditor or audit firm might agree to take on a client with higher engagement risk, because the risk would be offset by the payoffs they receive as a result.

However, audit procedures need to be expanded in order to offset the inherent engagement risk that is involved with a particular client.


Therefore, it can be concluded that engagement risks are among the most important risks for any audit process. This is mainly because of their potential to negatively impact, and subsequently jeopardize, the name and repute of the auditor.

Although these risks are inherent in most business cases, they can be mitigated if the client is properly scrutinized before signing the audit engagement contract.

Risk Assessment Procedures in Audit

This International Standard on Auditing (ISA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement within the financial statements, through understanding the entity and its environment, including the entity’s internal control.

The following risk assessment procedures should be followed in an audit:

Understanding the entity and its environment:

The auditor shall obtain an understanding of the following factors:

  1. Relevant industry and different external factors such as the applicable financial reporting framework.
  2. The nature of the entity, including its operations, its ownership and governance structures, the types of investments that the entity is making and plans to make (which include investments in special-purpose entities), and the way the entity is structured and how it is financed, to enable the auditor to understand the classes of transactions, account balances, and disclosures in the financial statements.
  3. The entity’s selection and understanding of accounting policies. The auditor should evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework.
  4. The entity’s goals and strategies, and the related business risks that may result in risks of material misstatement.
  5. The size and assessment of the entity’s financial performance.

Obtaining an understanding of Internal Control:

  • The auditor must acquire a sufficient understanding of each component of internal control over financial reporting to identify the types of potential misstatements.
  • The nature, timing, and extent of procedures that might be important to gain an understanding of internal control depend upon the size and complexity of the company and the nature of the company’s documentation of its internal control over financial reporting.
  • Obtaining an understanding of internal control consists of evaluating the design of controls that are relevant to the audit and determining whether the controls were implemented.
  • Internal control over financial reporting can be described as consisting of the following components: the control environment, the organization’s assessment process, information and communication, control activities, and monitoring of controls.

Components of Internal Control:

Control environment:

The auditor should obtain an understanding of the client’s control environment. Along with obtaining this information, the auditor shall evaluate whether management has created and maintained a culture of honesty and ethical conduct, whether the strengths in the control environment elements collectively provide an appropriate basis for the other components of internal control, and whether those other components are undermined by deficiencies in the control environment.

Monitoring of Controls:

The auditor should obtain an understanding of the significant activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the organization initiates corrective actions related to its controls.

Performing Walkthroughs:

The auditor may carry out walkthroughs as part of obtaining information on internal control over financial reporting. In order to perform a walkthrough, the auditor follows a transaction from origination through the company’s processes.

Walkthrough procedures include a combination of inquiry, observation, an inspection of relevant documentation, and re-performance of controls.

Performing Analytical Procedures:

The auditor should perform analytical procedures that are designed to enhance the auditor’s understanding of the client’s business and the significant transactions and events that have occurred since the prior year-end, and to identify areas that could represent specific risks relevant to the audit.

Identifying and Assessing Risks of Material Misstatement:

Risks of material misstatement at the financial statements level and assertion level should be determined by the auditor.

In identifying and assessing risks of material misstatement, the auditor should identify risks of misstatement using information obtained from performing risk assessment procedures and decide whether any of the identified risks of material misstatement are significant risks.

Factors Relevant to Identifying Fraud Risks:

The auditor must evaluate whether the information obtained from the risk assessment procedures indicates that one or more fraud risk factors are present and should be considered in identifying and assessing fraud risks.

Further Consideration of Controls:

When the auditor has decided that a significant risk, including a fraud risk, exists, the auditor should evaluate the design of the company’s controls that are meant to address fraud risks and other significant risks and decide whether those controls were properly implemented.

Revision of Risk Assessment:

When the auditor obtains audit evidence during the course of the audit that may challenge the audit evidence on which the auditor originally based his or her risk assessment, the auditor must revise the risk evaluation and modify audit approaches in response to the revised risk assessments.




What is Risk Assessment?

The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risk of material misstatement at the financial statement and assertion levels, whether due to fraud or error.

ISA 315 gives an outline of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risk, and these risks must be considered in the audit plan.

Performing Risk Assessment in the Audit

Risks of material misstatement arise from various sources: external factors, which include conditions in the company’s business and environment, and company-specific factors, which include the nature of the company, its activities, and its internal control over financial reporting.

Thus, the audit procedures that are necessary to identify and correctly assess the risks of material misstatement include consideration of both external factors and company-specific factors. ISA 315 goes on to identify the following risk assessment procedures:

  • Auditors need to have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals. The auditor shall consider whether information obtained from the auditor’s client acceptance or continuance process is relevant to identifying risks of material misstatement. Inquiries should be made of management, appropriate individuals within the internal audit function, and others within the entity who, in the auditor’s professional judgment, may have information that is likely to help in identifying risks of material misstatement due to fraud or error.
  • If the engagement partner has performed other engagements for the entity, the engagement partner shall consider whether the information obtained is relevant to identifying risks of material misstatement.
  • Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall determine whether changes have occurred since the previous audit that may affect its relevance to the current audit.
  • The engagement partner and other key engagement team members shall discuss the susceptibility of the entity’s financial statements to material misstatement, and the application of the relevant financial reporting framework to the entity’s facts and circumstances. The engagement partner shall decide which matters are to be communicated to engagement team members not involved in the discussion.
  • Analytical procedures performed as risk assessment procedures should help the auditor identify unusual transactions. They may identify aspects of the entity that the auditor was unaware of and may help in assessing the risks of material misstatement, to provide a basis for planning and implementing responses to the assessed risks. The auditor should perform analytical procedures that are designed to enhance the auditor’s understanding of the client’s business and the important transactions and events that have occurred since the previous year-end, and to determine areas that may represent risks relevant to the audit. In applying analytical procedures as risk assessment procedures, the auditor should perform them with the aim of identifying unusual transactions, which may indicate a material misstatement. When the auditor has reviewed the interim financial report, the analytical procedures applied in that review should be considered in planning and implementing risk assessment procedures.
  • Observation and inspection may provide information about the entity and its environment. Examples of such audit procedures cover a wide area, such as observation or inspection of the entity’s operations, documents, and reports prepared by management.

The auditor should obtain an understanding of the information system, as well as the related business processes, relevant to financial reporting, including:

  • The classes of transactions in the company’s operations that are important to the financial statements;
  • The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, recorded, and reported;
  • The related accounting records, supporting information, and accounts in the financial statements that are used to initiate, authorize, process, and record transactions;
  • How the information system captures events and conditions, other than transactions, that are important to the financial statements; and the period-end financial reporting process.
  • The auditor should additionally acquire an understanding of how information technology affects the company’s flow of transactions.

ISA 315 requires that the risk assessment procedures comprise a combination of the above procedures. The standard also requires that the engagement partner and other key engagement team members discuss the susceptibility of the entity’s financial statements to material misstatement.

Identifying Audit Risk

The goal of the auditor is to identify and accurately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to those risks.

It is important to refer to the traditional audit risk model, which remains important to the audit process. The audit risk model identifies the following three types of audit risk components:

Inherent Risk

Inherent risk is the susceptibility of an assertion about a category of transaction, account balance, or disclosure to a misstatement that would be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Inherent risk is considered to be higher where a high degree of judgment and estimation is involved or where transactions of the entity are highly complex.

Control Risk

Control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure, and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

When the audited entity does not have adequate internal controls to prevent and detect instances of fraud and error in the financial statements, control risk is considered to be high.

Detection Risk

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to a low level will not detect a misstatement that exists and that may be material, either individually or in aggregate. Auditors can reduce detection risk by increasing the number of transactions sampled for detail testing.

The following terms have the meanings attributed below for the purpose of ISAs:

Assertions – Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur.

Business risk – A risk resulting from significant conditions, events, circumstances, or actions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies.

Internal control – The process designed, implemented, and maintained by those charged with governance, management, and other employees to provide reasonable assurance about the achievement of an entity’s goals with regard to the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with relevant laws and regulations.

Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement at the financial statement and assertion levels, whether due to fraud or error.

Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration.

Here are some tips to follow while identifying audit risk:

– To plan the audit, you need to identify your client’s specific risks. To identify the risks, you’ll want to gain an understanding of the entity, and that means asking a lot of questions. If you want clarification of something, don’t be shy: ask questions.

– In gaining an understanding of the entity, it’s necessary that you understand their business. It’s also necessary that you get a better understanding of your client’s important accounts and transaction cycles.

The intention here is simple: the more you know about your client, the better you’ll be able to identify their risks.

– All entities have controls. If you have a client in which the owner reviews financial results, communicates the importance of quality or sets a strong “tone at the top” by demonstrating integrity, your client has controls.

When seeking to identify your client’s controls, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) components and principles can help you detect possible gaps.

– On each audit, you are required to evaluate the design of controls relevant to the audit and determine whether those controls were implemented. This isn’t the same thing as testing the operating effectiveness of controls.

To provide a basis for designing and performing further audit procedures, the auditor must identify the risk of material misstatement by following these steps:

  • Identify risk throughout the process of understanding the entity and its environment.
  • Assess the identified risk and evaluate its impact on the financial statements.
  • Relate the identified risk at the assertion level considering the controls to be tested.
  • Consider the possibility of misstatements and their effect on the financial statements.




Importance of risk assessment in auditing

Identifying and assessing audit risk is a necessary part of the audit process. ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment, offers in-depth guidance to auditors regarding audit risk assessment. Risk assessment is the most important activity for the overall success of an audit.

The risk assessment process is performed at the planning stage of the audit, then constantly challenged and re-evaluated as procedures are performed and more evidence is obtained. This is what drives a high-quality audit. Risk assessment, when conducted properly, allows the audit to be done better.

It offers auditors insights into what the most effective use of time will be. From the results, it can be determined in a general sense what needs to be done, helping the audit to be more efficient and effective. Risk assessments bring many other wide-ranging advantages to the audit process as well.

Audit Risk

Audit risk consists of inherent risk, control risk, and detection risk. Audit risk is the chance that financial statements are materially misstated, although the audit opinion states that the financial statements are free from any material misstatements.

The aim of an audit is to reduce the audit risk to a suitably low level through adequate testing and sufficient evidence. Audit firms carry insurance to manage audit risk and thus the potential legal liability.

Audit Risk and its importance

Assessment of audit risk is vital for the audit process because auditors cannot and do not attempt to check all transactions. It would not be possible for the auditor to check all these transactions, and no one would be willing to pay for the auditors to do so.

Traditionally, auditors have used a risk-based approach in order to minimize the chance of giving an inappropriate audit opinion. Audits conducted in accordance with ISAs should follow the risk-based approach, which has to ensure that the audit work is carried out efficiently, using the most effective tests based on the audit risk assessment.

Auditors ought to direct audit work to the key risks where it is more likely that mistakes in transactions and balances may result in a material misstatement in the financial statements.

ISA 315 sets out the auditor’s responsibility to identify the risks of material misstatement in the financial statements through an understanding of the entity and its environment, including the entity’s internal controls and risk assessment process.

In the past, deficiencies in identifying and assessing risks were typically only a contributing factor in other audit deficiencies. The idea that a poorly performed risk assessment could result in an audit failure should send shockwaves through firms of all sizes. It’s important to highlight one of the key risk assessment activities: performing walkthroughs.

In performing a walkthrough, the auditor follows a transaction from origination through the company’s processes, including information systems, until it is reflected in the company’s financial records. PCAOB standards tend to focus on the role of the walkthrough in evaluating the design and implementation of key controls.

What’s frequently lost on auditors is that one of the key objectives of understanding every aspect of control over financial records is to understand the types of possible misstatements that may occur. This is a very important understanding for an auditor to have in order to be able to identify the key controls to test.

Most critical to your audit plan, performing a risk assessment allows you to identify the risks that should be the highest priority. Often, the risk assessment can become lengthy, which may hold you back from conducting the audit. Taking the time to do it properly saves you a lot of time and energy throughout the audit.

Firms should be focused on how they can improve the quality and extent of their risk assessments. One way they can improve is to build well-targeted team discussions into their risk assessment process.

Involving senior engagement team leadership in the risk assessment process, including in the performance of walkthroughs, can result in a more rigorous assessment of the types of potential misstatements that may occur.

A more rigorous risk assessment, along with properly designed and executed audit procedures to address the assessed risks, can lead to improved audit quality.




Inherent Audit Risks


Inherent audit risks are the risks that material misstatements could occur in financial statements for reasons other than the failure of internal control over financial reporting or detection risk. Many factors increase inherent risk in the audit of financial statements.

These include the complexity of the elements reported in the financial statements, where those elements involve many justifications and adjustments by the management of the company.

A high degree of involvement from management could increase the inherent risks and subsequently lead to material misstatements, due to a lack of experience in dealing with the complex element being evaluated or due to management’s intention.

There are many other factors that auditors need to pay serious attention to when assessing or dealing with inherent risks. In other words, auditors should consider reviewing or modifying the current audit procedures to ensure that the detection risk is as low as possible, so that the inherent risk and audit risk are subsequently decreased to an acceptable level.

The following are detailed explanations and examples:


As we mentioned above, inherent risks are the risks that the financial statements could contain material misstatements in an account or group of accounts that are pervasive to the financial statements.

Inherent risks are caused by external factors rather than internal factors. Examples include:

  • Judgment: If the elements of financial statements involve a high degree of judgment or justification from management, the likelihood of incorrect judgments increases. This is because of inexperience or intention on the part of the management involved.
  • Estimates: Large or significant accounting estimates in the financial statements may increase the inherent risks. The auditor needs to make sure that the accounting estimates comply with the accounting principles and accounting standards.
  • The complexity of the business might affect certain items in the financial statements. For example, complex contracts with many different kinds of terms and conditions as well as variability.
  • A rapid change in the business could make certain financial assets or financial liabilities obsolete. These changes increase the inherent risks, and critical assessment is required.

Inherent Risk Assessment:

Normally, the auditor performs a risk assessment on the financial statements that they are auditing. This usually happens at the planning stage of the financial statement audit. Audit risks need to be identified, assessed, and managed.

Three major audit risks are normally assessed and calculated. Inherent risk is one of the three, along with control risk and detection risk.

As mentioned above, most of the factors that affect the inherent risks are external factors rather than internal factors.

Therefore, when assessing the inherent risks that could materially affect the entity’s financial statements, auditors should assess how those factors could affect the entity’s financial statements.

The assessment should also depend on the industry experience and expertise that the auditors have.

If the entity being audited is in a complex or fast-changing environment, then auditors with expertise in those industries should be part of the team. This could decrease the audit risk by decreasing detection risk.

It is important to understand that assessing inherent risks is a subjective process. This is because each entity may have completely different external factors.

However, the best approach to perform this assessment is to take a look at the external environments that could potentially affect the quality of financial statements.