Audit Risk and a Client’s

Business Risk

Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,
and South-Western are trademarks used herein under license. 1
THE NATURE OF RISK
In this chapter, we identify four critical components of risk
that affect the audit approach and audit outcome
 Enterprise risk - those that affect the operations and potential
outcomes organization activities
 Engagement risk - comes with association with a specific client
 Financial reporting risk - those that relate directly to the
recording transactions and the presentation of the financial
statements
 Audit risk - risk an auditor may provide an unqualified opinion
on financial statements that are materially misstated
Each of these components can be managed
The effectiveness of risk management processes will
determine whether the company continues to exist

2
ENTERPRISE RISK MANAGEMENT
(ERM)
COSO defines ERM as a
"process effected by an entity's board of directors,
management and other personnel, applied in
strategy setting and across the enterprise, designed
to identify potential events that may affect the
entity, and manage risks to within its risk appetite,
to provide reasonable assurance regarding the
achievement of entity objectives."

3
ENTERPRISE RISK MANAGEMENT
(ERM) (CONTINUED)
COSO elements:
 Risk management environment: management culture and
attitude towards risk
 Event identification: of events that may affect organization's
ability to implement strategies or achieve objectives
 Risk assessment: to determine response
 Risk Response
 Control activities: policies and procedures designed to reduce
risks and to assure management's directives and strategies are
implemented
 Information and communication
 Monitoring
An effective ERM process within an organization is
designed to provide assurance that risks are identified,
understood, and addressed
4
ORGANIZATIONAL RISK RESPONSES

Once risk has been identified and assessed, an

organization has four choices:
 - Control the risk
 - Share or transfer the risk
 - Diversify against or avoid the risk
 - Accept the risk
Depending on the circumstances, each of these
may be an acceptable approach to manage risk

5
RISK FACTORS AFFECTING THE AUDIT

Engagement Risk
 Risk auditors incur by being associated with a particular client
 Risk is high whenever there is increased likelihood that
 Auditor is associated with a failed client
 Financial statements contain material misstatement that the
auditor fails to find
 These conditions increase the likelihood that the auditor will be
sued
Client Acceptance or Retention Decision
 Perhaps the most important audit decision
 A number of factors affect this decision, but most important
involve
 Quality of the client's corporate governance
 Client's financial health

6
RISK FACTORS AFFECTING THE AUDIT:
CORPORATE GOVERNANCE & CLIENT
ACCEPTANCE
 The key factors an auditor will analyze
include
 Management integrity
 Independence and competence of the
audit committee and board
 Quality of ERM and controls
 Regulatory and reporting requirements
 Participation of key stakeholders
 Existence of related party transactions
7
RISK FACTORS AFFECTING THE AUDIT:
FINANCIAL HEALTH OF THE
ORGANIZATION
There are a number of reasons why the auditor
needs to evaluate a potential client's financial
health:
 The auditor will most likely be sued if a client
declares bankruptcy
 Investors and creditors who have lost money will look for
recovery
 Attorneys will claim the financial statements were misstated
and the auditors should have known they were misstated
 The auditor also needs to understand the financial
health in order to:
 Assess management's motivation to misstate the financial
statements
 Identify areas that are likely to be misstated
 Identify account balances that appear unusual 8
RISK FACTORS AFFECTING THE AUDIT:
OTHER FACTORS AFFECTING ENGAGEMENT
RISK
The auditor should evaluate the company's economic prospects
to help ensure that
 Important areas will be investigated
 The company will likely stay in business
High-risk companies are generally characterized by
 Inadequate capital
 Lack of long-run strategic and operational plans
 Low cost entry into the market
 Dependence on limited product offerings
 Dependence on technology subject to obsolescence
 Instability of future cash flows
 History of questionable accounting practices
 Previous inquiries by the SEC or other regulatory agencies
9
RISK FACTORS AFFECTING THE AUDIT:
FINANCIAL REPORTING RISK
Financial reporting risk is influenced by
 The company's financial health
 The quality of the company's internal controls
 The complexity of the company's transactions and
financial reporting
 Management's motivation to misstate the financial
statements
These factors are interrelated
The auditor will gather information on these issues
through reviews of previous audits, or by
talking with the predecessor auditor
10
ACCEPTING NEW CLIENTS:
AUDITING STANDARDS ON AUDITOR
CHANGES
SAS 84 requires a successor auditor to initiate discussions with
the predecessor to discuss the reasons for the change in
auditors
Because of the confidentiality rule, the successor must first
obtain client permission to talk with predecessor
The successor is particularly interested in factors that bear on
 Management integrity
 Disagreements with management on any substantive auditing or
accounting issues
 The predecessor's understanding of the reasons for the change
 Any communications between the predecessor and management
or audit committee regarding fraud, illegal acts or internal
control matte

11
ACCEPTING NEW CLIENTS: THE
ENGAGEMENT LETTER
The auditor and client should have a mutual understanding of
the audit process
The auditor should prepare an engagement letter to clarify the
responsibilities and expectations of each party, and to
summarize and document this understanding including the
 Nature of the services to be provided
 Timing of those services
 Expected fees and basis on which they will be billed (fixed fee,
hourly rates)
 Auditor responsibilities including the search for fraud
 Client responsibilities including preparing information for the
audit
 Need for any other services to be performed by the firm

12
BUSINESS RISK AND THE
AUDIT PROCESS
Risk-based approach to auditing:
 Develop understanding of management's risk
management process
 Develop understanding of the business and the risks it
faces
 Use the identified risks to develop expectations about
account balances and financial results
 Assess the quality of control systems to manage risks
 Determine residual risks, and update expectations about
account balances
 Manage remaining risk of account balance
misstatement by determining the direct tests of account
balances (detection risk) that are necessary
13
UNDERSTANDING MANAGEMENT'S RISK
MANAGEMENT PROCESS
To understand the client's risk management process,
auditors will normally use the following techniques:
 Understand the processes used to evaluate risks
 Review the risk-based approach used by internal auditing
 Interview management about their risk approach
 Review regulatory agency reports that address company's policies
towards risk
 Review company polices and procedures for addressing risk
 Review company compensation policies to see if they are consistent
with company's risk policies

14
UNDERSTANDING MANAGEMENT'S RISK
MANAGEMENT PROCESS (CONTINUED)
 Review prior years' work to determine if current
actions are consistent with risk approach
discussed with management
 Review risk management documents
If the company has strong risk management
processes, the auditor may focus on testing
controls and developing corroborative evidence on
account balances
On the other hand, if the company does not have a
comprehensive risk process, the auditor will assess
engagement risk as high, set audit risk at a lower
level, and increase direct testing
15
DEVELOPING AN UNDERSTANDING OF
BUSINESS AND RISK
There are a number of information sources (including
electronic sources) that auditors use to develop an
understanding:
 Intelligent agents
 Knowledge management systems
 Online searches
 Review SEC filings
 Company web sites
 Economic statistics
 Professional practice bulletins
 Stock analysts' reports
16
UNDERSTANDING KEY BUSINESS
PROCESSES
Each organization has a few key processes
that give them a competitive advantage (or
disadvantage)
The auditor should gather sufficient
information to understand
 The key processes
 The industry factors affecting key processes
 How management monitors key processes
 The potential operational and financial effects
associated with key processes
17