CHAPTER 14 RISK-BASED AUDITING

INTRODUCTION

The definition of business risk contained in ISA 315 'Identifying and assessing the risks of material misstatement through understanding the entity and its environment' is:

'A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies or from the setting of inappropriate objectives and strategies.'

It can be split between both external and internal factors which affect the organization both by virtue of the environment in which it operates and through its own internal structures, policies and processes.

The auditor is not simply required to certify that a set of accounts are 'true and fair'; the auditor is required to express an opinion. Clearly this implies that auditors will not achieve that level of certainty that the financial statements are totally free from error or misstatement. If they could do so they could give a certificate to that effect; rather they are expected to state that in their opinion the financial statements are

Clearly therefore there is always some element of doubt caused by the fact that, under normal circumstances, the auditor cannot achieve a level of absolute assurance. Rather they will attempt to obtain 'reasonable' assurance and this means that there is always a risk that something has been missed, that they have been misled or that the work that they have done has been somehow inadequate. Performing a failed audit often leads to legal action against the auditor.

Auditors strive to perform audits in an efficient and economical manner and constantly strive to reduce the level of audit work that they carry out as audit fees are time based and carrying out audit testing involves time commitment. Consequently, auditors walk the tightrope between reducing the amount of work they do and still getting the level of assurance they need. This involves risk.
Auditors seek to evaluate the risks of them not being able to achieve the right level. In Chapter 10 we looked at the topic of audit risk - the risk that the auditor will give an incorrect audit opinion - and we looked at the relationship between:

• inherent and control risk, which together can be classed as business risk; and
• emu ask

and we saw that the more audit work that is performed, the more checking work is done, the lower the level of audit risk.

Tied into this is the question of materiality, which we also looked at in Chapter 10 - the auditor is only looking to ensure that any errors or mistakes are not material - i.e. they would not affect the economic decisions of a user of the accounts.

In previous chapters we established that the stronger the control environment within the client entity the less substantive testing work the auditors have to do and the more they could rely on the internal controls and the checks and balances within the entity's own systems. Where the control environment is strong, auditors may be more likely to be of the view that material errors or mistakes will not come from the processing of routine transactions. Instead they may prefer to look at the risks the business faces, the problems it may have in running its business and the factors which influence the course of its activities - in other words the business risks it faces every day.

The business risk approach to auditing involves:

• looking at the business in its entirety
• evaluating the various risks the business faces
• considering the impact, if any, that those risks might have on the financial statements.

The concept behind this approach is that, as all businesses face risks in their normal course of activity, an understanding of these risks requires the auditor to have a thorough understanding of the client's business, which will tend to suggest where misstatements are most likely to occur in the financial statements.
veopuaiming an understanding fhe Ey andi | Relevant avin standards ere are ISA 315 IAM TAS pe Auditor’ Procedures np ment and Assessing the Risks of a Material Misstaterme pn to Asse bs sd brig not the same app Students must clearly understand that this approach is 10" Woes a risk assessment process) tt || auditing we covered in Ch, fe eT auditing also involves 2 kas Process hung we covered in Chapter 13 System eo ang areas where ai aCmtog part ofthe proces of evaluating the lent’ sytem and OF EMT Te snes risk approached focused ~ in other words that risk assesment is protective 12% ner chen Sage sal about eK and noc ahog yh as the systems-base in this chapter has some similarities, nso! might cover a lot of the same ground, but the business risk 's0 it is a lot more intense. idit risk (Chapter 10) ‘Ausitors, a pare ofthis rik assessment processes when evalla M8 rer 10), should ey uate the ory ea as Hh k oy suis based on their knowledge of it and its trading enviton oe i ore isk ase p ase, Sound risk assessment PFOCESES BY Mangpin® quent, auditors should Be very much ayy ome to their own conclusions as £0 its effet are an integral part of the control environment and, conse the effectiveness of these management processes i Fa he ae aretreenyasessments of ak as an intePal PAT Of theie audit planning

EXTERNAL RISKS

It is an obvious statement but needs to be made at the outset. There is no such thing as a foolproof risk assessment process and, however well thought out and operated, organizations will continue to be surprised by the unexpected or by events which, with hindsight, might have been anticipated. However the omni ae ee eremtsjuce the likelihood of unexpected events and to minimize the damage caused if one materializes.

There are several types of risk arising from outside the organization.

Political risk

These are risks arising from chi also risks arising from changes in the political climate.
This may be particularly relevant to companies operating globally where, in some countries, the political situation may suffer sudden and often violent change. This may bring with it for example the har Pe nationalization of assets or actions against foreign ownership. In more stable countries a change in the political climate may have an effect on economic policy which, in turn, could affect such things as ince! regulation, inflation and interest rates.

Economic risk

This is the risk caused by changes in the economic situation of the country which might result in chases higher or lower unemployment, interest rate movements etc. It may a0 ae rm 23 nsider the risk ‘he effect on UK man Ind and China, ompettion from low-cost

Legislative risk

Changes in legislation may result in restrictions 4 tent legislation has increased 'clean up' costs and b od costs of compliance. Eavirom om bodies nd businesses increasingly have to provide information to (clean up co connection with oil spi

Compliance risk

This is the risk arising from non-compliance with laws and regulations. Most organizations are capable of {eng compliance with tax or VAT rules but many still have, judging by the number of cases still coming before the courts and Ghadequace procedures for complying with employment law or health and Frere the law and finance interact, in particular with reference ro fling and tax or VAT fraud, awarded against fancia

Physical risk

ral hazards such as floods, fires, tornag, des consideration 0 mata gations because Of 138 of ower tS ory, Evaluation of physical risk inclu eas aula effects of global warming, Ie nclodes ee inert oiten by dixgrantled employee, key cg ee ee erate in some of the more volatile parsaf ret "sees nes daa tron, practi where companies

EXAMPLE 5
The damage caused to businesses as a result of arson by disaffected employees.

Technological risk

Many businesses, and not only those involved in so-called 'hi-tech' operations, face risks from new and developing technologies. Businesses which fail to spot the potential or the risks to their existing operations presented by new and emerging technologies may well find themselves overtaken by competition or find their markets so radically changed they are no longer able to compete in them.

Developments in computing are an obvious area for most businesses but more scientific advances such as developments in biotechnologies may well lead to changes which will have a major impact on current businesses.

EXAMPLE 6
Electronic books such as the Kindle and the E-reader affecting the business models for conventional booksellers.

Market risk

Financial risk

This is probably the biggest single area affecting businesses Cred tsk te risks arising from nonpayment of, TEN of debts c putes. 18 ether to Insole é ther 'o insolvency of customers, fraud or unresolved | Fre 000 Pk cass ae oy soos hold foreign currencies overseas autssanes see Ie tarsaton fk on the conversion of rate risks - risks to business fin intrest 8s financing and is very wide ranging. It includes: caused by unexpected movements in interest rates. ns from unpaid debts - insolvency causes many defaults in o invle some element of fraud. Problems caused by se of near collapse of several banks in itn some element of failure of internal systems, caused . banks in the UK, USA and leland with predictable knock-on effects

EXAMPLE 8
A), Royal Bank of Scotland (UK), Setanta (Ireland), Landsbanki

Note that organizations often face a combination of risks so auditors should avoid the temptation of adopting a 'tick list' approach and consider the possibility of what might be perceived to be a number of low-level risks combining to produce a very serious problem.

An understanding of the risks facing a client adds to an auditor's understanding of the client. The auditors also need to extrapolate their risk analysis into a consideration of how some of these may affect the financial statements.
Some may affect the value of assets and some may affect the going concern concept for all or part of the enterprise.

INTERNAL RISKS

These are risks arising from inside the company and include the following.

Strategic risk

This involves management making a set of bad strategic decisions which define the company's objectives wrongly and result in trading losses and, in the worst cases, insolvency.

Strategic risk includes:

• emphasis on outdated or outmoded products
• attempting to break in to unfamiliar markets without adequate expertise
• te or expensive acquisitions
• processes
• on key objectives by senior management
• ance indicators
• procedures
• management information systems

Operational risk

These are risks caused by underlying flaws in the way the business is carried on, its processes and pee erect poor processes afc. These are not confined to manufacturing industry: the f service has adversely affected many service-based organizations.

Operational risk includes:

• failure to modernize products and processes
• a aera errcn rio badness erese ver the cruacaeon ea oO
• poor quality products or customer service
• increased competition from low cost suppliers
• increased use of electronic media to trade
• poor labour relations
• weak marketing
• loss of key employees
• breakdown of relationships with key suppliers or customers
• reliance on a few products, customers, suppliers
• lack of research and development of new products

Governance risk

Risks to the organization can be created by poor or inadequate Corporate Governance (see Chapter 2). This includes problems arising from inappropriate board structures, poor communications within th base, and no support for a strong internal control environment.

Governance risk includes:

• excessive reliance on a dominant chief executive
• weak or non-existent non-executive directors
• weak or incompetent executives
• lack of board review and performance evaluation
• ineffective decision making processes
• poor monitoring of operational decisions
• poor internal control environment
• failure to communicate goals and objectives
• inefficient feedback mechanisms and poor corporate communications
• lack of, or ineffective, internal audit function

Financial risks

These include risks arising both from the structure and financing of the business and the operation of financial systems. Auditors have to consider not only the detail of the financial processes within the business but the appropriateness of its structure and the ability to finance its operations so as to achieve its objectives for the foreseeable future.

Financial risks include:

• inadequate finance for future operations or development of new products and markets
• levels of gearing at a time of rising interest rates
• 3g resulting in cash flow difficulties
• involved in the business with no obvious commercial motive o inappropriate terms
• O13" and loss of records
• internal control weaknesses oad

Any of these risks can damage a company and may impact on the financial statements. The auditor thus has to consider two things before embarking on audit planning. These are: how well do I know my client and all aspects of its operations, and will my audit procedures identify all the potential risks my client faces? The auditor must decide whether they can, from what they have discovered about their client, anticipate the key risks which may result in serious error or misstatement in the financial statements.

THE CLIENT'S APPROACH TO RISK

Many smaller companies do not have a formal risk assessment process and their goals and objectives may not be incorporated into detailed plans.
Such companies though are often very flexible, know their markets and can respond quickly to threats and changes.

Larger organizations often have a hierarchy of plans involving:

• Strategic planning - longer-term planning (often incorporating a Mission Statement or Statement of Goals). This may include Key Performance Indicators (KPIs) which indicate progress towards stated objectives.
• Detail t 1 - shorter-term operational planning in order to achieve milestones or goals as part of the achievement of the wider strategic plan.
• Budgets and forecasts - in detail for shorter-term tactical plans and sometimes on a wider scale to consider financing implications as part of strategy planning.

Auditors need to be familiar with the plans and the processes which are used to derive the plans. In other words, they need to be assured that both strategic and operational planning, and the financial information derived from it, is based on an ordered and systematic consideration of the business' future carried out by experienced and competent senior management.

Where the management use KPIs to evaluate achievement the auditor must reassure themselves that the KPIs are valid indicators and that they have been properly evaluated and calculated.

As part of the development of these plans the organization should carry out risk assessments from which the auditors can begin to derive their audit planning.

Risk assessment

This has two components:

• Risk identification
• Risk evaluation

Risk identification requires the organization to carry out a systematic review of itself, its place in its industry and its industry's place in the wider economic context.

This encompasses consideration of all the forms of risk highlighted above. It is not appropriate for the company simply to identify all its internal risks; it must look at the factors affecting its own industry and the wider economic and social factors which might have an impact on its industry.
Often organizations are surprised by events which do them harm. Frequently a post-disaster review reveals this will not help predict a sudden catastrophic event such as a fire or explosion (although good safety practice may minimize damage) but it may help anticipate commercial difficulties if the organization is able to read the signs of impending doom.

1 banking in the UK. a ba en fr 9 Nunc yes Bag 1 8 of ranches 10 88 the pbk ~_ rants 8 ising societies were etl Om ee ome buying marke tively smal and were ners ant meant that ‘cornpetition for banking Some ofthese were ed i ty ther mam ation DY STG ae 0 te, Dela Hye tar on ches were shit. Bulkeg sere ee Le a PES oa ot loses, to loss of thousand of fan Sed epic Ce ustormang gant seeking 10 one he era wages ttnneeentomeg autem ‘spes compo gaat ona barks and bung SoC regorcn Cad ae i bankin rastacame compete ciferent 1 what ass jon of retail banking has PIT nave individual banking companies or gre created new opportunites, ne Teoma ego Chae j Saige acre rues Nee rar eee pean Oa Tye fering cect carers sel sea by sarin tod ore sof may Rodern practice has core from traitor orthe nereasing eves of competion i IS area and hi ‘banking.

Risk evaluation

Once risks are identified they should be evaluated. There are many ways of doing this but the least complicated is a simple matrix. ed i ample based on a company selling specialist skateboarding clothing over the Internet.

High likelihood Low likelihood High impact * Distibution cffcuties_* Loss of computer systems with parcel delivery duo to software failure based on present supplier + Smal parcels and low + Loss of consumer trust due créer qarties re to breakdown inascuty of oe : 0 .
Campion for new + Loss of popuaty of ate griesiabiomertat, boating ~ ching may ot Position at this time ‘and are well known to customers

As can be seen, risks can be categorized into:

• high impact/high likelihood
• high impact/low likelihood
• eimpacow Ik

Organizations can use some form of analysis to attribute probabilities of i tate the impact in financial terms. They can Been socal ? They can thus calculate the possible risk impact to their organization:

Financial cost of risk occurring × Probability it will occur = Possible impact of risk

Clearly a lot of this is subjective, particularly the estimate of the likelihood, or probability, of the risk qslling which is why it requires involvement of senior, experienced management and staff.

ACTIONS TO MITIGATE RISK

Once risks are identified and evaluated the organization is faced with a range of actions. This approach is known as the TARA (Transfer, Accept, Reduce, Avoid) approach to risk management but there are others, rosy dealing with risk in the same way.

subcontracting or outsourcing

• Accept the risk - do nothing and hope for the best - ts. The level of risk which the organization will be prepared ss materialize is known as residual risk or sometimes
• Reduce the risk - reduce the risk by, for example: raising staff awareness of risk establishing physical measure rch as improved security ms instead of having one complex one

work well - this is simply overauditing to little effective purpose. Far better to spend that time evaluating the entity's response to assessed business risks which may, if not identi re probes eS ates 0 ee! busines may; if not identified and acted on, cause far more pt sight be expected, both adva thar major audi problems tages and disadvantages to adopting a business risk app are rarely caused by accounts processing errors. Maio ™ _d r , i ans es. companies failing shoray ple ; afer receiv oblems Urcern, major fraud by toy ing an unqual pe oing ©?
ee P Management, lene en alificd audit report) arise out of issues such 15 Fite lack of response to market forces, ere MTBEPCAle systems reahdenen allen tenet recat change in business and fees ‘The Pes of failure than ever bet ™Puting and communica wraonal eco iness, and more unforgiving than 1 control are all now more significant f and the nature of manage- tec ems wish to be inthe forefront of innoy nae mee i ‘Me business risk evaluation may sh stan in Order to attract clients bagvolve partners and senior managers wat tt Othe highs areas. Tis akcbased appeoach z ‘h more in the cial benefits to the client in improv commercia ‘ing TOCESSES OF re saga aysterbased ait approachisimpracar erp mel kas As we ave et ian vironment nog ane mcm oy a fenfitsand a bet ie simply confirming that internal checks and controls are working.

There are, however, some important disadvantages which also have to by ceplccd. The risk-based approach increases the level of risk to the audit firm. This agus he fem e eal control procedures and to document all its processes th scaharbiapshend ithe q Pantie dry esses thoroughly. In order to make it work effectively FE process requires highly qualified and competent tall beak rere Setanta eth dl

Throughout the audit process firms must be careful to maintain their objectivity and independence. The seaming om of mutual trust. Auditors may come to discover facts which the management may not wish to disclose and auditors may have to take hard decisions which may cause a rift in that relationship. However, the destruction of Arthur Andersen following the collapse of Enron is a salutary lesson in what happens to audit firms who get too close to their client.

UNDERSTANDING THE BUSINESS RISK APPROACH

Students need to obtain a clear understanding of the business risk approach and of the difference between business risk and audit risk. There is still a lack of clarity in the articulation between business risk and audit risk, however the ideas of inherent risk and control risk have tended to merge into the larger idea of business risk. To simplify the position:

• Audit risk (see Chapter 10) is the risk the audit firm has to consider.
• Business risks are the risks facing the client.

The interaction between the two is that audit risk includes assessment of inherent and control risk, which include some of the components of business risk.

Looking at the business risk approach it is important to realize that the direction of the audit is from the evaluation of external and internal risks towards the financial statements. Earlier approaches to auditing tended to start with the financial statements and work backwards into the organization.

The approach is very much a strategic one - much less of the 'can wages be paid to non-employees?' and much more of 'the client has closed its Bristol factory and now manufactures in China so what are the consequences for the ynd its financial statements?'

MT “a ee ‘easier or are simplified. In practice because of the better understanding eview more frequently asa verification of assertions pro- use they are a natural by-product of business ible to use analytical r jiderations (see Chapter 23), beca = necessary. Howey, concern may be unineces eh, aud cmalized approach to audit is neither Prod consideration of going € tsk investigation and separate consider en realize that the audit needs t0 ooh an m economical ip with the client rather than a one-off ach yey "The concept implies a continuing relationship With Me we want this cent, "Mr view. It is an aid to the client acceptance and contin dow h ee asthe top-down approach. In this the general risks ar become knot saditor must gain an understanding of the business g Auditors can adopt what has rr ociated with business operations and the contain first and then specific risks are evaluated.
both current and furure, as well a the risk Ce sed te his assessment of the busines 1 expectations developed from thi 2 With The aur can then ses the expos developed cause tbe ware rc highest level nthe uses and then aed ey a eo capt to look a the accounts holistically, a8 a part ofthe ongoing by, pay epeemaa ee aremPigyon the bass of the financial statements a8 a whole and loka Are caer ccitoument rors the point of view ofthe highest level of control, i.e. senior managemen downwards through the organization. shown by the accounts. The approa\ ‘ment discussions and evaluations of controls at t

THE IMPLICATIONS OF THE BUSINESS RISK APPROACH FOR THE AUDIT

Planning

The auditor needs to plan the audit (ISA 300) and needs to develop a thorough understanding of the business. The planning process still needs an assessment of audit risk (Chapter 10). The effects on planning may include:

• A consideration of the control environment. Is the control environment strong, including the assessment of the internal audit function? If it is not, the business risk approach may not be appropriate.
• Does the management manage risk effectively? Do they have in place procedures which can identify and evaluate the business risks faced by the organization? This should be evaluated at all levels of management.
• Is the Management Information System (MIS) adequate to provide the information needed to manage the business effectively?
• Do any risks threaten the going concern status of the company?
• Do any of the risks have implications for cash flow?
• Is there a high risk of fraud? For example, poor controls, management override, egotistical ambition and arrogance in the chief executive?
• Are there related parties with different agendas?
• Is the business under threat of being taken over with the risk of management misstating financial statements?
• Is there a risk of litigation against the company?
• Is there any risk of withdrawal of support by loan or trade creditors?
Audit procedures

Although detailed systems-based audit checking work may be eliminated altogether because the audit is relying on the strength of the company's own internal controls this does not mean that the auditor does not carry out any detailed checking. The auditors must be sure that the internal control proces ne ess of corpor the effectiven POFatE Rovernance within jo PethaPs by considering the internal audit function | sened. hin the organization. These ests eed oe carried out and | ietabl AUTOS CANNOE eS Some Jee gy racial Position. Whilst they may coneig ‘tantive testing of items comprising the Statement of Fi balances and et issues such Fee ledger bala nd possibly even inventor such 38 BOn-currentaset recording, receivables and Fe died tig Ach mates a ony emi heimernal contol sytem and therefore | emt ee et ee ee see @ mount of testing carried out will — completely Reena enteric © be se ny mated face eink oeach item in the Statement of Financial Posi iis assesment wil be arid out etal saerents at 3 whole not showing re an bit ors he context of the business risks identified and evaluated by
