
Auditing & Assurance Services 7e

©McGraw-Hill Education. All rights reserved. Authorized only for instructor use in the classroom.  No reproduction or further distribution permitted without the prior written consent of McGraw-Hill Education.
Chapter 04

Management Fraud and Audit Risk


“Profit is the result of risks wisely selected.”
Frederick Barnard Hawley

“Risk comes from not knowing what you’re doing.”
Warren Buffett



• Chapter 4 Learning Objectives
1. Define audit risk and describe how it can be broken down into the three
separate components of the audit risk model to help assess and respond to
such risks during the audit planning process.
2. Explain auditors’ responsibility for fraud risk assessment and define and
explain the differences among several types of fraud and errors that might
occur in an organization.
3. Explain an auditor’s responsibility to assess inherent risk, including a
description of the type of risk assessment procedures that should be
performed when assessing inherent risk on an audit engagement.
4. Understand the different sources of information and the audit procedures used
by auditors when assessing risks, including analytical procedures, brainstorming
and inquiries.
5. Explain how auditors complete and document the overall assessment of
inherent risk.
6. Explain auditors’ responsibilities with respect to a client’s failure to comply with
laws or regulations.
7. Describe the content and purpose of an audit strategy memorandum.
• Management Fraud Overview
• Enron collapse and its aftermath
• Arthur Andersen – 5th largest public accounting firm
• Reputation – labeled as low quality
• Reason?
• The risk each company chose to undertake and the
failure of both to adequately monitor and control
these risks.
• Management fraud – a deliberate act by management that
injures investors through materially misleading information
(fraudulent financial reporting)
• White collar crime vs. blue collar crime
• Cont’d …
• Auditors are not responsible for detecting all fraud, only
fraud that materially misstates the financial statements.
• Misappropriating inventory in warehouse only if
not material.
• Management intentionally misappropriates revenue to
reach earnings targets.
• Fraud Risk Assessment:
– Existence of red flags
– Auditors’ skill in noticing them and assessing them appropriately
– Auditors’ willingness to follow them up with fraud detection
procedures

• Steps in Considering the Risk of Fraud
• Step 1: Audit Team Discussion (Brainstorming)
• Step 2: Gather the information necessary to assess fraud
risk factors (red flags) via analytical procedures
• Step 3: a) Identify risk factors;
b) Assess fraud risk
• Step 4: Respond to assessed risks – extended
procedures
• Step 5: Evaluate audit evidence
• Step 6: Communicate fraud matters
• Step 7: Document fraud matters
• Auditors’ Responsibility
• Audit Risk: auditor will give unqualified opinion on
misstated financial statements
• Management Fraud Risk: management intentionally
misstates financial statements
– Fraudulent financial reporting
• Errors are unintentional misstatements or omissions of
amounts or disclosures in financial statements.
• Auditors’ primary responsibility is to design procedures
to provide reasonable assurance that frauds which
materially misstate the financial statements are detected.

• Audit Risk
Audit risk is the risk that the auditor will express an
inappropriate audit opinion when the financial statements are
materially misstated, that is, giving an unmodified opinion on
financial statements that are misleading because of material
misstatements the auditor failed to discover.
Audit risk can be broken down into the following three
components:
• that a material misstatement will even occur (inherent risk);
• that it would not be prevented or detected by client internal
controls (control risk); and
• that it is not detected by the auditor’s own procedures
(detection risk). LO 4-1



• Inherent, Control, and Detection Risk



• Control Risk
Control Risk (CR) is the likelihood that the client’s
internal control policies and procedures fail to prevent
or detect a material misstatement.
Factors affecting control risk include:
• The environment in which the company operates
(its “control environment”);
• The existence (or lack thereof) and effectiveness
of control activities; and
• Monitoring activities (audit committee, internal
audit function, etc.).



• Detection Risk
Detection risk (DR) is the likelihood that the auditors’
substantive procedures will fail to detect a material
misstatement that exists within an account balance or
class of transactions.
Factors affecting detection risk include:
• Nature, timing, and extent of audit procedures;
• Sampling risk (the risk of choosing an
unrepresentative sample); and
• Nonsampling risk (the risk that the auditor may reach
inappropriate conclusions based upon available
evidence).



• Audit Risk Model
• Audit risk (AR) is the risk (likelihood) that the
auditor may unknowingly fail to modify the
opinion on financial statements that are
materially misstated (e.g., an unqualified opinion
on misstated financial statements.)
• The AUDIT RISK MODEL decomposes overall
audit risk into three components:
– inherent risk (IR),
– control risk (CR), and
– detection risk (DR):
AR = IR x CR x DR
(IR x CR = Risk of Material Misstatement (RMM))
• Audit Risk Model (ARM)



• Audit Risk Model – example

• Formula: AR = IR x CR x DR
• Desired AR: 0.05
• IR = 0.90; CR = 0.50; DR = ?
• DR = AR / (IR x CR); DR = 0.05 / (0.9 x 0.5) = 0.11
• This means an 11% risk that the auditors fail to detect a material misstatement
• If IR = 0.50 and CR = 0.30, DR = ?
• DR = AR / (IR x CR); DR = 0.05 / (0.5 x 0.3) = 0.33 or 33%??

• In-class exercise:
• IR = 0.8; CR = 0.8; DR = 0.5; AR = ?
• AR = 0.8 x 0.8 x 0.5 = 0.32
• Impact of Detection Risk on the Nature,
Timing, and Extent of Audit Procedures
          Lower Detection Risk Allowed    Higher Detection Risk Allowed
Nature    More effective tests            Less effective tests
Timing    Testing at year-end             Testing at interim
Extent    More tests                      Fewer tests



• Qualitative and Quantitative Control Risk



• Matrix Approach to Detection Risk (DR)
Determination



• Fraud Risk
Fraud risk is a special case of the risk of material misstatement
related to those situations where management intended to
mislead the marketplace by issuing fraudulent financial
statements. Note that misstatements may be caused by an error
or a fraud; the key difference is intent.

LO 4-2
• Definition of Fraud
Fraud is the act of knowingly making material
misrepresentations of fact with the intent of inducing someone
to believe the falsehood and act on it and, thus, suffer a loss or
damage.



• Categories of Fraud Risk Factors
There are three categories of factors that might indicate
increased risk of fraudulent financial reporting including:

• Management’s characteristics and influence
• Industry conditions
• Operating characteristics and financial stability



• Fraud Risk Factors



• Overview of Types of Frauds



• Other Definitions Related to Fraud
Errors are unintentional misstatements or omissions of amounts or
disclosures in financial statements. Errors are not considered fraud because
they occur unintentionally, while acts of fraud are intentional. Other
fraud-related definitions include:
• Employee fraud is the use of fraudulent means to misappropriate funds or
other property from an employer.
• Embezzlement is a type of fraud involving employees or nonemployees
wrongfully misappropriating funds or property entrusted to their care,
custody, and control, often accompanied by false accounting entries and
other forms of deception and cover-up.
• Larceny is simple theft. For example, an employee misappropriates an
employer’s funds or property that has not been entrusted to the custody
of the employee.
• Defalcation is another name for employee fraud, embezzlement, and
larceny. Auditing standards also call it misappropriation of assets.



• Inherent Risk Assessment
Risk assessment underlies the entire audit process. At
both the overall financial statement level and at the
management financial statement assertion level,
inherent risk refers to the exposure or susceptibility of
an assertion within an entity’s financial statements to a
material misstatement without regard to the system of
internal controls.

LO 4-3
• General Categories of Misstatements



• The Risk Assessment Process



• Inherent Risks of Accounts
Factors related to the susceptibility of accounts to
misstatement or fraud may include:
• Dollar size of the account
• Liquidity
• Volume of transactions
• Complexity of the transactions
• Subjective estimates



• Understanding the Client’s Business and Its
Environment
Gaining a detailed understanding and knowledge of the client’s
business and its environment within the context of its industry is
essential in an audit. Auditing standards require auditors to obtain a
thorough understanding of the business to plan and perform the
audit work. Obtaining an understanding of the client’s business
includes understanding:
• Industry, regulatory, and other external factors
• Nature of the company and related parties
• Effect of client’s computerized processing (Chapter 3)
• Accounting principles and related disclosures
• Company objectives, strategies, and related business risks
• Company performance measures and analysis
• Information Sources
• General Business Sources
– Trade magazines and journals
– General business magazines and newspapers
• Company Sources
– Corporate charter and bylaws or partnership agreement
– Contracts, agreements and legal proceedings
– Minutes of meetings of directors and committees of the
board of directors
• Information from client acceptance or continuance
evaluation, audit planning, past audits, and other
engagements
LO 4-4
• Preliminary Analytic Procedures

[Figure: recorded account balance compared with estimated account balance]

• Attention directing
– Identify potential problem areas
• An organized approach
– A standard place to start examining the financial statements
• Describe the financial activities
– Identify unusual changes in relationships in the data
• Ask relevant questions
– What could be wrong?
– What legitimate reasons are there for these results?
• Cash flow analysis
• Steps for Performing Analytic Procedures
Auditors are required to complete preliminary analytical procedures at
the preliminary stage of the audit (planning stage). At this stage,
analytical procedures are referred to as reasonableness tests. Auditors
should perform the following five steps when completing analytical
procedures:
1. Develop an expectation.
2. Define a significant difference.
3. Compare expectation with the recorded amount.
4. Investigate significant differences.
5. Document each of the preceding steps.
While the use of analytic procedures for substantive testing is optional,
professional standards require the use of analytical procedures at the
end of the audit when the partners in charge review the overall quality
of the work.
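The five steps above, worked through as an added Python example that is not part of the original slides. The expectation method (prior-year balance scaled by revenue growth), the 5% significance threshold, and all account figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    prior_year: float   # audited prior-year balance
    recorded: float     # unaudited current-year balance from the client


# Constructed sample data (not from the textbook).
SAMPLE_ACCOUNTS = [
    Account("Accounts receivable", 200_000, 290_000),
    Account("Inventory", 150_000, 168_000),
    Account("Cost of goods sold", 600_000, 610_000),
]


def reasonableness_test(accounts, revenue_growth, threshold_pct):
    """Apply the five analytical-procedure steps and return work-paper rows."""
    rows = []
    for acct in accounts:
        # Step 1: develop an expectation (assumed: prior year scaled by growth).
        expected = round(acct.prior_year * (1 + revenue_growth), 2)
        # Step 2: define a significant difference (assumed: % of expectation).
        threshold = round(abs(expected) * threshold_pct, 2)
        # Step 3: compare the expectation with the recorded amount.
        difference = round(acct.recorded - expected, 2)
        # Step 4: flag significant differences for investigation.
        investigate = abs(difference) > threshold
        # Step 5: document each of the preceding steps.
        rows.append({
            "account": acct.name,
            "expected": expected,
            "threshold": threshold,
            "recorded": acct.recorded,
            "difference": difference,
            "direction": "over" if difference > 0 else "under",
            "investigate": investigate,
        })
    return rows


def flagged(rows):
    """Names of accounts whose difference exceeds the defined threshold."""
    return [r["account"] for r in rows if r["investigate"]]


if __name__ == "__main__":
    for row in reasonableness_test(SAMPLE_ACCOUNTS, 0.10, 0.05):
        print(row)
```

Receivables growing far faster than the expectation and cost of goods sold falling short of it are the relationships the attention-directing step is meant to surface for follow-up questions.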
• Audit Team Brainstorming Discussions
• Required procedure
• Objectives
– Gain understanding of
• Previous experiences with client
• How a fraud might be perpetrated and concealed in the entity
• Procedures that might detect fraud

– Set proper tone for engagement
• Discussions should be ongoing throughout the engagement



• Inquiries
Inquiries should be made of the following client personnel and
groups:
• Management
• Internal Auditors
• Directors
• Audit Committee
• Other Employees



• Overall Assessment and Documentation of
Inherent Risk
The assessment of inherent risk needs to occur for each
significant financial statement account and disclosure. Such is
the case if there is a chance that an account or disclosure could
contain a material misstatement. The auditor should evaluate
both the quantitative and qualitative risk factors associated with
the financial statement account or disclosure.

Once the significant accounts and disclosures have been
identified, the auditor then needs to identify the relevant
financial statement assertions. A financial statement assertion is
relevant if it has a “reasonable possibility of containing a
misstatement that would cause the financial statements to be
materially misstated.”
LO 4-5
• What can go wrong?
• The auditor must identify the likely sources of misstatements
that could cause the financial statements to be materially
misstated. In doing so, the auditor should consider “what can
go wrong” when thinking about each of the relevant financial
statement assertions.



• Assessment of Risks
• Type of risk
• Significance of risk
• Likelihood of risk
• Pervasiveness of risk
• Assess controls and programs



• Respond to Assessed Risks
• Respond to Significant Risks
– Assignment of personnel
– Choice of accounting principles
– Predictability of auditing procedures
– Retrospective review of prior year accounting estimates

• Accumulated Results of Procedures
• Extended procedures



• Evaluate Audit Evidence
• Discrepancies in the accounting records.
• Conflicting or missing evidential matter.
• Problematic or unusual relationships between the
auditor and management.
• Results from review of the final stage of substantive
analytical procedures.
• Vague, implausible or inconsistent responses to
inquiries.



• Document Risk Assessment
Auditors must carefully document the risk assessment process in the work
papers to provide a record of the procedures performed. Items that must be
documented include:
• Discussions with engagement personnel.
• Procedures to identify and assess risk.
• Significant decisions during discussion.
• Specific risks identified and audit team responses.
• Explanation of why improper revenue recognition is not a risk.
• Results of audit procedures, particularly procedures regarding
management override.
• Other conditions causing auditors to believe that additional procedures
are required.
• Communications with management and those charged with governance,
such as the audit committee.
• Fraud and Other Significant Risks
• Presume that improper revenue recognition is a
fraud risk.
• Identify risks of management override of controls.
– Examine journal entries and other adjustments.
– Review accounting estimates for biases.
– Evaluate business rationale for significant unusual transactions.

• Identify Significant Risks



• Communication of Fraud Risks
• Auditors must always exercise significant care
because accusations of fraud are taken very seriously
by audit clients.
• Evidence that fraud may exist must be communicated
to appropriate level of management, usually at least
one level above the people involved.
• Any fraud committed by management (no matter
how small) is material and should be reported to
those charged with governance, usually the entity’s
audit committee of its board of directors.



• Noncompliance With Laws and Regulations
– Direct-effect noncompliance produces direct and material
effects on the financial statements. The law or regulation
can be identified with a specific account or disclosure (e.g.,
income tax evasion).
• Auditor’s responsibility—design procedures to provide reasonable
assurance
– Indirect-effect noncompliance is not related to specific
accounts or disclosures on the financial statements (e.g.,
violations relating to insider securities trading,
occupational health and safety, food and drug
administration, environmental protection, and equal
employment opportunity).
• Auditor’s responsibility—follow up on suspected violations material to the
financial statements

LO 4-6
• Indicators of Noncompliance



• Audit Strategy Memorandum
The auditor establishes an overall audit strategy that sets the
scope, timing, and direction for auditing each relevant assertion.
The strategy is a result of the audit risk model. In establishing
the overall audit strategy, the auditor should take into account:

1. the reporting objectives of the engagement and the nature
of the communications required by auditing standards;
2. the factors that are significant in directing the activities of
the engagement team; and
3. the results of preliminary engagement activities and the
auditor’s evaluation risk assessment.

Also, various laws or regulations may require other matters to be
communicated.
LO 4-7
• Audit Strategy Memorandum (continued)
In summary, the audit strategy should:

• Identify significant accounts and disclosures
• Establish overall audit strategy for each relevant assertion
• Take into account
– Reporting objectives and communications required
– Auditor’s risk assessment
– Other requirements of laws or regulations
• Nature, timing, and extent of necessary resources
• Planned tests of controls, substantive procedures, and other planned
audit procedures
• Memo is basis for preparing detailed audit plans (often called audit
programs)
• Written audit plan documenting audit strategy is required
• Example of an Audit Strategy Memorandum
