Upload
vuongkhue
View
216
Download
0
Embed Size (px)
Citation preview
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin
Chapter 04 Management Fraud and Audit Risk
Learning Objectives
1. Define business risk and understand how management addresses
business risk with the Enterprise Risk Management Model
2. Explain auditors’ responsibility for risk assessment and define and
explain the differences among several types of fraud and errors that
might occur in an organization.
3. Describe the audit risk model and explain the meaning and importance
of its components in terms of professional judgment and audit
planning
4. Understand sources of inherent risk factors including the client’s
business and environment.
5. Understand sources of information for assessing risks including
analytical procedures brainstorming and inquiries. Explain how
auditors respond to assessed risks.
6. Explain auditors’ responsibilities with respect to noncompliance with
laws or regulations.
7. Describe the content and purpose of an audit strategy.
4-2
Management’s
Risks
• Business Risk—failure to meet objectives
– Objectives—overall plans
– Strategies—methods to meet objectives
• Information Risk---financial statements will
be misstated.
4-3
Sources of Risk
4-4
Enterprise Risk Management
4-5
Auditor’s Risk
Responsibilities • Audit Risk—auditor will give unqualified opinion on
misstated financial statements
• Management Fraud Risk—management intentionally
misstates financial statements
– Fraudulent financial reporting
• Errors are unintentional misstatements or omissions of
amounts or disclosures in financial statements.
• Auditors’ primary responsibility is to design procedures to
provide reasonable assurance that frauds that materially
misstate the financial statements are detected.
4-6
Other Definitions Related to
Fraud
• Employee fraud
• Larceny
– misappropriation of assets
• Defalcation
• Embezzlement
4-7
Overview of Types of Fraud
Risk
4-8
General Categories of Errors
and Frauds • Invalid transactions are recorded.
• Valid transactions are omitted from the accounts.
• Unauthorized transactions are executed and recorded.
• Transaction amounts are inaccurate.
• Transactions are classified in the wrong accounts.
• Transaction accounting and posting is incorrect.
• Transactions are recorded in the wrong period.
4-9
Risk Factors Related to Fraudulent
Financial Reporting
• Management’s characteristics and influence
• Industry conditions
• Operating characteristics and financial
stability
4-10
• Management has a motivation to engage in fraudulent
reporting.
• Management decisions are dominated by an individual or a
small group.
• Management fails to display an appropriate attitude about
internal control.
• Managers’ attitudes are very aggressive toward financial
reporting.
• Managers place too much emphasis on earnings
projections.
Fraud Risk Factors: Management’s
Characteristics and Influence
4-11
Fraud Risk Factors: Management’s
Characteristics and Influence (cont.)
• Nonfinancial management participates excessively
in the selection of accounting principles or
determination of estimates.
• The company has a high turnover of senior
management.
• The company has a known history of violations.
• Managers and employees tend to be evasive when
responding to auditors’ inquiries.
• Managers engage in frequent disputes with
auditors 4-12
Fraud Risk Factors: Industry conditions
• Company profits lag the industry.
• New requirements are passed that could impair stability or profitability.
• The company’s market is saturated due to fierce competition.
• The company’s industry is declining.
• The company’s industry is changing rapidly.
4-13
Fraud Risk Factors: Operating
Characteristics
• A weak internal control environment prevails.
• The company is not able to generate sufficient cash flows to ensure that it is a going concern.
• There is pressure to obtain capital.
• The company operates in a tax haven jurisdiction.
• The company has many difficult accounting measurement and presentation issues.
• The company has significant transactions or balances that are difficult to audit.
• The company has significant and unusual related-party transactions.
• Company accounting personnel are lax or inexperienced in their duties.
4-14
The AUDIT RISK MODEL (ARM)
• Audit risk (AR) is the risk (likelihood) that the auditor may unknowingly fail to modify the opinion on financial statements that are materially misstated (e.g., an unqualified opinion on misstated financial statements.)
• The AUDIT RISK MODEL decomposes overall audit risk into three components: inherent risk (IR), control risk (CR), and detection risk (DR):
AR = IR x CR x DR
(IR x CR = Risk of Material Misstatement (RMM))
4-15
Inherent Risk
• Factors affecting account inherent risk include:
– Dollar size of the account
– Liquidity
– Volume of transactions
– Complexity of the transactions
• New accounting pronouncements
– Subjective estimates
4-16
Control Risk
• Control Risk (CR) is the likelihood that a material misstatement would not be caught by the client’s internal controls.
• Factors affecting control risk include:
– The environment in which the company operates (its ―control environment‖).
– The existence (or lack thereof) and effectiveness of control activities.
– Monitoring activities (audit committee, internal audit function, etc.).
4-17
Detection Risk
• Detection risk (DR) is the risk that a material misstatement would not be caught by audit procedures.
• Factors affecting detection risk include:
– Nature, timing, and extent of audit procedures
– Sampling risk
• Risk of choosing an unrepresentative sample.
– Nonsampling risk
• Risk that the auditor may reach inappropriate conclusions based upon available evidence
4-18
Detection Risk and the
Nature, Timing, and Extent
of Audit Procedures
Lower
Detection Risk
Higher
Detection Risk
Nature More effective
tests.
Less effective
tests.
Timing Testing
performed at
year-end.
Testing can be
performed at
Interim.
Extent More tests. Fewer tests.
4-19
Audit Risk Process
4-20
Matrix Approach to ARM
4-21
Risk Assessment Process
4-22
Factors Affecting Overall
Inherent Risk
• Company and its environment
• Nature of Company
– Related parties
• Accounting Principles and Disclosures
• Objectives and Strategies
• Measurement and Analysis of Financial
Performance
4-23
Information Sources
• General Business Sources
• Company Sources
– Minutes
• Client acceptance, Planning, Past audits,
and Other Engagements
4-24
Preliminary Analytic Procedures
RECORDED
ACCOUNT
BALANCE
ESTIMATED
ACCOUNT
BALANCE
• Attention directing
– Identify potential problem areas
• An organized approach
– A standard starting place to start examining the financial statements
• Describe the financial activities
– Identify unusual changes in relationships in the data
• Ask relevant questions
– What could be wrong?
– What legitimate reasons are there for these results?
• Cash flow analysis
4-25
Analytic Procedure Steps
1. Develop an expectation.
2. Define a significant difference.
3. Calculate predictions and compare them
with the recorded amount.
4. Investigate significant differences.
5. Document each of the above steps.
4-26
Analytic Procedures:
Stages of Use
• Preliminary planning-- required
• Substantive testing -- optional
• Final review -- required
4-27
Audit team discussions
(brainstorming) • Required procedure
• Objectives
– Gain understanding of
• Previous experiences with client
• How a fraud might be perpetrated and concealed in
the entity
• Procedures that might detect fraud
– Set proper tone for engagement
• Discussions should be ongoing throughout the
engagement
4-28
Inquiries
• Management
• Audit committee
• Internal auditors
• Others
• Risk of Fraud
4-29
Assess Fraud Risks
• Type of risk
• Significance of risk
• Likelihood of risk
• Pervasiveness of risk
• Assess controls and programs
4-30
Required Risk Assessments
• Presume that improper revenue recognition is a
fraud risk.
• Identify risks of management override of controls.
– Examine journal entries and other adjustments.
– Review accounting estimates for biases.
– Evaluate business rationale for significant
unusual transactions.
• Identify Significant Risks
4-31
Respond to Assessed Risks
• Respond to Significant Risks
– Assignment of personnel
– Choice of accounting principles
– Predictability of auditing procedures
– Retrospective review of prior year accounting
estimates
• Accumulated Results of Procedures
• Extended procedures
4-32
Evaluate Audit Evidence
• Discrepancies in the accounting records.
• Conflicting or missing evidential matter.
• Problematic or unusual relationships between the auditor and management.
• Results from substantive of final review stage analytical procedures.
• Vague, implausible or inconsistent responses to inquiries.
4-33
Communicate Fraud Matters
• Evidence that fraud may exist must be communicated to appropriate level of management.
• Sarbanes Oxley: Significant deficiencies must be communicated to those charged with governance.
• Any fraud committed by management (no matter how small) is material.
4-34
Document Fraud Matters
• Discussion of engagement personnel.
• Procedures to identify and assess risk.
• Specific risks identified and auditor response.
• If revenue recognition not a risk—explain why.
• Results of procedures regarding management override.
• Other conditions causing auditors to believe additional procedures are required.
• Communication to management, audit committee, etc.
4-35
Noncompliance With Laws
and Regulations
– Direct-effect noncompliance produce direct and material effects on the financial statements . The law or regulation can be identified with a specific account or disclosure (e.g., income tax .evasion).
• Auditor’s responsibility--design procedures to provide reasonable assurance
– Indirect-effect noncompliance are not related to specific accounts or disclosures on the financial statements (e.g., violations relating to insider securities trading, occupational health and safety, food and drug administration, environmental protection, and equal employment opportunity).
• Auditor's responsibility—Follow up on suspected violations material to the financial statements
4-36
Red Flags of Potential
Noncompliance
• Unauthorized transactions.
• Government investigations.
• Regulatory reports of violations.
• Payments to consultants, affiliates, or employees for unspecified services.
• Excessive sales commissions and agents’ fees.
• Unusually large cash payments.
• Unexplained payments to government officials.
• Failure to file tax returns or to pay duties and fees.
4-37
Audit Strategy Memorandum
• Identify significant accounts and disclosures
• Establish overall audit strategy for each relevant assertion
• Take into account
– Reporting objectives and communications required
– Auditor’s risk assessment.
– Other requirements of laws or regulations.
• Nature, timing, and extent of necessary resources
• Planned tests of controls, substantive procedures, and other
planned audit procedures
• Memo is basis for preparing detailed audit plans (often
called audit programs)
• Written audit plan documenting audit strategy is required 4-38