Risk-Based Approach to Financial Statement Audit
In the late 1990s, Enterprise Risk Management (ERM) began to evolve as an approach for companies to manage risks on a holistic, company-wide basis. Audit departments employing a risk-based audit approach are probably already focusing on the same key risks that management focuses on as part of the ERM process. However, there are other characteristics of ERM that a risk-based audit approach does not comprehensively address. Therefore, a fourth generation of auditing, risk management-based auditing, is necessary to optimize auditing in an ERM environment. Risk management-based auditing embodies many of the characteristics of risk-based auditing with an expanded focus on key business objectives, management’s tolerance to risk, key risk measurements or performance indicators, and risk management capabilities. Additionally, risk-based auditing primarily focuses on mitigating risks to an acceptable level. Risk-based audits have the following characteristics:
1. Objective – Determine the primary business objectives, risks, measurements, and tolerances, and evaluate how effectively the risk management activities are supporting the objectives by managing the risks to an acceptable level.
2. Approach – Focus on the following:
- Understanding management’s strategic, operational and value objectives
- Identifying and evaluating the key business risks that are barriers to achieving those objectives
- Understanding management’s tolerance relative to risk occurrence
- Understanding how management monitors and measures and how successfully they are managing those risks
- Determining the risk management activities deployed to manage the risks to an acceptable level
- Assessing how effectively the risk management activities manage those risks to an acceptable level
3. Focus – Identify gaps between the current and desired level of risk management effectiveness.
4. Testing Approach – Typically, a combination of substantive and compliance testing is utilized, depending on how effectively the risk management activities are designed.
5. Recommendations – Relate gaps in risk management effectiveness to the underlying risks and key business objectives (Sobel 2005).
Risk-based auditing centers on the efficient review of the key elements of the financial statements. Essentially, this involves the concentration of audit resources on the material areas of the financial statements. This approach entails:
- A systematic approach to planning in which the auditors relate audit tasks to audit risk by reducing the time spent on low-risk situations and concentrating on the coverage of high-risk situations
- The evaluation of the internal control systems of the auditee
- The use of analytical procedures to form an opinion that is within the desired level of assurance (Wanna and Ng 2001)
At the planning stage, the main consideration for determining a level for audit risk is the extent to which external users rely on the financial statements. Accordingly, questions such as who the potential users are, their purpose for using information and the total effect of using materially misstated information for their purpose are considered by the auditor. Apart from the audit risk, auditors also assess a risk that is related to the organization itself – inherent risk. The higher the inherent risk, the more audit effort required. This approach is currently evolving in practice and is referred to as the ‘business risk’ approach. Central to this audit methodology is an understanding of the auditee's business, how it is organized, and how transactions are controlled and recorded. The methodology focuses the financial statement audit on those activities that could give rise to a risk of a material misstatement in the financial statements. A SWOT (strengths, weaknesses, environmental opportunities and threats) analysis is carried out for the assessment of business, operational, financial, management, computerized information systems and control risks. Consideration of a client's business risks requires the auditor to know and understand the client's business strategy and how it plans to respond to changes in its environment. An emphasis on the client's business risks will lead to a more strategic and systematic approach to auditing. The auditor can use this knowledge of the client's business and industry to develop a more efficient and effective audit. The auditor will then place less emphasis on routine transactions that are likely to be tightly controlled through the client's internal control structure and concentrate on identifying non-routine transactions, accounting estimates and valuation issues that are much more likely to lead to misstatements in the financial statements.
Forensic Accounting Investigation vs. Statutory Audit
Forensic accounting investigation involves litigation. In such circumstances, accountants may be called on to provide expert investigations and evidence. Forensic accounting, according to Crumbley et al. (2005), is the use of accounting for legal purposes. It is the use of intelligence-gathering techniques and accounting/business skills to develop information and opinion for use by attorneys involved in civil litigation and to give trial testimony if called upon. Forensic accounting is the action of identifying, recording, setting, extracting, sorting, reporting, and verifying past financial data or other accounting activities for settling current or prospective legal disputes, or using such past financial data for projecting future financial data to settle legal disputes.
Statutory audit is an audit of a company as required by the Companies Act (1985), subject to small company exemptions. The auditors are required to report to the company’s members on all accounts of the company, copies of which are laid before the company in general meeting.
A forensic audit is different from a statutory audit (a typical financial audit). A financial audit is generally a sampling activity that does not look at every transaction. Thus, the system can be exploited by someone, such as an executive who knows the ins and outs of the company’s finances. A forensic audit looks at every detail of a specific aspect of the records, trying to determine why everything does not or should not add up. Thus a forensic audit is much more time consuming and can be significantly more expensive than a statutory audit (Crumbley et al. 2005). Forensic accounting is a science dealing with the application of accounting facts gathered through auditing methods and procedures to resolve legal problems. Forensic accounting is much different from traditional auditing. The main purpose of a traditional audit is to examine the financial statements of an organization and express an opinion on the fairness of the financial statements. In other words, auditors give an opinion on whether the financial statements have been prepared in accordance with generally accepted accounting principles. Auditors employ limited procedures and use extensive testing and sampling techniques. Audits are performed by independent accountants and are not conducted with a view to presenting the evidence in a judicial forum. An audit is not an investigation; its main objective is not to uncover fraud. Forensic accounting, on the other hand, is for investigation of an allegation with the assumption that the forensic accountant will have to present the evidence in a judicial forum. A forensic accountant often employs specialists in other areas as part of a team to gather evidence. In order to present the evidence in court, there must be absolute assurance; thus, testing and sampling methods are usually not employed as part of the evidence-gathering procedures. The scope of the investigation is limited because it is determined by the client (Siegel and Shim 2006).
Auditor’s Roles and Responsibilities
While both management and the auditor address some of the same issues, their roles are vastly different. There has been some confusion on this point, especially within the general public, which tends to attribute to the auditor certain responsibilities that actually rest with management. The professional standards of the American Institute of Certified Public Accountants (AICPA) have long made clear that the financial statements and the decisions shaping the financials are the responsibility of management. The financial statements are management’s responsibility. The auditor’s responsibility is to express an opinion on the financial statements (Golden et al 2006).
There are three most common audit deficiencies that auditors commit. One is the auditor’s failure to gather sufficient evidence. In some instances, this failure was pervasive throughout the engagement; in other instances, the allegations were more specific. For example, many cases involved inadequate evidence in the areas of:
- Asset Valuation – the auditor did not obtain evidence to support key assumptions.
- Asset Ownership – the auditor did not obtain evidence to indicate the company owned certain assets.
- Management Representations – the auditor did not corroborate management responses to inquiries.
Some cases involved the auditor's failure to examine relevant supporting documents (for example, examining a draft, instead of a final, sales contract) or failure to perform steps listed in the audit program. Overall, this failure contributed to management's success in overstating assets, the most common fraud technique.
Another common problem relates to audit program design. Planning the audit engagement is crucial to its success. Deficiencies in audit planning are very common. Specifically, the auditor fails to:
- Properly assess inherent risk and adjust the audit program accordingly
- Recognize the heightened risk associated with non-routine transactions
- Prepare an audit program
Still one of the most common deficiencies in auditing is failure in confirming accounts receivable. These deficiencies include:
- Failure to confirm enough receivables
- Failure to perform alternative procedures when confirmations were not returned or were returned with material exceptions
- Problems with sending and receiving confirmation requests
Another common problem is the auditor's failure to recognize or disclose transactions with related parties. The auditor is either unaware of the related party or appears to cooperate in the client's decision to conceal a transaction with this party. Such transactions often resulted in inflated asset values (Beasly et al 2001).
Fraud symptoms--the specific, observable signs that fraud might be present--may be of the actual fraud or of the cover-up attempt. The easiest symptoms to spot involve cash and inventory shortages. But even there, clever thieves find ways to obscure the symptoms. For example, it's hard to tell immediately whether missing original documentation may be due to filing errors or because someone destroyed the documents to cover up a theft.
Here is a short list of some fraud symptoms:
- Multiple endorsements on commercial checks.
- The use of common or repetitive names for refunds--such as Smith or Jones or a commercial name that is very similar to one in your industry but is spelled slightly differently.
- Line items in standard reconciliations that do not go away.
- Customer complaints about having paid invoices for which they are being dunned.
- Adjustments to either inventory records or customer accounts.
- The addresses of vendors that are the same as employee addresses.
- No proceeds from the disposition of used assets (Hall 1996).
When one of these symptoms appears, use caution. Often there are reasonable explanations and they usually do not lead to a thief--just an error or an ill-designed process.
Risk factors pertaining to management’s characteristics and influence over the control environment are aimed at identifying pressure or an incentive to engage in financial statement fraud and perceived opportunity to commit such fraud. The risk factors involving management’s motivations to engage in financial statement fraud are the following:
- A considerable portion of management’s compensation, represented by bonuses, stock options, or other incentives that pressure management to achieve unduly aggressive targets for operating results, financial position or cash flow.
- Commitments to analysts or creditors of unduly aggressive or unrealistic forecasts
- Undue pressure on management and/or interest by management in maintaining or increasing the company’s stock price or earnings trend through the use of unusually aggressive accounting practices
- The use of inappropriate means to minimize earnings for tax-motivated purposes
- Domination of management by a single person or small group without effective monitoring oversight by the board of directors and/or the audit committee
- Ineffective communication and support of entity values and ethics
- Management failure to correct known reportable conditions
- Management disregard for regulatory authorities
- Management setting unduly aggressive financial targets and expectations for operating personnel
- High turnover of senior management, counsel, or board members
- Management continuing to employ ineffective and incompetent accounting, information technology, or internal audit staff
- Unreasonable demands for auditor completion of the audit report issuance
- Formal or informal restrictions on auditor access to people or information
- Domineering management behavior or attempts to influence audit scope
- Known history of securities law violations or fraud or allegations of financial statement fraud (Rezaee 2002)
Benefits and Limitations of Risk-Based Approach
Risk-Based Auditing is an auditing technique that responds to the risk factors in an audit by assessing the levels of risk attached to different areas of an organization’s system and using the results to devise audit tests. The purpose is to focus the audit in the areas of highest risk in order to improve the chances of detecting errors (Hussey 1999).
In recent years, many auditors have expanded their focus to explicitly include the client's strategy and business processes. A number of recent studies examine whether a business process focus affects auditors' effectiveness in identifying risks. Bell et al. (1997) describe how this approach moves auditors from a balance sheet orientation to a broader focus on the overall organization, its environment, and its key processes.
Lemon et al. (2000) describe the extent to which firms are adopting this focus in their audit methodology, and Eilifsen et al. (2001) describe how this approach is applied to an individual audit. The approach involves:
- Understanding and developing a mental model of the client's strategic environment,
- Understanding the key processes for executing that strategy, including the related risks and controls, and
- Relating these factors to financial statement assertions.
Understanding the client's business processes aids in understanding key performance indicators and in developing expectations for financial statement accounts. Several studies examine the advantages of the business process approach. Organizing information about controls around business processes produces stronger category knowledge during auditor training and improves internal control evaluation performance compared to organizing information around traditional control objectives (Kopp and O'Donnell 2005). Using such an approach also increases the extent to which auditors integrate assessments of strategic business risks (O'Donnell et al. 2005). Auditors using strategic business risk analysis document more client business risks, and they assess the strength of the control environment and inherent risk differently (i.e., they perceive a stronger link between the strength of the control environment and the risk of material misstatement, and between inherent risk and the risk of material misstatement) (Kotchetova 2005). Additionally, auditors' assessments of client business risk and the analysis and documentation of business processes influence their business process-level risk assessments (Kotchetova et al. 2005). When auditors analyze and document business processes, their process-level risk assessments are related to their previous assessments of entity-level business risk, indicating that documenting the process analysis creates linkages between risks at different levels. Finally, using software adapted to a business risk approach allows auditors to identify more risks (O'Donnell and Schultz 2003).
Two recent studies, however, document potential disadvantages of the business risk approach. First, Ballou et al. (2004) find that when the strategic analysis of a client indicates that it is typical of its industry, auditors may underweight small problems within business processes. Second, O'Donnell and Schultz (2005) find evidence of a "halo effect" when auditors use strategic risk assessment. Specifically, auditors performing such strategic assessments with favorable results are less likely to adjust their risk assessments at the account level when they uncover unusual fluctuations. Thus, both studies suggest that auditors getting positive news from the strategic-level risk assessment may be less attuned to specific risks noted subsequently.
Most firms have developed decision aids to help identify client business risks, particularly on first-time audits (e.g., see Bell et al. 2002). Moreover, many have developed software that facilitates the use of the business risk approach discussed above (O'Donnell and Schultz 2003). However, practitioners should be aware that the orientation of a decision aid (i.e., a negative focus emphasizing risks and their consequences versus a positive focus) can affect auditors' judgments (Bedard and Graham 2002). Investigating auditors' responses relative to their actual (as opposed to hypothetical) clients, Bedard and Graham (2002) find that auditors who use a negatively focused decision aid identify more risk factors than auditors using a positively focused decision aid, and auditors who use a negatively focused decision aid link substantive tests to the risk factors. Auditors also can use analytical procedures that use a business risk approach and are adapted to clients' key processes (Ballou and Heitger 2004).