SAS No. 107 defines audit risk as the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. Audit risk is subjective in nature and represents the likelihood misstatement will remain in the financial statements after we complete our auditing procedures. SAS No. 107 discusses risk at both the financial statement level and the assertion level. Engagement risk, or overall engagement risk as some call it, is audit risk at the financial statement level and is primarily affected by certain factors:
From a client acceptance and/or continuance form, and the related client investigation procedures, among other things, we can evaluate:
1. Integrity of management.
2. Use of financial statements.
3. Potential for going-concern problems.
Questions concerning the integrity of management and the use of financial statements should be documented in a client acceptance and/or continuance form. Management’s character and compliance with a company’s internal control policies and procedures sets the standards for behavior of other employees. The “tone at the top” is an integral part of the control environment that underpins all other elements of internal control and affects the auditor’s risk assessment process at both the financial statement and assertion levels..
The client’s intended use of audited financial statements may create higher risk at the financial statement level in some circumstances. For example, the user may place greater reliance on the audited financial statements when the user is a lender evaluating an application for credit, a bonding underwriter considering a performance bond for a construction contract or an attorney for use in litigation support. Essentially, the use of financial statements for high risk purposes increases the likelihood of being sued by users! Such likelihood requires more reliable and more extensive evidence in all audit areas to mitigate this risk at the financial statement level.
SAS No. 59 requires an evaluation of the going concern assumption during planning. While management may have plans to mitigate information contrary to the going-concern assumption, the presence of such information and the potential for it materially affecting the financial statements under examination should be considered when planning the desired level of evidence for the engagement. The auditor should evaluate whether there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, at least one year. If substantial doubt exists, the auditor should evaluate management’s plans to mitigate the contrary information and plan to subjectively increase the overall level of evidence on the engagement.
Our audit strategies for large and small audits must reflect our evaluation of risk at the financial statement level.