The planning phase of an audit engagement of an entity using US GAAP or a special purpose framework will, with minor differences, include similar risk assessment procedures. Among them is assessing risk at the financial statement and assertion levels. We'll now focus on risk assessment at the financial statement level; "business risk" as it is sometimes called. A properly designed Client Acceptance and Continuance Form can facilitate the risk assessment process.
Risk at the Financial Statement Level
Section AU-C 315 of the Clarified Auditing Standards defines risk assessment procedures as the audit procedures performed to obtain an understanding of the entity and its environment—including the entity's internal control—to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels.
Audit risk is the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. Audit risk is subjective in nature and represents the likelihood misstatement will remain in the financial statements after auditing procedures are completed. Audit risk at the financial statement level is based on engagement facts and circumstances and the following basic elements that should be considered when completing a Client Acceptance and Continuance Form and performing other risk assessment procedures:
- Integrity of management.
- Use of financial statements.
- Potential for going-concern problems.
Integrity of Management
Management's character and compliance with a company's internal control policies and procedures sets the standards for behavior of other employees. The "tone at the top" is an integral part of the control environment that underpins all other elements of internal control and affects the auditor's risk assessment process at both the financial statement and assertion levels.
Auditors may rely on client employee's responses to inquiries, at least in part, when the integrity of client personnel is high. The documentation of those responses, along with other related risk assessment procedures, contributes substantive evidence for evaluating the appropriateness and reasonableness of financial statement assertions.
Use of Financial Statements
In some circumstances, the client's intended use of audited financial statements may create higher risk at the financial statement level. For example, the user may place greater reliance on the audited financial statements when the user is a lender evaluating an application for credit, a bonding underwriter considering a performance bond for a construction contract, or an attorney for use in litigation support. The use of financial statements for high-risk purposes increases the likelihood of being sued, or business risk. Such likelihood requires more reliable and more extensive evidence in all audit areas to mitigate this risk at the financial statement level.
Potential for Going-Concern Problems
Section AU-C 570, The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern, requires an evaluation of the going concern assumption during planning. The following information may be considered contrary to the going-concern assumption—that is, information that may cast doubt on the ability of an entity to continue its operations:
- Recurring losses from operations.
- Serious deficiencies in working capital.
- Large debt-to-equity ratio.
- Inability to obtain sufficient financing for plant and equipment acquisition or replacement and for continuing operations on a profitable level.
- Defaults on loan covenants that can accelerate debt maturities.
- New entities that have not achieved solid financial position.
- Governmental action or significant lawsuits beyond the entity's control and ability to withstand financially.
- Uncertainty of future operating or market trends; loss of patent, license, franchise, major customer or major supplier; or uninsured catastrophes.
While management may have plans to mitigate information contrary to the going-concern assumption, the presence of such information and the potential for it to materially affect the financial statements should be considered when planning the audit strategy and audit plan for the engagement. The auditor should evaluate whether there is substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time, at least one year from the date of the financial statements.
If substantial doubt exists, the auditor should evaluate management's plans to mitigate the contrary information, plan to subjectively increase the overall level of evidence if necessary and consider the adequacy of footnote disclosures.
An illustrative Client Acceptance and Continuance Form, containing risk assessment questions for the basic elements discussed above, is available upon specific request by clicking the "Contact Us" tab on the home page of my website, www.cpafirmsupport.com.
The Impact of Risk at the Financial Statement Level
The subjective level of risk at the financial statement level (high, moderate, or low) can significantly affect the audit strategy, including the nature, extent, and timing of procedures, and the staffing and supervision of the engagement.
Procedures: High risk at the financial statement level calls for more reliable procedures, increased sample sizes or greater audit coverage of the dollar amount of account balances, and performing procedures as of the client's fiscal year-end. Low risk will permit less-reliable procedures, smaller sample sizes or lesser audit coverage of account balances and performing procedures before year-end. In the discussions of materiality concepts and sampling decisions later in this series of articles, we'll consider the procedural impact of high, moderate and low risk at the financial statement level.
Staffing and supervision: Responses to high risk at the financial statement level will include assigning more experienced engagement personnel to the engagement and/or increased leader supervision. Low risk will permit less experienced personnel and/or less executive supervision. Because assigning personnel to engagements is one of the elements of quality control for a CPA firm, firm engagement files should document these decisions during planning.
Considerations for Special Purpose Frameworks
For entities using special purpose frameworks, management's reasons for selecting the framework are of audit significance. As mentioned in a previous article, an auditor is responsible for evaluating the appropriateness and reasonableness of an entity's applicable financial reporting framework. Management's responsibility is to select a framework that presents financial position and results of operations in a fair presentation framework, one that satisfies the needs of financial statement users. If management selects a framework for reasons other than this, the auditor may not be able to express an unqualified audit opinion.
While the specific risk factors and their planned affects on the audit are considered during the various aspects of the risk assessment process, they are usually best summarized and documented in a spreadsheet I refer to as a General Ledger Analysis Worksheet. This worksheet will be discussed in my next article.