By Janet L. Colbert, Michael S. Luehlfing, and C. Wayne Alderman
Recent AICPA audit risk alerts utilize the term "engagement risk" in describing various risks auditors consider in performing an engagement. A major portion of the introduction to the 1995 Audit Risk Alert (the alert) deals with the concept of engagement risk. Engagement risk encompasses risks borne by both the auditor and the client entity. Although use of the term engagement risk may be relatively new, the risks comprising engagement risk and factors bearing on those risks are not unfamiliar to practitioners. The concept of engagement risk serves to formalize the auditor's consideration of the factors and risks affecting an engagement.
Engagement Risk Defined
Engagement risk represents the overall risk associated with an audit engagement. Engagement risk consists of three components: client's business risk (also referred to as entity's business risk), audit risk, and auditor's business risk.
An entity's business risk is the risk associated with the entity's survival and profitability. The concept recognizes that because of factors such as rapid changes in the industry, liquidity problems, or speculative ventures, the possibility exists the client may not achieve its profit goals or even continue in existence. As yet, entity's business risk has not been formally recognized in a statement on auditing standards (SAS).
In contrast to entity's business risk, the concept of audit risk is discussed in SAS No. 47, Audit Risk and Materiality in Conducting an Audit (1983). The SAS and the alert define audit risk as the risk that the auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated.
The concept of auditor's business risk was introduced in the standards in a footnote to SAS No. 47 as simply business risk. Specifically, SAS No. 47 indicates that
The SAS No. 47 focus on business risk relates to risks associated with the issuance of financial statements. However, recent audit risk alerts have added to this concept. In addition to the risk of potential costs from an alleged audit failure, auditor's business risk includes the risk of other costs (whether an audit failure is alleged or not) such as fee realization and reputational effects from association with the client.
Fraud Task Force--Additional Insights
The SEC Practice Section Detection and Prevention of Fraud Task Force (fraud task force) recently developed a list of circumstances that may lead to a higher assessment of engagement risk and its components. The factors provide additional insights into the concept of engagement risk. These factors are sometimes called red flags or warning signs, because they signal the need for caution on the auditor's part.
Entity's Business Risk. As indicated in Exhibit 1, numerous factors may lead to a higher assessment of entity's business risk. The entity's business risk factors are organized into three categories--management, entity, and industry. Factors related to management deal primarily with integrity, attitude, experience, and actions. Entity factors relate to marketing and markets, liquidity, capitalization, and suspect business practices. Industry factors include technology, competition, entry barriers, and regulations.
Audit Risk. The fraud task force also notes numerous factors that may affect audit risk. As indicated in Exhibit 2, the list includes such items as high volume of year-end transactions, significant and unusually complex transactions, and
Auditor's Business Risk. Exhibit 3 illustrates several factors that might lead to a higher assessment of auditor's business risk. These factors include a propensity of the client toward litigation or controversies or frequent auditor changes and special financial statement reliance situations (e.g., initial public offering or pending acquisitions).
Engagement Risk and the Audit
Engagement risk should be addressed throughout the audit, from the initial decision to accept a new client or continue serving an existing client, through planning the engagement, to the ultimate issuance of the audit report. Analyzing engagement risk during the planning process is especially critical.
Before planning the audit, the auditor makes a decision to accept a client or to continue serving a client. The client acceptance/continuance decision is made according to firm policy. Procedures may include completing a questionnaire regarding client attributes and obtaining other background information. Given the significance of the decision, review and approval procedures must be documented and adhered to. In making the client acceptance/continuance decision, the auditor considers not only the client in question, but also the auditor's mix of clients.
After deciding to accept a new client or continue serving an existing client, the auditor plans the engagement by continuing to consider engagement risk and its three components. The audit is planned so that, at the conclusion of the engagement, the component risks combine to limit overall engagement risk to an acceptable level.
Besides assessing the entity's and the auditor's business risks, the auditor sets planned audit risk. Audit risk is established at a level so that the planned level of engagement risk will be achieved. The accounting firm's policies and information gleaned from the acceptance/continuance decision may impact the establishment of planned audit risk. That is, the firm may have a policy that audit risk must be planned at a specified level or below. The level is adjusted (downwards) in response to the risk factors noted during the acceptance/continuance decision process. To achieve the planned lower level of audit risk, the auditor adjusts the nature, timing, and extent of audit procedures.
At the completion of the engagement, the auditor again considers engagement risk and its component risks. The achieved levels of entity's business risk, audit risk, and auditor's business risk are combined to yield achieved engagement risk. The auditor ascertains if the achieved engagement risk is at an acceptable level.
Engagement Risk Components--
As noted above, the concept of engagement risk is applicable to all phases of the audit. However, the extent that engagement risk can be controlled varies with the characteristics of each of its components. For example, entity's business risk is not controllable by the auditor. The auditor simply considers its assessment in controlling engagement risk.
Audit risk is determined solely by the auditor and is set at an appropriately low level.
Auditor's business risk is controllable, to some degree, by the auditor. The auditor can influence auditor's business risk, and thus engagement risk, through the selection of clients. Other factors bearing on auditor's business risks, such as the client being involved in lawsuits, cannot be managed by the auditor.
Because audit risk and auditor's business risk are controllable by the auditor (at least to some extent), while entity's business risk is not, the auditor's focus on managing engagement risk centers on audit risk and auditor's business risk. Audit risk is managed by adjusting the nature, timing, and extent of audit procedures performed, while auditor's business risk is controlled through the client acceptance/continuance decision process.
The Client Acceptance/Continuance Decision
The auditor exercises professional judgment when making the decision to accept a new client or to continue serving an existing client. To aid in making the judgment, auditing firms apply prescribed procedures to the potential client. Examples of procedures that might be performed are presented in Exhibit 4.
Of the suggested procedures, perhaps the most important deals with the integrity of management. The auditor's business risk associated with a management that lacks integrity is difficult to overcome. Theoretically, despite auditor's business risk being high, an acceptable engagement risk may still be achieved. That is, audit risk can be adjusted such that the combination of entity's business risk, audit risk, and auditor's business risk yields an engagement risk that is sufficiently low. However, if management lacks integrity, adjusting the nature, timing, and extent of audit procedures performed on management assertions may not produce an acceptably low audit risk.
In making a decision to continue a client, the auditor should carefully consider previous experiences with the entity as well as changes the client has recently experienced. Changes that are particularly significant include rapid modification in the entity's operations and altered management behavior. A deteriorating financial condition and an adverse change in management integrity are also important.
Besides changes in the client, the auditor also considers the combination of findings from applying various procedures when making the client acceptance/continuance decision. The presence of an unsatisfactory result for any one, or even a few procedures, does not automatically imply the client is unacceptable. Rather, negative findings serve to heighten the auditor's skepticism and increase the assessment of auditor's business risk and thus engagement risk.
If engagement risk is assessed at an unacceptably high level, the auditor does not accept a new client or continue serving an existing client. This policy helps to maintain an appropriate mix of clients for the auditor.
If the consideration of findings noted during the client acceptance/continuance process causes auditor's business risk, and thus engagement risk, to be assessed at a marginal level, the auditor may still be able to perform the engagement. By adjusting the nature, timing, and the extent of audit procedures, the auditor reduces audit risk to a low level. In turn, engagement risk is reduced perhaps to an acceptably low level.
The preponderance of the client acceptance/continuance procedures are performed before the engagement begins, i.e., before the engagement letter is signed. However, the auditor should be alert throughout the engagement for the existence of factors that may indicate that one of the three component risks, and thus engagement risk, is at a higher level than originally believed. The auditor may be able to adjust the nature, timing, and extent of audit procedures such that audit risk is lowered and the achieved engagement risk is acceptable.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs.