The Audit Risk Model (ARM) is defined as:
Inherent Risk is the auditor’s measure of assessing whether material misstatements exist in the financial statement before considering of internal controls. Ignoring internal controls, if the auditor assesses that the likelihood of material errors is high, the auditor will assume that the Inherent Risk is high. As the Control Risk constitutes a separate component of the Audit Risk Model, it is ignored here.
Control Risk is the auditor’s measure of assessing the likelihood that the client’s internal control system is unable to prevent or detect material misstatements exceeding a tolerable level. In assessing the level of the Control Risk, the auditor will assess the effectiveness of the firm’s internal control system during his audit, e.g. through questionnaires. The lower the effectiveness of internal controls the greater the frequency of error.
Detection Risk is the auditor’s measure of assessing the likelihood that the auditor won’t detect material misstatements. Auditors will carry out more audit work to increase the detection rate if Internal Risk and Control Risk are too high in order to meet the Audit Risk target.
When applying the Audit Risk Model, the auditor has to determine a target level of Audit Risk that is in accordance with providing reasonable assurance. The Internal Risk and Control Risk can be pooled together as Occurrence Risk (OR), i.e. the risk of the existence of misstatements before the actual audit. The Detection Risk on the other hand is the risk of the existence of misstatements during the actual audit. The first step in applying the Audit Risk Model is to determine a tolerable level of Audit Risk. In the next step the Audit Risk is decomposed into its three components. The auditor has no control over the Internal Risk and Control Risk but must assess their levels in order to determine the level of Detection Risk that is sufficient to achieve the target Audit Risk. The Detection Risk can be influenced by the extent of testing.
Applying the formula of the Audit Risk Model, the auditor will need to perform more testing, that is collect more evidence, and thus reduce the Detection Risk, in case the level of Internal Risk and/or Control Risk is high in order to achieve (maintain) the target. The Detection Risk can be influenced by the nature, timing, and extent of the audit procedures.
2. One of the components of the audit risk model is inherent risk. Describe typical factors that auditors evaluate assessing inherent risk. With the benefit of hindsight, what inherent risk factors were present during the audits of the 1989 through 1992 Comptronix financial statements?
Internal Risk is the auditor’s measure of assessing whether material misstatements exist in the financial statement before considering the effectiveness of internal controls. Besides factors related to the peculiar assertion, the auditor needs to take external circumstances into account that might influence the Internal Risk. Those can comprise the nature of business and industry, the integrity of management, the size of account balances, the existence of related parties, the lack of sufficient working capital to continue operations, etc. Taking into account those numerous factors, professional judgment has to be applied by the auditor.
Examples of accounts that pose low Internal Risk comprise traded securities or fixed assets in contrast to accounts with high Internal Risk such as those for which estimates have to be used or complex calculation have to be conducted.
With hindsight the following inherent risk factors were present:
Fictitious purchases of equipment – An audit that would have included a physical inspection of Comptronix’s equipment might have revealed that certain recognized assets do not exist or that considering the age of and thus the depreciation for the equipment that certain pieces of equipment are not worth their book values.
Fictitious accounts payments for the equipment – Besides auditing in a manner that would have revealed the nonexistence of certain purchases of equipment the auditors could have also audited check records and bank statements to see where and by whom the checks were cashed in. This would have revealed that the checks were never cashed in by a third, outside party, but were cashed internally.
Fictitious sales and accounts receivables – In the same manner as with the fictitious accounts for equipment, the auditor could have checked the inventory to verify the decrease in inventory of goods for sale as well as the payments by the customers. The former would have revealed the lack of sales while the latter would have revealed the lack of external customers for no outside party deposited money in Comptronix’s account. Another approach would have comprised matching the sales with the order papers and invoices. Here the auditor would have realized that there are no records for the bogus sales and hence no sales were realized.
3. Another component of the audit risk model is control risk. Describe the five components of internal control. What characteristics of Comptronix’s internal control increased control risk for the audits of the1989 – 1992 year-end financial statements?
Control risk is an auditors¶ assessment of the internal control systems of a company. This also includes the attitude and expertise directors and management have towards internal controls.
If control risk is high then the amount of substantive procedures that have to be conducted increases accordingly.
The internal control: Integrated Framework published 1994 by COSO breaks effective internal control into five interrelated components:
information and communication
The control environment encompasses the internal control framework and is considered a foundation for all other elements. Included factors are integrity, ethical values, competence, management’s philosophy, operating cycles, assignment of authority and the attention and direction provided by the board. Generally the control environment materializes in a written statement being the code of conduct.
The risk assessment is best described as the means of identifying and analyzing internal and external risks to the achievement of financial reporting control objectives. Control activities are developed to address each control objective and to minimize risks identified.
Information and communication from management to personnel must be clearly stated and should stress that control responsibilities must be taken seriously. The personnel must understand its role in the internal control system. Thus the company identifies methods and procedures by which right information is provided to the right people.
Finally, monitoring is the process (internal or external) to evaluate the performance of the internal control system over time.
At Comptronix various factors increased the control risk for the company. First, the loss of one of the major customers is a circumstance that increases control risk as management has an incentive to misstate earnings and other accounts to stay profitable. Second, the accounting system could be bypassed by management with factious manual entries. This increases control risk as it grants unlimited authority to top management for changing and manipulating accounts.
Also cash disbursements could be approved by management based solely on an invoice. Finally the computerized accounting system in the shipping department, which constitutes a good internal control device, could be accessed and manipulated by the controller. In summary management had too much authority to enter and change the electronic accounting systems of the company, while there were no double checks in place to verify and control manual changes in the system.
4. The board of directors, and its audit committee, can be an effective corporate governance mechanism
.a) Discuss the pros and cons of allowing inside directors to serve on the board. Describe typical responsibilities of audit committees.
Inside directors on the board can facilitate its effectiveness by establishing strong connections between the board and day to day business. However, inside directors can also comprise the independence of the board when it comes to personal interests. For example, the ability of the board to set bonuses that are tied to performance and salaries of management is an important argument against inside directors. Another common topic in research is that adding insiders to the board of directors reduces board monitoring. On the other hand, a study by George Drymiotes shows that a less independent board, one that also looks after the agent’s interests to some degree, can sometimes fulfill its monitoring role more effectively than a board that is completely independent. A fully independent board’s inability to commit to a specific level of monitoring effort makes monitoring ineffective. Having insiders as part of the board, however, shifts the board’s interests closer to those of the agent and mitigates the board’s incentives to short-change the agent (Drymiotes, 2007). The paper also suggests that any other mechanisms that align the board’s interests, to some extent, with those of the manager may be beneficial to organizations. For instance, board and management interests can become more aligned when management owns a portion of the firm. Giving management a share of the firm means that a group of shareholders is managing the firm. Importantly, this particular group of shareholders finds ex post monitoring desirable, the same way inside directors do. Thus, a board representing shareholder interests may have stronger incentives to monitor the agent ex post.
The audit committees’ responsibilities can be summarized as assisting the board of directors in verifying:
the integrity of the company’s financial statements
the independence, integrity, qualification and performance of the external auditors
the performance of the company’s internal audit functions
the appropriateness of the internal control systems
the monitoring of compliance with laws and regulatory requirements and the code of conduct
b) What strengths or weaknesses were present related to Comptronix’s board of directors and audit committee?
First of all the CEO and COO of Comptronix represented management of the board which constitutes already for 28.6% of the board of directors. Despite the evidence above and considering that the managers engaged in fraud, the high percentage of inside directors on the board is a considerable weakness. Moreover, the remaining five outside board directors, rather undermined than strengthened the board’s independence: Two of them had close affiliations with management, the other maintained relations that were not that apparent at first glance, but nevertheless substantial. One, for example, was the partner in the venture capital firm that owned over 5% of Comptronix.
Finally four annual board meetings seem to not have been sufficient to exert control over management. Concerning the audit committee it can be maintained that it was neither independent nor qualified. The committee members, two outside and one gray director, were drawn from the board of directors which was already evaluated as not being independent. Furthermore, not any of the members had accounting or financial reporting backgrounds, therefore lacking crucial expertise and experience in their function as an audit committee.
5. Public Companies must file quarterly financial statements in Form 10-Qs, that have been reviewed by the company’s external auditor. Briefly describe the key requirements of Auditing Standards (AU) Section 722, Interim Financial Information. Why wouldn’t all companies (public and private) engage their auditors to perform timely reviews of interim financial statements?
The SEC requires all public companies to have quarterly financial statements reviewed by the external auditor on a timely basis. SAS No. 71 provides guidance on the nature, timing, and extent of procedures to be applied by the independent accountant in conducting a review of interim financial information. The objective of a review of interim financial information is to determine whether material modifications should be made for such information to conform to GAAP. A review of interim financial information consists principally of inquiries and analytical procedures. It does not include (1) tests of accounting records, (2) the evaluation of corroborating evidential matter in response to inquiries, or (3) other normal procedures ordinarily performed during an audit. Thus, the accountant does not obtain reasonable assurance that would serve as the basis for an opinion on that financial information.
In performing a review of interim financial information, the accountant needs to have sufficient knowledge of a client’s internal control as it relates to the preparation of both interim and annual financial statements. That knowledge assists the accountant in identifying the likelihood of potential material misstatements in interim financial information and in selecting the inquiries and analytical procedures that will provide the accountant a basis for reporting whether material modifications should be made to the interim financial information in order for it to conform to GAAP.
Non-public companies are not required to engage independent accountants to perform a review of interim financial statements. Thus, a private company’s decision to engage an independent accountant to conduct a review of interim financial information is a cost-benefit decision. The services associated with obtaining such a review require time and money. If top executives and the board of directors do not believe the related benefits exceed the costs, then they are not likely to engage independent accountants. The guidance in SAS No. 71 applies to interim financial information that is included in a note to the audited financial statements of a non-public company. If the interim financial Information for the non-public company is presented in a separate complete set of interim financial statements, the accountant should comply with the AICPA’s
Statements on Standards for Accounting and Review Services.
Recently, there has been increased attention on interim reviews because of alleged financial reporting fraud involving interim financial statements. The SEC requirement for timely interim reviews for public companies was sparked by the February 1999 Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees
(The Blue Ribbon Report). That report included a recommendation that the SEC require a reporting company’s outside auditor to conduct a SAS No. 71 interim review prior to the company’s filing of its Form 10-Q with the SEC. According to the Blue Ribbon Panel’s report, the ³increased involvement by the outside auditors and the audit committee in the interim financial reporting process should result in more accurate interim reporting.
7. Provide a brief summary of each of the three fraud conditions. Additionally, provide anexample from the Comptronix fraud of each of the three fraud conditions.
ncentive or pressure to perpetrate fraud ± Bonus for superb performance. Company awardstock incentive to key employees2) An opportunity to carry out the fraud ± Executive positions that may bypass existing accountsystem.
nternal controls are insufficient. Board of directors composes of mostly internaldirectors and acquaintances.3) Attitude or rationalization to justify the fraudulent action. ± helped company avoidingreporting net losses.
8. Auditing Standards (AU) Section
16, Consideration of Fraud in a Financial StatementAudit, notes that there is a possibility that management override of controls could occur inevery audit and accordingly, the auditor should include audit procedures in every audit toaddress that risk.a) What do you think is meant by the term ³management override´?
Management override can be defined as the possibility for management to circumvent internalcontrols that appear to work efficiently, in order to manipulate accounting records and preparing
fraudulent financial statements directly or indirectly. As the internal control system is expectedto function properly, the ways in which management can override controls are unpredictable.
b) Provide two examples of where management override of controls occurred in theComptronix fraud
The executives were able to bypass the existing accounting system. They could record fictitious journal entries of sales and purchases manually inventing some customer order numbers andquantities that did not exist and obviously were not cross-checked with other internal systems,like the customer order- or inventory system. Next to that it was possible to record fictitious purchases of equipment without creating thenecessary documents accompanying such purchases. The internal control failed to detect thisirregularity.Another example is the possibility of overriding control systems over cash disbursements. With afictitious vendor invoice it was possible to make an accountant payable clerk prepare a check without the necessity to crosscheck whether the delivery of the goods actually took place or anorder number generated by the vendor existed that should have been found on the invoice later on.
c) Research AU Section
16 to identify the three required auditor responses to furtheraddress the risk of management override of internal controls
Paragraphs 58 ± 67 in Section 316 of the Auditing Standards by the PCAOB describe proceduresthat should be performed to further address the risk of management override of controls. Thethree main responses that should be undertaken by the auditor are as follows:1. Examining journal entries and other adjustments for evidence of possible materialmisstatement due to fraud.Material misstatements due to fraud mostly occur by:a. recording inappropriate or unauthorized journal entries throughout the year or at periodend or b. making adjustments to amounts reported in the financial statements that are not reflectedin formal journal entries due to consolidating adjustments, report combinations andreclassifications.Therefore, the auditor should test the appropriateness of journal entries recorded in the generalledger and other adjustments.
n particular, the auditor should:î€€ Obtain an understanding of the entity’s financial reporting process and the controls over journal entries and other adjustments
dentify and select journal entries and other adjustments for testingî€€ Determine the timing of the testingî€€
nquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments2. Reviewing accounting estimates for biases that could result in material misstatement due tofraud.The assumptions and resulting accounting estimates that management has to make to prepare thefinancial statements affect the underlying accounting techniques and figures. Therefore, a lot of fraudulent financial reporting is done by intentional false estimations of management. Theauditor¶s task is to consider retrospectively whether single estimates are supported by auditevidence and whether the ones that underlie the reported financial figures widely diverge and, if so, investigate whether the assumptions and accounting estimates were intentionally biased in part of management. Thereby, the auditor should test those accounting estimates that are basedon highly sensitive assumptions or are otherwise significantly affected by management judgements.
f single management estimates were biased, affecting the financial figuresmaterially, the auditor should investigate whether there have been circumstances that led to this bias and if these circumstances can constitute a risk for financial statement fraud. Also theestimates taken as a whole should then be re-considered by the auditor.3. Evaluating the business rationale for significant unusual transactions.Transactions that are outside the normal course of business for the company or entityinvestigated or that appear to be unusual should be investigated by the auditor .
t should also beevaluated whether there is an underlying rationale behind those transactions or whether they are possibly an indication of fraudulent financial reportingTo understand the underlying rationale for the transactions in question, the auditor shouldinvestigate:î€€ Whether the form of such transactions is overly complex (e.g. whether it involves multipleentities within a consolidated group or unrelated third parties)î€€ Whether management has discussed the nature of and accounting for such transactions withthe audit committee or board of directorsî€€ Whether management is placing more emphasis on the need for a particular accountingtreatment than on the underlying economics of the transactionî€€ Whether transactions that involve unconsolidated related parties, including special purposeentities, have been properly reviewed and approved by the audit committee or board of directors
î€€ Whether the transactions involve previously unidentified related parties or parties that do nothave the substance or the financial strength to support the transaction without assistance from theentity under audit