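Chapter 8  The Audit Process: Risk Assessment Process

"After Equity Funding and the Cohen Commission, the profession rebuffed society's calls for heightened fraud detection responsibilities, but it's different this time. We are in a new era where auditors need to be more responsible for detecting fraud."
Paraphrased from comments by Greg Scates, Associate Chief Auditor, PCAOB Symposium, December 9, 2004.

Chapter 8 Contents
1. Overview of risk-based auditing
2. Engagement risk management
3. Audit risk management

Overview of risk-based auditing
- The significance of risk-based auditing
- Basic characteristics of business risk-based auditing
- The nature of risk
- Basic process of business risk-based auditing

Objectives and general principles of a financial statement audit
- Article 13: By performing the audit in accordance with the auditing standards, the certified public accountant can obtain reasonable assurance that the financial statements as a whole are free of material misstatement.
- Article 14: Because the inherent limitations of an audit affect the certified public accountant's ability to detect material misstatements, the certified public accountant cannot obtain absolute assurance that the financial statements as a whole are free of material misstatement.

The meaning of reasonable assurance
- Cause: limited human cognitive ability and the inherent limitations of auditing
- Implication: the level of assurance that society demands
- Equation: reasonable assurance (%) = absolute assurance (100%) - audit risk (%)

Risk-based audit approach
- The risk-based audit approach is one in which the auditor reduces audit risk to an acceptably low level, so that the "reasonable level" that provides a reasonable basis for the audit opinion stays at a high level.

Business risk-based auditing
- Basic idea: the root of material financial statement misstatements lies in the business risks of the audited entity
- Basic concept: auditing is an evidence-forming, judgment-based risk assessment process
- Ernst & Young: the "Global Audit Methodology" (GAM) audit model
- KPMG: the "Business Measurement Process" (BMP)

Basic characteristics
- A multi-faceted concept of risk
- Diversified information sources
- Top-down approach
- Emphasis on analyzing the effects of business risk

Four critical components of risk
- Enterprise risk: uncertainty that affects the entity's achievement of its strategic objectives.
- Financial reporting risk: risk directly related to recording transactions and to financial statement disclosure.
- Engagement risk: risk arising from entering into an audit engagement with a particular client.
- Audit risk: the risk that the auditor fails to detect a material misstatement in the financial statements while performing the audit and, as a result, issues an incorrect audit opinion.

Evidence framework tools
- Software tools
- Checklists
- Templates
- Large databases such as industry and economic statistics
- Other information sources

Top-down approach
- The partner or engagement manager takes part in the whole audit engagement, which is centered on the audit planning process
- Evaluation of high-level controls, for example discussing the entity's risk management directly with management

Example: the effect of real-world business risks on an entity's ability to continue operating

Figure 9-1 Basic process (flowchart; recoverable labels)
- Preliminary assessment of the risk of material misstatement: grasp the risks of material misstatement for the financial statements as a whole; identify risks requiring special treatment
- Audit planning: determine the audit focus and audit procedures according to the size of the residual risk
- Performing audit procedures: audit procedures directed at risks requiring special treatment
- Measures: adding assistants, assigning specialists, securing audit time, etc.
- Identify risks requiring special treatment
- Understand the entity and its environment: internal control, business risk
- Financial statement items; financial statements as a whole
- Revise the audit plan

Risk-based approach to auditing
- Understand the client's risk management process
- Understand the client's business and the risks it faces
- Estimate account balances and financial results based on the identified risks
- Assess the quality of internal control in risk management
- Determine residual risk and update the estimates of account balances
- Manage the risk of account balance misstatement by performing the necessary direct tests of account balances

COSO defines ERM as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, to manage risk so that it stays within the entity's risk appetite, and to provide reasonable assurance regarding the achievement of the entity's objectives.

Understanding ERM Process - 1
- Understand the client's risk assessment process
- Review the risk-based audit approach used by internal audit
- Discuss with management their approach to risk management
- Review the entity's compensation policies to see whether they are consistent with its risk policies
- Review risk management documentation, etc.

Understanding ERM Process - 2
- If the company has strong risk management processes, the auditor may focus on testing controls and developing corroborative evidence on account balances.
- If the company does not have a comprehensive risk process, the auditor will assess engagement risk as high, set audit risk at a lower level, and increase direct testing.

Key Business Processes
- The key business processes
- Industry factors that affect the key business processes
- How management manages these key business processes
- The operating and financial effects the key business processes may produce

Business Risk
- The danger posed to an entity's development, operating results and going concern by the entity's internal factors and by uncertain external factors affecting its activities.
- Macro-level risks that affect all entities more or less equally.
- Micro-level risks that affect only a particular industry or a particular entity.

Business Risk (continued)
- Examples of the former: economic recession, inflation, high interest rates, war, soaring oil prices, political instability, technological innovation, economic blockade, etc.
- Examples of the latter: rising raw material prices, shortage of working capital, strikes, changes in consumer trends, litigation, government regulation, debt guarantees, contingent losses, non-performance of contracts, deteriorating operations at subsidiaries or associates, declining earnings of investees, bankruptcy of customers or suppliers, etc.

Sources of Information
- Intelligent agents
- Knowledge management systems
- Online searches
- Electronic research: Electronic Data Gathering and Retrieval system (EDGAR)
- Economic statistics
- Professional practice bulletins
- Stock analysts' reports, etc.

Sources of Information (continued)
The auditor can also obtain information about the key business processes by communicating with management and the predecessor auditor, reading prior-period audit working papers and the client's budgets, touring production facilities and business departments, reviewing the data processing center, reading significant debt covenants and board minutes, and confirming the relevant government laws and the client's related legal responsibilities.

Developing Expectations
- The auditor should use information about the company's key processes and risks to develop expectations about its account balances and performance
- These expectations are compared to recorded book values to identify misstatements

Sources of data commonly used
- Financial information for prior periods
- Expected or planned results from budgets and forecasts
- Comparison of linked accounts (such as interest expense and debt)
- Ratios of financial information (such as common-size financial statements)
- Company and industry trends
- Relevant non-financial information

These expectations should be
- Developed independently of management
- Documented, along with a rationale for the expectations
- Communicated to all audit team members

Techniques commonly used
- Trend analysis
- Comparative financial statements (horizontal analysis)
- Common-sized financial statements (vertical analysis)
- Ratio analysis

What are the purposes of preliminary analytical procedures?
- understanding the client's industry
- assessing going concern issues
- indicating possible misstatements
- reducing detailed tests

Examples of key performance indicators
- Backlog of work in progress
- Amount of return items
- Increased disputes regarding accounts receivable or accounts payable
- Surveys of customer satisfaction
- Employee absenteeism
- Decreased productivity
- Information processing errors
- Increased delays in important processes

Residual risk
The remaining risk after management has taken action to alter the risk's likelihood or impact.

Linkage to direct tests of account balances
If the auditor concludes there is a high risk of material misstatement, the auditor must
- Set materiality at an appropriate level
- Use procedures appropriate for the level of risk to examine the account balance

Quality of accounting principles used
- The auditor is required to assess the appropriateness of the accounting methods used by management
- Guidelines to evaluate appropriateness include:
  - Representational faithfulness: does the accounting reflect the economic substance of the transactions?
  - Consistency of application of GAAP
  - Accounting estimates: based on proven models, reconciled to actual results, based on valid economic reasons?

Managing Detection & Audit Risk
- Adjusting audit staff to reflect risk associated with a client
- Developing direct tests of account balances consistent with detection risk
- Anticipating potential misstatements likely associated with account balances
- Adjusting the timing of audit tests to minimize overall audit risk

Engagement risk management
- The significance of engagement risk management
- Consideration of the client in engagement risk management
- Obtaining the information needed for engagement risk management
- Consideration of the auditor's own factors in engagement risk management

The audit engagement letter
- What is an engagement letter? An executory contract between the auditor and client.
- Why is it necessary? To document terms of the audit and minimize misunderstandings. Do you know a lawsuit case?
- The letter is written by the auditor to the client, then signed by both.
- When should the letter be signed? Before or after the predecessor/successor auditor communication? Before or after the audit procedures?
- Must an engagement letter be in a written form?

1136 Tenants Corporation vs. Rothenberg case
- Tenants are the owners
- Managed by third-party realtor
- CPAs maintained accounting books (bookkeeping)
- Sued for failure to discover defalcations of management
- Confusion between the role of CPA and auditor

Lessons
- CPAs are supposed to audit the financial statements (expectation gap)
- Engagement letter
- Alert for any sign of defalcation
- Report any sign of fraud to owners, regardless of services rendered

1136 Tenants Corporation (diagram; recoverable labels): 1136 Tenants Corporation; CPA firm; a realtor (president: Rothenberg); only bookkeeping, no audit service.
Rothenberg stole $130,000.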
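The auditor did not report Rothenberg's fraud to the management of 1136 Tenants Corporation.
Compilation fee: $600
Court's judgment: pay $230,000 to the 1136 Tenants Corp.
Diagram labels: Managed by; Hired; Oral agreement

Engagement Risk
- Engagement risk management is one of the most important audit decisions.
- Audit litigation is often triggered when the audited entity fails in business or when its financial statements contain material misstatements that the auditor could not detect.
- The purpose of engagement risk management is to exclude high-risk clients and control audit risk at the source.

Overall considerations
- No audit can provide 100% assurance;
- Auditors compete for clients in a fiercely competitive market;
- Auditors have an obligation to meet society's expectations of financial reporting and auditing;
- Auditors should develop audit methods to deal with high risk;
- Auditors can maintain a high degree of professional skepticism to detect significant misstatements.

Factors Affect
- Quality of the client's corporate governance
- Client's financial health
- Client's economic prospects

Corporate Governance
- The process by which owners, creditors and others outside the entity exercise control over the entity and require it to discharge its stewardship responsibility.
- The quality of corporate governance reflects the quality with which management discharges its stewardship responsibility and the quality of financial reporting.

The key factors an auditor will analyze
- Management integrity
- Independence and competence of the board of directors and the audit committee
- Quality of ERM and internal control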
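- Compliance with legal and reporting requirements
- Extent to which major stakeholders participate in running the entity
- Related-party transactions

Why the financial health
- A bankruptcy filing by the audited entity after the audit increases the likelihood that the auditor will be sued
- Through the assessment the auditor needs to understand:
  - Whether management has an incentive to misstate the financial statements
  - Areas where misstatements are possible
  - Unusual account balances

Economic Prospects
High-risk companies are generally characterized by
- Insufficient working capital;
- Lack of long-term strategy and operating plans;
- Low cost of market entry;
- Dependence on a limited range of products;
- Dependence on technology that is about to become obsolete;
- Unstable future cash flows;
- A history of improper accounting treatment;
- Having been investigated by external regulators.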

Engagement management information
- Communication between predecessor and successor auditors
- Inquiries of other persons

Any communications between the predecessor and management or audit committee regarding fraud, illegal acts or internal control matters.

Why?
1. To identify client's reasons for an audit
   - Competency of the prior auditor
   - Hunting for opinion
   - Prior CPA left the client because of illegal acts.
2. Support beginning balances
   - What if not sure about the beginning balance?

Communicate with Predecessor Auditors
Procedures of predecessor and successor auditor communication
- The successor is required to initiate the communication
- The client must give permission for the communication
  - What if a client does not give permission?
- Is the predecessor required to respond?
  - What if a predecessor auditor does not respond?

Audit Committee
- Audit committee is responsible for appointment, compensation and oversight of auditors
- Arrangements for the audit should be made through contact with the company's audit committee
- Required by NYSE and NASDAQ
- Consists of at least 3 independent (outside) directors
- Audit committee members should not receive any consulting, advisory or other compensatory fees from the company
- Audit committee members should be financially literate

What would be the major question in client acceptance?
- Are we independent?
- Are we technically competent?
- Is client reputable?
- Why do they want us?

What potential client might the auditor turn down?
- client lacking integrity
- financially unstable client
- client unable to pay audit fees

Are we technically competent?
- training and overall experience
- industry and client experience
- supervision
- need for specialists

Components of Engagement Letter
- Name of the client
- Statements to be audited
- Scope of the services including any limitations
- The auditor's responsibility for detecting fraud
- Obligation of the client's staff in preparing schedules and statements
- Fees or method of determining fee
- Provisions for client's acceptance signature and date
- The more specific, the better

Audit risk management
- Overview of audit risk
- Audit materiality
- Audit risk assessment and control

Overview of audit risk
- The concept of audit risk
- The components of audit risk
- The theoretical model of audit risk
- The limits of the audit risk model

What is audit risk?
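Audit risk is the risk that an auditor may issue an unqualified opinion on materially misstated financial statements.

Components of audit risk
- Inherent risk
- Control risk
  (inherent risk and control risk together: environmental risk)
- Detection risk

Inherent Risk
- The likelihood that a financial statement item is affected by accounting bias such as error or fraud; that is, the likelihood that an account or class of transactions is materially misstated, assuming the audited entity has no related internal control policies or procedures.
- Some accounts, components, cycles are inherently riskier than others

Control Risk
- The risk that material misstatements will not be prevented or detected by internal controls

Characteristics of control risk
- The level of control risk is related to the level of the audited entity's internal control.
- Control risk can never be zero.
- The degree of control risk may differ between transaction cycles.

Detection Risk
A risk that material misstatements will not be detected by the audit procedures
- Sampling risk: auditor samples
- Non-sampling risk:
  - auditors may select ineffective audit procedures
  - auditors may apply procedures ineffectively
  - auditors may incorrectly evaluate the results of procedures

Sampling risk
- Sampling risk is the possibility that the conclusion the auditor draws from the sample results does not match the characteristics of the audited population. It arises from the uncertainty of sampling and relates to the sample not being representative of the population.

Non-sampling risk
- Non-sampling risk is the possibility that the auditor fails to detect a material error because of inappropriate audit procedures or methods, or because of misinterpreting audit evidence. It arises from problems of observation such as errors in evaluating evidence.

Non-Sampling Risk is the Primary Culprit
The SOX Section 704 report published by the SEC in 2003 analyzed the causes of audit failures and pointed out that
- failing to maintain due professional skepticism toward non-recurring items, period-end transactions or related-party transactions, and
- failing to obtain sufficient appropriate evidence to support their opinion on the financial statements
are the most common reasons auditors are charged.

Figure 8-2 SEC analysis of the causes of audit failure
- Failure to obtain sufficient, competent evidential matter to support audit opinion (37)
- Failure to exercise professional skepticism on unusual, last minute, or related party transactions (30)
- Failure to maintain independence (19)
- Failure to respond adequately to red flags (16)
- Failure to communicate adequately with predecessor auditor (6)
- Failure to supervise assistants (4)
- Failure to respond adequately to internal controls deficiencies (3)
- Failure to perform appropriate inventory observations (2)
- Failure to confirm accounts receivable sufficiently (2)

Diagram: the greater the certainty the auditor wants to achieve (98%), the greater the amount of audit evidence and costs, and the lower the audit risk (2%).

Audit Risk vs. Engagement Risk
Audit risk and engagement risk are inversely related.
- If the auditor accepts an audit engagement with higher engagement risk, the auditor needs to perform a correspondingly rigorous audit, and therefore needs to set audit risk at a lower level.
- Conversely, if engagement risk is lower, the auditor can set audit risk at a higher level.

Audit risk model
audit risk = inherent risk x control risk x detection risk
- Inherent risk x control risk: risk that material misstatement has occurred
- Detection risk: risk that auditors do not detect the misstatement

Characteristics of detection risk
DR = AR / (IR x CR)
- Detection risk is inversely related to environmental risk. Therefore, although the auditor cannot control environmental risk, the auditor can use the necessary audit procedures to analyze and judge the level of inherent risk, estimate the level of control risk from the soundness and effectiveness of the audited entity's internal control, and plan an acceptable level of detection risk so that audit risk is reduced to an acceptable level.
- The level of detection risk directly determines how rigorous the substantive audit work must be. The lower the level of detection risk, the more rigorous the substantive tests.

Example
The auditor's acceptable level of audit risk for a particular financial statement item is 3%, and the inherent risk of that item is estimated at 90%. When control risk is 80% and 20% respectively:

        Case 1    Case 2
AR:     3%        3%
IR:     90%       90%
CR:     80%       20%
DR:     4.17%     16.70%

Explanation
- Case 1 shows that, to keep audit risk within 3%, detection risk must be held within 4.17%; in other words, the planned scope of testing must be large enough to ensure that the effectiveness of the audit reaches at least 96%.
- In case 2, the audit procedures needed for the same level of audit risk only have to reach 84% effectiveness, so the scope of testing can be reduced substantially compared with case 1.

Audit Risk Model: Limitations
- Inherent risk is difficult to formally assess
- Audit risk is subjectively determined
- The model treats each risk component as separate and independent when clearly, this is not the case
- Audit technology is not so precise that each component can be accurately assessed

Materiality
- The significance of materiality
- The concept of materiality
- Materiality and its application

What is materiality?
Materiality is the magnitude of omitted or misstated information that probably would have made a difference in the judgment of someone relying on that information (FASB 2).

Three significant dimensions
- Amount of the misstatement: the degree of materiality is related to the size of the amount;
- Context: the degree of materiality depends on the audited entity's scale of operations and the nature of its business.
- Effect on users of the information: impact on potential users and the type of judgments made
Illustration: "$1000 - WOW!" versus "$1000... peanuts"

Factors affecting the preliminary judgment about materiality - Circumstances and user impact
- A misstatement caused by fraud or illegal acts is more material than a misstatement of the same amount caused by error;
- Small differences related to contract terms (for example, ratios in debt agreements) may also be material;
- Immaterial misstatements in individual accounts may accumulate into a material financial statement misstatement.

Factors affecting the preliminary judgment about materiality - SEC Staff Accounting Bulletin #99
- Misstatements arising from intentional mismeasurement;
- Misstatements that change earnings trends;
- Misstatements that turn a loss into a profit or the reverse;
- Misstatements in a significant segment or line of business;
- Misstatements that violate laws and regulations;
- Misstatements used to satisfy debt covenants;
- Misstatements that bear on management compensation;
- Misstatements that conceal unlawful transactions.

Materiality and its application
- Determine materiality at the financial statement level
- Determine the materiality level at the account and transaction level

Set Planning Materiality for the Statements as a Whole
- Not required to quantify
- Judgmental
- Rules of thumb
  - 5% to 10% of net income before tax
  - % to 1% of total assets
  - % to 1% of total revenue
  - 1% of total equity
- Multiple bases of materiality
  - E.g., net income is not misstated by $100,000, and total assets is not misstated by $300,000.

Materiality vs. volume of audit evidence (audit cost)?
- "Investigate misstatements over $1." A small materiality estimate will result in more/less evidence.
- "Investigate misstatements over $1,000,000." A large materiality estimate will result in more/less evidence.

Allocate Planning Materiality
Auditors initially set planning materiality for the statements as a whole, and then allocate this to individual accounts based on their susceptibility to misstatement.

Matters generally considered when judging materiality by nature include:
- The likelihood of fraud or loss
- How easily the item is subject to subjective judgment or manipulation
- The nature of the account itself, such as a construction-in-progress account
- The complexity of data calculation and bookkeeping
- The nature of the transaction itself, such as related-party transactions

Figure 8-3 Materiality judgments at the financial statement level and at the account and transaction level
Column headings: F/S item; amount; material by amount; general ledger account; subsidiary ledger account; material by nature; overall materiality
B/S
- Cash and cash equivalents, 10,000: Cash (the company; Subsidiary A); Bank deposits (-); Other monetary funds (-)
- Short-term investments, 1,000: Short-term investments (-); Provision for decline in value (-)
- Notes receivable, 10,000: Notes receivable (-)
- Accounts receivable, 35,000: Accounts receivable (domestic accounts receivable; foreign accounts receivable); Allowance for bad debts
- Prepayments, 400: Prepayments (-)
- Inventory, 8,000: Finished goods (-); Provision for decline in value of inventory (-)
- Other current assets, 1,500: Intercompany accounts (-)

Steps in Risk Assessments
- Understand the audited entity's business and industry
- Assess the risks the audited entity faces and their effect on the financial statements
- Make a preliminary assessment of the audited entity's internal control over financial reporting
1. to identi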