Relationship between engagement risk and audit risk

Course Hero uses AI to attempt to automatically extract content from documents to surface to you and others so you can study better, e.g., in search results, to enrich docs, and more. This preview shows page 1 - 2 out of 2 pages.

Auditing is a riskier profession than people realize. Every time you agree to take on an auditing engagement, it comes with potential risks: The risk you'll make a mistake, the risk the client will go out of business and the risk that someone will sue you. When considering a new engagement, or even one with an established client, you should evaluate the risks before taking the job.

Audit Risk

1. Audit risk is defined as the risk you'll make a mistake, such as failing to catch a significant error or misstatement on a balance sheet or other document. Possible signs of a high-risk engagement include a company with lots of year-end transactions; extremely complex transactions; a lack of internal controls; and executive compensation based on reported earnings. Management's reputation also plays a role: If the bosses have a history of dishonesty and shady dealing, there's a greater risk of fraud.

Client Business Risk

1. You should also assess the risk that a potential client is foundering financially, or may even go out of business. Knowing the client's situation will let you anticipate the types of fraud or misstatement you might discover if you do take the job. If the client goes out of business or files for bankruptcy after the audit, it's also possible that creditors or investors will sue you, claiming you should have foreseen the problem in your audit.

Auditor Business Risk

1. Your own business may also be at risk if you accept the wrong engagement. Even if the client's not in financial difficulty, some engagements increase the chance of a lawsuit. If you take on a client who's embroiled in litigation or who already changed his auditors multiple times, the risk goes up. You should also consider who will be using the reports the client wants you to audit: If you're going over an official financial statement rather than internal reports, you may be held to a higher professional standard.

Decisions

1. Ask some questions before you agree to a new engagement. Good information sources include the previous auditor and others at her firm; other professionals who deal with the company; and federal regulators. You can also search online for information about the company's situation. This can give you enough information that you know what to ask when you have your initial meeting with company executives. Based on what you learn, assess whether the risk is high, and whether the client is offering enough money to justify it.

During the audit process, auditors have to be increasingly wary of the inherent risks that are involved in the audit process. Risk identification tends to be an important part of the audit engagement process because of the fact that it involves potential changes to the disclosure of opinion that auditors have to put forth when it comes to the audit of these financial statements.

In this regard, it can be seen that engagement risks can be defined as one of the most important risks that need to be considered when it comes to designing audit processes and procedures for the engagement parties.

Definition

Engagement risk is defined as the overall risk that is associated with an audit engagement process. As a matter of fact, this specific risk is mainly associated with conducting the process of the audit itself, more so than anything else.

From the perspective of the auditor, it is highly important to consider this type of risk, because of the detrimental impact this kind of risk can have on the audit team, and the company, as a whole.

Engagement risks tend to increase when the client is in a relatively weaker position and is in need of obtaining funding from external sources in order to survive. Alternatively, this phenomenon can also be defined as a position where the company cannot be safely declared as a going concern.

Hence the existing risk that the company faces in this regard is quite substantial and needs to be accounted for in this regard.

The point of concern in this regard is the fact that since the company is likely to default or go bankrupt in the near future, it might also result in the auditor facing litigation because of not having declared the company as not going concerned.

Related article  How to Identifying Audit Risk? (Guidance)

Additionally, it can also be seen that these features and factors tend to exist within the audit process, because of the existing business uncertainty that is true in any case of the business itself. Hence, these engagement risks are inherent need to be identified and dealt with, before the engagement process begins.

Examples of Engagement Risks

Speaking of engagement risks, it can be seen that these are the risks that the auditor is exposed to as a result of taking on the audit process of a certain client. Some examples of engagement risks are mentioned below:

• A high-risk client: This means when the company is exposed to a certain level of risk, which highlights their going concern phenomenon, it is important for the auditor to identify that so that they are not litigated in the future when the company defaults or becomes bankrupt.
• Existing repute: The existing reputation of the company is also an important phenomenon which can be used to assess the underlying engagement risk. Mostly with companies who have been involved in unfair and unethical practices in the past, have a shaky reputation in the industry. Hence, this results in a higher degree of engagement risk for the auditor in this regard.Advertisements
• Red flags: In certain cases, there is ambiguity about the overall financial position of the company. These red flags can be identified using the Annual Reports and the Financial Statements. Before taking on a client, it is also a good idea to look at these red flags, in order to minimize these engagement risks to an acceptable level.  

Engagement Risks and Audit Process

In the cases where the auditor is deemed to be risk averse, it can be seen that they would be increasingly reluctant to work with clients that have a higher engagement risk.

On the contrary, a relatively new auditor, or an audit firm might agree to take on a client with higher engagement risk, because it would then be set off with the help of the payoffs they will get as a result of this.

However, it must be realized in this regard, that audit procedures need to be expanded in order to offset the inherent engagement risk that is involved with a particular client.

Conclusion

Therefore, it can be concluded that engagement risks tend to be one of the most important risks for any audit process. This is mainly because of the potential they have in negatively impacting and subsequently jeopardizing the name, and repute of the auditor.

Regardless of the fact that these risks are inherent in most business cases, yet it can be seen that they can be improved upon if the client is properly scrutinized before signing the audit engagement contract.

ENGAGEMENT RISK

By Janet L. Colbert, Michael S. Luehlfing, and C. Wayne Alderman

Recent AICPA audit risk alerts utilize the term "engagement risk" in describing various risks auditors consider in performing an engagement. A major portion of the introduction to the 1995 Audit Risk Alert (the alert) deals with the concept of engagement risk. Engagement risk encompasses risks borne by both the auditor and the client entity. Although use of the term engagement risk may be relatively new, the risks comprising engagement risk and factors bearing on those risks are not unfamiliar to practitioners. The concept of engagement risk serves to formalize the auditor's consideration of the factors and risks affecting an engagement.

Engagement Risk Defined

Engagement risk represents the overall risk associated with an audit engagement. Engagement risk consists of three components: client's business risk (also referred to as entity's business risk), audit risk, and auditor's business risk.

An entity's business risk is the risk associated with the entity's survival and profitability. The concept recognizes that because of factors such as rapid changes in the industry, liquidity problems, or speculative ventures, the possibility exists the client may not achieve its profit goals or even continue in existence. As yet, entity's business risk has not been formally recognized in a statement on auditing standards (SAS).

In contrast to entity's business risk, the concept of audit risk is discussed in SAS No. 47, Audit Risk and Materiality in Conducting an Audit (1983). The SAS and the alert define audit risk as the risk that the auditor may unknowingly fail to appropriately modify the opinion on financial statements that are materially misstated.

The concept of auditor's business risk was introduced in the standards in a footnote to SAS No. 47 as simply business risk. Specifically, SAS No. 47 indicates that

...in addition to audit risk, the auditor is exposed to loss or injury to his professional practice from litigation, adverse publicity, or other events arising in connection with financial statements that he has examined and reported on. This exposure is present even though the auditor has performed his examination in accordance with generally accepted auditing standards and has reported appropriately on those financial statements.

The SAS No. 47 focus on business risk relates to risks associated with the issuance of financial statements. However, recent audit risk alerts have added to this concept. In addition to the risk of potential costs from an alleged audit failure, auditor's business risk includes the risk of other costs (whether an audit failure is alleged or not) such as fee realization and reputational effects from association with the client.

Fraud Task Force--Additional Insights

The SEC Practice Section Detection and Prevention of Fraud Task Force (fraud task force) recently developed a list of circumstances that may lead to a higher assessment of engagement risk and its components. The factors provide additional insights into the concept of engagement risk. These factors are sometimes called red flags or warning signs, because they signal the need for caution on the auditor's part.

Entity's Business Risk. As indicated in Exhibit 1, numerous factors may lead to a higher assessment of entity's business risk. The entity's business risk factors are organized into three categories--management, entity, and industry. Factors related to management deal primarily with integrity, attitude, experience, and actions. Entity factors relate to marketing and markets, liquidity, capitalization, and suspect business practices. Industry factors include technology, competition, entry barriers, and regulations.

Audit Risk. The fraud task force also notes numerous factors that may affect audit risk. As indicated in Exhibit 2, the list includes such items as high volume of year-end transactions, significant and unusually complex transactions, and affiliates that are unaudited or audited

by others.

Auditor's Business Risk. Exhibit 3 illustrates several factors that might lead to a higher assessment of auditor's business risk. These factors include a propensity of the client toward litigation or controversies or frequent auditor changes and special financial statement reliance situations (e.g., initial public offering or pending acquisitions).

Engagement Risk and the Audit

Engagement risk should be addressed throughout the audit, from the initial decision to accept a new client or continue serving an existing client to planning the engagement through to the ultimate issuance of the audit report. Analyzing engagement risk during the planning process is especially critical.

Before planning the audit, the auditor makes a decision to accept a client or to continue serving a client. The client acceptance/continuance decision is made according to firm policy. Procedures may include completing a questionnaire regarding client attributes and obtaining other background information. Given the significance of the decision, review and approval procedures must be documented and adhered to. In making the client acceptance/continuance decision, the auditor considers not only the client in question, but also the auditor's mix of clients.

After deciding to accept a new client or continue serving an existing client, the auditor plans the engagement by continuing to consider engagement risk and its three components. The audit is planned so that, at the conclusion of the engagement, the component risks combine to limit overall engagement risk to an acceptable level.

Besides assessing the entity's and the auditor's business risks, the auditor sets planned audit risk. Audit risk is established at a level so that the planned level of engagement risk will be achieved. The accounting firm's policies and information gleaned from the acceptance/continuance decision may impact the establishment of planned audit risk. That is, the firm may have a policy that audit risk must be planned at a specified level or below. The level is adjusted (downwards) in response to the risk factors noted during the acceptance/continuance decision process. To achieve the planned lower level of audit risk, the auditor adjusts the nature, timing, and extent of audit procedures.

At the completion of the engagement, the auditor again considers engagement risk and its component risks. The achieved levels of entity's business risk, audit risk, and auditor's business risk are combined to yield achieved engagement risk. The auditor ascertains if the achieved engagement risk is at an acceptable level.

Engagement Risk Components--
Control Considerations

As noted above, the concept of engagement risk is applicable to all phases of the audit. However, the extent that engagement risk can be controlled varies with the characteristics of each of its components. For example, entity's business risk is not controllable by the auditor. The auditor simply considers its assessment in controlling engagement risk.

Audit risk is determined solely by the auditor and is set at an appropriately low level.

Auditor's business risk is controllable, to some degree, by the auditor. The auditor can influence auditor's business risk, and thus engagement risk, through the selection of clients. Other factors bearing on auditor's business risks, such as the client being involved in lawsuits, cannot be managed by the auditor.

Because audit risk and auditor's business risk are controllable by the auditor (at least to some extent), while entity's business risk is not, the auditor's focus on managing engagement risk centers on audit risk and auditor's business risk. While audit risk is managed by adjusting the nature, timing, and extent of audit procedures performed; auditor's business risk is controlled through the client acceptance/continuance decision process.

The Client Acceptance/Continuance Decision

The auditor exercises professional judgment when making the decision to accept a new client or to continue serving an existing client. To aid in making the judgment, auditing firms apply prescribed procedures to the potential client. Examples of procedures that might be performed are presented in Exhibit 4.

Of the suggested procedures, perhaps the most important deals with the integrity of management. The auditor's business risk associated with a management that lacks integrity is difficult to overcome. Theoretically, despite auditor's business risk being high, an acceptable engagement risk may still be achieved. That is, audit risk can be adjusted such that the combination of entity's business risk, audit risk, and auditor's business risk yields an engagement risk that is sufficiently low. However, if management lacks integrity, adjusting the nature, timing, and extent of audit procedures performed on management assertions may not produce an acceptably low audit risk.

In making a decision to continue a client, the auditor should carefully consider previous experiences with the entity as well as changes the client has recently experienced. Changes that are particularly significant include rapid modification in the entity's operations and altered management behavior. A deteriorating financial condition and an adverse change in management integrity are also important.

Besides changes in the client, the auditor also considers the combination of findings from applying various procedures when making the client acceptance/continuance decision. The presence of an unsatisfactory result for any one, or even a few procedures, does not automatically imply the client is unacceptable. Rather, negative findings serve to heighten the auditor's skepticism and increase the assessment of auditor's business risk and thus engagement risk.

If engagement risk is assessed at an unacceptably high level, the auditor does not accept a new client or continue serving an existing client. This policy helps to maintain an appropriate mix of clients for the auditor.

If the consideration of findings noted during the client acceptance/continuance process causes auditor's business risk, and thus engagement risk, to be assessed at a marginal level, the auditor may still be able to perform the engagement. By adjusting the nature, timing, and the extent of audit procedures, the auditor reduces audit risk to a low level. In turn, engagement risk is reduced perhaps to an acceptably low level.

The preponderance of the client acceptance/continuance procedures are performed before the engagement begins, i.e., before the engagement letter is signed. However, the auditor should be alert throughout the engagement for the existence of factors that may indicate that one of the three component risks, and thus engagement risk, is at a higher level than originally believed. The auditor may be able to adjust the nature, timing, and extent of audit procedures such that audit risk is lowered and the achieved engagement risk is acceptable *

Janet L. Colbert, PhD, CPA, is the Meany-Holland Professor of Accounting at Western Kentucky University. Michael S. Luehlfing, PhD, CPA, is assistant professor of accounting at Louisiana State University. C. Wayne Alderman, DBA, CPA, is professor of accounting and Dean, College of Business, Auburn
University.

Editor: Douglas R. Carmichael, PhD, CPA

Baruch College

Home | Contact | Subscribe | Advertise | Archives | NYSSCPA | About The CPA Journal

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.