Evolving Risk Landscape and its Impact on the Audit Opinion
By Alan W. Anderson, CPA, President, ACCOUNT-ability Plus
© Copyright 2011 Alan W. Anderson, used with permission.
For many of us, auditing used to mean “beating up the balance sheet” and sending a handful of confirmations to support our audit opinion. Due to some significant events of late, such as the subprime mortgage crisis, the risk profile of today’s auditing environment is significantly different from those earlier audits. More importantly, it’s rapidly changing and evolving.
Bob Dylan’s 1964 ballad, “The Times They Are A-Changin’,” was conceivably a call to action to deal with those turbulent changing times. The song’s lyrics seem as appropriate today as they were back then. The song begins with:

“Come gather ‘round people
Wherever you roam
And admit that the waters
Around you have grown
Accept it that soon
You’ll be drenched to the bone
If your time to you
Is worth savin’
Then you better start swimmin’
Or you’ll sink like a stone
For the times they are a-changin’”
So, come gather ‘round auditors, as the changing waters of the risk landscape are impacting us and our clients. None of us wants to “sink like a stone” in the riskier waters of today’s audit environment. This article focuses on recent changes in the risk environment and learning how such changes impact the audit process. We must be prepared to navigate these waters.
Our Evolving Risk Landscape
Heightened Fraud Risk
The topic of “Risk” is appearing with greater frequency on board of director agendas for companies of all sizes. The events of the past few years, coupled with a stagnant economy, have highlighted weaknesses in the corporate governance structure. These weaknesses surfaced the need for boards to place greater emphasis on enterprise risk management processes within the organization. Although certain criticisms are undoubtedly justified, many of these boards were suddenly dealing with new-found risk areas with little or no experience to draw upon when navigating these murky waters.
The financial stress on organizations in today’s economic environment cannot be underestimated. Such stress may lead some organizations to intentionally misstate their numbers or omit significant disclosures. Typically, fraudulent financial reporting starts with pressure or incentive to commit fraud and given the current landscape, the pressure is on.
For example, the global stock market meltdown in 2008 and the resulting financial crisis squeezed out the ability for many organizations to maintain or secure financing. In turn, finance and accounting departments faced unprecedented pressure to produce detailed information to justify and support any lending requests. The heightened scrutiny and rigor with which banks made their lending decisions was new to many of those in a governance capacity, since prior to the meltdown the process was nimble and financing was abundant. This credit crisis placed enormous pressure on the governance function to keep existing financing in place. As these pressures mounted, fraud risk also mounted. Organizations might purposely misstate their financial statements in an attempt to meet their lending requirements. Such organizations most likely sought to hide any misstatements from their auditors or placed undue pressure on them to “look the other way.”

Furthermore, many organizations lacked robust enterprise risk management (ERM) processes, which meant they inadvertently ignored the compounding effect of multiple risk events, as each risk was considered independently. For example, if financing was lost, then operations were forced to contract and employees were laid off. This decision likely resulted in the need to consider writing off the cost of idle plant and equipment and excess inventory, all of which was an unintended result. This article considers the compounding effect or interdependencies of risk as a key component of a robust ERM process.
The auditor should not ignore the heightened possibility of fraud on all audits. Audit standards require the auditor to assess the risk of material misstatement whether due to unintentional error or fraud. While attempts to mislead may be well-planned or difficult to detect – such as the case of collusion or falsified documentation – the auditor’s responsibility is not diminished in this area. Other attempts to mislead can be far more subtle. Organizations can manipulate earnings by adjusting bad debt reserves or by changing the useful lives of assets. They can also accelerate revenue recognition by shipping product at year-end for orders not needed until the following year. Auditors should be on alert for these sorts of subtle actions. Upon discovery, it’s critical to focus on management’s intent. Was management pressured to “make their numbers,” and did they see the “opportunity” in making these adjustments? Determining intent may be difficult, especially if the audit is a first-time audit or the team is inexperienced. Be cautious and suspicious any time you are being pressured to let management get away with it “just this once.”

It may be difficult to determine fraud, but its importance cannot be minimized. Fraud, whether blatant or subtle, should be promptly and properly dealt with upon discovery by the auditor. This will prevent an inappropriate audit opinion from being issued and – equally important – prevent compromising the auditor’s personal integrity. The core fiber of a CPA’s ethics and integrity must never be compromised because trust is a CPA’s stock in trade. Audit firm leadership needs to reinforce a firm environment which emphasizes ethics and integrity through their actions and tone. It should be clear to everyone, and never assumed, that the firm will not tolerate breaches in ethical conduct by anyone.
Enterprise Risk and ERM Process – From Top to Bottom
The risk profile of most organizations is constantly changing due to internal and external influences. The risk landscape in today’s environment has pointed to the need for organizations to adopt a robust ERM culture and process. ERM should be aligned with overall organizational objectives from top to bottom. In its Enterprise Risk Management – Integrated Framework, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) outlines the following 4 categories of high-level organizational objectives:
• Strategic – relating to high-level goals, aligned with and supporting the entity’s mission
• Operations – relating to effective and efficient use of the entity’s resources
• Reporting – relating to the reliability of the entity’s reporting
• Compliance – relating to the entity’s compliance with applicable laws and regulations
The above categories allow for better understanding the interdependencies in an organization’s identified risks and related responses. To illustrate, one area of increasing prominence is corporate social responsibility. A failure in this area can carry many risks for the organization. The following table provides an example of such interdependence across all categories:

Event: Oil Spill

Category: Strategic
Objective: Solid corporate citizen
Risk: Reputational

Category: Operations
Objective: Efficient operations that protect the environment
Risk: Loss of operational focus due to clean up activities

Category: Reporting
Objective: Follow GAAP
Risk: Adequately accrue clean up costs and environmental contingencies

Category: Compliance
Objective: Comply with environmental guidelines
Risk: Loss of license to operate and potential fines
This event could cause both reputational and financial damage to the organization. The extent of these damages hinges on the ERM process and its ability to identify the risks and associated potential responses. The event itself may not be within the control of the organization but a plan to minimize the risk from occurring, and the identification of a reasonable response should the event occur, is exactly what the ERM process is designed to address. Even with a lack of control over which risk may occur, the organization must be prepared; e.g., have individuals trained and ready, to respond in the event of a crisis. ERM is a process that cannot prevent poor judgment or bad decisions. It can, however, enhance the decision-making process to incorporate responses for events both inside and outside of the organization’s control.

Frequently, I am asked “Does the auditor have any responsibility to perform procedures on a company’s ERM process in relation to the audit of their financial statements?” The auditor’s responsibility to minimize audit risk remains the same for all organizations regardless of any ERM process. The auditor desires to issue an appropriate opinion on the organization’s financial statements. Financial reporting is a category or a subset within enterprise risk, as noted above.

COSO has developed two frameworks; namely, the ERM framework mentioned above and Internal Control – Integrated Framework. It is important to note that they were designed to be somewhat connected and use consistent terminology and categories. The auditor should look to the COSO internal control framework to carry out their responsibilities to understand the design of an organization’s internal control to prevent or detect a material misstatement from occurring. The auditor is not required to look at the COSO ERM framework to carry out an audit of the company’s financial statements. The linkage of these two frameworks is important, however, for the auditor to understand.
The absence of an ERM process in an organization could heighten audit risk for the auditor, even when the design of the organization’s system of internal control is aligned with the COSO internal control framework, as cited in the earlier examples. An organization’s financial statement is the product or end result of decisions made by management. An effective ERM process can enhance the organization’s decision making and can also help to minimize the impact of any negative risk events. Thus, ERM generally should improve the quality of the organization’s end product – its financial statements.
The ever-changing risk landscape has an impact on the auditor and the audit opinion. It is important that the auditor understand the changing risk landscape and consider any necessary changes to their audit approach. Robust enterprise risk management processes can positively impact and influence the audit process. However, the auditor should know where the responsibility starts and stops between ERM and the audit of the financial statements. The audit firm itself should also be aware of this landscape and the pressures placed upon their clients and audit teams. During times such as these, the firm must continue to lead by statement and example with a proper tone and culture of ethics and integrity. Mr. Dylan’s song from almost 40 years ago is just as relevant today … for these times – and our audit approach – will always be a-changin’.

Alan W. Anderson - Bio
Al has over 25 years of experience in the accounting profession. After working primarily as a partner and National Director of Audit in the firm of McGladrey and Pullen, LLP and with the American Institute of CPAs as Senior Vice President of Member and Public Interest, Al founded ACCOUNT-ability Plus headquartered in Minneapolis. Prior to starting his new company, Al led the firm of LarsonAllen, LLP in coordinating accounting and assurance services across industry groups as the Managing Principal of Accounting & Assurance Services. As President of ACCOUNT-ability Plus, Al is building a company to address the educational needs of auditors and to help push the vision of those he teaches to exceed client expectations by providing relevant services and meaningful information using real-time methodology. Al’s experience in the world of auditing reaches far and wide. This includes helping to standardize the global audit approach of McGladrey and Pullen, overseeing the AICPA’s technical audit and accounting standards, including self-regulation and the CPA examination and implementing paperless solutions.
Al served as Chair of the AICPA Assurance Services Executive Committee for 6 years and continues to lead task forces of the Committee.
The 8th in a Series of “ANDERSON’S AUDIT EXPRESS”
The KSCPA is excited that Al Anderson is committed to helping the Society enhance the quality of the Accounting & Auditing (A&A) professional development and, therefore, the quality of our members’ A&A services. This article is the seventh of a series of 13 articles to be published over the next year. We asked Al to create articles that will stand the test of time and at the same time create a vision for how CPAs can stay relevant by adding value to their clients and organizations they serve. You can look forward to the following topics:
• “Internal Control: so Much Time for so Little Benefit”
• “Total Client Service: Did you deliver all of Your Services, or Just the Audit?”
• “What Brings Value to the Audit? Value-Based Audits?”
• “The Characteristics of an Auditor”
• “The Goal of the Audit”
Register for “ANDERSON’S AUDIT EXPRESS” Today! Each article is supplemented with a video webcast or podcast produced and delivered by the KSCPA. Go to www.kscpa.org for the complete list of live webinars. Register on the KSCPA website, or call 785.272.4366 for more information. Webcasts that provide 2 hours of A&A CPE are $79 each. Al will also be providing A&A courses in our PD catalog, speaking at conferences, and is available for in-firm training, including a new offering “Reality Based Learning.” Contact Mary MacBain at firstname.lastname@example.org for further information.