“Risk comes from not knowing what you are doing” — Warren Buffet

The collateral damage for the accounting and auditing industry from Enron’s fall has led to the rewriting of auditing theory. Auditing moved away from a standard scope approach to a risk-based one.

Assessment of risk

Today, an audit includes assessing the risks of material misstatement to obtain evidence about the amounts and disclosures in financial statements. Therefore, an auditor shall design and develop responses to address the risk of material misstatement, including specific responses to issues arising from the audit.

Risks are manifold and varied, depending on the size and structure of the entity, the regulations in force, the business and related entities in a group, systems and processes followed, and so on. The auditor, therefore, should have a thorough knowledge of the business and industry. In today’s highly-automated environment, varied platforms, databases and software are used to manage information, including financial accounting, which could give rise to implementation challenges, weaknesses and lapses in process. Expert knowledge is a pre-requisite in identifying and designing appropriate responses. Evaluation of future earnings calls for a specialist to assess the carrying value of assets under consideration for the future projections used in determining impairment of assets, valuation of investments, valuation of Employees Stock Option Plan, and so on. Audit procedures should be a combination of steps to address identified risks and the basic requirements under auditing standards. Understanding technical risk requires industry expertise, business knowledge and prior experience of auditing a similar entity.

Audit of a mining entity calls for understanding the risks related to resource nationalism, infrastructure challenges, project delay, cost inflation, project execution risk and licensing challenges. Auditing a telecom business requires understanding the analytics to detect anomalies in the enormous data generated; obsolescence risk due to fast-changing technology; adequacy of the IT Risk Management Program; revenue leakages from billing system; right-of-way permissions; and so on. Real estate businesses pose challenges in land value, land exploitation, planning permits, construction and revenue risks.

Key aims of an audit

An audit should address such risks and develop adequate mitigation procedures to provide a satisfactory opinion. Audit risks could be of two types. Some are critical enough to impact the opinion rendered, and others could have a bearing on specific financial elements.

A failure to identify and respond to a significant risk could result in a failure to discharge professional duties, causing risk of exposure for the auditor; whereas those that affect financial elements post simpler challenges.

With the cost of audits on the rise, efficiency and effectiveness become a pre-requisite — expert business and IT knowledge, combined with effective procedures is the only way to address risks in the audit of financial statements. The risk in an audit is the failure to address risks and, therefore, the risk of expressing inappropriate opinion on the financial statements.

Professional misconduct due to failure to report on material misstatements could attract penal provisions under the Institute of Chartered Accountants of India’s disciplinary regulations.

The proposed Companies Bill extends the penal provision of fines, refund of remuneration, payment of damages for losses arising out of incorrect audit opinion, and class action suits against professionals and the firm. Therefore, a lapse in identifying risk could potentially be the highest risk.

The author is Partner, Deloitte Haskins & Sells

Related Topics