Application of the Business Risk Audit Model: A Field Study

Article excerpt

SYNOPSIS: After confronting unprecedented challenges in the last decade, accounting firms have undertaken extensive effort to improve the basic financial statement audit and to expand external assurance beyond the traditional audit. The reexamination of audit methods has produced a new emphasis on assessing business and process risks in the conduct of an audit. This paper describes the fundamental changes in the audit process and examines their impact in an actual engagement. We first identify outcomes that we expect to observe in an audit based on the business risk model and then study an actual engagement to gather preliminary evidence about our expectations.

The engagement used in this study is the 1997 audit of the Czech bank Ceskoslovenska Obchodni Banka (CSOB). Important observations about the new audit process included changes to the audit team structure, changes in administration and timing of the engagement, changes in the risks addressed during the audit and the evidence gathered, increased assurance to the client, and increased opportunities for value-added services. Although the generalization of results from a field study is constrained, this study identifies expectations and effects that can be examined in future larger sample studies.

INTRODUCTION

Current trends in auditing are creating new challenges for the profession, leading to the development of new methods and services. Audit practice has evolved in recent years due to unprecedented market pressures including market saturation, "commodity" based pricing, pressure to reduce substantive testing, focus on value-added assurance and increasing costs from training, technology, and litigation. [1] As a consequence, many large accounting firms concluded that the audit process needed new skills, techniques, and service deliverables. [2] Initial efforts to redesign the audit process focused on: (1) reducing or shifting costs, and (2) increasing the value of the audit, leading to changes in staffing and recruiting, specialization by industry, reduced reliance on substantive testing, increased emphasis on qualitative and analytical evidence, and mounting investments in technology assets. Small changes in audit practice eventually became radical and pervasive, as can be seen in KPMG's BMP audit methodology, Arthur Andersen & Co's Business Audit and Ernst & Young's Audit Innovation efforts, among others. [3]

This paper discusses some of the fundamental changes in the audit process and examines their impact in an actual engagement. Instead of focusing on a narrow view of audit risk, auditors are now urged to consider a broad array of risks potentially affecting a client organization. [4] Audit techniques based on the analysis of business and strategic risk are relatively new to the profession and firms are still wrestling with how to implement such methods. A major challenge to auditors is linking the knowledge gained about client strategy, competitive advantage, and business risk to the fairness of the financial statements. This study examines how the business risk audit model impacted an actual audit engagement. We identified outcomes that we expect to observe in engagements using business risk audit methods and tested our expectations by gathering evidence from an actual audit.

CONTROL, ASSURANCE, AND THE FINANCIAL AUDIT

Poor decisions, information breakdowns, or fraudulent activity may result when employees, management, or other stakeholders take improper or incompetent actions that adversely affect an organization. Problems can also arise from ineffective responses to strategic risks, such as a failure to identify and properly react to changes in the business environment, or misalignments between strategic objectives and business processes. Control processes within an organization attempt to alleviate these problems.

External assurance--the "audit"--can be considered a specialized form of control, and the demand for auditing or other forms of external assurance is conditional upon the business risks facing an organization and the methods available to control them. …