The International Federation of Accountants (IFAC) had issued 32 International Standards of Auditing (ISAs) in 2003 and then launched clarity project, that marked the risk-oriented audit approach had established and promoted to the world. The change of the audit risk model is the biggest change between the risk-oriented audit approach and old auditing standards. Under old auditing standards, Audit Risk is defined as: Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR). It was formalized in the AICPA’s Statement of auditing standards, SAS No. 47, issued in 1983. Auditors use the auditing risk model to estimate the amount of assurance needed from the substantive procedures. Theoretically, the auditor shall assess the amount of assurance of the IR and CR through the control testing, then determine the DR with the audit model according to the acceptable audit risk and guide further audit work, the substantive testing. But in practice, most firms simply treat the IR and CR, which are controlled by clients, as high or at maximum even 100%, then skip the control testing and directly implement substantive testing. Obviously, this measure can possibly meet the requirement of auditing standards more efficiently than assessing the IR and CR before substantive testing because of reduction in procedures of assessing the IR and CR. At the same time, more time and energy are devoted into the substantive testing to ensure the lower detection risk, which represents acceptable audit risk. It seems to have met requirements of the format, but it does not in terms of its content.
The failures of the U.S. corporate like Enron corporation in 2002 highlighted some shortcomings of the old auditing standards. Driven by the request of improving to the audit risk model, IFAC’s International Auditing and Assurance Standards Board (IAASB) approved the international versions of the amended standards in October 2003. To meet the purpose of this revision, Audit Risk is redefined as: Risks of material misstatement (RMM) × Detection Risk (DR). In assessing the RMM, the CPA should have an appropriate, documented basis for their assessment of audit risk. Therefore, the CPA must consider audit risk and cannot default control risk to maximum now and avoid assessing and documenting what the risks are for the entity. After obtaining the required understanding of the entity and its environment, including its internal control, the CPA should emphasize the use of analysis and analytical procedures as risk assessment procedures and decide the time and extent of substantive testing needed. Therefore, analysis and the analytical procedures have come to be the key process in switching to the new audit approach. At the same time, management evaluation methods are widely used in audit after the audit scope has expanded.
There are some empirical studies held by some researchers to verify the impact of audit procedure and concluded that more time and energy should be spent in these audit procedures of plan and risk assessment. Hans Blokdijk, Fred Drieenhuizen, Dan A. Simunic, and Michael T. Stein have selected the audits of 113 clients by 14 public accounting firms in The Netherlands during the late 1990s to conduct an analysis of cross-sectional differences in Big and Non-Big public accounting firms’ audit programs, “We conclude that the difference in audit quality, across auditor types, is not a function of the quantity of audit effort (audit intensity), but rather how that effort is applied (audit technology). In particular, our evidence suggests that higher audit quality is associated with a less procedural and more contextual approach to the audit. The Big 5 auditors in our sample consistently spend relatively more hours in the planning and risk-assessment (the thinking) phases of audits, while non-Big 5 audit firms spend relatively more time in the substantive audit testing (the doing) phase. Big 5 audit firms respond to high-quality client internal controls in a reasonable way—they spend more time assessing and evaluating the controls, and then less time in substantive testing. In contrast, non-Big 5 audit firms increase total audit time when relying on clients’ strong internal controls.” (Blokdijk, Drieenhuizen, Simunic, & Stein, 2006: p. 48)
On February 15, 2006, the Chinese Institute of Certified Public Accountants (CICPA) issued Chinese Certified Public Accountants Auditing Standards and applied the risk-oriented audit approach in China. It drew on international advanced audit concept and put forward higher requirements to the auditors and audit practice circle.
To respond to regulatory requirements, small-and medium-sized CPA firms should design proper audit programmers to apply new auditing standards and pay special attention to analysis and the analytical procedures. Wang and Yao (2007) had studied the international Big Four’s Business Risk-Oriented Auditing which had used audit software and non-financial analytical means. Unlike those big international CPA firms, small-and medium-sized CPA firms could not afford the construction and maintenance costs of the databases of economic situation and industry, large-scale audit software to apply analysis and the analytical procedures. Xiaoping Mei (2008) had described the current status and problems of small-and medium-sized CPA firms when facing the new audit approach. Jing Zhu (2019) revealed that most small-and medium-sized CPA firms didn’t really apply the Risk-Oriented Auditing after 10 years, in fact, the Risk-Oriented Auditing is used in only 14.46% of CPA firms (Jiang, 2017) and small CPA firms did not apply the Risk-Oriented Auditing (Wang & Sun, 2018).
Under new pressure with changed auditing standards, for small-and medium-sized CPA firms, how to apply the risk-oriented audit approach economically and efficiently, especially analysis and the analytical procedure, is the top priority.
1.2. Purpose and Significance of This Research
In China, the risk-oriented audit approach is recently introduced from abroad and there are few studies in applying analysis and the analytical procedures in the risk-oriented audit approach. Miao Miao (2008) made a research with fuzzy evaluation method to evaluate the level of risk of material misstatement; Wenkun He (2008) made a similar research with comprehensive fuzzy evaluation method to appraise the business risk on strategy level; Yupin Yin (2008) suggested to uses the balanced scorecard to apply the risk-oriented audit approach; Songsheng Chen (2009) posed how to construct the audit indicators of the balanced scorecard. But the findings of these studies need external experts’ assistant and complex computer procedures, so they are difficult to promote in practice.
How to perform analysis and the analytical procedures to assess the audit risk is a real problem for small-and medium-sized CPA firms in China. It is the worth notices that small-and medium-sized entities are those CPA firms’ main clients. To provide a solution of applying analysis and the analytical procedures economically and efficiently for small-and medium-sized CPA firms, this thesis suggests an analytical framework: firstly, obtain the understanding of the entities and its environment, including its internal control; secondly, establish an analytical construction which borrows from the DuPont analysis structure; thirdly, use financial analysis methods and non-financial analysis means (management evaluation methods) like Porter Five Forces Model, SWOT, PEST to evaluate the rationality of Return on Equity (ROE) and its decomposition indicators with professional skepticism, with required understanding in the first step; finally, find out where the high audit risk are and guide further audit work.
This analytical framework is easy to understand and accomplish by the auditor, for the main analytical construction which borrows from the DuPont analysis structure has adapted into China for more than twenty years and nearly every auditor is familiar with this analysis. On the other hand, the understanding of the entities and its environment, including its internal control, wherever learnt with different means by different auditors, can be unified under this analytical framework, that means, the auditor can assess where the high audit risk are with the understanding of the entities and its environment, including its internal control, through the proposed analytical framework.
This thesis hopes to promote the research in practical approach for small-and medium-sized CPA firms to apply the proposed analytical framework through this case study, and provide method for effective implementation of analytical procedures for similar small-and medium-sized CPA firms.
1.3. Organization of This Research
The structure of this thesis falls into five chapters. Chapter 1, the present chapter, introduces the background and the purpose and significance of this study, and the research method and analysis procedure are reviewed; Chapter 2 describes the essential background to this thesis, including DuPont analysis model, ISAs, and management evaluation methods, some relevant scholarly literature in China is then reviewed. The researches in China are mentioned in Chapter 3. Chapter 4 focuses to the proposed analytical framework to assess the audit risks. In chapter 5, the final chapter, concludes the research. Findings from the study are summarized and further research is recommended.
2. Literature Review
This chapter is concerned with relevant theories and existing research on application of analysis and analytical procedures. Firstly, the DuPont model is focused on. Then the ISAs and professional skepticism are reviewed. Thirdly, some management evaluation methods are discussed. Finally, some related researches in China with the usefulness in practice and the significance of this paper are mentioned.
2.1. DuPont Model
The DuPont model of financial analysis is a method of performance measurement that was started by the DuPont Corporation in the 1920s. With this method, assets are measured at their gross book value rather than at net book value in order to produce a higher return on equity (ROE).
The DuPont model of financial analysis was made by F. Donaldson Brown, an electrical engineer who joined the giant chemical company’s treasury department in 1914. A few years later, DuPont bought 23 percent of the stock of General Motors Corp. and gave Brown the task of cleaning up the car maker’s tangled finances. This was perhaps the first large-scale reengineering effort in the USA. Much of the credit for GM’s ascension afterward belongs to the planning and control systems of Brown, according to Alfred Sloan, GM’s former chairman. It remained the dominant form of financial analysis until the 1970s. The structure, see Figure 1 below.
Following is the formula of the DuPont model of financial analysis:
The three components of the DuPont ratio, as represented in equation above, cover the areas of profitability, operating efficiency and leverage (liquidity analysis needs to be conducted separately).
Figure 1. DuPont model structure. Resource: https://nickols.us/dupont.gif.
Profitability ratios measure the rate at which either sales or capital is converted into profits at different levels of the operation. The most common are gross, operating and net profitability, which describe performance at different activity levels. A proper analysis of this ratio would include at least three to five years of trend and cross-sectional comparison data.
Operating efficiency is important because they indicate how well the assets of a firm are used to generate sales and/or cash. While profitability is important, it doesn’t always provide the complete picture of how well a company provides a product or service. A company can be very profitable, but not too efficient.
Leverage ratios, also called Equity Multiplier, measure the extent to which a company relies on debt financing in its capital structure. If debt proceeds are invested in projects which return more than the cost of debt, owners keep the residual, and therefore, the return on equity is “leveraged up.” The debt sword, however, cuts both ways. Adding debt creates a fixed payment required of the firm whether or not it is earning an operating profit, and therefore, payments may cut into the equity base. Further, the risk of the equity position is increased by the presence of debt holders having a superior claim to the assets of the firm.
The limitation of the DuPont model of financial analysis is that this model does not take the time value of money, fair value of assets and liability into account because of the reasons of time. As a tool of financial analysis in the industrial age, it is widely used for those small-and medium –sized entities, which run single business forms.
2.2. Audit Risk Assessment Procedures
Risk assessment procedures―The audit procedures designed and performed to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels (IAASB, 2019, ISA 315 (Revised 2019)). The purpose of audit risk assessment procedures is to identify and assess the risks of material misstatement at the financial statement and assertion levels. The basis of audit risk assessment procedures is the understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control. And the audit risk assessment procedures are performed to―provide a basis for designing and performing further audit procedures (IAASB, 2019, ISA 315 (Revised 2019)). Chinese Certified Public Accountants Auditing Standards issued by CICPA are basically in line with the ISAs of IAASB.
“This International Standard on Auditing (ISA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements.” (IAASB, 2018). And the auditor shall perform audit risk assessment procedures like inquiries of management and of others within the entity, analytical procedures, observation and inspection to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels.
“The auditor’s assessment of the risks of material misstatement at the assertion level may change during the course of the audit as additional audit evidence is obtained”. “The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.” (IAASB, 2018) Obtaining an understanding of the entity and its environment, including the entity’s internal control, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit. Follow the guide of ISAs revised 2019, to obtain the required understanding of the entity and its environment, the auditor shall get to understand industry, regulatory and other external factors, nature of the entity, the entity’s selection and application of accounting policies, objectives and strategies and related business risks, measurement and review of the entity’s financial performance. Additionally, general nature and characteristics of internal control, controls relevant to the audit, nature and extent of the understanding of relevant controls, components of internal control shall be understood.
On another hand, analytical procedures are mentioned as an important mean to be performed as risk assessment procedures. Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks. Analytical procedures performed as risk assessment procedures may include both financial and non-financial information, for example, the relationship between sales and square footage of selling space or volume of goods sold. Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have audit implications. Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud.” (IAASB, 2018)
There are some things to be considered. One is the extent of the understanding. “The auditor uses professional judgment to determine the extent of the understanding required.” (IAASB, 2018) This point means that different auditor may obtain different understanding of the same audited entity depends on the specific audit policy. The depth or extent of the overall understanding may be flexible. Another is how many risk assessment procedures should to be performed. “Although the auditor is required to perform all the risk assessment procedures described in paragraph 6 in the course of obtaining the required understanding of the entity, the auditor is not required to perform all of them for each aspect of that understanding. Other procedures may be performed where the information to be obtained therefrom may be helpful in identifying risks of material misstatement.” (IAASB, 2018) The auditor can determine how many and which procedures to be performed with professional judgment. Therefore, audit risk assessment procedures may be performed differently by different auditor.
For practice, there is an unresolved issue. ISAs revised 2019 identified that, the auditor shall perform risk assessment procedures, including inquiries of management and of others within the entity, analytical procedures, observation and inspection, based on the understanding the entity and its environment, including the entity’s internal control, and the risk assessment procedures provide a basis for designing and performing further audit procedures. But how to perform the audit risk assessment procedures, there are no examples or models to follow, only the provisions of principle mentioned in ISAs revised 2019. There is a huge space left for the auditor to play, likewise, there are no standards to judge how well the audit risk assessment procedures perform. This is the topic discussed in this study. Standardization of audit risk assessment procedures and audit quality assurance are main respects.
2.3. Professional Skepticism
Several of the auditing standards address or refer to professional skepticism. The 1997 revisions of SAS No.1 emphasize that without the exercise of professional skepticism an auditor cannot be conducted with due professional care (American Institute of Certified Public Accountants (AICPA), 1997). The characteristics of skepticism described in that standard are a “questioning mind”, critical assessment and objective evaluation of evidence, and a willingness to suspend judgment about the honesty of client management. With ISA, professional skepticism is defined as“an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement, and a critical assessment of evidence.” (IAASB, 2018)
Both accounting academics and practicing auditors have recognized the need and importance of professional skepticism during the audit process (Gramling, 1999). In a case study of the failure of the PTL club, Tidwell (1995) comments that, “All auditing work is premised on the assumption that auditors have an obligation to exercise due care and act with professional skepticism.”
2.4. Management Evaluation Methods
With changes of the audit scope, management evaluation methods are put into use within audit processes to meet the requirements of audit standard. It has unique advantages to perform strategic analysis and business analysis than traditional audit means. Management evaluation methods would help auditor evaluate the business risks and audit risks and, in consequence, more and more management evaluation methods are becoming the favorite means of auditor.
The PEST analysis is a useful tool for understanding growth or decline of market, the external environment of the entity, and as much the position and direction for a specific business. The PEST analysis is an acronym for Political, Economic, Social and Technological factors, which are used to assess the market for a business or entity. The model of PEST analysis has prompted several variations on the theme, more confusingly PEST is also extended to seven or even more factors, by adding Ecological (or Environmental), Legislative (or Legal), and Industry Analysis, which produces the PESTELI model. It’s a matter of personal choice, but for most situations the original PEST analysis model arguably covers all of the “additional” factors within the original four main sections.
No matter the original PEST analysis model or the extended PESTELI model, the purpose of this helpful analysis is to assess a specific market, including competitors, from the standpoint of a particular proposition or a business. Through this model, even for a very small local business, a PEST analysis can still throw up one or two very significant issues that might otherwise be missed.
2.4.2. Porter’s Five Forces
“Assuming the potential entrant will properly analyze the elements of the decision described above, where is internal entry most likely to be attractive? The answer to this question flows from the basic framework of structural analysis. The expected profitability of firms in an industry depends on the strength of the five competitive forces: rivalry, substitution, bargaining power of suppliers and buyers, and entry.” (Porter, 1980: p. 344)
Porter’s Five Forces is a framework for industry analysis and business strategy development formed by Michael E. Porter of Harvard Business School in 1979. This model provides a framework that models an industry as being influenced by five forces and the entity seeks to develop an edge over rival firms can use this model to better understand the industry context in which the entity operates. Threat of new entrants, threat of substitute products, bargaining power of customers, bargaining power of suppliers and competitive rivalry within an industry are the five forces with which to assess the competitive position of an entity. Figure 2 shows the connection between Porter’s Five Forces.
Figure 2. A graphical representation of porter’s five forces. Resource: https://upload.wikimedia.org/wikipedia/commons/6/66/Porters_five_forces.PNG.
Each of those five forces is based on structural features which collectively impact the profit potential. All five forces jointly determine the intensity of the industry competition and profitability. The strongest forces become crucial from the point of view of strategy formulation. Accordingly, the result of this analysis may indicate the possible financial performance of the entity.
2.4.3. SWOT Analysis
The SWOT analysis is credited to Albert Humphrey, who led a convention at Stanford University in the 1960s and 1970s. It is an easy to understand technique. This analysis model can be simply understood as the review of an entity’s internal strengths and weakness, and its environments, opportunities, and threats.
Strengths: characteristics of the business or team that give it an advantage over others in the industry.
Weaknesses: are characteristics that place the firm at a disadvantage relative to others.
Opportunities: external chances to make greater sales or profits in the environment.
Threats: external elements in the environment that could cause trouble for the business.
In China, Jinfeng Wang (2006) has tried to apply the SWOT in assessment of audit risk and taken a case study, which may make a role model.
3. Research in China
3.1. Research Method
Literature research and case study are the research methods used in this paper. This thesis has reviewed literatures of the ISAs, related management evaluation methods and studies with the usefulness in audit practice. Based on the study of the literatures, this thesis proposes an analytical framework to assess the audit risk.
Case study is another research method. In next article, this thesis will interview a small-and medium-sized CPA firm named Guangdong Baihua CPA Firm, discover the problems with the audit procedures and find out possible reasons; with these disclosed problems, this thesis takes an audit example, to describe how to apply analysis and the analytical procedures with this thesis’s suggested analytical framework to solve the problems in this CPA firm and show this framework’s practical value.
3.2. Research on Modern Risk-Oriented Audit
Miao Miao (2008) made a research with fuzzy evaluation method to evaluate the “degree of risk” (the amount of assurance of risk) of material misstatement of financial statement in the thesis in 2008, the proposed steps are: firstly, assign a pre-given weight ratio to each element of the risk which may impact the material misstatement of financial statement; secondly, assess the score of each element; thirdly, calculate the “degree of risk” of each element according to the pre-given weight ratio and the assessed score; finally, sum each “degree of risk” of each element and obtain the total “degree of risk”.
This suggested method is a possible mean to evaluate the amount of assurance of risk of material misstatement of financial statement. But it may not be so easy to apply in practice. Like Miao Miao mentioned in the thesis, the pre-given weight ratio is not a certain figure, but a ranger which can fluctuate up and down; it need to be redefined according to the specific audit entity, that means, the pre-given weight ratio is changed with different decision maker and different audit entity. It may be a tough problem to persuade the reviewer of audit quality about the correctness of this weight ratio. On the other hand, how to score each element of the risk is demanding to be solved in practice, otherwise, good solution may not to be used with the auditor if lack of guidance.
3.3. The Study on the Assessment of Risk Based on Modern Risk-Oriented Auditing Approach
Wenkun He (2008) made research with comprehensive fuzzy evaluation method to appraise the business risk on strategy level. The article studies and analyzes the six major factors of the strategy risks of the entity, and establishes an indicator system to appraise the strategy risk. The six major factors are external environment of the audited entity, the nature of audited entity, accounting policies of the audited entity, goals and strategies of the audited entity, financial performance of the audited entity, internal control of the audited entity, and each major factor is broken down into several secondary indicators. The indicator system is composed by scoring the six major factors and the secondary indicators: firstly, 20 experts evaluate the weight ratio of each secondary indicator and complexly calculate defined weight ratio of each secondary indicator and six major factors; secondly, the auditor scores each indicator and the business risk on strategy level can be calculated out; finally, the auditor can design and guide further audit work through the scores of each secondary indicator or major factor.
This method obviously has practical value because of the clear guidance and the details of the operation. There are still two barriers to consider in practice, the first one is most auditor are not familiar with the fuzzy mathematical calculation and more time and energy than expected need to be devoted into the complex calculation; the second one is the cost, the professional fees of more than 20 experts are huge for a specific audit for small-and medium-sized CPA firms, obviously, each audit task need to recalculate in different year for the changed situations.
3.4. The Application of the Balanced Scorecard in the Assessment of Audit Risk
Yupin Yin (2008) suggested to use the balanced scorecard to apply the risk-oriented audit approach. The article suggested that, the auditor shall pay special attention to the balanced relationship between the financial indicators and non-financial indicators, and analysis and evaluate the audit risk through business process of the audited entity.
This article is a discussion of theoretical orientation. Lack of clear guidance, this discussion may be difficult to apply in practice for now.
4. Proposed Analytical Framework
To perform analysis and the analytical procedures to assess the audit risk for small-and medium-sized CPA firms, this thesis establishes an analytical framework, which shows in Figure 3, as the bridge connected with the understanding the audited entity and its environment, including its internal control, and the results of the assessment of the audit risk. As mentioned in chapter one, this analytical framework is easy to understand and accomplish by auditors, for the main analytical construction borrows from the DuPont analysis structure, which has adapted into China for more than twenty years and nearly every auditor is familiar with this analysis.
On the other hand, the understanding of the entities and its environment, including its internal control, wherever learnt with different means, can be unified under this analytical framework, that means, the auditor can assess where the high audit risk are with the understanding of the entities and its environment, including its internal control, through the proposed analytical framework.
With the proposed analytical framework, all kinds of personalized audit means can be united into one centralized analytical structure and standardized to analysis. For small-and medium-sized CPA firms, it is an easy framework to accept in practice, not only for the reviewer of the audit quality, but also for the project managers and professional assistants, newcomers.
Figure 3. Proposed audit risk assessment procedure. Resource: proposed by Wenmin Luo.
The issues on how to apply the risk assessment procedures are not new after Chinese Certified Public Accountants Auditing Standards had released. But it seems that very little research on this practical problem has been studied. Therefore, this neglected area is focused on in this dissertation. With ISAs, there are details to guide to understand the audited entity and its environment, including its internal control, and inquiries, analytical procedures, observation and inspection are suggested to be involved with the risk assessment procedures. How to bridge the gap between the required understanding and the result of the risk assessment procedures, that means, how to apply the risk assessment procedures after understanding the audited entity, is the issue in front of us.
Based on practical experience, this thesis proposes an analytical framework to apply the audit risk assessment procedures. With this analytical framework, the information, which collected through various channels with various means, can be combined into one standardized analytical framework. Through the analysis within this analytical framework, each auditor can easily assess the rationality of each indicator within this framework; therefore, each auditor can dynamically keep assessing with the indicators in the charge of him (or her) in the audit work.
Each audit team member, including partners, project managers, professional assistants, newcomers, can use their unique procedures or means to obtain information or (and) perform analysis. At last, all information and analysis are combined to evaluate each indicator within this analytical framework, to find out where the high audit risks are and guide further audit work. Personalized audit procedures and means are encouraged to perform and the standardized analytical framework is easy to understand and perform for everyone within the CPA firm.
This thesis hopes to promote the research in practical approach for small-and medium-sized CPA firms to apply analytical procedure through this case study, and provide method for effective implementation of analytical procedure for similar small-and medium-sized CPA firms.
However, it must be taken into account that the research has several limitations. First, the proposed framework has strict scope of application. The core analytical structure is borrowing from the DuPont model, which is analysis of the industrial age. That means, the object being analyzed should be the small-and medium-sized entities without complex financial transactions or restructuring transactions. Second, since this analytical framework has no data collected from the comparison test, this may affect the generality of the creation.
In this respect, further studies should be accomplished to perform comparison test, and adjustment of the core analytical structure is valuable to investigate the adaptability of this framework.
 Blokdijk, H., Drieenhuizen, F., Simunic, D. A., & Stein, M. T. (2006). An Analysis of Cross-Sectional Differences in Big and Non-Big Public Accounting Firms’ Audit Programs. Auditing, 25, 27-48.
 IAASB (2018). Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements, 2018 Edition.
 IAASB, 2019, ISA 315 (Revised 2019). Identifying and Assessing the Risks of Material Misstatement.