Major Audit Risk Areas - Westpac - Case Study Example

Major Audit Risk Areas Name Tutor Unit Code Table of Contents Executive Summary 3 Introduction 4 Company Background 4 Regulatory Compliance 4 Fraud 6 Cybersecurity 7 References 8 Executive Summary Audit risk is the risk that the auditor may well, without knowledge, fail to correctly adjust the opinion on the company’s financial statements that are materially misstated. Therefore, the auditor will issue an inappropriate opinion. In recent times a number of areas have emerged at the top areas that pose great risk to the auditors. This report covers the key audit risks that could affect Westpac. The company is the oldest and one of the largest in Australia. It also has operations across New Zealand, Asia, Pacific, and the United Kingdom. Introduction Audit risk is the risk that the auditor may well, without knowledge, fail to correctly adjust the opinion on the company’s financial statements that are materially misstated. Therefore, the auditor will issue an inappropriate opinion. Today, the business environment continues to face various challenges amid emerging business trends that make the auditor’s work quite difficult as some risks may be bypassed during an audit. Therefore, the auditor needs to be aware of the key audit risk areas pertaining the specific industry or company in which the audit is being performed. The financial sector, and in particular banking is subjected to a number of key audit risk areas that need to be considered keenly during an audit. Below I discuss the key audit risks areas that possibly will affect Westpac’s financial statements along with the audit procedures needed to verify the account balances affected by the risks. These are: (1) regulatory compliance, and (2) fraud Company Background Westpac is the oldest and one of the largest banks in Australia. The company was started in 1817 as the Bank of New South Wales. In 1982 the name was changed to Westpac Corporation after acquiring the Commercial Bank of Australia. Today Westpac serves over 13 million customers. The company has a diversified portfolio of financial services spread around five key business divisions including; (1) Consumer bank, (2) BT financial group, (3) Commercial and business bank, (4) Westpac industrial bank, and (5) Westpac New Zealand. Other business divisions include group technology, customer and business services, treasury, core support, and Westpac pacific. It also has operations in the London, United Kingdom. Regulatory Compliance Westpac operates in a highly complex financial industry. The financial industry is highly regulated due to its sensitivity to the changing business environment. The laws and regulations are set to ensure compliance and proper handling of finances. Besides, the recent global financial crises have led to the introduction of new regulatory requirements pertaining to different elements such as capital requirements under the Basel III Framework. Stakeholder expectations also keep on rising and put more pressure on the bank to protect its brand reputation and value. This is crucial for Westpac, which is the second largest company on the ASX by market capitalization. If the company is subjected to fines and penalties, there is a possibility that the company’s management and employees may decide to conceal this information as they strive to keep a better public image. This may well be presented in the financial statements in form of understated expenses. Furthermore, meeting the regulations may be costly for the company. But the company may want to disclose lower expenses that may well translate into a higher net income for the company. Therefore, the audit will focus on the accounts relating to the fines, penalties and compliance costs. To carry out an audit on compliance, the audit procedures will be carried out in a structured manner as discussed below; The company’s will be checked for compliance with particular legal requirements besides the internal compliance procedures and policies and procedures in order to guarantee complete coverage. Also, the compliance program will be assessed to determine its adequacy. This will also shed light on the sufficiency of the internal risk assessments following that this would have helped to identify key compliance risks that ought to have been identified and proper controls put in place. The assessments are intended to give a meticulous road map of where to focus testing resources. These will also provide info pertaining to the company’s policies and procedures that have to be followed in business processes. If no risk assessments have been carried out, the company’s code of conduct and compliance policies will be considered to help spot the key areas to target. Westpac operates in the financial industry and is by itself a big organization. These factors will be considered including the geographic locations in which it operates across Asia, Pacific, United Kingdom, and New Zealand as well as the recent regulatory focus and lawsuits, and employee/customer complaints. The audit program will also be assessed to determine if it is sufficient and effective. This will entail looking at whether it contains all the required elements. Moreover, the company’s history with fines, lawsuits and regulatory enforcement will be evaluated alongside whether the operative audit reports reflect mirror the compliance with internal process. The company’s compliance program may not effectively avert or detect all compliance matters. Therefore, an acceptable level of performance will be set cognizant of the company’s area of operation. In general, a five percent margin of error will be considered permissible in evaluating whether vital disclosures were provided in time regarding all customer transactions. The audit will also allow for sufficient time in implementing the new process plus the training for employees and to allow for the business operation to be running well. The 120-day rule will be applied with equal force pertaining to the follow-up evaluations conducted following an insufficient audit. Audit sample for testing will be set close by the test date as sensibly as possible to ascertain recent transactions or transactions that may well have happened after any management action has been implemented. The audit can be conducted using various resources, both internal and external resources. Also specialists in different subject matters will be drawn in. More importantly, in selecting the various professional resources to be involved, their independence and expertise will be keenly considered. Generally, auditors and accountants will be ideal for transactional testing, while subject matter specialists such as consultants, lawyers or environmental engineers will be preferred for conducting evaluations in areas that call for expert knowledge. All the reviewers will be required to exercise independence from the core process or function. In conducting transactional testing audit, either judgmental or statistical sampling method will be chosen. Statistical sampling allows a person to draw inferences regarding the compliance rate of the whole population from the outcomes observed from the sample population. On the other hand, the outcome of judgmental sampling, cannot be spread to the whole population, however the occurrence of exclusions in the sample possibly will point to areas for more review. Notwithstanding the sampling technique to be deployed, interviews and questionnaires will be used to collect more information from employees. This will be very much helpful in identifying areas that may draw concern as regards the management or employees and highlight superficial flaws or strong points of the compliance program. Record keeping is also an important reflection. To have credible audit results that stand with integrity, the procedure must be subject to recurrence and the examination subjected to analysis. In view of that, audit work papers need to be generated to document the audit process and be kept for a suitable period of time to allow for review by the board, management, or by regulatory agencies, as may be deemed appropriate. Some situations may necessitate a written report of the audit results to be generated. All the reported to be generated may well be subject to discovery, the resolution whether to generate a report will be arrived at through careful reflection, before starting the review. Generating written reports of the audit results helps to show a meticulous path of gaps and/or problems that may permeate in a company’s compliance program. If possible, the report will cover an authentic depiction of the risk assessment process plus the results devoid of speculation or conjecture. Besides, the standards for the rating levels to be used will be set in advance. The management will be given a chance to react to issues that will be identified, with action plans and due dates for deliverables. Completion of action items will be hunted down and re-analysis done before the 120 days after implementing the new process to evade the hostile state of having to identify a concern and failing to rectify it. The audit results will be communicated, preferably in writing to all interested parties including the company’s senior management, business unit, and the board of directors. The management’s response, action plans and due dates will be captured in the written reports. The realization of the deliverables will be tracked, with follow up authentication of accomplishment, as well as re-assessment of the efficacy of the curative action. By and large, the audit results impartially establish either the efficacy of the compliance program or the faults and gaps in the compliance program. They generally deliver valued facts for the management to use in constantly refining the compliance program. As such, from the start of designing the audit program we will endeavor to reserve whatever freedoms that might be relevant to guard the work papers and/or reports from being exposed. There are various applicable ways to realize this including the work product doctrine, the attorney-client privilege and the self-evaluative honor will be thought about and emphasized. Fraud Fraud keeps evolving and is a major risk in banking. Indeed recent reports indicates that in UK online banking fraud surged by 70 per cent in 2014. It is necessary for sample transaction testing to be conducted routinely to gain assurance of the vigor of the internal controls in averting and/or detecting fraud and errors. The fraud triangle is mainly used to identify the various causes of corporate fraud. According to Beresford (2003), the fraud triangle identifies three key broad reasons as to why people commit corporate fraud. These are the pressure to commit the fraud, the opportunity to commit the fraud, and the attitude/rationalization of the person committing the fraud. By and large, fraud has two major effects: (1) hiding the amounts and this possibly will affect the cash balances and (2) overstatement of assets. Therefore, auditors have a duty to spot material misstatements in the company's financial statements caused by either fraud or error. Hence, generally accepted auditing principles propose particular audit procedures to discover fraud that ought to be conducted all through each audit. First, it is important for the audit engagement teams to hold a fraud brainstorming sitting. Of course this will be guided by the partner in charge of the audit. The session is to be planned such that there is adequate time for the audit team to ponder on how the company (management and employees) may possibly commit fraud. Moreover, brainstorming allows the team to set a tone of professional skepticism in the audit. The meeting will include a fraud expert to offer deeper understanding into other frauds committed by comparable companies and help detect the client's risk factors. Committing material financial statement fraud largely necessitates alterations to the company's financial records. Therefore, the auditing will focus on testing the company's journal entries for any indications of manipulation. After getting to understand the company's controls and procedures, a selection from the company's journal entries will be made so as to carry out the test. An adequate number of entries will be selected particularly those executed by the top management and that have been posted late in the accounting period. As soon as the selections are made, a request for supporting documentation will be made so as to corroborate each entry. Accounting estimates are also likely to be falsified. In view of the fact that they are subjective, the management and employees may well be able to sway the accounting estimates so as to influence the financial statements. There are two key ways through which accounting estimates can be verified by the auditors. The first approach is to complete a "look back" procedure to decide if the method for finalizing accounting estimates changed from the previous year. If there is a change of techniques, it shows that there could be some form of manipulation. The assessment will also look into the entire directionality of estimates. Lastly, recently there have been revisions touching on the generally accepted auditing principles that require auditors to carefully scrutinize major few and far between transactions out of a company's day to day business activities. Companies are called upon to clarify the determination and corporate basis for the business deal. As soon as the management's explanation is obtained, the engagement team will substantiate the management's answer with additional info gathered for the period of the audit. Cybersecurity References BCBS (2005), Compliance and the compliance function in banks, BIS, Basel, Switzerland, www.bis.org/publ/bcbs113.pdf BCBS (2010a), Principles for enhancing corporate governance, BIS, Basel, Switzerland, www.bis.org/publ/bcbs176.pdf Hayes, R., and others, (2005). Principles of Auditing. An Introduction to International Standards on Auditing, Prentice Hall. Read More