مدیریت ریسک حسابرسی گروهی در مجموعه حسابرسی چند جزئی Managing group audit risk in a multicomponent audit setting

1 | INTRODUCTION The recent focus on the inherent complexities of conducting the audit of a large, dispersed entity in a group audit setting (e.g., Public Company Accounting Oversight Board [PCAOB], 2016) has brought to the forefront a longstanding issue in audit sampling: how to control for the risks associated with performing audit procedures at a limited number of components or locations in a multiple component entity. Since 1938, when the inventory misstatement at McKesson and Robbins was revealed (e.g., Dutta, 2013, p. 62), auditors have been challenged to provide reasonable assurance on the fair statement of aggregate financial statements when components exist at multiple, geographically dispersed locations, while simultaneously controlling audit costs. The extensive use of component auditors while conducting a global audit accentuates the challenges with sampling, materiality, audit effort allocation, and evidence aggregation. Notably, reports from the PCAOB and other auditing regulators continue to highlight “group audits” as a source of concern.1 While this issue is commonly discussed in the context of global group audits for Big 4 firms (e.g., Downey & Bedard, 2017), it is also a real and practical audit issue for an increasing number of medium and smaller entities that have a profile for which allocating audit effort across components or subsidiaries is needed. The purpose of this paper is to extend the professional and academic literature by providing a justifiable and flexible method for determining a minimum number of components (or locations) to audit and the assurance needed at those selected units, in order to provide a desired level of overall audit assurance. This method is most applicable when a large number of components or locations exist and it is impractical to audit (or visit) all significant (individual or in the aggregate) components. Current professional guidance for group (multinational) audits—ISA 600 (International Audit and Attest Standards Board, 2009) and AU‐C section 600 (American Institute of Certified Public Accountants [AICPA], 2012d)—require allocating overall audit effort to components,2 but does not provide a methodology for doing so. Consequently, implementation problems have arisen and auditors are having difficulty with demonstrating compliance with the standard as noted in endnote 1. Typical audit sampling methods also do not provide guidance to the auditor on controlling the risks while minimizing cost, when entity operations are geographically dispersed and preliminary audit planning reveals that components vary in characteristics suggesting a differential risk profile (e.g., size of component, internal controls effectiveness). Extant methods in the academic literature for allocating audit effort to elements or components of the auditee (Dutta & Graham, 1998; Elliott & Rogers, 1972; Glover, Prawitt, Liljegren, & Messier, 2008; Stewart & Kinney, 2013) do not directly address the risk associated with unsampled components. These methods assume that all elements that are significant, individually and in the aggregate, will be audited. However, as recently noted in a summary of practice issues in multinational auditing (Sunderland & Trompeter, 2017, p. 170),