Audit Risk Assessment in the National Audit Office of the Republic of Lithuania: Evaluation and Development

The article deals with audit risk assessment in the National Audit Office of the Republic of Lithuania (hereinafter referred to as the NAOL). The audit risk features, classification, elements and the place of audit risk assessment are outlined. The text includes the legitimate environment of audit risk assess ment in the NAOL and the evaluation of the NAOL Financial Audit Assurance Model. The Public Insti tutions Financial Audit Manuals of the United Kingdom and Sweden are taken into consideration. As a result of the survey; the NAOL Financial Audit Risk Assessment Guide is recommended. The principal conceptions dealt with in the article: audit risk and its assessment, Financial Audit Assurance Model, Financial Audit Risk Assessment Guide, classification, elements, the National Audit Office of the Republic of Lithuania.


Introduction
The Law on the Amendment of the Law on the State Control No IX-650 of December 13, 2001 issued a new mandate to the NAOL. From that date on, the NAOL has become an institution that carries out public audit instead of public control to help the nation effectively manage and use State budget and property, national funds and the funds of the European Union allocated to Lithuania (e.g., PHARE, ISPA, SAPARD) as well as other resources. From that date on, the NAOL has started to focus on the risk-based audit in order to pro-vide an audited body with a greater added value and to present a more exhaustive reporting both to the Seimas and to the European Commission. In conformity with the Public Audit Requirements, the state auditor must be at least 95 per cent confident that gross misstatements or irregular transactions do not occur in the audited financial statements. Therefore, the state auditor is obliged to reduce the audit risk to less than 5 per cent.
The aim of the current work was to evaluate audit risk assessment in the NAOL and to offer suggestions on how it could be improved. To meet the above-mentioned goal, the following aspects will be covered: 1. Audit risk features and classification. 2. Elements of audit risk assessment and the place it takes in the overall audit process. 3. Evaluation of the NAOL Financial Audit Assurance Model. 4. The proposed NAOL Audit Risk Assessment Guide.
The subject of the research is audit risk assessment in the NAOL, namely the NAOL Financial Audit Assurance Model.
The survey methods. In observance of legal acts and normative documents regulating audit risk assessment in the NAOL, analysis of different literature sources, logical analysis, comparison, classification, elaboration, and generalisation methods were applied.

Audit risk features and classification
The National Auditing Standard No 6, which in all material aspects corresponds with the International Auditing Standard No 400, defines audit risk as the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated (AADV, 2003, P. 16). There is the audit risk definition, which states that audit risk is the risk that misleading data in the financial statements might not be revealed during the audit, which might lead the auditor to an inappropriate audit opinion (JFAV, 2002, p. 1; J. Mackevicius, 2001, P. 262). The above definition expands the meaning of audit risk from the result of the audit (audit opinion), to the overall audit process. The majority of auditing literature describes audit risk as the risk that the auditor may non-deliberately fail to appropriately modify audit opinion on the financial statements that are materially misstated (L.E Konrath, 1993, P. 153; D.H. Tay-44 lor, G.w. Glezen 1985, P. 195; K. Gupta, 2002, p. 203). Some authors present audit risk as the risk that the auditor will issue an inappropriate audit opinion, which might be either that the financial statements taken as a whole are fairly stated (unqualified opinion) when they are not, or that they are not fairly stated (qualified or adverse opinion) when they are (V.M. O'Reilly, lP. McDonnell and B.N. Winograd, 1998, P. 612). Consequently, the auditor might release an inappropriate opinion under two circumstances desricibed above. Some authors maintain that audit risk is a chance of issuing an unqualified opinion on financial statements that are materially misstated (W.B. Meigs, O.R. Whittington, K.J. Pany, 1988, P. 31).11 should be noted that outlining audit risk in this way lacks precision, because issuing an inappropriate audit opinion on the financial statements is by no means a chance, but a risk or a threat.
The above described analysis of different audit risk definitions suggests four fundamental audit risk features: the presence of threat, the existence of audit risk in all the process of auditing, issuing an inappropriate audit opinion, the audit risk caused by gross misstatements (Scheme 1).
Hence we may conclude that audit risk involves the failure to disclose material misleading data in the financial statements during all auditing process, which can lead to a non-deliberate rendering of an inappropriate audit opinion. Audit opinion does not present a true and fair view either when the auditor concludes that the financial statements taken as a whole are fairly stated when they are not, or that they are not fairly stated when they are.
Audit risk is classified in conformity with a number of factors: audit risk depending on the client or the auditor, audit risk level, peculiarity of funds, and conclusions from performing aUditing procedures. The classification divides audit risk into separate components: inherent, control, and detection risks; low, medium, and high risks; ordinary and specific risks; sampling and non-sampling risks (Scheme 2).
The components outlined are interrelated. The inherent, control and detection risks are measured in terms of low, medium and high risks within ordinary and specific risk areas of financial statements. Conclusions reached by performing aUditing procedures depend on  The factors reliant on the auditor are classified into the factors contingent on the auditor and those not contingent on the auditor. The factors of audit risk types influence inherent, control and detection risks (Scheme 3) (J. Mackevicius, 2001, p. 284).
As is presented in Scheme 3, inherent and control risk influences audit risk factors contigent on the auditor, and detection risk influences audit risk factors not contingent on the auditor.
transactions. To evaluate these features, the auditor may sometimes need the help of specialists. Control risk is affected by the following factors: the personnel management and control system, authorisation of responsibilities to the personnel, qualification and competence of the staff of the client, computerisation level in the accounting system, and the level of restriction of access to data in the accounting system, internal control functions and documentation. Detection risk depends on such fac-

. Audit Risk Factors
To the factors contingent on the auditor belong the auditor's professional competence and qualification, both theoretical and practical. The non-contingent on the auditor are factors related to the client's specific actions. For example, an economical crime when a client offends tax law, state legislative basis and company's status.
Inherent risk is influenced by such factors as macroeconomic environment, features of a business niche in which the client functions, the client's business, qualification and competence of the management of the audited body, complexity of the accounting system, business tors as the auditor's qualification, experience, and personal features, auditing tests and procedures, materiality level and errors noted. The National Auditing Standard No 6 demands that when developing the audit approach the auditor should consider a preliminary assessment of control risk (in conjunction with the assessment of inherent risk) to determine the appropriate detection risk to accept the financial statement assertions and to determine the nature, timing and extent of substantive procedures for such assertions (AADV, 2003, P. 16). In the auditing literature (Kabasinskas J., Toliatiene I., 1997, p. 76; MackeviCius J., 2001, p. 172, 173; O'Reilly Y.M., McDonnell J.P., Winograd B.N. and others, 1998, p. 6,21.) it is also outlined that audit risk is assessed at the planning stage of an audit in order to develop an appropriate audit strategy.
However, the Swedish National Audit Office in its Financial Audit Guide indicates that audit risk assessment continues on different levels during the whole audit engagement.
Inherent risk should be evaluated at three levels. Primary evaluation is at the beginning of audit, when information on the client's business is collected. When developing the overall auditing plan, inherent risk is evaluated at the level of financial statements. When developing the aUditing programme, inherent risk is assessed from material account balances and classes of transactions (Gupta K., 2002, p. 206).
The auditor examines the control risk by evaluating the effectiveness of the client's accounting and internal control systems for detecting, correcting and preventing gross misstatements throughout the period. The auditor, when obtaining audit evidence about the effective operation of internal controls, has to consider how internal controls are applied, the consistency with which they are applied, and by whom they are applied.
Detection risk is related to the effectiveness of the auditor's procedures and can be changed at his discretion. The auditor, therefore, assesses the degree of inherent and control risks and only then he detennines the degree of detection risk, to make the audit risk acceptable. The higher the assessment of inherent and control risk, the more audit evidence the auditor should obtain from substantive procedures.

Evaluation of the NAOL Financial Audit Assurance Model
In the NOAL, audit risk assessment is based on the Financial Audit Assurance Model (hereinafter referred to as the FAAM). It is presented in the NAOL Public Institutions Financial Audit Manual. The Manual helps the state auditor to apply the Public Auditing requirements which were developed following the Law on the Amendment of the Law on the State Control, the Law on Local Government National Auditing Standards, INTOSAI (International Organisation of Supreme Audit Institutions) Standards. The experience shared by auditors of other national Supreme State Audit institutions (e.g. United Kingdom, Sweden, Belgium) helps the NAOL auditors to use the FAAM efficiently (Scheme 4).
The FAAM is based on assurance (A) factors that are used for qualitative expression of inherent, control, and substantial assurance. The FAAM detennines that to achieve the overall audit assurance at 95 per cent on the financial statements the individual factors A assigned should add up to 3.0 ( Table 1).
The Audit risk theory and practice, beside low (lA equals to O.O) and high (lA equals to 1.0) inherent risk levels, point out one more inherent risk level, which is the medium. Therefore, in case the state auditor identifies that there is inherent risk but the audited body has controls mitigating that risk, the inherent assurance factor A may be set as 0.7, which corresponds to 50 per cent. In this formulation, there are two circumstances allowing to   in case inherent risk exists and the internal control system does not correspond with the requirements.
The state auditor may assess control risk by evaluating internal control and its reliability, taking into account the fact that the inherent assurance factor A may be set as 2.0, which corresponds to 86 per cent. In this fonnulation, T  Table 2).
Substantive assurance is the audit assurance which the state auditor obtains by sub-stantive procedures (lFAY, 2002, p. 35). According to the FAAM, substantive assurance might be assessed under four circumstances and three levels of factor A, depending on the determined inherent risk factor and the reliance on internal control system: 1. SA equals to 3.0 (95 percent assurance), and focused substantive procedures take place in case there is inherent risk, the management does not take measures mitigating the risk, the internal control tests are not perfonned or the results are considered unreliable. 2. SA equals to 2.0 (86 percent assurance), and standard substantive procedures take place in case there is no inherent risk, but the internal control system is considered unreliable. 3. SA equals to 0.7 (50 per cent assurance), and lowest scope detail procedures take place in case there is no inherent risk and the evaluated internal control system corresponds with the requirements. 4. SA equals to 0.7 (50 per cent assurance), and lowest scope detail procedures take place in case inherent risk exists, but the management is able to take effective control measures to eliminate every risk factor and the internal control system is in accordance with the requirements.  The less substantive the assurance factor A, the fewer substantive auditing procedures the state auditor has to perform. It should be noted that the substantive assurance factor A cannot be equal to 0.0, which corresponds to 74 per cent, because the auditor must perform substantive procedures (detailed tests and substantive analytical procedures) at the level ensuring 50 per cent assurance, irrespective of the inherent and control assurance level, as required by the International Auditing Standards and as identified in the FAAM.
The survey of the FAAM shows that it enables the state auditor to focus effort on the Table 3. The Financial Alulit Risk Assessment Guide EighJ steps to assess audit risk key areas of risk, therefore the state auditor is able to reduce audit risk to less than 5 per cent. However, there is always room for improvement. The above-mentioned suggestions could contribute to making the FAAM more flexible (Scheme 5).
The Audit Assurance Decision Tree (hereinafter referred to as the AADT) identifies all the possible circumstances the state auditor applying the FAAMI may use to achieve the overall audit assurance at 95 per cent (to reach that the overall audit assurance factor A equals to 3.0) on the financial statements, or reduce the audit risk to less than 5 per cent.

The proposed NAOL Audit Risk Assessment Guide
In order to perform a high quality and efficient financial audit at the state level, the use of the Financial Audit Risk Assessment Guide (hereinafter referred to as the FARAG) is presented for consideration (Table 3).

Aim
To issue a true and fair view of audit opinion.

Assessment
Preliminary assessment at the planning stage of the audit which continues during place the overall audit process

Classification
Inherent, control and detection risks can be measured in terms of low, medium and high risk within ordinary and specific risk areas of financial statements Conclusions reached by perfonning auditing procedures depend on whether sampling is used or not when detennining the extent of substantive procedures

Factors
When assessing audit risk, the state auditor is obliged to evaluate the following factors: . factors reliant on the auditor . factors not reliant on the auditor 5. Inherent risk To be detennined within the evaluation of a client's business environment

Control risk
To be detennined within the evaluation of the client's internal controls 7. Detection risk To be detennined within the appropriate quality control procedures 8. Assurance 95 per cent assurance or less than 5 per cent of audit risk applying the FAAM and AADT The FARAG involves eight steps, which the state auditor has to make in order to reduce audit risk to less than 5 per cent. The first step requires to set out the aim, the second -to define the place of audit risk assessment, the third -to classify audit risk, the fourth -to estimate audit risk factors, the fIfth, sixth and seventh -to determine inherent, control and detection risks, the last but not the least -to apply the FAAM and AADT to reach a 95 per cent assurance or reduce audit risk to less than 5 per cent.

Conclusions
The article has dealt with audit risk assessment in the National Audit Office of the Republic of Lithuania (the NAOL). Herein audit risk features, classification, elements and the place of audit risk assessment are outlined. The text included the legitimate environment of audit risk assessment in the NAOL and the evaluation of the NAOL Financial Audit Assurance Model (the FAAM). The Public Institutions Financial Audit Manuals of the United Kingdom and Sweden have been taken into consideration. As a result ofthe sUJVey, the NAOL Financial Audit Risk Assessment Guide (the FARAG) is recommended.
We identified and described four fundamental audit risk features: the presence of threat, the existence of audit risk in all auditing process, issuing an inappropriate audit opinion, audit risk caused by gross misstatements.
Audit risk has been classified in conformity with the following factors: audit risk contingent on the client or the auditor, audit risk level, peculiarity of funds, and conclusions from performing the auditing procedures. Audit risk factors have been analysed according to two features: reliance on the auditor and audit risk type.

52
The auditor considers the preliminary assessment of control risk (in conjunction with the assessment of inherent risk) to determine the appropriate detection risk to accept for the financial statement assertions and to determine the nature, timing and extent of substantive procedures for such assertions. Audit risk assessment continues during the overall audit process.
The Financial Audit Manuals -of the Lithuanian and the United Kingdom Public Institutions in the aspect of audit risk assessment are similar, and the Swedish Manual differs from them in two aspects: level of assurance and audit risk levels.
In the NAOL audit, risk assessment is based on the FAAM, which is presented in the NAOL Public Institutions Financial Audit Manual. The following suggestions could contribute to making the FAAM more flexible: • Inherent risk at the entity and account balance level might be determined as highly, medium and slightly material. • It is recommended to supplement the FAAM with two circumstances how to get a 95 per cent audit assurance when the inherent assurance factor A equals to 0.7, and one circumstance how to get a 95 per cent audit assurance when the control assurance factor A equals to 2.0.
The AADT identified all the possible circumstances the state auditor applying the FAAM may use to achieve the overall audit assurance at 95 per cent on the financial statements.