Assessment of Business Risk and Control Risk in the Libyan Context

In order to perform risk assessment, current auditing standards emphasize the importance of auditors gaining a broader understanding of an organization, as well as its environment. From this perspective, Schultz Jr. (2010) stated that auditing standards direct auditors to consider business risk and other risk factors when they evaluated the overall risk of material misstatement during the planning stage of an audit [1]. This paper reviews the developments in relevant professional and academic literature in terms of client’s business risk assessment. The model of the current study incorporates some 28 factors viewed as potential influence on client’s business risk and control risk assessment. Attention is also directed to the degree of risk associated with the factors. Predictions of Libyan auditors’ behaviour are drawn from the model and the reviewed literature.


Introduction
The concept of business risk has risen up as a result of new audit methodologies development.Business risk is defined as the risk that the entity objectives will not be achieved because of internal or external factors.Professionally, auditing standards directed the auditors to obtain understanding of the entity's objectives and strategies and the related business risks that may result in material misstatement of the financial statements (ISA 315, IFAC, 2008) [2].ISA 315 directed auditors to consider business risks when they assessed the risk of material misstatement during the planning phase of an audit.The concept of business risk presents a broader vision of the range of risks that considered by auditors.Wu et al. (2002) indicated that the increased emphasis on identifying and assessing business risk had been considered as a major change to the conventional audit approach [3].In the same concern, Knechel (2007) stated that all major firms adopted business risk approach to some extent during the 1990s [4].On the other hand, there is a risk that reflects the effectiveness of the entity's internal control system.More specifically, in an audit of the financial statements, auditors obtain an understanding of internal control to assess the control risk.
Business risk reflects the case that entity will fail to attain its objectives.This term which is associated with the activities of the entity that is being audited should be distinguished from the term of auditor's business risk "engagement risk" which refers to the risk that the auditor will suffer a loss resulting from the engagement (e.g., as potential litigation).Prior studies indicated that auditors could distinguish between business risk and inherent risk (Wu et al., 2002) [3].In this regard, auditing literature indicated that both concepts had different aspects (e.g., Wu et al., 2002).From this perspective, Lemon et al. (2000) [5] mentioned that some audit firms believed that the broader understanding of the client's business risk required by the auditor's risk approach would benefit their management of engagement risk.In the Libyan context, Ritchie and Khorwatt (2007) examined the Libyan external auditors in terms of their capability in distinguishing between inherent and control risk factors and found out that they assessed inherent and control risk factors interdependently.Ritchie and Khorwatt (2007) reported that the Libyan auditors could identify most control risk factors and failed to do the same with the majority of inherent risk factors.The same study revealed that Libyan external auditors differentiated successfully between the factors associated with a high level of risk and those associated with a low level of risk [6].However, there was no study in the Libyan context investigated the perception of external auditors to business risk.This study aims to investigate the Libyan auditors' perceptions of business risk factors in the planning stage of the audit process.To reveal to which extent the Libyan auditors are aware of the business risk concept, they were asked to differentiate between clients' business risk and control risk using factors associated with both concepts.The examined factors have been adopted from the relevant auditing literature.In other words, the current study aims to investigate which factors auditors consider to be business risk, control risk or both by providing descriptive evidence on Libyan auditors' perceptions of business risk in relation to their awareness control risk.This study tries to participate in covering this theoretical and empirical gap and contribute to the wider knowledge of this topic by providing descriptive evidence on auditors' business risk consideration.The key research question is:

Does the Libyan External Auditor Perceive Business Risk Factors?
The paper initially reviews the relevant literature, both professional and academic, relating to business and control risk.Subsequently, the research method employed in the empirical study is presented and evaluated, drawing comparisons with the approaches used in previous studies.The presentation of the empirical evidence is structured around the main research question prior to evaluating the implications for the auditing profession, both specifically within Libya and more widely.

Risk in Organizations
The term risk has been defined through many perspectives.Pure risk addresses the possibility of injury or loss.It focuses exclusively on the occurrence of bad things (Davidson, 2003) [7].In dictionaries, risk mostly refers to the concept of danger.For example, the authoritative Shorter Oxford Dictionary of the English Language defines risk as "Danger; the possibility of loss or injury" (Stevenson et al., 2002) [8].However, there is more to the definition of risk than the concept of danger, depending on the perspective of the study.For example, with business risk, you are concerned with the opportunity for gain as well as loss (Davidson, 2003) [7].
In today's complex business environment, risk has become an inherent part of business and public life.Dynamic market relations increase the uncertainty of the environment where business and public organizations work.Maintaining high competitiveness needs organizations to start initiatives that may have different outputs.The possibility of these outputs occurring determines the risk in the organization's activity (Tchankova, 2002) [9].Organizations are exposed to various types and levels of risk which may be classified in different ways.One approach is to classify risk on the basis of whether all businesses are exposed to the same risks, often unavoidable (i.e.contextual, environmental or systematic risks) as against those avoidable risks where the business elects to be exposed to the risks in order to gain some strategic or competitive advantage (i.e.strategic or unsystematic risks), potentially adding value for shareholders (Philippe, 2001) [10].
As all business involves risk, one of the organisation's management functions is to assess the impact of potential risks to the business and to set in place management controls that will minimize the impact of the identified risk.Management should be aware of the nature of the underlying opportunities in order to identify and manage the associated risk.Failure to do so can result in a failure to capture a fortunate opportunity and success.For example, a sales campaign which generates unexpectedly high demand for a new product may prove a disaster if that demand cannot be met and this stimulates a competitor to enter the market (Chapman & Ward, 2002) [11].

Business Risk Factors
Business risk is defined generally as the risk that the entity's business objectives will not be attained as a result of the external and internal factors, pressure, and forces brought to bear on the entity and ultimately, the risk associated with the entity's survival and profitability.It refers to introducing audit approach that focuses on the business risks in the organization whose financial statements are being audited.This approach has been documented as a major innovation in audit methodology in the second half of the 1990s (Higson, 1997;Lemon et al., 2000).In this concern, Wu et al. (2002) stated that business risk arises from conditions and forces within the entity's internal environment, industry forces and macro-environmental forces.This innovation has been associated with changes in the extent of the planning and the process of assessing the risk in the related evidence gathering procedures used by auditors.This approach has the potential to enhance audit effectiveness, arguing that an in-depth understanding of a business, its environment and the business processes through which value is created is the best way in which an auditor will be able to recognize management fraud and business failure risks [12].
Relevant auditing literature indicate that firms had concluded that perceived audit failures result not from the ineffectiveness of procedures in detecting misstatements, but because of difficulties as recognizing going concern problems or identifying fraud, arising from other aspects of the business context (Lemon et al., 2000: p. 12).Business risk approach encourages the auditors to view the client in terms of key business processes, and risks and controls within those processes, as opposed to a framework based on financial statement balances and transaction streams.The rationale for this approach suggests that if the auditor can identify the sources of business risk and ensure that the client has appropriate systems to monitor and manage that risk, there is little value in extensive substantive testing.It has also been suggested that obtaining such an insight on the business provides auditors with a better basis for generating useful feedback for the client.Lemon et al. (2000) argued that business risk audit approach emphasizes top-down approach to the audit, starting from the business and its processes and working through the financial statement instead of the opposite way that focusing on the financial statements [5].Higson (1997) mentioned that business risk approach was associated with the changes in the process of risk assessment, planning and procedures of gathering evidence by auditors.This approach came to enhance the effectiveness of external auditing, it also enhances the process of understanding of the auditor to the nature of the client and the environment in which enabling a wider range to find out the risks facing activity, and the expected fundamental misstatements [13].
Millchamp (2002) argued that the most important reasons for adopting the client's business risk approach is the conclusion of some audit firms that audit failures may not stems mainly from the lack of efficiency and effectiveness of audit procedures to detect material misstatement, but may be due to the problems faced by the entity under auditing as the continuity problems (going concern) or manipulation arising from the audit environment (such as technological changes and globalization).Millichamp (2002) divided the sources of business risk factors associated with the entity to external and internal factors.Millichamp (2002) mentioned that external factors arises from outside the entity and include: 1) change in legislation (such as the use of genetically modified foods); 2) interest rates change; 3) change the exchange rate; 4) opinion or attitude of the public (such as the public's desire change according to fashion); 5) competition; 6) untested technology; 7) natural threats (such as floods); 8) bad debt; 9) judicial matters; 10) environmental issues.Millichamp (2002) explained that any of the above factors could adversely affect the entity, and therefore the financial statements.For example, when an entity manufactures a certain product exposed to intense competition resulting from the import of the same product, the financial statements may be affected by the value of equipment that may needs replacement and employees who may be laid off, and thus continuity becomes questionable.The risk arising from internal factors include: 1) failure to update products, labour relations or marketing; 2) users; 3) members of the board of directors; 4) failure to update products (failure to qualify for the ISO or the use of e-commerce); 5) operations related to suppliers or customers; 6) excessive reliance on a single executive director; 7) cash flows; 8) the failure of electronic systems; 9) internal control; 10) excessive reliance on a single supplier, a single client or a single product [14].

Control Risk Factors
After obtaining an understanding of the five components of the internal control system (control environment, risk assessment, control activities, information and communication and monitoring) the auditor should make a preliminary assessment of control risk for each material account balance or class of transactions and the financial statements level.The auditors assess control risk based on the perceived effectiveness of the entity's internal control system in preventing and/or detecting material misstatement.As the organization's internal control becomes more effective, the assessed level of control risk should be decreased.On the other hand, control risk would increase when the internal control system becomes less effective.Cosserat (1999) reported that the assessment of control risk starts by assessing the control environment.The internal control system can be undermined by the weakness of the control environment.Strong individual control procedures cannot compensate for a weak control environment and assessing the control environment is a matter of professional judgment.After assessing the control environment, the auditor should assess the design effectiveness of control procedures and their ability to prevent or correct material misstatements.Finally the auditor can assess whether the controls were effectively applied throughout the period under audit [15].
In assessing the control environment, as an element of the internal control system, the auditor should consider factors that contribute to its quality, test whether those factors are operating effectively, and form an overall conclusion about the environment.These  • The board of directors and its committees; • The method used to assign authority and responsibility; • Human resource policies and practices; • Control methods used by management.Auditors should verify these factors to be able to render their judgement about the internal control evaluation and then control risk assessment.For example, when the auditor finds out that there are effective physical safeguards over records and assets, this may give an indication that the internal control system over a particular area of assets is effective then the control risk may be set at a low level.However, the auditor has to support any assessment of control risk that is less than high.

Relationship between Business Risk and Control Risk
The risk associated with the client and the audit risk can affect each other when auditors assess the risks associated with clients.For example, a client who operates in an industry with a high risk (high business risk) and has a weak internal control system (high control risk) may face great difficulties in obtaining finance with reasonable financial interest, and this would affect the assessment of the auditor to the status of the client's financial position.In contrast, the client facing financial difficulties may be forced to reduce a number of administrative staff, including affects on the strength of the internal control system which may affect the assessment of auditor of to the internal control, therefore, it can be concluded that the auditors' assessment of clients' business risk affects directly the assessment of control risk and vice versa.
The relationship between audit risk and client's business risk arise as a result of the similarity between the risk factors affecting the assessment of inherent risk and those affecting the client's business risk.In this regard, the literature indicate that there is overlap or similarity of some of the factors that affect the client and inherent risk, including, for example, the management integrity that is classified as a factor of business risk as well as an inherent risk factor.On the level of financial statements, auditing standards (SAS, 300, APB and IAS, 400, IFAC) recommended auditors to consider the nature of the entity operations and factors affecting the industry when they assess inherent risk [17].In this regard, Houston et al. (1999) stated that clients business risk expands to include additional factors not reflected in audit risk, and on this basis may be considered inherent risk as a part of the client's business risk, and this is because business risk factors do not include only the factors affecting material misstatement that occur in the system "inherent risk" but it also include the risk of financial failure [18].In the same area, Gay and Simnett (2000) suggest that client's business risk factors can be seen as a part of inherent risk [19].Carmichael et al. (1996) argued that some auditors believe that the assessment of control risk is inevitably a joint assessment of inherent risk and control risk.Other auditors maintain that a separate assessment is feasible as long as matters that can affect both inherent risk and control risk, such as management's control consciousness, are not double counted [20].Hayes et al. (1999) reported that the auditor may make separate or combined assessments of inherent and control risk [21].Nevertheless, Graham (1985) suggests that inherent and control risks can be distinguished conceptually, and inherent risk is often first considered separately in the planning stage of the audit [22].

Testable Hypotheses
On the contrary, Cosserat (1999) and Manson (1997) claim that there is often an interrelationship between inherent risk and the control environment factors.For example, some of the factors which affect inherent risk, such as management's integrity may also affect the control environment and hence influence control risk.In this vein, auditing literature highlighted that some factors that affect control risk assessment can also affect business risk assessment such as management integrity.On this basis, if auditors assess business risk and control risk separately they have to be able to distinguish between the factors associated with business risk and those that are associated with control risk [23].Accordingly the first hypothesis of this research addresses the nature of assessing inherent risk and control risk and predicts the following behaviour: Libyan external auditors do not distinguish between client's business risk and control risk.
The auditing literature shows that, since auditors are concerned about being exposed to litigation as a result of providing reports not reflecting the real picture of the financial position of the audited entity, they tend to collect more evidence than may be justified, relying primarily on conducting substantive testing (test of details).For that reason, auditors who are aware that additional work (more evidence gathering) will lead to a decrease in the likelihood of expressing an incorrect audit opinion, may choose to undertake more work than the required minimum to decrease the possibility of injury or loss to his professional practice (Carmichael et al., 1996) [20].In other words, for self-protection, the auditor may do more investigation.Arens et al. (2002) reported that auditors are generally conservative in making risk assessments and they give more weight to those factors at a high risk level considering low risk factors as high risk factors [24].Accordingly, the second hypothesis of this research addresses the evaluation of the degree of risk associated with the risk factors and predicts the following behavior: Libyan external auditors differentiate between the factors associated with a high level of risk and those associated with a low level of risk.

Research Method
In order to gather empirical evidence on business risk assessment, in the light of the appropriate literature, business risk factors associated with clients and control risk factors were identified, revised and adopted, and the questionnaire was developed and distributed among the Libyan external auditors.The questionnaire enclosed 18 factors associated with client's business risk and 10 factors affect the assessment of control risk.The participants were asked to: 1) Distinguish between the two key risk categories, client's business risk and control risk.
2) Differentiate between the factors associated with a high level of risk and those associated with a low level of risk.
The two main hypotheses that have been tested empirically in this study are: 1) Libyan external auditors do not distinguish between client's business risk and control risk.
2) Libyan external auditors differentiate between the factors associated with a high level of risk and those associated with a low level of risk.
The analysis of the data provided by the participants can help to reveal empirical evidence on the Libyan auditors' perceptions of business risk and give a chance to conduct some comparisons between the finding of the current study and those that were conducted in other countries.

Statistical Analysis
The primary approach to analysing the questionnaire data employed Signal Detection Theory.This theory is applicable in situations where the respondent is required to distinguish between two discrete states of the world (signal and noise).In such situations, a respondent is faced with the task of identifying one of the states.Therefore, the respondent must make a decision, is the signal there or not.What makes this situation confusing and difficult is the presence of other distraction that is similar to the signal, these distractions are called noise.Because noise can sometimes look like a signal (or vice versa), the responses of the participant fall into four categories (see Table 1).
In the present study, we sought to measure the degree of differentiation between: 1) Factors associated with business and control risk; 2) Factors generating high and low risk levels.
The responses of each respondent to the three sets of questions were analysed on this basis calculating the d-prime (d') 1 .
Table 2 illustrates the application of signal detection theory on the isolation of business risk factors from control risk factors.
For the calculation of d-prime, tables of Z-scores distribution are used to determine the values.A high value of d-prime shows a high degree of separation and, thus, high respondent sensitivity (i.e.d-prime < 1.0 sensitivity of the respondents is low; 1.0 < d-prime < 1.5 sensitivity of the respondent is moderate; and d-prime > 1.5 suggests high levels of sensitivity).Hence, in the current study, high values in d-prime indicate high sensitivity in differentiating business risk factors from control risk factors; and factors generating a high level of risk from factors generating a low risk level.In order to enhance the result of applying the signal detection theory, contingency tables (2 × 2) are utilized to examine the independence between: a) business and control risk factors; b) the risk factors that are associated with a high or a low level of risk.Chi-square is calculated to assess the statistical significance of association between the mentioned factors in the contingency tables.

Findings
Out of 400 questionnaires were distributed among the Libyan auditors who are registered with the Libyan Accounting and Auditing Association, 164 representing 41% were analyzable.The results of the data analysis relating to the perceptions of Libyan auditors' to client's business risk were largely consistent with the first hypothesis developed in this study lending support to the suggestion in the academic auditing literature that client's business risk factors may not be distinguished from control risk factors.As can be seen from Table 3, most Libyan auditors thought most business risk factors were control risk factors.More specifically, out of the 18 business risk factors, 12 were classified as control risk by 67% or more of the auditors.Factors relating to generating sales from few customers, exposing to potentially significant liabilities, failure in obtaining relevant  information about the external environment, failure to support change of the company's business strategies, domination of competitors, and ineffective communication system that affect the assessment of business risk were all considered control risk factors by the majority of auditors.Table 4 shows that of the control risk factors, only 2 of the 10 factors were classified as business risk by 47% or more of the auditors.67% or more of the auditors could successfully distinguish 8 of 10 control risk factors.
It should be mentioned at this stage that despite the results showing consistency with the academic literature with regard to the assessment of business risk and audit risk components.In this regard, Wu et al. (2002) reported that there is some overlapping of business risk and inherent risk factors.In the same concern, Mock and Wright (1999) provided evidence that auditors may not be able to identify business risk factors under the conventional risk model.In the current study, the Libyan auditors considered most business risk factors to be control risk, but most of them could identify the ten control risk factors [25].This could signify that the Libyan auditors rely mostly on control risk in their assessment of the audit risk.The results of the data relating to the perceptions of Libyan auditors' to the degree of factors assessment were also largely consistent with the second hypothesis developed in this study lending support to the suggestion in the academic auditing literature that auditors can differentiate between high and low risk factors (e.g.Ritchie & Khorwatt, 2007).In this vein, Libyan auditors were able to divorce factors associated with a high level of risk from others associated with a low risk level.In this respect, out of the 28 factors, the majority of auditors (80%) succeeded in recognizing more than 14 factors and about 70% of auditors can identify 25 factors (see Table 1 and Table 2) giving support to the conclusion that the Libyan auditors could perceive the risk factors at a high level and a low level of risk.This could result in relying heavily on substantive testing in collecting evidence, and worries about negligence claims.On the basis of the above explanation, it can be mentioned that paying more attention to high risk factors than low ones and considering factors at a low level of risk as high risk factors might result in allocating more audit resources than necessary in the low risk areas.This could result in the over-auditing of low risk areas and possibly under-auditing of other high risk areas.Academic auditing literature indicates that developing a cost effective, risk-based audit approach requires that the auditor should be able to identify areas of greatest risk to be able to determine the nature, timing and the extent of the audit tests to be applied (see Houghton & Fogarty, 1991).

Conclusions
The empirical evidence of this research reported that the auditors could identify most control risk factors and fail to do the same with the majority of business risk factors.The majority of Libyan auditors considered most business risk factors as control risk factors.Although this result gives an impression that most Libyan auditors are not familiar with the concept of business risk, based on previous studies, this overlap between business risk factors and inherent and control risk factors lends support to the academic auditing literature which suggests that business and audit risk factors are interdependent.The conclusions of the Libyan auditors' responses on this issue are consistent with some previous studies.In this regard, Lemon et al. (2000) found out that the audit risk components assessment is significantly influenced by the client's business risk assessment.
The current study contributes evidence that, despite working in a different context, the Libyan auditors' busi-ness risk assessment does not differ from their counterparts in the UK and USA.In other words, the results of this study revealed no significant differences between Libyan auditors and their counterparts in developed countries in respect to their attitude to clients' business risk.

Table 1 .
The four outcomes of signal detection theory.

Table 2 .
The four outcomes of signal detection theory-the application on identifying business risk factors.

Table 3 .
Auditors' perceptions towards business risk factors.

Table 4 .
Auditors' perceptions towards control risk factors.