Chapter 8

Before we move on how to carry out audit testing (test of controls and substantive procedures), we
have to further explain some of the procedures that needs to be carried out at the planning stage. The
auditor must assess the risk (materially incorrect) attached to the audit opinion and the elements that
contribute to that risk.

This chapter looks at the auditor’s obligations with regard to assessing the risks that the company is
exposed to, with particular reference to those that will affect the financial statement assertions.

Learning outcomes 8.1.

Understand the importance of audit risk assessment and why it is linked to financial statement
assertions.

Audit risk assessment procedures

 are performed to obtain an understanding of the company and its environment, including
the company's internal control,
 to identify and assess the risks of material misstatement of the financial statements,
whether due to fraud or error.

Referring to the overall objectives of a financial statement audit, as described in paragraph 11 of ASA
200 Overall Objectives of the independent auditor and the conduct of an audit in accordance with
Australian auditing standards (ISA 200), ‘the auditor to express an opinion on whether the financial
report is prepared, in all material respects, in accordance with an applicable financial reporting
framework’.

As part of the audit planning stage, the auditor must obtain an understanding of the entity and its
environment, including internal controls in order to assess the risk that the financial statements contain
material misstatements (the information obtained is not only evidence to support the auditor's risk
assessment but also is used to determine the further audit procedures that are required)

Financial statement assertions referred as set of assertions about each transaction class and account
balances including items that are presented and disclosed which are made by the management of the
entity when preparing the financial statements.

Learning outcomes 8.2.

Explain the importance of business risks in audit planning

First of all, business risk defined as “risk resulting from significant conditions, events, circumstances,
actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute
its strategies, or from the setting of inappropriate objectives and strategies”.

For example

 damage by fire, flood or other natural disasters.

 unexpected financial loss due to an economic downturn, or bankruptcy of other businesses that
owe you money.
 loss of important suppliers or customers.
  decrease in market share because new competitors or products enter the market.
 High financial risk
 Cash flow issues
 High risk of theft and fraud
 Increase in production cost
 Lack of financing
 Decline in demand
 Loss of profitability
 Legal issues
 Increased competition
 Decrease in customers
 Over trading
 Political or economic instability

Having identified the business risks facing an organization, the auditor must consider the extent to
which these risks could lead to a material misstatement in the financial statements and to what extent
the company has implemented controls to reduce these risks.

A business risk approach allows the auditor

 Identify threats faced by the organisation

 Recognises that most business risks will eventually have an effect on the financial statement
 Increase the chances of identifying risks of material misstatements in the financial reports.

The in-depth understanding of the business that the auditor obtains in taking a business risk approach
should increase the chances that the auditor will identify the risks of material misstatement in the
financial statements and therefore improve the quality of the audit and the audit opinion. A well-
informed auditor is of significant benefit to the company, since he or she is able to provide better quality
advice to the company concerning the types of controls that could be implemented to reduce these risks

Business risk has three types

1. Financial risk
 Risks that arise from the company’s financial activities or the financial consequences.
For example, the going concern problems arising from poor performance, the credit risk
of not being able to collect debts and so on.

2. Compliance risk (aki iran te tua ma kainibaire)

 Risk that arise from non-compliance with laws, regulations, policies, procedures and
contract. For example, sued by a customer for supplying faculty goods, breaches of
health and safety requirement leads to the closure of the business
 3. Operational risk
 Risks that arise from the operations of the business. For example, no stock on hands
leads to loss of sales, disasters that affect the stock or machinery, loss of key and skills
staff and so on.

Learning Outcomes 8.3.

Describe the procedures performed by an auditor to assess risk

The work the auditor does in obtaining an understanding of the entity, includes obtaining an
understanding of business risks and the company's own risk assessment procedures. These procedures
are known as discussions with management (enquires) as well as performing analytical procedures,
making observations of processes in action and inspecting relevant documents (observations and
inspecting).

Learning outcomes 8.4.

Understand the importance of internal control of an entity and its independent auditors

Generally, as companies grown in size and complexity, the importance of internal control within those
companies has also grown. This is because the size and the complexity have made it difficult for
managers and those charged with governance to manage the company’s risks without appropriate
control systems in place. Similarly, the growth in size and complexity of companies has meant that for
auditors to provide assurance, some reliance on these controls is usually needed.

The fundamental concept of internal control

Internal control defined as “a process, effected by an entity's board of directors, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of objectives
relating to operations, reporting, and compliance.”

• Internal control is a process. It is a means to an end, not an end in itself. It consists of a series of
actions that are pervasive and integrated with, not added onto, an entity’s infrastructure.

• Internal control is effected by people. It is not achieved merely by having policy manuals and
forms, but by the actions and attitudes of people at every level of an organisation, including the
board of directors and management.

• Internal control can be expected to provide only reasonable assurance, not absolute
assurance, for an entity’s management and board. This is because limitations are inherent in all
internal control systems and because the entity must consider the relative costs and benefits of
establishing controls.

• Internal control is geared to the achievement of objectives in the categories of operations,

reporting and compliance.
Internal control systems

 Control environment
 Risk assessment processes
 Information system
 Control activities
 Monitoring of controls.

Learning outcomes 8.5.

Indicate the procedures for obtaining and documenting an understanding of the entity’s internal control.

A sufficient understanding of internal control is essential for an effective audit because it informs the
auditor about where misstatements are likely to occur

a. Procedures to obtain an understanding

 Reviewing previous experience with the entity
 Enquiring of appropriate management, supervisory and staff personnel
 Inspecting documents and records
 Observing entity activities and operations

b. Documenting the understanding

Internal Control Questionnaire (ICQ):

 Consists of a series of questions about accounting and control policies and procedures
the auditor considers necessary to prevent material misstatements in the financial
statements.
Flow chart:
 Is a schematic diagram that uses standardised symbols, interconnecting flow lines and
annotations to portray the steps involved in processing information through the
information system
Narrative memoranda
 May be used to supplement other forms of documentation by summarising the auditor’s
overall understanding of the information system or specific control policies or
procedures.
 In small entities, a narrative memorandum may serve as the only documentation of the
auditor’s understanding.

Learning Outcomes 8.6.

Explain why and how a preliminary assessment of control risk is made

First of all, control risk defined as “is the risk that a material misstatement could occur in an assertion,
either individually or when aggregated with other misstatements, and not be prevented, detected, or
corrected on a timely basis by the entity's internal control structure”.
a. Why a preliminary assessment of control risk is made

The auditor uses preliminary assessment to assess the strengths and weaknesses of those internal
controls and the level of control risk.

• Purpose of preliminary assessment:

– Assessment to obtain a reasonable expectation of controls in place decide on

appropriate audit strategy so as to design a detailed audit program.

How preliminary control risk is made

Assessing control risk

 Evaluating the effectiveness of the design and operation of an entity’s internal controls in
preventing or detecting material misstatements in the financial statements

These are the steps:

– assess the control environment

– assess the design effectiveness of control procedures and their ability to prevent or
correct misstatement

– assess whether controls were effectively applied throughout the period under audit.

Learning outcomes 8.7.

Explain the importance of the concept audit risk and its three components

Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial
statements are materially misstated

Audit risk is commonly assessed within three components:

• inherent risk - is the possibility that a material misstatement could occur in an assertion,
either individually or when aggregated with other misstatements, assuming there are no
related controls

• control risk - is the risk that a material misstatement could occur in an assertion, either
individually or when aggregated with other misstatements, and not be prevented,
detected, or corrected on a timely basis by the entity’s internal control structure

• detection risk - is the risk that an auditor’s substantive procedures will not detect any
material misstatements that exist in an assertion, either individually or when aggregated
with other misstatements