Expected Learning Outcomes

After studying this chapter, you should be able to:

I. Understand the concept of risk-based audit approach.

2. Know the factors to be considered in implementing the risk-based
audit model.
3. Understand the limitation in applying the risk-based audit
model.
4. Distinguish between risk-based audit and account-based audit.
5. Discuss the activities in risk-based audit.
6. Identify the PSAs to be applied in the activities in the risk based
audit.
 CHAPTER 8
OVERVIEW OF RISK-BASED

AUDIT PROCESS

INTRODUCTION

Risk-Based Audit Approach Defined

Risk-based-audit-approach is an audit approach that, begins with an

assessment of the types and likelihood of misstatements in account balance
and then adjusts the amount and type of audit work, to the -likelihood of
material. misstatements occurring in account balances.

Given the rapidly changing environment in which today's businesses operate,

management, internal auditors and external auditors must focus on the risks to the
entity's operations and ensure controls are in place to eliminate, mitigate, or
compensate for those risks.

Many public accounting firms find themselves using a risk-based auditing

approach that employs a top-down evaluation of the client's risk that goes
beyond the financial statements. For instance, audit teams now devote a
significant amount of their engagement planning to their clients' business risks
(i.e., the risks that the client will fail to achieve its objectives). Firms
adopting this approach believe they must learn more about their clients'
strategies and processes to understand whether the financial statements are
fairly presented.

Under this approach, the auditor performs the following

1. Identification of the client's strategy and the processes for developing

that strategy.
Examination of the core business process and resource management.
 Overview ofRisk-Based Audit Process 201
Identification for each of the key processes (as well as sub-processes) the
objectives, inputs, activities, outputs, systems and transactions.
4. Assessment of the risks that the processes will not meet the goals and
controls related to those risks.

FACTORS TO CONSIDER IN IMPLEMENTING THE AUDIT RISK MODEL

The following general observations on an audit client influence the implementation

of the audit risk model:

1. High-risk activities

• This includes operations or events where a material •misstatement

could easily occur. For example, an inventory of high-value
diamonds or gold bars held by a jeweler, or a new / complex
accounting system being introduced.

2. Existence of large non-routine transactions

• Identified significant related party transactions outside the entity's

normal course of business are to be treated as giving rise to significant
risks. This includes infrequent and large transactions. For example:

Unusual volume of routine transactions with a related party;

A major sales or supply contract;
The purchase or of major business assets or business segments; and

Sale of the business to a third party.

• Routine non-complex transactions that are subject to systematic processing are
less likely to give rise to significant risks.

3. Matters requiring judgment or management intervention

• Examples would include:
 The assumptions and calculations used by management in developing
major estimates;
Complex calculations or accounting principles;
Revenue recognition (presumed to be a significant risk)
that is subject to differing interpretation;
Where management intervention is required to specify the
accounting treatment to be used
203 Chåpter
4. Potential for fraud

• The risk of not detecting a material misstatement resulting from

fraud (which is intentional and deliberately concealed) is higher than
the risk of not detecting one resulting from error.

• In evaluating whether significant risk could result from the

identified fraud risk factors and the possible scenarios and schemes
identified in team discussions. consider the following:
+ Skillfulness of the potential perpetrator;
+ Relative size of individual amount manipulated;
+ Level of authority of management or employee to:

• directly or indirectly manipulate accounting records, and override

control procedures;

• significant fraud risks may be identified at any stage in the audit.as a

result of new information being obtained.

LIMITATION OF THE AUDIT RISK MODEL

Audit risk is a concept that drives the auditor's thinking about planning the audit
and then executing an audit. The illustrations are designed to provide guidance,
but should not be applied rotely to any audit client.

CPA firms in determining their approach to implementing the audit risk model
should consider the following limitations:
a) Inherent risk is difficult to formally assess. Some transactions
because Of their complexity are more susceptible to error but it
is quite difficult to assess that level of risk independent of the client's
accounting system.
b) The model treats each risk component as separate and independent when
in fact the components are not independent. It is also quite difficult to
separate a client's material controls and inherent risk.
C) Audit risk is judgmentally determined.
d) Audit technology is not so fully developed that each component of the
model can be accurately assessed. Auditing is based on testing and precise
estimates of the model's components are not possible. Auditors can, however,
make subjective assessments and use the audit risk model as guide.
 204 Chapter 8

RISK-BASED AUDIT VS. ACCOUNT-BASED AUDIT

In account-based auditing, auditors first obtain an understanding of control and
assess control risk for particular types of error and frauds in specific accounts
and cycle.

In risk-based audit, the audit team views all activities in the organization first in
terms of risks to strategies and objectives and then in terms of management's
plans and processes to mitigate the risk. The auditors obtain an understanding of
the client's objectives. Then risks are identified and the auditors determine
how management plans to mitigate the risk and whether those plans are in place
and operating effectively.

THE RISK - BASED AUDIT PROCESS

Although specific audit procedures vary from one engagement to the next,
the following stages are involved in every engagement:

Phase I. Risk Assessment

This phase involves the following activities:

a. Performance of preliminary engagement activities to decide whether to
accept / continue an audit engagement.
b. Planning the audit to develop an overall audit strategy and audit plan.
c. Performance of risk assessment procedures to identify / assess risk of
material misstatement through understanding the entity.

Phase II. Risk Response

This phase covers the following activities:

a. Designing overall responses and further audit procedures to develop appropriate
responses to the assessed risk of material misstatement.
b. Implementing responses to assessed risk of material misstatement to reduce audit
risk to an acceptably low level.
 Overview ofRisk-Based Audit Process 205
Phase III. Reporting

This phase involves the following activities:

a. Evaluating the audit evidence obtained to determine what additional audit
work (if any) is required.
b. Forming an opinion based on audit findings and preparing the auditor's
report.

The audit approach discussed in this book has been divided into three phases. This
is illustrated in Figure 8-2. For each of the Audit phases the diagram outlines the
major activities, their purpose and the resulting documentation.

The audit process is primarily an evidence-gathering process. As we discussed

previously, the audit process can be viewed as having three phases:
1. Risk assessment
2. Risk response
3. Reporting
Although in theory the audit process can be divided into the three distinct phases,
the actual performance of the engagement may not occur in that particular order.
Issuing a report is, of course, always the final phqse, but the other two phases are
more fluid. During the engagement, the auditor may obtain information that
necessitates modifying the audit program or accumulating additional evidence. Or
the auditor may proceed to gather evidence and then go back to planning. For
example, auditors often finalize the audit program after performing the tests of
controls. However, the structure assists in understanding the audit process.

The auditor's standard report states, "We conducted Our audits in accordance
with Philippine Standards on Auditing. Those standards require that we
comply with the ethical requirements and plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free of
material misstatements."

The phrase reasonable assurance is intended to inform the users that auditors do not
guarantee or insure the fair presentation of the financial statements. This phrase
communicates that there is some risk that the financial statements are not fairly stated
even when the opinion of the auditor is unqualified.

The phrase free of material misstatement is intended to inform the users that
the auditor’s responsibility is limited to material financial information.
 206 Chapter 8
Materiality is important because it is impractical for auditors to provide
assurance on immaterial amounts. Thus, materiality and risk are fundamental
concepts that are important to planning the audit and designing the audit
approach.

Figure 8-2: Risk-Based Audit Process*

Perform preliminary
engagement Decide whether to Listing of risk factors
activities accept engagemeny Independence
z Engagement letter
Materiality
Plan the audit Develop an overall audi
strategy and audit pl Audit team discussions
Overall audit strat
Perform risk
Identify / assess Business and fraud risk
assessment RMM" through
including significant risks
rocedures understandin the enti
Risk ofMaterial
Design / Implementation of
relevant internal

Assessed RMM at
• FIS Level
• Assertion le

Update of overall strategy

Design overall Develop appropriate • Overall responses

responses and responses to the • Audit plan that links

z
o
a. further audit assessed RMM assessed RMM to
procedures further audit procedures

Implement uceau I ns o
responses to assessed acceptably low level Work performed;
RMM Audit finfigs

• New I revised risk

factors and audit
procedures
Determine what • Changes in materiality
 Overview ofRisk-Based Audit Process 207
Evaluate the audit additional audit work • Communications on

evidehce obtained (if any) is required audit findings

z • Conclusions on audit
Yes procedures performed
o
Is additional work
required?
No
Significant decisions
Prepare the Auditors Form an opinion
on audit findin s Signed audit opinion
re
Adamedfrom "Gulde to using Intemational Standards ofAudttmg m the ofSmall mdMedtum Seed Entitles" Volumes
ll. Core ProclicalAmljcauon". C November 2016 by IFAC. All rights reserved Used of11UC.

RELEVANT PHILIPPINE STANDARDS ON AUDITING (PSAs) TO BE USED IN THE

RISK-BASED AUDIT PROCESS
GUIDANCE ON FUNDAMENTAL CONCEPTS

TOPIC A licable PSA s

General Principles PSA 200, Overall Objectives of the Independent Auditor and
the Conduct ofan Audit in Accordance with Intemational
Standards on Auditin
Qualit Control PSA 200, Qualit Control for an audit of Financial Statements
Management Assertions PSA 315, Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its
Environment (Newly Revised Standard effective for audits of
financial statements forperiods ending on or after December
15, 2013
Audit Evidence PSA 500, Audit Evidence
Audit Documentation PSA 230, Audit Documentation

PHASE I - RISK ASSESSMENT INCLUDING MAKING CLIENT ACCEPTANCE

AND CONTINUANCE DECISIONS

Client Acceptance and PSA 210, Agreeing the Terms ofAudit Engagements
Continuance
Considering Fraud PSA 240, The Auditor's Responsibilities Relating to Fraud in
an Audit ofFinancial Statements
 208 Chapter 8
Consideration of Laws
and Regulations in
Planning the Audit
Plannin an Audit
Assessing Risk of Material
Misstatements
Plannin Audit Procedures
Understanding Related Parties PSA 550, Related Parties
PSA 250, Consideration ofLaws and Regulations in an Audit
of Financial Statements
PSA 300;Plannin an Audit ofFinancial Statements
PSA 315, Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and its
Environment (Newly Revised Standard effective for audits of
financial statements for periods ending on or after
December 15, 2013)
PSA 320, Materialit inPlanni andPedomi anAudit
PSA 330, The Auditor's Res onses to Assessed Risks

with those PSA 260, Communication with Those Charged with Govemance
Charged Govemance about
the Audit Pian

PHASE Il - RISK RESPONSE

Testing Controls for the PSA 330, The Auditor's Responses to Assessed Risks
Financial Statement Audit
Audit Sampling for Tests of PSA 530, Audit Sampling
Controls
Testing Controls in an
Inte rated Audit
 Overview ofRisk-Based Audit Process 209
Obtaining Evidence about PSA 250, Consideration-ofLaws and Regulations in an Audit of
Compliances with Laws Financial Statements
and Re ulations

Substantive Audit PSA 330, The Auditor's Responses to Assessed

Procedures Risks PSA 500, Audit Evidence
Audit Evidence regarding the PSA 501 , Audit Evidence Specific Considerations for Selected
a. Valuation of Items
investments in
securities and
derivative
instruments;
b. Existence and
condition of
inventory;
c. Completenes
s of
litigation,
claims, and
assessments
involving the
entity; and
d. Presentation and
disclosure of
segment information,
in accordance with
the applicable
financial reporting
framework

External Confirmations PSA 505, Extemal Confirmations

Audit Sampling for PSA 530, Audit Sampling
Substantive Tests
Obtaining Evidence about PSA 550, Related Parties
Related Parties
Auditing Accounting PSA 540, Auditing Accounting Estimates, Including Fair Value
Estimates Accounti Estimates end relate Disclosures
 210 Chapter 8
Analytical Procedures as a PSA 520, Analytical Procedures
Substantive Test
Using an Auditors PSA 620, Using the Work of an Auditors Exped
Specialist/ Ex rt

PHASE Ill -
REPORTING

Evaluating the PSA 250, Consideration of Laws and Regulation in an Audit

Implications of of Financial Statements
Noncompliance with
Laws and R ulations
Evaluating Financial PSA 450, Evaluation of Misstatements Identified during the Aldit
Statement Misstatements
Subs uent Events PSA 560, Subse uent Events
Disclosures about Related PSA 550, Related Parties
Parties
Goin Concem PSA 570, Goin Concern
Management PSA 580, Written Representations
Re resentations

Omitted Procedures
Communicating with those PSA 260, Communication with Those Charged with
Cha ed with Governance Govemance
Su rvision
En a ement Qualit Review

Audit Opinions PSA 700, Forming an Opinion and Reporting on Financial

Statements
Audit Opinion PSA 705, Modifications to the Opinion in the Independent Auditor's
Modifications Re ort
Matter Paragraphs in the PSA 706, Emphasis ofMatter Paragraphs and Other Matter
Audit Re rt Para ra hsin the Inde endentAuditor's Re ort
Special Considerations PSA 800, Special Considerations - Audits of Financial
Statements Prepared in Accordance with Special Purpose
Frameworks
PSA 805, Special Considerations - Audits of Single Financial
Statements and Specific Elements, Accounts or Items of a
Financial Statement
Overview ofRisk-Based Audit Process 211
 Overview Risk-Based Audit Process 212
UNDERSTANDING THE AUDIT RISK MODEL

Nature of Risk

Risk is a concept used to express uncertainty about events and/or their outcomes
that could have a material effect on the organization.

The four critical components of risk that are relevant to conducting the audit are:

l . Audit risk that an auditor may give an unqualified opinion on financial

statements that are materially misstated.
2. Engagement Risk. The economic risk that a CPA Firm is exposed to
simply because it is associated with a particular client including loss
of reputation, inability of the client to pay the auditor, or financial
loss because management is not honest and inhibits the audit
process. Engagement risk is controlled by careful selection and
retention of client.
3. Financial reporting risk The risks that relate directly to the recording
of transactions and the presentation of financial data in an
organization's financial statements.
4. Business Risk. Those risks that affect the operations and potential
outcomes of organizational activities.
Audit risk is defined as the risk that the auditor fails to find material misstatements
in the client’s financial statements and thereby inappropriately issues an unqualified
opinion on the financial statements. The auditor can control audit risk in two
different ways:
1. Avoid audit risk by not accepting certain companies as client, i.e. reduce
engagement risk to zero.

2. Set audit risk at a level that the auditor believes will mitigate the likelihood
that the auditor will fail to identify material misstatements.

In controlling audit risk, the auditor must recognize that it is not possible to ever
completely eliminate audit risk, but it can be reduced by doing more work.
However, doing more work raises audit fees, which may create tension with the
client and its management.
 Overview ofRisk-Based Audit Process
At the broadest level, business risk and financial reporting risk originate with
the audit client and its environment, and these risks then affect the auditor's
engagement risk and audit risk. The effectiveness of risk management processes
will determine whether a company or audit firm continues to exist.

A number of factors affect a client's business risk. For example, the overall
economic climate - favorable or unfavorable - can have a tremendous effect on
the organization's ability to operate effectively. Economic downturn,
technological change, competitor actions, new product lines also affect business
risk.
Financial reporting risk could arise from issues such as asset impairments, mark-
to-market accounting, warranties, pensions, estimates as well as competence
and integrity of management and its incentives to misstate the financial
statements.
Business risk and financial reporting risk may affect each other. For instance,
management facing strong competition and weak financial results may be
motivated to circumvent a weak internal control system or to take advantage of
complex financial instruments to achieve desired financial reporting results that
do not necessarily portray economic reality. Audit firms have discovered that
being associated with companies with poor integrity creates risk that can destroy
the audit firm or significantly increase the cost of conducting the audit.

Figure 9-3 illustrates the relationship among these risks.

 214 Chapter 8

21 1

The following considerations are important in integrating the concepts of materiality

and risk in the conduct of a risk-based audit:
Risky areas of a business must be identified by the auditors to determine which
account balances are more prone to material misstatements, how the
misstatements might occur and how a client might be able to cover them up.
(2) Auditors need to develop approaches and methodologies to allocate overall
assessments of materiality to individual account balances because some
account balances may be more important to users.
Audits involve testing or sampling and thus cannot provide absolute
(100%) assurance that the financial statements are free of material
misstatements without inordinately driving up the cost of audits.
 Overview ofRisk-Based Audit Process
(4) Not all clients are worth accepting. Since audits rely on testing and to
some extent on the integrity of management, there are some clients
that an audit firm should not accept because the engagement risk is too
high.
(5) Competition for clients among audit firms isbigh. Clients choose auditors
based on a number of factors including fees, service, industry knowledge,
personal rapport and ability to assist the client.
f) Auditors should understand society's expectations of financial reporting to
reduce audit risk to an acceptably low level- and therefore minimize
lawsuits that the users may possibly bring forth.

Although audit risk is a concept, it is often illustrated using quantitative

examples. For instance, the relationship between engagement risk and audit risk
may be presented as follows:
En a ement Risk
Hi h Moderate Low
Audit Risk Do not accept client Set very low Set within professional
(1%) standards but can be higher
than companies with higher
engagement risk (5%)

• Setting audit risk at 1% is equivalent to performing a statistical test

using 99% confidence level. Audit risk set at 1% implies that the
auditor is willing to take a 1% chance of issuing an unqualified
opinion on materially misstated financial statements.
216
ter8
Cha

• Audit risk set at 5% implies that the auditor is willing to take a 50/9
chance of issuing an unqualified opinion on materially misstated
financial statements.

• High levels of audit risk are appropriate for client with lower levels of
engagement risk:

Based on the assessment of engagement risk, the auditor sets the desired audit
risk. Audit risk oftentimes illustrated using numeric or quantitative examples. In
fact many audit firms use the measures associated with statistical sampling to set
audit risk, e.g., setting audit risk at a 1% level for high-risk clients and 5% for
lower-risk clients. Other auditing firms use a broader description of audit risk as
high, moderate or low and adjust the nature of their audit procedures accordingly.

REVIEW QUESTIONS

Questions

Define and describe the risk-based audit process.

2. Compare the risk-based audit approach and account. based audit approach.

3. Give and explain four (4) factors to consider in implementing the risk-based
audit model.

4. Give two (2) limitations of the risk-based audit model.

5. Describe the three (3) stages of the risk-based audit process.

6. How does an audit enhance the quality of financial statements and

management's reports on internal control? Does an audit guarantee a fair
presentation of a company's financial statements?
213
 Overview of Risk-Based Audit Process
Multiple Choice Questions

Which of the following is included as part of the principles governing an audit?

a. Auditors need to obtain a high level of assurance that the financial
statements are free of all misstatements.
b. An audit has inherent limitations such that auditor cannot
provide absolute assurance about whether the financial
statements are free of misstatement.
c. Auditors need to maintain professional skepticism only on audits
where there is a high risk of material misstatement.
d. All of the above are included as part of the principles governing an
audit.

2. Which of the following statements is true about the audit opinion

formulation process?
a. The audit opinion formulation process is significantly different for
the financial statement only audit and the integrated audit.
b. The audit opinion formulation process is based on the premise
that management has responsibility to prepare the financial
statements and maintain internal control over financial
reporting.
c. The audit opinion formulation process is comprised of seven phases.

d. All of the above are true statements regarding the audit opinion
formulation process.

3. Which of the following activities is not part of the activities within the audit
opinion formulation process?
a. The auditor develops a common understanding of the audit engagement with
the client
b. the auditor determines the appropriate nonaudit consulting services to
provide to the client.

c. The auditor identifies and assess risks of material misstatements and then
responds to those identified risks.
d. The auditor determines the appropriate audit opinion(s) to issue.

4. Which of the following is not one of the management assertions?

218
a. Completeness
b. Existence
c. Rights and obligations
d. They are all management assertions.

5. Which management assertion addresses whether the components of the

financial statements are properly classified, described, and disclosed?
a. Completeness c. Rights and obligations
b. Existence d. Presentation and disclosure

6. Which of the following is a true statement regarding audit evidence and

audit procedures?
a. The auditor has a responsibility to design and perform audit
procedures to obtain sufficient appropriate audit evidence.
b. Inquiry is a type of audit procedure that typically does not require
corroborating evidence.
c. The audit procedures that are performed during an audit are
summarized in a document referred to as an audit engagement letter.
d. Reperformance involves checking the mathematical accuracy of a
document or record, such as an inventory count sheet.

7. Which of the following items should be included in audit documentation?

a. Procedures performed
b. Audit evidence examined
c. Conclusions reached with respect to relevant financial statement
assertions
d. All of the above should be included
8. Which of the following statements is a false statement regarding audit
documentation?
a. An audit program is an example of audit documentation.
b. The only purpose of audit documentation is to provide evidence that
the audit was planned and performed in accordance with auditing
standards.
c. Audit documentation helps facilitate internal and external inspections of
completed audits.
 Overview of Risk-Based Audit Process
d. All of the above statements are true.

9. Which of the following procedures is least likely to be performed during the

final phase of the audit opinion formulation process?
a. Assessment of misstatements detected during the performance Of
substantive procedures and tests of controls.
b. Performance of preliminary analytical review procedures.
c. Performance of an engagement quality review.
d. Determination of the appropriate audit opinion(s) to issue.

10. Which Of the following factors does not create a demand for external audit
services?
a. Potential bias by management in providing information,
b. Requirement of PICPA.•
c. Complexity of the accounting processing systems.
d. Remoteness between a user and the organization.

11. Which of the following expectations can users of the audit report reasonably
expect with regards to the audited financial statements?
a. The financial statements include all financial disclosures desired by users.

b. The financial statements are presented fairly according to the substance

of PFRS.
c. The financial statements are free from all errors.
d. All of the above are reasonable expectations.

12. Which of the following parties are involved in preparing and auditing financial
statements?
a. Management
b. Audit committee
c. Internal audit function
d. External auditor

13. Which of the following are the responsibilities of the external auditor in
auditing financial statements?
a. Maintaining internal controls and preparing financial reports
 220
b. Providing internal assurance on internal control and financial reports
c. Providing internal oversight of the reporting process
d. None of the above.

14. In terms of technical knowledge and expertise, which of the following should
external auditors do?
a. Understand accounting and auditing authoritative literature.
b. Develop industry and client-specific knowledge.
c. Develop and apply computer skills.
d. All of the above.