financial statements relevant to CAT Paper 8 (UK) and (INT) and ACCA Qualification Papers F8 and P7 (UK) and (INT)
risk

The approach adopted by an audit firm to a specified audit assignment will be a key factor in determining the outcome of the audit. If auditors fail to adopt the correct audit approach then the likelihood of audit failure increases, failure which could lead to a damaged reputation and potentially costly litigation against the firm.

This article is the first of a series on risk-based auditing and audit evidence.

AUDIT APPROACHES

Essentially there are four different audit approaches:
the substantive procedures approach
the balance sheet approach
the systems-based approach
the risk-based approach.

The substantive procedures approach

This is also referred to as the vouching approach or the direct verification approach. In this approach, audit resources are targeted on testing large volumes of transactions and account balances without any particular focus on specified areas of the financial statements.

The balance sheet approach

In this approach, substantive procedures are focused on balance sheet (statement of financial position) accounts, with only very limited procedures being carried out on income statement/profit and loss account items. The justification for this approach is the notion that if the relevant management assertions for all balance sheet (statement of financial position) accounts are tested and verified, then the profit/loss figure reported for the accounting period will not be materially misstated.

The systems-based approach

This approach requires auditors to assess the effectiveness of the internal controls of an entity, and then to direct substantive procedures primarily to those areas where it is considered that systems objectives will not be met. Reduced testing is carried out in those areas where it is considered systems objectives will be met.

The risk-based approach

In this approach, audit resources are directed towards those areas of the financial statements that may contain misstatements (either by error or omission) as a consequence of the risks faced by the business.

ADOPTING A RISK-BASED APPROACH

Given the nature of the audit process, every audit assignment presents a different challenge to an audit firm, with no two audit assignments being the same. For example, no two entities are the same in terms of business sector, location, size, employees, governance issues, ethos, and complexity of operations. There is no one single approach to auditing which ensures the performance of a perfect audit. However, it is generally accepted that for most entities of size, the risk-based audit approach will minimise the possibility of audit objectives not being met. Consequently ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment (Redrafted) [1], compels auditors to adopt a risk-based approach to audits. In so doing, it requires auditors to make risk assessments of material misstatements at the financial statement and assertion levels, based on an appropriate understanding of the entity and its environment, including internal controls. Students should be familiar with the assertions made by management, as described in ISA 500, Audit Evidence [2], and these will be covered in a separate article.

As the auditor is required to focus on the entity and its environment when making risk assessments, this is known as the ‘top down’ approach to identifying risks, and students should become familiar with this term. The word ‘top’ refers to the day-to-day operations of the entity and the environment in which it operates; ‘down’ refers to the financial statements of the entity. In summary, this approach requires auditors to identify the key day-to-day risks faced by a business, to consider the impact these risks could have on the financial statements, and then to plan their audit procedures accordingly.

For this reason, the approach is often referred to as the ‘business risk approach’. When adopting this approach, in order to facilitate the identification of risks and the assessment of their effect on the financial statements, risks are categorised as:
financial risks – such as cash flow risks
compliance risks – such as breaching of laws and regulations risk
operational risks – such as loss of key employee risk and loss of data risk.

Specific use of the business risk approach to an audit will be covered in the second article of this series. The ultimate objective of adopting the business risk approach is to reduce audit risk – the risk that the auditor will give an inappropriate opinion on the financial statements. Students should therefore appreciate how business risk is linked to audit risk and how the business risk approach is integral to the use of the audit risk model when planning audit work.

FINANCIAL STATEMENT/DETECTION RISK

Students should be aware that audit risk is a function of financial statement risk (the risk that the financial statements are materially misstated), and detection risk (the risk that the auditor will not detect such misstatements).

Financial statement risk

This has two components – inherent risk and control risk.

Inherent risk is the susceptibility of an assertion to a misstatement which could be material (individually or when aggregated with other misstatements), assuming that there were no related internal controls. It is limited either to the nature of the item in the financial statements under review, such as a provision which is estimated, or the nature of the entity and the industry in which it operates (for example a retail chain in the fashion industry). A ‘top down’ business risk approach will be particularly pertinent when identifying inherent risks falling into the latter category.

Control risk is the risk that a misstatement that could occur in an assertion and that could be material individually or when aggregated with other misstatements will not be prevented or detected and corrected on a timely basis by the internal control. Auditors consider the control environment of an entity together with detailed control activities and systems objectives in assessing the control risk for a specified area of the financial statements.

It is important to appreciate that the auditor has no control over the extent of either inherent or control risk; these are risks borne by the entity subject to audit. However, the auditor has to assess them in the process of determining the extent of the detailed substantive procedures to be carried out.

Detection risk

This is simply the risk that the auditor’s procedures will not detect a misstatement that exists in an assertion that could be material (individually or when aggregated with other misstatements). Given that auditors use their judgement in determining levels of applicable inherent risk and control risk, clearly the auditor’s input does impact on the level of detection risk allowed. In fact, auditors manage the overall level of audit risk that they are prepared to accept on a given audit assignment by not only determining the nature and extent of the procedures and testing to be carried out, but also by allocating an appropriate level of audit resource to the assignment.

THE AUDIT RISK MODEL

The formula for the audit risk model is:

Audit risk = Inherent risk x Control risk x Detection risk

From the above, it is apparent that if percentage values can be assessed for both inherent risk and control risk, then for a desired level of (acceptable) audit risk, a prescribed level of detection risk can be set and thus the extent of required substantive procedures can be determined.

For example, if an audit firm works to a desired audit risk level of 5%, then for a given area of the financial statements where inherent risk and control risk factors have been assessed as 80% and 25% respectively, the required level of detection risk would need to be set at 25% (ie 0.05 = 0.8 x 0.25 x 0.25). Remember, the higher the level of prescribed detection risk then the lower the level of substantive procedures and audit resources, and vice-versa.

Irrespective of the level at which audit risk is set, detection risk has an inverse relationship with financial statement risk – the lower the financial statement risk then the higher the detection risk and consequently, the lower the level of detailed testing required.

It should be noted that once the prescribed level of detection risk has been set, audit firms may use manual tables as a guide to the size of samples to be tested, or – particularly for larger and more complex audits – will use dedicated computer software.

CONCLUSION

Having set out the fundamental points of a risk-based approach to auditing, the second article in this series will cover various aspects of audit planning and documentation where a risk-based approach has been adopted.

NOTES

[1] In the UK, refer to ISA 315 (UK and Ireland), Obtaining an understanding of the entity and its environment and assessing the risks of material misstatement.
[2] In the UK, refer to ISA 500 (UK and Ireland), Audit evidence.

Brian Pine is examiner for CAT Paper 8

student accountant February 2008