
Chapter 8 – Identifying and Assessing Risk

Objective: To describe how the auditor, through understanding the entity, aims to minimise audit
risk.

1.0 Introduction
The relevant standard is ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material
Misstatement.
Key point

The auditor must identify and assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement.

1.1 Steps
The steps required in identifying and assessing the risks of material misstatements can be
summarised as follows:
1. Design and perform risk assessment procedures to obtain an understanding of:
• the entity and its environment;
• the applicable financial reporting framework and the entity’s accounting policies;
• inherent risk factors.

Definition

Inherent risk factors – characteristics of events or conditions that affect susceptibility to
misstatement, whether due to fraud or error, of an assertion about a class of transactions, account
balance or disclosure, before consideration of controls.

2. Evaluate whether the entity’s accounting policies are appropriate and consistent with the
applicable financial reporting framework.
3. Obtain an understanding of the components of the entity’s system of internal control (Chapter 9).

4. Identify the risks of material misstatements and determine whether they exist at:
• the assertion level (i.e. affecting material classes of transactions, account balances and
their related disclosures); or
• the financial statement level (i.e. affecting the financial statements).

5. Assess the identified risks including whether any are significant risks.
5a. Optional. Assess control risk if the auditor plans to test the operating effectiveness of controls
(see s.3.5).
6. Plan, design and perform appropriate audit procedures in response to identified risks as
required by ISA 330 The Auditor’s Responses to Assessed Risks.
In summary, the auditor must:
• understand the entity and its environment to assess the risk of material misstatement (RoMM)
in the financial statements; then
• devise a work programme to test whether such misstatements have arisen (ISA 330 and ISA
500 Audit Evidence).

1.2 Obtaining an Initial Understanding


The auditor obtains an understanding of the entity and its environment and the applicable financial
reporting framework by performing risk assessment procedures.

Definition

Risk assessment procedures – audit procedures designed and performed to identify and assess
the risks of material misstatement, whether due to fraud or error, at the financial statement and
assertion levels.

Risk assessment procedures include inquiries, observation and inspection and analytical
procedures. Observation and inspection are required to support, corroborate or contradict inquiries
and provide information.

Inquire
• Of TCWG, management and others (including internal audit).

Observe
• Day-to-day activities and operations.
• Behaviours and actions of management or TCWG (e.g. observe an audit committee meeting).

Inspect
• External sources of industrial, legal and economic conditions and events (e.g. trade
journals, credit rating agencies, financial press).
• Internal documents (e.g. business plans), accounting records and procedure manuals.
• The entity’s premises and plant facilities.
• Reports prepared by management (e.g. monthly management accounts) and TCWG
(e.g. board minutes, audit committee reports).

Analytical procedure
• Internal and external information; current and prior financial history; financial and
non-financial information.
• Key performance indicators and activity against similar companies.
• Identifying unusual transactions, amounts, relationships, ratios and trends.
• See Chapter 16 for further details.

Example 1 Inquiries

Inquiry to: TCWG
Reason: To understand the extent of their oversight over the preparation of the financial
statements by management.

Inquiry to: Employees who initiate, process or record complex/unusual transactions
Reason: To evaluate the appropriateness of the selection and application of specific accounting
policies.

Inquiry to: In-house legal counsel
Reason: To obtain information about litigation, compliance with laws and regulations, knowledge
of fraud/suspected fraud, warranties, after-sale obligations and the meaning of contractual terms.

Inquiry to: Marketing or sales personnel
Reason: To obtain information about changes in marketing strategies, sales trends or contractual
arrangements with customers.

Inquiry to: Risk management function
Reason: To obtain information about operational and regulatory risks that may affect financial
reporting.

Inquiry to: IT personnel
Reason: To obtain information about system changes, system or control failures or other
IT-related risks.

1.3 Audit Team Discussions


Discussions should be held between the senior and key members of the engagement team (at least)
about the susceptibility of the financial statements to material misstatement, including fraud risk
(see Chapter 11).
Key Point

Discussions must be documented along with the decisions made and the implications for the audit
approach.

By holding such discussions:


• the more experienced engagement team members brief other members and share their
insights based on their knowledge of the entity and audit experience;
• information can be exchanged about the entity's risks and how and where the financial
statements might be susceptible to material misstatement;
• the audit team obtains a better understanding of the potential for material misstatements
resulting from fraud or error in the specific areas assigned to them; and
• the audit team understands how the results of the audit procedures that they perform may
affect other aspects of the audit, including the decisions about the nature, timing and extent of
further audit procedures.
Team members not involved in the discussions must be informed of the outcomes and specific
effects on areas relevant to their responsibilities. This is usually achieved through a client planning
memorandum.
Example 2 Team Discussion

Bladd & Co holds an initial risk assessment meeting for the audit of WWQ Co, a client for which the firm has
been the auditor for a few years.
Certain factors identified during the year give rise to risks of material misstatement for this
year’s audit, and the engagement partner wants senior members of the engagement team
to be fully aware of these risks.
There has been an observed worsening of WWQ’s current and quick ratios, accompanied by rapid growth in
revenues. The engagement team feels this carries significant risk, both for material misstatement and
potential going concern issues.
The engagement partner also shared with the team that he was informed by the board of WWQ that they would
be expanding and diversifying the business to include real estate development and sale and had acquired land
and broken ground for the construction of a property. The engagement partner informs his team that this is an
area of significant risk due to the issue of revenue recognition and capitalisation of assets since the project has
been financed by debt. It is also unclear what operational and financial controls WWQ has over this division.

1.4 Sources of Information


Audit evidence is obtained through risk assessment procedures from multiple sources, including the
entity, the auditor’s acceptance or continuation procedures, previous audits and third parties (e.g.
regulators).
Activity 1 Sources of Information
Suggest examples of information that might be obtained from each of the following sources:
a. Audit client;
b. Auditor;
c. Other sources.

(a) Client
• Directors/senior operating personnel
• Internal audit and Governance
• Website
• Visit premises and plant facilities
• Specific employees involved in the process
• Minutes of meeting
• Documents sent to shareholders/filed with authorities
• Financial budgets and management reports
• Chart of accounts and job descriptions
• Procedures manuals

(b) Auditor
• Previous relevant experiences
• Specialist publications (e.g. on hotel audits)
• Technical experts (e.g. IS, extractive industries)
• In-house knowledge base
• Permanent audit file
• Business process templates

(c) Other sources
• Predecessor auditor
• Legal advisers
• Industry regulators
• Government data
• Customers
• Suppliers
• Competitors
• Trade journals
• Financial press
• Websites

1.5 Using the Information


Key Point

The auditor’s understanding of the entity and its environment and the applicable financial reporting
framework:
• assists the auditor in understanding the events and conditions that are relevant to the entity;
• assists the auditor in identifying how inherent risk factors affect the susceptibility of assertions to
misstatement in the preparation of the financial statements; and
• informs how the auditor plans and performs further audit procedures.
Example 3 Why an Understanding is Required

The auditor uses an understanding of the entity and its environment to:
• Identify and assess risks of material misstatement;
• Determine materiality levels and judge whether they remain appropriate as the audit progresses (see
Chapter 10);
• Perform procedures to help identify non-compliance with laws and regulations that may have a material
effect on the financial statements (see Chapter 11);
• Evaluate whether the financial statements provide adequate disclosures;
• Consider the appropriateness of the selection and application of accounting policies and the adequacy
of financial statement disclosures;
• Develop expectations for use in analytical procedures (see Chapter 16);
• Identify areas where special audit consideration may be necessary (e.g. the appropriateness of the
going concern assumption);
• Design and perform further audit procedures to reduce audit risk to an acceptably low level;
• Evaluate the sufficiency and appropriateness of audit evidence (see Chapter 15), including
management representations (see Chapter 20);
• Recognise conflicting information and unusual circumstances and effectively apply professional
scepticism;
• Make informed enquiries and assess the reasonableness of responses;
• Provide better service to clients and be responsive to their needs.

2.1 Matters to Consider


2.1.1 Before Accepting Appointment
Before accepting an appointment, the auditor should obtain a general understanding sufficient to
make an appropriate proposal.
2.1.2 After Accepting Appointment
After accepting an appointment, the auditor should obtain a more detailed understanding sufficient
to plan an effective and efficient audit.
2.2 Information Needs
ISA 315 requires the auditor to obtain an understanding of the following:
• nature of the entity and its environment, including:
o organisational structure, ownership, governance, and business model, including the extent to which
the business model integrates the use of IT;
o industry, regulatory and other external factors
o the measures used, internally and externally, to assess financial performance;
• the applicable financial reporting framework, the entity’s accounting policies and the reasons for any
changes to it; and
• how inherent risk factors affect the susceptibility of assertions to misstatements and the degree to which
they do so.

Activity 2 Information Requirements

Suggest, under the following headings, the information you will require to enable you to obtain a
sufficient understanding of the entity and its environment:
• General economic factors
• Industry
• Management and ownership
• Business
• Financial performance
• Reporting environment

General Economic Factors
• Recession
• Growth
• Interest rates
• Sources of finance
• Inflation
• Government policy (e.g. monetary, fiscal, trade)
• Investment incentive (e.g. regional development grants)
• Foreign exchange (rates and controls)
• Availability and education of the workforce

Industry
• Market/competition
• Costs of entry
• Cyclical/seasonal trade
• Technology/fashion
• Key ratios and performance measures
• Specific accounting practices, GAAP
• Regulatory/environmental requirements
• Energy supply and costs
• Workforce skills

Management and Ownership
• Corporate structure
• Owners
• Local/foreign
• Capital structure
• Organisational structure
• Philosophy and strategic plans
• Acquisitions and disposals
• Sources of finance
• Board of directors and governance
• Operating management
• Internal audit
• Attitude to internal control environment

Business
• Nature (manufacturer, exporter)
• Locations (office/production/storage)
• Employment (union contracts)
• Products/services/markets
• Conduct of operations (e.g. service logistics, production, segments)
• Major/dependent suppliers/customers (delivery methods such as JIT)
• Outsourced activities
• Inventories (type, location, quantities)
• Research and development
• Information systems and use of ecommerce (nature and dependency)
• Debt structure (including covenants)

Financial Performance
• Key ratios, trends
• Performance indicators (e.g. share price, EPS)
• Employee measures and compensation
• Period-on-period financial performance
• Accounting principles
• Accounting policies
• Earnings/cash flow
• Leasing commitments
• Lines of credit
• Off-balance sheet finance
• Foreign currency and interest rates

Reporting Environment
• Legislation and regulations
• Appropriate selection and application of accounting principles
• Auditor's reporting requirements (shareholders, regulators and other third parties)
• Taxation
• Revenue recognition
• Use of fair values
• Users of financial statements

2.3 Selection and Application of Accounting Policies


The auditor needs to understand how the entity selects and applies accounting policies. (Are they
appropriate to the business and consistent with the financial reporting framework and relevant
industry?) An incorrect or aggressive application is a risk of material misstatement.
The following may increase the risk related to the selection and application of accounting policies:
• the methods used to account for unusual or complex transactions (including those in
controversial or emerging areas for which there is a lack of authoritative guidance);
• changes in the environment (e.g. the financial reporting framework or tax reforms) that may
necessitate a change in the entity’s accounting policies; and
• the effect of financial reporting standards and laws and regulations that are new to the entity.
For example, whether a new IFRS has been correctly applied.
2.4 Updating Existing Clients
For entities audited in prior years, historic key information required for planning will be available in
the working papers and other files (e.g. computer knowledge bases).

Key Point

To use information obtained from previous experience and audit procedures performed in previous audits,
the auditor must evaluate whether such information remains relevant and reliable as audit evidence for the
current audit.

Previous experience and audit procedures may provide the auditor with information about such
matters as:
• Past misstatements and whether they were corrected on a timely basis;
• The nature of the entity and its environment and its system of internal control;
• Complex transactions and other events or account balances and related disclosures;
• Significant changes that the entity or its operations may have undergone since the prior financial period.

Where changes are identified, their effects on the entity, its business and the financial reporting
environment must be understood. Changes that will affect the business in a future financial period
cannot be ignored. What risk arises from these changes? Does that risk affect the current financial
statements? For example, known future changes in regulations may create a going concern risk.
Activity 3 Changes to be Documented

For an existing client, identify the internal and external changes (compared to the previous year)
that must be documented to understand the entity and its environment.

Internal
• Business developments (e.g. ecommerce, discontinued operations)
• Changes in products, services
• Changes in key personnel and positions
• Business and financial control system changes
• Governance/internal audit work and reports
• Regulator visits and reports
• Administration and IT functions
• Pending litigation

External
• New legislation and regulation (e.g. environmental, health and safety)
• New/updated IFRS Standards
• Application of accounting policies by management
• Competitors and their products
• Economic (interest/foreign exchange/tax rates, etc.)
• Volatility of markets (supplier, customer, financial)
• Industrial practices
• Local and national governments

3.1 Concept
Definition

Audit risk – the risk that the auditor expresses an inappropriate audit opinion when the financial statements
are materially misstated. It is a function of the risks of material misstatement and detection risk. (ISA 200)

An audit in accordance with ISAs is designed to provide reasonable assurance that the financial
statements as a whole are free from material misstatement. The concept of "reasonable assurance"
implies a risk that the audit opinion may be inappropriate.
This risk may be reduced to an acceptable level through the risk-based approach to auditing:
• identifying and assessing risks of material misstatement at the financial statement and
assertion levels (ISA 315);
• designing and performing audit procedures to obtain sufficient appropriate audit evidence to
draw reasonable conclusions on which to base the audit opinion (ISA 330).

The assessment of audit risk is a matter of professional judgment (rather than a matter capable of
precise measurement) and encompasses two types of risk:
• the risk of material misstatement in the financial statements (i.e. before audit); and
• the risk that the auditor may not detect such material misstatement (i.e. detection risk).

3.2 Risks of Material Misstatement


The auditor must consider whether the risks of material misstatement identified exist at:
• the financial statement level (i.e. affecting the financial statements overall or as a whole); or
• the assertion level for classes of transactions, account balances and disclosures (i.e. existence,
completeness, occurrence, valuation, presentation, etc of line items in the financial statements).

Risks at the financial statement level are pervasive and therefore affect many assertions. For
example, if there is a risk that the going concern basis of preparation is inappropriate, this could
result in overvalued assets, omitted liabilities and omitted disclosures.
Risks at the assertion level are assessed to determine the nature, timing and extent of further audit
procedures necessary to obtain sufficient appropriate audit evidence.

Activity 4 Inherent Risk Factors

Should each of the following factors be evaluated at the financial statement level or at the assertion
level?
Financial statement / Assertion

1. Doubts about the integrity of management.
2. Management inexperience in the preparation of the financial statements.
3. Accounts which involve a high degree of estimation.
4. Lack of sufficient capital to continue operations.
5. Potential for technological obsolescence of products and services.
6. Complex underlying transactions that might require an expert’s work.
7. Highly desirable and movable assets (e.g. cash) susceptible to loss or misappropriation (e.g. theft).
8. Unusual and complex transactions completed at or near the reporting date.
9. Changes in consumer demand.
10. Transactions not subject to ordinary processing.

Financial statement level
1 (see the following discussion), 2, 4, 5 and 9.
Per ISA 315 and 330, factors concerning the nature of an entity's business (5, 7 and 10) are also
relevant to the assertion level.
Assertion level
3, 5, 6, 7 (see discussion), 8 and 10.
Discussion
1. Consider doubts about the integrity of management: could that inherent risk affect the financial statements
as a whole or just a few individual account balances? Suppose management wanted to overstate profit
(to pay themselves bonuses, say). To increase profit, management could:
o overstate revenue (e.g. through a deliberate cut-off error by bringing forward next year's revenue from
contracts with customers into the current year);
o understate costs (e.g. by suppressing purchase and expense invoices).

Because every DR has a CR, there are then implications for the statement of financial position:
o overstatement of trade receivables (because customers do not owe the money at the year-end);
o understatement of trade payables (because liabilities are not recorded).

Profit could also be increased by understating allowances against assets:
o obsolescence allowances against inventory;
o depreciation allowances against tangible long-term assets;
o credit loss allowances against trade receivables.

In conclusion, doubt about management integrity has a pervasive effect on the financial statements
so this risk is assessed at the financial statement level.

7. Consider cash balances (i.e. physical money rather than bank balances). These balances may
be minimal in relation to the assets as a whole (e.g. cash floats in the till/register of a shop). At
the financial statement level, the auditor may take no account of these and ignore them in the
overall audit plan. However, cash is inherently risky (because it can be stolen if safeguards are
inadequate) and cannot be overlooked at the account balance level.

However, in a cash-based business (i.e. with cash revenue; purchases and assets paid for in cash),
this would be considered at the financial statement level (i.e. in the preparation of the overall audit
plan) because it has a pervasive effect.

Key point

No one audit risk model is used by all auditors. The main features of a risk-based model are:
• the auditor's concern for material misstatement in the financial statements;
• audit risk is reduced to an acceptably low level by the exercise of professional judgment; and
• audit procedures are designed to ensure that audit risk is at an acceptable level.

Example 4 Audit Response to Audit Risks


It is 1 July 20X5. An audit manager is planning the audit of the financial statements of Basil Co for
the year ending 31 July 20X5. During a planning meeting with the finance director of Basil Co, the
audit manager noted the following:
• Basil Co replaced two major items of machinery on the production line in its main factory. There were
significant staff costs involved in preparing the site for the new machinery and testing that it was operating
correctly. These costs have been included in wages and salaries expense for the period.
• During the year, Basil Co purchased land and a building adjacent to the main factory and converted it
to another production facility.
• The increased production capacity resulted in a significant increase in the inventory quantities held. At
the year end, inventory will be held in four regional warehouses. The finance director plans to conduct
full inventory counts at the warehouses on 2, 3 and 4 August and make necessary adjustments for post
year-end movements.
• Basil Co obtained an interest-bearing bank loan of $5 million to finance the new machinery and
purchase of land and buildings. The loan must be paid in equal instalments over the next five years.
• A portion of the new production facility was used for research and development. During the year, Basil
Co spent $2 million researching and developing new products.
• To increase revenues and expand its customer base, Basil Co relaxed its credit terms. Due to the past
success of the credit controller in collecting past due accounts, the finance director has decided not to
increase the allowance for irrecoverable receivables.
• Basil Co introduced a new bonus plan in which managers are paid bonuses based on the increase in
total revenue during the year.

Based on this information, the audit manager has identified the following audit risks and outlined
the audit responses that the engagement team will need to address during the audit.
Audit Risks and Audit Responses

Audit risk: Basil Co has included in wages and salaries significant staff costs involved in installing
and testing new machinery. However, such costs that are directly attributable to bringing the asset to
the location and condition necessary for its intended use are an element of the cost of the asset
(IAS 16 Property, Plant and Equipment). It appears that these staff costs have been accounted for
incorrectly, resulting in understated PPE and overstated wages and salaries expense.
Audit response: The audit team should discuss with management the accounting treatment applied and
request that the relevant staff costs are included in the cost of property, plant and equipment (PPE).
(See Chapter 22.) The audit team should undertake a review of the staff costs expensed and the process
for allocating staff costs to work undertaken to confirm the amounts that should be capitalised as part
of the cost of machinery. If an adjusting journal is made by management, this should be reviewed for
accuracy.

Audit risk: The costs of the land and building purchased should be accounted for separately. Only the
cost of the building should be depreciated. If the cost of the land is depreciated, PPE will be
understated and depreciation expense overstated.
Audit response: The audit team should confirm that the land was not depreciated and that the building
was depreciated correctly according to Basil Co’s depreciation policy. The accuracy of the depreciation
should be tested through recalculation. (See Chapter 22.)

Audit risk: There will be inventory counts at all four regional warehouses shortly after the year end.
If inventory movements are not completely and accurately controlled, year-end inventory could be under
or overstated.
Audit response: The audit team should attend the inventory counts at all four warehouses and document
details of inventory movements (goods received/despatched) to ensure they are recorded in the correct
accounting period. (See Chapter 23.)

Audit risk: Basil Co obtained a new interest-bearing bank loan in the year repayable over five years.
There is a risk that the loan has not been correctly allocated between current and non-current
liabilities, which would give rise to a classification error and misstated liabilities.
Audit response: The audit team should review the loan agreement and confirm the amount repayable with
the bank. The team should verify that the loan is correctly analysed between current and non-current
liabilities. (See Chapter 26.)

Audit risk: Basil Co has spent $2 million on research and development. Expenditure related to research
should be expensed. Expenditure related to development should be capitalised if it is distinguishable
from research expense and meets the asset recognition criteria. If incorrectly classified, profit and
intangible assets could be overstated or understated.
Audit response: The audit team should examine the supporting documentation, such as invoices and
descriptions from the board of director minutes, for significant research and development expenses and
apply relevant tests to determine whether it has been correctly classified as capital or revenue
expenditure. (See Chapter 22.)

Audit risk: Relaxing credit terms increases the risk that customers do not pay. There is a risk that
receivables are overvalued because the allowance for irrecoverable receivables has not been increased.
Audit response: The audit team should review the receivables age analysis to assess the need to
increase the allowance for receivables. The team should also review irrecoverable debts and cash
collection patterns for the year to identify any changes that might indicate a need to increase the
allowance. (See Chapter 24.)

Audit risk: There is a risk that management may have felt pressured to overstate revenue because of
the new bonus plan.
Audit response: Throughout the audit, the team should be alert to this risk and any indications that
revenue has been overstated. The team will need to maintain professional scepticism. Cut-off procedures
should be performed to verify that sales were recorded in the correct accounting period.
(See Chapter 24.)

Exam advice

Always answer risk questions from the auditor’s perspective (as shown in this example).
Answers from the client’s perspective concerning business risks (that are not examinable in
AA) rather than audit risks earn no marks.
If asked to identify audit risks, you should identify the risk, refer to the related account balance
and describe the possible misstatement in the financial statements.
If asked to describe the auditor's response to identified audit risks, you should describe the
auditor’s approach to assess whether the balance or transaction is materially misstated. A two
column method, as used above, is recommended.

3.3 Audit Risk Model


The "traditional" audit risk model considers the essential components of audit risk to be:
• inherent risk (IR);
• control risk (CR); and
• detection risk (DR).
Although IR and CR are separately assessed, their combined effect is the risk of material
misstatement (i.e. the risk that controls will not detect misstatements that arise due to inherent risk).
DR is then often referred to as the "residual risk".
An overall acceptable level of audit risk may be quantified as a matter of the audit firm’s policy (e.g.
5% means that there is a 5% chance that a material misstatement goes undetected or, conversely,
that the auditor obtains 95% assurance that there are no undetected material misstatements). This
percentage may provide the basis for a mathematical derivation of detection risk and sample sizes.
Alternatively, IR and CR may be expressed qualitatively as high, medium or low, with DR being the
inverse of this relationship. For example, where IR and CR are high, DR must be minimised
(rendered low) by the audit procedures performed.

3.4 Inherent Risk (ISA 315)


3.4.1 Assessing Inherent Risk

Definitions

Inherent risk – the susceptibility of an assertion about a class of transactions, account balance or
disclosure to a misstatement that could be material (either individually or when aggregated with
other misstatements) before considering any related controls.

Key Point

Inherent risk is presumed to be high if not assessed as less than high.

3.4.2 Assertion Level


Definition

Relevant assertion – an assertion about a class of transactions, account balance or disclosure that
has an identified risk of material misstatement.

For identified risks at the assertion level, the auditor assesses inherent risk by evaluating
the likelihood and magnitude of misstatement by considering how and the degree to which:
• Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and
• The risks of material misstatement at the financial statement level affect assessing inherent risk at the
assertion level.

The auditor must also determine whether:


• Any of the assessed risks are significant risks; and
• Substantive procedures alone can provide sufficient appropriate audit evidence for significant risks.

3.4.3 Inherent Risk Factors


Definition

Inherent risk factors – characteristics of events or conditions that affect the susceptibility of an assertion to
misstatement, before consideration of controls. Such factors may be qualitative or quantitative.

Qualitative inherent risk factors include:


• Complexity – factors arising from the nature of the information or the process of preparing it (e.g. when
there are many potential data sources for calculating an accounting estimate or alternative valuation
models).
• Subjectivity – arises from inherent limitations in the knowledge or information that is reasonably
available (e.g. in estimating allowances for potential irrecoverability of trade receivables or inventory
obsolescence).
• Change – arises from events or conditions that, over time, affect the entity’s business or the
environment in which it operates. For example, developing new products, geographical expansion,
installing new IT systems, new IFRS Standards, etc.
• Uncertainty – arises when there is a lack of sufficiently precise and comprehensive data verifiable
through direct observation. Constraints on the availability of knowledge or data, which are not within
management’s control, are sources of uncertainty that cannot be eliminated. For example, estimation
uncertainty arises when a monetary amount cannot be determined with precision (e.g. a warranty
provision).
• Susceptibility to misstatement due to management bias or fraud – results from conditions that
create susceptibility to intentional or unintentional management bias (i.e. a lack of neutrality). For
example, pressure or incentive to achieve the desired result (e.g. a target profit).

Definition

Management bias – a lack of neutrality by management in the preparation of information.

3.4.4 Spectrum of Inherent Risk


The assessment of inherent risk depends on the likelihood and magnitude of misstatement. The
degree to which inherent risk varies is the “spectrum of inherent risk”.
• The higher the likelihood and magnitude of a misstatement, the higher that risk on the spectrum.
• Those risks assessed to be close to the upper end of the spectrum are significant risks.

3.4.5 Significant Risks

Definition

Significant risk – an identified risk of material misstatement:


• For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk; or
• That is to be treated as a significant risk in accordance with the requirements of other ISAs.

Determining which of the assessed risks are significant risks is a matter of professional judgment
unless specified to be treated as a significant risk under an ISA (e.g. presumption of risk of fraud in
revenue recognition).
Significant risks may arise from matters such as:
• Transactions for which there are multiple acceptable accounting treatments (i.e. involving subjectivity);
• Accounting estimates that have high estimation uncertainty or use complex models;
• Complexity in data collection and processing to support account balances;
• Account balances or quantitative disclosures that involve complex calculations.

Key Point

The auditor determines significant risks to focus more attention on them through the performance
of required responses, including:
• The identification and evaluation of related controls (see s.3.5);
• Substantive procedures that are specifically responsive to the risk;
• Obtaining more persuasive audit evidence;
• Communication to TCWG (see Chapter 3);
• Determining key audit matters (see Chapter 30).

Example 5 Inherent Risk Assessment
Dramatik Co manufactures fast-fashion apparel for distribution to wholesalers and retailers.
You have uncovered the following information in an assessment of the Dramatik Co’s business for
this year’s audit:
The company has raw materials, consumables and work in progress at its factory base. Finished
goods are stored in a separate warehouse 10 kilometres away. The company does not hold
inventories owned by third parties.
Why would the inherent risk associated with inventory at Dramatik Co be assessed as “high”
in the financial statements of Dramatik Co for this year’s audit?
The inherent risk associated with stocks would affect quantity and valuation.
1. The company has significant amounts of inventory at its factory base and goods held at a separate
warehouse and possibly third-party retail outlets.
2. There would be difficulties quantifying inventories at different stages of work-in-progress and accounting
for transfers/movements between stock-holding locations. There is also the risk of theft or loss due to fire,
weather, or other factors.
3. There might be issues in the valuation of the inventory, which should be measured at lower of cost and
net realisable value. As Dramatik Co operates in the fast-fashion industry, selling prices will fall rapidly in
a short time as product lines go out of fashion. This would significantly affect the valuation of slow-moving
product lines.
4. Because of the reasons above, there is a significant risk that the inventory of Dramatik Co might be
overstated.

3.5 Control Risk (ISA 315)


Definitions

Control risk – the risk that a misstatement that could occur in an assertion and that could be
material (either individually or in aggregate with other misstatements) will not be:
• prevented; or
• detected and corrected, on a timely basis,
by the entity’s controls.

3.5.1 Assessing Control Risk

Key Point

ISA 315 requires control risk to be assessed separately from inherent risk.
Control risk is assessed if the auditor plans to test the operating effectiveness of controls. If not,
the assessment of the RoMM is the same as the assessment of inherent risk.
• The auditor will only plan to test the operating effectiveness of controls if they are expected to operate
effectively.
• The initial expectation is based on the auditor’s evaluation of the design and implementation of
identified control activities.
• If tests of controls do not then confirm the initial expectation, the control risk assessment must be revised.

3.5.2 Risk Assessment Procedures


Risk assessment procedures to obtain audit evidence about the design and implementation of
identified control components may include:
• Inquiring of entity personnel;
• Observing the application of specific controls;
• Inspecting documents and reports.
Inquiry alone, however, is not sufficient for such purposes.

3.5.3 Testing Controls

The auditor may plan to test:
• direct controls (i.e. that are sufficiently precise to prevent, detect or correct misstatements);
• indirect controls (i.e. that support direct controls), including general IT controls.
Tests of controls are described in Chapter 12.

Key Point

No matter how well designed and operated, internal control can only reduce, but not eliminate, the risk of
material misstatement (RoMM) in the financial statements because of the inherent limitations of controls.

3.6 Detection Risk (ISA 200)


Definitions

Detection risk – the risk that audit procedures performed to reduce audit risk to an acceptably low level will
not detect a misstatement that exists and that could be material (either individually or in aggregate).

Key Point

To obtain reasonable assurance, the auditor must obtain sufficient appropriate audit evidence to reduce
audit risk to an acceptably low level (to enable the auditor to draw reasonable conclusions on which to
base the audit opinion).

Detection risk, which relates to the nature, timing and extent of audit procedures, has two elements:
1. sampling risk; and
2. non-sampling risk.

3.6.1 Sampling Risk


This arises from the possibility that the auditor's conclusion, based on a sample, may be different
from the conclusion reached if the entire population was subjected to the same audit procedure.
• If the auditor concludes that CR is lower than it is or that a material misstatement does not exist when,
in fact, it does, there is a higher risk of an inappropriate audit opinion. This affects audit effectiveness.
• If he concludes that CR is higher than it is or that a material misstatement exists when it does not, this
affects audit efficiency, as more work than necessary will be carried out (see also Chapter 19).

3.6.2 Non-sampling Risk


Non-sampling risk arises from factors that cause the auditor to reach an erroneous conclusion for
any reason not related to sampling, for example:
• failure to adequately understand the entity or carry out the risk assessment; inadequate audit strategy,
planning and work programme;
• misapplication of an audit procedure by the audit team (e.g. through lack of training);
• misinterpretation of test results (e.g. not recognising the significance of an error or not recognising that
there is an error); and
• poor quality management (e.g. lack of briefing, supervision and review).

Non-sampling risk can be minimised through, for example, adequate planning, assigning
appropriate staff (e.g. experienced, professional and technically competent), the application of
professional judgment, supervision and review of audit work.
As IR and CR assessments influence the nature, timing and extent of substantive procedures, to
reduce DR (and therefore audit risk) to an acceptably low level, any inappropriate assessment will
directly affect DR.

3.7 Application of Audit Risk Model

3.7.1 Calculating Detection Risk

Example 6 Mathematical Audit Risk Model
An audit firm uses a mathematical audit risk model to determine the levels of detection risk.
• Audit risk: a 5% risk of drawing the wrong conclusion is acceptable. (Most firms operate between 1% and
5%.)
• IR: assessed at a 75% (“high”) risk that material misstatements could arise.
• CR: assessed at a 20% (“low”) risk that controls may fail to prevent or detect and correct material
misstatements.
Using the model, 0.05 = 0.75 × 0.2 × DR
Therefore DR = 0.33 (e.g. medium).
This means that planned substantive procedures will be adequate even if there is a 33% chance that
they fail to detect material misstatements.
Because of the high IR, audit tests will be specifically targeted at the factors giving concern. The low
CR implies that the controls should prevent or detect and correct material misstatements for routine
transactions. In addition, note that most audit work programmes require material items (based on
performance materiality) to be selected and substantively tested anyway, regardless of the DR
assessed and the sample size calculated.

3.7.2 Relationship between Components of Audit Risk


The mathematical model demonstrates the relationship between IR, CR and DR. The nature, extent
and timing of substantive procedures are inversely related to the assessment of IR and CR.
For a given acceptable audit risk (determined by the audit firm's policy), when both IR and CR are
high (i.e. when there is a high risk that the financial statements may contain a material
misstatement), DR must be rendered low (i.e. a higher degree and level of substantive work is
required) and vice versa:
Audit Risk    Inherent Risk    Control Risk    Detection Risk
Policy        H                H               L
Policy        L                L               H

3.7.3 Implications of Detection Risk for Substantive Procedures


Definition

Substantive procedure – an audit procedure designed to detect material misstatements at the assertion level.

• Low detection risk – The level and detail of substantive procedures (e.g. greater use of external, direct
and independent evidence and larger sample sizes) must be at a sufficiently high level that the risk that a
material misstatement is not detected is low.
• High detection risk – In theory, it is more likely that the level of substantive procedures will be
insufficient to detect a material error. However, as IR and CR are low, the probability of material error in
the financial statements is also low.

When detection risk is high, because of the low(er) risks of a material error in the financial
statements, a lower quantity (e.g. sample size), lower quality (e.g. indirect evidence rather than
direct evidence) and form (e.g. analytical procedures) of substantive procedures may be acceptable
(together with the fact that all material items will be tested).
Low detection risk means that higher levels of substantive tests are required as there is a greater
risk that a material error exists (i.e. increased testing is necessary to reduce the risk that a material
error is not discovered).
There are three ways in which detection risk can be varied:
• change the nature of audit procedures; and/or
• change the extent of audit procedures; and/or
• change the timing of audit procedures.

Methods of Varying Detection Risk – Examples where Inherent/Control Risk are High

1. Change nature
• Direct tests towards independent parties rather than documentation held by the entity.
• Use tests of details in addition to substantive analytical procedures.
• Use computer-assisted audit techniques (CAATs).

2. Change extent
• Use a larger sample size.
• Reduce tolerable error (e.g. 50% of materiality level). This will mean testing more items.
• Extend the scope of CAATs for 100% testing, comparison and analysis (e.g. re-perform 100% calculation
of inventory valuation rather than just sample size).

3. Change timing
• Perform a procedure at the reporting date rather than at an earlier (interim) or later (final) date
(e.g. receivables circularisation at the year end or before the year end and “roll forward” the movements).

3.8 Matters Requiring Documentation


The following matters must be documented:
• The discussion between the engagement team regarding the susceptibility of financial
statements to material misstatement due to error or fraud and the significant decisions reached.
• Key elements of the understanding obtained regarding each aspect of the entity and its
environment, for example:
o industry, regulatory and other external factors;
o the applicable financial reporting framework;
o nature of the entity, including selection and application of accounting policies;
o measurement and review of financial performance; and
o objectives and strategies and related risks that may result in a material misstatement of the
financial statements.
• Internal control components:
o the control environment;
o risk-assessment procedures;
o IS and related business processes relevant to financial reporting;
o the control activities; and
o the process of monitoring controls.
• The sources of information from which the understanding was obtained.
• The risk assessment procedures.
• The identified and assessed risks of material misstatement at the financial statement level and
at the assertion level.

Syllabus Coverage
This chapter covers the following Learning Outcomes.
B. Planning and Risk Assessment
Assessing audit risks
1. Explain the components of audit risk.
2. Describe the audit risks in the financial statements and explain the auditor's response to each risk.
Understanding the entity, its environment and the applicable financial reporting framework
1. Explain how auditors obtain an initial understanding of the entity, its environment and the applicable
financial reporting framework.

Summary and Quiz


• Risk assessment procedures are required to obtain an understanding of:
o the entity and its environment;
o the applicable financial reporting framework and accounting policies; and
o how inherent risk factors affect the susceptibility of assertions to misstatements.

• Risk assessment procedures include:


o Inquiry
o Observation
o Inspection
o Analytical procedures.

• Audit risk is the risk that the auditor will express an inappropriate audit opinion on the financial
statements. It is the risk of material misstatement arising (inherent risk) which is not prevented
or corrected by the entity (control risk) or detected by the auditor (detection risk).
• Inherent risk factors arise from complexity, subjectivity, change, uncertainty, and the
susceptibility to misstatement due to management bias or other fraud risk factors.
• Significant risks may be non-routine (e.g. fraud) or involve significant estimation uncertainty
(e.g. complex provisions) and require special consideration (e.g. more persuasive evidence).
• Inherent risk and control risk require separate assessments.
• Control risk is assessed if the auditor plans to test the operating effectiveness of controls. If
not, the assessment of the RoMM is the same as the assessment of inherent risk.
• Detection risk is managed by changing the nature, extent and timing of audit work. Detection
risk is "inversely" related to inherent risk and control risk. Low detection risk is achieved through
increased substantive procedures.
