Chapter 8 Identifying and Assessing Risk
Objective: To describe how the auditor, through understanding the entity, aims to minimise audit
risk.
1.0 Introduction
The relevant standard is ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material
Misstatement.
Key point
The auditor must identify and assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement.
1.1 Steps
The steps required in identifying and assessing the risks of material misstatements can be
summarised as follows:
1. Design and perform risk assessment procedures to obtain an understanding of:
• the entity and its environment;
• the applicable financial reporting framework and the entity’s accounting policies;
• inherent risk factors.
Definition
4. Identify the risks of material misstatements and determine whether they exist at:
• the assertion level (i.e. affecting material classes of transactions, account balances and
their related disclosures); or
• the financial statement level (i.e. affecting the financial statements).
5. Assess the identified risks including whether any are significant risks.
5a. Optional. Assess control risk if the auditor plans to test the operating effectiveness of controls
(see s.3.5).
6. Plan, design and perform appropriate audit procedures in response to identified risks as
required by ISA 330 The Auditor’s Responses to Assessed Risks.
In summary, the auditor must:
• understand the entity and its environment to assess the risk of material misstatement (RoMM)
in the financial statements; then
• devise a work programme to test whether such misstatements have arisen (ISA 330 and ISA
500 Audit Evidence).
Definition
Risk assessment procedures – audit procedures designed and performed to identify and assess
the risks of material misstatement, whether due to fraud or error, at the financial statement and
assertion levels.
Risk assessment procedures include inquiries, observation and inspection and analytical
procedures. Observation and inspection are required to support, corroborate or contradict inquiries
and provide information.
Inspect
• External sources of industrial, legal and economic conditions and events (e.g. trade
journals, credit rating agencies, financial press).
• Internal documents (e.g. business plans), accounting records and procedure manuals.
• The entity’s premises and plant facilities.
• Reports prepared by management (e.g. monthly management accounts) and TCWG
(e.g. board minutes, audit committee reports).
Analytical procedure
• Internal and external information; current and prior financial history; financial and
non-financial information.
• Key performance indicators and activity against similar companies.
• Identifying unusual transactions, amounts, relationships, ratios and trends.
• See Chapter 16 for further details.
Example 1 Inquiries
Inquiry to: Reason:
Discussions must be documented along with the decisions made and the implications for the audit
approach.
Bladd & Co holds an initial risk assessment meeting for the audit of WWQ Co, a client for which the firm has
been the auditor for a few years.
Certain factors identified during the year carry risks of material misstatement for this year’s audit,
and the engagement partner wants senior members of the engagement team to be fully aware of
these risks.
WWQ’s current and quick ratios have been observed to worsen, accompanied by rapid growth in
revenues. The engagement team considers this a significant risk, both for material misstatement and
potential going concern issues.
The engagement partner also shared with the team that he was informed by the board of WWQ that they would
be expanding and diversifying the business to include real estate development and sale and had acquired land
and broken ground for the construction of a property. The engagement partner informs his team that this is an
area of significant risk due to the issue of revenue recognition and capitalisation of assets since the project has
been financed by debt. It is also unclear what operational and financial controls WWQ has over this division.
The auditor’s understanding of the entity and its environment and the applicable financial reporting
framework:
• assists the auditor in understanding the events and conditions that are relevant to the entity;
• assists the auditor in identifying how inherent risk factors affect the susceptibility of assertions to
misstatement in the preparation of the financial statements; and
• informs how the auditor plans and performs further audit procedures.
Example 3 Why an Understanding is Required
The auditor uses an understanding of the entity and its environment to:
• Identify and assess risks of material misstatement;
• Determine materiality levels and judge whether they remain appropriate as the audit progresses (see
Chapter 10);
• Perform procedures to help identify non-compliance with laws and regulations that may have a material
effect on the financial statements (see Chapter 11);
• Evaluate whether the financial statements provide adequate disclosures;
• Consider the appropriateness of the selection and application of accounting policies and the adequacy
of financial statement disclosures;
• Develop expectations for use in analytical procedures (see Chapter 16);
• Identify areas where special audit consideration may be necessary (e.g. the appropriateness of the
going concern assumption);
• Design and perform further audit procedures to reduce audit risk to an acceptably low level;
• Evaluate the sufficiency and appropriateness of audit evidence (see Chapter 15), including
management representations (see Chapter 20);
• Recognise conflicting information and unusual circumstances and effectively apply professional
scepticism;
• Make informed enquiries and assess the reasonableness of responses;
• Provide better service to clients and be responsive to their needs.
Suggest, under the following headings, the information you will require to enable you to obtain a
sufficient understanding of the entity and its environment:
• General economic factors
• Industry
• Management and ownership
• Business
• Financial performance
• Reporting environment
General economic factors
• Recession
• Growth
• Interest rates
• Sources of finance
• Inflation
• Government policy (e.g. monetary, fiscal, trade)
• Investment incentive (e.g. regional development grants)
• Foreign exchange (rates and controls)
• Availability and education of the workforce
Industry
• Market/competition
• Costs of entry
• Cyclical/seasonal trade
• Technology/fashion
• Key ratios and performance measures
• Specific accounting practices, GAAP
• Regulatory/environmental requirements
• Energy supply and costs
• Workforce skills
Management and Ownership Business
Key Point
To use information obtained from previous experience and audit procedures performed in previous audits,
the auditor must evaluate whether such information remains relevant and reliable as audit evidence for the
current audit.
Previous experience and audit procedures may provide the auditor with information about such
matters as:
• Past misstatements and whether they were corrected on a timely basis;
• The nature of the entity and its environment and its system of internal control;
• Complex transactions and other events or account balances and related disclosures;
• Significant changes that the entity or its operations may have undergone since the prior financial period.
Where changes are identified, their effects on the entity, its business and the financial reporting
environment must be understood. Changes that will affect the business in a future financial period
cannot be ignored. What risk arises from these changes? Does that risk affect the current financial
statements? For example, known future changes in regulations may create a going concern risk.
Activity 3 Changes to be Documented
For an existing client, identify the internal and external changes (compared to the previous year)
that must be documented to understand the entity and its environment.
Internal
• Business developments (e.g. ecommerce, discontinued operations)
• Changes in products, services
• Changes in key personnel and positions
• Business and financial control system changes
• Governance/internal audit work and reports
• Regulator visits and reports
• Administration and IT functions
• Pending litigation
External
• New legislation and regulation (e.g. environmental, health and safety)
• New/updated IFRS Standards
• Application of accounting policies by management
• Competitors and their products
• Economic (interest/foreign exchange/tax rates, etc.)
• Volatility of markets (supplier, customer, financial)
• Industrial practices
• Local and national governments
3.1 Concept
Definition
Audit risk – the risk that the auditor expresses an inappropriate audit opinion when the financial statements
are materially misstated. It is a function of the risks of material misstatement and detection risk. (ISA 200)
An audit in accordance with ISAs is designed to provide reasonable assurance that the financial
statements as a whole are free from material misstatement. The concept of "reasonable assurance"
implies a risk that the audit opinion may be inappropriate.
This risk may be reduced to an acceptable level through the risk-based approach to auditing:
• identifying and assessing risks of material misstatement at the financial statement and
assertion levels (ISA 315);
• designing and performing audit procedures to obtain sufficient appropriate audit evidence to
draw reasonable conclusions on which to base the audit opinion (ISA 330).
The assessment of audit risk is a matter of professional judgment (rather than a matter capable of
precise measurement) and encompasses two types of risk:
• the risk of material misstatement in the financial statements (i.e. before audit); and
• the risk that the auditor may not detect such material misstatement (i.e. detection risk).
Risks at the financial statement level are pervasive and therefore affect many assertions. For
example, if there is a risk that the going concern basis of preparation is inappropriate, this could
result in overvalued assets, omitted liabilities and omitted disclosures.
Risks at the assertion level are assessed to determine the nature, timing and extent of further audit
procedures necessary to obtain sufficient appropriate audit evidence.
Should each of the following factors be evaluated at the financial statement level or at the assertion
level?
Financial Assertion
statement
Financial statement level
1 (see the following discussion), 2, 4, 5 and 9.
Per ISA 315 and 330, factors concerning the nature of an entity's business (5, 7 and 10) are also
relevant to the assertion level.
Assertion level
3, 5, 6, 7 (see discussion), 8 and 10.
Discussion
1. Consider doubts about the integrity of management: could that inherent risk affect the financial statements
as a whole or just a few individual account balances? Suppose management wanted to overstate profit
(to pay themselves bonuses, say). To increase profit, management could:
o overstate revenue (e.g. through a deliberate cut-off error by bringing forward next year's revenue from
contracts with customers into the current year);
o understate costs (e.g. by suppressing purchase and expense invoices).
Because every DR has a CR, there are then implications for the statement of financial position:
o overstatement of trade receivables (because customers do not owe the money at the year-end);
o understatement of trade payables (because liabilities are not recorded).
In conclusion, doubt about management integrity has a pervasive effect on the financial statements
so this risk is assessed at the financial statement level.
7. Consider cash balances (i.e. physical money rather than bank balances). These balances may
be minimal in relation to the assets as a whole (e.g. cash floats in the till/register of a shop). At
the financial statement level, the auditor may take no account of these and ignore them in the
overall audit plan. However, cash is inherently risky (because it can be stolen if safeguards are
inadequate) and cannot be overlooked at the account balance level.
However, in a cash-based business (i.e. with cash revenue; purchases and assets paid for in cash),
this would be considered at the financial statement level (i.e. in the preparation of the overall audit
plan) because it has a pervasive effect.
Key point
No one audit risk model is used by all auditors. The main features of a risk-based model are:
• the auditor's concern for material misstatement in the financial statements;
• audit risk is reduced to an acceptably low level by the exercise of professional judgment; and
• audit procedures are designed to ensure that audit risk is at an acceptable level.
Based on this information, the audit manager has identified the following audit risks and outlined
the audit responses that the engagement team will need to address during the audit.
Audit Risks and Audit Responses
1. Audit risk: Basil Co has included in wages and salaries, significant staff costs involved in
installing and testing new machinery. However, such costs that are directly attributable to bringing
the asset to the location and condition necessary for its intended use are an element of the cost of
the asset (IAS 16 Property, Plant and Equipment). It appears that these staff costs have been
accounted for incorrectly, resulting in understated PPE and overstated wages and salaries expense.
Audit response: The audit team should discuss with management the accounting treatment applied
and request that the relevant staff costs are included in the cost of property, plant and equipment
(PPE). (See Chapter 22.) The audit team should undertake a review of the staff costs expensed and
the process for allocating staff costs to work undertaken to confirm the amounts that should be
capitalised as part of the cost of machinery. If an adjusting journal is made by management, this
should be reviewed for accuracy.
2. Audit risk: The costs of the land and building purchased should be accounted for separately.
Only the cost of the building should be depreciated. If the cost of the land is depreciated, PPE will
be understated and depreciation expense overstated.
Audit response: The audit team should confirm that the land was not depreciated and that the
building was depreciated correctly according to Basil Co’s depreciation policy. The accuracy of the
depreciation should be tested through recalculation. (See Chapter 22.)
3. Audit risk: There will be inventory counts at all four regional warehouses shortly after the year
end. If inventory movements are not completely and accurately controlled, year-end inventory could
be under or overstated.
Audit response: The audit team should attend the inventory counts at all four warehouses and
document details of inventory movements (goods received/despatched) to ensure they are recorded
in the correct accounting period. (See Chapter 23.)
4. Audit risk: Basil Co obtained a new interest-bearing bank loan in the year repayable over five
years. There is a risk that the loan has not been correctly allocated between current and non-current
liabilities, which would give rise to a classification error and misstated liabilities.
Audit response: The audit team should review the loan agreement and confirm the amount
repayable with the bank. The team should verify that the loan is correctly analysed between current
and non-current liabilities. (See Chapter 26.)
5. Audit risk: Basil Co has spent $2 million on research and development. Expenditure related to
research should be expensed. Expenditure related to development should be capitalised if it is
distinguishable from research expense and meets the asset recognition criteria. If incorrectly
classified, profit and intangible assets could be overstated or understated.
Audit response: The audit team should examine the supporting documentation, such as invoices
and descriptions from the board of director minutes, for significant research and development
expenses and apply relevant tests to determine whether it has been correctly classified as capital
or revenue expenditure. (See Chapter 22.)
6. Audit risk: Relaxing credit terms increases the risk that customers do not pay. There is a risk that
receivables are overvalued because the allowance for irrecoverable receivables has not been
increased.
Audit response: The audit team should review the receivables age analysis to assess the need to
increase the allowance for receivables. The team should also review irrecoverable debts and cash
collection patterns for the year to identify any changes that might indicate a need to increase the
allowance. (See Chapter 24.)
7. Audit risk: There is a risk that management may have felt pressured to overstate revenue
because of the new bonus plan.
Audit response: Throughout the audit, the team should be alert to this risk and any indications that
revenue has been overstated. The team will need to maintain professional scepticism. Cut-off
procedures should be performed to verify that sales were recorded in the correct accounting period.
(See Chapter 24.)
Exam advice
Always answer risk questions from the auditor’s perspective (as shown in this example).
Answers from the client’s perspective concerning business risks (that are not examinable in
AA) rather than audit risks earn no marks.
If asked to identify audit risks, you should identify the risk, refer to the related account balance
and describe the possible misstatement in the financial statements.
If asked to describe the auditor's response to identified audit risks, you should describe the
auditor’s approach to assess whether the balance or transaction is materially misstated. A two
column method, as used above, is recommended.
Definitions
Inherent risk – the susceptibility of an assertion about a class of transaction, account balance or
disclosure to a misstatement that could be material (either individually or when aggregated with
other misstatements) before considering any related controls.
Key Point
Relevant assertion – an assertion about a class of transactions, account balance or disclosure that
has an identified risk of material misstatement.
For identified risks at the assertion level, the auditor assesses inherent risk by evaluating
the likelihood and magnitude of misstatement by considering how and the degree to which:
• Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and
• The risks of material misstatement at the financial statement level affect assessing inherent risk at the
assertion level.
Inherent risk factors – characteristics of events or conditions that affect the susceptibility of an assertion to
misstatement, before consideration of controls. Such factors may be qualitative or quantitative.
Definition
Definition
Determining which of the assessed risks are significant risks is a matter of professional judgment
unless specified to be treated as a significant risk under an ISA (e.g. presumption of risk of fraud in
revenue recognition).
Significant risks may arise from matters such as:
• Transactions for which there are multiple acceptable accounting treatments (i.e. involving subjectivity);
• Accounting estimates that have high estimation uncertainty or use complex models;
• Complexity in data collection and processing to support account balances;
• Account balances or quantitative disclosures that involve complex calculations.
Key Point
The auditor determines significant risks to focus more attention on them through the performance
of required responses, including:
• The identification and evaluation of related controls (see s.3.5)
• Substantive procedures that are specifically responsive to the risk;
• Obtaining more persuasive audit evidence;
• Communication to TCWG (see Chapter 3);
• Determining key audit matters (see Chapter 30).
Example 5 Inherent risk Assessment
Dramatik Co manufactures fast-fashion apparel for distribution to wholesalers and retailers.
You have uncovered the following information in an assessment of Dramatik Co’s business for
this year’s audit:
The company has raw materials, consumables and work in progress at its factory base. Finished
goods are stored in a separate warehouse 10 kilometres away. The company does not hold
inventories owned by third parties.
Why would the inherent risk associated with inventory at Dramatik Co be assessed as “high”
in the financial statements of Dramatik Co for this year’s audit?
The inherent risk associated with stocks would affect quantity and valuation.
1. The company has significant amounts of inventory at its factory base and goods held at a separate
warehouse and possibly third-party retail outlets.
2. There would be difficulties quantifying inventories at different stages of work-in-progress and accounting
for transfers/movements between stock-holding locations. There is also the risk of theft or loss due to fire,
weather, or other factors.
3. There might be issues in the valuation of the inventory, which should be measured at lower of cost and
net realisable value. As Dramatik Co operates in the fast-fashion industry, selling prices will fall rapidly in
a short time as product lines go out of fashion. This would significantly affect the valuation of slow-moving
product lines.
4. Because of the reasons above, there is a significant risk that the inventory of Dramatik Co might be
overstated.
Control risk – the risk that a misstatement that could occur in an assertion and that could be
material (either individually or in aggregate with other misstatements) will not be:
• prevented; or
• detected and corrected, on a timely basis,
by the entity’s controls.
Key Point
ISA 315 requires control risk to be assessed separately from inherent risk.
Control risk is assessed if the auditor plans to test the operating effectiveness of controls. If not,
the assessment of the RoMM is the same as the assessment of inherent risk.
• The auditor will only plan to test the operating effectiveness of controls if they are expected to operate
effectively.
• The initial expectation is based on the auditor’s evaluation of the design and implementation of
identified control activities.
• If tests of controls do not then confirm the initial expectation, the control risk assessment must be revised.
Key Point
No matter how well designed and operated, internal control can only reduce, but not eliminate, the risk of
material misstatement (RoMM) in the financial statements because of the inherent limitations of controls.
Detection risk – the risk that audit procedures performed to reduce audit risk to an acceptably low level will
not detect a misstatement that exists and that could be material (either individually or in aggregate).
Key Point
To obtain reasonable assurance, the auditor must obtain sufficient appropriate audit evidence to reduce
audit risk to an acceptably low level (to enable the auditor to draw reasonable conclusions on which to
base the audit opinion).
Detection risk, which relates to the nature, timing and extent of audit procedures, has two elements:
1. sampling risk; and
2. non-sampling risk.
Non-sampling risk can be minimised through, for example, adequate planning, assigning
appropriate staff (e.g. experienced, professional and technically competent), the application of
professional judgment, supervision and review of audit work.
As IR and CR assessments influence the nature, timing and extent of substantive procedures, to
reduce DR (and therefore audit risk) to an acceptably low level, any inappropriate assessment will
directly affect DR.
3.7 Application of Audit Risk Model
3.7.1 Calculating Detection Risk
Example 6 Mathematical Audit Risk Model
An audit firm uses a mathematical audit risk model to determine the levels of detection risk.
• Audit risk: a 5% risk of drawing the wrong conclusion is acceptable. (Most firms operate between 1% and
5%.)
• IR: assessed at a 75% (“high”) risk that material misstatements could arise.
• CR: assessed at a 20% (“low”) risk that controls may fail to prevent or detect and correct material
misstatements.
Using the model, 0.05 = 0.75 × 0.2 × DR
Therefore DR = 0.33 (e.g. medium).
This means that planned substantive procedures will be adequate even if there is a 33% chance that
they fail to detect material misstatements.
Because of the high IR, audit tests will be specifically targeted at the factors giving concern. The low
CR implies that the controls should prevent or detect and correct material misstatements for routine
transactions. In addition, note that most audit work programmes require material items (based on
performance materiality) to be selected and substantively tested anyway, regardless of the DR
assessed and the sample size calculated.
Substantive procedure – an audit procedure designed to detect material misstatements at the assertion level.
Low detection risk
• The level and detail of substantive procedures (e.g. greater use of external, direct
and independent evidence and larger sample sizes) must be at a sufficiently high
level that the risk that a material misstatement is not detected is low.
Methods of Varying Detection Risk: Examples where Inherent/Control Risk are High
1. Change nature
• Direct tests towards independent parties rather than documentation held by the entity.
• Use tests of details in addition to substantive analytical procedures.
• Use computer-assisted audit techniques (CAATs).
3. Change timing
• Perform a procedure at the reporting date rather than at an earlier (interim) or later
(final) date (e.g. receivables circularisation at the year end or before the year end and
“roll forward” the movements).
• Audit risk is the risk that the auditor will express an inappropriate audit opinion on the financial
statements. It is the risk of material misstatement arising (inherent risk) which is not prevented
or corrected by the entity (control risk) or detected by the auditor (detection risk).
• Inherent risk factors arise from complexity, subjectivity, change, uncertainty, and the
susceptibility to misstatement due to management bias or other fraud risk factors.
• Significant risks may be non-routine (e.g. fraud) or involve significant estimation uncertainty
(e.g. complex provisions) and require special consideration (e.g. more persuasive evidence).
• Inherent risk and control risk require separate assessments.
• Control risk is assessed if the auditor plans to test the operating effectiveness of controls. If
not, the assessment of the RoMM is the same as the assessment of inherent risk.
• Detection risk is managed by changing the nature, extent and timing of audit work. Detection
risk is "inversely" related to inherent risk and control risk. Low detection risk is achieved through
increased substantive procedures.