
Chapter 3

Risk assessment I
Learning objectives

After studying this presentation you should be able to:


3.1 explain the different phases of an audit
3.2 relate the process used in gaining an understanding of
the entity and of the financial reporting framework
3.3 evaluate fraud risk
3.4 explain the going concern assumption
3.5 appraise corporate governance structures
3.6 evaluate how a client’s information technology (IT) can
affect risk
3.7 demonstrate how client closing procedures can affect
reported results.
Phases of an audit

• The main stages of an audit are:


1. Risk assessment phase
2. Risk response phase
3. Reporting phase.
Phases of an audit

1. Risk assessment phase:


– Auditor must plan the audit by developing an audit strategy,
which sets the scope, timing and direction of the audit.
– The audit strategy guides the development of the audit plan.
– A well planned audit ensures that the auditor gathers sufficient
appropriate evidence for the accounts most at risk of material
misstatement.
Phases of an audit

1. Risk assessment phase:


Phases of an audit

2. Risk response phase:


- Risk response involves detailed tests of controls and
substantive testing of transactions and accounts.
Phases of an audit

3. Concluding and reporting on an audit:


- Reporting involves evaluating results of detailed
testing in light of the auditor’s understanding of their
client and forming an opinion on the truth and
fairness of the client’s financial report.
Outline the steps in planning an audit – Video
Gaining an understanding of the entity

• The auditor needs to gain an understanding of the entity
and its environment, the financial reporting framework
and the system of internal control.
Gaining an understanding of the entity

• The auditor will consider:


- structure, ownership and governance, and business
model.
- industry, regulatory and external factors.
- measures used to assess financial performance.
- applicable reporting framework and accounting
policies.
- inherent risk factors affecting the susceptibility of
assertions to misstatement.
Gaining an understanding of the entity

• Stages of gaining an understanding of the entity:


1. Entity level
2. Industry level
3. Economy level.
Gaining an understanding of the entity

1. Entity level:
• applicable financial reporting framework
• major customers
• major suppliers
• international transactions
• capacity to adapt to changes in technology
• warranties and discounts
• client reputation and operations
• client relations with employees
• sources of financing
• ownership structures
• system of internal controls:
• control environment
• risk assessment process
• process to monitor system of internal control
• information system and communication
• control activities
Gaining an understanding of the entity

2. Industry level:
• level of competition
• client reputation
• level of government support
• level of government regulation
• level of demand for client goods/services.
Gaining an understanding of the entity

3. Economy level:
– How do overall economic conditions affect client?
• interest rate changes
• financial crises
• shareholder expectations of increasing profits in
good times.
– What are specific pressures on client to understate or
overstate profits in these conditions?
Fraud risk

• Auditor must assess risk of material misstatement due to
fraud (ASA 240; ISA 240).
• Auditor adopts attitude of professional scepticism:
– Maintaining an independent questioning mind.
– Search thoroughly for corroborating evidence to
validate information provided by the client.
– Also search for evidence that potentially disconfirms
information provided by the client.
– Don’t just rely on past experience with client.
Fraud risk

• Indicators (red flags) of possible fraud:


– high turnover of key employees
– key finance personnel refusing to take leave
– overly dominant management
– poor compensation practices
– inadequate training programs
– complex business structure
– no, or ineffective, internal audit
– high turnover of auditors
– unusual transactions
– weak internal controls.
Fraud risk

• Examples of frauds:
Fraud risk

1. Incentives and pressures to commit a fraud:


– In assessing the risk of fraud, an auditor will
consider incentives and pressures faced by their
client to commit a fraud.
Fraud risk

1. Incentives and pressures to commit a fraud:


– Examples of incentives and pressures that increase the risk of fraud
include:
• the client operates in a highly competitive industry
• a significant decline in demand for the client’s products or services
• falling profits
• a threat of takeover
• a threat of bankruptcy
• ongoing losses
• rapid growth, low cash with high profits
• pressure to meet market expectations
• planning to list on a stock exchange
• planning to raise debt or renegotiate a loan
• about to enter into a significant new contract
• remuneration tied to profits (e.g. bonus and options).
Fraud risk

2. Opportunities to perpetrate a fraud:


– After identifying one or more incentives or pressures to commit a fraud, an
auditor will assess whether a client has an opportunity to perpetrate a fraud.
– Examples of opportunities that increase the risk that a fraud may have been
perpetrated include:
• accounts that rely on estimates and judgement
• a high volume of transactions close to year-end
• significant adjusting entries and reversals after year-end
• significant related party transactions
• poor corporate governance mechanisms
• poor internal controls
• a high turnover of staff
• reliance on complex transactions
• transactions out of character for a business (for example, if a client leases
its motor vehicles they should not have car registration expenses).
Fraud risk

3. Attitudes and rationalisation to justify a fraud:


– An auditor will assess the attitudes and
rationalisation of client management and staff to
fraud.
Fraud risk

3. Attitudes and rationalisation to justify a fraud:


– Examples of attitudes and rationalisations used to justify a
fraud include:
• a poor tone at the top (that is, from senior management)
• the implementation of an effective internal control
structure is not seen as a priority
• an excessive focus on maximisation of profits and/or share
price
• a poor attitude to compliance with accounting regulations
• rationalisation that other companies make the same
inappropriate accounting choices.
Going concern

• Auditor must consider whether it is appropriate to
assume the client will remain a going concern (ASA 570;
ISA 570).
– Going concern means belief that the company will
remain in business for foreseeable future.
• Going concern justifies valuing assets on the basis they
will continue to be used in business and liabilities paid
when due.
Going concern

• Remaining a going concern is the responsibility of client
governance.
• Auditor must obtain sufficient appropriate evidence to
assess validity of going concern assumption.
• Auditor makes professional judgement about going
concern risk, based on risk indicators.
Going concern

1. Going concern risk — indicators:


– ASA 570; ISA 570 has list of going concern risk indicators.
– Examples include:
• significant debt/equity ratio
• long term loans due, no alternative finance
• prolonged losses, inability to pay debts when due
• loss of significant customer, supplier problems
• high staff turnover, loss of key personnel or strikes
• problems obtaining raw materials, inputs
• poor growth planning, inadequate risk management
• being under investigation for non-compliance
• competitive pressures, drought etc.
Going concern

1. Going concern risk — indicators:


‒ If going concern is in doubt, undertake additional
audit procedures.
• assess cash flow, revenues, expenses, interim
results
• review debt contracts, board meeting minutes
• discussions with client management and lawyers.
Going concern

2. Going concern risk — mitigating factors:


– Auditor should also consider factors that mitigate
(reduce) going concern risk.
• letter of guarantee from parent company
• availability of assets or segment of business for
sale for cash
• ability to raise funds through share issue or
borrowing
• consider adequacy of client disclosures in
financial report about going concern issues.
Corporate governance

• Corporate governance is the rules, systems and
processes within companies used to guide and control
activities.
– Help monitor actions of staff and assess level of risk
faced.
– Controls reduce identified risks and ensure future
viability of the company.
• ASX principles and recommendations for listed
companies.
– Companies required to disclose their compliance.
Information technology

• Auditor should consider particular risks arising from IT (ISA 315), for
example:
– lack of backup and loss of data.
– unauthorised access to computers, software and data:
• Need security and passwords to prevent distorted data.
– errors in programs:
• Can occur if not thoroughly tested before implementation, or
errors introduced when changing programs.
• Restrict program change rights to authorised personnel.
• Programs need to be suitable for client requirements.
Information technology

• Client should have appropriate IT installation and
security procedures, and training for staff.
• Risks arising from IT will vary significantly from one client
to the next.
Closing procedures

• Client closes accounts when preparing financial reports
at year-end.
– Revenue and expense accounts should include all
transactions for the year, and none that relate to
other periods.
– Accrued assets and liabilities should be complete.
– Assets and liabilities should include all relevant
items.
Closing procedures

• Auditor faces risk that client closing procedures are
inadequate.
• Audit procedures to assess adequacy of client closing
procedures:
– assess adequacy of client interim reporting procedures
– check accuracy of accrual calculations
– analyse results to assess reasonableness
– consider pressures on client to overstate profit or
report smoothed income
– trace transactions around year-end to documents to
determine appropriate dates.
Thank you
