
Audit Risk Assessment
Week 7, Chapter 8
Learning objectives
After studying this presentation, you should be able to:
1 understand the importance of audit risk assessment and why it is
linked to financial statement assertions
2 explain the importance of business risks in audit planning
3 describe the procedures performed by an auditor to assess risk
4 understand the importance of internal control to an entity and to
its independent auditors
5 indicate the procedures for obtaining and documenting an
understanding of the entity’s internal control
6 explain why and how a preliminary assessment of control risk is
made
7 explain the importance of the concept of audit risk and its three
components.
Audit process (diagram):
Engagement Letter
Financial Statements - Management assertions
Audit Objective: Ensure F/S free from material misstatements
Risk Assessment
Inherent risk
Control risk
Understand the entity and environment
Audit risk model
Materiality
Understand internal controls
Perform preliminary analytical procedures
1. Importance of Risk Assessment
Auditor’s responsibility:
obtain an understanding of the entity for the purposes
of planning the audit
understanding influences the auditor’s risk assessment
assessment considers the nature of
Business risk
Internal control (and risks related to IC) and
Audit risk
to assess the risk that the financial statements contain
material misstatements
1.2. Management’s financial statement
assertions – Account Balances (1)
Cash and bank balances
$54,224,000

Completeness
Existence
Accuracy, Valuation and Allocation
Obligations and Rights
Classification
Presentation
1.2 Management’s financial statement
assertions – Transactions (2)
Revenue
$641,653,000

Occurrence
Completeness
Accuracy
Cut-off
Classification
Presentation
2. Business risk assessment (1)
Business risk: a risk resulting
from significant conditions,
events, circumstances,
actions or inactions that
could adversely affect an
entity’s ability to achieve
its objectives
A business risk approach allows the
auditor to:
Identify threats
& their effect on the financial statements
Increase the chances of identifying risks
of material misstatements
2. Business risk assessment (2)
2. Business risk assessment (3)

Categories of business risk:


Financial risk - risks arising from the
company’s financial activities or the
financial consequences of operations
Operational risk - risks arising from
the operations of the business
Compliance risk - risks arising from
non-compliance with laws,
regulations, policies, procedures and
contracts
3. Risk assessment procedures (1)

Enquiries
Management, staff, internal
auditors, company bankers,
legal advisors
Analytical procedure
Provide a broad indication of
the likelihood of possible errors
Observations and inspections
Inspection of manuals, visiting
business premises, observing
procedures taking place
3. Risk assessment procedures (2)
To identify significant risks, the auditor is
required to:
1. Identify the risk and any related controls
2. Consider the account balance, class of
transaction or disclosure that is at risk
3. Link the identified risk to the assertions.
4. Establish whether the risk is material
5. Consider whether it is likely the risk could lead
to misstatement in financial statements
Example: Risk assessment procedure
1. Identify the risk: Subjectivity of valuations
2. Consider the account balance at risk: Investment Properties Valuation
3. Link the identified risk to the assertions: Accuracy, Valuation and
Allocation; Disclosure; Presentation
4. Establish whether it is material: $45.3 million compared to overall
group materiality of $8 million.
5. Consider likelihood of misstatement: Auditors comfortable with
valuation.
4.1. Importance of internal control (1)
The US Committee of Sponsoring Organizations (COSO) of
the Treadway Commission defines internal control as:
a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and compliance
4.1.1. Management’s responsibility in
relation to internal control
Management must establish and maintain the entity's
controls
FMA - Corporate Governance in New Zealand:
Principles and Guidelines
NZX Corporate Governance Code (NZX Code)
Auditor does not express an opinion on the corporate
governance statement.
4.1.2. Auditors’ responsibilities in
relation to internal control
ISA (NZ) 315 para 12 states that:
The auditor shall obtain an understanding of
internal control relevant to the audit
The auditor’s understanding of the internal
control is to facilitate the performance of the
audit rather than to comment on the controls as
part of the audit
4.2. Internal control system (1)
The division of internal control into the following five components,
for purposes of the ISAs (NZ), provides a useful framework for
auditors to consider how different aspects of an entity’s internal
control may affect the audit.

Five components:

Control environment
Risk assessment processes
Control activities
Information system
Monitoring of controls.

ISA (NZ) 315 paragraph A59


Control Environment: Influence control awareness of Mgt & Emp.
Risk Assessment: Identify, analyse & manage risks relevant to FR
Monitoring: Assess quality of internal control performance over time
Information & Communication: Quality of info impacts reliability of FS
Control Activities: Trans auth., Seg. of duties, Supervision,
Acc Records, Access Control, Independent verification.
4.2.1. Control environment (1)
Sets the tone of the entity towards control consciousness and
includes:
(a) Enforcement of integrity and ethical value

(b) Commitment to competence

(c) Participation by those charged with governance

(d) Management’s philosophy and operating style

(e) Organisational structure

(f) Assignment of authority and responsibility

(g) Human resource policies and practices


4.2.2. Risk assessment process (1)
Risk assessment is the process used to identify
the risks and to put effective controls in
operation to manage those risks.
Management should consider:
The entity’s business risks and their financial
consequences
The inherent risks of misstatements in financial
statement assertions
The risk of fraud and its financial consequences
4.2.2. Risk assessment process (2)

Key factors include for example:


changes in the operating environment
new personnel
new or revamped information systems
rapid growth
new technology
new business models
corporate restructurings
expanded foreign operations
new accounting pronouncements.
4.2.3. Control activities
Control activities are detailed policies and procedures
that help ensure that management directives are
carried out to reduce risks that threaten the
achievement of entity objectives.
Control activities include:
1. Information processing controls.
2. Segregation of duties.
3. Physical controls.
4. Performance reviews.
Control Activities
Information processing controls: Authorisation, completeness and
accuracy of transactions. General IT controls and Application Controls.
Segregation of duties: Ensures individuals do not perform incompatible
duties. Executing, recording and maintaining custody of assets; various
steps in a transaction; certain accounting operations.
Physical controls: Limit access to assets and important records.
Direct (safekeeping, limit access e.g. safes) or indirect
(preparation or processing of documents authorising use or
disposal of assets).
Performance reviews: Involve managers’ participation in the
supervision of operations. Management review and analysis of reports,
actual vs budgets performance, financial vs non-financial data
relationships.
4.2.4. Information system
Information systems consist of procedures and
records established to:
initiate, record, process and report an entity's
transactions
maintain accountability for the related assets and
liabilities.
A major focus is that transactions are handled in such a
way that financial statements are presented fairly in
accordance with accounting standards.
An effective accounting system should provide a
complete audit trail for each transaction.
4.2.5. Monitoring of controls
Monitoring is the process by which the entity monitors
the quality of internal controls over time.
1. Ongoing monitoring activities, could include:
an active internal audit function
2. Separate periodic evaluations:
including evaluations of computer general controls due to
pervasive effect on various programmed application controls
3. Reporting deficiencies to the audit committee (or full
board of directors) for discussion and decisions about
corrective actions.
4.3. Limitations of control
Inherent limitations in internal control structure:
Cost versus benefits
Management override
Non-routine transactions
Mistakes in judgement
Collusion
Breakdowns due to human failure and error
Changes in conditions.
Internal controls provide reasonable, not absolute,
assurance of achieving objectives.
5.1. Internal Control Procedures

Procedures can include:


reviewing previous experience with the entity
inquiries of management, supervisory and staff
personnel
inspection of documents and records
observation of the entity’s activities and operations
transaction walk-through reviews to confirm
documented understanding.
5.2. Documenting the understanding
of the Internal Controls
7. Documenting the understanding
(continued)
6. Preliminary assessment of control
risk
Control risk is the risk that a material misstatement
could occur in an assertion, either individually or when
aggregated with other misstatements, and not be
prevented, detected, or corrected on a timely basis by
the entity’s internal control structure.
Purpose of preliminary assessment:
To obtain a reasonable expectation of the controls in place
and to decide on an appropriate audit strategy, so as to design
a detailed audit program.
6.1. Process of assessing control risk
Evaluating the effectiveness of the design and operation of an
entity’s internal controls in preventing or detecting material
misstatements in the financial statements.
Steps:
1. Assess the control environment.
2. Assess the design effectiveness of control procedures and their
ability to prevent or correct misstatement.
3. Assess whether controls were effectively applied throughout the
period under audit.
If control risk is assessed as less than high, the auditor must
perform tests of controls to obtain evidence to support that level.
Audit risk
Audit risk is the risk that the auditor gives an
inappropriate audit opinion when the financial
statement is materially misstated.
In setting the acceptable audit risk, auditors seek an
appropriate balance between the costs of an incorrect
audit opinion and the costs of performing the
additional audit procedures necessary to reduce audit
risk.
Audit Risk Model
Auditor sets AR (Acceptable): Sufficient and appropriate evidence
Auditor assesses IR: Risk assessment procedures
Auditor assesses CR: Procedures to understand internal controls;
Test of controls
Auditor determines DR (Planned): Analytical procedures; Test of details
Audit risk components
Inherent risk (ISA NZ 200)
The possibility that a material misstatement could
occur in an assertion assuming there are no
related controls.
Auditors cannot change the actual level of
inherent risk.
Inherent Risk - Examples
Non-routine transactions
Estimates (e.g. FV)
Judgement
Complexity
Rapid change
State of the economy
Prior period misstatements
Susceptibility to fraud and theft
Audit risk components
Control risk (ISA NZ 200)
Risk that a material misstatement could occur in
an assertion and not be prevented, detected, or
corrected by the entity’s internal control structure
Effective internal control structure reduces control
risk
Audit risk components
Detection risk (ISA NZ 200)
Risk that an auditor’s substantive procedures will not
detect any material misstatements that exist in an
assertion
Depends on effectiveness of substantive procedures
(and so the amount of audit work)
Audit risk components
Detection risk (ISA NZ 200)
The level of detection risk is controllable by the
auditor through:
appropriate planning, direction, supervision and review,
variation in the nature, timing and extent of audit
procedures, and
effective performance of the audit procedures and
evaluation of their results.
Examples of Detection Risk
Poor audit planning or selection of the wrong audit
procedures on the part of the auditor.
Poor interaction and engagement by the auditor with
the audit management.
Poor understanding of client’s business and
complexity of financial statements.
Wrong selection of sample size.
Audit Risk
Source Documents ($10,000) -> Journals & Ledgers ($15,000) -> Financial Statements ($15,000)
Error: Inherent risk (complex transaction)
Controls: Detect & Prevent
Misstatement
Example
Business Risk: The risk that the entity will fail to achieve its
objectives.
Audit Risk: The risk that auditors may give an inappropriate opinion
on the financial statements.
Inherent Risk (IR), at the FS level and at the assertion level:
Management need to attain a certain level of profitability.
Unusual pressure on management.
Susceptibility to misstatement or loss; Income smoothing.
Control risk (CR):
Collusion to circumvent controls; Management override.
Detection Risk (DR):
Materiality risk & Sampling risk: Auditor fails to set appropriate
level for performance materiality. Sample is not representative of
the population.
Quality control risk: Auditor fails to collect sufficient appropriate
audit evidence.
7.2. The relationships among risk
components
An auditor’s objective is to achieve an acceptably
low level of audit risk
There is an inverse relationship between
inherent and control risks and the level of
detection risk that the auditor can accept
Auditors:
cannot control inherent risk (IR) and control risk (CR), but
can assess these risks and design substantive
procedures to produce an acceptable level of
detection risk
7.2.1. Non-quantified audit risk model

Auditors may use non-quantified expressions for risk:


This is consistent with the quantified audit risk model, in that
the acceptable levels of detection risk are inversely related
to the assessments of inherent and control risks.
If the assessments of control and inherent risks are both
high, then the acceptable level of detection risk will
generally have to be very low.
Conversely, if control and inherent risks are both low, then
the acceptable level of detection risk can be high.
7.3. Acceptable detection risk matrix (1)
If IR and CR are high = DR low (lots of testing required)
If IR and CR are low = DR high (low risk of material misstatements)
If IR is high and CR is low = DR medium (controls offset high IR)
If IR is low and CR is high = DR medium (could be indicative of
fraud)
Summary
Audit risk assessment and financial statement
assertions
Business risks in audit planning
Audit risk procedures
Internal control system and documentation
procedures
Preliminary assessment of control risk
Audit risk and its three components – IR, CR and
DR
