Welcome to

Audit Risk Assessment

 Outcomes
Having studied this chapter. you will be able to:
•Identify and describe the need to plan and perform audits
with an attitude of professional skepticism.
•Identify and describe engagement risks affecting the audit of
an entity.
•Explain the components of audit risk.
•Compare and contrast risk based, procedural and other
approaches to audit work.
•Discuss the importance of risk analysis.
•Describe the use of information technology in risk analysis.
•Explain how auditors obtain an initial understanding of the
entity and knowledge of its business environment.
Risk Assessment
 Plan the audit
Stage of Audit
Understand entity

Assess risk of material misstatement

Respond to risk
Expect effective Expect ineffective
controls controls

Unsatisfactory Report significant deficiencies

Tests of controls to those charged with
governance to management
and all weaknesses to
Satisfactory management

Restricted subst- Full substantive tests

antive tests Overall review
of F/S
Report to management
Expect ineffective controls
• ISA 315 – auditor should obtain an understanding of the
entity and its environment…sufficient to identify and
assess the risk of material misstatement in the financial
statements..
Business risk
• Financial risk
Total risk • Operational risk
• Compliance risk
Audit risk = risk of inappropriate
opinion
 The Importance of Risk Assessment
•The overriding principle of auditing is introduced in ISA 200
Overall Objectives of the Independent Auditor and the Conduct
of an Audit in Accordance with ISA's:
•'To obtain reasonable assurance, the auditor shall obtain
sufficient appropriate evidence to reduce audit risk to an
acceptably low level...'
•Through assessment of risk, auditors will be able to:
 Identify the areas of the financial statements where
misstatements are likely to occur;
 Plan procedures that address the significant risk areas identified;
 Carry out an efficient and effective audit;
 Minimise the risk of issuing an inappropriate audit opinion to an
acceptable;
 Reduce the risk of reputational and punitive damage;
• This is further developed by ISA 315 (Revised)
Identifying and Assessing the Risks of Material
Misstatement Through Understanding the Entity and its
Environment states:
• 'The objective of the auditor is to identify and assess the
risk of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels,
through understanding the entity and its environment,
including the entity's internal control, thereby providing
a basis for designing and implementing responses to the
assessed risks of material misstatement.'
• The auditor must identify the risks of material
misstatement; and use this to guide the design of their
audit procedures.
 What is Audit Risk
• Under ISA 200 Objective and General Principles
Governing an Audit of Financial Statements, the
auditor should plan and perform the audit to reduce
audit risk to an acceptably low level.

• Audit risk is the “risk that the auditor expresses an

inappropriate audit opinion when the financial
statements are materially misstated”.
 General Principles
• Professional Skepticism
• The auditor should plan and perform an audit with an
attitude of professional skepticism recognising that
circumstances may exist that cause the financial
statements to be materially misstated.
• This requires:
 Critical assessment, with a questioning mind, of
the validity of evidence obtained
 Alertness to contradictory evidence
 Neither the assumption that management is
dishonest nor the assumption of unquestioned
honesty.
Risk-based vs. Other Approaches
 Components of Audit Risk
• Audit risk is made up of 3 component parts, inherent
risk, control risk and detection risk:

• Inherent risk and control risk together form the 'risk

of material misstatement'.
 Inherent Risk
• This is the susceptibility of an assertion to a
misstatement that could be material, either
individually or when aggregated with other
misstatements, assuming that there were no related
internal controls.
• The risk of such misstatement is greater for some
assertions and related classes of transactions, account
balances, and disclosures than for others. For
example,
 Complex calculations are more likely to be misstated than
simple calculations
  Accounts consisting of amounts derived from accounting
estimates that are subject to significant measurement
uncertainty pose greater risks than accounts consisting
of relatively routine, factual data.
• External circumstances giving rise to business risks may
also influence inherent risk.
 Control risk
• This is the risk that a misstatement could occur in an
assertion and that could be material, either
individually or when aggregated with other
misstatements, will not be prevented, or detected
and corrected, on a timely basis by the entity's
internal control.
• Control risk is a function of the effectiveness of the
design and operation of internal control in achieving
the entity’s objectives relevant to preparation of the
entity’s financial statements.
• Some control risk will always exist because of the
inherent limitations of internal control.
Detection Risk
•This is the risk that the auditor's procedures will not detect
a misstatement that exists in an assertion that could be
material either individually or when aggregated with other
misstatements.
•Detection risk is a function of the effectiveness of an audit
procedure and of its application by the auditor.
•It is primarily the consequence of the fact that the auditor
does not, and cannot, examine all available evidence
(sampling risk).
•Factors affecting non-sampling risk are
• Auditor's Experience • Poor Planning
• Time Pressure • New Client
• Financial Constraints • Industry Knowledge
Understanding The Entity And Its Business
Environment
• Matters to consider when obtaining an understanding
of the entity.
 Assessing Risk
This includes:
a)Identifying risks by considering the entity and its
environment, including its internal control
b)Relating the identified risks to what can go wrong at
the assertion level
c)Considering the significance and likelihood of the
risks
d)Establishing materiality and evaluating whether the
original level set remains appropriate as the audit
progresses
e)Developing expectations for use when performing
analytical procedure
f) Designing and performing further audit procedures to
reduce audit risk to an acceptably low level
g) Evaluating the sufficiency and appropriateness of
audit evidence
• Risk assessment includes both an assessment of:
 Business risk resulting from the entity's objectives
and strategies that may result in material
misstatement of the financial statements
 Audit risk and its component parts.
 Business Risk
• Business risks 'result from significant conditions,
events, circumstances or actions that could adversely
affect the entity's ability to achieve its objectives and
execute its strategies, or through the setting of
inappropriate objectives and strategies' [ISA 315].
• It is usually split into financial risk, operational risk
and compliance risk.
• The auditor should obtain an understanding of the
entity's process for identifying business risks relating
to financial reporting objectives and deciding about
actions to address those risks, and the results
thereof.
 Risk Assessment Procedures
• ISA 315 requires auditors to perform the following
procedures to obtain an understanding of the entity
and its environment, including its internal control:
 Enquiries of management and other within the entity
 Analytical procedures
 Observation and inspection.
• The members of the audit team should also discuss
the susceptibility of the entity's financial statements
to material misstatements.
 Effect of Fraud and Misstatements
• ISA 240 The auditor's responsibility to consider fraud in an
audit of financial statements contains very similar
requirements to those listed in risk assessment procedure.
It has a particular emphasis on:
• Obtaining an understanding of how those charged with
governance exercise oversight over the identification of
the fraud risks and the implementation of controls.
• Where the risk assessment suggests there may be
material misstatements arising from fraud the main
effects on the audit strategy will relate to:
 Assignment and supervision of personnel
 Consideration of accounting policies
 Unpredictability in nature, timing and extent of audit
procedures.
 ISA 520 Analytical Procedures

• 'Analytical procedures' means the analysis of

relationships to identify inconsistencies and
unexpected relationships.
• The auditor should apply analytical procedures as risk
assessment procedures and in the overall review at
the end of the audit.
• They can also be used as a source of substantive
audit evidence when their use is more effective or
efficient than tests of details in reducing detection
risk for specific financial statement assertions.
• Analytical procedures include the following type of
comparisons:
a. Prior periods
b. Budgets and forecasts
c. Industry information
d. Predictive estimates
e. Relationships between elements of financial information,
i.e., ratio analysis
f. Relationships between financial and non-financial
information, e.g. payroll costs to the number of
employees.
a. Application of analytical procedures may indicate aspects
of the entity of which the auditor was unaware and will
assist in assessing the risks of material misstatement in
order to determine the nature, timing and extent of
further audit procedures
Common Ratios for Use in Analytical
Review
 Audit Materiality (ISA 320)
•The auditor should consider materiality and its
relationship with audit risk when conducting an audit.
•The objective of an audit of financial statements is to
enable the auditor to express an opinion whether the
financial statements are prepared in all material
respects, with an identified financial reporting
framework.
 What is Materiality?
a) Information is material if its omission or
misstatement could influence the economic decisions
of users taken on the basis of the financial
statements.
b) The auditor must be concerned with identifying
'material' errors, omissions and misstatements. Both
the amount (quantity) and nature (quality) of
misstatements need to be considered.
c) To put this into practice the auditor therefore has to
set his own materiality levels – this will always be a
matter of judgement.
d) The level set has a critical impact on two key areas:
i. The nature, timing and extent of audit procedures;
and
ii. Evaluating the effect of misstatements:
• Whether to seek adjustments; or
• The degree of any auditor’s report modification.
The Calculation of Materiality

a) It is a matter of professional judgement

b) Most firms set criteria for guidance
For example:
• between ½ and 1% of revenue
• between 1 and 2% of total assets; or
• between 5 and 10% of profit before tax.
• The figure chosen will depend on the confidence
the auditor has in the client's figures, the uses the
financial statements will be put to and any other
factors affecting the auditor's judgement.
Thanks All For Today