
Audit Risk

Risk-based approach to auditing


A key feature of modern auditing is the ‘risk-based’
approach that is taken in most audits.

At the planning stage, as required by BSA 315,
the auditor will identify and assess the
main risks associated with the business
to be audited.
Audit Risk
Audit risk is the risk (chance) that the auditor
reaches an inappropriate (wrong)
conclusion on the area under audit.

For example, if the audit risk is 5%, this means
that the auditor accepts that there will be a 5%
risk that the audited item will be misstated in the
financial statements, and only a 95% probability
that it is materially correct.
Audit Risk Model
IR (Inherent Risk)
Inherent risk is the risk that items may be
misstated as a result of their inherent
characteristics. Inherent risk may result
from either:

• the nature of the items themselves. For
example, estimated items are inherently
risky because their measurement depends on
an estimate rather than a precise measure; or
• the nature of the entity and the
industry in which it operates. For
example, a company in the construction
industry operates in a volatile and high-risk
environment, and items in its financial
statements are more likely to be
misstated than items in the financial
statements of companies in a more low-risk
environment, such as a manufacturer of food
and drinks.

When inherent risk is high,
this means that there is a high
risk of misstatement of an
item in the financial statements.
CR (Control Risk)
Control risk is the risk that a misstatement
would not be prevented or detected by
the internal control systems that the client
has in operation.

In preparing an audit plan, the auditor needs to
make an assessment of control risk for
different areas of the audit. Evidence about control
risk can be obtained through ‘tests of control’.
DR (Detection risk)
Detection risk is the risk that the audit testing
procedures will fail to detect a misstatement
in a transaction or in an account balance. For
example, if detection risk is 10%, this means that
there is a 10% probability that the audit tests will fail
to detect a material misstatement.

Detection risk can be lowered by carrying out more
tests in the audit. For example, to reduce the
detection risk from 10% to 5%, the auditor should
carry out more tests.
Audit Risk
The detection risk can be managed by the auditor in order to control
the overall audit risk through increasing audit work.

Inherent risk cannot be controlled.

Control risk can be reduced by improving the quality of internal
controls.

However, recommendations to the client about improvements in its
internal controls can only affect control risk in the future,
not control risk for the financial period that is subject to audit.

So, audit risk can be reduced by increasing testing, and
reducing detection risk.
Example
An auditor has set an overall level of acceptable audit risk
in respect of a client of 10%. Assessed Inherent risk is 50%
and control risk is 80%.

Required

• Explain the meaning of a 10% level of audit risk.
• What level of detection risk is implied by this
information?
• If the level of audit risk needs to be maintained at only 5%,
how would this affect the level of detection risk and how
would the audit work be affected by this change?
Answer
a) A 10% level of audit risk means that the auditor will be
90% certain that his opinion on the financial
statements is correct.

b) AR = IR × CR × DR
then DR = AR / (IR × CR)
DR = 0.10 / (0.50 × 0.80)
Therefore DR = 0.25 = 25%

c) If AR is reduced to 5%, DR would now be 12.5%. More
audit work will be needed to achieve this lower level of
detection risk.
Risk of material misstatement
• Exists at the financial statements level and
assertion level
– Categories of risk within these levels
• Inherent risk
• Control risk
• Risk of material misstatement high -
Auditor accepts less audit risk
• Risk of material misstatement lower -
Auditor accepts more audit risk
What Makes a Risk Significant?
– Whether the risk is a risk of fraud
– Complexity of transactions
– Whether the risk involves transactions with
related parties
– Degree of subjectivity in measurement of
financial information related to risk
– Whether the risk involves significant
transactions outside normal course
of business
Factors for Assessment of Inherent Risk
• Lack of expertise to deal with changes in industry
• Uncertain likelihood of successful introduction of
new product and acceptance by market
• Information technology being incompatible across
systems
• Expansion of business for which demand not
accurately estimated
• Implementation of incomplete business strategy
• New regulatory requirements increase legal
exposure
• Alternative products, services, competitors, or
providers posing a threat to current business
• Significant supply chain risks
• Complex production and delivery processes
• Mature and declining industry
• Inability to control costs with possibility of
unforeseen costs
• Producing products that have multiple substitutes
Example: identifying inherent risks
A charitable organisation relies for its funding on donations from
the general public, which is mainly in the form of cash collected in
the streets by volunteers and cheques sent in by post to the
charity’s head office. Wealthy individuals occasionally provide
large donations, sometimes on condition that the money is used
for a specific purpose. The constitution of the charity specifies the
purpose of the charity, and also states that no more than 15% of
the charity’s income each year may be spent on administration
costs.

Required

Identify the inherent risks for this charitable organisation that an
auditor of its financial statements would need to consider.
Solution
• Volunteers collecting cash from the general public may
keep for themselves some or all of the cash they
collect.
• There are no controls that can ensure that all the
money received by the charity is properly recorded.
This is because there are no sales invoices against which
receipts of income can be checked.
• When money is given to the charity for spending on a
specific purpose, there are no controls to ensure that
the money is actually spent on its intended purpose.
• Similarly there are no controls to ensure that
the money collected by the charity is spent on
the purposes specified in the
constitution of the charity.
• There are possibly no controls to ensure that
money spent on administration is
actually recorded as
administration costs.
Assessing Factors Affecting Control Risk

• Difficulty gaining access to the organization
or determining the controllers of the organization
• Little interaction between senior
management and operating staff
• Weak tone at the top leading to a poor
control environment
• Inadequate accounting staff and
information systems
• Growth of organization exceeding accounting system
infrastructure
• Disregard of regulations for prevention of illegal acts
• No internal audit function, or lack of respect for
internal audit function by management
• Weak design, implementation, and monitoring
of internal controls
• Lack of supervision of accounting personnel


Determining Detection Risk and Audit Risk

• Auditor determines level of
detection risk on the basis of:
– Assessment of risk of material
misstatement at all levels
– Consideration of desired level of audit
risk
Detection Risk and Audit Risk

• Detection risk is affected by:
– Effectiveness of substantive auditing procedures
performed
– Extent to which the procedures were performed
with due professional care
• High level of detection risk
– Audit firm is willing to take higher risk of not
detecting a material misstatement
– Audit risk is also high
• Low level of detection risk
– Audit firm is not willing to take as much of a risk of
not detecting material misstatement
– Audit risk is also low
• Audit risk usually set at between 1% and 5%
• Detection risk ranges from 1% to 100%
Risks and Their Effects on Audit Work
High Risk of Material Misstatement
• Assuming an account with many complex
transactions and weak internal controls
– Inherent risk and control risk assessed at their
maximum
– Audit risk set at a low level
• Audit risk model
Audit Risk = Inherent Risk × Control Risk × Detection Risk
0.01 = 1.00 × 1.00 × Detection Risk
Detection Risk = 0.01 / (1.0 × 1.0) = 1%
Low Risk of Material Misstatement
• Assuming an account with simple transactions
and well-trained personnel with no incentive
to misstate financial statements
• Inherent risk and control risk assessed at 50% and
20% respectively
• Audit risk set at 5%
Audit Risk = Inherent Risk × Control Risk × Detection Risk
0.05 = 0.50 × 0.20 × Detection Risk
Detection Risk = 0.05 / (0.50 × 0.20) = 50%
Planning Audit Procedures to Respond to the
Assessed Risks of Material Misstatement

• Auditor should design:
– Controls reliance audit
– Substantive audit
• When considering risk responses, auditor
should:
– Evaluate reasons for assessed risk of material
misstatement
– Estimate likelihood of material misstatement due
to inherent risks of client
– Consider the role of internal controls, and
determine whether control risk is relatively high or
low
– Obtain more relevant and reliable evidence with
increase in assessment of risk of material
misstatement
Nature of Risk Response
• Types of audit procedures applied given the
nature of account balance and relevant
assertions regarding that account balance
• Procedures
• Assembling audit team with more experienced auditors
• Including on audit team outside specialists
• Increasing emphasis on professional skepticism
Timing of Risk Response
• When audit procedures are conducted and
whether they are conducted at announced or
predictable times
• When risk of material misstatement is
heightened
– Audit procedures conducted closer to year end on
an unannounced basis
– Some element of unpredictability included in
timing
• Introducing unpredictability
– Performance of some audit procedures on low risk
accounts, disclosures, and assertions
– Change in timing of audit procedures from year to
year
– Selection of items for testing that are lower than
prior-year materiality
– Performance of audit procedures on a surprise or
unannounced basis
– Varying location or procedures year to year
• Procedures that can be completed only at or
after period end
– Comparison of financial statements to accounting
records
– Evaluation of adjusting journal entries made by
management in preparing financial statements
– Conduct procedures to respond to risks that
management may have engaged in improper
transactions at period end
Thank You for Your Attention
Any Questions?
