Professional Documents
Culture Documents
Professional scepticism
It is a requirement of ISA 200 that, when planning and performing an audit
the auditor should adopt an attitude of professional scepticism. Professional
scepticism is defined by ISA 200 as:
ISA 210
Establish an overall strategy for the audit that sets the scope, timing and
direction of the audit and that guides the development of the audit plan
Develop an audit plan which includes a description of the nature, timing
and extent of planned risk assessment procedures and planned further audit
procedures
Document the overall audit strategy and the audit plan, including any
the financial reporting framework used (for example, international financial reporting standards)
any industry specific reporting requirements
the location of the components of the entity (for example, there might be overseas branches).
Ascertaining the reporting objectives of the engagement, such as reporting deadlines and the
nature of communications required.
Considering important factors which will determine the focus of the audit team’s efforts, such as:
materiality thresholds
high risk areas of the audit
the audit approach (for example, whether the auditor is planning to rely on the entity’s internal
controls)
any recent developments in relation to the entity, the industry or financial reporting requirements.
Contents of the overall audit strategy and the audit plan
The audit procedures to be performed by audit team members will be those needed in
order to:
obtain sufficient appropriate audit evidence, and
Most firms now use a mixture of the audit risk approach and a systems-based approach.
Materiality: ISA 320
The IASB’s Framework for the preparation and presentation of financial statements states that:
“Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements.”
However, it is important to bear in mind that ‘qualitative’ characteristics may also be taken into
account. For example, many auditors would take the view that certain figures in financial
statements should be absolutely correct and that any errors in those figures would be judged to
be material. Examples might include a requirement for 100% accuracy in reporting issued share
capital and directors’ remuneration.
Audit risk: ISA 330
risks. The objective of ISA 330 is to gather adequate appropriate audit evidence about assessed
risks of material misstatement, by designing and putting in place appropriate responses to the
risks.
Responses to assessed risks:
At the financial statement level these ‘responses’ are overall ones, which may include:
emphasising to the audit team the need to maintain an attitude of professional scepticism
assigning more experienced staff or increased supervision of staff ̈ the use of experts
changing the nature, timing and extent of audit procedures
The assessment of the risks at this level and therefore the auditor’s response is very much
affected by the auditor’s assessment of the control environment. An effective control
environment will be likely to increase the auditor’s confidence in controls in all areas and allow
him to carry out more procedures at the interim audit and to carry out less tests of detail
At the assertion level these ‘responses’ take the form of further audit procedures, discussed in
detail in later chapters. Audit procedures can take the form of tests of controls and/or substantive
procedures.
Audit risk: ISA 330
The audit risk model
A standard audit risk model is available to help auditors identify and quantify the main elements
making up overall audit risk.
Audit risk is the risk (chance) that the auditor reaches an inappropriate (wrong) conclusion on
the area under audit. For example, if the audit risk is 5%, this means that the auditor accepts that
there will be a 5% risk that the audited item will be misstated in the financial statements, and
only a 95% probability that it is materially correct.
Under the
Client Risk control of the
auditor
Audit risk: ISA 330
The audit risk model
This model can be stated as a formula:
AR = IR × CR × DR
where: AR = audit risk
IR = inherent risk CR = control risk,
and DR = detection risk.
Risks are expressed as proportions, so a risk of 10% would be included in the formula as
0.10.
Inherent Risk
Inherent risk is the risk that items may be misstated as a result of their inherent characteristics.
Inherent risk may result from either:
the nature of the items themselves. For example, estimated items are inherently risky because their
measurement depends on an estimate rather than a precise measure; or
the nature of the entity and the industry in which it operates. For example, a company in the
construction industry operates in a volatile and high-risk environment, and items in its financial
statements are more likely to be misstated than items in the financial statements of companies in a
more low-risk environment, such as a manufacturer of food and drinks.
When inherent risk is high, this means that there is a high risk of misstatement of an item in the
financial statements.
Inherent risk operates independently of controls. It cannot be controlled. The auditor must
accept that the risk exists and will not ‘go away’.
Audit risk: ISA 330
Control Risk
Control risk is the risk that a misstatement would not be prevented or detected by the internal
control systems that the client has in operation.
In preparing an audit plan, the auditor needs to make an assessment of control risk for different
areas of the audit. Evidence about control risk can be obtained through ‘tests of control’.
The initial assumption should be that control risk is very high, and that existing internal controls
are insufficient to prevent the risk of material misstatement. However, tests of control may
provide sufficient evidence to justify a reduction in the estimated control risk, for the purpose of
audit planning
Detection Risk
Detection risk is the risk that the audit testing procedures will fail to detect a misstatement in a
transaction or in an account balance. For example, if detection risk is 10%, this means that there
is a 10% probability that the audit tests will fail to detect a material misstatement.
Detection risk can be lowered by carrying out more tests in the audit. For example, to reduce the
detection risk from 10% to 5%, the auditor should carry out more tests.
The detection risk can be managed by the auditor in order to control the overall audit risk.
Inherent risk cannot be controlled.
Control risk can be reduced by improving the quality of internal controls. However,
recommendations to the client about improvements in its internal controls can only affect
control risk in the future, not control risk for the financial period that is subject to audit.
However, audit risk can be reduced by increasing testing, and reducing detection risk.
Fraud: ISA 240
̈ The entity’s profitability being under threat (for example, due to increased competition or