Chap04 Risk Assessment

Auditing and Assurance Services
A Systematic Approach
Eleventh Edition
CHAPTER 4
Risk Assessment
Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

without the prior written consent of McGraw-Hill Education.
Learning Objective 04-1
Audit Risk
The risk that an auditor expresses an inappropriate audit
opinion when the financial statements are materially
misstated.
Assertion
level
Individual
Financial account
statement balance or
level disclosure
level

without the prior written consent of McGraw-Hill Education. 4-2
The Audit Risk Model (1 of 2)

Susceptibility of an assertion in an account or disclosure
Inherent to a misstatement due to error or fraud that could be
Risk material, before consideration of any related controls
Risk that a misstatement that could occur in an assertion

Control about an account or disclosure and that could be material
Risk will not be prevented, or detected and corrected, on a
timely basis by the entity’s internal control
Risk that the procedures performed by the auditor to

Detection reduce audit risk to an acceptable low level will not
Risk detect misstatements that exist and could be material
• Inappropriate audit procedure
• Misinterpreting audit evidence
• Failure to recognize a misstatement or deviation
• Nonsampling risk

The Audit Risk Model (2 of 2)
Inherent Risk and Control Risk = Risk of Material Misstatement
Audit Risk = IR x CR x DR
Nonsampling Sampling
OR risk risk
Audit Risk = RMM x DR

Engagement Risk
Litigation
An auditor’s exposure
to financial loss and
damage to
professional reputation
Or other events arising

in connection with
Adverse
the audited financials publicity

Using the Audit Risk Model (1 of 2)
1 Setting a planned level of audit risk
2 Assessing the risk of material misstatement (IR x CR)
3 Determining the appropriate level of detection risk:
AR = IR × CR × DR
AR
DR =
IR × CR
Auditors use this level of detection risk to design audit
procedures that will reduce audit risk to an acceptable level.

Using the Audit Risk Model (2 of 2)
Example AR RMM DR
1 Very low High Low
2 Low Moderate Moderate
3 Low Low High
Auditors assess each component of the audit

risk model using either quantitative or
qualitative terms

Knowledge Assessment
Example AR RMM DR
3 Low Low High
For Example 3 in the table above, why is the auditor setting

DR at high? What does a high assessment of DR mean in
terms of the level of audit testing?
(Stop and Think p. 101)

Example AR RMM DR
3 Low Low High
For Example 3 in the table above, why is the auditor setting

DR at high? What does a high assessment of DR mean in
terms of the level of audit testing?
DR is set high because there is a low risk that a

material misstatement is present in the financial
statements and, as a result, the auditor needs to
gather less evidences.

FIGURE 4-1 The Relationship of the Entity’s

Business Risks to the Audit Risk Model

Limitations of the Audit Risk Model

The audit risk model is a planning tool, but it has
some limitations that must be considered when the
model is used to revise an audit plan or to evaluate
audit results:
• The model is only as good as the judgements and
assessments used as inputs (e.g. it does not
consider potential auditor error
• The desired level of audit risk may not actually be
achieved

The Auditor’s Risk Assessment

Process
Auditors perform risk assessment procedures to
obtain an understanding of the entity and its
environment.
This understanding helps the auditor identify

business risks and understand the potential
misstatements that may result.
Considering the response of the entity to the

business risk leads the auditor to assess the risk of
material misstatement at the financial statement
and assertion level

FIGURE 4-2 An Overview of the Auditor’s Risk

Assessment Process

Auditor’s Risk Assessment Procedures

(How do we gather this evidence?)
Inquires of
management,
Observation
other entity Analytical and
personnel, Procedures inspection
and others
outside the
entity

Understanding the Entity and Its

Environment
Industry, Regulatory,
Nature of the entity
and External Factors
Objectives, strategies,
Internal Control
and business risks
Entity Performance
Measures

Nature of the Entity (1 of 2)

To understand the nature of the entity, the auditor
should obtain information about the entity’s:
• Business Operations
– The nature of revenue sources, products and services, and
markets; the conduct of operations; alliances, joint ventures,
and outsourcing activities; location of production facilities,
warehouses, and offices; and key customers and important
suppliers of goods and services
• Ownership and Governance Structures
• Investments and Investment Activities
– Planned or recent acquisitions or divestitures; investments and
dispositions of securities and loans; capital investment
activities; and investments in partnerships and joint ventures

Nature of the Entity (2 of 2)

• Financing and Financing Activities
– Major subsidiaries and associated entities; debt structure;
leasing arrangements; related parties; and the use of derivative
financial instruments
• Financial Reporting
– Accounting principles and industry-specific practices; revenue
recognition practices; accounting for fair values; and accounting
for unusual or complex transactions

Consider an entity that sells goods to a declining customer

base. What risks does this entity face? How will these risks
impact the audit?

Industry, Regulatory, and Other

External Factors (Table 4-1)

Objectives, Strategies, and

Related Business Risks
The auditor must identify and understand:
Business risks
Strategies
Entity’s associated with
used to
objectives those
achieve its
objectives and
objectives
strategies

Internal Control
The auditor needs to understand and assess
the effectiveness of internal control in order to:
Identify the
types of potential
It also assists in
misstatements
designing
and factors that
appropriate
affect the risks of
audit procedures
material
misstatement

Assessing the Risk of Material

Misstatement (1 of 5)
Errors are unintentional misstatements of
amounts or disclosures in the financial statements.
Fraud refers to an intentional act by one or more

among management, those charged with
governance, employees, or third parties, involving
the use of deception that results in a misstatement
in the financial statements.


Examples of misstatements include:
● An inaccuracy in gathering or processing data from
which financial statements are prepared.
● An omission of an amount or disclosure.
● A financial statement disclosure that is not presented in
accordance with GAAP.
● An incorrect accounting estimate arising from
overlooking or clear misinterpretation of facts.
● Judgments of management concerning accounting
estimates that the auditor considers unreasonable or
accounting policies that the auditor considers
inappropriate.


Fraud involves
intentional misstatements.
Fraudulent Misappropriation
financial reporting of assets


Misappropriation of assets involves the theft of
an entity’s assets to the extent that financial
statements are misstated.
Examples include:
• Stealing assets
• Paying for goods and services not received by the company
• Embezzling cash received


Fraudulent financial reporting includes acts
such as the following:
• Manipulation, falsification, or alteration of accounting
records or supporting documents used to prepare
financial statements.
• Misrepresentation in, or intentional omission from, the
financial statements of events, transactions, or
significant information.
• Intentional misapplication of accounting principles
relating to amount, classification, manner of
presentation, or disclosure.

The Fraud Risk Assessment

Process
The fraud risk identification process includes:
Sources of information about possible fraud―

▪ Discussion among the audit team
▪ Inquiries of management and others
▪ Analytical procedures
▪ Investigation of unexpected period-end adjustments
▪ Identification of fraud risk factors

Conditions Indicative of Fraud and

Fraud Risk Factors
Three conditions usually exist when fraud occurs.
Incentive or Opportunity to
pressure to carry out the
perpetrate fraud Fraud fraud
Risk
Triangle
Attitude or
rationalization to
justify fraud

Risk Factors Relating to Incentive/Pressure

(See Table 4-2)
Fraudulent Financial Reporting

Risk Factors Relating to Incentive/Pressure include:
Excessive Management’s
pressure for Financial
personal
management to stability or
financial
meet third party profitability is
situation is
expectations threatened
threatened

Risk Factors Relating to Opportunities

(See Table 4-3)

Risk Factors Relating to Opportunities include:
Nature of the Complex or

Industry or unstable
entity’s organizational
operations structure
Ineffective Deficient
monitoring of internal
management control

Risk Factors Relating to

Attitudes/Rationalizations (See Table 4-4)

Risk Factors Relating to Attitudes/Rationalizations include:
Nonfinancial management’s Ineffective communication of ethical

excessive participation in selection of standards or selection of
accounting principles and estimates inappropriate ethical standards
Recurring attempts to justify

Excessive interest by management in
marginal or inappropriate accounting
stock prices and earning trends
based on materiality
Committing to aggressive or History of violations of securities laws

unrealistic forecasts or allegations of fraud

TABLE 4-5 Risk Factors Relating to the

Misappropriation of Assets

Which of the following is an example of fraudulent financial

reporting?
A. Company management falsifies the inventory count, thereby overstating

ending inventory and understating cost of sales.
B. An employee diverts customer payments to his personal use, concealing
his actions by debiting an expense account, thus overstating expenses.
C. An employee steals inventory, and the shrinkage is recorded as cost of
goods sold.
D. An employee borrows small tools from the company and neglects to
return them; the cost is reported as a miscellaneous operation expense.
(MC Question 4-20)

Which of the following is an example of fraudulent financial

reporting?
A. Company management falsifies the inventory count, thereby

overstating ending inventory and understating cost of sales.
B. An employee diverts customer payments to his personal use, concealing
his actions by debiting an expense account, thus overstating expenses.
C. An employee steals inventory, and the shrinkage is recorded as cost of
goods sold.
D. An employee borrows small tools from the company and neglects to
return them; the cost is reported as a miscellaneous operation expense.
(MC Question 4-20)

FIGURE 4-3 The Process of Responding to the Risk of

Material Misstatement and the Design and Performance of
Audit Procedures

Auditor’s Response to the Risk

Assessment Results
To respond appropriately to financial statement level
risks, the auditor may do the following:
● Assign more experienced personnel or those with
specialized knowledge.
● Evaluate the selection and application of accounting
policies to identify earnings management or bias
that may create a material misstatement.
● Incorporate additional elements of unpredictability
in the selection of audit procedures.

Evaluation of Audit Test Results

(1 of 2)
At the completion of the audit, the auditor should
consider:
● 1. Whether the total misstatements cause the financial
statements to be materially misstated.
● THEN …
● If the financial statements are materially misstated, the

auditor should:
● 1. Request management to eliminate the material
misstatement, or
● 2. If management does not make needed adjustments, the
auditor should issue a qualified or adverse opinion.

Evaluation of Audit Test Results

(2 of 2)
If the auditor determines that the misstatement is or may
be the result of fraud, and has determined that the effect
could be material, the auditor should:
● Attempt to obtain audit evidence to determine whether, in
fact, material fraud has occurred and, if so, its effect.
● Consider the implications for other aspects of the audit.
● Discuss the matter and the approach to further investigation
with an appropriate level of management that is at least one
level above those involved in committing the fraud and with
senior management.
● Suggest that the appropriate level of management consult
with legal counsel.
● Consider withdrawing from the engagement.

Documentation of the Auditor’s

Risk Assessment
The auditor should document:
● Discussions among engagement personnel.
● Procedures performed to identify and assess the risks of
material misstatement due to error or fraud.
● Fraud risks or other conditions that result in additional
audit procedures.
● The nature, timing, and extent of procedures performed
in response to fraud risks identified and the results of
that work.
● The nature of the communications about error or fraud
made to management, the audit committee, and others.

Communications about Fraud

(1 of 2)
Whenever the auditor has found evidence that a fraud
may exist, that matter should be brought to the
attention of an appropriate level of management. Fraud
involving senior management and fraud that causes a
material misstatement of the financial statement should
be reported directly to the audit committee.
The auditor should reach an understanding with the

audit committee regarding the expected nature and
extent of communications about misappropriations
perpetrated by lower-level employees.

Communications about Fraud

(2 of 2)
The disclosure of fraud to parties other than the client’s
senior management and its audit committee ordinarily is
not part of the auditor’s responsibility and ordinarily would
be precluded by the auditor’s ethical or legal obligations of
confidentiality, except when the following conditions exist:
● To comply with certain legal and regulatory
requirements.
● To a successor auditor when the successor makes
inquiries of the predecessor auditor about the client.
● In response to a subpoena.
● To a funding agency or other specified agency in
accordance with requirements for the audits of entities
that receive governmental financial assistance.


Chap04 Risk Assessment

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chap04 Risk Assessment

Uploaded by

Copyright:

Available Formats

Auditing and Assurance Services

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

The Audit Risk Model (1 of 2)

Risk that a misstatement that could occur in an assertion

Risk that the procedures performed by the auditor to

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

The Audit Risk Model (2 of 2)

Inherent Risk and Control Risk = Risk of Material Misstatement

Audit Risk = RMM x DR

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Or other events arising

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Using the Audit Risk Model (1 of 2)

1 Setting a planned level of audit risk

2 Assessing the risk of material misstatement (IR x CR)

3 Determining the appropriate level of detection risk:

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Using the Audit Risk Model (2 of 2)

1 Very low High Low

2 Low Moderate Moderate

3 Low Low High

Auditors assess each component of the audit

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

3 Low Low High

For Example 3 in the table above, why is the auditor setting

(Stop and Think p. 101)

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

3 Low Low High

For Example 3 in the table above, why is the auditor setting

DR is set high because there is a low risk that a

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

FIGURE 4-1 The Relationship of the Entity’s

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Limitations of the Audit Risk Model

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

The Auditor’s Risk Assessment

This understanding helps the auditor identify

Considering the response of the entity to the

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

FIGURE 4-2 An Overview of the Auditor’s Risk

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Auditor’s Risk Assessment Procedures

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Understanding the Entity and Its

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Nature of the Entity (1 of 2)

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Nature of the Entity (2 of 2)

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Consider an entity that sells goods to a declining customer

(Stop and Think p. 102)

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Industry, Regulatory, and Other

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Objectives, Strategies, and

The auditor must identify and understand:

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Assessing the Risk of Material

Fraud refers to an intentional act by one or more

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution

Assessing the Risk of Material