Advanced Audit and Assurance

Lecture 8
Audit risk and Business Risk
 ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• Risk are assessed by reference to the audit
risk model.
• AUDIT RISK = the risk of giving the wrong audit
opinion
• So…
• AUDIT RISK = the risk of material errors in the
FS, which the auditor fails to detect
 Financial Statement Risk
• FS Risk is the risk of material errors in the
Financial Statements, and comprises 2 parts:
• ● INHERENT RISK – the risk of material errors in the
FS due to the nature of the business and its
transactions
• ● CONTROL RISK – the risk that a company's own
checking procedures (internal controls) fail to
prevent or detect these material errors from
happening.
 Detection Risk
• Detection Risk is the risk that the auditor's
substantive tests fail to find material errors
in the FS
• so...
• AUDIT RISK = FS RISK x DETECTION RISK.
• Or more usually…
• AUDIT RISK = INHERENT RISK x CONTROL RISK
x DETECTION RISK
 Using the audit risk model
• 1. Assess the client's inherent risk for each area of
the FS, and overall.
• 2. Assess whether the client's internal controls
are good enough to deal with these inherent risks.
• 3. If controls do not look strong (ie Control Risk
is HIGH), then Detection Risk will need to be kept
LOW in order to manage overall audit risk. This
can be done by:
• ● sending a more experienced audit team
• ● carrying out more (or better) substantive tests.
The auditor’s response to assessed
risks (ISA 330)
• Once audit risks have been identified, the auditor
needs to respond to these risks in an appropriate way.
This will include taking steps such as:
• ● Designing tests of control and substantive tests to
address the risk areas.
• ● Emphasising to the audit team the need to maintain
professional scepticism.
• ● Assigning more experienced staff or those with
special skills or using experts.
• ● Providing more supervision.
The auditor’s response to assessed
risks (ISA 330)
• ● Incorporating additional elements of
unpredictability in the selection of further audit
procedures to be performed.
• ● Making general changes to the nature,
timing or extent of audit procedures, for
example: performing substantive procedures at
the period end instead of at an interim date;
or modifying the nature of audit procedures
to obtain more persuasive audit evidence.
 AUDIT RISK
• Audit risk is the risk that the auditor will draw an
invalid conclusion from his audit. He may fail to qualify
his report when the accounts do not give a true and
fair view or conversely, the report may be qualified
when the accounts in fact give a true and fair view.
• Audit risk is classified as being a function of:
• Inherent risk;
• Control risk; and
• Detection risk
 INHERENT RISK
• Inherent risk is the likelihood of fraud or irregularities
occurring in the absence of any controls. It is defined as
the susceptibility of an account balance or class of
transactions to misstatements in other balance or
classes, assuming that there are no related internal
controls. It can be said to be the risk arising from the
nature of clients business and its environment.
• Inherent risk applies both at the entity level and at the
level of the account balance or class of transactions.
 INHERENT RISK INDICATIONS
• LOW RISK
• Management Characteristics:
• Management Operating Style: There is effective oversight
group such as an audit committee
• Conservative management philosophy with regard to both
operations and financial reporting
• Low turnover of management and senior accounting
personnel
• Little emphasis on meeting earnings projections
• High relevant experience of management and principal
owners.
 INHERENT RISK INDICATIONS
• LOW RISK
• Operating and Industry Characteristics:
• Adequate financial and operating performance
• Relative insensitivity of operations to interest rate
changes or inflation
• The industry in which the company operates is well
established, stable and relatively uninfluenced by
external conditions.
• Centralised organisation of operations
 INHERENT RISK INDICATIONS
• LOW RISK
• Engagement Characteristics
• Previous audit history of unqualified opinion, no audit
disagreements, few audit adjustments.
• Insignificant conflicts of interest, regulatory problems and
auditor independence problems.
• Recurring engagement relationship with client
• Few difficult to audit transactions or balances.
• Limited management rewards linked to reported results.
• Strong control environment; formal, documented, internal
audit function and high budgetary control system.
 INHERENT RISK INDICATIONS
• HIGH RISK
• Management Characteristics:
• Management Operating Style: Owner manager dominance.
• Aggressive management philosophy with regard to both
operations and financial reporting.
• High turnover of management and senior accounting personnel.
• Very high emphasis on meeting earnings projections.
• Credible allegations of improper conduct and business
reputation of management and principal owners
• Low relevant experience of management and principal owners.
 INHERENT RISK INDICATIONS
• HIGH RISK
• Operating and Industry Characteristics:
• Inadequate or inconsistent financial and operating
performance
• Very sensitive to interest rate changes or inflation.
• The industry in which the company operates is
relatively new, unstable and greatly influenced by
external conditions.
• Decentralised organisation of operations
 INHERENT RISK INDICATIONS
• HIGH RISK
• Engagement Characteristics
• Previous audit history of qualified opinion, audit disagreements,
numerous audit adjustments.
• Significant conflicts of interest, regulatory problems and auditor
independence problems.
• New client
• Many difficult to audit transactions or balances.
• Substantial management rewards linked to reported results.
• Informal control environment lacking documentation, no
internal audit function and or budgetary control system.
 INHERENT RISK INDICATIONS
• Factors to consider at the class of transactions
account balance level include:
• The portability and attractiveness of assets such as
cash.
• The possible impact on profit, such as closing stock
• The complexity of accounting issues involved, for
example legal contingent liability.
• The degree of management judgment involved, such
as provision for doubtful debts.
 CONTROL RISK
• It is the risk that misstatement that could occur
in an account balance or class of transactions and
could be material, individually or when
aggregated with misstatements in other balances
or classes. Will not be prevented or detected by
the system of internal control.
• There will always be some control risk because of
the intrinsic limitations of any system of internal
control.
 CONTROL RISK
• Control risk assessment involves consideration of the
adequacy of the control design as well as testing
adherence to control procedures. In the absence of
such assessment the auditor should assume that
control risk is high.
• On completion of the assessment the auditor will be
able to assess the strength of internal controls over
each account balances or class of transactions, and
thus the extent of reliance, the converse of risk, that
may be placed on controls when designing substantive
tests.
 CONTROL RISK
• The auditor may decide that for certain account balances
and class of transactions controls are likely to be
insufficient to place reliance on, as in small businesses,
or that reliance may not be cost-effective as in account
balances involving few transactions which are readily
verifiable by substantive testing such as long-term debt.
In such cases, control risk will be assessed typically as
being high, medium or low. However, knowledge of the
control environment may still affect the design of
substantive tests even where no reliance is to be placed
on controls.
 DETECTION RISK
• It is the risk that the auditors’ substantive tests
will not detect a misstatement in an account
balance or class of transactions that could be
material individually or when aggregated with
misstatements in other balances or classes.
• In other words, detection risk is the risk that
audit procedures will fail to detect material
misstatements. It relate to substantive
procedures and the inability of the auditors to
examine all evidence.
 DETECTION RISK
• Some detection risk would always be present even if
the auditor were to examine 100% of the account
balance or class of transactions because the auditor
may:
• May select an inappropriate audit procedure; or
• Misapplication of an appropriate audit procedure; or
• Misinterpreting audit result.
 DETECTION RISK
• The auditors inherent and control risk
assessment influence the nature, timing and
extent of substantive procedures required to
reduce detection risk and thereby audit risk.
• AR = IR × CR × DR × SR
• DR is Detection risk from substantive tests other
than sampling such as analytical review
• SR is Detection risk from substantive tests based
on sampling
 BUSINESS RISK
• Business Risk is the threat that an event or
action will adversely affect a business’s ability
to achieve its ongoing objectives.
• It can be split between external factor and
internal factors.
 External Business Risks Factors
• Changing legislation (example, minimum wage)
• Changing interest rate (especially with highly geared companies)
• Changing exchange rates
• Public opinion, attitude, fashions (example environmental factors)
• Price wars initiated by competitors.
• Import competition (example the textile trade)
• Untried technologies and ideas
• Bad debts resulting from economic factors
• Political factors
• Natural hazards (example, fire or flood)
 Internal Business Risks Factors
• Failure to modernize products, processes, labour relations, or marketing
resulting in loss of competitive edge.
• Employees (example: ineffective recruitment and training policies)
• Board members (example ineffective corporate governance)
• The process of dealing with suppliers or customers
• Excessive reliance on a dominant chief executive, thereby weakening
internal control
• Inappropriate gearing resulting in lack of financial efficiency
• Inappropriate acquisitions and poor future prospects
• Excessive reliance on one of a few products, customers and suppliers
• Computer system failures and loss of records
• Fraud
 Business Risks
• Businesses are at risk if their business
objectives are not achieved. It is therefore
desirable for the management of accompanies
to identify all business risks and, if necessary,
to amend the plan to accommodate the risk or
make contingency plans to survive.
Management reactions to Business
Risks
• What management can do about the risks once
they are identified depends on the risk and there
are indefinite varieties of risks. One possible
classification of possible reactions by
management is as follows
• Do nothing and hope for the best
• Develop internal controls
• Develop quality controls over production of
goods, production of services, staff recruitment.
Management reactions to Business
Risks
• Train staff
• Diversify – acquisition, new products, multiple
sourcing, adding to customer base perhaps by
exporting.
• Risk reduction – raising staff awareness of risk,
tighter discipline in all area, physical measures.
• Transfer of risk – by insurance, sub-contracting,
outsourcing.
 Business and Entrepreneur
• In the nutshell, the business of the
entrepreneur is risk-taking and all risks cannot
be removed. The basic economic truism is that
there is a correlation between risk and
returns, and higher returns are not possible
without risk.
 AUDIT RISK AND BUSINESS RISK
• Audit risk is often categorized as the product of inherent risk,
control risk and detection risk.
• Auditors should consider business risk in three ways:
• By enquiring into and assessing business risk, thereby, gaining
an excellent knowledge of the business.
• By helping their clients to recognize, assess and respond to
risk.
• By seeing the connection between audit risk and the risk of
misstatement in the financial statements which focuses the
audit on risks likely to lead to possible misstatements.
 Question
• Audit risk is a combination of the risk that the financial
statements being audited may contain material errors and
that these errors may not be detected by the auditor’s
testing procedures. Risk can be categorised as ‘low, medium
or high’ and is evaluated during the planning stage of an
audit. The auditor should devote attention to the critical
areas of the financial statements by considering and
evaluating materiality and risks specific to the company.
Materiality limits should be set at the planning stage of the
audit to act as a guideline for deciding whether adjustment
should be made to the financial statements.
 Question
• Required:
• (a) Briefly describe what you understand by the terms ‘inherent
risk’, ‘control risk’ ‘detection risk’ and ‘audit risk’. (4 marks)
• (b) List eight factors which the auditor would bear in mind when
assessing the audit risk of a company. You should set out your
answer under the headings ‘inherent risk’ and ‘control risk’. (4 marks)
• (c) Define and explain the Risk Equation, describing how it should be
used in audit planning. (5 marks)
• (d) Discuss the considerations which would determine whether an item is
material in relation to financial statements. (3 marks)
• (e) Discuss the validity of the statement that “materiality limits should be
set at the planning stage of the audit and should be rigidly adhered
to throughout the audit”. (4 marks) (20 marks)
 Answer
• (a) Inherent risk
• Inherent risk is the risk that a material misstatement
may come into existence because of the factors related to
the nature of the client.
• Control risk
• Control risk is the risk that a material misstatement will
get through the control system unprevented.
• Detection risk
• Detection risk is the risk that the material misstatement
will get through the auditor undetected.
 Answer
• Audit risk
• So, audit risk is the risk of the material
misstatement occurring, then getting by the
control system unprevented, then getting
by the auditor undetected and into the FS.
• In other words, it is the risk of an auditor
giving the wrong opinion.
 Answer
• (b) Inherent risk
• Tiredness– The risk of errors occurring increases when staff
are tired.
• Incompetence– The risk of errors increases as staff
experience and expertise decreases.
• Organisation – The risk of error increases the more
chaotic the client organisation.
• Time pressure – The risk of error increases the greater
the time pressure on accounting staff.
• Others– Complex transactions, profit pressure, boredom,
cultural issues.
 Answer
• Control risk
• Authorisation – The risk of the system failing to detect
an error goes up if there is less authorization.
• Segregation– The risk of the system failing to detect an error
goes up if there is insufficient segregation.
• Passwords – The risk of a system failing to prevent an
error goes up in an environment with no passwords.
• Reconciliation– The risk of a system failing to prevent an
error goes up in an area without reconciliations.
 Answer
• (c) Audit risk equation
• This is defined as follows:
• IR x CR x DR = AR
• Translation
• This equation says if an error occurs
• And
• The system fails to prevent it
• And
• The auditor does not detect it
• Then
• The auditor will give the wrong opinion
 Answer
• Application
• It is used in the deepest philosophies of
modern audit and underpins everything we
do.
• Audit risk
• Auditors are prepared to accept a low
audit risk which then feeds into different
levels of audit work.
 Answer
Client sets Client sets Auditor sets Auditor sets Vol of subs
tests

IR CR DR AR

Situation 1 Low Low High Low Reduced

Situation 2 High Low Low Low Full

 Answer
• (d) Materiality
• Materiality is determined by two factors:
• (i) Size– Clearly the bigger the error the greater the
materiality.
• (ii) Context– But the context of the error is relevant to its
materiality as well. Some errors are material by nature.
• Example
• A small fraud of £10,000 by directors of a company with
a profit of £10m is immaterial by size but material by
context and so is material.
 Answer
• (e) Planning stage
• It is true materiality threshold is calculated at the
planning stage.
• Calculation – The threshold can be 10% of profit
(or a more complicated calculation).
• Rigid adherence – But it is not true that it is
rigidly adhered to. Materiality threshold is just a
guide.
• Change – In fact, the materiality threshold can
change, eg, if the auditor discovers a fraud.