
Audit Risk Assessment
Week 7, Chapter 8

Learning objectives
After studying this presentation, you should be able to:
1 understand the importance of audit risk assessment and why it is linked to financial statement assertions
2 explain the importance of business risks in audit planning
3 describe the procedures performed by an auditor to assess risk
4 understand the importance of internal control to an entity and to its independent auditors
5 indicate the procedures for obtaining and documenting an understanding of the entity’s internal control
6 explain why and how a preliminary assessment of control risk is made
7 explain the importance of the concept of audit risk and its three components.
AUDIT PROCESS
• Engagement Letter
• Financial Statements - Management assertions
• Audit Objective: Ensure F/S free from material misstatements
• Risk Assessment: Inherent risk, Control risk
• Understand the entity and environment
• Audit risk model
• Materiality
• Understand internal controls
• Perform preliminary analytical procedures
Learning objectives
After studying this presentation, you should be able to:
1 understand the importance of audit risk assessment and why it is linked to financial statement assertions.
1. Importance of Risk Assessment
• Auditor’s responsibility:
– obtain an understanding of the entity for the purposes
of planning the audit
– understanding influences the auditor’s risk assessment
– assessment considers the nature of
• Business risk
• Internal control (and risks related to IC) and
• Audit risk
– to assess the risk that the financial statements contain
material misstatements
1.2. Management’s financial statement assertions – Account Balances (1)
Cash and bank balances
$54,224,000

Completeness
Existence
Accuracy, Valuation and Allocation
Obligations and Rights
Classification
Presentation
1.2. Management’s financial statement assertions – Transactions (2)
Revenue
$641,653,000

Occurrence
Completeness
Accuracy
Cut-off
Classification
Presentation
Learning objectives
After studying this presentation, you should be able to:
2 explain the importance of business risks in audit planning.
2. Business risk assessment (1)
• Business risk: a risk resulting from
significant conditions, events,
circumstances, actions or inactions that
could adversely affect an entity’s ability
to achieve its objectives
• A business risk approach allows the
auditor to:
– Identify threats and their effect on the financial statements
– Increase the chances of identifying risks of
material misstatements
2. Business risk assessment (2)
2. Business risk assessment (3)
Categories of business risk:
1. Financial risk - risks arising from the company’s financial activities or the financial consequences of operations
2. Operational risk - risks arising from the operations of the business
3. Compliance risk - risks arising from non-compliance with laws, regulations, policies, procedures and contracts
Learning objectives
After studying this presentation, you should be able to:
3 describe the procedures performed by an auditor to assess risk
3. Risk assessment procedures (1)

• Enquiries
– Management, staff, internal
auditors, company bankers, legal
advisors
• Analytical procedures
– Provide a broad indication of the
likelihood of possible errors
• Observations and inspections
– Inspection of manuals, visiting
business premises, observing
3. Risk assessment procedures (2)
To identify significant risks, the auditor is
required to:
1. Identify the risk and any related controls
2. Consider the account balance, class of
transaction or disclosure that is at risk
3. Link the identified risk to the assertions.
4. Establish whether the risk is material
5. Consider whether it is likely the risk could
lead to misstatement in financial statements
Example: Risk assessment procedure
1. Identify the risk: Subjectivity of valuations
2. Consider the account balance at risk: Investment Properties Valuation
3. Link the identified risk to the assertions: Accuracy, Valuation and Allocation; Disclosure; Presentation
4. Establish whether it is material: $45.3 million compared to overall group materiality of $8 million.
5. Consider likelihood of misstatement: Auditors comfortable with valuation.
Learning objectives
After studying this presentation, you should be able to:
4 understand the importance of internal control to an entity and to its independent auditors
4.1. Importance of internal control (1)
The US Committee of Sponsoring Organizations (COSO) of
the Treadway Commission defines internal control as:
a process, effected by an entity’s board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives relating
to operations, reporting, and compliance
4.1.1. Management’s responsibility
in relation to internal control
Management must establish and maintain the entity's
controls
• FMA - Corporate Governance in New Zealand:
Principles and Guidelines
• NZX Corporate Governance Code (NZX Code)
– Auditor does not express an opinion on the corporate
governance statement.
4.1.2. Auditors’ responsibilities in
relation to internal control
• ISA (NZ) 315 para 12 states that:
– The auditor shall obtain an understanding of internal
control relevant to the audit
• The auditor’s understanding of the internal
control is to facilitate the performance of the
audit rather than to comment on the controls as
part of the audit
4.2. Internal control system (1)
• The division of internal control into the following five components,
for purposes of the ISAs (NZ), provides a useful framework for
auditors to consider how different aspects of an entity’s internal
control may affect the audit.

• Five components:
– Control environment
– Risk assessment processes
– Control activities
– Information system
– Monitoring of controls.

• ISA (NZ) 315 paragraph A59


[Diagram: the five components of internal control]
• Control Environment: Influence control awareness of Mgt & Emp.
• Risk Assessment: Identify, analyse & manage risks relevant to FR
• Monitoring: Assess quality of internal control performance over time
• Information & Communication: Quality of info impacts reliability of FS
• Control Activities: Trans auth., Seg. of duties, Supervision, Acc Records, Access Control, Independent verification.
4.2.1. Control environment (1)

Sets the tone of the entity towards control consciousness and includes:
(a) Enforcement of integrity and ethical values
(b) Commitment to competence
(c) Participation by those charged with governance
(d) Management’s philosophy and operating style
(e) Organisational structure
(f) Assignment of authority and responsibility
(g) Human resource policies and practices
4.2.2. Risk assessment process (1)

• Risk assessment is the process used to identify the risks and to put effective controls in operation to manage those risks.
• Management should consider:
– The entity’s business risks and their financial
consequences
– The inherent risks of misstatements in financial statement
assertions
– The risk of fraud and its financial consequences
4.2.2. Risk assessment process (2)
• Key factors include for example:
– changes in the operating environment
– new personnel
– new or revamped information systems
– rapid growth
– new technology
– new business models
– corporate restructurings
– expanded foreign operations
– new accounting pronouncements.
4.2.3. Control activities

• Control activities are detailed policies and procedures that help ensure that management directives are carried out to reduce risks that threaten the achievement of entity objectives.
• Control activities include:
1. Information processing controls.
2. Segregation of duties.
3. Physical controls.
4. Performance reviews.
Control Activities
Information processing controls
• Authorisation, completeness and accuracy of transactions.
• General IT controls and Application Controls.
Segregation of duties
• Ensures individuals do not perform incompatible duties.
• Executing, recording and maintaining custody of assets; various steps in a transaction; certain accounting operations.
Physical controls
• Limit access to assets and important records.
• Direct (safekeeping, limit access e.g. safes) or indirect (preparation or processing of documents authorising use or disposal of assets).
Performance reviews
• Involve managers’ participation in the supervision of operations.
• Management review and analysis of reports, actual vs budgets performance, financial vs non-financial data relationships.
4.2.4. Information system
• Information systems consist of procedures and
records established to:
– initiate, record, process and report an entity's
transactions
– maintain accountability for the related assets and
liabilities.
• A major focus is that transactions are handled in such a
way that financial statements are presented fairly in
accordance with accounting standards.
• An effective accounting system should provide a
complete audit trail for each transaction.
4.2.5. Monitoring of controls
• Monitoring is the process by which the entity
monitors the quality of internal controls over time.
1. Ongoing monitoring activities, could include:
– an active internal audit function
2. Separate periodic evaluations:
– including evaluations of computer general controls due to
pervasive effect on various programmed application controls
3. Reporting deficiencies to the audit committee (or
full board of directors) for discussion and decisions
about corrective actions.
4.3. Limitations of control
• Inherent limitations in internal control structure:
– Cost versus benefits
– Management override
– Non-routine transactions
– Mistakes in judgement
– Collusion
– Breakdowns due to human failure and error
– Changes in conditions.
• Internal controls provide reasonable, not absolute, assurance of
achieving objectives.
Learning objectives
After studying this presentation, you should be able to:
5 indicate the procedures for obtaining and documenting an understanding of the entity’s internal control.
5.1. Internal Control Procedures

• Procedures can include:
– reviewing previous experience with the entity
– inquiries of management, supervisory and staff
personnel
– inspection of documents and records
– observation of the entity’s activities and operations
– transaction walk-through reviews to confirm
documented understanding.
5.2. Documenting the understanding
of the Internal Controls

7. Documenting the
understanding (continued)
Learning objectives
After studying this presentation, you should be able to:
6 explain why and how a preliminary assessment of control risk is made.
6. Preliminary assessment of
control risk
• Control risk is the risk that a material misstatement
could occur in an assertion, either individually or when
aggregated with other misstatements, and not be
prevented, detected, or corrected on a timely basis by
the entity’s internal control structure.

• Purpose of preliminary assessment:
– Assessment to obtain a reasonable expectation of controls in place and decide on an appropriate audit strategy, so as to design a detailed audit program.
6.1. Process of assessing control
risk
• Evaluating the effectiveness of the design and operation of
an entity’s internal controls in preventing or detecting
material misstatements in the financial statements.
• Steps:
1. Assess the control environment.
2. Assess the design effectiveness of control procedures and their
ability to prevent or correct misstatement.
3. Assess whether controls were effectively applied throughout
the period under audit.
• If control risk is assessed as less than high, the auditor must perform tests of controls to obtain evidence to support that level.
Learning objectives
After studying this presentation, you should be able to:
7 explain the importance of the concept of audit risk and its three components.
Audit risk
• Audit risk is the risk that the auditor gives an
inappropriate audit opinion when the financial
statement is materially misstated:
– In setting the acceptable audit risk, auditors seek an
appropriate balance between the costs of an incorrect
audit opinion and the costs of performing the
additional audit procedures necessary to reduce audit
risk.
Audit Risk Model
• Auditor sets AR (Acceptable)
– Sufficient and appropriate evidence
• Auditor assesses IR
– Risk assessment procedures
• Auditor assesses CR
– Procedures to understand internal controls
– Test of controls
• Auditor determines DR (Planned)
– Analytical procedures
– Test of details
Audit risk components

• Inherent risk (ISA NZ 200)
– The possibility that a material misstatement could occur in an assertion assuming there are no related controls.
– Auditors cannot change the actual level of inherent
risk.
Inherent Risk - Examples
• Non-routine transactions
• Estimates (e.g. FV)
• Judgement
• Complexity
• Rapid change
• State of the economy
• Prior period misstatements
• Susceptibility to fraud and theft
Audit risk components
• Control risk (ISA NZ 200)
– Risk that a material misstatement
could occur in an assertion and not
be prevented, detected, or corrected
by the entity’s internal control
structure
– Effective internal control structure
reduces control risk
Audit risk components
• Detection risk (ISA NZ 200)
– Risk that an auditor’s substantive procedures will not
detect any material misstatements that exist in an
assertion
– Depends on effectiveness of substantive procedures
(and so the amount of audit work)
Audit risk components

• Detection risk (ISA NZ 200)
– The level of detection risk is controllable by the auditor through:
• appropriate planning, direction, supervision and
review,
• variation in the nature, timing and extent of audit
procedures, and
• effective performance of the audit procedures and
evaluation of their results.
Examples of Detection Risk
• Poor audit planning, selection of wrong audit procedures on the part of the auditor.
• Poor interaction and engagement with the audit management by the auditor.
• Poor understanding of client’s business and
complexity of financial statements.
• Wrong selection of sample size.

Audit Risk
[Diagram: Source Document ($10,000) → Journals & Ledgers ($15,000) → Financial Statements ($15,000)]
• Error: Inherent risk (complex transaction)
• Controls: Detect & Prevent
• Misstatement
Example
• Business Risk: The risk that the entity will fail to achieve its objectives
• Audit Risk: The risk that auditors may give an inappropriate opinion on the financial statements
– Inherent Risk (IR): at the FS level; at the assertion level. Examples: Management need to attain a certain level of profitability. Unusual pressure on management. Susceptibility to misstatement or loss; Income smoothing.
– Control risk (CR). Examples: Collusion to circumvent controls; Management override.
– Detection Risk (DR): Materiality risk; Quality & control risk; Sampling risk. Examples: Auditor fails to set appropriate level for performance materiality. Auditor fails to collect sufficient appropriate audit evidence. Sample is not representative of the population.
7.2. The relationships among risk
components
• An auditor’s objective is to achieve an acceptably
low level of audit risk
• There is an inverse relationship between
inherent and control risks and the level of
detection risk that the auditor can accept
• Auditors,
– cannot control inherent risk (IR) and control risk (CR),
– can assess these risks and design substantive
procedures to produce an acceptable level of
detection risk
7.2.1. Non-quantified audit risk
model
• Auditors may use non-quantified expressions for risk:
– This is consistent with the quantified audit risk model, in
that the acceptable levels of detection risk are inversely
related to the assessments of inherent and control risks.
– If the assessments of control and inherent risks are both
high, then the acceptable level of detection risk will
generally have to be very low.
– Conversely, if control and inherent risks are both low, then
the acceptable level of detection risk can be high.
7.3. Acceptable detection risk matrix (1)

• If IR and CR are high = DR low (lots of testing required)
• If IR and CR are low = DR high (low risk of material misstatements)
• If IR is high and CR is low = DR medium (controls offset high IR)
• If IR is low and CR is high = DR medium (could be indicative of fraud)


Summary
• Audit risk assessment and financial statement
assertions
• Business risks in audit planning
• Audit risk procedures
• Internal control system and documentation
procedures
• Preliminary assessment of control risk
• Audit risk and its three components – IR, CR and DR
