
Post on 22-Jan-2018


Chapter 9

Audit Risk Assessment

Prepared by Dr Phil Saj


Learning objectives

1. Appreciate the importance of audit risk assessment and why it is linked to financial statement assertions.
2. Explain the importance of business risks in audit planning.
3. Describe the procedures performed by an auditor to assess risk.
4. Appreciate the importance of internal control to an entity and to its independent auditors.
5. Indicate the procedures for obtaining and documenting an understanding of the entity’s internal control.
6. Explain why and how a preliminary assessment of control risk is made.
7. Explain the importance of the concept of audit risk and its three components.

Management’s financial statement assertions

- Existence or occurrence: Assets or liabilities of the entity exist at a given date, and recorded transactions or events have occurred during the period.
- Completeness: Transactions, events and accounts that should be presented in the financial statement are included.
- Cut-off: All transactions, events and accounts have been recorded in the correct period.
- Rights and obligations: Assets represent rights of the entity and liabilities are the obligations of the entity at a given date.
- Valuation and allocation: Asset, liability, components have been included in the financial statements at the appropriate amounts.
- Accuracy: Transactions have been appropriately recorded in the proper accounts.
- Presentation and disclosure: Particular components of the financial statements are properly classified, described and disclosed.

Refer to the textbook Table 9.1, page 363, for illustrations of each of these assertions.

Business risk assessment

A business risk approach allows the auditor to:
- Identify threats faced by the organisation.
- Recognise that most business risks will eventually have an effect on the financial statements.
- Increase the chances of identifying risks of material misstatements in the financial reports.

Categories of business risk:
- Financial risk
- Operational risk
- Compliance risk

Risk assessment procedures

- Enquiries: Management, staff, internal auditors, company bankers, legal advisors.
- Analytical procedures: Provide a broad indication of the likelihood of possible errors.
- Observations and inspections: Inspection of manuals, visiting business premises, observing procedures taking place.

Importance of internal control

The Committee of Sponsoring Organisations (COSO) of the Treadway Commission defines internal control as:

a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Management responsibility

Management must establish and maintain the entity's control structure, which aids management by ensuring:
- irregularities are prevented or detected and corrected;
- assets are safeguarded;
- financial records are accurately reflected;
- adherence to management policies; and
- operational efficiency is promoted that prevents unnecessary duplication of effort.

Because of its inherent limitations, an internal control structure cannot be regarded as completely effective, regardless of the care taken in its design and implementation.

Auditor responsibility

ASA 315 para 12 states that:

The auditor shall obtain an understanding of internal control relevant to the audit

The auditor’s understanding of the internal control is then used to plan the audit and to determine the nature, timing and extent of tests to be performed.

The above has to be done in the context of the internal control structure as defined in ASA 315.

The internal control system

Five components:
- Control environment
- Risk assessment processes
- Information system
- Control activities
- Monitoring controls

(ASA 315 paragraph A58)

Control environment

Sets the tone of the entity towards control consciousness and includes:
- Enforcement of integrity and ethical values
  example: setting the ‘tone at the top’ of the entity by demonstrating integrity and ethical behaviour.
- Commitment to competence
  example: adequate knowledge and skills at every level in the entity
- Participation by those charged with governance
- Management’s philosophy and operating style
  example: approach to taking and monitoring business risks.
- Organisational structure
- Assignment of authority and responsibility
- Human resource policies and practices
  example: screening prospective employees.

Risk assessment

Risk assessment is the process used to identify, analyse and manage the relevant risks which may affect the achievement of the entity’s objectives, including the preparation of financial statements.

Key factors include, for example:
- changes in the operating environment
- new personnel
- new or revamped information systems
- rapid growth
- corporate restructuring
- expanded foreign operations

All of the key factors have inherent risks with potential adverse financial consequences.

Information systems and communication

Information systems consist of procedures and records established to:
- initiate, record, process and report an entity's transactions
- maintain accountability for the related assets, liabilities and equity

A major focus is that transactions are handled in such a way that financial statements are presented fairly in accordance with accounting standards.

Control activities

Control activities are policies and procedures that help ensure that management directives are carried out to address risks that threaten the achievement of entity objectives.

Control activities (examples include)

- Performance reviews
- Information processing controls
  example: general controls and application controls over input, processing and output in a computerised system.
- Physical controls
- Segregation of duties
  example: ensuring that individuals do not perform incompatible duties such as banking cash and performing bank reconciliations.

Information Processing Controls

- General controls (apply to systems as a whole):
  - Organisational controls
  - Systems development and maintenance controls
  - Access controls
  - Data and procedural controls
- Application controls (input, processing and output controls)
- Segregation of duties
- Physical controls
- Performance reviews

Monitoring

Monitoring is the process by which the entity monitors the quality of internal controls over time.

Involves assessing the design and operation of controls on a timely basis and taking the necessary corrective actions.

Ongoing monitoring activities could include:
- internal audit;
- continual management review of exception and operation reports; and
- review/response to customer complaints.

Limitations of control

- Cost versus benefits
- Management override
- Non-routine transactions
- Mistakes in judgment
- Collusion
- Breakdown
- Changes in conditions

Understanding internal control

Issues can include:
- Identifying the types of potential misstatements that may occur
  example: where to look for potential errors and fraud
- Understanding factors that affect the risk of material misstatement
  example: revenue recognition issues in some entities
- Designing further audit procedures
  example: assess adequacy of risk assessment procedures and plan tests of controls.
- Testing general and application controls in computerised systems.

Procedures to obtain an understanding

Procedures can include:
- reviewing previous experience with the entity being audited
- inquiries of management, supervisory and staff personnel
- inspection of documents and records
- observation of the entity’s activities and operations
- transaction walk-through reviews to confirm documented understanding

Documenting the understanding

- Internal Control Questionnaire (ICQ): Consists of a series of questions about accounting and control policies and procedures the auditor feels are necessary to prevent material misstatements in the financial statements.
- Flow chart: Is a schematic diagram that uses standardised symbols, interconnecting flow lines and annotations to portray the steps involved in processing information through the information system.
- Narrative memoranda: May be used to supplement other forms of documentation by summarising the auditor’s overall understanding of the information system or specific control policies or procedures.

Preliminary assessment of Control Risk

ASA 315 paragraph 25:

The auditor shall identify and assess the risks of material misstatement at the financial report level, and the assertion level for classes of transactions, account balances and disclosures.

Purpose of preliminary assessment

Assessment to obtain a reasonable understanding of controls in place and decide on an appropriate audit strategy, so as to design a detailed audit program.

Process of assessing control risk

- Use professional judgement to assess the control environment.
- Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements.
- Assess whether controls were effectively applied throughout the period under audit.

The audit risk model

Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statement is materially misstated.

In setting the desired audit risk, auditors seek an appropriate balance between the costs of an incorrect audit opinion and the costs of performing the additional audit procedures necessary to reduce audit risk.

Audit risk components

Inherent risk (ASA 200)

The possibility that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, assuming there are no related controls.

Inherent risk exists independently of the audit of financial statements and thus auditors cannot change the actual level of inherent risk.

As defined by auditing standards, inherent risk is confined to the risk of material misstatements.

Control risk (ASA 200)

Is the risk that a material misstatement could occur in an assertion, either individually or when aggregated with other misstatements, and not be prevented, detected, or corrected on a timely basis by the entity’s internal control structure.

Control risk is a function of the effectiveness of the internal control structure as good controls reduce risk.

Detection risk (ASA 200)

Is the risk that an auditor’s substantive procedures will not detect any material misstatements that exist in an assertion, either individually or when aggregated with other misstatements.

It is a function of the effectiveness of substantive procedures and their application by an auditor and thus is fundamental to the amount of audit work undertaken.

The level of detection risk is controllable by the auditor through:
- appropriate planning, direction, supervision and review
- variation in the nature, timing and extent of audit procedures
- effective performance of the audit procedures and evaluation of their results

The relationships among risk components

An auditor’s objective is to achieve an acceptably low level of audit risk, as is practicable.

Recognising the cost of performing audit procedures, there is an inverse relationship between the assessed levels of inherent and control risks and the level of detection risk that the auditor can accept.

Auditors, although unable to control inherent risk (IR) and control risk (CR), can assess these risks and design substantive procedures to produce an acceptable level of detection risk, thus reducing the audit risk to an acceptable level.

The audit risk model provides a framework for auditors to apply in responding to these assessed risks through their choice of audit procedures.

The audit risk model expresses the relationship between the components of audit risk (AR) as follows:

AR = IR × CR × DR

I.e. Audit risk = Inherent risk × Control risk × Detection risk

                          Auditor’s assessment of control risk
Auditor’s assessment
of inherent risk          High        Medium      Low
High                      Lowest      Lower       Medium
Medium                    Lower       Medium      Higher
Low                       Medium      Highest     Highest

Non-quantified audit risk model

Auditors may use non-quantified expressions for risk.

This is consistent with the quantified audit risk model, in that the acceptable levels of detection risk are inversely related to the assessments of inherent and control risks.

If the assessments of control and inherent risks are both high, then the acceptable level of detection risk will generally have to be very low.

That is, the risk that the auditor’s substantive procedures will not detect material misstatements will need to be low — which means more substantive testing by the auditor.

Conversely, if an auditor’s assessments of control and inherent risks are both low, then the acceptable level of detection risk can be high, i.e. the auditor’s substantive procedures can be reduced.
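Worked illustration of the inverse relationship, using the audit risk model AR = IR × CR × DR (added here, not part of the original slides; all percentages are constructed for illustration). Rearranging the model for the detection risk the auditor can accept:

DR = AR / (IR × CR)

With a desired audit risk of AR = 5%:

Case A, inherent and control risks assessed as high (IR = 100%, CR = 80%):
DR = 0.05 / (1.00 × 0.80) = 0.0625, i.e. about 6%

Case B, inherent and control risks assessed as low (IR = 50%, CR = 20%):
DR = 0.05 / (0.50 × 0.20) = 0.50, i.e. 50%

For the same desired audit risk, the acceptable detection risk in Case A is one eighth of that in Case B, so Case A calls for far more substantive testing.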