Audit Risk Assessment , Chapter 9

1. Chapter 9
Audit Risk Assessment
Prepared by Dr Phil Saj
1

2. Learning objectives
1. Appreciate the importance of audit risk assessment and
why it is linked to financial statement assertions.
2. Explain the importance of business risks in audit
planning.
3. Describe the procedures performed by an auditor to
assess risk.
4. Appreciate the importance of internal control to an
entity and to its independent auditors.
2

3. Learning objectives
5. Indicate the procedures for obtaining and documenting
an understanding of the entity’s internal control.
6. Explain why and how a preliminary assessment of
control risk is made.
7. Explain the importance of the concept of audit risk and
its three components.
3

4. Management’s financial
statement assertions
Existence or occurrence
Assets or liabilities of the entity exist at a given date
and whether recorded transactions or events have
occurred during the period.
Completeness
Transactions, events and accounts that should be
presented in the financial statement are included.
Cut-off
All transactions, events and accounts have been
recorded in the correct period.
4

5. Management’s financial
statement assertions
Rights and obligations
Assets represent rights of the entity and liabilities
are the obligations of the entity at a given date.
Valuation and allocation
Asset, liability, components have been included in the
financial statements at the appropriate amounts.
Accuracy
Transactions have been appropriately recorded
in the proper accounts.
5

6. Management’s financial
statement assertions
Presentation and disclosure
Particular components of the financial statements are
properly classified, described and disclosed.
Refer to the textbook Table 9.1, page 363, for
illustrations of each of these assertions.
6

7. Business risk assessment
A business risk approach allows the auditor to:
Identify threats faced by the organisation.
Recognises that most business risks will eventually
have an effect on the financial statements.
Increase the chances of identifying risks of material
misstatements in the financial reports
Categories of business risk:
Financial risk
Operational risk
Compliance risk
7

8. Risk assessment procedures
Enquiries
Management, staff, internal auditors, company bankers,
legal advisors.
Analytical procedures
Provide a broad indication of the likelihood of possible
errors.
Observations and inspections
Inspection of manuals, visiting business premises,
observing procedures taking place.
8

9. Importance of internal control
The Committee of Sponsoring Organisations (COSO) of
the Treadway Commission defines internal control as:
a process, effected by an entity’s board of directors,
management and other personnel, designed to
provide reasonable assurance regarding the
achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
9

10. Management responsibility
Management must establish and maintain the entity's control
structure, which aids management by ensuring:
irregularities are prevented or detected and corrected;
assets are safeguarded;
financial records are accurately reflected;
adherence to management policies;
operational efficiency is promoted that prevents; and
unnecessary duplication of effort.
Because of its inherent limitations, an internal control
structure cannot be regarded as completely effective,
regardless of the care taken in its design and implementation.
10

11. Auditor responsibility
ASA 315 para 12 states that:
The auditor shall obtain an understanding of
internal control relevant to the audit
The auditor’s understanding of the internal control is
then used to plan the audit and to determine the nature,
timing and extent of tests to be performed.
The above has to be done in the context of the internal
control structure as defined in ASA 315.
11

12. The internal control system
Five components:
Control environment
Risk assessment processes
Information system
Control activities
Monitoring controls
(ASA 315 paragraph A58)
12

13. Control environment
Sets the tone of the entity towards control
consciousness and includes:
Enforcement of integrity and ethical values
example: setting the ‘tone at the top’ of the
entity by demonstrating integrity
and ethical behaviour.
Commitment to competence
example: adequate knowledge and skills at
every level in the entity
13

14. Control environment
Participation by those charged with governance
Management’s philosophy and operating style
example: approach to taking and monitoring
business risks.
Organisational structure
Assignment of authority and responsibility
Human resource policies and practices
example: screening prospective employees.
14

15. Risk assessment
Risk assessment is the process used to
identify, analyse and manage the relevant risks
which may affect the achievement of the
entity’s objectives, including the preparation of
financial statements.
15

16. Risk assessment
Key factors include for example:
changes in the operating environment
new personnel
new or revamped information systems
rapid growth
corporate restructuring
expanded foreign operations
All of the key factors have inherent risks with
potential adverse financial consequences.
16

17. Information systems and
communication
Information systems consist of procedures
and records established to:
initiate, record, process and report an
entity's transactions
maintain accountability for the related
assets, liabilities and equity
A major focus is that transactions are handled
in such a way that financial statements are
presented fairly in accordance with accounting
standards.
17

18. Control activities
Control activities are policies and procedures
that help ensure that management directives
are carried out to address risks that threaten
the achievement of entity objectives.
18

19. Control activities
(examples include)
Performance reviews
Information processing controls
example: general controls and application controls over
input, processing and output in a
computerised system.
Physical controls
Segregation of duties
example: ensuring that individuals do not perform
incompatible duties such as banking cash and
performing bank reconciliations.
19

20. Information Processing Controls
General controls (apply to systems as a whole):
Organisational controls
Systems development and maintenance controls
Access controls
Data and procedural controls
Application controls (input, processing and output
controls)
Segregation of duties
Physical controls
Performance reviews
20

21. Monitoring
Monitoring is the process by which the entity monitors t
he quality of internal controls over time
Involves assessing the design and operation of controls
on a timely basis and taking the necessary corrective
actions
Ongoing monitoring activities could include:
internal audit;
continual management review of exception and
operation reports; and
review/response to customer complaints.
21

22. Limitations of control
Cost versus benefits
Management override
Non-routine transactions
Mistakes in judgment
Collusion
Breakdown
Changes in conditions
22

23. Understanding internal control
Issues can include:
Identifying the types of potential misstatements that may occur
example: where to look for potential errors and fraud
Understanding factors that affect the risk of material
misstatement
example: revenue recognition issues in some entities
Designing further audit procedures
example: assess adequacy of risk assessment
procedures and plan tests of controls.
Testing general and application controls in computerised
systems.
23

24. Procedures to obtain an
understanding
Procedures can include:
reviewing previous experience with the entity being
audited
inquiries of management, supervisory and staff personnel
inspection of documents and records
observation of the entity’s activities and operations
transaction walk-through reviews to confirm documented
understanding
24

25. Documenting the understanding
Internal Control Questionnaire (ICQ)
Consists of a series of questions about accounting and
control policies and procedures the auditor feels are
necessary to prevent material misstatements in the
financial statements.
Flow chart
Is a schematic diagram that uses standardised
symbols, interconnecting flow lines and annotations to
portray the steps involved in processing information
through the information system.
25

26. Documenting the understanding
Narrative memoranda
May be used to supplement other forms of
documentation by summarising the auditor’s overall
understanding of the information system or specific
control policies or procedures.
26

27. Preliminary assessment of
Control Risk
ASA 315 paragraph 25:
The auditor shall identify and assess the risks of
material misstatement at the financial report level, and
the assertion level for classes of transactions, account
balances and disclosures.
Purpose of preliminary assessment
Assessment to obtain a reasonable understanding of
controls in place decide on appropriate audit strategy
so as to design a detailed audit program.
27

28. Process of assessing control risk
Use professional judgement to assess the control
environment.
Assess the design effectiveness of control procedures
and their ability to prevent or correct misstatements.
Assess whether controls were effectively applied
throughout the period under audit.
28

29. The audit risk model
Audit risk is the risk that the auditor gives an
inappropriate audit opinion when the financial
statement is materially misstated.
In setting the desired audit risk, auditors seek an
appropriate balance between the costs of an
incorrect audit opinion and the costs of performing
the additional audit procedures necessary to reduce
audit risk.
29

30. Audit risk components
Inherent risk (ASA 200)
The possibility that a material misstatement could
occur in an assertion, either individually or when
aggregated with other misstatements, assuming there
are no related controls.
Inherent risk exists independently of the audit of
financial statements and thus auditors cannot change
the actual level of inherent risk.
As defined by auditing standards, inherent risk is
confined to the risk of material misstatements.
30

31. Audit risk components
Control risk (ASA 200)
Is the risk that a material misstatement could occur in
an assertion, either individually or when aggregated
with other misstatements, and not be prevented,
detected, or corrected on a timely basis by the entity’s
internal control structure?
Control risk is a function of the effectiveness of the
internal control structure as good controls reduce risk.
31

32. Audit risk components
Detection risk (ASA 200)
Is the risk that an auditor’s substantive procedures will not
detect any material misstatements that exist in an assertion,
either individually or when aggregated with other misstatements.
It is a function of the effectiveness of substantive procedures
and their application by an auditor and thus is fundamental to
the amount of audit work undertaken.
The level of detection risk is controllable by the auditor through:
appropriate planning, direction, supervision and review
variation in the nature, timing and extent of audit procedures
effective performance of the audit procedures and evaluation
of their results
32

33. The relationships among risk
components
An auditor’s objective is to achieve an acceptably low level
of audit risk, as is practicable.
Recognising the cost of performing audit procedures, there
is an inverse relationship between the assessed levels of
inherent and control risks and the level of detection risk
that the auditor can accept
Auditors, although unable to control inherent risk (IR) and
control risk (CR), can assess these risks and design
substantive procedures to produce an acceptable level of
detection risk, thus reducing the audit risk to an acceptable
level.
33

34. The relationships among risk
components
The audit risk model provides a framework for auditors to
apply in responding to these assessed risks through their
choice of audit procedures.
The audit risk model expresses the relationship between
the components audit risk (AR) as follows:
AR = IR  CR  DR
I.e. Audit risk = Inherent risk  Control risk  Detection risk
34

35. The relationships among risk
components
Auditor’s Assessment of
Control Risk
High Medium Low
Auditor’s
Assessment
of
Inherent
Risk
High Lowest Lower Medium
Medium Lower Medium Higher
Low Medium Highest Highest
35

36. Non-quantified audit risk model
Auditors may use non-quantified expressions for risk.
This is consistent with the quantified audit risk model, in that
the acceptable levels of detection risk are inversely related
to the assessments of inherent and control risks.
If the assessments of control and inherent risks are both
high, then the acceptable level of detection risk will generally
have to be very low.
36

37. Non-quantified audit risk model
That is, the risk that the auditor’s substantive procedures will
not detect material misstatements will need to be low —
which means more substantive testing by the auditor
Conversely, if an auditor’s assessment of control and
inherent risks are both low, then the acceptable level of
detection risk can be high, i.e. the auditor’s substantive
procedures can be reduced.
37