Lecture 6 Audit Risk.pdf

Full Transcript

AUDIT RISK

Audit Risk : Introduction
Relevant Audit Standards
The Components of Total Audit Risk
The Audit Risk Model
The Limitations of the Audit Risk Model
Audit Risk and Materiality Level
Classification of risk
AUDIT RISK

According to ISA 315 (revised) ,the auditor is required
to understand the entity and its environment,
including the internal control systems, to be able to
identify and assess the risk of material misstatements (
errors or mistakes that would have a significant impact
on the users of accounts) in the financial statements.
This process provides the basis for designing and
implementing responses to the assessed risks of
material misstatement.
AUDIT RISK

Audit risk can be looked at from :
Entity’s perspective
Auditor’s perspective ( ISA 315)

Audit is a CONTRACT- involves Two Parties- where there is Mutual
Responsibilities
AUDIT RISK
AUDIT ASSIGNMENT
INPUT ( Accounting and IC systems)( Mgt
Responsibilities -----PROCESS ( Audit procedures +
the Financial Statements)( Mutual commitments)--
--OUTPUT ( Audit Opinion)(Auditor
responsibilities)( Inappropriate Audit Opinion)
Inappropriate Audit opinion can only be minimised
when the appropriate and sufficient audit
procedures are performed.
AUDIT RISK
Audit risk is the risk that the auditor gives an inappropriate audit opinion
when the financial statements are materially misstated.
It is the risk that the financial statements contain material misstatements and
the audit procedures fail to detect them.
If this situation happens, the auditor will come to a wrong conclusion and an
invalid audit report will be issued.
Two scenarios may arise:

either, the auditor gives an unqualified audit report ( favourable
report)but subsequently material errors are found in the financial
statements.

or a qualified report( unfavourable report) is given but subsequently no
material errors are found.
IMPACT: AR would mislead users of Accounts/tarnish the reputation of the
Entity.
It is therefore vital that auditors perform the audit with due diligence,
otherwise they may be sued for negligence and damages.
AUDIT RISK
The audit risk should be reduced to an acceptable low
level at both the financial statements level and the
assertion levels.
At the financial statement level, all the figures
appearing in the financial statements could be true,
but overall, the financial statements could still not
show a true and fair view.
For example, going concern issues may be concealed
through window dressing. Misstatements at the
financial statement level are potentially more subtle
and require a higher level of skill to detect.
Audit Risk :Relevant Audit Standards
In order to minimize the audit risk, auditors are required to
understand the entity and its environment
develop audit procedures to detect risks
document the audit procedures for review (Advanced
Audit)

Relevant standards in respect to Audit Risk:

ISA 300 ‘Planning an audit of financial statements’
ISA 315 ‘Identifying and assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment’
ISA 330 ‘The Auditor’s Procedures in Response to Assessed Risk’
According to ISA 315:

‘The auditor is required to understand the entity and its
environment and to perform risk assessment procedures to provide
a basis for the identification and assessment of risks of material
misstatement at the financial statements and assertion(
assumptions/bases) levels.’
ISA 315:
The auditor is required to understand the following:

Relevant industry, regulatory, and other external factors including the applicable
financial reporting framework
The nature of the entity, including:
its operations, its ownership and governance structures
the types of investments that the entity is making and plans to make, including
investments in special-purpose entities
the way that the entity is structured and how it is financed

The entity’s selection and application of accounting policies, including the reasons
for changes thereto.
The auditor shall evaluate whether the entity’s accounting policies are
appropriate for its business and consistent with the applicable financial reporting
framework and accounting policies used in the relevant industry.
The entity’s objectives and strategies, and those related business risks that may
result in risks of material misstatement.
The measurement and review of the entity’s financial performance
ISA 315:

The risk assessment procedures include:
Inquiries of management and of others within the entity that in
the auditor’s judgment may have information that is likely to
assist in identifying risks of material misstatement due to fraud
or error.
Analytical procedures.
Observation and inspection.
ISA 330 The Auditor’s Procedures in Response to Assessed Risk

“The auditors are required to design and perform further audit
procedures whose nature, timing and extent are based on and are
responsive to the assessed risks of material misstatement at the
assertion level”(Final Audit)

Assessment of risk is not at the Planning Stage only….it is a
continuous process that affects the whole audit processes.
It applies at Interim Audit, Final Audit and Audit report.
Risk assessment procedures will vary from one stage to the
other depending on the nature of the audit.
ISA 330 The Auditor’s Procedures in Response to Assessed Risk
In designing the further audit procedures (substantive procedures)to be
performed, the auditor is required to consider:
the reasons for the assessment given to the risk of material misstatement at
the assertion level for each class of transactions(IS), account balances(BS)
and disclosures(Notes)
The likelihood of material misstatement due to the particular characteristics
of the relevant class of transactions, account balance, or disclosure( Nature
and Complexity of the Entity and its environment) (inherent risk)
Whether the risk assessment takes account of relevant controls (the control
risk).
The auditor is required to obtain audit evidence to determine whether the
controls are operating effectively (that is, the auditor intends to rely on the
operating effectiveness of controls in determining the nature, timing and
extent of substantive procedures ( detection risk)
Obtain more persuasive audit evidence the higher the auditor’s assessment
of risk ISA 500 Audit Evidence: Assertations ( Final audit)
THE RISK MODEL
The Components of Total Audit Risk

Audit risk is a function of two main components :
risks of material misstatement( Inherent Risk and Control Risk- Entity’s level)
detection risk.( Audit procedures-auditor’s level )
Risk of material misstatement is made up of two components, inherent
risk and control risk.
THE RISK MODEL
Inherent risk is the susceptibility of an assertion about a class of transaction,
account balance or disclosure to a misstatement that could be material, either
individually or when aggregated with other misstatements assuming that there
were no related internal controls.
Inherent risk arises mainly due to the nature and complexity of the business
operations and its environment.
Control risk is the risk that a misstatement which could occur in an assertion
about a class of transaction, account balance or disclosure and which could be
material, either individually or when aggregated with other misstatements, will
not be prevented, or detected and corrected, on a timely basis by the entity’s
internal control.
This implies that control risk would arise due to weaknesses in the internal controls and
accounting systems.
Detection risk is the risk that the procedures performed by the auditor to reduce
audit risk to an acceptably low level will not detect a misstatement which exists,
and which could be material, either individually or when aggregated with other
misstatements.
This implies that the audit procedures fail to detect material statements in the
FSs.
THE RISK MODEL

AR = IR x CR x DR , where
AR-Audit risk
IR- Inherent risk
CR- Control risk
DR- Detection risk
THE RISK MODEL

AR
is always determined by the audit firm/auditors
Is usually set at a level which is reasonable to and attainable by the
audit firm
In practice, the AR is usually set at 3-5%.
If the Audit Firm is willing to take an AR at 3% , this implies that AF
will take responsibility of 3% that the Audit report may not give the
appropriate opinion.
But at the same time , it implies that the AF is confident to give an
appropriate Audit Report at 97% - Confidence Level.
THE RISK MODEL

IR- nature and complexity of the entity and its environment
IR would be expressed in %
The higher the complexity , the higher will be the IR and vice
versa.
It implies that so long the business would be in operation the IR
will exist
IR can only be minimised if the entity stops its operations

CR- weaknesses in the IC and AS ( systemic)
CR would be expressed in %
The higher the weaknesses in IC and AS, the higher will be the CR.
THE RISK MODEL

DR is determined by the level AR, IR and CR
DR will be determined on the prevailing conditions in the
entity and its environment
DR= AR / (IR x CR)
If DR is high, AF will reject the Audit assignment, the
predetermined AR may not be achieved.
DR is low , this means that the present audit procedures will
be able to detect material misstatement in the FSs.
Essential component in the Risk Model = DR( from the auditor
point of view)
THE RISK MODEL

Essential component in the Risk Model = DR

The DR cannot be determined with accuracy prior to the start of
the audit.
DR- depends largely on the appropriateness and effectiveness
of the audit procedures.
It would be quite difficult to know whether the audit
procedures will be effective at the start of the audit.
And that’s why : the audit procedures will be amended as and
when required during the audit engagement--- minimise the DR
THE RISK MODEL

What would be the actions of the auditors if the DR is HIGH?
Auditors may reject the audit engagement because high risk factor.
Risk factor: IR is high or CR is high or both; impact on the AR which may
go beyond the threshold of 3-5 %.
Auditors may accept the audit engagement after discussions with
management to minimise the level of risk at the entity’s level such
that it impacts on a reduction in the DR and ultimately on AR.
This would imply that management would have to take some actions to
reduce the level of risk – IR and CR.
Which actions management would be more likely to take?
To minimise the CR instead of IR.
Generally speaking, it is management responsibility to design and
implemement of system of Accounting and Control which are
appropriate and effective.
 Classification of Risks
Explain how the classification of risks into categories such as ‘high’,
medium or ‘low’ helps entities to manage their businesses.
Risk classification helps management run their business
because it is part of the overall process of identifying and
assessing risks.
Risk can be on an individual level or on a strategic level and will
potentially affect all aspects of the business. As such it is an
essential part of business management.
Risk must be managed by the company and not the auditors.
Risk classification enables effective use of resources. Resources
can be directed towards dealing with high and medium risk
problems so that the benefits are maximized.
 Classification of Risk
Risk classification assists management in adopting the right
response to risk. For example, a low risk might be accepted. A
high or medium risk should be :
Reduced: by instituting a system of Internal Control
Transferred : by taking out insurance