F8 Lecture 6 Audit Risk

7/27/2019 F8 Lecture 6 Audit Risk

1/27

Audit and assurance

engagementsLecture 6 Audit Risk

Copyright myaccanotes.com -


2/27


3/27

Audit risk Take a look at this diagram!

Copyright myaccanotes.com - Founder & CEO: Muhammad Bilal Farooq

AbsoluteAssurance

Re

asonable

As

surance

Limited

Assurance

ZeroRisk

HighLevelofAssurance

Low

Levelof

Assurance

LowRisk

High

Risk


4/27


5/27

Audit riskStatutory audits provide users with a reasonable or high level of assurance

In order to achieve this objective the auditor must ensure that after he has

performed his audit he can say that he has reduced audit risk to a low level!

Only after an auditor has reduced audit risk to a low level can he provide users

with a high level of assurance!

Audit risk is defined as the risk that an auditor expresses in an inappropriate audit

opinion on the financial statements

This means that the auditor in his opinion is stating that the financial statements

are free from material misstatements when in actual fact they are not!

Dont worry about material misstatement we will study in this in detail in the

next lecture! Right now just consider it as a mistake in the FS



6/27

Audit risk

Inherentrisk Controlrisk Detectionrisk

Audit riskcomponents of audit risk



7/27

Audit risk:inherent risk (IR)Definition: the susceptibility of a class of transaction, account balance or disclosure to a

misstatement that could be material, either individually or in aggregate, before

consideration of related controls

Its easier to understand this definition by looking at a few examples:

Poor reputation of client management (i.e. have been investigated or penalized by regulatory bodies)

Complex organizational structure (i.e. a number of divisions & sub divisions) with accounting record

dispersed

Inexperienced management have failed to maintain proper books of account

Complex transactions or account balances which require a high degree of estimation

Client is exporting &/or importing & thus there are many foreign currency transactions

Client operates in a very dynamic industry (e.g. fashion or digital tech) Directors bonuses are linked to annual profits

Client intends to approach bank or investors in order to generate funds

Clients business is geographically dispersed with record maintained at each office

Clients business is of complex or specialized nature (e.g. pension provider) etc



8/27

Audit risk:Control risk (CR) Definition: the risk that a misstatement will not be prevented, detected & corrected on a

timely basis by the entities internal controls

Basically we are saying that the clients internal control system is ineffective or weak

An effective system of internal control would mean fewer fraud & errors in the books ofaccount & consequently in the financial statements & vice versa

Lets look at a few examples:

No passwords on computers

No anti virus software on computers

No backups maintained on computer

Inventory accessible by all

Inventory lying in open area & thus exposed to weather

Lack of supervision of junior staff

No CCTV cameras used etc



9/27

Audit risk:Detection risk (DR)Definition: the risk that procedures performed by the

auditor will not detect material misstatements either

individually or in aggregate

Lets look at a few examples:

Auditor performs inappropriate audit procedures

Auditor misinterprets the evidence he collects

Evidence collected is misleading

Auditor relies on management representations which turn out to

be false (this could be an intentional or an unintentional act from

management)



10/27

Audit risk:inherent risk (IR)



11/27

Audit risk:Sampling riskDefinition: sampling risk is the risk that the auditors conclusion based on a sample is

different from the conclusion that would be reached in the whole population were

tested

Example:

Suppose a bag contains 70 blue balls & 30 red balls

Total population size is 100 & break up is 70% blue & 30% red

Suppose the auditor reaches into the bag & pulls out 10 balls

Thus auditor is taking a sample comprising of 10 balls (which is 10% of the total population)

If 9 of these balls are red & 1 is blue (there is a chance!) then the auditor will conclude (based

on the sample collected) that 90% of the balls in the bag are red & only 10% are blue

Thus the auditor will make an incorrect assessment about the total population because the

sample he collected was unrepresentative of the total population

This is called a sample error

Whenever an assessment is made about a population using a sample (as opposed to studying the

entire population) then there will exist a sampling risk



12/27

Audit risk:non-sampling riskDefinition: non-sampling risk is the risk that the auditors

conclusion is inappropriate because of any reason other than

sampling error

Example:

Auditor performs inappropriate audit procedures

Auditor misinterprets the evidence he collects

Auditor relies on management representations which turn out to befalse (this could be an intentional or an unintentional act from

management)

Evidence collected is misleading sampling error/risk!



13/27

Audit risk:the relationship between IR & CR & DR AR = IR x CR x DR

Note that both IR & CR are not under the auditors control

The auditor merely assesses whether IR & CR are high, medium

or low

The auditor cannot reduce IR & CR from high to low they are

not under his control rather they are under the control of clientmanagement (to some extent)

However what is under the auditors control is DR!



14/27

Audit risk:the relationship between IR & CR & DR

If the auditor assess IR & CR as high then the auditor

must increase his audit procedures & gather sufficient

appropriate audit evidence to be able to reduce DR &

thus AR to low!

AR = IR x CR x DR

Low = High x High x Low

By increasing work performed & reducing DR to L the

auditor is able to achieve his objective of providing

reasonable assurance/reducing AR to low



15/27

Audit risk:the relationship between IR & CR & DR If the auditor assesses IR & CR as low then the auditor may reduce the work he performs

leaving DR as high & still achieve his objective of giving a reasonable level of

assurance/low AR!

AR= IR x CR x DR

Low = Low x Low x High

Essentially what we are saying is that if:

Clients management have integrity

Clients business is simple

Client have installed a robust internal control system

Then the auditors job is made easy!

The auditor can take advantage of the above & reduce the amount of work he performs &

still be able to collect sufficient appropriate audit evidence to provide a reasonable level

of assurance!

In the end how much work the auditor performs is a matter of professional judgment



16/27

Audit risk:audit approach In order for the auditor to decide

Just how much work he needs to perform

& which areas to focus on (i.e. spend more time & resources)

the auditor must first assess IR & CR

In this lecture we will focus on IR whereas CR will be

looked at in later lectures (youll understand why later!)

This is often referred to as a risk based approach to

auditing or risk based audit methodology



17/27

Audit risk:benefits of a risk based audit methodologyHelps focus time & resources on high risk areas in the FS & less on low risk areas in the FS (and

not vice versa)

A preliminary assessment of audit risk will help in developing an effective audit strategy & audit

plan (discussed in next lecture)

Assists in deciding size & composition of audit team (high risk audits require bigger teams withmore experienced members)

Assists in allocating staff (i.e. more experienced staff to the more high risk areas of the audit)

Audit firms are private sector profit making entities & they like others want to minimize costs in

order to maximize their profits (efficient audit)

thus audit firms dont want to spend more time than is necessary & will reduce work done by placing relianceon an entities internal control system if it is evaluated as strong/effective/robust!

Ultimately achieve their objective of providing reasonable assurance (an effective audit) & avoid

litigation or damage to reputation



18/27

Audit risk:how to assess IR ISAs require that auditors gain an understanding of the

entity & its environment in order to assess IR

Standards require auditors gain knowledge of:

1. Relevant industry, regulatory & other external factors

2. Nature of the entity & selection of accounting policies

3. Objectives & strategies & related business risks

4. Review of entities financial performance

5. Internal controls



19/27

Audit risk:relevant industry, regulatory & other external factors

Industry conditions:

Competitive environment

Suppliers & customers

Technological developments

Regulatory environment

Financial reporting framework

Political environment

Economic conditions



20/27

Audit risk:nature of the entityBusiness operations

Ownership

Corporate governance arrangements

Organizational structure Capital structure

Classes of transactions, account balances & disclosures

Related party transactions

Selection of accounting policies

Are they appropriate for its business &

Consistent with the applicable financial reporting framework &

Consistent with policies used in the industry



21/27

Audit risk:objectives & strategies & related business risks

Objectives

Strategies developed to achieve objectives

Business risks facing entity



22/27

Audit risk:review of entities financial performance

External performance measures

Analysts reports

Credit ratings agencies

Internal performance measures

Budgets

Segment or divisional information

Departmental performance

Benchmarking with industry competitors

This information:

May indicate pressure on management

May indicate unexpected results

May indicate unusual trends



23/27

Audit risk:internal control

We will look at this section in detail in later

lectures!



24/27

Audit risk:where does this information come from?



25/27

Audit risk: ir ISAs require auditors to perform the following procedures when assessing IR:

Enquiries with client management & staff including:

Those charged with governance

Internal audit personnel

Staff responsible for recording complex or unusual transactions

In-house legal counsel Staff responsible for marketing & business strategies

Perform analytical procedures

Discussed in next slide

Observation

Observation of entity activities & operations

Visit to entity premises & plant

Inspection

Inspection of documents (e.g. management reports, interim FS)

Tracing transactions through the IS



26/27

Audit risk:analytical procedures (AP)Definition: the evaluation of financial information through the analysis of plausible relationships

among both financial & non-financial data

Analytical procedures (or analytical review) involves making comparisons:

Example: comparing financial with non-financial data

Power bill with units produced or Units produced with cost of production

Example: comparing financial data with financial data

Sales & delivery costs, sales returns & warranty claims

Example: comparing client data & information with benchmarks

Budget & actual output or Industry growth rate & client sales increase

Example: comparing current with past trend

Current year sales growth with that of past 5 years

Example: comparing current with forecasts

Actual with that of management forecast



27/27

Audit risk:analytical procedures (AP)Definition: the evaluation of financial information through the analysis of

plausible relationships among both financial & non-financial data

Analytical procedures (also referred to as analytical review) can be used at:

Start of the audit: to assess IR & to develop audit plan

During the audit: as an audit procedure designed to gather audit evidence

End of audit: to review audit before forming opinion

ISAs however state that APs must be used at the planning & review stage of an

audit


Documents

F8 Lecture 6 Audit Risk