Chapter 4:

Risk
The importance of risk assessment
Objectives of an auditor:
To obtain reasonable assurance, the auditor shall obtain sufficient
appropriate evidence to reduce audit risk to an acceptably low level.

Audit risk is the risk that the auditor expresses an inappropriate audit
opinion.

The objective of the auditor is to identify and assess the risk of

material misstatement, whether due to fraud or error through
understanding the entity and its environment, including the entity's
internal control, thereby providing a basis for designing and
implementing responses to the assessed risks of material
misstatement.

The auditor must identify the risks of material misstatement; and use
this to guide the design of their audit procedures.
The importance of risk assessment
What is a misstatement?
A difference between the amount, classification, presentation, or
disclosure of a reported financial statement item and the amount,
classification, presentation, or disclosure that is required for the item
to be in accordance with the applicable financial reporting framework.
Misstatements can arise from error or fraud.
There are three categories of misstatements:
1. Factual misstatements: A misstatement about which there is no
doubt.
2. Judgemental misstatements: A difference in an accounting
estimate that the auditor considers unreasonable, or the selection
or application of accounting policies that the auditor considers
inappropriate.
3. Projected misstatements: A projected misstatement is the
auditor’s best estimate of the total misstatement in a population
through the projection of misstatements identified in a sample.
 Materiality
What is materiality?
Misstatements, including omissions, are considered to be material if
they, individually or in the aggregate, could reasonably be expected to
influence the economic decisions of users taken on the basis of the
financial statements.

What is the significance of materiality?

If financial statements contain material misstatement they cannot be
deemed to show a true and fair view.

As a result, the focus of an audit is identifying the significant risks of

material
misstatement in the financial statements and then designing procedur
es aimed at identifying and quantifying material misstatement.
 Materiality
How is materiality determined?
The determination of materiality is a matter of professional judgement
and that the auditor must consider:
• Whether the misstatement would affect the economic decision
of the users
• Both the size and nature of misstatements
• The information needs of the users as a group.

Materiality is a matter of professional judgement. But ISA does

recognize the need to establish a financial threshold to guide audit
planning and procedures. For this reason it does allow the use of
standard benchmarks.
Benchmarks include:
• ½ – 1% of revenue
• 5% – 10% of profit before tax
• 1 – 2% of total assets.
Materiality
 Materiality
Material by nature:
Materiality is not just a purely financial concern. Some items may be
material by nature i.e. the impact they have on the financial statement.
Examples of items which are material by nature or material by impact
include:
• Misstatements that, when adjusted, would turn a reported profit into
a loss for the year.
• Misstatements that, when adjusted, would turn a reported net­asset
position into a net­liability position
• Transactions with directors, e.g. salary and benefits, personal use of
assets, etc.
• Disclosures in the financial statements relating to possible future leg
al claims or going concern issues, for example, could influence user
s‘ decisions and may be purely narrative. In this case a numerical
calculation is not relevant.
 Materiality
Performance materiality:

The amount set by the auditor at less than materiality for the financial
statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial statements as a
whole.

• The auditor sets performance materiality at a value lower than

overall materiality, and uses this lower threshold when designing and
performing audit procedures.
• In using this lower threshold, the auditor is more likely to identify
misstatements.
• This reduces the risk that the auditor will fail to identify misstatement
s that are material when added together.
 Audit Risk
Audit risk is the risk that the auditor expresses an inappropriate audit
opinion, i.e. that the financial statements contain a material
misstatement.

Audit risk is made up of two components:

1. Risk of material misstatement and

2. Detection risk.

1. Risk of material misstatement:

Risk of material misstatement is the risk that the financial statements
are materially misstated prior to audit and consists of two components;

I. Inherent risk and

II. Control risk.
 Audit Risk
I. Inherent Risk:
Inherent risk is the susceptibility (Likelihood or prone to error) of a
class of transaction, account balance or disclosure to misstatement
that could be material, before consideration of any related controls.

Inherent risk is the risk of a material misstatement in the financial

statements because of the nature of the industry, entity or the natu
re of the item itself.

• Complex accounting treatment is an example of an inherent risk. F

or
example, where an accounting standard provides guidance on
a
specific accounting treatment this might not be understood by
the client and material misstatement could result.
• Transaction requiring estimates and judgements.
• Going concern validity.
 Audit Risk
II. Control Risk:
Control risk is the risk that a misstatement that could occur and that
could be material will not be prevented, or detected and corrected on
a timely basis by the entity's internal controls.
Examples:
• Lack of interest by management in financial reporting.
• Inadequate segregation of duties.
• Ineffective HR policies
• Lack of budgetary control
• Lack of internal audit function
• Absence of ethical code

2. Detection Risk:
Detection risk is the risk that the procedures performed by the
auditor to reduce audit risk to an acceptably low level will not detect a
Misstatement that exists and that could be material.
 Audit Risk
Detection risk comprises sampling risk and non­sampling risk:
• Sampling risk is the risk that the auditor's conclusion
based on a sample is different from the conclusion that
would be reached if the whole population were tested.
• Non­sampling risk is the risk that the auditor's conclusion
is inappropriate for any other reason, e.g. the application of
inappropriate
procedures or the failure to recognize misstatement
 Audit Risk
Auditor's Response:

The auditor must amend the audit approach in response to risk

assessment. They can achieve this by:
• Assigning more experienced staff to risk areas
• Increasing supervision levels
• Increasing the element of unpredictability in sample selection
• Changing the nature, timing and extent of procedures
• Increasing the emphasis on substantive tests of detail
• Emphasizing the need for professional scepticism.

Clearly this requires the audit team to have a good knowledge of how
the client’s activities are likely to affect its financial statements, and the
audit team should discuss these matters in a planning meeting before
deciding on the detailed approach and audit work to be used.
 Risk Assessment Procedures
ISA requires auditors to perform the following risk assessment
procedures:

1. Enquiries
2. Analytical procedures
3. Observation and inspection

Understanding the entity and its environment

In order to identify the risks of material misstatement in the financial

statements the auditor is required to obtain an understanding of:

• their clients;
• their clients' environments; and
• their clients' internal controls.
 Risk Assessment Procedures
This generally includes:

• Relevant industry, regulatory and other external factors (including t

he financial reporting framework).
• The nature of the entity, including:
• its operations
• its ownership and governance structures
• the types of investment it makes
• the way it is structured and financed

• The entity's selection and application of accounting policies

• The entity's objectives, strategies and related business risks
• The measurement and review of the entity's financial performance
• The internal controls relevant to the audit.
 Risk Assessment Procedures
1. Enquiries: Enquiries of management, of appropriate individuals
within the internal audit function, and of others within the entity
who in auditors judgement may have information that is likely to
assist in identifying risk of material misstatement due to fraud or
error.
• Enquiries directed towards those charged with governance.
• Enquiries of employees.
• Enquiries directed towards in-house legal council, marketing
or sales team, risk management personnel, and IT personnel.

2. Analytical procedures: Evaluations of financial information

through analysis of plausible relationships among both financial
and non­financial data and investigation of identified fluctuations,
inconsistent relationships or amounts that differ from expected
values.
 Risk Assessment Procedures
2. Analytical procedures (Continued…)

Analytical procedures are fundamental to the auditing process.

The auditor is required to perform analytical procedures as risk

assessment procedures in order to:
• Obtain an understanding of the entity and its environment
• Assist in assessing the risks of material misstatement in order to
provide a basis for designing and implementing responses to the
assessed risks
• Help identify the existence of unusual transactions or events, and
amounts, ratios, and trends that might indicate matters that have
audit implications
• Assist the auditor in identifying risks of material misstatement due
to fraud.
 Risk Assessment Procedures
2. Analytical procedures (Continued…)

Analytical procedures include comparisons of the entity’s financial

information with, for example:

• Comparable information for prior periods.

• Anticipated results of the entity, such as budgets or forecasts, or
expectations of the auditor, such as an estimation of depreciation
• Similar industry information, such as a comparison of the entity’s
ratio of sales to accounts receivable with industry averages or with
other entities of comparable size in the same industry.
 Risk Assessment Procedures
2. Analytical procedures (Continued…)

Analytical procedures also include consideration of relationships, for

example:
• Among elements of financial information that would be expected
to match to a predictable pattern based on the entity’s
experience, such as gross margin percentages.
• Between financial information and relevant non­financial
information, such as payroll costs to number of employees.

Computer assisted auditing techniques are now often used to perform

data analysis.
 Risk Assessment Procedures
2. Analytical procedures (Continued…)

Analytical procedures can be used at all stages of an audit.

However, ISA 315 Identifying and Assessing the Risks of Material

Misstatement through Understanding the Entity and Its Environment
requires the auditor to perform analytical procedures as risk
assessment procedures in order to help the auditor to obtain an
understanding of the entity and assess the risk of material
misstatement,.

The auditor must also use analytical procedures at the final review
stage, near the end of the audit, when forming an overall conclusion
as to whether the financial statements are consistent with the
auditor’s understanding of the entity.
 Risk Assessment Procedures
2. Analytical procedures (Continued…)
 Risk Assessment Procedures
2. Analytical procedures (Continued…)

Profitability Ratios:
Auditors would expect the relationships between costs and revenues
to stay relatively stable. Things that can affect these ratios include:
Changes in sales prices, bulk purchase discounts, economies of
scale, new marketing initiatives, changing energy costs, wage
Inflation.
Therefore, any unusual fluctuation in the profitability ratio could mean
that the figures are materially misstated. For example, if gross profit
margin improves, this could be caused by any or all of the following:
• Overstated revenue because of inappropriate revenue recognition
• Understated cost of sales because of incomplete recording of
purchases.
• Understated cost of sales because of overvaluation of closing
inventory
 Risk Assessment Procedures
2. Analytical procedures (Continued…)

Efficiency Ratios:
These ratios show how long, on average, companies take to collect
cash from customers and pay suppliers and how long they hold
inventory for. Companies should strive to reduce receivables and
inventory days to an acceptable level and increase payables days
because this strategy maximizes cash flow.

Any changes can indicate significant issues to the auditor, such as:
• Worsening credit control and increased need for receivables
allowance.
• Ageing and possible obsolete inventory that could be overvalued.
• Poor cash flow leading to going concern problems which would
require disclosure.
 Risk Assessment Procedures
2. Analytical procedures (Continued…)

Liquidity Ratios:
These ratios indicate how able a company is to meet its short term
debts. As a result these are key indicators when assessing going
Concern.

Investor Ratios:
Any change in gearing or ROCE could indicate a change in the
financing structure of the business or it could indicate changes in over
all performance of the business. These ratios are important for
identifying potentially material changes to the statement of financial
position (new/repaid loans or share issues) and for obtaining an
overall picture of the annual performance of the business.
 Risk Assessment Procedures
3. Observation and Inspection

Observation and inspection may support enquiries of management

and others, and may provide information about the entity and its
Environment.
Examples of such audit procedures include:

• The entity’s operations

• Documents (such as business plan and strategies), records and
internal control manuals.
• Reports prepared by management or those charged with
governance (such as quarterly management reports, interim
financial statements and board of directors’ meetings).
• The entity’s premises and plant facilities.