SCHOOL OF BUSINESS, ECONOMICS AND

MANAGEMENT AFIN 318:AUDIT & ASSURANCE

SESSION 5: RISK
PRESENTED BY: Dr. Matthews C Hara
 Upon completion of this Session you will be
able to:
• Identify the objectives of the auditor;
• Describe the need to plan and perform
audits with professional scepticism, and to
exercise professional judgement;
• Explain the need to conduct audits in
accordance with ISAs;
• Explain the components of audit risk;
• Explain how auditors obtain an
understanding of the entity and its
environment; and
2 • Describe the risk assessment procedures.
 Professional Skeptiscism

Professional
Skeptiscism

Audit Risk

CONTROL INHERENT DETECTIO

RISK RISK N RISK

3
4
 How do you define Risk?
Defining and calculating risk is not as easy
we may think. Companies spend a lot of
time and money coming up with a
programme on how to calculate risk for
their organization.
Risk is defined as, “the chance or
probability that a person will be
harmed or experience an adverse
health effect if exposed to a hazard”.
It may also apply to situations with
property or equipment loss, or harmful
5 effects on the environment/circumstances.
  All what this really means is that we put tools
in place to help us to identify risks, assess
those risks, and then take action on the risk.
In finance risk refers to the degree of
uncertainty and/or potential financial
loss inherent in an investment
decision. In general, as investment risks
rise, investors seek higher returns to
compensate themselves for taking such
risks.

6
 Cause and Effect of risk
The components of risk usually manifest
themselves in two forms- Hazards or
Harms.
Hazards represent the potential source of
a harmful event (the cause).
Harms are the resulting damages to
products, persons or the environment (the
effect).
Risk is essentially cause and effect on a
defined scale. It's the scale in which we
mostly struggle.
7
 Risk

The overriding principle of auditing is

introduced in ISA 200 Overall Objectives
of the Independent Auditor and the
Conduct of an Audit in Accordance with
ISA's:
'To obtain reasonable assurance, the
auditor shall obtain sufficient appropriate
evidence to reduce audit risk to an
acceptably low level.....‘

8
 Evidence
Evidence should be sufficient, competent,
and relevant. It is sufficient if there is
enough of it to support the audit finding.
Evidence used to support a finding is
relevant if it has a logical, sensible
relationship to that finding. It is
competent if it is consistent with facts (AS
3.4.5 and 3.5.1).

9
 Audit Risk
Audit risk is the risk that the auditor
expresses an inappropriate audit
opinion.
This is further developed by ISA 315
Identifying and Assessing the Risks
of Material Misstatement Through
Understanding the Entity and its
Environment, which states:

10
 Audit Risk
'The objective of the auditor is to
identify and assess the risk of material
misstatement, whether due to fraud or
error, at the financial statement and
assertion levels, through understanding
the entity and its environment,
including the entity's internal control,
thereby providing a basis for designing
and implementing responses to the
assessed risks of material
misstatement.'
11
 Audit Risk
In short:
• the auditor identifies the risk of material
misstatement; and
• he uses this to guide the design of his audit
testing/procedures.
To assess the risk of material misstatement the
auditor has to understand what a
'misstatement is.
ISA 450 Evaluation of Misstatements
Identified During the Audit considers what a
misstatement is and deals with the auditor’s
responsibility in relation to misstatements.
12
 Audit Risk
A misstatement can arise in either through
inherent or control risks as below:
• Firstly the auditor assesses the unique
operating environment of the client. This
is the root cause of misstatement and is
often referred to as inherent risk.
• Secondly the auditor considers how the
client's control systems, particularly
financial ones, prevent and detect those
misstatements. This is referred to as
control risk.
13
 Audit Risk
A difference between the amount, classification,
presentation, or disclosure of a reported
financial statement item and the amount,
classification, presentation, or disclosure that is
required for the item to be in accordance with
the applicable financial reporting framework.
Misstatements can arise from error or fraud."
There are three categories of misstatements:
• (i) Factual misstatements.
• (ii)Judgemental misstatements.
• (iii)Projected misstatements.

14
 Factual misstatements
Factual misstatements
are misstatements about which there is no
doubt.
An example would be a clear breach of an
IFRS requirement meaning that the
financial statements are incorrect, for
instance if a necessary disclosure is
missing – for example, non-disclosure of
Earnings per share (EPS) for a listed
company.

15
 Judgemental Misstatements
Judgmental misstatements are
differences arising from the judgments of
management concerning accounting
estimates that the auditor considers
unreasonable, or the selection or
application of accounting policies that the
auditor considers inappropriate.
For example; use of inappropriate
depreciation rates,
judgements around capitalisation of
installation expenses and borrowing costs,
and;
16
judgement of impairment/revaluation
 Accounting estimates
 Examples of accounting estimates include
net realizable values of inventory and
accounts receivable, property and
casualty insurance loss reserves,
revenues from contracts accounted for by
the percentage-of-completion method, and
pension and warranty expenses.
 Or it can be said that an accounting estimate is
a measurement or recognition in the
financial statements of (or a decision to
not recognize) an account, disclosure,
transaction, or event that generally involves
subjective assumptions and measurement
17
uncertainty.
 Projected misstatement
A projected misstatement is when an
auditor estimates misstatements that are
likely to be found in a certain population.
The auditors base this on misstatements
they've found during other audits within
that population.

18
 Audit Risk
Error is caused either through
ignorance or carelessness omission as a
result of lack of commitment on the part
of the practitioner(accountant)

19
 Risk assessment as part of the
audit process
• Auditors are required to perform audits with
an attitude of 'professional scepticism'
This is defined as:
"An attitude that includes a
questioning mind, being alert to
conditions which may indicate possible
misstatement due to fraud or error,
and a critical assessment of audit
evidence
" (ISA 200 Overall Objectives of the
Independent Auditor and the Conduct of an
Audit in Accordance with International
20
Standards on Auditing).
 Risk assessment as part of the
audit process
 Having an enquiring mind in itself is
not sufficient to comply with a risk based
method of auditing.
 In order to fulfil this responsibility auditors
must also use professional judgement.
 This means the application of relevant
training, knowledge and experience in
making informed decisions about the courses
of action that are appropriate to the unique
circumstances of the audit engagement.

21
 Risk assessment as part of the
audit process
Therefore the use of a risk based approach
requires skill, knowledge, experience and
an inquisitive, open mind; something that is
neither gained quickly nor easily.

22
 Risk analysis
Risk analysis is an important stage of the audit.
 In conducting a thorough assessment of risk auditors
will be able to know the organisation’s risky areas.
 Although risk assessment is a fundamental element of
the planning process, it is important to understand that
risks can be uncovered at any stage of the audit and
are therefore not restricted to planning only.
 In this regard, procedures must be adapted in light
of revelations that indicate further risks of material
misstatement.
 It is, ultimately, the responsibility of the most senior
reviewer (usually the engagement partner) to
confirm that the risk of material misstatement has
been reduced to an acceptable level.

23
 Risk analysis
Risk analysis is an important stage of the
audit. In conducting a thorough assessment
of risk auditors will be able to:
Identify areas of the financial statements
where misstatements are likely to occur
early in the audit;
Plan procedures that address the
significant risk areas identified;
Carry out an efficient, focussed and
effective audit;
Minimise the risk of issuing an
24 inappropriate audit opinion to an
 Audit risk
Audit risk is the risk that the auditor
expresses an inappropriate audit
opinion, i.e. that they give an
unmodified audit opinion when the
financial statements contain a material
misstatement.

25
 Inherent risk

This is the susceptibility of a class of

transaction, account balance or
disclosure to a misstatement that could
be material, either individually or in
aggregate, before consideration of
related controls.
In other words this is the risk that a
misstatement occurs in the first
instance.

26
 Inherent risk

Inherent risk is often considered in

relation to business risk. These are the
risks resulting from conditions, events,
circumstances, actions or inactions that
could adversely affect an entity's ability
to achieve its business objectives and
goals.
Ultimately these business risks can lead
to complications and deficiencies in the
accounting process, which could lead to
fraud, error or omission.
27
 Inherent risk

this requires the audit team to have a

good knowledge of how the client’s
activities are likely to affect its financial
statements, and the audit team should
discuss these matters in a planning
meeting before deciding on the detailed
approach and audit work to be used.

28
 Inherent risk

Business risk is the possibility that a

company/business if you wish will have
lower than anticipated profits, or that it
will experience a loss rather than a
profit.
Business risk is influenced by numerous
factors, including sales volume, per-
unit price, input costs, competition,
overall economic climate and
government regulations.

29
 Inherent risk

 Clearly this requires the audit team to

have a good knowledge of how the client’s
activities are likely to affect its financial
statements, and the audit team should
discuss these matters in a planning
meeting before deciding on the detailed
approach and audit work to be used.
 As an auditor it is important to have an
understanding of calculating and interpreting
ratios
 It is equally important for an accountant to be
in control of these variables to continue being
30
in business.
 Inherent risk

Both the auditor and accountant should

understand the various business risks
and be able to correctly interpret them
against obtaining circumstances
Investor risk
Government regulation risk
Interest risk
Competition risk
Credit risk
Debtor risk among others

31
 Control risk

• This is the risk that a misstatement

will not be prevented, or detected
and corrected on a timely basis by
the entity's internal controls.
• This is either due to the internal
control system being insufficient in
the circumstances of the business or
because the controls have not been
applied effectively during the period.

32
 Detection risk

This is the risk that the procedures

performed by the auditor to reduce audit
risk to an acceptable level will not
detect potentially material
misstatements, either individually or in
aggregate.
Detection risk comprises sampling risk
and non sampling risk.

33
 Detection risk

• Sampling risk is the risk that the auditor's

conclusion based on a sample is different
from the conclusion that would be reached
if the whole population were tested (see
sampling in the audit evidence chapter).
• Non sampling risk is the risk that the
auditor's conclusion is inappropriate for any
other reason, e.g. the application of
inappropriate procedures or the failure to
recognise a misstatement.

34
 Understanding the Entity and its Environment

Auditors are required to obtain an understanding of:

their clients; their clients' environments; and their
clients' internal controls. This is often referred to as
Knowledge of the Business, or "KOB." This generally
includes:
(ISA 315 Identifying and Assessing the Risks of
Material Misstatement...)
The purpose of acquiring this knowledge is to
identify the risks that the business is exposed to
and, ultimately, how these could lead to a risk of
material misstatement in the financial statements.
• Relevant industry, regulatory and other external
factors (including the financial reporting framework);

35
 Understanding the Entity and its
Environment
The nature of the entity, including:
– its operations;
– its ownership and governance
structures;
– the types of investment it makes; and
– the way it is structured and financed.
• The entity's selection and application
of accounting policies;
• The entity's objectives, strategies and
related business risks;
36
 Understanding the Entity and its
Environment
The measurement and review of the
entity's financial performance; and
• The internal controls relevant to the
audit.
The information used to complete these
references can come from a wide range
of sources, including both internal &
external sources.

37
 Risk assessment procedures

ISA 315 requires auditors to perform the

following procedures to understand the entity
and its environment:
• Enquiries with management and others
within the client entity (e.g. about external and
internal changes the company has
experienced);
• Analytical procedures; and
• Observation (e.g. of control procedures)
and inspection (e.g. of key strategic
documents and procedural manuals).

38
 Analytical procedures

Analytical procedures are fundamental

to the auditing process and are used at
the planning, performance and review
stage of the audit. They are defined in ISA
520 Analytical Procedures as:
"The evaluation of financial
information through analysis of
plausible relationships among both
financial and nonfinancial data."

39
 For example: the disposal of significant land
and buildings.
In addition, analytical procedures are also used
to identify peculiar deviations (from either
prior year figures, budget or the auditor's
knowledge) that could indicate misstatement in
the reported figures.

40
 Analytical procedures

These must then be investigated during final audit

procedures.
For example; when conducting an analytical
review of a current audit client you notice that
turnover had increased by 20% in comparison
to last year but delivery costs have increased by
50%.
Normally you would expect costs to rise in line
with changes in activity but clearly delivery costs
have increased at a much higher rate. Possible
reasons for this variance may include and not
restricted to some of the following:

41
 Analytical procedures

• Increasing sales by attracting

customers from more distant
geographical locations;
• Reducing delivery waiting times by
making more frequent deliveries; or
• There is an error in either sales or
delivery costs.
The reason for the variance will be
investigated during the audit until a
satisfactory explanation is obtained.
42
 Analytical procedures

More recently, computer aided

auditing techniques (CAATs) have
been used to perform data analysis

43
 TEST
Explain the term ‘audit risk’.
Identify and explain the components of
audit risk.

44
 END
Next Session 6 Planning

45