Chapter 6

Risk assessment

Audit risk Model

Audit risk is the risk that the auditor expresses an

inappropriate audit opinion , when the financial
statement are materially misstated.
i.e. that they give an unmodified audit opinion
when the financial statements contain a material
misstatement.
It has three components
1) Inherent risk
2) Control risk
3) Detection risk
Audit risk = Inherent risk * Control risk * Detection
risk

Audit risk components

Inherent risk
Inherent risk is the risk of a material misstatement in the
financial statements because of the nature of the industry,
entity or the nature of the item itself.(It has nothing to do
with control)
Control risk
is the risk that a misstatement that could occur and that
could be material will not be prevented, or detected and
corrected on a timely basis by the entity's internal controls.
Detection risk
is the risk that the procedures performed by the auditor to
reduce audit risk to an acceptably low level will not detect a
misstatement that exists and that could be material.

Sampling and non Sampling risk

Detection risk comprises sampling risk and non
sampling risk:
Sampling risk
Sampling risk is the risk that the auditor's conclusion
based on a sample is different from the conclusion that
would be reached if the whole population were tested.
In other words that means sample is not a true
representative of the population.
Non sampling risk
Non sampling risk is the risk that the auditor's
conclusion is inappropriate for any other reason, e.g.
the application of inappropriate procedures or the
failure to recognize a misstatement.

ISA 315

ISA 315 (Revised) Identifying and Assessing the Risks of

Material Misstatement Through Understanding the Entity and
its Environment which states :
The objective of the auditor is to identify and assess the risk
of material misstatement, whether due to fraud or error, at
the financial statement and assertion levels, through
understanding the entity and its environment, including the
entity's internal control , thereby providing a basis for
designing and implementing responses to the assessed risks
of material misstatement.
Why to understand
To identify and assess the risk of material misstatement in
financial statements
To enable the auditor design and perform further audit
procedures
For exercising judgment while setting materiality

What is a misstatement?
'A difference between the amount,
classification, presentation, or disclosure of a
reported financial statement item and the
amount, classification, presentation, or
disclosure that is required for the item to be
in accordance with the applicable financial
reporting framework. Misstatements can arise
from error or fraud.

Understanding the entity and its

environment (ISA 315)
What to understand
In order to identify the risks of material misstatement
in the financial statements the auditor is required to
obtain an understanding of: their clients their clients'
environments and their clients' internal controls. This
generally includes:
1. relevant industry, regulatory and other external
factors (including the financial reporting framework)
2. The nature of the entity, including:
its operations
its ownership and governance structures
the types of investment it makes
the way it is structured and financed

Understanding the entity and its

environment (ISA 315)
3. The entity's selection and application of
accounting policies
4. The entity's objectives, strategies and related
business risks
5. The measurement and review of the entity's
financial performance
6. The internal controls relevant to the audit.

Sources of information
The information used to obtain this understanding can
come from a wide range of sources, including:
Information from your firm
Partners , managers , last year audit team , last year
audit working file.
Information from external sources
Industries surveys , Companies house , internet , credit
reference agencies
Information from client
Observation , discussion , brochures
Information from you
Past experience

Risk assessment procedures

( How to understand )

Inquires from management

Observation and inspection
Analytical procedures (Question )
Prior period knowledge
Information from other engagements
undertaken for entity

Assess risk and identify significant risk

Assess risk what can go wrong at financial statement
and assertion level.
Significant risk
Those risks which require special attention .
1) Risk of fraud
2) Its relationship with recent development
3) Degree of subjectivity in financial information
4) It is an unusual transaction
5) The complexity of transaction
When auditor identifies risk he shall obtain an
understanding of entity control relevant to that risk.

Responses to assessed risk (ISA 330)

The auditor must amend the audit approach in
response to risk assessment.
They can achieve this by:
1) Assigning more experienced staff to risk areas
2) Increasing supervision levels
3) Increasing the element of unpredictability in sample
selection
4) Changing the nature, timing and extent of procedures
5) Increasing the emphasis on substantive tests of detail
6) Emphasizing the need for maintaining professional
scepticism.

ISA 320 (Materiality )

Misstatements, including omissions, are considered
to be material if they, individually or in the
aggregate, could reasonably be expected to
influence the economic decisions of users taken on
the basis of the financial statements
Or
An item is said to be material if its omission or
misstatement can effect the decision of users
financial statements.

What is the significance of materiality?

The auditor is responsible for providing 'an opinion
on whether the financial statements are prepared,
in all material respects, in accordance with an
applicable financial reporting framework.
If financial statements contain material
misstatement they cannot be deemed to show a
true and fair view.
At planning stage of an audit , auditors set an
acceptable materiality level to enable them to
detect material misstatement. Materiality will be
considered at the financial statement level and at
more specific transactions and balance level..

Setting materiality
The acceptable level will be calculated with
reference to figure available to them , ideally draft
accounts for the year or recent management
accounts, or if no such current figures are available ,
on budget figures.
The auditor also need to consider the cumulative
effect of immaterial error to see whether they are
material in total to the financial statements.

How is materiality determined?

The guidance in ISA 320 states that the determination
of materiality is a matter of professional judgment and
that the auditor must consider:
1) the circumstances surrounding the entity
2) both the size and nature of misstatements
3) the information needs of the users as a group.
It is a subjective and potentially complex process and
it is vital that materiality is considered in light of the
client's needs.
However, ISA 320 does recognize the need to establish
a financial threshold to guide audit planning and
procedures. For this reason it does allow the use of
standard benchmarks but only as a starting point. The
auditor must consider all of the factors listed above.

Traditional benchmark for materiality

Traditional benchmarks include:

1% of revenue
5% 10% of profit before tax
1 2% of Total assets.
Note that these benchmarks do not come from the auditing
standards.
Materiality is a matter of professional judgment. The above
are common benchmarks used, but different audit firms may
use different benchmarks or a firm may use different
thresholds for each client.
In addition, materiality is not just a purely financial concern.
Disclosures in the financial statements relating to possible
future legal claims, for example, could influence users'
decisions and may be purely narrative. In this case a
numerical calculation is not relevant.

Performance materiality

Materiality, as determined for the financial statements

as a whole, may not be the best guide in determining
the nature and extent of audit tests. For this reason,
ISAs introduce a further concept: performance
materiality.
Performance materiality:
The amount set by the auditor at less than materiality
for the financial statements as a whole to reduce to an
appropriately low level the probability that the
aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial
statements as a whole.
This reduces the risk that the auditor will fail to identify
misstatements that are material in combination.

ISA 240 (Auditor responsibility for fraud)

Fraud is an intentional act by one or more
individuals among management, those charged
with governance, employees or third parties,
involving the use of deception to obtain an illegal
advantage.
Fraud is a broad legal concept it is a criminal
activity. It is not the responsibility of the auditor to
prove whether fraud has actually occurred, that is
the role of the country's legal system. The auditor's
role is to determine whether there is a material
misstatement in the financial statements as a result
of fraud.

ISA 240 (Auditor responsibility for fraud)

Fraud can be split into two types:
Fraudulent financial reporting deliberately
misstating the accounts to make the company look
better/worse than it actually is.
Misappropriation of assets the theft of the
companys assets such as cash or inventory, Misuse of
company assets and payment made to fictitious
employees
The external auditor's responsibilities
The external auditor is responsible for obtaining
reasonable assurance that the financial statements,
taken as a whole, are free from material misstatement,
whether caused by fraud or error. Therefore, the
external auditor has some responsibility for considering
the risk of material misstatement due to fraud

ISA 240 (Auditor responsibility for fraud)

The external auditor's responsibilities
1) Maintain an attitude of professional scepticism. This
means that the auditor must recognize the possibility
that a material misstatement due to fraud could occur,
regardless of the auditor's prior experience of the
client's integrity and honesty.
2) Identify and assess the risks of material misstatement
due to fraud.
3) Identify, through enquiry, how management assesses
and responds to the risk of fraud.
4) Enquire of management, internal auditors and those
charged with governance if they are aware of any
actual or suspected fraudulent activity.

ISA 240 (Auditor responsibility for fraud)

Reporting the fraud

If the auditor identifies a fraud they must communicate the
matter on a timely basis to the appropriate level of
management (i.e. those with the primary responsibility for
prevention and detection of fraud).
If the suspected fraud involves management the auditor must
communicate the matter to those charged with governance. If
the auditor has doubts about the integrity of those charged
with governance they should seek legal advice regarding an
appropriate course of action.
In addition to these responsibilities the auditor must also
consider whether they have a responsibility to report the
occurrence of a suspicion to a party outside the entity. Whilst
the auditor does have an ethical duty to maintain
confidentiality, it is likely that any legal responsibility will take
precedence. In these circumstances it is advisable to seek
legal advice.

ISA 250 (Laws and regulation )

Under ISA 250 Consideration of Laws and Regulations

in an Audit of Financial Statements, management have
a responsibility to ensure that the operations of
Companies are conducted in accordance with the
provisions of laws and regulations. This includes
compliance with laws and regulations that determine
amounts and disclosures in financial statements,
including tax liabilities and charges.
Auditors are not responsible for preventing noncompliance with laws and regulations, and cannot be
expected to detect non-compliance with all laws and
regulations. They have a responsibility to obtain
reasonable assurance that the financial statements are
free from material misstatement, whether caused by
fraud or error.

ISA 250 (Laws and regulation )

Responsibilities of the auditor

Responsibility of auditor differs in relation to the two different
categories of laws and regulations identified below:
Laws and regulations which have a DIRECT effect on the
determination of material amounts and disclosures in financial
statements. Here the auditor is responsible for obtaining sufficient
appropriate audit evidence regarding compliance.
Laws and regulations which DO NOT HAVE A DIRECT EFFECT on
the determination of material amounts and disclosures in financial
statements, but may impact the entitys ability to continue to
trade. Here the auditors responsibility is limited to specified audit
procedures to help identify non-compliance with those laws and
regulations that may have a material effect on the financial
statements. This includes inquiring with management whether the
entity is in compliance with such laws and regulations, and
inspecting correspondence with relevant licensing or regulatory
authorities.

ISA 250 (Laws and regulation )

Auditor also has a responsibility to remain alert, by
maintaining professional scepticism, to the
possibility that other audit procedures may bring
instances of identified or suspected non-compliance
with laws and regulations.

ISA 250 (Laws and regulation )

Reporting of laws and regulation
1) As soon as practicable either communicate with those
charged with governance.
2) However if auditor suspects the senior management
including BOD , are involved , he should report to next
higher level of authority such as audit committee ,
supervisory board.
3) If this does not exists or auditor believe his report will
not be acted upon is unsure who to report to he
should consider legal advice.
4) In case of money laundering ,it might be appropriative
to report the matter directly to the relevant authority.

Question 1

Nepco is a European company that manufactures high quality

computer components and assembles computer parts. It has
existed for some years and is part of a vertical supply chain
for a well known brand of computer hardware. Profits are
coming under increasing pressure from manufacturers in the
Far East and Asia with lower labour costs, and from rising raw
material costs. Nepco is listed on a stock exchange. There is
pressure from institutional investors for better returns in the
form of dividends and the main institutional investors are
considering selling a proportion of their shares in the
company. The directors of Nepco are considering whether to
move into new market areas.
Nepco has good accounting and internal control systems.
Inventory is material to the accounts, and there is a good set
of permanent inventory records

Question 1

No yearend inventory count is conducted. Operational compliance

issues are important to Nepco as many countries have inflexible
quality standards and some projects are being held up because of
difficulties in obtaining approval from regulators for new
components. All staff and directors of Nepco are remunerated (at
least in part) on a performance related basis, some with share
options. Staff are generally highly qualified and well paid.
This is your first year as auditors. Your firm has very little
experience in this industry. External audit costs are tightly
controlled and your firm has agreed to a budget that will allow
very little flexibility.
Required
Describe the risks relating to Nepco under the headings of
inherent risk, control risk and detection risk.
In the light of the risks identified in (a) above, list the matters to
which you will pay particular attention during the audit of Nepco
and explain the work you will perform in relation to them.

Question 2

You are an audit senior responsible for understanding

the entity and its environment and assessing the risk of
material misstatements for the audit of Rock Co for the
year ending 31 December 2012. Rock Co is a company
listed on a stock exchange. Rock Co is engaged in the
wholesale import, manufacture and distribution of
basis cosmetics and toiletries for sale to a wide range of
stores, under a variety of different brand names. You
have worked on the audit of this client for several years
as an audit junior.
Required
Describe the information you will seek, and
procedures you will perform in order to understand
the entity and its environment and assess risk for the
audit of Rock Co for the year ending 31 December
2012.