Topic 6

RISK ASSESSMENT

ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing

Overall objectives

When conducting an audit of financial statements, the overall objectives of the auditor are:

• To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and
• To report on the financial statements, and communicate as required by the ISAs, in accordance with the auditor’s findings.

In order to do this, the auditor should plan and perform the audit with professional scepticism and apply professional judgement.

Professional scepticism

Professional scepticism: “an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence”.

Auditors must plan and perform an audit with an attitude of professional scepticism, recognising that circumstances may exist that cause the financial statements to be materially misstated.

The auditor should be alert to (ISA 200: para. …):

• Audit evidence that contradicts other audit evidence
• Circumstances that suggest additional audit procedures are needed in addition to those per ISAs
• Conditions that may indicate possible …
• Information that brings into question the reliability of documents and responses to …
Professional judgement

Professional judgement is the application of relevant training, knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.

ISA 200 also requires the auditor to exercise professional judgement in planning and performing

an audit of financial statements (ISA 200: para. 16). Professional judgement is required in the

following areas:

• Determining the level of audit risk and setting materiality

• Determining the nature, timing and extent of audit procedures to be performed

• Evaluating whether sufficient appropriate audit evidence has been obtained

• Evaluating management’s judgements in applying the applicable financial reporting framework

• Drawing conclusions based on the audit evidence obtained

Risk-based approach to audit

The ISAs require auditors to adopt a risk-based approach to auditing. This means the
auditor must:

• Analyse the risk in the client’s business, transactions and systems that could lead to

material misstatement in the financial statements

• Direct audit testing to risky areas

Audit risk

Audit risk: the risk that the auditor expresses an inappropriate audit opinion when the financial

statements are materially misstated

In order to obtain reasonable assurance that the financial statements are free from

material misstatement, the auditor shall obtain sufficient appropriate audit evidence to

reduce audit risk to an acceptably low level and thereby enable the auditor to draw

reasonable conclusions on which to base the auditor’s opinion.

Audit risk has two major components:

(a) One is dependent on the entity and is the risk of material misstatement

arising in the financial statements (inherent risk and control risk)

(b) The other is dependent on the auditor and is the risk that the auditor will not detect

material misstatements in the financial statements (detection risk)

Audit risk can be represented by the audit risk model:

Audit risk = Inherent risk × Control risk × Detection risk

Detection risk comprises sampling risk and non-sampling risk.

Inherent risk

Inherent risk: the susceptibility of an assertion about a class of transaction, account balance or

disclosure to a misstatement that could be material either individually or when aggregated with other

misstatements, before consideration of any related internal controls

Inherent risk is affected by the nature of the entity. For example:

• The industry in which the audit client operates

• Any regulations it is subject to

• Whether its financial statements:

- Include complex calculations

- Are subject to complex accounting standards

- Include amounts derived from accounting estimates rather than routine, factual data

Control risk

Control risk: the risk that a material misstatement that could occur in an assertion about a class

of transaction, account balance or disclosure and that could be material, individually or when

aggregated with other misstatements, will not be prevented or detected and corrected on a timely

basis by the entity’s internal control

Some control risk will always exist because of the inherent limitations of internal

control, for example human error.


Detection risk

Detection risk: the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements

Detection risk is sub-divided into two components: sampling risk and non-sampling risk.

Sampling risk relates to the fact that the auditor does not, and cannot, examine all available

evidence and only performs audit procedures on a sample of items. There is, therefore, always a

risk that the conclusion the auditor draws based on the sample they have tested is not appropriate

for the population as a whole.

Non-sampling risk, however, describes the risk that the auditor’s procedures do not detect material misstatement due to factors other than the sample tested.

Factors which increase non-sampling risk include:

• Auditor’s lack of experience

• Time pressure

• Financial constraints

• Poor planning

• New client

• Lack of industry knowledge

ISA 320 Materiality in Planning and Performing an Audit

Definition

Material: Information is material if its omission or misstatement could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

There are two aspects to materiality:

• Quantitative materiality
• Qualitative materiality

The materiality level set by the auditor will always be a matter of judgement and will

depend on the level of audit risk. The higher the anticipated level of audit risk, the lower

the value of materiality will be.

The materiality level set has a critical impact on several key areas:

• The nature, timing and extent of audit procedures performed. The lower the

materiality level is set, the more work will need to be performed to ensure audit risk is

kept at an acceptably low level.

• Whether to use sampling techniques

• The evaluation of the effect of misstatements in terms of:

- Whether to seek adjustments to the financial statements; or

- The degree of any auditor’s report modification.


The calculation of materiality

During audit planning, the auditor establishes materiality for the financial statements as a whole

by exercising judgment.

The following benchmarks and percentages may be appropriate in the calculation of materiality

for the financial statements as a whole:

Value                 Percentage (%)
Revenue               1/2 to 1
Total assets          1 to 2
Profit before tax     5 to 10

Formula to learn

Performance materiality

Performance materiality: “the amount or amounts set by the auditor at less than materiality for the

financial statements as a whole to reduce to an appropriately low level the probability that the

aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements

as a whole”.

It also refers to “the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures”.

Determining performance materiality involves the auditor’s professional judgment. It is

affected by their understanding of the entity and the results of risk assessment procedures. It can

be qualitative and quantitative.


For example, if there are particular account balances that could reasonably be expected to significantly influence the decisions of users (for example, revenue for the year) then the auditors may decide to use performance materiality when performing their audit procedures.

Revising materiality as the audit progresses

Materiality may need to be revised due to events that occur during the audit, new information, or a

change in the auditor’s understanding of the entity and its operations as a result of performing

further audit procedures.

In evaluating whether the financial statements give a true and fair view, the auditor should assess the

materiality of the aggregate of uncorrected misstatements. This is normally documented on a

schedule of unadjusted differences.

Documentation of materiality

ISA 320 requires the following to be documented:

• Materiality for the financial statements as a whole

• Materiality level or levels for particular classes of transactions, account balances or

disclosures if applicable

• Performance materiality

• Any revision of the above as the audit progressed

Understanding the entity and its environment

Objective

ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through

Understanding the Entity and its Environment states that the objective of the auditor is to:

Identify and assess the risks of material misstatement, whether due to fraud or error, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement (ISA 315 (Revised)).


Requirements

Obtaining an understanding of the entity and its environment

Why?

• To identify and assess the risks of material misstatement in the financial statements
• To enable the auditor to design and perform further audit procedures
• To provide a frame of reference for exercising audit judgment, for example, when setting audit materiality

(ISA 315 (Revised): para. A1)

What?

• Industry, regulatory and other external factors, including the applicable financial reporting framework.
  - Examples include: markets and competition; product technology; accounting principles; tax and legislation; interest rates and inflation.
• Nature of the entity
  - Examples include: operations (revenue sources, locations and key customers/suppliers); ownership and governance; investments; structure and financing.
• Entity’s selection and application of accounting policies
• Objectives and strategies and related business risks that might cause material misstatement in the financial statements.
  - Examples include: new products/services; expansion plans and use of IT.
• Measurement and review of the entity’s financial performance
  - Examples include: trends; ratios; KPIs; budgets and forecasts.
• Internal control (which is covered in Chapter 9)

(ISA 315 (Revised): paras. 11–12)

How?

• Enquiries of management, appropriate individuals within the internal audit function and others within the entity
• Analytical procedures
• Observation and inspection
• Prior period knowledge and the permanent audit file
• Client acceptance or continuance process
• Discussion by the audit team of the susceptibility of the financial statements to material misstatement
• Information from other engagements undertaken for the entity
• Information from the client’s website and publications/websites related to the client’s industry

(ISA 315 (Revised): paras. 6–10)


The following diagram summarises the factors the auditor should consider when

obtaining an understanding of the entity and its environment:

[Diagram: Understanding the entity and its environment, with branches for industry, regulatory and other external factors; nature of the entity; objectives and strategies and related business risks; selection and application of accounting policies; financial performance; and internal control.]

As mentioned above, ISA 315 (Revised) requires auditors to perform the following

procedures to obtain an understanding of the entity and its environment, including

its internal control:

• Enquiries of management and others within the entity

• Analytical procedures

• Observation and inspection


ISA 520 Analytical Procedures

Analytical procedures mean the analysis of relationships to identify inconsistencies and

unexpected relationships.

The auditor should apply analytical procedures as risk assessment procedures and in the overall

review at the end of the audit.

They can also be used as a source of substantive audit evidence when their use is more effective

or efficient than tests of details in reducing detection risk for specific financial statement

assertions.

Analytical procedures include the following types of comparisons:

(a) Prior periods

(b) Budgets and forecasts

(c) Industry information

(d) Predictive estimates ie expectations

(e) Relationships between elements of financial information, ie ratio analysis

(f) Relationships between financial and non-financial information, eg payroll

costs to the number of employees

The auditor must apply analytical procedures as risk assessment procedures to obtain an

understanding of the entity and its environment.

Application of analytical procedures may indicate aspects of the entity of which the auditor was

unaware and will assist in assessing the risks of material misstatement in order to determine the

nature, timing and extent of further audit procedures.

Common ratios for use in analytical procedures include:

Profitability ratios

Return on capital employed (ROCE) = Profit before interest and tax (PBIT) / (Share capital + reserves + Non-current liabilities)

Net profit margin = PBIT / Revenue

Asset turnover = Revenue / (Share capital + reserves + Non-current liabilities)

Gross profit margin = Gross profit / Revenue

Liquidity ratios

Current ratio = Current assets / Current liabilities

Quick ratio (acid test) = (Current assets - Inventories) / Current liabilities

Inventory holding period = (Inventories / Cost of sales) × 365 days

Receivables collection period = (Trade receivables / Credit sales) × 365 days

Payables payment period = (Trade payables / Credit purchases) × 365 days

Gearing

Debt/equity = Interest bearing debt / Share capital and reserves

Interest cover = PBIT / Finance costs

Assessing the risks of material misstatement

Once the auditor has obtained an understanding of the entity and its environment,

they shall assess the risks of material misstatement in the financial statements and

identify significant risks.

Significant risks

Significant risks: those that require special audit consideration

As part of the risk assessment, the auditor shall determine whether any of the risks are significant

risks.

The following factors indicate that a risk might be significant:

• Risk of fraud

• Its relationship with recent economic, accounting or other developments

• The degree of subjectivity in the financial information

• It is an unusual transaction

• It is a significant transaction with a related party

• The complexity of the transaction (ISA 315)


Routine, non-complex transactions are less likely to give rise to significant risks as client

staff are likely to be more used to processing these transactions and such transactions are

likely to be subject to robust internal controls.

Unusual and complex transactions and matters where judgment is required are

more likely therefore to pose significant risk.

Response to audit risk

The auditor should obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks (ISA 330: para. 3).

In the exam you are likely to be asked to explain the auditor’s response to each audit risk

you have identified in the scenario. Here you are not required to write out specific audit

procedures, rather you need to explain:

• the types of enquiries the auditor should make (and of whom)

• the information/documentation they would require

• the correspondence they should review

• the impact on the level of materiality

• the type of testing they should perform

• the calculations they would do/re-perform

• the assets they should inspect

The best way to be able to explain the auditor’s response to identified audit risks is to practise past exam questions and build your confidence at explaining the auditor’s response. This is because the best response to each risk will depend on the particular circumstances of the audit client and the environment in which it operates.

To help you with this, we have considered some examples of audit risks along with an

appropriate response to each risk. Note however, that you should not simply learn a list
of responses.

Audit risk: Risk that inventory has a lower net realisable value than cost and is therefore overstated (eg NRV falls due to the client being in an industry where tastes/fashions change quickly).

Auditor’s response:
• Examine the instructions to identify slow moving inventory lines when attending the inventory count.
• Increase the emphasis on reviewing the year end aged inventory analysis for evidence of slow-moving inventory.
• Ascertain sales values for items sold post year end that were in inventory at the year end to ensure their NRV was higher than the cost recorded as part of the inventory value in the financial statements.

Audit risk: Assets are desirable / more susceptible to theft leading to a risk that recorded assets do not exist (eg inventory/non-current assets).

Auditor’s response:
• Focus on testing internal controls over those assets (including physical controls to prevent theft).
• Increase sample sizes for inspecting recorded assets, ensuring any material assets are verified (in the context of performance materiality).

Audit risk: Increased risk of revenue expenditure being incorrectly classified as capital (or vice versa), leading to misstatement of assets/expenses (eg extensive refurbishment of non-current assets where judgement is needed to establish whether the nature of the work is to enhance the asset or repair/replace it).

Auditor’s response:
• Obtain a breakdown of related costs and review accounting entries against invoices/details of work done to ensure expenditure is correctly treated as capital/revenue.
• Perform a detailed review of repairs accounts for any items which should be included in non-current assets.
• Review the asset register to ensure only capital items have been included.

Audit risk: Increased risk of incomplete or unrecorded income due to fraud or theft (eg large amounts of cash collected and held prior to banking).

Auditor’s response:
• Perform analytical procedures focusing on comparing revenue with expected seasonal/monthly patterns.
• If a retail client, perform/reperform a reconciliation of a sample of till records to actual bankings.

Audit risk: Receipts/invoicing significantly in advance/arrears of providing services or goods, therefore leading to an increased risk of revenue being in the wrong period (eg deposits received in advance, reservation fees, contracts spanning the year end).

Auditor’s response:
• For a sample of revenue entries recorded prior to the year end, agree the transactions as relating to pre year end sales by inspecting the contract / other supporting documentation.
• Trace post year end transactions back to a supporting contract/documentation to test that revenue was recorded in the proper period.
• For a sample of contracts or GDNs, verify the revenue was recognised according to the provision of services/goods.
• Perform analytical procedures where monthly revenue is compared to expectations and budgeted revenue. Unexpected deviations should be investigated.

Audit risk: Invoices received (or payments made) in advance/arrears of goods or services delivery date leading to overstatement or understatement of costs and/or liabilities.

Auditor’s response:
• Review post year end bank statements / cash book payments for evidence of amounts relating to the financial year but not included in liabilities.
• For a sample of documents pre and post year end indicating date of delivery of goods/services (eg GRNs), verify the cost and liability were recorded in the appropriate period.

Audit risk: There is an increased risk of irrecoverable debts (eg due to the nature of the client’s industry or customers), resulting in assets being potentially overstated.

Auditor’s response:
• Identify year end receivable balances still outstanding at the date of the audit by reviewing post year end receipts from customers. For amounts still outstanding establish whether these are provided for.
• Review aged receivables analysis and customer correspondence files for evidence of disputes with receivables and consider the adequacy of any related receivables allowance.

Audit risk: Significant client borrowing and/or overdraft with cash flow problems which may indicate going concern problems.

Auditor’s response:
• Review correspondence with the bank/lender for any evidence of withdrawal or extension of facilities.
• If there are bank covenants linked to performance on which facilities depend, review compliance with these, and increase testing on areas where management could manipulate performance indicators (such as provisions).
• Review post year end results and cash flow forecasts (if prepared) for evidence the company can continue as a going concern.

Audit risk: New client systems/controls/staff impacting on amounts recorded in the financial statements, increasing the risk of errors and the risk of internal controls not operating effectively.

Auditor’s response:
• Undertake additional visits (eg interim audit) to assess the effectiveness of controls operating over areas affected.
• Perform extra work to document and evaluate new systems/controls, performing tests of controls where necessary.
• Increase sample sizes for substantive testing over financial statement areas impacted.

Audit risk: Management has an incentive to manipulate performance, increasing the risk of profits being overstated (eg remuneration or bank funding is reliant on performance).

Auditor’s response:
• Focus on and increase testing on judgemental areas in the financial statements (eg provisions, revenue recognition accounting policies).

Fraud, laws and regulations


Fraud

Fraud: an “intentional act by one or more individuals among management, those charged with

governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal

advantage” (ISA 240).

Fraud may be perpetrated by an individual, or through collusion with people internal or external to the business.

Fraud risk factors are “events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud”.

There are two types of fraud which may cause material misstatement in the financial statements:

• Fraudulent financial reporting (intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users)
• Misappropriation of assets (the theft of an entity’s assets)

(ISA 240: para. 3)

The responsibility to prevent and detect fraud lies with an entity’s management and those

charged with governance. It is their responsibility to establish a culture of honesty and ethical

behaviour and to implement a system of internal control to mitigate the risk of fraud.

(ISA 240: para. 4)

ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

states that the auditor is responsible for obtaining reasonable assurance that the financial

statements are free from material misstatement, whether caused by fraud or error. (ISA 240:

para. 5)

The auditor is responsible for maintaining professional scepticism throughout the audit,

considering the possibility of management override of controls, and recognising that the

audit procedures effective for detecting errors may not be effective for detecting

fraud.
(ISA 240: para. 12)

Where the auditor’s risk assessment suggests there is a risk of material misstatement due

to fraud the risk should be treated as a significant risk.

In this event the auditor should:

• Assign and supervise audit staff taking into account their knowledge, skill and ability;

• Evaluate whether the client’s accounting policies may indicate fraudulent financial

reporting; and

• Incorporate unpredictability in the selection of the nature, timing and extent of audit procedures (ISA 240: para. 29).

There should be a discussion among audit team members that places particular emphasis

on how and where the financial statements may be susceptible to fraud.

Risk assessment procedures to obtain information in identifying the risks of material

misstatement due to fraud shall include the following:

(a) Enquiries of management regarding:

(i) Management’s assessment of the risk that the financial statements may be

misstated due to fraud

(ii) Management’s process for identifying and responding to the risk of fraud

(iii) Management’s communication to those charged with governance in

respect of its process for identifying and responding to the risk of fraud

(iv) Management’s communication to employees regarding its views on business

practices and ethical behaviour

(v) Knowledge of any actual, suspected or alleged fraud

(b) Enquiries of internal audit for knowledge of any actual, suspected or alleged

fraud, and its views on the risks of fraud

(c) Obtaining an understanding of how those charged with governance oversee


management’s processes for identifying and responding to the risk of fraud and

the internal control established to mitigate these risks

(d) Enquiries of those charged with governance for knowledge of any actual,

suspected or alleged fraud

(e) Evaluating whether any unusual relationships have been identified in performing

analytical procedures that may indicate risk of material misstatement due to

fraud

(f) Considering whether any other information may indicate risk of material

misstatement due to fraud

(g) Evaluating whether any fraud risk factors are present

(ISA 240: paras. 17–24)

If the auditor identifies fraud or receives information that a fraud may exist, the

auditor shall report this on a timely basis to the appropriate level of management (ISA

240: para. 40).

If the auditor identifies or suspects fraud involving management, employees with

significant roles in internal control, and others where fraud could have a material

effect on the financial statements, they shall communicate this on a timely basis to those

charged with governance (ISA 240: para. 41).

The auditor also needs to consider whether there is a responsibility to report to the

regulatory or enforcement authorities – the auditor’s professional duty of

confidentiality may be overridden by laws and statutes in certain jurisdictions (ISA

240: para. 43).

Laws and regulations

An entity is likely to be subject to several laws and regulations.

The auditor is not responsible for preventing non-compliance and cannot be expected to detect non-compliance with all laws and regulations (ISA 250 (Revised)).

The auditor’s responsibility is to obtain reasonable assurance that the financial statements are free from material misstatement whether due to fraud or error and, in this respect, the auditor must take into account the legal and regulatory framework within which the entity operates (ISA 250 (Revised)).

ISA 250 (Revised) distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations:

• Those that have a direct effect on the determination of material amounts and disclosures in the financial statements (such as tax or pension laws and regulations)
• Those that do not have a direct effect on the determination of material amounts and disclosures in the financial statements but where compliance may be fundamental to the operating aspects, ability to continue in business, or to avoid material penalties (such as regulatory compliance or compliance with the terms of an operating licence)

For the first category, the auditor’s responsibility is to obtain sufficient appropriate audit

evidence about compliance with those laws and regulations (ISA 250 (Revised): para. 14).

For the second category, the auditor’s responsibility is to undertake specified audit procedures to help identify non-compliance with laws and regulations that may have a material effect on the financial statements. These include enquiries of management and inspecting correspondence with the relevant licensing or regulatory authorities (ISA 250 (Revised): para. 15).

Examples of laws and regulations that may be included in these categories include the

following:
• Fraud, corruption and bribery

• Money laundering, terrorist financing and proceeds of crime

• Securities markets and trading

• Banking and other financial products and services

• Data protection

• Tax and pension liabilities and payments

• Environmental protection

• Public health and safety

The responsibility to comply with relevant laws and regulations lies with an entity’s

management and those charged with governance.