AAP - Module 6

Auditing Theories module 6


Auditing and Assurance Principles

Module 6: Risk Assessment


Lex Daniel S. Quequegan, CPA, CFE


At the end of this module, you will learn:


1. Introduction to risk;
2. Materiality;
3. Understanding the entity and its environment;
4. Assessing the risks of material misstatement;
5. Responding to the risk assessment;
6. Fraud, law and regulations; and
7. Documentation of risk assessment.

Introduction to Risk

PSA 200 states that the objectives of the audit are “to obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor
to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an
applicable financial reporting framework; and to report on the financial statements, and communicate as required by
the PSAs, in accordance with the auditor’s findings.” [1]

A risk assessment carried out under the PSAs helps the auditor to identify financial statement areas susceptible to
material misstatement and provides a basis for designing and performing further audit procedures.

Furthermore, to achieve the overall objective, auditors also need to plan and perform the audit with professional
skepticism, exercise professional judgment, and comply with ethical requirements.

Professional Skepticism

PSA 200 states that auditors must plan and perform an audit with an attitude of professional skepticism. It is an attitude
that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to fraud or
error, and a critical assessment of audit evidence. [2] The auditor must be alert to:
§ Audit evidence that contradicts other audit evidence obtained
§ Information that brings into question the reliability of documents and responses to inquiries to be used as
audit evidence
§ Conditions that may indicate possible fraud
§ Circumstances that suggest the need for audit procedures in addition to those required by PSAs

Professional skepticism needs to be maintained throughout the audit to reduce the risks of overlooking unusual
transactions, over-generalizing when drawing conclusions, and using inappropriate assumptions in determining the
nature, timing and extent of audit procedures and evaluating their results.

It is also necessary for the critical assessment of audit evidence. This includes questioning contradictory audit evidence
and the reliability of documents and responses from management and those charged with governance.

[1] PSA 200.10
[2] PSA 200.13 (m)


Professional Judgment

PSA 200 requires the auditor to exercise professional judgment in planning and performing an audit of financial
statements. It is the application of relevant training, knowledge and experience, within the context provided by auditing,
accounting and ethical standards, in making informed decisions about the courses of action that are appropriate in the
circumstances of the audit engagement. [3]

Professional judgment is required in the following areas:


§ Materiality and audit risk
§ Nature, timing and extent of audit procedures
§ Evaluation of whether sufficient appropriate audit evidence has been obtained
§ Evaluating management’s judgments in applying the applicable financial reporting framework
§ Drawing conclusions based on the audit evidence obtained

Audit Risks

Auditors follow a risk-based approach in auditing, as required by the PSAs. In this approach, auditors analyze the
risks associated with the client’s business, transactions and systems which could lead to misstatements in the financial
statements, and direct their testing to risky areas.

Now, understanding the audit risk model helps the auditor to take action to reduce overall audit risk to an acceptable
level. Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are
materially misstated. It is a function of the risks of material misstatement (i.e., control risk and inherent risk) and
detection risk.

Audit Risk = Inherent Risk x Control Risk x Detection Risk

(Inherent Risk and Control Risk together make up the Risk of Material Misstatement.)

Risk of material misstatement [4] is the risk that the financial statements are materially misstated prior to audit. This
consists of two (2) components, to wit:
a. Inherent risk is the susceptibility of an assertion about a class of transactions, account balance or disclosure
to a misstatement that could be material, either individually or when aggregated with other misstatements,
before consideration of any related controls.
b. Control risk is the risk that a misstatement that could occur in an assertion about a class of transactions, account
balance or disclosure and that could be material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal
control.

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level
will not detect a misstatement that exists and that could be material, either individually or when aggregated with other
misstatements. [5] This is the component of audit risk that the auditors have a degree of control over, because if risk is
too high to be tolerated, the auditors can carry out more work to reduce this aspect of audit risk and, therefore, audit
risk as a whole.

[3] PSA 200.13 (k)
[4] PSA 200.13 (n)
[5] PSA 200.13 (e)

One way to decrease detection risk is to increase sample sizes. However, increasing sample sizes and carrying out
more work is not the only way to manage detection risk. This is because detection risk is a function of the effectiveness
of an audit procedure and of its application by the auditor. The following actions can also improve the effectiveness
and application of procedures and therefore help to reduce detection risk:
§ Adequate planning
§ Assignment of more experienced personnel to the engagement team
§ The application of professional skepticism
§ Increased supervision and review of the audit work performed

Materiality

Materiality for the financial statements as a whole and performance materiality must be calculated at the planning
stages of all audits. The calculation or estimation of materiality should be based on experience and judgment.
Materiality for the financial statements as a whole must be reviewed throughout the audit and revised if necessary.

The PSAs do not specifically define materiality, but note that, while it may be discussed in different terms by
different financial reporting frameworks, the following are generally the case:
§ Misstatements, including omissions, are considered to be material if they, individually or in the aggregate,
could reasonably be expected to influence the economic decisions of users taken on the basis of the financial
statements;
§ Judgments about materiality are made in light of surrounding circumstances, and are affected by the size or
nature of a misstatement, or a combination of both; and
§ Judgments about matters that are material to users of the financial statements are based on a consideration of
the common financial information needs of users as a group. The possible effect of misstatements on specific
individual users, whose needs may vary widely, is not considered. [6]

PAS 1 definition of materiality: [7]

Information is material if omitting, misstating or obscuring it could reasonably be expected to influence decisions
that the primary users of general purpose financial statements make on the basis of those financial statements, which
provide financial information about a specific reporting entity.

Materiality depends on the nature or magnitude of information, or both. An entity assesses whether information,
either individually or in combination with other information, is material in the context of its financial statements
taken as a whole.

Information is obscured if it is communicated in a way that would have a similar effect for primary users of financial
statements to omitting or misstating that information. The following are examples of circumstances that may result
in material information being obscured:

(a) information regarding a material item, transaction or other event is disclosed in the financial statements
but the language used is vague or unclear;

(b) information regarding a material item, transaction or other event is scattered throughout the financial
statements;

(c) dissimilar items, transactions or other events are inappropriately aggregated;

(d) similar items, transactions or other events are inappropriately disaggregated; and

(e) the understandability of the financial statements is reduced as a result of material information being hidden
by immaterial information to the extent that a primary user is unable to determine what information is
material.

[6] PSA 320.2
[7] PAS 1.7

Assessing whether information could reasonably be expected to influence decisions made by the primary users of
a specific reporting entity’s general purpose financial statements requires an entity to consider the characteristics
of those users while also considering the entity’s own circumstances.

Many existing and potential investors, lenders and other creditors cannot require reporting entities to provide
information directly to them and must rely on general purpose financial statements for much of the financial
information they need. Consequently, they are the primary users to whom general purpose financial statements are
directed. Financial statements are prepared for users who have a reasonable knowledge of business and economic
activities and who review and analyze the information diligently. At times, even well-informed and diligent users
may need to seek the aid of an adviser to understand information about complex economic phenomena.

The practical implication of this is that the auditor must be concerned with identifying material errors, omissions and
misstatements. Both the amount (quantity) and nature (quality) of misstatements need to be considered.

To implement this, the auditor therefore has to set their own materiality levels – this will always be a matter of
judgement and will depend on the level of audit risk. The higher the anticipated risk, the lower the value of materiality
will be.

The materiality level will impact on the auditor’s decisions relating to:
§ How many items to examine
§ Which items to examine
§ Whether to use sampling techniques
§ What level of misstatement is likely to result in a modified audit opinion

Determining and Calculating Materiality and Performance Materiality (PM)

During planning, the auditor must establish materiality for the financial statements as a whole, but must also set
performance materiality levels.

Determining materiality for the financial statements as a whole involves the exercise of professional judgment.
Generally, a percentage is applied to a chosen benchmark as a starting point for determining materiality for the
financial statements as a whole. The following factors may affect the identification of an appropriate benchmark:
§ Elements of the financial statements (e.g., assets, liabilities, equity, revenue, expenses)
§ Whether there are items on which users tend to focus
§ Nature of the entity, industry and economic environment
§ Entity’s ownership structure and financing
§ Relative volatility of the benchmark

An example of benchmarks and percentages of materiality may be as follows.

Value                 Materiality %
Profit before tax     5-10%
Gross margin          1-4%
Revenues              0.5-3%
Operating expenses    0.5-3%
Equity                1-5%
Assets                0.5-3%

For this reason, the auditor is required to set performance materiality levels which are lower than the materiality for
the financial statements as a whole. This means a lower threshold is applied during testing. The risk of misstatements
which could add up to a material misstatement is therefore reduced. Performance materiality means the amount set
by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial
statements as a whole. It is also the amount set by the auditor at less than the materiality level for particular classes of
transactions, account balances or disclosures. [8]

Materiality has qualitative aspects. Some misstatements may fall under specified benchmarks, but are still considered
material overall due to their qualitative effects.

Magnitude by itself, without regard to the nature of the item and the circumstances in which the judgement has to be
made, may not be a sufficient basis for a materiality judgement. As a result, qualitative factors may cause
misstatements of quantitatively small amounts to be material.

Examples of qualitative aspects are: [9]

§ Law, regulation or the applicable financial reporting framework affect users’ expectations regarding the
measurement or disclosure of certain items
§ The key disclosures in relation to the industry in which the entity operates
§ Attention is focused on a particular aspect of the entity’s business that is separately disclosed in the financial
statements

[8] PSA 320.9
[9] PSA 320.A10
[10] SEC Memorandum Circular No.8, Series of 2009

SEC Test of Materiality [10]

According to the Securities and Exchange Commission (SEC), it is considered a material deficiency in the financial
statements if there is no accounting policy for a material account. According to the SEC
guidelines, a material account means a balance sheet or income statement item, the amount of which is equivalent to:
1. For PIE:
§ 5% or more of total current asset, if it is one of the current asset items
§ 5% or more of total non-current asset, if it is one of the non-current asset items
§ 5% or more of total current liabilities, if it is one of the current liabilities items
§ 5% or more of total long-term liabilities, if it is one of the long-term liabilities items
§ 5% or more of the total stockholders’ equity, if it is one of the equity items or the amount of total
assets if there is capital deficiency
§ 5% or more of the gross income, cost of sales/services or the total operating expenses, as may be
applicable
2. For all other corporations, the threshold shall be 10% or more of the items mentioned above.

The SEC also considers the following instances as material misstatement in the financial statements:
§ An accounting policy for a significant account is not consistent with PFRS or GAAP
§ An accounting policy for a significant account is not consistently applied between periods or to similar
transactions and events (inconsistent application)
§ The estimate or assumption used on a significant account is unreasonable and resulted in a material
misstatement of the financial statements
§ There is more than one (1) minor misstatement and the aggregate amount involved for said misstatements
meets the test of materiality
§ The financial statements of a corporation with a subsidiary or subsidiaries are not presented on a consolidated
basis in violation of PAS 27
§ Such other misstatements in the financial statements (overstatement or understatement of income, asset,
liability or equity) that the SEC may consider material

Revision of Materiality

The level of materiality must be revised for the financial statements as a whole if the auditor becomes aware of
information during the audit that would have caused the auditor to have determined a different amount during planning.

If the auditor concludes that a lower amount of materiality for the financial statements as a whole is appropriate, the
auditor must determine whether performance materiality also needs to be revised, and whether the nature, timing and
extent of further audit procedures are still appropriate. A revision to materiality might be required for example if during
the audit it appears that actual results are going to be significantly different from the expected results, which were
used to calculate materiality for the financial statements as a whole during planning.

Documentation of Materiality [11]

The auditor shall include in the audit documentation the following amounts and the factors considered in their
determination:
§ Materiality for the financial statements as a whole
§ If applicable, the materiality level for particular classes of transactions, account balances or disclosures
§ Performance materiality
§ Any revision of the above as the audit progressed

[11] PSA 320.14


Understanding the Entity and Its Environment

Under PSA 315, the objective of the auditor is to identify and assess the risks of material misstatement, whether due
to fraud or error, at the financial statement and assertion levels thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement. [12]

The following table summarizes the objective.

Why?
§ To identify and assess the risks of material misstatement in the financial statements
§ To enable the auditor to design and perform further audit procedures
§ To provide a frame of reference for exercising audit judgment (e.g., when setting audit materiality)

What?
§ Industry, regulatory and other external factors, including the applicable financial reporting framework
§ Nature of the entity, including operations, ownership and governance, investments, structure and financing
§ Entity’s selection and application of accounting policies
§ Objectives and strategies and related business risks that might cause material misstatement in the financial
statements
§ Measurement and review of the entity’s financial performance
§ Internal control

How?
§ Inquiries of management, appropriate individuals within the internal audit function and others within the entity
§ Analytical procedures
§ Observation and inspection
§ Prior period knowledge
§ Client acceptance or continuance process
§ Discussion by the audit team of the susceptibility of the financial statements to material misstatement
§ Information from other engagements undertaken for the entity

What do we need an understanding of?

UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

Nature of the entity
§ Financing
§ Investment
§ Financial reporting
§ Business operations

Objectives and strategies and related business risks
§ Expansion
§ Use of information technology/system
§ Industry developments
§ New products and services

Selection and application of accounting policies
§ GAAP used
§ Application of accounting policies to complex or unusual/specialized transactions

Internal control
§ Control activities
§ Monitoring of controls
§ Control environment

Financial performance
§ Employee performance measures
§ Budgets, forecasts, etc.
§ Competitors
§ Financial analysis
§ Key performance indicators

Industry, regulatory and other external factors
§ Taxation
§ Regulatory framework
§ Cyclical or seasonal activity
§ The market and competition
§ Accounting principles
§ Energy supply and cost
§ Interest rates
§ Product technology
§ Social, economic and environmental factors

[12] PSA 315.12

How do we gain an understanding?

The auditor will refer to the following to help in obtaining an understanding of the entity and its environment.
§ The permanent audit file where information of continuing importance to the audit is kept
§ Audit working papers from the previous year’s audit file
§ Information from the client’s website
§ Publications or websites related to the industry the client operates in

A combination of the following procedures should be used to obtain an understanding.


1. Inquiries of management, internal auditors, and others within the entity
2. Analytical procedures
3. Observation and inspection

PSA 315 also states that the auditor shall consider whether information obtained from client acceptance or continuance
processes is relevant. [13]

If the engagement partner has performed other engagements for the entity, he/she shall consider whether information
from these is relevant to identifying risks of material misstatement.

If the auditor is going to use information from the prior year’s audit, the auditor shall determine whether changes have
occurred that could affect the relevance to the current year’s audit.

The engagement partner and other key team members shall discuss the susceptibility of the financial statements to
material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and
circumstances. The engagement partner shall determine what matters are to be communicated to team members not
involved in the discussion.

[13] PSA 315.15

Inquiry

The auditors will usually obtain most of the information they require from staff in the accounts department but may
also need to make inquiries of other personnel: for example, production staff and those charged with governance.

Those charged with governance may give insight into the environment in which the financial statements are prepared.
In-house legal counsel may help with understanding such matters as outstanding litigation and compliance with laws
and regulations. Sales and marketing personnel may give information about marketing strategies and sales trends.

If the client has an internal audit function, inquiries should be made of internal auditors as appropriate as part of risk
assessment procedures.

Analytical Procedures

Analytical procedures consist of evaluations of financial information through analysis of plausible relationships
among both financial and non-financial data. Analytical procedures also encompass investigation of identified
fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values
by a significant amount. As a matter of fact, analytical procedures can be used at all stages of the audit.

Analytical procedures include:


1. The consideration of comparisons with:
§ Similar information for prior periods
§ Anticipated results of the entity, from budgets or forecasts
§ Predictions prepared by the auditor
§ Industry information
2. The consideration of the relationship between elements of financial information that are expected to conform
to a predicted pattern based on the entity’s experience, such as the relationship of gross profit to sales.
3. The consideration of the relationship between financial information and relevant non-financial information,
such as the relationship of payroll costs to number of employees.

A variety of methods can be used to perform the procedures discussed above, ranging from simple comparisons to
complex analysis using statistics, on a company level, branch level or individual account level. Ratio analysis can be
a useful technique when carrying out analytical procedures.

The choice of procedures is a matter for the auditors' professional judgement. The use of information technology may
be extensive when carrying out analytical procedures during risk assessment.

Auditors may also use specific industry information or general knowledge of current industry conditions to assess the
client's performance.

As well as helping to determine the nature, timing and extent of other audit procedures, such analytical procedures
may also indicate aspects of the business of which the auditors were previously unaware. Auditors are looking to see
if developments in the client's business have had the expected effects. They will be particularly interested in changes
in audit areas where problems have occurred in the past.


Analytical procedures at the risk assessment stage of the audit are usually based on interim financial information,
budgets or management accounts.

Observation and Inspection

These techniques are likely to confirm the answers given to enquiries made of management. They will include
observing the normal operations of a company, reading documents or manuals relating to the client's operations and
visiting premises and meeting staff.

Assessing the Risks of Material Misstatement

PSA 315 says that the objective of the auditor is to identify and assess the risks of material misstatement, whether due
to fraud or error, at the financial statement and assertion levels thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement. [14]

Assertions are representations, explicit or otherwise, with respect to the recognition, measurement, presentation
and disclosure of information in the financial statements which are inherent in management representing that the
financial statements are prepared in accordance with the applicable financial reporting framework. Assertions are
used by the auditor to consider the different types of potential misstatements that may occur when identifying,
assessing and responding to the risks of material misstatement. [15]

PSA 315 requires the auditor to take the following steps:


§ Identify the risks throughout the process of obtaining an understanding of the entity and its environment
§ Assess the identified risks and evaluate whether they relate more pervasively to the financial statements as a
whole
§ Relate the risks to what can go wrong at the assertion level
§ Consider the likelihood of the risks causing a material misstatement

Significant Risks

Significant risks are complex or unusual transactions that may indicate fraud, or other special risks. A significant risk
is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the
spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a
misstatement occurring and the magnitude of the potential misstatement should that misstatement occur. [16] These
require special audit consideration. As part of the risk assessment, the auditor shall determine whether any of the risks
are significant.

The following factors indicate that a risk might be significant:

§ Risk of fraud
§ Its relationship with recent economic, accounting or other developments
§ The degree of subjectivity in the financial information
§ It is an unusual transaction
§ It is a significant transaction with a related party
§ The complexity of the transaction

[14] PSA 315.11
[15] PSA 315.12(a)
[16] PSA 315.12(l)

Routine, non-complex transactions are less likely to give rise to significant risk than unusual transactions or matters
of management judgment. This is because unusual transactions are likely to have more:
§ Management intervention
§ Complex accounting principles or calculations
§ Manual intervention
§ Opportunity for control procedures not to be followed

When the auditor identifies a significant risk, if they have not done so already, they shall obtain an understanding of
the entity’s controls relevant to that risk.

Responding to the Risk Assessment

Overall Responses

Overall responses include such issues as emphasizing to the team the importance of professional skepticism,
allocating more staff, using experts or providing more supervision.

Overall responses to address the risks of material misstatements at the financial statement level will be changes to the
general audit strategy or reaffirmations to staff of the general audit strategy. For example:
§ Emphasizing to audit staff the need to maintain professional skepticism
§ Assigning additional or more experienced staff to the audit team
§ Providing more supervision on the audit
§ Incorporating more unpredictability into the audit procedures
§ Making general changes to the nature, timing or extent of audit procedures

The evaluation of the control environment that will have taken place as part of the assessment of the client’s internal
control systems will help the auditor determine what type of audit approach to take.

Responses to the Risks of Material Misstatement at the Assertion Level

The PSA says that the auditor shall design and perform further audit procedures whose nature, timing and extent are
based on and are responsive to the assessed risks of material misstatement at the assertion level. “Nature” refers to the
purpose and type of test that is carried out, which include tests of controls and substantive tests.

Tests of Controls

Tests of controls are audit procedures designed to evaluate the operating effectiveness of controls in preventing, or
detecting and correcting, material misstatements at the assertion level. [17]

When the auditor’s risk assessment includes an expectation that controls are operating effectively, the auditor shall
design and perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating.

[17] PSA 315.4(b)


The auditor shall also undertake tests of controls when it will not be possible to obtain sufficient appropriate audit
evidence simply from substantive procedures. This might be the case if the entity conducts its business using IT
systems which do not produce documentation of transactions.

In carrying out tests of control, auditors shall use inquiry, but shall also use other procedures. Reperformance and
inspection will often be helpful procedures.

When considering timing in relation to tests of controls, the purpose of the test will be important. For example, if the
company carries out a year-end inventory count, controls over the inventory count can only be tested at year end.
Other controls will operate all year round, and the auditor may need to test that those controls have been effective
throughout the period.

Some controls may have been tested in prior audits and the auditor may choose to rely on that evidence of effectiveness.
If this is the case, the auditor shall obtain evidence about any changes since the controls were last tested and shall test
the controls if they have changed. In any case, controls shall be tested for effectiveness at least once in every three
audits.

If the related risk has been designated a significant risk, the auditor shall not rely on testing done in prior years, but
shall perform testing in the current year.

Substantive Procedures

Substantive procedures are audit procedures designed to detect material misstatement at the assertion level. These
procedures include (1) tests of details (of classes of transactions, account balances, and disclosures) and (2) substantive
analytical procedures. [18]

The auditor shall always carry out substantive procedures on material items. The PSA says that irrespective of the
assessed risk of material misstatement, the auditor shall design and perform substantive procedures for each material
class of transactions, account balance and disclosure. [19]

In addition, the auditor shall carry out the following substantive procedures:
§ Agreeing or reconciling the financial statements to the underlying accounting records
§ Examining material journal entries
§ Examining other adjustments made in preparing the financial statements

Substantive procedures fall into two categories: analytical procedures and tests of details. The auditor must determine
when it is appropriate to use which type of substantive procedure.

Substantive analytical procedures tend to be appropriate for large volumes of predictable transactions (for example,
wages and salaries). Tests of detail may be appropriate to gain information about account balances, for example,
inventory and trade receivables.

18
PSA 315.4(a)
19
PSA 315.18

Tests of detail rather than analytical procedures are likely to be more appropriate with regard to matters which have
been identified as significant risks, but the auditor must develop procedures that are specifically responsive to that
risk, which may include analytical procedures. Significant risks are likely to be the most difficult to obtain sufficient
appropriate audit evidence about.

Examples of Responses to Audit Risks

Each example risk is followed by its possible responses.

Risk: Inventory has a lower net realizable value than cost and is therefore overstated (e.g., NRV falls due to the client being in an industry where tastes/fashions change quickly).
Possible responses:
§ Examine the instructions to identify slow moving inventory lines when attending the inventory count.
§ Increase the emphasis on reviewing the year end aged inventory analysis for evidence of slow moving inventory.
§ Ascertain sales value for items sold post year end that were in inventory at the year end to ensure their NRV was higher than the cost recorded as part of the value in the financial statements.

Risk: Assets are desirable/more susceptible to theft leading to a risk that recorded assets do not exist (e.g., inventory/non-current assets).
Possible responses:
§ Focus on testing internal controls over those assets (including physical controls to prevent theft).
§ Increase sample sizes for inspecting recorded assets, ensuring any material assets are verified (in the context of performance materiality).

Risk: Increased risk of revenue expenditure being incorrectly classified as capital (or vice versa), leading to misstatement of assets/expenses (e.g., extensive refurbishment of non-current assets where judgment is needed to establish whether the nature of the work is to enhance the asset or repair/replace it).
Possible responses:
§ Obtain a breakdown of related costs and review accounting entries against invoices/details of work done to ensure expenditure is correctly treated as capital/revenue.
§ Perform a detailed review of repairs accounts for any items which should be included in non-current assets.
§ Review the asset register to ensure only capital items have been included.

Risk: Increased risk of incomplete or unrecorded income due to fraud or theft (e.g., large amounts of cash collected and held prior to banking).
Possible responses:
§ Perform analytical procedures focusing on comparing revenue with expected seasonal/monthly patterns.
§ If a retail client, perform/reperform a reconciliation of a sample of till records to actual bankings.

Risk: Receipts/invoicing significantly in advance/arrears of providing services or goods, therefore leading to an increased risk of revenue being in the wrong period (e.g., deposits received in advance, reservation fees, contracts spanning the year end).
Possible responses:
§ For a sample of revenue entries recorded prior to the year end, agree the transactions as relating to pre year end sales by inspecting the contract / other supporting documentation.
§ Trace post year end transactions back to a supporting contract/documentation to test that revenue was recorded in the proper period.
§ For a sample of contracts or GDNs, verify the revenue was recognized according to the provision of services/goods.
§ Perform analytical procedures where monthly revenue is compared to expectations and budgeted revenue. Unexpected deviations should be investigated.

Risk: Invoices received (or payments made) in advance/arrears of goods or services delivery date leading to overstatement or understatement of costs and/or liabilities.
Possible responses:
§ Review post year end bank statements / cash book payments for evidence of amounts relating to the financial year but not included in liabilities.
§ For a sample of documents pre and post year end indicating date of delivery of goods/services (e.g., GRNs), verify the cost and liability were recorded in the appropriate period.

Risk: There is an increased risk of irrecoverable debts (e.g., due to the nature of the client's industry or customers), resulting in assets being potentially overstated.
Possible responses:
§ Identify year end receivable balances still outstanding at the date of the audit by reviewing post year end receipts from customers. For amounts still outstanding establish whether these are provided for.
§ Review aged receivables analysis and customer correspondence files for evidence of disputes with receivables and consider the adequacy of any related receivables allowance.

Risk: Significant client borrowing and/or overdraft with cash flow problems which may indicate going concern problems.
Possible responses:
§ Review correspondence with the bank/lender for any evidence of withdrawal or extension of facilities.
§ If there are bank covenants linked to performance on which facilities depend, review compliance with these, and increase testing on areas where management could manipulate performance indicators (such as provisions).
§ Review post year end results and cash flow forecasts (if prepared) for evidence the company can continue as a going concern.

Risk: New client systems/controls/staff impacting on amounts recorded in the financial statements, increasing the risk of errors and the risk of internal controls not operating effectively.
Possible responses:
§ Undertake additional visits (e.g., interim audit) to assess the effectiveness of controls operating over areas affected.
§ Perform extra work to document and evaluate new systems/controls, performing tests of controls where necessary.
§ Increase sample sizes for substantive testing over financial statement areas impacted.

Risk: Management has an incentive to manipulate performance, increasing the risk of profits being overstated (e.g., remuneration or bank funding is reliant on performance).
Possible responses:
§ Focus on and increase testing on judgmental areas in the financial statements (e.g., provisions, revenue recognition accounting policies).

Above are just some examples of risks you may encounter in an exam question on audit risks and responses. The best
response to each risk will depend on the particular circumstances of the client and the environment in which it operates.

Your approach should not be to simply learn a list of responses. Instead, your focus should be on understanding the
link between audit risks and responses, and being able to identify and explain risks and suitable responses when
presented with different scenarios.

Fraud, Law and Regulations

The following compares errors, fraud, and illegal acts (those with a direct effect and those under other laws).

Definition
§ Errors: Unintentional misstatements or omissions
§ Fraud: Intentional misstatement or omissions
§ Illegal acts (direct effect): Violations of laws or regulations having a material effect on financial statement amounts and disclosures
§ Illegal acts (other laws): Violations of laws or regulations not having a material and direct effect on financial statement amounts and disclosures

Examples
§ Errors: Mistakes in processing accounting data, incorrect accounting estimates due to oversight, mistakes in application of accounting principles
§ Fraud: Two types: (1) fraudulent financial reporting and (2) misappropriation of assets
§ Illegal acts (direct effect): Tax laws, post-employment benefits
§ Illegal acts (other laws): Securities, occupational safety and health, food and drug administration, environmental protection, employment

Detection responsibility
§ Errors:
1. Assess risk of misstatement.
2. Based on assessment, design audit to provide reasonable assurance of detection of material misstatement.
3. Exercise due care in planning, performing, and evaluating results of audit procedures, and proper degree of professional skepticism to achieve reasonable assurance of detection.
§ Fraud: (Same as for errors)
§ Illegal acts (direct effect): (Same as for errors)
§ Illegal acts (other laws):
1. Be aware of possibility that they may have occurred.
2. Inquire of management and those charged with governance.
3. Inspect correspondence with licensing or regulatory agencies.
4. If specific information comes to attention on an illegal act with a possible material indirect financial statement effect, apply audit procedures necessary to determine whether illegal act has occurred.

Reporting responsibility
§ Errors:
1. Modify audit report for remaining departures from financial reporting framework or scope limitations.
2. Report to audit committee, if needed.
§ Fraud: (Same as for errors)
§ Illegal acts (direct effect): (Same as for errors)
§ Illegal acts (other laws): (Similar to errors)

Fraud is an intentional act by one or more individuals among management, those charged with governance, employees,
or third parties, involving the use of deception to obtain an unjust or illegal advantage. Fraud may be perpetrated by
an individual, or in collusion with people internal or external to the business. Fraud risk factors are events or
conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.

Fraud is a wide legal concept, but the auditor’s main concern is with fraud that causes a material misstatement in the
financial statements. It is distinguished from error, which is when a material misstatement is caused by mistake.

There are two types of fraud causing material misstatement in financial statements:
1. Fraudulent financial reporting
2. Misappropriation of assets

Fraudulent Financial Reporting

Fraudulent financial reporting involves intentional misstatements, including omissions of amounts or disclosures
in financial statements, to deceive financial statement users. This may include:
§ Manipulation, falsification or alteration of accounting records/supporting documents
§ Misrepresentation (or omission) of events or transactions in the financial statements
§ Intentional misapplication of accounting principles

Such fraud may be carried out by overriding controls that would otherwise appear to be operating effectively, for
example by recording fictitious journal entries and improperly adjusting assumptions or estimates used in financial
reporting.

Misappropriation of Assets

Misappropriation of assets involves the theft of an entity's assets and is often perpetrated by employees in relatively
small and immaterial amounts. However, it can also involve management who are usually more capable of disguising
or concealing misappropriations in ways that are difficult to detect.

Employees may be involved in such fraud in small and immaterial amounts, but it can also be carried out on a larger
scale by management who may then conceal the misappropriation, for example, by:
§ Embezzling receipts (diverting them to private bank accounts)
§ Stealing physical assets or intellectual property (inventory, selling data)
§ Causing an entity to pay for goods not received (payments to fictitious vendors)
§ Using assets for personal use.

Fraud and the Auditor

The primary responsibility for the prevention and detection of fraud is with those charged with governance and the
management of an entity. This is effected by having a commitment to creating a culture of honesty and ethical behavior
and active oversight by those charged with governance.

The auditor is responsible for obtaining reasonable assurance that the financial statements are free from material
misstatement, whether caused by fraud or error. The risk of not detecting a material misstatement from fraud is higher
than from error because of the following reasons:
§ Fraud may involve sophisticated schemes designed to conceal it
§ Fraud may be perpetrated by individuals in collusion
§ Management fraud is harder to detect because management is in a position to manipulate accounting records
or override control procedures.

The auditor is responsible for maintaining professional skepticism throughout the audit, considering the possibility of
management override of controls, and recognizing that audit procedures effective for detecting errors may not be
effective for detecting fraud.

Risk Assessment

PSA 315 requires a discussion among team members that places particular emphasis on how and where the financial
statements may be susceptible to fraud.20 Risk assessment procedures to obtain information in identifying the risk of
material misstatement due to fraud shall include the following:
a. Inquiries of management regarding:
i. Management’s assessment of the risk that the financial statements may be misstated due to fraud
ii. Management’s process for identifying and responding to the risk of fraud
iii. Management’s communication to those charged with governance in respect of its process for
identifying and responding to the risk of fraud
iv. Management’s communication to employees regarding its views on business practices and ethical
behavior
v. Knowledge of any actual, suspected or alleged fraud
b. Inquiries of internal audit for knowledge of any actual, suspected or alleged fraud, and its views on the risks
of fraud.
c. Obtaining an understanding of how those charged with governance oversee management’s processes for
identifying and responding to the risk of fraud and the internal control established to mitigate these risks.
d. Inquiries of those charged with governance for knowledge of any actual, suspected or alleged fraud.
e. Evaluating whether any unusual relationships have been identified in performing analytical procedures that
may indicate risk of material misstatement due to fraud.
f. Considering whether any other information may indicate risk of material misstatement due to fraud.
g. Evaluating whether any fraud risk factors are present.

In accordance with PSA 315, the auditor shall identify and assess the risks of material misstatement due to fraud at
the financial statement level and at the assertion level for classes of transactions, account balances and disclosures.
These risks shall be treated as significant risks.

Additionally, PSA 330 provides that the auditor shall determine overall responses to address the assessed risks of
material misstatement due to fraud at the financial statement level. In this regard, the auditor shall:
§ Assign and supervise responsible staff, taking into account their knowledge, skill and ability
§ Evaluate whether the accounting policies may be indicative of fraudulent financial reporting
§ Incorporate unpredictability in the selection of the nature, timing and extent of audit procedures

Management fraud is more difficult to detect than employee fraud because of management’s ability to override controls
and therefore manipulate accounting records. PSA 240 states that irrespective of the auditor’s assessment of the risks
of management override of controls, the auditor shall design and perform audit procedures to:
§ Test the appropriateness of journal entries and other adjustments
§ Review accounting estimates for bias
§ For significant transactions outside the normal course of business, evaluate whether they have been entered
into to engage in fraudulent financial reporting or to conceal misappropriation of assets

Written Representations

PSA 240 requires the auditor to obtain written representations (known as a management representation letter) from
management and those charged with governance that:
a. They acknowledge their responsibility for the design, implementation and maintenance of internal control to
prevent and detect fraud.

20
PSA 315.A42

b. They have disclosed to the auditor management’s assessment of the risk of fraud in the financial statements.
c. They have disclosed to the auditor their knowledge of fraud/suspected fraud involving management,
employees with significant roles in internal control, and others where fraud could have a material effect on
the financial statements.
d. They have disclosed to the auditor their knowledge of any allegations of fraud/suspected fraud communicated
by employees, former employees, analysts, regulators or others.

Communication to Management and Those Charged with Governance

If the auditor identifies fraud or receives information that a fraud may exist, the auditor shall report this on a timely
basis to the appropriate level of management.

If the auditor identifies or suspects fraud involving management, employees with significant roles in internal control,
and others where fraud could have a material effect on the financial statements, they shall communicate this on a
timely basis to those charged with governance.

The auditor also needs to consider whether there is a responsibility to report to the regulatory or enforcement
authorities—the auditor’s professional duty of confidentiality may be overridden by laws and statutes in certain
jurisdictions.

Law and Regulations

The auditor is also required to consider the issue of law and regulations in the audit. The objectives of the auditor are:
a. To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and
regulations generally recognized to have a direct effect on the determination of material amounts and
disclosures in the financial statements;
b. To perform specified audit procedures to help identify instances of non-compliance with other laws and
regulations that may have a material effect on the financial statements; and
c. To respond appropriately to identified or suspected non-compliance with laws and regulations identified
during the audit.21

Responsibilities of Management Compared to Auditors

It is management’s responsibility to ensure that the entity complies with the relevant laws and regulations. It is not the
auditor’s responsibility to prevent or detect non-compliance with laws and regulations.

The auditor’s responsibility is to obtain reasonable assurance that the financial statements are free from material
misstatement and, in this respect, the auditor must take into account the legal and regulatory framework within which
the entity operates.

PSA 250 distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws
and regulations:
1. Those that have a direct effect on the determination of material amounts and disclosures in the financial
statements.

21
PSA 250.11

2. Those that do not have a direct effect on the determination of material amounts and disclosures in the financial
statements but where compliance may be fundamental to the operating aspects, ability to continue in business,
or to avoid material penalties.

For the first category, the auditor’s responsibility is to obtain sufficient appropriate audit evidence about compliance
with those laws and regulations.

For the second category, the auditor’s responsibility is to undertake specified audit procedures to help identify non-
compliance with laws and regulations that may have a material effect on the financial statements. These include
inquiries of management and inspecting correspondence with the relevant licensing or regulatory authorities.

Audit Procedures

In accordance with PSA 315, the auditor shall obtain a general understanding of:
§ The applicable legal and regulatory framework
§ How the entity complies with that framework

The auditor can achieve this understanding by updating their existing understanding and by making inquiries of
management about other laws and regulations that may affect the entity, about its policies and procedures for
ensuring compliance, and about its policies and procedures for identifying, evaluating and accounting for litigation
claims.

The auditor shall remain alert throughout the audit to the possibility that other audit procedures may bring instances
of non-compliance or suspected non-compliance to the auditor’s attention. These audit procedures could include:
§ Reading minutes
§ Making inquiries of management and in-house/external legal advisers regarding litigation, claims and
assessments
§ Performing substantive tests of details of classes of transactions, account balances or disclosures

The auditor shall request written representations from management that all known instances of non-compliance or
suspected non-compliance with laws and regulations whose effects should be considered when preparing the financial
statements have been disclosed to the auditor.

Audit Procedures When Non-compliance is Identified or Suspected

The following factors may indicate non-compliance with laws and regulations:
§ Investigations by regulatory authorities and government departments
§ Payment of fines or penalties
§ Payments for unspecified services or loans to consultants, related parties, employees or government
employees
§ Sales commissions or agents’ fees that appear excessive
§ Purchasing at prices significantly above/below market price
§ Unusual payments in cash
§ Unusual transactions with companies registered in tax havens
§ Payment for goods and services made to a country different to the one in which the goods and services
originated
§ Payments without proper exchange control documentation
§ Existence of an information system that fails to provide an adequate audit trail or sufficient evidence
§ Unauthorized transactions or improperly recorded transactions
§ Adverse media comment

The following may be the audit procedures to be performed when non-compliance is identified or suspected.
§ Obtain understanding of nature of act and circumstances
§ Obtain further information to evaluate possible effect on financial statements
§ Discuss with management and those charged with governance
§ Consider need to obtain legal advice if sufficient information not provided and matter is material
§ Evaluate effect on auditor’s opinion if sufficient information not obtained
§ Evaluate implications on risk assessment and reliability of written representations

Reporting Identified or Suspected Non-Compliance

The auditor shall communicate with those charged with governance, but, if the auditor suspects that those charged
with governance are involved, the auditor shall communicate with the next highest level of authority, such as the audit
committee or supervisory board. If this does not exist, the auditor shall consider the need to obtain legal advice.

The auditor shall consider the impact on the auditor's report if they conclude that the non-compliance has a material
effect on the financial statements and has not been adequately reflected, or if the auditor is prevented by management
and those charged with governance from obtaining sufficient appropriate audit evidence to evaluate whether
non-compliance is material to the financial statements.

The auditor shall determine whether identified or suspected non-compliance has to be reported to the regulatory and
enforcement authorities. Although the auditor must maintain the fundamental principle of confidentiality, in some
jurisdictions the duty of confidentiality may be overridden by law or statute.

Documentation of Risk Assessment

Auditors must ensure they have documented the work done at the risk assessment stage, such as the discussion among
the audit team of the susceptibility of the financial statements to material misstatements, significant risks, and overall
responses.

The need for auditors to document their audit work is discussed in the next chapter where we will look in particular at
the audit plan and the audit strategy, two documents for planning. PSAs 315 and 330 contain a number of general
requirements about documentation, and we shall briefly run through those here.

The following matters shall be documented during planning.


§ The discussion among the audit team concerning the susceptibility of the financial statements to material
misstatements, including any significant decisions reached
§ Key elements of the understanding gained of the entity, covering the aspects of the entity and the internal
control components specified in PSA 315, the sources of the information gained and the risk assessment
procedures carried out
§ The identified and assessed risks of material misstatement at the financial statement level and at the assertion
level
§ Risks identified and related controls evaluated
§ The overall responses to address the risks of material misstatement at the financial statement level
§ Nature, extent and timing of further audit procedures linked to the assessed risks at the assertion level
§ Results of audit procedures
§ If the auditors have relied on evidence about the effectiveness of controls from previous audits, conclusions
about how this is appropriate
§ Demonstration that the financial statements agree or reconcile with the underlying accounting records
