Chapter Four

Audit risk
• The risk that an auditor expresses an inappropriate audit
opinion when the financial statements are materially
misstated.
Examples of inappropriate audit opinions include the following:
• Issuing an unqualified audit report where a qualification is
reasonably justified;
• Issuing a qualified audit opinion where no qualification is
necessary;
• Failing to emphasize a significant matter in the audit report;
• Providing an opinion on financial statements where no such
opinion may be reasonably given due to a significant
limitation of scope in the performance of the audit.
 Inherent Risk

• Inherent Risk is the risk of a material misstatement

in the financial statements arising due to error or
omission as a result of factors other than the failure
of controls (factors that may cause a misstatement
due to absence or lapse of controls are considered
separately in the assessment of control risk).
• Inherent risk is generally considered to be higher
where a high degree of judgment and estimation is
involved or where transactions of the entity are
highly complex.
 Control Risk

• Control Risk is the risk of a material misstatement in the financial

statements arising due to absence or failure in the operation of
relevant controls of the entity.
• Organizations must have adequate internal controls in place to
prevent and detect instances of fraud and error. Control risk is
considered to be high where the audit entity does not have
adequate internal controls to prevent and detect instances of fraud
and error in the financial statements.
• Assessment of control risk may be higher for example in case of a
small sized entity in which segregation of duties is not well defined
and the financial statements are prepared by individuals who do not
have the necessary technical knowledge of accounting and finance.
 Detection Risk

• Detection Risk is the risk that the auditors fail to detect a

material misstatement in the financial statements.
• An auditor must apply audit procedures to detect material
misstatements in the financial statements whether due to
fraud or error. Misapplication or omission of critical audit
procedures may result in a material misstatement remaining
undetected by the auditor. Some detection risk is always
present due to the inherent limitation of the audit such as
the use of sampling for the selection of transactions.
• Detection risk can be reduced by auditors by increasing the
number of sampled transactions for detailed testing.
 The Audit Risk Model
Inherent risk and control risk:
Risk of material misstatement

Audit Risk = IR × CR × DR

Detection risk:
Risk that auditor will not detect misstatements

 Inappropriate audit procedure

 Improper or incomplete use Nonsampling Sampling
 of an audit procedure risk risk
 Misinterpreting audit results
 Using the Audit Risk Model
 Set a planned level of audit risk such that an opinion
can be issued on the financial statements.
 Assess the risk of material misstatement (IR x CR).
 Use the audit risk equation to solve for the appropriate
level of detection risk:
AR = IR × CR × DR
AR
DR = IR × CR

Auditors use this level of detection risk to design audit

procedures that will reduce audit risk to an acceptable level.
Example
• ABC is an audit and assurance firm which has recently accepted the audit of XYZ.
During the planning of the audit, engagement manager has noted the following
information regarding XYZ for consideration in the risk assessment of the
assignment:
• XYZ is a listed company operating in the financial services
sector
• XYZ has a large network of subsidiaries, associates and foreign
branches
• The company does not have an internal audit department and
its audit committee does not include any members with a
background in finance as suggested in the corporate
governance guidelines
• It is the firm's policy to keep the overall audit risk below 10%
• Inherent risk in the audit of XYZ's financial statements is particularly high because the entity
is operating in a highly regularized sector and has a complex network of related entities which
could be misrepresented in the financial statements in the absence of relevant financial
controls. The first audit assignment is also inherently risky as the firm has relatively less
understanding of the entity and its environment at this stage. The inherent risk for the audit
may therefore be considered as high.
• Control risk involved in the audit also appears to be high since the company does not have
proper oversight by a competent audit committee of financial aspects of the organization.
The company also lacks an internal audit department which is a key control especially in a
highly regulated environment. The control risk for the audit may therefore be considered as
high.
• If inherent risk and control risk are assumed to be 60% each, detection risk has to be set at
27.8% in order to prevent the overall audit risk from exceeding 10%.
• Working

Audit Risk   =   Inherent Risk   x   Control Risk   x   Detection Risk

0.10   =   0.60   x   0.60   x   Detection Risk
0.10   =   Detection Risk   =   0.278   =   27.8% 
0.36
 Limitations of the
Audit Risk Model
The audit risk model is a planning tool, but it has some limitations that
must be considered when the model is used to revise an audit plan or to
evaluate audit results.

• The desired level of audit risk may not actually be achieved.

• It does not consider potential auditor error.
• There is no way of knowing what the preliminary level of risk
of material misstatement actually was.

Preliminary Actual
Assessment +/–
or Achieved
Level of Risk Level of Risk
Assessing the Risk of Material Misstatement

Errors are unintentional misstatements of amounts or

disclosures in the financial statements.
Fraud refers to an intentional act by one or more among
management, those charged with governance, employees,
or third parties, involving the use of deception that results in
a misstatement in the financial statements.
The Fraud Risk Assessment Process
Fraud involves intentional misstatements. The
fraud risk identification process includes:
 Sources of information about possible fraud―
 Communications among the audit team
 Inquires of management and others

 Analytical procedures

 Investigation of unexpected period-end adjustments

Conditions Indicative of Fraud and Fraud Risk Factors

Three conditions usually

exist when fraud occurs.

Incentive or Opportunity Attitude or

pressure to to carry out rationalization
perpetrate fraud the fraud to justify fraud
 Auditor’s Response to the Risk Assessment

Assess the risk of material misstatement at the financial statement

and assertion levels.

Financial statement level risks Assertion level risks

Do these
risks relate
No
pervasively to Determine what might go wrong
the financial at the assertion level.
statements?

Yes

Design audit
Develop an overall procedures for
response. assertion level risks.
 Financial report assertions and objectives

• Audit Assertions are the implicit or explicit claims and representations made

by the management responsible for the preparation of financial statements
regarding the appropriateness of the various elements of financial
statments and disclosures.
• Audit Assertions are also known as Management Assertions and Financial
Statement Assertions.

• The objective of audit testing is to assist the auditor in coming to a conclusion

as to whether the financial statements are free from material misstatement.

• Assertions assist auditors in considering a wide range of issues that are

relevant to the authenticity of financial statements. The consideration of
management assertions during the various stages of audit helps to reduce the
audit risk.
Assertions about classes of transactions and events and related disclosures for
the period under audit
(i) Occurrence – the transactions and events that have been recorded or disclosed,
have occurred, and such transactions and events pertain to the entity.
Relevant test – select a sample of entries from the sales account in the nominal
ledger and trace to the appropriate sales invoice and supporting goods
dispatched notes and customer orders.
(ii) Completeness – all transactions and events that should have been recorded
have been recorded and all related disclosures that should have been included in
the financial statements have been included.
Relevant test – select a sample of customer orders and check to dispatch notes
and sales invoices and the posting to the sales account in the nominal ledger.
iii) Accuracy – amounts and other data relating to recorded transactions and events
have been recorded appropriately, and related disclosures have been appropriately
measured and described.
Relevant test – calculation checks on invoices, payroll, etc, and the review of
control account reconciliations are designed to provide assurance about accuracy.
• (iv) Cut–off – transactions and events have been recorded in the correct accounting
period.
Relevant test – recording last goods received notes and despatch notes at the inventory
count and tracing to purchase and sales invoices to ensure that goods received before
the year–end are recorded in purchases at the year end and that goods despatched are
recorded in sales.
• (v) Classification – transactions and events have been recorded in the proper accounts.
Relevant test – check purchase invoices postings to nominal ledger accounts.
• (vi) Presentation – transactions and events are appropriately aggregated or
disaggregated and clearly described, and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial reporting
framework.
Relevant test – check the total employee benefits expense is analysed in the notes to the
financial statements under separate headings– ie wages and salaries, pension costs,
social security contributions and taxes, etc.
Assertions about account balances and related disclosures at
the period end
• (i) Existence – assets, liabilities and equity interests exist.
• Relevant tests – physical verification of non–current assets,
circularization of receivables, payables and the bank letter.
• (ii) Rights and obligations – the entity holds or controls the
rights to assets, and liabilities are the obligations of the entity.
• Relevant tests – in the case of property, deeds of title can be
checked. Current assets are often checked to purchase
invoices although these are primarily used to confirm cost.
Long term liabilities such as loans can be checked to the
relevant loan agreement.
• (iii) Completeness – all assets, liabilities and equity
interests that should have been recorded have been
recorded and all related disclosures that should have been
included in the financial statements have been included.
• Relevant tests – A review of the repairs and expenditure
account can sometimes identify items that should have
been capitalized and have been omitted from non–current
assets. Reconciliation of payables ledger balances to
suppliers’ statements is primarily designed to confirm
completeness although it also gives assurance about
existence.
• (iv) Accuracy, valuation and allocation – assets,
liabilities and equity interests have been included in
the financial statements at appropriate amounts and
any resulting valuation or allocation adjustments
have been appropriately recorded and related
disclosures have been appropriately measured and
described.
• Relevant tests – Vouching the cost of assets to
purchase invoices and checking depreciation rates
and calculations.
• (v) Classification – assets, liabilities and equity interests have been
recorded in the proper accounts.
• Relevant tests – the test for transactions of checking purchase invoice
postings to the appropriate accounts in the nominal ledger will be
relevant again. 

• (vi) Presentation – assets, liabilities and equity interests re appropriately

aggregated or disaggregated and clearly described, and related
disclosures are relevant and understandable in the context of the
requirements of the applicable financial reporting framework.
• Relevant tests – auditors often use disclosure checklists to ensure that
financial statement presentation complies with accounting standards and
relevant legislation. These cover all items (transactions, assets, liabilities
and equity interests) and would include for example checking that
 disclosures relating to non–current assets include cost, additions,
disposals, depreciation, etc.
 Linking assertions to tests
• When the auditor designs further audit procedures they must ensure that
they test a range of the assertions listed. For transactions (i.e. incomes
and expenses recorded in the income statement) the auditor should test:
occurrence; completeness; accuracy; cut-off; and classification
• For accounts balances (i.e. those balances recorded on the statement of
financial position) the auditor should test:
existence; rights and obligations; completeness; and valuation and
allocation.
• Whilst the testing of accounts balances and transactions will probably be
the focus of the audit, the auditor must also design tests to ensure that
transactions, balances and other relevant information/matters are
appropriately disclosed in the financial statements. Assertions relevant to
the disclosures are:
occurrence; rights and obligations; completeness; classification and
understandability; and accuracy and valuation.
 Audit Evidence
• Audit evidence is all the information used by the auditor in
arriving at the conclusions on which the audit opinion is
based, and
• includes the information contained in the accounting records
underlying the financial statements and other information.
• The following concepts of audit evidence are important to
understanding the conduct of the audit:
 The nature of audit evidence.
 The sufficiency and appropriateness of audit evidence.
 The evaluation of audit evidence.
• Third standard of field work:
– The auditor must obtain sufficient appropriate audit
evidence by performing audit procedures to perform a
reasonable basis for an opinion regarding the financial
statements under audit

• Sufficient audit evidence

– The quantity of audit evidence that must be obtained
• To be appropriate audit evidence must be:
– Relevant
– Reliable
• Principles—Audit evidence is ordinarily more reliable when it
is
– Obtained from knowledgeable independent sources outside the
company rather than nonindependent sources
– Generated internally through a system of effective controls rather than
ineffective controls.
– Obtained directly by the auditor rather than indirectly or by inference
– Documentary in form rather than oral
– Provided by original documents rather than copies
 Reliability of Certain Types of
Audit Evidence

RELIABILITY TYPE EXAMPLE

High Physical Inventory Observation

Documentary
External Cutoff Bank Statement
External/Internal Purchase Invoice
Internal Sales Invoice

Low Client Representations Management Representation

Letter
 Types of Audit Evidence
Type Example
Accounting Information System The accounting records and support
for transactions and journal entries

Documentary evidence Checks, invoices, contracts, minutes

of meetings.

Third-party representations Confirmations, lawyer’s letters,

specialist’s reports

Physical evidence Examination of asset

Computations Footing, recalculations
Data interrelationships Analytical procedures
Client representations Representation letter
 Overall Types of Audit Procedures
• Risk assessment procedures
– To obtain an understanding of the client and its
environment, including its internal control, to assess
the risks of material misstatement
• Further Audit Procedures
– Tests of controls
– When appropriate, to test the operating effectiveness of controls in
preventing material misstatements
– Substantive procedures
– To detect material misstatements at relevant assertion level.
Substantive procedures include (a) analytical procedures, (b) tests of
details of account balances, transactions and disclosures
 Substantive Procedures
• Analytical procedures
• Tests of details
• Tests of account balances
• Tests of classes of transactions
• Tests of disclosures
– One may change the scope of audit procedures by
changing the (NTE, or re-ordered as NET):
• Nature (type and form)
• Timing (when performed)
• Extent (quantity of evidence obtained)
 Nature and Timing of Procedures
Holding the extent of procedures constant, one
may increase the scope of procedures (make
them more effective) by either changing the
– Nature-- obtain more reliable evidence
• often externally generated evidence.
– Timing--wait until year-end to obtain evidence from entire
set of transactions as contrasted to performing interim
testing, say two months prior to year-end and simply
updating those procedures.
 Extent of Procedures
Holding other factors such as the nature and
timing of procedures constant:
– The greater the risk of material misstatement, the
greater the needed extent of substantive
procedures
– The main way to increase the extent of audit
procedures is to examine more items
– Sample sizes should reduce detection risk so as to
restrict audit risk to a low level
 Analytical Procedures (1 of 2)
• Steps involved
– Develop expectation of account (or ratio) balance
– Determine amount of difference that can be accepted without
investigation
– Compare the company’s account (ratio) with the expectation
– Investigate and evaluate significant differences
• Developing an expectation
– Prior period information
– Anticipated results
– Relationships among elements of financial information within a period
– Industry information
– Relationships between financial information and relevant nonfinancial
data.
 Analytical Procedures (2 of 2)
• Types of Expectations
– Trend analysis—analyze changes in accounts of a company
over time
– Ratio analysis – compare relationships between two or
more financial statement accounts or comparisons of
account balances to nonfinancial data
• Liquidity (e.g., current ratio)
• Leverage (e.g., debt to equity)
• Profitability (e.g., gross profit percentage)
• Activity (e.g., inventory turnover)
 Ratio Analysis
• Approaches to ratio analysis
– Horizontal analysis
• Review ratios over time
– Cross sectional analysis
• Analyze ratios of similar firms at a point in time
– Vertical analysis
• Analyze relationships within a period
• “Common size” statements prepared
– Other methods
• Regression analysis, reasonableness test
In conducting audit procedures, the auditor examines various types of
audit evidence. Evidence is commonly categorized into the following
types:
• Inspection of records or documents
• Inspection of tangible assets
• Observation
• Inquiry
• Confirmation
• Recalculation
• Reperformance
• Analytical procedures
• Scanning
• Level of Reliability Type of Evidence
High
 Inspection of tangible assets
 Reperformance
 Recalculation
Medium
 Inspection of records and documents
 Scanning
 Confirmation
 Analytical procedures
Low
 Inquiry
 Observation
Sufficient and appropriate audit evidence

• Sufficiency is the measure of the quantity of

audit evidence.
• Appropriateness is a measure of the quality of
audit evidence.
• Sufficiency and appropriateness of audit
evidence are interrelated. The auditor must
consider both concepts when assessing risks
and designing audit procedures
• The quantity of audit evidence needed is affected by
the risk of misstatement and by the quality of the
audit evidence gathered.
• Thus, the greater the risk of misstatement, the more
audit evidence is likely to be required to meet the
audit test.
• And the higher the quality of the evidence, the less
evidence that may be required to meet the audit test.
Accordingly, there is an inverse relationship between
the sufficiency and appropriateness of audit evidence.
• Evidence is considered appropriate when it provides
information that is both relevant and reliable.
• Relevance : The appropriateness of evidence
depends on its relevance to the assertion being
tested.
• Reliability The reliability or validity of evidence
refers to whether a particular type of evidence can
be relied upon to signal the true state of an
assertion.
 Audit documentation
• Audit documentation consists of the record of audit
procedures performed, relevant audit evidence
obtained, and conclusions the auditor reached
• Audit documentation also facilitates the planning,
performance, and supervision of the engagement
and provides the basis for the review of the quality
of the work by providing the reviewer with written
documentation of the evidence supporting the
auditor’s significant conclusions
• Audit documentation is also referred to as
working papers or the audit file.
• have two functions:
(1) to provide principal support for the
representation in the auditor’s report that the
audit was conducted in accordance with GAAS
and
(2) to aid in the planning, performance, and
supervision of the audit
Sufficiency of Audit Documentation

• Audit documentation should be sufficient to:

– Enable an experienced auditor to understand the work
performed and the significant conclusions reached
– Identify who performed and reviewed the work
– Show that the accounting agree or reconcile to the
financial statements
• Audit documentation should include all significant
audit findings and the actions taken to address
them
 Business risk and materiality

• The complexities of modern day businesses

and accounting practices have necessitated
the consideration of business risks during the
course of the audit.
• Business risks are the factors that could
prevent or hinder the achievement of
organizational goals and objectives
• Difference between Audit Risk and Business Risk
• Business risks facing an organization can be wide-ranging and diverse. The
ultimate business risk any organization faces is the risk that it seizes to be a 
going concern. Business risks therefore comprise any factors that may
contribute towards business failure.
• Examples of business risks include:
• Loss of customers
• Increase in production costs
• Cash flow problems
• Decline in product demand
• Litigations and claims
• Technological obsolescence
• Increase in market competition Decrease in profitability Political and
economic instability Over trading Inadequate financing High financial risk Risk
of fraud and theft
• Audit risk is the risk that the auditor expresses an
inappropriate audit opinion on the financial
statements. Audit risk therefore includes any factors
that may cause a material misstatement or omission
in the financial statements. Whereas business risks
relate to the organization and its stakeholders, audit
risk relates specifically to an auditor. Although audit
risks and business risks are dissimilar in nature, it is
often the case that identification of significant
business risks lead to the detection of audit risks
 Importance of considering business risks in
audit planning
• In view of the high profile accounting scandals in recent times, the role
and responsibilities of auditors has been questioned. In the particular
instance of Enron, the company auditors, Arthur Anderson, were alleged
to have lacked sufficient understanding of the business, risks and
exposures of the Company which ultimately caused them to overlook the
effects of Enron's aggressive accounting practices. It is in view of such
scandals that the adoption of a top down approach in auditing has been
emphasized where the auditor proceeds by gaining an understanding of
the entity, its environment, significant business risks and how these risks
might translate into audit risks. ISA 315 requires auditors to obtain an
understanding of the entity and its environment in order to assess the
risks of material misstatement of financial statements. This reinforces the
importance of obtaining a bird's eye view of the entity's business and
significant business risks by the auditor at the audit planning stage
 Types of Audit test
There are three general types of audit tests
• Risk assessment procedures.
• Tests of controls.
• Substantive procedures
 Risk assessment procedures.
• Auditor risk assessment procedures are used
to obtain an understanding of the entity and
its environment, including its internal control.
• Risk assessment procedures include inquiries
of management and others, analytical
procedures, and observation and inspection.
Such procedures are used to assess the risks of
material misstatement at the financial
statement and assertion levels.
 Tests of controls
Tests of controls are audit procedures performed to test
the operating effectiveness of controls in preventing
or detecting material misstatements at the relevant
assertion level. The following audit procedures are
examples of tests of controls:
• Inquiries of appropriate management, supervisory,
and staff personnel.
• Inspection of documents, reports, and electronic files.
• Observation of the application of specific controls.
• Walkthroughs, which involve tracing a
transaction from its origination to its inclusion
in the financial statements through a
combination of audit procedures including
inquiry, observation, and inspection.
• Reperformance of the application of the
control by the auditor.
 Substantive procedures
• Substantive procedures detect material
misstatements (that is, monetary errors) in a
transaction class, account balance, and
disclosure component of the financial
statements. There are two categories of
substantive procedures:
(1) tests of details of classes of transactions,
account balances, and disclosures and
(2) Substantive analytical procedures.
• Substantive tests of transactions test for errors
or fraud in individual transactions.
• Tests of details of account balances and
disclosures focus on the items that are
contained in the financial statement account
balances and disclosures