Risk-Based Audit Approach
Risk-Based Audit Approach
LIMITATIONS:
1. Inherent Risk
2. Treat risks as independent and separate
3. Professional Judgment
4. Inaccuracy
THE RISK - BASED AUDIT PROCESS
Phase I. Risk Assessment: This phase involves the following activities:
a. Performance of preliminary engagement activities to decide whether to accept / continue an audit
engagement.
b. Planning the audit to develop an overall audit strategy and audit plan. –
c. Performance of risk assessment procedures to identify / assess risk of, material misstatement through
understanding the entity.
Phase II. Risk Response This phase covers the following activities:
a. Designing overall responses and further audit procedures to develop appropriate responses to the
assessed risk of material misstatement.
b. Implementing responses to assessed risk of material misstatement to reduce audit risk to an acceptably
low level.
THE RISK - BASED AUDIT PROCESS
Phase III. Reporting : This phase involves the following activities:
a. Evaluating the audit evidence obtained to determine what additional audit work (if any) is required.
b. Forming an opinion based on audit findings and preparing the auditor's report.
Nature of Risk
Risk is a concept used to express uncertainty about events and/or their outcomes that
could have a material effect on the organization.
b. Evaluate compliance with ethical requirements, including independence as required by PSA 220.
c. Establish an understanding of the terms of engagement as required by PSA 210, "Agreeing the Terms of
Audit Engagements
PSA 220 (Redrafted) (Effective for audits of financial statements for
periods beginning on or after December 15, 2009)
The firm has an obligation to establish and maintain a system of quality control to provide it with
reasonable assurance that:
(a) The firm and its personnel comply with professional standards and regulatory and legal requirements;
and
(b) The reports issued by the firm or engagement partners are appropriate in the circumstances
PSA 220 (Redrafted) (Effective for audits of financial statements for
periods beginning on or after December 15, 2009)
Engagement partner – The partner or other person in the firm who is responsible for the audit
engagement and its performance, and for the auditor’s report that is issued on behalf of the firm, and
who, where required, has the appropriate authority from a professional, legal or regulatory body.
Engagement team – All partners and staff performing the engagement, and any individuals engaged by
the firm or a network firm who perform audit procedures on the engagement. This excludes an
auditor’s external expert engaged by the firm or a network firm.
PHASE I-A: PERFORMANCE OF PRELIMINARY
ENGAGEMENT ACTIVITIES
a. Perform procedures required by PSA 220, "Quality Control of an Audit of Financial Statements" regarding
the continuance of the client relationship and the specific audit engagement.
• The integrity of the principal owners, key management and those charged with governance of the
entity;
• Whether the engagement team is competent to perform the audit engagement and has the necessary
capabilities, including time and resources;
• Whether the firm and the engagement team can comply with relevant ethical requirements; and
• Significant matters that have arisen during the current or previous audit engagement, and their
implications for continuing the relationship.
PHASE I-A: PERFORMANCE OF PRELIMINARY
ENGAGEMENT ACTIVITIES
b. Evaluate compliance with ethical requirements, including independence as required by PSA 220.
The engagement partner shall form a conclusion on compliance with independence requirements that
apply to the audit engagement. In doing so, the engagement partner shall:
(a) Obtain relevant information from the firm and, where applicable, network firms, to identify and
evaluate circumstances and relationships that create threats to independence;
(b) Evaluate information on identified breaches, if any, of the firm’s independence policies and
procedures to determine whether they create a threat to independence for the audit engagement;
and
(c) Take appropriate action to eliminate such threats or reduce them to an acceptable level by applying
safeguards, or, if considered appropriate, to withdraw from the audit engagement, where withdrawal
is permitted by law or regulation. The engagement partner shall promptly report to the firm any
inability to resolve the matter for appropriate action.
PSA 220 (Redrafted) (Effective for audits of financial statements for
periods beginning on or after December 15, 2009)
(Effective for audits of financial statements for periods beginning on or after December 15, 2022)
Philippine Standard on Auditing 210 (Redrafted)
AGREEING THE TERMS OF AUDIT
ENGAGEMENTS
(a) Establishing whether the preconditions for an audit are present; and
(i) For the preparation of the financial statements in accordance with the
applicable financial reporting framework, including where relevant
their fair presentation; (Ref: Para. A15)
(a) If the auditor has determined that the financial reporting framework to
be applied in the preparation of the financial statements is unacceptable,
except as provided in paragraph 19; or
(b) If the agreement referred to in paragraph 6(b) has not been obtained
If the auditor has determined that the financial reporting framework prescribed by law or regulation
would be unacceptable but for the fact that it is prescribed by law or regulation, the auditor shall
accept the audit engagement only if the following conditions are present:
(a) Management agrees to provide additional disclosures in the financial statements required to avoid
the financial statements being misleading; and
(i) The auditor’s report on the financial statements will incorporate an Emphasis of Matter
paragraph, drawing users’ attention to the additional disclosures, in accordance with PSA 706 (Revised
and Redrafted);and
(ii) Unless the auditor is required by law or regulation to express the auditor’s opinion on the
financial statements by using the phrases “present fairly, in all material respects” in accordance with
the applicable financial reporting framework, the auditor’s opinion on the financial statements will not
include such phrases.
Subject to paragraph 11, the agreed terms of the audit engagement shall be
recorded in an audit engagement letter or other suitable form of written
agreement and shall include:
(a) The objective and scope of the audit of the financial statements;
(b) The responsibilities of the auditor;
(c) The responsibilities of management;
(d) Identification of the applicable financial reporting framework for the
preparation of the financial statements; and
(e) Reference to the expected form and content of any reports to be issued
by the auditor and a statement that there may be circumstances in which a
report may differ from its expected form and content
Recurring Audits
• Any indication that the entity misunderstands the objective and scope of the audit.
• Any revised or special terms of the audit engagement.
• A recent change of senior management.
• A significant change in ownership.
• A significant change in nature or size of the entity’s business.
• A change in legal or regulatory requirements.
• A change in the financial reporting framework adopted in the preparation of the financial
statements.
• A change in other reporting requirements.
PHILIPPINE STANDARD ON AUDITING 300 (REDRAFTED)
PLANNING AN AUDIT OF FINANCIAL STATEMENTS
(Effective for audits of financial statements for periods beginning
on or after December 15, 2009)
Objective
The objective of the auditor is to plan the audit so that it
will be performed in an effective manner.
Planning Activities
6. The auditor shall establish an overall audit
strategy that
>sets the scope, timing and direction of the audit,
and
>that guides the development of the audit plan.
In establishing the overall audit strategy, the auditor shall:
(a) Identify the characteristics of the engagement that define its scope;
(b) Ascertain the reporting objectives of the engagement to plan the timing
of the audit and the nature of the communications required;
(c) Consider the factors that, in the auditor’s professional judgment, are
significant in directing the engagement team’s efforts;
(d) Consider the results of preliminary engagement activities and, where
applicable, whether knowledge gained on other engagements performed by
the engagement partner for the entity is relevant; and
(e) Ascertain the nature, timing and extent of resources necessary to
perform the engagement.
In establishing the overall audit strategy, the auditor shall:
(a) Identify the characteristics of the engagement that define its
scope;
Characteristics of the Engagement
• The financial reporting framework on which the financial information to be audited
has been prepared, including any need for reconciliations to another financial
reporting framework.
• Industry-specific reporting requirements such as reports mandated by industry
regulators.
• The expected audit coverage, including the number and locations of components
to be included.
• The nature of the control relationships between a parent and its components that
determine how the group is to be consolidated.
In establishing the overall audit strategy, the auditor shall:
(b) The nature, timing and extent of planned further audit procedures
at the assertion level, as determined under PSA 330, “The Auditor’s
Responses to Assessed Risks.”
(c) Other planned audit procedures that are required to be carried out
so that the engagement complies with PSAs.
Documentation
11. The auditor shall document:
(c) Any significant changes made during the audit engagement to the
overall audit strategy or the audit plan, and the reasons for such
changes. (Ref: Para. A17-A20)
Additional Considerations in Initial Audit Engagements
12. The auditor shall undertake the following activities prior to starting
an initial audit:
(a) Whether, and to what extent, to use specific work of the internal
auditors;
And
(b) If so, whether such work is adequate for the purposes of the audit.
Determining Whether and to What Extent to Use the Work of the
Internal Auditors
8. The external auditor shall determine:
(b) If so, the planned effect of the work of the internal auditors on the
nature, timing or extent of the external auditor’s procedures.
In determining whether the work of the internal auditors is likely to be
adequate for purposes of the audit, the external auditor shall evaluate:
The auditor has sole responsibility for the audit opinion expressed,
and that responsibility is not reduced by the auditor’s use of the work
of an auditor’s expert.
(b) Evaluate the adequacy of that work for the auditor’s purposes.
11. The auditor shall agree, in writing when appropriate, on the following
matters with the auditor’s expert: (Ref: Para. A23-A26)
(a) The nature, scope and objectives of that expert’s work; (Ref: Para.
A27)
(b) The respective roles and responsibilities of the auditor and that
expert; (Ref: Para. A28-A29)
(c) The nature, timing and extent of communication between the auditor
and that
expert, including the form of any report to be provided by that expert;
and (Ref: Para. A30)
(c) If that expert’s work involves the use of source data that is
significant to that expert’s work, the relevance, completeness, and
accuracy of that source data. (Ref: Para. A38-A39)
13. If the auditor determines that the work of the auditor’s expert is
not adequate for the auditor’s purposes, the auditor shall: (Ref:
Para. A40)
(a) Agree with that expert on the nature and extent of further work
to be performed by that expert; or
(c) The entity’s selection and application of accounting policies, including the
reasons for changes thereto.
(d) The entity’s objectives and strategies, and those related business risks that
may result in risks of material misstatement.
The entity’s management or those charged with governance define objectives, which
are the overall plans for the entity. Strategies are the approaches by which management intends
to achieve its objectives. The entity’s objectives and strategies may change over time.
An understanding of the business risks facing the entity increases the likelihood of identifying risks of
material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect
on the financial statements.
(e) The measurement and review of the entity’s financial performance. (Ref:
Para. A32-A37)
Management and others will measure and review those things they regard as important. Performance
measures, whether external or internal, create pressures on the entity. These pressures, in turn, may
motivate management to take action to improve the business performance or to misstate the financial
statements.
The Entity and Its Environment
11. The auditor shall obtain an understanding of the following:
(a)Relevant industry, regulatory, and other external factors including the applicable financial
reporting framework. (Ref: Para. A15-A20)
Relevant industry factors include industry conditions such as the competitive environment,
supplier and customer relationships, and technological developments.
The regulatory environment encompasses, among other matters, the applicable financial
reporting framework and the legal and political environment.
Examples of other external factors affecting the entity that the auditor may consider include
the general economic conditions, interest rates and availability of financing, and inflation or
currency revaluation.
The Entity and Its Environment
(b) The nature of the entity, including:
(i) Its operations;
(ii) Its ownership and governance structures;
(iii) The types of investments that the entity is making and plans to make; and
(iv) The way that the entity is structured and how it is financed, to enable the auditor to understand the
classes of transactions, account balances, and disclosures to be expected in the financial statements. (Ref:
Para. A21- A23)
Examples of matters that the auditor may consider when obtaining an understanding of the nature of the
entity include:
• Business operations – such as: ○ Nature of revenue sources, products or services, and markets, including
involvement in electronic commerce such as Internet sales and marketing activities.
Investments and investment activities – such as: ○ Planned or recently executed acquisitions or
divestitures. ○ Investments and dispositions of securities and loans.
Financial reporting – such as: ○ Accounting principles and industry specific practices, including industry
specific significant categories (for example, loans and investments for banks, or research and development
for pharmaceuticals). ○ Revenue recognition practices
Risk assessment procedures – The audit procedures
performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to
identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement
and assertion levels.
The risk assessment procedures shall include the following:
Steps involved
Develop expectation of account (or ratio) balance
Determine amount of difference that can be accepted without
investigation
Compare the company’s account (ratio) with the expectation
Investigate and evaluate significant differences
General on Analytical Procedures
2/3
Developing an expectation
Prior period information
Anticipated results
Relationships among elements of financial information within a
period
Industry information
Relationships between financial information and relevant
nonfinancial data
General on Analytical Procedures
3/3
Types of Expectations
Trendanalysis—analyze changes in accounts of a
company over time
Ratioanalysis — compare relationships between two or
more financial statement accounts or comparisons of
account balances to nonfinancial data
Liquidity (e.g., current ratio)
Leverage (e.g., debt to equity)
Profitability (e.g., gross profit percentage)
Activity (e.g., inventory turnover)
Identifying and Assessing the Risks of Material Misstatement
24. The auditor shall identify and assess the risks of material
misstatement at:
(a) Assertions about classes of transactions and events for the period under audit:
(i) Occurrence—transactions and events that have been recorded have occurred and
pertain to the entity.
(ii) Completeness—all transactions and events that should have been recorded have
been recorded.
(iii) Accuracy—amounts and other data relating to recorded transactions and events
have been recorded appropriately.
(iv) Cutoff—transactions and events have been recorded in the correct accounting
period.
(v) Classification—transactions and events have been recorded in the proper accounts.
Assertions – Representations by management, explicit or otherwise, that are
embodied in the financial statements, as used by the auditor to consider the
different types of potential misstatements that may occur.
©McGraw-Hill Education.
Audit Risk
©McGraw-Hill Education.
Assertions with High Inherent Risk
Involve:
Difficult-to-audit transactions or balances
Complex calculations
Difficult accounting issues
Significant judgment by management
Valuations that vary significantly based on economic factors
©McGraw-Hill Education.
Types of Transactions
Routine
Recurring financial statement activities recorded in the
accounting records in the normal course of business
Lower inherent risk
Nonroutine
Involve activities that occur only periodically such as the
taking of physical inventories
High inherent risk
Estimation transactions
Activities that create accounting estimates
Higher inherent risk
©McGraw-Hill Education.
The Risk of Material Misstatement (Inherent Risk and Control Risk)
The risk that the auditors will fail to detect a material misstatement that
exists in a relevant assertion.
(a) Identify risks throughout the process of obtaining an understanding of the entity
and its environment
(b) Assess the identified risks, and evaluate whether they relate more pervasively to
the financial statements as a whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking
account of relevant controls that the auditor intends to test; and