Audit & Assurance

Class Synopsis - 05

Prepared by: Abdullah-Al-Mamun, FCA

Risk Assessment

Business Risk

Business risk is the risk inherent to the company in its operations. It includes risks at all
levels of the business. ISA 315 defines business risk as a ‘risk resulting from significant
conditions, events, circumstances, actions or inactions that could adversely affect an
entity’s ability to achieve its objectives and execute its strategies, or from the setting of
inappropriate objectives and strategies. There are three general categories of business
risk:

 Financial risks are the risks arising from the financial activities or financial
consequences of an operation, for example, cash flow issues or overtrading.

 Operational risks are the risks arising with regard to operations, for example, the
risk that a major supplier will be lost and the company will be unable to operate.

 Compliance risks is the risk that arises from non-compliance with laws and
regulations that surround the business, for example, a restaurant failing to comply
with food hygiene regulations might face fines, enforced closure, legal action
from customers and so on.

Directors are required to manage business risks.

Auditors are interested in business risk because issues which pose threats to the business
may in some cases also be a risk of the financial statements being misstated. For
example, if a particular division of a business was threatened with closure, the valuation of
all the assets associated with that division would be affected. In more general terms, if an
economic downturn puts pressure on a company to meet the expectations of providers of
finance, management might be tempted to manipulate the financial statements.

Audit Risk

The risk that the auditors give an inappropriate opinion on the financial statements. There are
three components of audit risk:

 Inherent Risk
 Control Risk
 Detection Risk

1
Inherent Risk

Inherent risk is the susceptibility of an assertion to misstatement that could be material,

individually or when aggregated with other misstatements, assuming there were no
related internal controls.

Inherent risk can be analyzed on a number of levels which are covered in turn below:

 At industry of sector level

Different industries have different levels of inherent risk.

For Garments Industry:

The nature of the industry contributes to high inherent risk, as clothes and
accessories do not stay in fashion and year-end inventory provisions may be
inadequate.

 At entity level

At entity level there will also be different levels of inherent risk.

For two similar clients A and B, if one of the companies was:

 A takeover target
 Up to its overdraft limit
 Had a major supplier or customer in difficulties

It would clearly be more inherently risky than the other.

 At balance level

Different balances can also carry different inherent risks.

The inventory at a jewellers, for example might be considered higher risk than the
same company’s non-current assets, consisting of shopfittings, office equipment
and hopefully, some rather impressive safes and security equipment.

The auditors must use their professional judgment and all available knowledge to assess
inherent risk. If no such information or knowledge is available, then the inherent risk is high.

Control Risk

Control risk is the risk that a misstatement that could occur in an assertion and that could be
material, individually or when aggregated with other misstatements, will not be prevented
or detected and corrected on a timely basis by the entity’s internal control systems.

2
So the key questions are:

 What is management doing to stop things going wrong?

 If measures have been taken, are they effective?

Control risk will be lower where effective control measures are taken. However, there will
always be control risk due to the limitations of internal controls:

 Cost> benefit
 Routine/ non-routine transactions
 Human error
 Management override
 Circumvention by collusion
 Changes in procedures

Detection Risk

Detection risk is the risk that an auditor’s procedures will not detect a misstatement that
exists in an assertion that could be material, individually or when aggregated with other
misstatements.

It is up to the auditor to organize the way the engagement is handled, so that the risk of
material misstatement is reduced to acceptable levels.

This will include:

 Ensuring the audit team (including the engagement partner) has the necessary mix
and depth of experience and skills.

 Devising an audit plan which tackles the audit risks

The audit approach is the way in which the auditor assembles sufficient audit evidence
to build up a satisfactory level of audit confidence, and which can come from tests of
controls, analytical procedures and test of details.

Because the auditor cannot check every transaction, audit work is carried out on a test
basis. The auditor will select a sample.

The possibility that the opinions we form, perfectly validity, from the results of our sample,
are different from those we would have formed if we had been able to examine the whole
population is called sampling risk.

Non-sampling risk is the possibility of coming to the whole conclusion about the financial
statements for any other reason, for example:

 Lack of understanding of the nature of our client’s business

 Use of invalid sampling techniques
 Failure to investigate a particular class of assets, liabilities or transactions

3
Assessing the Risks of Material Misstatements

The best way to learn the skill of identifying and assessing risk of misstatement is to practice
doing it in exam questions. We will cover it during solving cases relating to this chapter.

Significant Risks

A significant risk is a risk of material misstatement that, in the auditor’s judgement, requires
special audit consideration.

These are usually items that are unusual or one-offs. Some risks may be significant risks,
which require special audit consideration. ISA 315 sets out the following factors which indicate
that a risk might be a significant risk:

 Risk of fraud
 Related to recent significant economic, accounting or other development
 The complexity of transactions
 It is a significant transaction with a related party
 The degree of subjectivity in the financial information
 It is an unusual transaction

If the auditor has determined that a significant risk exists, the auditor shall obtain an
understanding of the entity’s controls, including control activities, relevant to that
risk.

Documentation

ISAs 315 and 330 contain a number of requirements about documentation. The following
matters should be documented:

 The discussion among the audit team concerning the susceptibility of the financial
statements to material misstatements, including any significant decisions
reached.
 Key elements of the understanding gained of the entity including the elements of the
entity and its control specified in the ISA as mandatory, the sources of the
information gained and the risk assessment procedures carried out.
 The identified and assessed risks of material misstatements.
 Significant risks identified and related controls evaluated.
 The overall responses to address the risks of material misstatements.
 Nature, extent and timing of further audit procedures linked to the assessed risks
at the assertion level.
 If the auditors have relied on evidence about the effectiveness of controls from
previous audits, conclusions about how this is appropriate.