
Lecture 5

The document outlines key concepts in risk assessment, audit planning, and documentation, emphasizing the importance of professional skepticism and understanding engagement risks. It details the components of audit risk, including inherent, control, and detection risks, and discusses the significance of planning and documentation in the audit process. Additionally, it highlights the need for auditors to understand the entity's business environment and the role of materiality in assessing audit risks.

Uploaded by

Gustav Ohene-Asa

Lecture 5

Risk assessment, Audit planning and documentation

Prepared by
Mr. Gustav Ohene-Asa, CA

Lecture Outcome
• Identify and describe the need to plan and perform audits with an attitude of
professional scepticism.
• Identify and describe engagement risks affecting the audit of an entity.
• Explain the components of audit risk.
• Compare and contrast risk based, procedural and other approaches to audit work.
• Describe the use of information technology in risk analysis.
• Identify how auditors obtain an initial understanding of the entity and knowledge
of its business environment.
• Understand the concepts of materiality and tolerable error.
• Discuss the effect of fraud and misstatements on the audit strategy and extent of
audit work.
• Explain the nature and purpose of analytical procedures in planning.
• Identify and explain the need for planning an audit.
• Identify and describe the contents of the overall audit strategy and audit plan.
• Explain the difference between interim and final audit.
• Explain the need for and the importance of audit documentation.
• Describe and prepare working papers and supporting documentation.
• Explain the procedures to ensure safe custody and retention of working papers

ISA 200: Overall objective of the independent auditor
• Under ISA 200 Objective and General Principles Governing an Audit
of Financial Statements, the auditor should plan and perform the
audit to reduce audit risk to an acceptably low level.
• ISA 200 s3: the purpose of an audit is to enhance the degree of
confidence of intended users of the FS. This is achieved by the
expression of an opinion by the auditor on whether the FS are
prepared, in all material respects, in accordance with an
applicable financial reporting framework.
• Audit risk is the 'risk that the auditor expresses an
inappropriate audit opinion when the financial statements
are materially misstated'.

Professional skepticism
The auditor should plan and perform an audit with an
attitude of professional scepticism recognising that
circumstances may exist that cause the financial statements
to be materially misstated.
This requires:
• Critical assessment, with a questioning mind, of the validity of evidence obtained
• Alertness to contradictory evidence
• Neither the assumption that management is dishonest nor the assumption of
unquestioned honesty.

Audit Risk Model

Audit risk = Inherent Risk × Control Risk × Detection Risk

• Which is represented by:
• AR = IR × CR × DR

Inherent risk and control risk together form the 'risk of material misstatement'.

Let’s look at the case of ‘Enron and Arthur Andersen’
Arthur Andersen gave the wrong opinion that the FS of Enron were true and fair while
they were not. Today there is no more Arthur Andersen.

Inherent Risk: the risk of material errors in the FS due to the nature of the business
and its transactions. It is the risk posed by an error or omission in a financial statement
due to a factor other than a failure of control. In a financial audit, inherent risk is most
likely to occur when transactions are complex, or in situations that require a high
degree of judgment in regard to financial estimates. This type of risk represents a
worst-case scenario because all controls have failed. Inherent risk can also be defined
as a category of threat that describes potential losses or pitfalls that exist before
internal (security) controls or mitigating factors are implemented.

Control Risk: This is the risk that a misstatement that could occur in an assertion and that
could be material, either individually or when aggregated with other misstatements,
will not be prevented, or detected and corrected, on a timely basis by the entity's
internal control. Control risk is a function of the effectiveness of the design and
operation of internal control in achieving the entity’s objectives relevant to preparation
of the entity’s financial statements. Some control risk will always exist because of the
inherent limitations of internal control.

Examples of inherent risk, or factors that increase inherent risk

• Changes in industry
• High degree of regulation
• New product or service
• New locations
• Complex transactions
• Pending litigation
• Increasing interest rate
• Changing exchange rate
• New IT systems
• Change in key management personnel
• Inflation

Examples of control risk
• Improper segregation of duties
• Improper upper-level management review
• Lack of personnel with accounting qualifications
• Inadequate training to perform function
• Double payment of invoices

Detection Risk: This is the risk that the auditor's procedures will not
detect a misstatement that exists in an assertion that could be material
either individually or when aggregated with other misstatements.
Detection risk is a function of the effectiveness of an audit procedure
and of its application by the auditor. It is primarily the consequence of
the fact that the auditor does not, and cannot, examine all available
evidence (sampling risk).
Simply put, the auditor won’t spot a material misstatement that exists.

Detection risk is made up of two components:

• Sampling risk, e.g. incorrect sampling technique and incorrect
sample sizes
• Non-sampling risk, e.g. inadequate planning, inappropriate staff and
failing to apply professional skepticism

Understanding the entity and its business environment
• ISA 315 Understanding the Entity and its
Environment and Assessing the Risks of Material
Misstatement
• Perform audit procedures to understand the entity
and its environment
• Assess the risk of material misstatement at the
financial statement and assertion level
The above can be done using the following techniques:
i. Inquiries of management, and of others who are
relevant
ii. Analytical procedures
iii. Observation and investigation

Assessing risk process
The process will include these steps, but they are not exhaustive:
• Identifying risks by considering the entity and its environment,
including its internal control
• Relating the identified risks to what can go wrong at the
assertion level
• Considering the significance and likelihood of the risks
• Establishing materiality and evaluating whether the original
level set remains appropriate as the audit progresses
• Developing expectations for use when performing analytical
procedures
• Designing and performing further audit procedures to reduce
audit risk to an acceptably low level
• Evaluating the sufficiency and appropriateness of audit
evidence

• Risk assessment includes both an assessment of:
• Business risk resulting from the entity's objectives and
strategies that may result in material misstatement of the
financial statements
• Audit risk and its component parts
Business risk
Business risks 'result from significant conditions, events,
circumstances or actions that could adversely affect the entity's
ability to achieve its objectives and execute its strategies, or
through the setting of inappropriate objectives and strategies'
[ISA 315].
• It is usually split into financial risk, operational risk and
compliance risk

Business Risk vs. Audit Risk
Example 1 of real business situation
• ‘The travel agents are given a 90-day credit period to pay Ama
& co. However, due to difficulty in trading conditions, a number
of receivables are struggling to pay’.
• Problem: this will result in liquidity risk. Ama & co. should
consider employing a debt factoring company to help them
recover the outstanding balances.
• This, however, is not a strategy lecture or class but an audit
class, so this risk should be looked at from the FS perspective,
that is, how it will lead to a misstatement of the FS. In relating it to the
FS, the audit risk is that receivables may be overstated. The audit team
should plan to extend post-year-end cash receipts testing and
carefully review the ageing of receivables to assess valuation.

• Example 2: Purchase orders for overseas paints are made six
months in advance and goods can be in transit for up to two months.
An order was made in June 2014. The company’s year ends
on 31st December 2014.
• The business risk here is that, as there is a long period of time
between ordering and delivery, there is a risk of stock running out,
which will result in losses.
• Management control or strategy: the company should establish
a predetermined order level system to reduce the risk of stock-outs.
• Again, how does this affect the financial statements?
• As only goods that have been received in the warehouse
should be included in inventory, there is a risk that cut-off of
purchases and inventory may not be accurate.
• The audit team should plan to perform detailed cut-off testing
on goods received prior to the year end and post year end.

Sample exam question
• Explain the components of audit risk and, for
each component, state an example of a factor
which can result in increased audit risk

• ISA 300 (revised) Planning an audit of
financial statements sets out the basic
reasoning for audit planning: the auditor
should plan the audit work so that the
audit will be performed in an effective
manner.
‘Audit Planning' entails developing a general
strategy and a detailed approach for the
expected nature, timing and extent of the
audit.
The auditor plans to perform the audit in an
efficient and timely manner.

Why do we have to plan our audit?
• Ensuring that appropriate attention is devoted to
important areas of the audit
• Ensuring that potential problems are identified
• Ensuring that the work is completed expeditiously
• Proper assignment of work to assistants
• Coordination of work done by other auditors and experts;
and
• Facilitating review.

Factors to consider when planning
• Size of the entity
• Complexity of the audit
• Auditor’s experience with the entity
• Knowledge of the business
• Commercial environment
• Method of processing transactions
• Reporting requirements
• Materiality level

Sources of information
The auditors can obtain knowledge of the industry and
the entity from a number of sources, for example.
• Previous experience with the entity and its industry
• Discussion with people within the entity (for example
the junior and senior managers)
• Discussion with internal audit personnel and review
of internal audit reports
• Discussion with auditors (including predecessor
auditors) and with legal and other advisors who have
provided services for the entity or within the industry
• Discussion with knowledgeable people outside the
entity (for example industry economists, industry
regulators, customers, suppliers, competitors)
• Publications related to the industry (from government,
banks and securities dealers, financial newspapers,
etc.)
• Legislation and regulations that significantly affect
the entity
• Visit to the entity’s premises and plant facilities
• Documents produced by the entity (for example
minutes of meetings, materials sent to shareholders,
promotional literature, prior years' annual and
financial reports, budgets, management reports,
interim financial reports, management policies,
accounts, job descriptions, marketing and sales plans)
• Industry-specific guidance
Audit documentation/working papers
• ISA 230: (revised) Documentation states that the auditor
should document matters which are important in providing
audit evidence to support the auditor's opinion and evidence
that the audit was carried out in accordance with ISAs.
Working papers:
• Assist in the planning and performance of the audit
• Assist in the supervision and review of audit work
• Enable the audit team to be accountable for its work
• Retain a record of matters of continuing significance to future
audits; and
• Enable quality control reviews to be performed

Materiality
An error is material if it is important enough for those reading the
Financial Statements to care that it is wrong.
There are 2 types of materiality:
● QUANTITATIVE (Material by size)
● QUALITATIVE (Material by nature).

Types of documentation
There are two types of audit files
• Permanent file
(information of continuing importance)
• Current file
(information of relevance to current year's
audit)

Permanent file
Documents that can be found on the PF:
• Engagement letters
• Legal documents such as prospectuses, leases, sales
agreements
• Details of the history of the client's business
• Previous years' signed accounts, analytical review and
management letters
• Accounting systems notes, previous years' control
questionnaires
• An Organisation Chart showing who the key employees
are at the company.
• An Organization Chart of account

Current file
Documents that can be found on the CF:
• Financial statements
• Accounts checklists
• A summary of unadjusted errors
• Review notes
• Audit planning memorandum
• Time budgets and summaries
• Letter of representation
• Management letter
• Notes of board minutes
• Communications with third parties
• A lead schedule including details of the figures to
be included in the accounts
• Problems encountered and conclusions drawn
• Audit programmes
• Analytical review
• Details of substantive tests and tests of control

Content of working paper
• the precise content of working papers will depend on the
nature of the work being performed and the size and
complexity of the client.

However, all working papers should have:
• The name of the person who prepared it
• The date it was prepared
• The name of the person who reviewed it
• The date it was reviewed
• The name of the client
• The accounting year end
• A file reference, and cross-referencing to other pages in the file
• Some explanation of the aim of the work that was done, how it was
done
• The conclusions of the work
• If a sample was selected, which items were tested and how the sample
was chosen.
Standardized working papers

Custody and retention of working papers

Audit firms should establish policies and procedures
designed to maintain the confidentiality, safe custody,
integrity, accessibility and retrievability of
documentation, for example:
• Passwords to restrict access to electronic
documentation to authorized users
• Back-up routines
• Confidential storage of hard copy documentation.
• Local laws will determine retention periods.
They are unlikely to be shorter than five years. In
Ghana it is 6 years.

Sample exam question
• Audit risk is a combination of the risk that the financial statements
being audited may contain material errors and that these errors
may not be detected by the auditor's testing procedures. Risk can
be categorised as 'low, medium or high' and is evaluated during
the planning stage of an audit. The auditor should devote
attention to the critical areas of the financial statements by
considering and evaluating materiality and risks specific to the
company. Materiality limits should be set at the planning stage of
the audit to act as a guideline for deciding whether adjustment
should be made to the financial statements.
• Required
• (a) Briefly describe what you understand by the terms 'inherent
risk', 'control risk', 'detection risk' and 'audit risk'.
• (b) List eight factors which the auditor would bear in mind when
assessing the audit risk of a company. You should set out your
answer under the headings 'inherent risk' and 'control risk'.
• (c) Define and explain the Risk Equation, describing how it should
be used in audit planning.
• (d) Discuss the considerations which would determine whether an
item is material in relation to financial statements.
• (e) Discuss the validity of the statement that “materiality limits
should be set at the planning stage of the audit and should be
rigidly adhered to throughout the audit”.
