RISK ASSESMENT

PERFORMANCE OF RISK ASSESSMENT PROCEDURES TO IDENTIFY/ASSESS

RISK OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE
ENTITY
OVERVIEW OF PHASE 1-C

• PSA 315 deals with the auditor’s responsibility to identify and assess the risk
of material misstatements in the financial statements, through
understanding of the entity and its environment, including its internal
control:
• Risk assessment procedures and sources of information about the entity and its
environment, including its internal control
• Understanding the entity and its environment, including its internal control
• Assessing the risks of material misstatement.
• Material weakness in internal control
• Documentation
 RISK ASSESSMENT PROCEDURES AND SOURCES OF
INFORMATION ABOUT THE ENTITY AND ITS ENVIRONMENT,
INCLUDING ITS INTERNAL CONTROL

• Obtaining an understanding of the entity and its environment,

including its internal control, is a continuous, dynamic process of
gathering, updating and analyzing information throughout the audit.
• As described in PSA 500, audit procedures to obtain an
understanding are referred to as “risk assessment procedures”
because some of the information obtained by performing such
procedures may be used by the auditor as audit evidence to
support assessments of the risks of material misstatement.
 RISK ASSESSMENT PROCEDURES AND SOURCES OF
INFORMATION ABOUT THE ENTITY AND ITS ENVIRONMENT,
INCLUDING ITS INTERNAL CONTROL

• In addition, in performing risk assessment procedures, the auditor may

obtain audit evidence about classes of transactions, account balances,
or disclosures and related assertions and about the operating
effectiveness of controls, even though such audit procedures were not
specifically planned as substantive procedures or as tests of controls.
• The auditor also may choose to perform substantive procedures or
tests of controls concurrently with risk assessment procedures
because it is efficient to do so.
RISK ASSESSMENT PROCEDURES

• The auditor shall perform risk assessment

procedures to provide a basis for the
identification and assessment of risks of
material misstatement at the financial
statement and assertion levels.
 RISK ASSESSMENT PROCEDURES

• The risk assessment procedures shall include the following: (IIOA)

• Inquires of management and others within the entity that is likely to assist the auditor in
identifying risk of material misstatement due to fraud or error
• Analytical procedures.
• Observation and Inspection

• Note: The auditor is not required to perform all the risk assessment
procedures described above for each aspect of the understanding described
in SLIDE 15 AND 16. However, all the risk assessment procedures are
performed by the auditor in the course of obtaining the required
understanding.
 RISK ASSESSMENT PROCEDURES - INQUIRY

• Much of the information the auditor obtains by inquiries can

be obtained from management and those responsible for
financial reporting.
• Inquiries of others within the entity, such as production and
internal audit personnel, and other employees with different
levels of authority, may be useful in providing the auditor with a
different perspective in identifying risks of material misstatement.
 RISK ASSESSMENT PROCEDURES - INQUIRY

• The following example of inquiries are useful in identifying risks of material

misstatement
• Inquiries directed towards those charged with governance may help the
auditor understand the environment in which the financial statements are prepared.
• Inquiries directed toward internal audit personnel may relate to their activities
concerning the design and effectiveness of the entity’s internal control and whether
management has satisfactorily responded to any findings from these activities.
• Inquiries of employees involved in initiating, processing or recording
complex or unusual transactions may help the auditor in evaluating the
appropriateness of the selection and application of certain accounting policies.
 RISKS ASSESMENT - INQUIRY

• Inquiries directed toward in-house legal counsel may relate to

such matters as litigation, compliance with laws and regulations,
knowledge of fraud or suspected fraud affecting the entity, warranties,
post-sales obligations, arrangements (such as joint ventures) with
business partners and the meaning of contract terms.
• Inquiries directed towards marketing or sales personnel may
relate to changes in the entity’s marketing strategies, sales trends, or
contractual arrangements with its customers.
 RISK ASSESSMENT – ANALYTICAL
PROCEDURES
• Analytical procedures may be helpful in identifying the existence of unusual
transactions or events, and amounts, ratios, and trends that might
indicate matters that have financial statement and audit implications.
• In performing analytical procedures as risk assessment procedures, the auditor
develops expectations about plausible relationships that are reasonably
expected to exist.
• When comparison of those expectations with recorded amounts or ratios
developed from recorded amounts yields unusual or unexpected relationships,
the auditor considers those results in identifying risks of material misstatement.
 RISK ASSESSMENT – ANALYTICAL
PROCEDURES
• Analytical procedures involve:
• Analysis of significant ratios and trends or the study of plausible
relationships among both financial and non-financial data
• Investigation of fluctuations and relationships that are inconsistent
with other relevant information or deviate significantly from predicted
amounts by:
• Inquiries of management
• Corroboration of management responses, and
• Applying other appropriate audit procedures
RISK ASSESSMENT – ANALYTICAL
PROCEDURES
RISK ASSESSMENT – ANALYTICAL
PROCEDURES
ANALYTICAL PROCEDURES IN PLANNING STAGE
• To enhance the auditor’s understanding of the
entity’s business and transactions
• To identify areas that may represent specific risks
(such as unusual transactions and events or
abnormal/significant fluctuations in amounts, ratios, or
trends) that the auditor may need to investigate further
RISK ASSESSMENT – ANALYTICAL
PROCEDURES
ANALYTICAL PROCEDURES IN SUBSTANTIVE STAGE
• To obtain audit evidence to confirm individual account balances

ANALYTICAL PROCEDURES IN REVIEW OR COMPLETION STAGE

• To identify a previously unrecognized risk of material misstatement
(unusual fluctuations that were not identified in the planning and
testing phases of the audit)
• To confirm conclusions reached with respect to the fairness of the
financial statements
 RISK ASSESSMENT PROCEDURES –
OBSERVATION AND INSPECTION
• Observation and inspection may support inquiries of management and
others, and also provide information about the entity and its environment.
• Observation of entity activities and operations.
• Inspection of documents (such as business plans and strategies), records, and
internal control manuals.
• Reading reports prepared by management (such as quarterly management reports
and interim financial statements) and those charged with governance (such as
minutes of board of directors’ meetings).
• Visits to the entity’s premises and plant facilities.
• Tracing transactions through the information system relevant to financial reporting
(walk-throughs).
RISK ASSESSMENT PROCEDURES

• Note: When the auditor intends to use

information about the entity and its
environment obtained in prior periods, the
auditor should determine whether changes have
occurred that may affect the relevance of such
information in the current audit
 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
INCLUDING ITS INTERNAL CONTROL

• In understanding the entity and its environment, the auditor shall

obtain an understanding of the following:
• Relevant industry, regulatory, and other external factors including the applicable
financial reporting framework.
• The nature of the entity (to enable the auditor to understand the classes
of transactions, account balances, and disclosures to be expected in
the financial statements. )
• (i) Its operations;
• (ii) Its ownership and governance structures;
• (iii) The types of investments that the entity is making and plans to make; and
(iv) The way that the entity is structured and how it is financed
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
INCLUDING ITS INTERNAL CONTROL

• The entity’s selection and application of accounting

policies, including the reasons for changes thereto.
• The entity’s objectives and strategies, and those related
business risks that may result in risks of material
misstatement.
• The measurement and review of the entity’s financial
performance.
INDUSTRY, REGULATORY AND OTHER EXTERNAL FACTORS,
INCLUDING THE APPLICABLE FINANCIAL REPORTING
FRAMEWORK

• The auditor should obtain an understanding of relevant industry, regulatory,

and other external factors including the applicable financial reporting
framework.
• These factors include:
• industry conditions such as the competitive environment, supplier and customer
relationships, and technological developments;
• the regulatory environment encompassing, among other matters, the applicable
financial reporting framework, the legal and political environment, and
environmental requirements affecting the industry and the entity;
• and other external factors such as general economic conditions.
RELEVANT INDUSTRY’S FACTORS

• Industry conditions
• competitive environment
• supplier and customer relationships
• technological developments

• Market and competition (including demand, capacity, and price competition)

• Cyclical or seasonal activity
• Product technology relating to the entity’s products
• Energy supply and cost
 REGULATORY FACTORS

• Accounting principles and industry specific practices

• Regulatory framework for a regulated industry
• Laws/legislations or regulations that significantly affect the entity’s
operations, including direct supervisory activities
• Taxation
• Legal and political environment
• Government policies currently affecting the conduct of the entity’s business
• Environmental requirements affecting the industry and the entity
OTHER EXTERNAL FACTORS AFFECTING THE
ENTITY
• general economic conditions
• interest rates and availability of financing,
• inflation or currency revaluation
 INDUSTRY, REGULATORY AND OTHER EXTERNAL FACTORS,
INCLUDING THE APPLICABLE FINANCIAL REPORTING
FRAMEWORK

• Legislative and regulatory requirements often determine the

applicable financial reporting framework to be used by management
in preparing the entity’s financial statements.
• In most cases, the applicable financial reporting framework will be
that of the jurisdiction in which the entity is registered or operates
and the auditor is based, and the auditor and the entity will have a
common understanding of that framework.
INDUSTRY, REGULATORY AND OTHER EXTERNAL FACTORS,
INCLUDING THE APPLICABLE FINANCIAL REPORTING
FRAMEWORK

• The auditor considers whether local regulations specify

certain financial reporting requirements for the industry
in which the entity operates, since the financial
statements may be materially misstated in the context
of the applicable financial reporting framework if
management fails to prepare the financial statements in
accordance with such regulations. (e.g. RR No. 15-2010)
 NATURE OF THE ENTITY

• The auditor should obtain an understanding of the nature of the entity.

• The nature of an entity refers to the
• entity’s operations,
• its ownership and governance,
• the types of investments that it is making and plans to make,
• the way that the entity is structured and how it is financed.

• An understanding of the nature of an entity enables the auditor to

understand the classes of transactions, account balances, and disclosures
to be expected in the financial statements.
NATURE OF THE ENTITY

• An understanding of an entity enables the auditor to

understand such matters as:
• Whether the entity has a complex structure, for
example with subsidiaries or other components in multiple
locations. Complex structures often introduce issues that
may give rise to risks of material misstatement. Such issues
may include whether goodwill, joint ventures, investments,
or special-purpose entities are accounted for appropriately.
NATURE OF THE ENTITY

• An understanding of an entity enables the auditor to understand such

matters as:

• The ownership, and relations between

owners and other people or entities. This
understanding assists in determining whether
related party transactions have been identified
and accounted for appropriately.
NATURE OF THE ENTITY

• Business operations –
• Nature of revenue sources, products or services, and markets, including
involvement in electronic commerce such as Internet sales and marketing
activities.
• Conduct of operations (for example, stages and methods of production, or
activities exposed to environmental risks).
• Alliances, joint ventures, and outsourcing activities.
• Geographic dispersion and industry segmentation.
• Location of production facilities, warehouses, and offices, and location and
quantities of inventories.
NATURE OF THE ENTITY

• Business operations –
• Key customers and important suppliers of goods and services,
employment arrangements (including the existence of union
contracts, pension and other post employment benefits, stock
option or incentive bonus arrangements, and government
regulation related to employment matters).
• Research and development activities and expenditures.
• Transactions with related parties.
NATURE OF THE ENTITY

• Investments and investment activities

• Planned or recently executed acquisitions or divestitures.
• Investments and dispositions of securities and loans.
• Capital investment activities.
• Investments in non-consolidated entities, including partnerships, joint
ventures and special-purpose entities.
NATURE OF THE ENTITY

• Financing and financing activities

• Major subsidiaries and associated entities, including consolidated and
nonconsolidated structures.
• Debt structure and related terms, including off-balance-sheet financing
arrangements and leasing arrangements.
• Beneficial owners (local, foreign, business reputation and experience) and
related parties.
• Use of derivative financial instruments.
NATURE OF THE ENTITY

• Financial reporting – such as:

• Accounting principles and industry specific practices, including industry
specific significant categories (for example, loans and investments for
banks, or research and development for pharmaceuticals).
• Revenue recognition practices.
• Accounting for fair values.
• Foreign currency assets, liabilities and transactions.
• Accounting for unusual or complex transactions including those in
controversial or emerging areas (for example, accounting for stock-based
compensation).
THE ENTITY’S SELECTION AND APPLICATION OF ACCOUNTING
POLICIES, INCLUDING THE REASONS FOR CHANGES THERETO.

• The auditor should obtain an understanding of the entity’s selection and

application of accounting policies and consider whether they are
appropriate for its business and consistent with the applicable
financial reporting framework and accounting polices used in the relevant
industry.
• The understanding encompasses
• the methods the entity uses to account for significant and unusual transactions;
• the effect of significant accounting policies in controversial or emerging areas for
which there is a lack of authoritative guidance or consensus;
• changes in the entity’s accounting policies.
OBJECTIVES AND STRATEGIES AND RELATED
BUSINESS RISKS
• The auditor should obtain an understanding of the entity’s objectives and strategies,
and the related business risks that may result in material misstatement of the
financial statements.
• Objectives are the overall plans for the entity.
• Strategies are the operational approaches by which management intends to
achieve its objectives.
• Business risks result from significant conditions, events, circumstances, actions or
inactions that could adversely affect the entity’s ability to achieve its objectives and
execute its strategies, or through the setting of inappropriate objectives and
strategies.
OBJECTIVES AND STRATEGIES AND RELATED
BUSINESS RISKS
• Business risk is broader than the risk of material misstatement of the
financial statements
• Business risk particularly may arise from change or complexity, though a
failure to recognize the need for change may also give rise to risk.
• An understanding of business risks increases the likelihood of identifying
risks of material misstatement.
• Note: Most business risks will eventually have financial consequences and,
therefore, an effect on the financial statements. However, not all business
risks give rise to risks of material misstatement
OBJECTIVES AND STRATEGIES AND RELATED
BUSINESS RISKS

• Business risk may arise, for example, from:

• The development of new products or services that may
fail;
• A market which, even if successfully developed, is
inadequate to support a product or service; or
• Flaws in a product or service that may result in liabilities
and reputational risk.
 OBJECTIVES AND STRATEGIES AND RELATED
BUSINESS RISKS
• Examples of matters that the auditor may consider when obtaining an
understanding of the entity’s objectives, strategies and related business
risks that may result in a risk of material misstatement of the financial
statements include:
• Industry developments (a potential related business risk might be, for example,
that the entity does not have the personnel or expertise to deal with the
changes in the industry).
• New products and services (a potential related business risk might be, for example,
that there is increased product liability).
• Expansion of the business (a potential related business risk might be, for example,
that the demand has not been accurately estimated).
 OBJECTIVES AND STRATEGIES AND RELATED
BUSINESS RISKS
• New accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation, or increased costs).
• Regulatory requirements (a potential related business risk might be, for example, that there
is increased legal exposure).
• Current and prospective financing requirements (a potential related business risk might be,
for example, the loss of financing due to the entity’s inability to meet
requirements).
• Use of IT (a potential related business risk might be, for example, that systems and
processes are incompatible).
• The effects of implementing a strategy, particularly any effects that will lead to new
accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation).
MEASUREMENT AND REVIEW OF THE
ENTITY’S FINANCIAL PERFORMANCE
• The auditor should obtain an understanding of the measurement
and review of the entity’s financial performance.
• Performance measures, whether external or internal, create pressures on
the entity that, in turn, may motivate management to take action to
improve the business performance or to misstate the financial statements.
• Obtaining an understanding of the entity’s performance measures assists the
auditor in considering whether such pressures result in management
actions that may have increased the risks of material misstatement.
MEASUREMENT AND REVIEW OF THE
ENTITY’S FINANCIAL PERFORMANCE

• The measurement and review of financial performance

is not the same as the monitoring of controls:
• The measurement and review of performance is directed at
whether business performance is meeting the objectives set
by management (or third parties).
• Monitoring of controls is specifically concerned with the
effective operation of internal control.
 MEASUREMENT AND REVIEW OF THE
ENTITY’S FINANCIAL PERFORMANCE
• Examples of internally-generated information used by management for
measuring and reviewing financial performance, and which the auditor may
consider, include: •
• Key performance indicators (financial and non-financial) and key ratios, trends and
operating statistics.
• Period-on-period financial performance analyses.
• Budgets, forecasts, variance analyses, segment information and divisional,
departmental or other level performance reports.
• Employee performance measures and incentive compensation policies.
• Comparisons of an entity’s performance with that of competitors.
 MEASUREMENT AND REVIEW OF THE
ENTITY’S FINANCIAL PERFORMANCE
• Internal measures may highlight unexpected results or trends requiring management
to determine their cause and take corrective action (including, in some cases, the
detection and correction of misstatements on a timely basis).
• Performance measures may also indicate to the auditor that risks of misstatement of
related financial statement information do exist.
• For example, performance measures may indicate that the entity has unusually
rapid growth or profitability when compared to that of other entities in the same
industry. Such information, particularly if combined with other factors such as
performance-based bonus or incentive remuneration, may indicate the potential risk
of management bias in the preparation of the financial statements.
UNDERSTANDING THE ENTITY’S INTERNAL
CONTROL
• Internal control is the process designed and effected by
those charged with governance, management, and
other personnel to provide reasonable assurance about
• the achievement of the entity’s objectives with regard to
reliability of financial reporting,
• effectiveness and efficiency of operations and
• compliance with applicable laws and regulations.
UNDERSTANDING THE ENTITY’S INTERNAL
CONTROL
• Internal control, consists of the following components:
• (a) The control environment.
• (b) The entity’s risk assessment process.
• (c) The information system, including the related business processes,
relevant to financial reporting, and communication.
• (d) Control activities.
• (e) Monitoring of controls.
UNDERSTANDING THE ENTITY’S INTERNAL
CONTROL
• The auditor should obtain an understanding of internal
control relevant to the audit.
• The auditor uses the understanding of internal control to
• identify types of potential misstatements,
• consider factors that affect the risks of material misstatement,
• and design the nature, timing, and extent of further audit
procedures.
IDENTIFYING AND ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• The auditor shall identify and assess the risks of material misstatement
at:
• (a) The financial statement level;
• (b) The assertion level

• Risks of material misstatement at the financial statement level refer to

risks that relate pervasively to the financial statements as a whole and
potentially affect many assertions.
• Risks of material misstatement at the assertion level for classes of
transactions, account balances, and disclosures
IDENTIFYING AND ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• The auditor
• Identifies risks throughout the process of obtaining an understanding of the entity
and its environment, including relevant controls that relate to the risks, and by
considering the classes of transactions, account balances, and disclosures in the
financial statements;
• Relate the identified risks to what can go wrong at the assertion level, taking account
of relevant controls;
• Considers whether the risks are of a magnitude that could result in a material
misstatement of the financial statements; and
• Considers the likelihood that the risks could result in a material misstatement of the
financial statements.
IDENTIFYING AND ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• As part of the risk assessment, the auditor shall determine
whether any of the risks identified are, in the auditor’s
judgment, a significant risk. In exercising this judgment, the
auditor shall exclude the effects of identified controls related
to the risk.
• In exercising judgment as to which risks are significant risks,
the auditor shall consider at least the following (See next
slide)
IDENTIFYING AND ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• (a) Whether the risk is a risk of fraud;
• (b) Whether the risk is related to recent significant economic, accounting or other
developments and, therefore, requires specific attention;
• (c) The complexity of transactions;
• (d) Whether the risk involves significant transactions with related parties;
• (e) The degree of subjectivity in the measurement of financial information related to the
risk, especially those measurements involving a wide range of measurement uncertainty;
and
• (f) Whether the risk involves significant transactions that are outside the normal course of
business for the entity, or that otherwise appear to be unusual.
IDENTIFYING AND ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• Significant risks often relate to significant non-routine transactions or
judgmental matters.
• Non-routine transactions are transactions that are unusual, due to either
size or nature, and that therefore occur infrequently.
• Judgmental matters may include the development of accounting estimates
for which there is significant measurement uncertainty.

• Note: Routine, noncomplex transactions that are subject to systematic

processing are less likely to give rise to significant risks.
IDENTIFYING AND ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• Risks of material misstatement may be greater for significant non-
routine transactions arising from matters such as the following:
• Greater management intervention to specify the accounting treatment.
• Greater manual intervention for data collection and processing.
• Complex calculations or accounting principles.
• The nature of non-routine transactions, which may make it difficult for the
entity to implement effective controls over the risks.
IDENTIFYING AND ASSESSING THE RISKS OF
MATERIAL MISSTATEMENT
• Risks of material misstatement may be greater for significant
judgmental matters that require the development of accounting
estimates, arising from matters such as the following:
• Accounting principles for accounting estimates or revenue recognition may
be subject to differing interpretation.
• Required judgment may be subjective or complex, or require assumptions
about the effects of future events, for example, judgment about fair value.
MATERIAL WEAKNESS IN INTERNAL CONTROL

• The auditor shall evaluate whether, on the basis of the audit work
performed, the auditor has identified a material weakness in the
design, implementation or maintenance of internal control.
• The auditor shall communicate material weaknesses in internal control
identified during the audit on a timely basis to management at an
appropriate level of responsibility, and, as required by PSA 260
(Revised), “Communication with Those Charged with Governance,”
DOCUMENTATION

• The auditor should document:

• The discussion among the engagement team regarding the susceptibility of the entity’s
financial statements to material misstatement due to error or fraud, and the significant
decisions reached;
• Key elements of the understanding obtained regarding each of the aspects of the entity
and its environment, including each of the internal control components, to assess the
risks of material misstatement of the financial statements; the sources of information
from which the understanding was obtained; and the risk assessment procedures;
• The identified and assessed risks of material misstatement at the financial statement
level and at the assertion level
• The risks identified and related controls evaluated