
SESSION 09 UNDERSTANDING THE ENTITY, AUDIT RISK AND ENGAGEMENT RISK

OVERVIEW
Objective

To describe how the auditor, through understanding the entity and controls, aims to
minimise audit risk.

UNDERSTANDING THE ENTITY: ISA 315; Methods; Team discussions; Sources of knowledge; Using the knowledge

NEW AND CONTINUING AUDITS: Matters to consider; Information needs; Objectives, strategies, business risks; Accounting policies; Updating existing clients

ANALYTICAL PROCEDURES: Planning stage; Ratio analysis; Expectations and performance measures; Information needs

INTERNAL CONTROL: Understanding; Methods; Management monitoring; Impact on audit; Reporting weaknesses

AUDIT RISK: Concept; Relationship to business risk; Assessing risk of material misstatement; Basic principles; Inherent risk; Control risk; Detection risk; Significant risk; Documentation

AUDIT MATERIALITY: Session 10

FRAUD & ERROR: Session 11

ENGAGEMENT RISK: Basic concept; Client business risk; Audit risk; Auditor's business risk; Engagement risk process

UNDERSTANDING THE ENTITY, ITS ENVIRONMENT AND CONTROLS

1.1 ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment

ISA 315 requires the auditor to identify risks arising from the entity and its
environment, including relevant controls, by:

understanding the entity, its environment and controls; and

considering the impact on transactions (e.g. sales, expenses), account balances (e.g.
non-current assets, payables) and disclosures (e.g. related party transactions) in the
financial statements.

Relate the risks that have been identified to what can go wrong:

at the assertion level (e.g. occurrence, completeness, accuracy, cut-off, and classification of transactions and events); and

at the overall financial statement level (e.g. where many assertions are impacted
thus risk is pervasive throughout the financial statements); and

Consider whether the risks are of the type and magnitude that could result in a material
misstatement of the financial statements.

Consider the likelihood that the risks could result in a material misstatement of the
financial statements.

Understand internal control by considering the design and implementation of relevant internal controls to assess the potential risk of material misstatements.

Plan, design and perform appropriate audit procedures in response to those identified
risks.

In other words:

understand the business, its environment and controls to establish what could go
wrong (in that the financial statements contain a material error); then

identify the ways in which material errors could arise and devise a work
programme to test to see if they have (ISA 330 and ISA 500).

1.2 Methods

Obtaining an understanding of the entity and its environment, including its internal
control, is a continuous, dynamic process of gathering, updating and analyzing
information throughout the audit.

To obtain the necessary level of understanding, auditors must, for example:


make inquiries of management and others within the entity (e.g. business
objectives, governance, production, marketing, internal audit, key employees);

carry out analytical procedures (e.g. on internally and externally generated information);

observe (e.g. activities and operations) and inspect (e.g. business plans, strategies,
internal audit risk assessments, records, procedure manuals, premises and plant);

read reports prepared by management (e.g. monthly management accounts) and those charged with governance (e.g. board minutes);

review external sources of information and benchmark against similar companies in the same activity; and

carry out other procedures (e.g. visit premises and facilities, walk through systems
relevant to financial reporting, review external sources of information).

Prior year information (e.g. organisational structures, control environment, management attitude and actions to control breaches) can be used as long as it is up to date (i.e. check and update as required).

Information obtained from client acceptance procedures and other client engagements
(e.g. review of interim financial statements) may also be relevant in obtaining an
understanding of the entity.

1.2.1 Use of information systems

Much of the information obtained will be used within a series of (expert systems)
business templates to assess and understand potential weaknesses that could result in
material financial statement errors (as well as providing added value business
assessments to the client).

Information systems will also be used, for example:

to store and categorise the data held on each client and provide quick access
through key word searches;

to search external databases (e.g. newspapers, trade, regulators) based on key words
(e.g. entity name, industry name, competitor names, product names) to find data
relevant to the understanding of the entity's business.

1.3 Audit team discussions


Discussions should be held (at least) amongst the (senior and key members of the)
engagement team about the susceptibility of the financial statements to material
misstatement, including fraud risk (see Session 11). By holding such discussions:

the more experienced engagement team members brief other members and share
their knowledge and audit experience of the entity (the engagement partner must
be involved at least with the highest levels of the briefing process);

team members exchange information about the business risks to which the entity is
subject and about how and where the financial statements might be susceptible to
material misstatement;


members of the engagement team obtain a better understanding of the potential for
material misstatements of the financial statements resulting from fraud or error in
the specific areas assigned to them; and

understand how the results of the audit procedures that they perform may affect
other aspects of the audit including the decisions about the nature, timing, and
extent of further audit procedures.

The discussion should also emphasise the need to:

address the application of the applicable financial reporting framework to the entity's facts and circumstances;

maintain professional scepticism throughout the engagement;

be alert for information or other conditions that indicate that a material misstatement due to fraud or error may have occurred; and

be rigorous in following up on such indications.

Such discussions must always be documented along with the decisions made and the
impact on the audit approach.

Team members not involved in the discussions must nonetheless be informed of the
outcome and specific impact on areas relevant to their responsibilities. This would
usually be achieved through the use of a client planning memorandum (detailing, for
example, the audit strategy, work programme, areas of risk) and verbal briefing by the
team supervisor/manager prior to commencing each audit section.

All team members must have sufficient understanding of the entity to enable them to
perform the work delegated to them and understand how it fits in, and overlaps, with
the rest of the audit.

1.4 Sources of knowledge

Example 1
Suggest examples of the sources which provide background knowledge.

Client    Auditor    External

1.5 Using the knowledge

To establish a framework within which the audit is planned and professional judgment
exercised in assessing risks of material misstatement and responding to those risks
throughout the audit.

Meaning:

To assess various components of audit and business risk and to develop the audit
strategy and audit plan.

To determine materiality levels and judge if they remain appropriate as the audit
progresses (see Session 10).

Developing expectations for use when performing analytical procedures.

Identifying areas where special audit consideration may be necessary, for example,
related party transactions, the appropriateness of management's use of the going
concern assumption, or considering the business purpose of transactions.

Designing and performing further audit procedures to reduce audit risk to an acceptably low level.

To evaluate the sufficiency and appropriateness of audit evidence (see Session 15)
including, for example, management representations (see Session 20).

To recognize conflicting information, unusual circumstances and effectively apply professional scepticism.

To make informed enquiries and assess the reasonableness of responses.

To appraise the appropriateness of the selection and application of accounting policies and the adequacy of financial statement disclosures.

To provide a better service to clients and be responsive to their needs.


NEW AND CONTINUING AUDITS

2.1 Matters to consider

BEFORE ACCEPTING APPOINTMENT:

Capability and resources

Independence

Problems e.g. professional reasons (enquiry letter).

AFTER ACCEPTING APPOINTMENT:

Obtain a more detailed understanding of the entity and its environment sufficient to plan an effective and efficient audit

(See Session 5.)

2.2 Information needs

ISA 315 requires the auditor to obtain an understanding of the:

nature of the entity, its operations, ownership, governance, investments, structure and financing;

relevant industry, regulatory, and other external factors including the applicable
financial reporting framework;

entity's selection and application of accounting policies and changes;

entity's objectives and strategies; and

the measurement and review of the entity's financial performance.

Example 2
For a new client suggest, under the following headings, what information you
will require to enable you to obtain a sufficient understanding of the entity and
its environment under ISA 315.


Solution
GENERAL ECONOMIC

INDUSTRY

MANAGEMENT AND OWNERSHIP

BUSINESS

FINANCIAL PERFORMANCE

REPORTING ENVIRONMENT


2.3 Objectives, strategies and related business risks

All of the above elements will be taken into account by the entity when setting its
objectives and strategies. As the environment within which the entity operates changes (as it
will), so the objectives and strategies for achieving those objectives must change. If the
entity fails to change, its business will be at risk: business risk through failure to
change (see Session 8).

Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity's ability to achieve its objectives and
execute its strategies, or through the setting of inappropriate objectives and strategies.

In addition to the examples given within Session 8, further examples of business risks to
be managed in relation to objectives and strategies include:

Industry developments (e.g. that the entity does not have the personnel or expertise
to deal with changes or increased complexity in the industry, or does not recognise
the need for change).

New products and services (e.g. that there is increased product liability or that the
product may fail).

Expansion of the business (e.g. that the demand has not been accurately estimated,
the market incorrectly analysed).

New accounting requirements (e.g. incomplete or improper implementation of a new IFRS, or increased costs).

Regulatory requirements (e.g. that there is increased legal exposure).

Current and prospective financing requirements (e.g. the loss of financing due to
the entity's inability to meet requirements).

Use of IT (e.g. the loss of e-commerce facilities due to a failure within the system).

2.4 Selection and application of accounting policies

The auditor needs to understand how the entity selects and applies accounting policies,
e.g. are they appropriate for the business and consistent with the financial reporting
framework and accounting policies used in the relevant industry? An incorrect or
aggressive application relates to a financial statement risk.

Of particular risk will be:

the methods the entity uses to account for significant and unusual transactions;

the effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus;

the way changes in accounting policies are dealt with; and

the impact of reporting standards (e.g. IFRS), laws and regulations that are new to
the entity, which must be understood.


For example, where the IFRS is new (i.e. not an update), is the application appropriate
and have the implementation requirements/disclosures been applied? Where the IFRS is a revised
standard, have the transition provisions (or IAS 8 where appropriate) been correctly
applied and appropriate disclosures made?

Also note:

Basic, core IFRS are already in issue. New IFRS will more than likely relate to
complex issues with the financial statement risk of inappropriate application.

First time application of IFRS under IFRS 1 must be considered high risk as the
entity will have little experience of IFRS application. The experience of the UK
indicates that it may take up to three issues of IFRS statements (i.e. three years) for
entities to iron out the complications of switching from local GAAP to IFRS.

2.5 Updating existing clients

In the case of entities audited in prior years, historic key information required for
planning will be available in the working papers (WPs) and other files (e.g. computer
knowledge bases).

But as entities are adaptive and dynamic and operate in a dynamic environment, the
auditor must consider events, transactions and practices that will have changed during
the financial year.

Basically, where were we; what has changed within the business and its environment to
change the nature of risks; where are we now.

Where changes are identified, their impact on the entity, its business and financial
reporting environment must be understood (e.g. when and how the entity dealt with
such changes).

Changes that will impact the business in a future financial period cannot be ignored.
What business risk is there to the entity arising from these changes? Does that risk
impact the current financial statements? For example, future changes in regulations
may create a going concern risk.

Reasons for changes in the selection of, or method of applying, accounting policies must
be ascertained. Any change must be appropriate and consistent with the requirements
(including disclosure) of the applicable financial reporting framework (e.g. IAS 8
Accounting Policies, Changes in Accounting Estimates and Errors).

Example 3
For an existing client, what changes will need to be documented to ensure a
complete understanding of the entity and its environment?


Solution

Internal

External

ANALYTICAL PROCEDURES AND PERFORMANCE MEASUREMENT (ISA 520 ANALYTICAL PROCEDURES)

3.1 At the planning stage

Meaning:

The analysis of significant ratios and trends including the resulting investigation of fluctuations and relationships that are inconsistent with other relevant information or which deviate from predictable amounts.

Purpose:

To assist in understanding business

To identify areas of potential risk e.g. financial condition

To plan nature, timing and extent of other audit procedures

Based on:

Interim financial information

Budgets/forecasts and management accounts

Draft financial statements

Discussions with client

Understanding the entity and its environment.

3.2 Ratio analysis

Considering one set of ratios for the current year may not, by itself, be sufficient.
Comparison should be made with at least the prior year equivalent ratios, if not at least
a three to five year trend.

For example:

The deterioration of short-term and/or long-term financial ratios potentially increases the risk of the entity not being a going concern.

An increase in receivable days may, for example, indicate credit control risk and a
potential increase in bad and doubtful debts.

A decrease in gross profit % may indicate, for example, inventory shrinkage, poor
cut-off procedures or an increase in competition (such that prices were reduced or
increased costs unable to be passed onto the customer).

3.3 Expectations and performance measures

By understanding the entity, its environment and performance measures, and in performing analytical procedures at the planning stage (as risk assessment procedures), expectations are noted about plausible relationships that are reasonably expected to
exist.

When such expectations are not founded (e.g. with recorded amounts, ratios developed
from recorded amounts or audit test results not meeting original expectations) the audit
plan is reviewed in identifying risks of material misstatement.

Performance measures may be internal or external (e.g. meeting budgets, cash flows,
reported profit forecasts, share price targets). Professional scepticism must apply
when, for example, the auditor is aware of the potential for pressure to be placed upon
management to meet expected performance measures.

For example, following discussions with management over the course of the year, a
review of the management accounts and an understanding of the business environment
in which the entity operates, the auditor is expecting the results of the entity to be
lower than the previous year. Instead, not only is turnover up, but gross profit % has
also improved.

This would place the auditor on guard that the financial statements may contain
material errors. If combined with other known factors (e.g. performance-based
incentive remunerations such as bonuses or share options) the risk of management
manipulation through profit smoothing, inappropriate revenue recognition or deferral
of expenses, is higher.


INTERNAL CONTROL

The process designed and effected by those charged with governance, management, and
other personnel, to provide reasonable assurance about the achievement of the entity's
objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations.

Internal control is designed and implemented to address identified business risks that
threaten the achievement of any of these objectives.

Five components of internal control are defined:

the control environment (i.e. attitude, awareness and actions of management and
those charged with governance);

the entity's risk assessment process (i.e. identifying and assessing business risks);

the entity's information systems, including the related business processes relevant
to financial reporting and communication;

the control activities (e.g. authorisation, performance review, information processing, physical controls and segregation of duties);

the entity's process of monitoring controls (i.e. are the controls operating as
intended; if not, why not and changes to be made).

The control environment is crucial to determining the quality and existence of the other
components.

Session 8 provides a detailed review of these five internal control components. This
session considers the auditor's approach and methods to understanding the design and
implementation of internal controls to assess the risks of material misstatement within
the financial statements. This is different to gaining audit assurance from the
effectiveness of internal controls (see Session 13).

4.1 Understanding internal control

The auditor should obtain an understanding of internal control relevant to the audit (i.e. of
the five elements noted above).
They must also obtain an understanding of the way that the management monitors internal
control, e.g. over financial reporting, and the way corrective action is taken.

Understanding internal controls helps the auditor to:

identify the potential types of misstatement;

consider factors that affect the risks of material misstatement; and

design the nature, timing, and extent of further audit procedures.

If controls are poorly designed or are not implemented, there is potentially a greater risk
of material misstatement within the financial statements.

Professional judgement has to be used to identify those controls (which may be in any
of the five elements noted above) that relate to:

the entity's objective of preparing financial statements that give a true and fair
view; and

the management of risk that may result in a material misstatement within the
financial statements.

For example:

Controls to prevent unauthorised ordering of materials, or the curtailment of the supply of essential material, will be relevant to the audit whereas controls to
prevent the excessive use of material within the manufacturing process are
unlikely to be relevant.

Controls over the completeness and accuracy of information produced by the entity
will be relevant to the auditor where they intend to rely on that information in
designing and performing further procedures.

Controls relating to operations and compliance objectives will be relevant to the auditor if they relate to data the auditor evaluates or uses in applying audit
procedures.

Controls relating to effective and efficient operations, e.g. an airline's system of automated controls to maintain flight schedules, would not normally be relevant to
audit.

4.2 Methods for understanding


To be able to understand internal control, the design of a control and its implementation
must be ascertained by the auditor.

Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively
preventing, or detecting and correcting, material misstatements.

Implementation of a control means that the control exists and that the entity is
using it.

A poorly designed control may still result in a material misstatement regardless of the fact that it is being correctly operated.

4.2.1 Control design

Evidence for understanding and evaluating the design of internal controls can be
obtained through:

previous experience of the entity and its controls (as recorded within the permanent
audit file) - there will be a need to update understanding where changes have
occurred in the current year;

inquiry of entity personnel, e.g. management, internal audit, those charged with
governance, operating personnel;

observing the application of specific controls;

inspecting documents and reports, e.g.:

the entity's risk strategy assessment and response
internal control procedure manuals
management reports
system error reports
internal audit testing programmes (including reports to management and
management response);

walk-through procedures, e.g. tracing a separate transaction through each relevant element of the information system for financial reporting (e.g. the sales system)
and reviewing the design of the appropriate controls. This will often require the
use of computer-assisted audit techniques (CAATs; see Session 21) to enable the
transaction to be traced through computer-based systems (IS).

Questionnaires, e.g. internal control questionnaires (ICQ) and internal control evaluation questionnaires (ICEQ), are often used as a framework for understanding the
design of internal controls.

4.2.2 Control implementation

Inquiry alone is not sufficient to determine whether a control has been implemented; it
must be seen to be in operation.

This may be achieved through a combination of, for example:

walk-through procedures, e.g. tracing a transaction through a system and checking that the relevant controls are implemented: a purchase order is authorised, the
goods received note has been agreed to the purchase order; tracing an internal
audit risk analysis report through management procedures; general ethical
environment (e.g. staff appear to be ethically compliant and follow ethical guidance);

re-performance of a control, e.g. carrying out a bank reconciliation; management action from board minutes;

observation of the control in operation, e.g. physical inspection of goods received; monitoring of IS/internet access and use by web-master; meeting of audit
committee;

use of computer assisted audit techniques for testing individual control implementation within IS;

actions taken by responsible officials, e.g. follow up of an exception report; business risk analysis tracking; action taken following disciplinary procedures;

inquiry of control operatives, e.g. internal audit, audit committee, risk committee.

These procedures are broadly the same as those used for testing the effectiveness of
internal controls (see Session 13) but note that testing implementation and testing
effectiveness are not the same.


Implementation is testing to see that a control was in operation at any one point in time
and assists the auditor in understanding the system. Control effectiveness is testing to
see if a control was always in operation over a given period of time (e.g. for the financial
year) in order to obtain audit assurance that the financial statements are free from
material error.

In some circumstances, usually with IS, because of the consistency of operation of automated controls, both objectives may be achieved through one test (see Session 13).

4.3 Management monitoring of internal controls

Typically management monitoring may be through internal audit reviewing and testing
internal control. Reports produced by internal audit and the resulting action taken by
management may form a suitable basis for the auditor to understand the management
monitoring process of internal control.

Regular management and supervisory activities (e.g. checking that control activities
take place) and review of external information (e.g. regulatory reports and complaints
from customers) are all indicators of management monitoring of internal control.

Where the information used by management for monitoring internal control is produced by the system (e.g. exception reports, variance analysis) the auditor must
obtain an understanding of how that information is produced and the basis for
management believing it to be sufficient for monitoring purposes.

4.4 Impact on audit approach

As already noted, understanding the design of internal controls and whether or not they
have been implemented, provides the auditor with an understanding of the risks of
material misstatement due to poor design or non-operation.

If the appropriate controls are well designed and in operation, the auditor can then
decide if they wish to obtain audit assurance from those controls. If they decide that
placing reliance on the effectiveness of the controls is an efficient and effective approach
to lowering audit risk to an acceptable level (see next section, Audit Risk), they must
obtain audit evidence about the effectiveness of the control operations throughout the
period of the financial statements. (See Session 13).

4.5 Reporting of weaknesses

Those charged with governance, or management, must be informed by the auditor of
material weaknesses in the design or implementation of internal control. For example:

risks of material misstatement which the entity has not controlled;

risks of material misstatement for which the relevant control is inadequate or has
not been implemented; and (if in the auditor's judgment there are)

material weaknesses in the entity's risk assessment process (i.e. the business risk
approach and control procedures of the entity).

This will be done through the use of a management letter (sometimes referred to as a
weakness letter). See Session 13.


AUDIT RISK

5.1 Concept

The risk that the auditor gives an inappropriate audit opinion when the financial statements
are materially misstated.

An audit in accordance with ISAs is designed to provide reasonable assurance that the
financial statements taken as a whole are free from material misstatement. The concept
of reasonable assurance implies that there is a risk that the audit opinion will be
inappropriate (eg an unqualified opinion when the financial statements are materially
misstated).

This risk may be reduced to an acceptable level by designing and performing audit
procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable
conclusions on which to base the audit opinion.

This will be achieved through an appropriate audit strategy and work programme (see
Session 8) which will be developed following a detailed understanding and analysis of
the business, its environment and controls (as discussed above).

Audit risk therefore considers two base risks:

that the financial statements may be materially misstated prior to audit - financial
statement risk; and

that the auditor may not detect such material misstatement - detection risk.

5.2 Relationship of audit risk to business risk

Business risk is much broader than financial statement risk but as most business risks
will eventually have financial consequences, there will be a cascading impact on the
financial statements and consequently, financial statement risk.

Embodied within business risk controls will be those controls that directly, or indirectly,
relate to financial reporting, operations and compliance.

As already discussed, business risks that have the potential to create financial statement
risks (the ultimate business risk relating to a financial statement risk being going
concern) must be identified by the auditor.

5.3 Assessing risk of material misstatement


Through obtaining an understanding of the business and its environment, including
relevant controls, and considering the classes of transactions, account balances and
disclosures in the financial statements, under ISA the auditor must consider the risk of
material misstatement at the:

overall financial statement level (eg such that the financial statements as a whole
are misleading); and at the

transaction, balance and disclosure level (eg an individual item is in error).


No one model for doing this is proposed within ISA. The key points are:

the auditor is concerned with material misstatement within the financial statements;

audit risk is reduced to an acceptably low level by the exercise of professional judgement;

and audit procedures are designed to ensure that audit risk is at an acceptable level.

5.4 Basic principles

Whilst it is irrelevant what names and approaches are used (so long as the model follows
the basic principles required by ISAs) the traditional model considers that inherent
risk, control risk and detection risk are the basic components of audit risk.

Inherent risk and control risk, although separately defined, are often subject to a
combined assessment to assess the risk of material misstatement, eg financial statement
risk because of inherent risk and the fact that the controls will not detect such errors.
Detection risk is then referred to as residual risk.

The traditional audit risk model deals with inherent risk and control risk separately:
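Components of audit risk (diagram):

Audit Risk (ultimate risk) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

Inherent risk and control risk: the auditor assesses these; they exist independently of the audit.

Detection risk: the auditor manages/manipulates this to achieve acceptable audit risk.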

An overall acceptable level of audit risk may be quantified as a matter of practice (i.e.
audit firm) policy (e.g. 5% meaning that there is a 5% risk of a material error being
undetected or conversely, the auditor obtains 95% assurance that there are no
undetected material errors). This % may provide the basis for mathematical derivation
of detection risk and sample sizes.

Alternatively, inherent risk and control risk may be designated as High, Medium or Low,
with detection risk being the inverse of this relationship (e.g. if both inherent and
control risk are high, detection risk will be low).

5.5 Inherent risk

5.5.1 Definition

The susceptibility of an assertion to misstatement that could be material (individually or in
aggregate) assuming no related internal controls.


5.5.2 Financial statement vs assertion levels

Auditor assesses:

at overall financial statement level;

at account balance, transaction or disclosure level.

Example 4
State at which level (financial statement or assertion) the following factors
would be evaluated.

Solution
(1) Doubts about the integrity of management
(2) Management inexperience in the preparation of the financial statements
(3) Accounts which involve a high degree of estimation
(4) Entity lacks sufficient capital to continue operations
(5) Potential for technological obsolescence of products and services
(6) Complex underlying transactions which might require using the work of an expert
(7) Highly desirable and movable assets (e.g. cash) susceptible to loss or misappropriation
(e.g. theft, embezzlement)
(8) Unusual and complex transactions completed at or near the period end
(9) Changes in consumer demand
(10) Transactions not subject to ordinary processing


5.6 Control risk

5.6.1 Definition

The risk that a misstatement that could occur (at the assertion level) and be
material will not be:

prevented; or
detected and corrected on a timely basis;

by the internal control system.

5.6.2 Preliminary assessment

An understanding of the design and implementation of internal control will be obtained
through understanding the entity and its environment (see Session 9).

From this understanding, controls that are key to assessing the risk of material
misstatement at the assertion level will have been identified.

Where the controls are suitably designed to prevent, or detect and correct, a material
misstatement, tests of the operating effectiveness of the controls can be carried out if
considered to be efficient to do so (see Session 13).

5.6.3 Measuring control risk

Control risk is assumed to be high (i.e. high risk of material misstatements in the
financial statements) unless:

internal controls which are likely to prevent/detect/correct material misstatement
relevant to the assertion are identified; and

tests of the operating effectiveness are planned to be performed to support the
assessment.

Control risk will be assessed as high when:

internal control is not assessed to be effective; or

evaluating the operating effectiveness of controls would not be an efficient audit
approach; or

sufficient audit evidence can be obtained purely from substantive testing.

There will always be some control risk because of the inherent limitations of any
internal control system.

Example 5
Suggest factors that may indicate high control risk.


Solution

5.7 Detection risk

5.7.1 Definition

The risk that the auditor will not detect a misstatement that exists (in the financial
statements at the assertion level) that could be material (either individually or
in aggregate with other misstatements).

It is a function of the effectiveness of the planning of substantive audit procedures, their
application and interpretation by the auditor.

Substantive procedures are those procedures that are performed in order to detect
material misstatements in the financial statements and include:

tests of detail of transactions;

tests of detail on account balances;

tests of detail on disclosures; and

analytical review.

5.7.2 Basic principles

Factors that must be considered to avoid incorrect assessment of detection risk include:

the possible selection at the planning stage of inappropriate audit procedures (e.g.
deciding not to carry out any confirmations, low sample sizes, biased sample
selection methods);

misapplication of an audit procedure by the audit team (e.g. through lack of
training, incorrect directional application); and

misinterpretation of test results (e.g. not recognising the significance of an error or
not recognising that there is an error).

Such factors can be minimised through adequate planning, assignment of appropriate
staff (e.g. experienced, trained, technically competent), the application of professional
scepticism, clear supervision and strong review of the work carried out.


As inherent and control risk assessments influence the nature, timing and extent of
substantive procedures to be performed to reduce detection risk (and therefore audit
risk) to an acceptably low level, any inappropriate assessment will have a direct,
negative, impact on detection risk.

Because of the nature of the audit process and the factors outlined above, some
detection risk would always be present even if examining 100% of an account balance or
class of transactions. The aim is to reduce this risk to an acceptable level.

Illustration 1
An audit firm uses a mathematical audit risk model to determine the levels of
detection risk.

Audit risk: Say 5% risk of drawing the wrong conclusion is acceptable.
(Most firms operate between 1% and 5%.)

Inherent risk: Assessed at 75% risk that material problems could arise (e.g.
High).

Control risk: Assessed at 20% risk that controls may miss material errors
(e.g. Low).

Required:
Calculate detection risk.

Solution
Using the model 0.05 = 0.75 × 0.2 × DR, therefore DR = 0.33 (e.g. Medium).

This means that substantive testing levels will be adequate even if there is a 33% chance
of them failing to detect material errors or omissions.

But note that most audit work programmes require material items to be selected and
tested anyway - regardless of the detection risk assessed and the sample size calculated.

Example 6
The same firm as in the above example has a new client company that
undertakes research and development for the pharmaceutical industry. The
client is seeking a listing on the Stock Exchange. Inherent risk is therefore
assessed as high (100%): high risk enterprise, high risk as seeking listing.
However, the client appears to have reasonable internal control. Control risk is
assessed at 40%.

Required:
Calculate detection risk and comment on how it compares with that calculated
in the preceding illustration.


Solution

This mathematical model demonstrates the relationship between inherent risk, control
risk and detection risk, in that the nature, extent and timing of substantive procedures
are inversely related to the assessment of inherent and control risks.

For a given acceptable audit risk, when both inherent and control risks are high (high
risk that the financial statements may contain a material error), detection risk is assessed
as low (higher degree and level of substantive work required) and vice-versa.

[Diagram: Audit Risk (Policy), Inherent Risk, Control Risk, Detection Risk]

High detection risk means that it is only necessary to carry out a minimum level of
substantive testing (which will usually include testing all items greater than the
materiality level).

Because of the low(er) risks of there being a material error within the financial
statements (low inherent and low control risks), a lower quantity (e.g. sample size) and
lower quality (e.g. indirect evidence rather than direct evidence) of substantive testing
may be acceptable.

Low detection risk means that higher levels of substantive testing are required as there
is greater risk of a material error being within the financial statements (i.e. greater testing
to lower the risk of a material error not being discovered).

Methods of varying detection risk, with examples where inherent/control risk are high:

1 Change nature of audit work: Direct tests toward independent parties rather than
documentation within entity. Use tests of detail in addition to analytical procedures.

2 Change extent of audit work: Use a larger sample size.

3 Change timing of audit work: Perform a procedure at the period end rather than
at an earlier (interim) date.

Some substantive procedures should always be carried out for material account balances
and classes of transactions.


More evidence should be obtained from substantive procedures the higher the inherent
and control risk assessments.

A qualified opinion (or a disclaimer of opinion) should be expressed if detection risk
cannot be reduced to an acceptable level. (See Session 30)

5.8 Significant risks

Whatever risk model is used, care must be taken to identify significant risks, i.e.
those risks that relate to significant non-routine transactions and judgemental matters,
where there is, for example:

greater ability for management intervention, e.g. aggressive application of
accounting policies, overriding of internal controls;

greater ability to use manual override with IS collection and processing of data;

complex calculations (e.g. fair value, provisions and estimates that provide
opportunity for varying outcomes) or accounting policies open to different
interpretations;

subjective judgement based on a significant measurement uncertainty (e.g. a range
of values); and

the nature of the transactions makes it difficult to implement effective controls over
the risks.

A full understanding of such risks and of management's internal control and risk
assessment procedures must be obtained by the auditor. Such risks would normally be
specifically fully tested (i.e. 100%).

5.9 Matters requiring documentation

The discussion among the engagement team regarding the susceptibility of the entity's
financial statements to material misstatement due to error or fraud, and the significant
decisions reached.

Key elements of the understanding obtained regarding each aspect of the entity and its
environment, e.g.:

industry, regulatory, and other external factors;

the applicable financial reporting framework;

nature of the entity, including the entity's selection and application of accounting
policies;

objectives and strategies and the related business risks that may result in a material
misstatement of the financial statements;

measurement and review of the entity's financial performance.

Internal control components:

the control environment;

the entity's risk assessment procedures;


the entity's information systems, including the related business processes relevant
to financial reporting and communication;

the control activities;

the entity's process of monitoring controls.

The sources of information from which the understanding was obtained.

The risk assessment procedures.

The identified and assessed risks of material misstatement at the financial statement
level and at the assertion level.

ENGAGEMENT RISK

6.1 Basic concept

Engagement risk is the overall risk associated with an assurance engagement, e.g. risk of
litigation, loss of reputation, unpaid fees, low fee recoveries, inappropriate audit
opinions, poor client relationships, failure to understand the client's business. It must
be managed by the auditor and reduced to an acceptable level.

The basic components are:

the client's business risk;

audit risk; and

the auditor's business risk.

6.2 Client's business risk

The client's business risk cannot be controlled by the auditor; it is independent of the
auditor. However, a thorough understanding of the client's business risks and how
they are managed assists the auditor in understanding potential engagement risk, e.g.
what is the risk that management actions (or inaction) will result in the entity failing to
continue in business.

6.3 Audit risk

Audit risk is controlled and determined solely by the auditor. Through a thorough
understanding of the entity and its environment (including business risk and internal
controls) the auditor can adjust the nature, timing and extent of audit procedures to
reduce audit risk to an acceptable level.

In normal circumstances, engagement risk may also be reduced to an acceptable level
by an appropriate reduction in audit risk. However, where audit risk cannot be
reduced to an acceptable level, engagement risk will remain high, e.g. the integrity of
management is in doubt and no audit procedures can eliminate this fact.


6.4 Auditor's business risk

As with their clients, auditors are faced with business risk, ie the risk that they will not
achieve their objectives. For example, their business is regulated (eg loss of registered
auditor status will impact earning capabilities), exposed to litigation, adverse publicity,
inability to attract/retain experienced staff, failure to keep technically up to date, failure
to maintain fee levels and high risk clients (engagement risk).

Such business risks can be managed. In respect of engagement risk, the risk related to
clients can be managed through good client acceptance and retention procedures (see
Session 5).

6.5 Engagement risk procedures

Engagement risk must be addressed throughout the audit, from the initial decision to
accept a new client (or continue to service an existing client) to planning the
engagement, carrying out the audit procedures, reviewing the results of such
procedures and the issue of the audit report.

The keys to an acceptable engagement risk are:

strong client acceptance procedures (e.g. do not accept clients who have a tendency
to change auditors on a regular basis, who are litigation happy, who require
services beyond the auditor's capabilities);

continuous review for change of client relationships and behaviour throughout the
audit (eg reducing integrity, sudden use of aggressive application of accounting
policies; continuous challenges to auditor recommendations for changes to financial
statements);

closedown review of client continuance (eg are there any factors that will increase
engagement risk for the next audit).

FOCUS
You should now be able to:

explain how auditors obtain an initial understanding of the entity and knowledge of its
business environment;

explain the components of audit risk;

explain why an auditor needs to obtain an understanding of internal control activities
relevant to the audit;

describe the use of information technology in risk analysis;

identify and describe engagement risks affecting the audit of an entity.


EXAMPLE SOLUTION
Solution 1 Sources

Client

Auditor

Directors/senior operating personnel

Internal audit and Governance

Specialist publications (e.g. on hotel audits)

Website

Visit to premises and plant facilities

Technical experts (e.g. IS, extractive industries)

Specific employees involved in process

Minutes of meeting

Documents sent to shareholders/filed with authorities

Financial budgets and management reports

Chart of accounts and Job descriptions

Procedures manuals


Previous relevant
experience

External

Predecessor auditor

Legal advisors

Industry regulators

Government data

Customers

In-house knowledgebase

Suppliers

CAF/PAF

Competitors

Business process
templates

Trade journals

Financial press

Websites


Solution 2 Information
GENERAL ECONOMIC FACTORS

THE INDUSTRY

Recession

Market/competition

Growth

Costs of entry

Interest rates

Cyclical/seasonal trade

Sources of finance

Technology/fashion

Inflation

Key ratios and performance measures

Government policy (e.g. monetary, fiscal, trade)

Specific accounting practices, GAAP

Investment incentives (e.g. regional development grants)

Regulatory/environmental requirements

Energy supply and costs

Workforce skills

Foreign exchange (rates and controls)

Fresh-field sites

Availability and education of workforce

MANAGEMENT & OWNERSHIP

BUSINESS

Corporate structure

Nature (manufacturer, exporter)

Owners and related parties

Locations (office/production/storage)

Local/foreign

Employment (union contracts)

Capital structure

Products/services/markets

Organizational structure

Philosophy and strategic plans

Conduct of operations (e.g. service logistics, production, segments)

Acquisitions and disposals

Sources of finance

Major/dependent suppliers/customers (delivery methods e.g. JIT)

Board of directors and governance

Alliances, joint ventures and outsourcing activities

Operating management

Inventories (type, location, quantities)

Internal audit

Research and development

Attitude to internal control environment

Information systems and use of e-commerce (nature and dependency)

Debt structure (including covenants)



REPORTING ENVIRONMENT

FINANCIAL PERFORMANCE

Key ratios, trends

Legislation and regulations

Performance indicators (e.g. share price, EPS)

Appropriate selection and application of accounting principles and use of GAAP

Employee measures and compensation

Period-on-period financial performance

Audit reporting requirements (shareholders, regulators and other third parties)

Taxation

Accounting principles

Revenue recognition

Accounting policies

Use of fair values

Earnings/cash flow

Users of financial statements

Leasing commitments

Lines of credit

Off-balance sheet finance

Foreign currency and interest rates

Solution 3 Changes

Internal

Business developments (e.g. e-commerce, discontinued operations)

New products, services

Key personnel (starters and leavers)

Changes within business and financial control systems

Governance/internal audit
work and reports

Regulator visits and reports

Administration and IT
functions


Pending litigation

External

New legislation and regulation (e.g. environmental, health and safety)

Latest financial reporting standards

Changes in the application of accounting policies

Changes in specialist regulations (and trade unions)

Competitors and their products

Economic (interest/foreign exchange/tax rates etc)

Volatility of markets (supplier, customer, financial)

Industry practices

Changes in local and national government


Solution 4 Inherent risk factors


Financial statements level
1 (see Discussion below), 2, 4, 5 & 9

Assertion level
3, 5, 6, 7 (see Discussion), 8 & 10

Discussion

(1) Consider doubts about the integrity of management: could that inherent risk affect
the financial statements as a whole or just a few individual account balances?

Suppose management wanted to overstate profit (in order to pay themselves bonuses,
say). To increase profit management could:

overstate revenue (e.g. by bringing forward next year's sales revenue into the
current year, i.e. a deliberate cut-off error);

understate costs (e.g. by suppressing purchase and expense invoices).

Because every Dr has a Cr there are then implications for the statement of financial
position:

overstatement of trade receivables (because they do not owe the money at the
year end);

understatement of trade payables (because liabilities are not recorded).

Profit could also be increased by understating provisions against assets:

obsolescence provisions against inventory;

depreciation provisions against tangible long-term assets;

bad and doubtful debt provisions against trade receivables.

In conclusion then, doubts about management integrity have a pervasive effect on the
financial statements as a whole and so this risk is assessed at the financial statement
level.

(7) Consider cash balances (i.e. physical money rather than bank balances). These
balances may be very small in relation to the assets as a whole (e.g. cash floats in the
till/register of a shop). At the financial statement level the auditor may take no
account of these and so ignore them in the overall audit plan. However, cash is
inherently risky (because it can be stolen if safeguards are not adequate) and cannot
be ignored at the account balance level.
However, in a cash-based business (i.e. cash revenue, purchases and assets paid for in
cash) this would be considered at the financial statement level (i.e. in the preparation
of the overall audit plan) because, again, it has a pervasive effect.


Solution 5 Control risk factors

History of errors found by auditor

System changes

Management attitude/dominance

Lack of manuals

Inexperienced/incompetent staff

Few formal procedures

Lack of segregation of duties/inadequate supervision

Late approval of transactions

Size of entity/accounting systems

Poor monitoring controls

Solution 6 Detection risk


AR = IR × CR × DR

DR = AR / (IR × CR)

DR = 0.05 / (1.0 × 0.4) = 0.125

DR must be rendered lower than in the Illustration. (We should have anticipated this as both
IR and CR have been assessed as higher.) The level of substantive procedures is therefore
relatively higher.
Another way of expressing this is that the level of audit assurance required from substantive
procedures is
100 − 12.5 = 87.5%
i.e. a relatively high level of assurance is required.
