
Chapter 9

Audit Risk
Assessment

Announcement
QUIZ TWO
The second quiz for this course will open at 8am,
Wednesday 26th August and will close at
11.59pm, Friday 28th August.
Students are once again reminded that you have
only one chance to attempt this quiz, and you
should attempt it within the allocated time.
Failure to do so will result in zero marks being
awarded to the student.
This quiz covers chapters 4, 5 & 6. It will
comprise 20 multiple choice questions. The
time allocated for this quiz is only 20 minutes.
The quiz contributes 1% towards your course

Objectives
Appreciate the importance of audit risk assessment and
why it is linked to financial statement assertions
Describe the procedures performed by an auditor to
assess risk
Appreciate the importance of internal control to an entity
and to its independent auditors
Indicate the procedures for obtaining and documenting
an understanding of the entity's internal control
Explain why and how a preliminary assessment of
control risk is made
Explain the importance of the concept of audit risk and
its three components

Management's financial
statement assertions
Existence or occurrence
Assets or liabilities of the entity exist at a given date
and whether recorded transactions or events have
occurred during the period
Completeness
Transactions, events and accounts that should be
presented in the financial statement are included
Cut-off
All transactions, events and accounts have been
recorded in the correct period

Management's financial
statement assertions
Rights and obligations
Assets represent rights of the entity and liabilities are
the obligations of the entity at a given date
Valuation and allocation
Asset, liability, components have been included in the
financial statements at the appropriate amounts
Accuracy
Transactions have been appropriately recorded in the
proper accounts

Management's financial
statement assertions
Presentation and disclosure
Particular components of the financial statements are
properly classified, described and disclosed

Business risk assessment


A business risk approach allows the auditor to:
Identify threats faced by the organisation
Recognise that most business risks will eventually
have an effect on the financial statements
Increase the chances of identifying risks of material
misstatements in the financial reports
Categories of business risk:
Financial risk
Operational risk
Compliance risk

Risk assessment
procedures
Enquiries
Management, staff, internal auditors, company
bankers, legal advisors
Analytical procedures
Provide a broad indication of the likelihood of possible
errors
Observations and inspections
Inspection of manuals, visiting business premises,
observing procedures taking place

Importance of internal
control
The Committee of Sponsoring Organisations (COSO) of
the Treadway Commission defines internal control as:
a process, effected by an entity's board of directors,
management and other personnel, designed to
provide reasonable assurance regarding the
achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

Management responsibility
Management (not the auditor) must establish and
maintain the entity's control structure
Control structure aids management to ensure:
irregularities are prevented or detected and corrected
assets are safeguarded
financial records are accurately reflected
adherence to management policies
operational efficiency is promoted that prevents
unnecessary duplication of effort
Because of its inherent limitations, an internal control
structure cannot be regarded as completely effective,
regardless of the care taken in its design and
implementation

Auditor responsibility
ASA 315 para 12 states that:
The auditor shall obtain an understanding of internal
control relevant to the audit
The auditor's understanding of the internal control is
then used to plan the audit and to determine the
nature, timing and extent of tests to be performed
The above has to be done in the context of the
internal control structure as defined in ASA 315


The internal control system


Five components (ASA 315 para A51)
Control environment
Risk assessment
Information system
Control activities
Monitoring


Control environment
Sets the tone of the entity towards control
consciousness and includes:
Enforcement of integrity and ethical values
e.g. setting the tone at the top of the entity by
demonstrating integrity and ethical behaviour
Commitment to competence
e.g. adequate knowledge and skills at every level
in the entity


Control environment
Participation by those charged with governance
Management's philosophy and operating style
e.g. approach to taking and monitoring business
risks
Organisational structure
Assignment of authority and responsibility
Human resource policies and practices
e.g. screening prospective employees


Risk assessment
Risk assessment is the process used to identify,
analyse and manage the relevant risks which may
affect the achievement of the entity's objectives,
including the preparation of financial statements


Risk assessment
Key factors include for example:
changes in the operating environment
new personnel
new or revamped information systems
rapid growth
corporate restructuring
expanded foreign operations
All of the key factors have inherent risks with potential
adverse financial consequences

Information systems and
communication
Information systems consist of procedures and
records established to
initiate, record, process and report an entity's
transactions
maintain accountability for the related assets,
liabilities and equity
A major focus is that transactions are handled in such
a way that financial statements are presented fairly in
accordance with accounting standards


Control activities
Control activities are policies and procedures that help
ensure that management directives are carried out to
address risks that threaten the achievement of entity
objectives


Control activities
Key factors include:
performance reviews
information processing controls
e.g. general controls and application controls over
input, processing and output in a computerised
system
physical controls
segregation of duties
e.g. ensuring that individuals do not perform
incompatible duties such as banking cash and
performing bank reconciliations

Information Processing
Controls
General controls
Apply to systems as a whole:
Organisational controls
Systems development and maintenance controls
Access controls
Data and procedural controls
Application controls (input, processing & output
controls)
Segregation of duties
Physical controls
Performance reviews

Monitoring
Monitoring is the process by which the entity monitors
the quality of internal controls over time
Involves assessing the design and operation of
controls on a timely basis and taking the necessary
corrective actions
Ongoing monitoring activities could include:
internal audit
continual management review of exception and
operation reports
review/response to customer complaints

Limitations of control

Cost versus benefits


Management override
Non-routine transactions
Mistakes in judgment
Collusion
Breakdown
Changes in conditions


Understanding internal
control
Issues can include:
Identifying the types of potential misstatements that
may occur
e.g. where to look for potential errors and fraud
Understanding factors that affect the risk of material
misstatement
e.g. revenue recognition issues in some entities
Designing further audit procedures
e.g. assess adequacy of risk assessment
procedures and plan tests of controls
Testing general and application controls in
computerised systems

Procedures to obtain an
understanding
Procedures can include:
reviewing previous experience with the entity
being audited
inquiries of management, supervisory and staff
personnel
inspection of documents and records
observation of the entity's activities and operations
transaction walk-through reviews to confirm
documented understanding


Example 1
Refer to Professional Application
Question 9.23

Example 1
(a) Business risks are threats that the organisation faces in
attempting to achieve its goals. In this case there are a couple
of main business risks to HealthyGlow, both are in relation to
the purchase of the new full-body scanning machines.
Studies that have shown the potential side-effects of the
new machines are a concern, which is a risk in the longer
term. In the short term, the bad publicity is a risk although
it appears to have had little effect on the level of bookings.
The potential ban of the use of the machines by the Medical
Association of NSW is a much more significant short term
business risk even though management only assesses
this likelihood at 20% (the auditor would want more
evidence on this). HealthyGlow have significant capital
investment in these machines and also significant revenue
that is contingent on the continued operation of the
machines.

Example 1
(b) i. The scanners (property, plant and equipment)
ii. Revenue and unearned revenue
(c) i. Valuation. The scanners may become worthless if they
cannot be used due to the possible decision by the Medical
Association of NSW. There may be an overseas market for
them but this presumably would result in a significant
discounting of value.
ii. Accuracy and cut-off for revenue. There is a risk that
HealthyGlow has been incorrectly recording revenue before
the service is provided. The auditor will need to ensure that
only those services provided before the end of June have been
included in revenue and payments received for bookings after
the end of June should be included as Unearned revenue.
Completeness for unearned revenue. There is a risk that
revenue that has not been earned has not been accounted for
properly.

Documenting the
understanding
Internal Control Questionnaire (ICQ)
consists of a series of questions about accounting
and control policies and procedures the auditor feels
are necessary to prevent material misstatements in
the financial statements
Flow chart
is a schematic diagram that uses standardised
symbols, interconnecting flow lines and annotations
to portray the steps involved in processing
information through the information system

Documenting the
understanding
Narrative memoranda
may be used to supplement other forms of
documentation by summarising the auditor's overall
understanding of the information system or specific
control policies or procedures

Preliminary assessment of
Control Risk
ASA 315 para 25:
The auditor shall identify and assess the risks of
material misstatement at the financial report level, and
the assertion level for classes of transactions, account
balances and disclosures
Purpose of preliminary assessment
Assessment to obtain a reasonable understanding
of controls in place
decide on appropriate audit strategy so as to
design a detailed audit program

Process of assessing
control risk
Use professional judgement to assess the control
environment
Assess the design effectiveness of control procedures
and their ability to prevent or correct misstatements
Assess whether controls were effectively applied
throughout the period under audit


The audit risk model


Audit risk is the risk that the auditor gives an
inappropriate audit opinion when the financial
statement is materially misstated
In setting the desired audit risk, auditors seek an
appropriate balance between the costs of an
incorrect audit opinion and the costs of performing
the additional audit procedures necessary to
reduce audit risk


Audit risk components


Inherent risk (ASA 200)
Is the possibility that a material misstatement could
occur in an assertion, either individually or when
aggregated with other misstatements, assuming there
are no related controls
Inherent risk exists independently of the audit of
financial statements and thus auditors cannot change
the actual level of inherent risk
As defined by auditing standards, inherent risk is
confined to the risk of material misstatements

Audit risk components


Control risk (ASA 200)
Is the risk that a material misstatement could occur in
an assertion, either individually or when aggregated
with other misstatements, and not be prevented,
detected, or corrected on a timely basis by the entity's
internal control structure
Control risk is a function of the effectiveness of the
internal control structure as good controls reduce risk


Audit risk components


Detection risk (ASA 200)
Is the risk that an auditor's substantive procedures will not
detect any material misstatements that exist in an
assertion, either individually or when aggregated with other
misstatements
a function of the effectiveness of substantive procedures
and their application by an auditor and thus is fundamental
to the amount of audit work undertaken
actual level of detection risk is controllable by the auditor
through:
appropriate planning, direction, supervision and review
variation in the nature, timing and extent of audit
procedures
effective performance of the audit procedures and
evaluation of their results

The relationships among
risk components
An auditor's objective is to achieve an acceptably low
level of audit risk, as is practicable
Recognising the cost of performing audit procedures,
there is an inverse relationship between the assessed
levels of inherent and control risks and the level of
detection risk that the auditor can accept
Auditors, although unable to control inherent risk (IR)
and control risk (CR), can assess these risks and
design substantive procedures to produce an
acceptable level of detection risk, thus reducing the
audit risk to an acceptable level

The relationships among
risk components
The audit risk model provides a framework for
auditors to follow in responding to these assessed
risks through their choice of audit procedures
The audit risk model expresses the relationship
among the audit risk (AR) components as follows:
AR = IR × CR × DR
That is, Audit risk = Inherent risk × Control risk ×
Detection risk


The relationships among
risk components
Acceptable detection risk matrix

Non-quantified audit risk
model
Auditors may use non-quantified expressions for risk
Is consistent with the quantified audit risk model, in that the
acceptable levels of detection risk are inversely related to
the assessments of inherent and control risks
If assessment of control and inherent risks are both high,
then the acceptable level of detection risk will generally
have to be very low
That is, the risk that the auditor's substantive procedures
will not detect material misstatements will need to be low
which means more substantive testing by the auditor
Conversely, if an auditor's assessments of control and
inherent risks are both low, then the acceptable level of
detection risk can be high, i.e. the auditor's substantive
procedures can be reduced
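
The inverse relationship stated above and in the audit risk model slide, worked through as an added example (not part of the original slides): solving AR = IR × CR × DR for the acceptable detection risk at each combination of assessed inherent and control risk. The numeric values assigned to low, medium and high, the 5% target audit risk, and the cap at 100% are assumptions made for illustration.

```python
"""Added example: acceptable detection risk under AR = IR x CR x DR."""

# Assumed numeric stand-ins for qualitative assessments (not from the slides).
LEVELS = {"low": 0.30, "medium": 0.60, "high": 1.00}


def acceptable_detection_risk(audit_risk, inherent_risk, control_risk):
    """Solve AR = IR * CR * DR for DR, capped at 1.0."""
    for name, value in (("audit_risk", audit_risk),
                        ("inherent_risk", inherent_risk),
                        ("control_risk", control_risk)):
        if not 0 < value <= 1:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    # When IR * CR is already at or below the target AR, the formula yields
    # DR >= 1. A risk cannot exceed 100%, so the result is capped (assumption).
    return min(1.0, audit_risk / (inherent_risk * control_risk))


def detection_risk_matrix(audit_risk, levels=LEVELS):
    """Map (IR level, CR level) -> acceptable DR for a target audit risk."""
    return {
        (ir_name, cr_name): round(acceptable_detection_risk(audit_risk, ir, cr), 4)
        for ir_name, ir in levels.items()
        for cr_name, cr in levels.items()
    }


def print_matrix(matrix, levels=LEVELS):
    """Print the matrix with IR levels as rows and CR levels as columns."""
    names = list(levels)
    print("IR \\ CR".ljust(10) + "".join(n.rjust(10) for n in names))
    for ir_name in names:
        row = "".join(f"{matrix[(ir_name, c)]:>10.1%}" for c in names)
        print(ir_name.ljust(10) + row)


if __name__ == "__main__":
    # Constructed scenario: the auditor targets a 5% overall audit risk.
    print_matrix(detection_risk_matrix(audit_risk=0.05))
```

With both risks assessed as high the acceptable detection risk equals the target audit risk itself, which is the case that demands the most substantive testing.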
