MSAF 608

ADVANCED AUDITING AND

ASSURNCE

Week 4 – Risk Assessment and Materiality

Dr Rita Amoah Bekoe

[email protected]/[email protected]
 INTRODUCTION
• Risk is a natural part of business activities and occurs quite
often. There is always a risk that a new product will fail,
unanticipated economic events will occur or an unlikely
outcome may occur.
• Every choice made in the pursuit of organisational objectives
has its risks. From day to day operational decisions to the
fundamental trade-offs in the boardroom, dealing with risk in
these choices is part of organisational decision making.
• Even success can bring with it additional downside risk—the
risk of not being able to fulfil unexpectedly high demand, or
maintain expected business momentum, for example.
 INTRODUCTION CONT.
• The manner in which an organization manages those risks
affect both the financial viability of the business and the
auditors approach to auditing it.
• Some organizations have management control mechanisms
to identify, manage, mitigate or control risks
 INTRODUCTION CONT.
• A risk assessment carried out in an audit helps the auditor
to identify financial statement areas susceptible to
material misstatement and provides a basis for designing
and performing further audit procedures.
• Auditors usually follow a risk-based approach to auditing.
• In this approach, auditors analyse the risks associated with
the client's business, transactions and systems which could
lead to misstatements in the financial statements, and
direct their testing to risky areas.
• What makes a risk an audit risk is the link to the financial
statement.
 A SCENARIO
• Imagine you are auditing a manufacturing company (XYZ Co
with a profit before tax of GH¢60 million) and the following
information comes to light about your client.
• XYZ Co has significant plant and machinery which it uses to
make its products. During the year the efficiency of the
company’s machinery was improved significantly. This was
because a comprehensive review of each piece of machinery
was undertaken and an assessment was made as to whether a
minor repair, extensive refurbishment or a complete
replacement was needed. XYZ then took the appropriate action
in each case and spent a total of GH¢15 million in doing so.
 Enterprise Risk Management
• Management has a responsibility for managing the risk of an
entity.
• By adopting an Enterprise Risk Management, the company could
gain a competitive advantage by gaining a better understanding
of how risk may impact the choice of a strategy and how well
such a strategy fits with the organisation mission and vision.
• It allows management to feel more confident that they’ve
examined alternative strategies and considered the input of those
in their organization who will implement the strategy selected.
Enterprise Risk Management Cont.
• An ERM that integrates strategy and performance
helps to accelerate growth and enhance performance
• Thus, an Enterprise Risk Management – Integrating
with Strategy and Performance (put together by COSO)
provides a Framework for boards and management in
entities of all sizes
• It also contains principles that can be applied—from
strategic decision-making through to performance.
Enterprise Risk Management Cont.
• The Framework is a set of principles organized into five interrelated
components:
• 1. Governance and Culture: Governance sets the organization’s
tone, reinforcing the importance of, and establishing oversight
responsibilities for, enterprise risk management. Culture pertains to
ethical values, desired behaviours, and understanding of risk in the entity.
• 2. Strategy and Objective-Setting: Enterprise risk
management, strategy, and objective-setting work together in the
strategic-planning process. A risk appetite is established and aligned with
strategy; business objectives put strategy into practice while serving as a
basis for identifying, assessing, and responding to risk.
Enterprise Risk Management Cont.
• 3. Performance: Risks that may impact the achievement of
strategy and business objectives need to be identified and
assessed. Risks are prioritized by severity in the context of risk
appetite. The organization then selects risk responses and
takes a portfolio view of the amount of risk it has assumed.
The results of this process are reported to key risk
stakeholders.
• 4. Review and Revision: By reviewing entity performance,
an organization can consider how well the enterprise risk
management components are functioning over time and in
light of substantial changes, and what revisions are needed.
Enterprise Risk Management Cont.
• 5. Information, Communication, and
Reporting: Enterprise risk management requires a
continual process of obtaining and sharing necessary
information, from both internal and external sources,
which flows up, down, and across the organization.
 Risk Based Audit Approach
• The risk based approach to auditing involves the auditor looking at
the business as a whole and carrying out an evaluation of the risks to
which it may be exposed.
• The auditor therefore identifies the business risks which may have an
impact on the client’s financial statements
• The auditor will;
– Identify the key business risks
– Evaluate their possible impact on the financial statement
– Plan the approach to the audit around the key business risks that have been
identified
• This approach is not effective unless the auditor has a good
understanding of the client’s business and its environment
 Risk Based Audit Approach Cont.
• Using this approach depends on having adequate up-to-date
information about the client’s business and business environment
• The auditor needs to be aware of not only of the current position
of the client’s business but also possible future developments
that may affect its goals and objectives
• Larger auditing firms that use this approach often organise their
audit teams into specialised industry groups or may have industry
experts available or may construct specialised databases for
particular industries
• The auditor is thus interested in business risk in light of its
possible impact on the financial statements
 Risk Based Audit Approach Cont.
• The Business Risk is the risk that affects the
operations and potential outcomes of organisational
activities
• The auditor uses various tools such as swot, pestel
etc. to identify the business risks and evaluate their
effects on the financial statements
• Business risks affect the financial statements. Hence
its importance to the auditor
 A Scenario
• Your audit firm has as its client a small manufacturing
company. This company owns the land and buildings
in its statement of financial position, which it
depreciates over 50 years (buildings only) and has
always been valued at cost. The other major item in
the statement of financial position is inventory.
• What conclusions can you draw from the above
scenario
 The Audit Risk Model
• Audit Risk is the risk that the auditor expresses an
inappropriate audit opinion when the financial statements
are materially misstated.
• If the audit risk is 5%, the implication is that, the auditor
accepts that there will be only 5% risk that the audited item
will be misstated in the financial statements and a 95%
chance that it is materially correct
• The audit process is designed to give a high level of
assurance about information subject to audit and not an
absolute level of assurance that information is 100% correct.
 The Audit Risk Model Cont.
• The implication of this is that the auditor will seek to
reduce the level of risk to an acceptable level, but
will not attempt to eliminate audit risk entirely.
• If the auditor is to manage risk effectively, there is
the need to be able to measure the risk attached to
any given audit situation and establish a maximum
acceptable limit to the audit risk.
• Hence the development of the Audit Risk Model
 The Audit Risk Model Cont.
• The following general observation influence the
implementation of the Audit Risk Model;
– Complex or unusual transactions are more likely to be
recorded in error than are recurring or routine
transactions
– The better the organisation’s internal controls, the lower
the likelihood of material misstatements
– The amount and persuasiveness of audit evidence
gathered should vary inversely with audit risk i.e. lower
audit risk requires gathering more persuasive evidence
 The Audit Risk Model Cont.
• These general premise have been incorporated into
an audit risk (AR) model with three components:
inherent risk (IR), control risk (CR) and detection risk
(DR)
• AR = IR * CR * DR
• Setting audit risk is an auditor judgment that is
affected by the riskiness of the client
• It is the starting point for planning what audit work
should be performed and how much work should be
done
 Inherent Risk
• Inherent Risk is the risk that items may be misstated as
a result of their inherent characteristics. Inherent risk
may result from either:
• The nature of the items themselves: e.g. estimated
items are inherently risky because their measurement
depends on an estimate rather than a precise measure;
• The nature of the entity and the industry in which it
operates: e.g. a company in the construction industry
operates in a volatile and high risk environment
 Inherent Risk Cont.
• When inherent risk is high there is a high risk of
misstatement of an item in the financial statements
• Inherent risk operates independently of controls and
therefore cannot be controlled
• The auditor therefore accepts that the risk exists and
will not go away
 Assessment of Inherent Risk
• Assessment of inherent risk will be based mainly on:
– The knowledge gained on previous audit
– An assessment of the current environment within which the entity
operates
• Inherent risk is usually assessed at two levels
– The financial statement level
– The account balances and transactions level
• The auditors must use their professional judgement and all
available knowledge to assess inherent risk. If no such
information or knowledge is available then the inherent risk is
high.
 Assessment of Inherent Risk Cont.
• At the financial statement level the auditor will consider
– The integrity, skills and abilities of management
– The nature of business
– Industry-wide and macroeconomic factors
• At the account balances and transaction level the auditor will
consider
– The degree of subjectivity involved in the account balance or the
transaction
– The degree of complexity of a transaction and how it is processed
– The characteristics of the client’s assets and the level of risk that
may be misappropriated
Areas that give rise to inherent risk
FACTORS AFFECTING THE CLIENT AS A WHOLE
Integrity and attitude to risk of directors and Domination by a single individual can cause
management problems
Management experience and knowledge Changes in management and quality of financial
management
Unusual pressures on management Examples include tight reporting deadlines, or
market or financing expectations

Industry factors Competitive conditions, regulatory requirements,

technology developments, changes in customer
demand
Areas that give rise to inherent risk
cont.
FACTORS AFFECTING INDIVIDUAL ACCOUNT BALANCES OR TRANSACTIONS
Financial statement accounts prone to misstatement Accounts which require adjustment in previous
period or require high degree of estimation
Complex accounts Accounts which require expert valuations or are
subjects of current professional discussion
Assets at risk of being lost or stolen Cash, inventory, portable non-current assets (e.g.
laptop computers)
Quality of accounting systems Strength of individual departments (sales,
purchases, cash etc.)
Staff Staff changes or areas of low morale
 Control Risk
• Control risk is the risk that a misstatement will not be prevented or
detected by the internal control system that the client has in
operation
• A preliminary assessment of control risk at the planning stage of the
audit is required to determine the level of controls and substantive
testing to be carried out.
• If the auditor judges that the internal control system is good, then
control risk will probably be low
• Components of a good system of internal controls includes the
following; effective control environment and activities, risk
assessment and response mechanisms, effective information and
communication and efficient monitoring system
 Control Risk Cont.
• Good control systems can prevent or detect and correct
errors. E.g.
– Good management will ensure that only appropriately qualified or
experienced people will process certain transactions.
– Segregation of duties or independent checks reduce the risk of
errors and fraud.
– Reconciliations check the accuracy of numerical data.
– Authorisation and approval lends reliability to transactions.
– Physical measures to safeguard assets.
– Inspection of assets can detect damaged assets or deliveries not
properly made.
 Control Risk Cont.
• Evidence of control risk can be obtained through
tests of control for each of the major transaction
cycles
• The auditor assesses the risk of material
misstatement by considering the inherent and
control risks which have implications on the financial
statement
 DETECTION RISK
• Detection risk is the risk that audit procedures employed
by the auditor may fail to detect material misstatements.
• It also arises and relates to the inability of the auditors to
examine all evidence. Audit evidence is usually persuasive
rather than conclusive so some detection risk is usually
present, allowing the auditors to seek 'reasonable
assurance‘
• The auditors' inherent and control risk assessments
influence the nature, timing and extent of substantive
procedures required to reduce detection risk and thereby
overall audit risk.
 Detection Risk Cont.
• Detection risk is affected by both the effectiveness of the
auditing procedures that the auditor performs and the
extent to which those procedures were performed with
due professional care
• The auditor’s determination of detection risk influences
nature, amount and timing of audit procedures to ensure
that the audit achieves no more than the desired audit
risk
• In summary, inherent risk and control risk are existing
features of the audit client that the auditor cannot control
 DETECTION RISK Cont.
• A high level of inherent or control risk means that the
company is more likely to have misstatements
associated with these risks
• On the other hand detection risk is one that the
auditor faces and that the auditor can manage
thereby controlling the overall audit risk
Limitations of the Audit Risk Model
• Despite it usefulness, the audit risk model has some
limitations
• Inherent risk is difficult to assess. Some transactions
are more susceptible to errors but it is difficult to
assess that level of risk independent of the client’s
accounting system.
• The model treats each risk component as separate
and independent when in fact the components are
not independent
 Point to Note
• Audit risk is a concept that drives the auditor’s plan
and execution of the audit.
• The key to auditing is applying professional judgment
based on the specifics of a given client situation.
• MATERIALITY
 Introduction
• The auditor is expected to design and conduct an
audit that provides reasonable assurance that
material misstatements will be detected
• Audit risk and materiality are interrelated in that
audit risk is defined in terms of materiality; i.e. audit
risk is the risk that unknown, but material
misstatements exist in the financial statements after
the audit has been performed
• Materiality is a concept that conveys a sense of
significance or importance of an item.
 Introduction Cont.
• Significant to whom? And how important?
• What is significant to one person may not be
significant to another
• ISA 320 – Materiality in planning and performing an
audit – stipulates that judgments about materiality
should be based on a consideration of the
information needs of users as an overall group.
• The possible effect of misstatements on specific
individual users, whose needs may vary widely, is not
considered.
 Introduction Cont.
• The assessment of materiality and performance materiality at
the planning stage should be based on the most recent and
reliable financial information and will help to determine an
effective and efficient audit approach.
• Materiality assessment will help the auditors to decide:
– How many and what items to examine
– Whether to use sampling techniques
– What level of misstatement is likely to lead to a modified audit
opinion
• The resulting combination of audit procedures should help to
reduce audit risk to an appropriately low level
 Overall Materiality
• The auditor considers materiality at both the
financial statement level and in relation to classes of
transactions, account balances and disclosures
• The overall materiality for the financial statement as
a whole is set at the planning stage
• For the purposes of planning the audit, auditors
should consider overall materiality in terms of the
smallest total level of misstatement that could be
material to anyone of the financial statements
 Overall Materiality Cont.
• For instance, if the auditor believes that
misstatements aggregating approximately GH
¢100,000 will be material to the income statement,
but misstatements aggregating approximately GH
¢200,000 will be material to the statement of
financial position, the auditor typically assesses
overall materiality at GH¢100,000 or less (not GH
¢200,000 or less)
 Benchmark for Materiality
• Typically there are three key steps:
– choosing the appropriate benchmark;
– determining a level (usually a percentage) of this
benchmark; and
– justifying the choices (i.e. explaining the judgement).
 Materiality Threshold
• To deal with materiality on a consistent basis, most
audit firms set their own materiality thresholds.
• These threshold vary from one firm to the other, but
will typically fall within the following ranges:
– Revenue 1%-2% an item of revenue is
material if it is at least 1% or
2% of annual sales revenue
– Pre-tax profit 5%-10% an item is material if it is at
least 5% or 10% of reported
pre-tax profit
 – Total assets 1%-2% a balance is material if it
represents at least 1% or
2% of total assets
• An item may be material due to its;
• Nature of the item involved – the valuation of some items of
the financial are more subjective than others and depend on
estimates.
• The significance of the item – some items may be insignificant
in terms of their monetary amount, but may nevertheless be
of particular interest to the users of the financial statement.
For instance, the bonus payments to directors
 Materiality Threshold Cont.
– The impact of the item on the view presented by the
financial statement – a small and apparently insignificant
error or omission may be material if, by correcting it:
• a reported profit is converted into a reported loss; or
• the correction significantly alters the trend of profit
• The reason for these guidelines are;
• The guidelines give the auditor a framework within which to
base his thoughts on materiality
• The guidelines provide a benchmark against which to assess
the quality of auditing, for example, in the event of litigation or
disciplinary action
 Performance Materiality
• Performance materiality is the amount(s) set by
auditors at below overall materiality to reduce to an
appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements
exceeds overall materiality.
• In simple terms, performance materiality is the
‘working materiality’. It sets a numerical level which
helps guide auditors to do enough work (but,
importantly, not too much) to support their audit
opinion.
 Performance Materiality Contd.
• Thus, performance materiality relates to the concept
of tolerable misstatement, which is the amount of
misstatement in an account balance that the auditor
could tolerate and still not judge the underlying
account balance to be materially misstated.
 Performance Materiality Contd.
• Broadly it serves two functions:
– to reduce the aggregation risk (the risk that the aggregate of
uncorrected and undetected misstatements individually
below materiality will exceed materiality for the financial
statements as a whole) to an acceptable level; and
– to provide a safety net against the risk of undetected
misstatements.
 Performance Materiality Contd.
• Thus having set the overall materiality, the
performance materiality is a lower figure. How much
lower usually depends on the assessed level of risk of
material misstatement.