02 Audit Risk - Slides

Audit and assurance

Uploaded by

joseph jay banda
Copyright: © All Rights Reserved

Audit Risk ISA 330

Robert Kaunda Siame

Profit is the result of risks wisely selected.
Frederick Barnard Hawley, American economist (1843–1929)

Risk comes from not knowing what you’re doing.
Warren Buffett, widely regarded as one of the most successful investors in the world
Learning Outcome
Define audit risk and describe how it can be broken down into the three separate components of the audit
risk model to help assess and respond to such risks during the audit planning process.

Explain auditors’ responsibility for fraud risk assessment and define and explain the differences among
several types of fraud and errors that might occur in an organization.

Explain an auditor’s responsibility to assess inherent risk, including a description of the type of risk
assessment procedures that should be performed when assessing inherent risk on an audit engagement.

Understand the different sources of information and the audit procedures used by auditors when assessing
risks, including analytical procedures, brainstorming, and inquiries.

Explain how auditors complete and document the overall assessment of inherent risk.

Explain auditors’ responsibilities with respect to a client’s failure to comply with laws or regulations.

Describe the content and purpose of an audit strategy memorandum.


INTRODUCTION

Enron, one of the world’s largest energy companies, reported revenues that
ranked it among the top 10 companies in the United States. The company
doubled its revenues from 1999 to 2000, and company management predicted
that it would do so again for 2001. Andersen, then one of the world’s five
largest public accounting firms, provided auditing and consulting services to
Enron, earning Andersen a million dollars a week in fees.

While the auditors expressed concerns with respect to some of Enron’s
aggressive accounting practices, the future appeared strong for both companies.
Andersen’s planning team projected both increased growth for Enron and
increased fees for Andersen. Fast-forward nine months. By December 2001,
Enron was a shell of its former self. The company had terminated almost its
entire workforce. Enron’s share price had plummeted from $90 in August 2000
to less than a dollar by December 2001, leaving many of its employees, who had
invested their life savings in the high-flying energy company, out of work and
virtually penniless.
INTRODUCTION
Enron’s failure struck an irreparable blow to Andersen’s reputation; one by one,
Andersen’s other clients decided to find new audit firms rather than be associated
with a firm that was now labeled by the business press as “low quality.” Beset with
shareholder lawsuits and government-led investigations of its audit practices, the
firm struggled to maintain its very existence. After providing auditing services for
almost a century to some of America’s largest companies, Andersen decided to
leave the practice of auditing public companies by August 31, 2002. The firm’s
partnership equity, depleted by litigation and shareholder settlements, had been
reduced to almost nothing, leaving new partners with nothing to show for the
hundreds of thousands of dollars they paid to buy into the firm’s partnership.

How could one of the oldest and most venerable auditing firms (Andersen) miss the financial
statement fraud going on at one of its largest audit clients, resulting in the firm’s ultimate
dissolution? To start, the audit team assigned to the Enron engagement failed to identify and
then assess the risks of material misstatement. In addition, for those risks that were identified
and assessed properly, the auditors failed to adequately respond to those risks of material
misstatement.
Audit Risk

Audit risk is the probability that an audit team will express an
inappropriate audit opinion when the financial statements are
materially misstated (i.e., give an unmodified opinion on
financial statements that are misleading because of material
misstatements that the auditors failed to discover).

Such a risk always exists, even when audits are well planned and
carefully performed. Of course, the risk is much higher in poorly
planned and carelessly performed audits. The auditing profession
has no official standard for an acceptable level of overall audit
risk except that it should be “appropriately” low.

In practice, audit risk is evaluated at both the:
• overall financial statement level (as a whole) and
• for each significant account and disclosure through a focus on the relevant assertions identified.
Significant Account or Disclosure

A significant account or disclosure is an account or disclosure that has a
reasonable possibility of containing a material misstatement regardless of
the effect of internal controls.

A relevant assertion is a management declaration that has a reasonable
possibility of containing a material misstatement without regard to the
effect of internal controls. The concern an auditor has regarding any
particular assertion depends on the significant account that the auditor is
testing (or to which the assertion relates).
Example

An auditor may deem the occurrence assertion to present more risk when
testing revenue than the completeness assertion presents. Most companies
want to report a healthy stream of revenue, so it is unlikely that they will
omit sales that would violate the completeness assertion.

It is more likely that a company reports sales that did not occur to present
more revenue, which would violate the occurrence assertion.
Understanding and Mitigating Audit Risk

To better understand and ultimately mitigate audit risk, professional
standards break down overall audit risk into the risk:
• that a material misstatement will occur (inherent risk)
• that it would not be prevented or detected by client internal controls (control risk), and
• that is not detected by the auditor’s own procedures (detection risk).

Because inherent risk and control risk are related to the company and its
overall environment, these two components are combined into the risk of
material misstatement (RMM), which is the risk a material misstatement
exists in the financial statements before auditors apply their own
procedures.
The Audit Risk Model

A standard audit risk model is available to help auditors identify and
quantify the main elements making up overall audit risk.

Audit risk is the risk (chance) that the auditor reaches an inappropriate
(wrong) conclusion on the area under audit.
For example, if the audit risk is 5%, this means that the auditor accepts
that there will be a 5% risk that the audited item will be misstated in the
financial statements, and only a 95% probability that it is materially
correct.
The Audit Risk Model

This model can be stated as a formula:
AR = IR × CR × DR
where:
AR = audit risk
IR = inherent risk
CR = control risk, and
DR = detection risk.
Inherent Risk
Inherent risk is the probability that, in the
absence of internal controls, material errors or
frauds could enter the accounting system used
to develop financial statements. You can think
of inherent risk as the susceptibility of the
account to misstatement.

Inherent risk is a function of:
• the nature of the client’s business
• strategy to achieve competitive advantage
• the major types of transactions, and
• the effectiveness and integrity of its managers and accountants.

It is important to understand
that for different accounts,
various assertions are riskier
than others.
Example

For cash, existence is riskier than completeness because it is more likely that a client
would try to include more cash than it really had on its balance sheet rather than less; and
for accounts payable, completeness is riskier than existence because it is more likely that
a client would try to understate what it really owed rather than overstate the amount.

As a result, auditors focus their attention on relevant assertions.

Finally, it is important to remember that auditors do not create or control inherent risk.
They can only try to assess its magnitude in an appropriate manner.
Example

Inherent risk may result from either:
• The nature of the items themselves.
  For example, estimated items are inherently risky because their
  measurement depends on an estimate rather than a precise measure; or
• The nature of the entity and the industry in which it operates.
  For example, a company in the construction industry operates in a
  volatile and high-risk environment, and items in its financial statements
  are more likely to be misstated than items in the financial statements of
  companies in a more low-risk environment, such as a manufacturer of food
  and drinks.


Control Risk

Control risk is the risk that a misstatement would not be prevented or
detected by the internal control systems that the client has in operation.

In preparing an audit plan, the auditor needs to make an assessment of
control risk for different areas of the audit. Evidence about control risk
can be obtained through ‘tests of control’.
Detection risk

Detection risk is the risk that the audit testing procedures will fail to
detect a misstatement in a transaction or in an account balance.
• For example, if detection risk is 10%, this means that there is a 10%
  probability that the audit tests will fail to detect a material misstatement.

Detection risk can be lowered by carrying out more tests in the audit.
• For example, to reduce the detection risk from 10% to 5%, the auditor
  should carry out more tests.
The Audit Plan

In preparing an audit plan, the auditor will usually:
• Set an overall level of audit risk which he judges to be acceptable for the particular audit
• Assess the levels of inherent risk and control risk, and then
• Adjust the level of detection risk in order to achieve the overall required level of risk in the audit.
Example
An auditor has set an overall level of acceptable audit
risk in respect of a client of 10%. Inherent risk has
been assessed at 50% and control risk at 80%.
Required
a) Explain the meaning of a 10% level of audit risk
b) What level of detection risk is implied by this
information?
c) If the level of audit risk were only 5%, how
would this affect the level of detection risk and
how would the audit work be affected by this
change?
Answer

a) A 10% level of audit risk means that the auditor will be 90%
certain that his opinion on the financial statements is correct (or
there is a 10% risk that his opinion will be incorrect).
b) AR = IR × CR × DR
   then DR = AR / (IR × CR)
   DR = 0.10 / (0.50 × 0.80)
   Therefore DR = 0.25 = 25%
c) If AR is reduced to 5%, DR would now be 12.5%. More audit
work will be needed to achieve this lower level of detection risk.
Identifying Risks
Your assurance firm is the auditor of Risky Sounds, a retailer
selling hi-tech recording equipment. Risky Sounds was
started up just under a year ago by its sole shareholder and
director, Sam Smith. Sam has employed a series of book-
keepers to help him with the accounting records and financial
statements, and the most recent one has just left. In order to
start up the business Sam re-mortgaged his house and, in
addition, took out a business loan. As a condition of
continuing to provide the loan, the bank has asked to be
provided with a copy of the annual financial statements.
Required
Identify the risks in the above scenario and explain why they
are risks.
Solutions
• Hi-tech recording equipment. Any hi-tech product is likely to become
obsolete very quickly, as more advanced products come on to the
market. There is therefore a risk of obsolete inventory, which will need
to be written down, and ultimately, if the entity cannot keep up with
trends, the business may not be able to continue in existence.
• Started up just under a year ago. Any start-up business is inherently
risky, as many businesses fail in their first year.
• The first set of annual financial statements is due (a problem, given
the lack of a book-keeper).
• Detection risk, as the assurance firm will also be unfamiliar with the
business and no prior year figures will be available for comparison.
• Sole shareholder and director. This may give Sam personal motivation
to misstate the figures.
• No other (perhaps, more experienced) director to keep Sam in check
and ensure that he is making sound business decisions. This could
increase the risk of business failure.
Solutions

• A series of book-keepers. This perhaps indicates that Sam is putting
undue pressure on his book-keeper (perhaps to misstate the figures)
• Or that the business is so chaotic that the book-keepers have perhaps
all despaired of ever being able to put a decent accounting system in
place. Either of the factors indicates a high risk of misstatement
(intentional or otherwise).
• The most recent book-keeper has just left. Again, this indicates a high
risk of misstatement in the financial statements as there is currently
no book-keeper to prepare them. Even assuming that one is recruited,
he will be unfamiliar with the business and any accounting systems.
• Mortgage and bank loan. Both of these give Sam possible personal
motivation to misstate the figures to ensure that the business does not
go under and his home is safe from repossession.
The Link Between Sampling & the Audit Risk Model

Auditors do not normally check 100% of transactions and balances that go
into the production of financial statements.
• For example, they do not count every item of inventory, and
• do not check 100% of customer balances in the trade receivables ledger.

Instead, they select a sample of items for testing, and test the sample for
accuracy/reliability.

Sampling is the application of audit procedures to less than 100% of items
within a population, in order to draw conclusions about the population as a
whole.
Detection Risk

Detection risk is the risk of failure to detect a material misstatement
of an item in the financial statements as a result of insufficient audit
testing. It can be analyzed into two sub-risks:
• Sampling risk, and
• Non-sampling risk.


Sampling Risk

Sampling risk is the risk that the auditor’s conclusion based on a sample
may be different from the conclusion had he tested the entire population.
This will happen if the sample is not representative of the population as a
whole.

In order to decrease sampling risk, the auditor could select a larger
sample. By the laws of probability, sampling risk should be lower when a
larger sample is taken.
Non-Sampling Risk

Non-sampling risk is the risk that the auditor reaches an incorrect
conclusion for reasons other than sampling risk.

Because this could only occur due to factors involving errors by the
auditors or incompetence of the audit team, or the need to work to very
tight deadlines, in practice, the non-sampling risk will usually be set at
zero.
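
The link between the audit risk model and sample size, as an added example that is not part of the original slides: it takes the detection risk implied by the worked example (AR of 10% and 5%, IR 50%, CR 80%) and finds the smallest sample that meets it. Assumptions made here, not taken from the slides: non-sampling risk is zero, so detection risk equals sampling risk; the population of 100 items with 5 misstated is constructed; items are drawn at random without replacement; and any misstated item that lands in the sample is recognised.

```python
from math import comb


def detection_risk(audit_risk, inherent_risk, control_risk):
    """Rearranged audit risk model from the slides: DR = AR / (IR x CR)."""
    return audit_risk / (inherent_risk * control_risk)


def miss_probability(population, misstated, sample):
    """Chance that a random sample (without replacement) contains none of
    the misstated items, i.e. the sampling risk under the assumptions above."""
    clean = population - misstated
    if sample > clean:
        return 0.0  # more items sampled than clean items exist: a hit is certain
    return comb(clean, sample) / comb(population, sample)


def min_sample_size(population, misstated, target_risk):
    """Smallest sample whose miss probability is at or below target_risk."""
    for n in range(population + 1):
        if miss_probability(population, misstated, n) <= target_risk:
            return n
    return population


# Constructed population (assumption): 100 items, 5 of them misstated.
POPULATION, MISSTATED = 100, 5


def sample_sizes_for_worked_example():
    """Map each audit risk level to (implied detection risk, minimum sample)."""
    sizes = {}
    for audit_risk in (0.10, 0.05):
        dr = detection_risk(audit_risk, inherent_risk=0.50, control_risk=0.80)
        sizes[audit_risk] = (dr, min_sample_size(POPULATION, MISSTATED, dr))
    return sizes


if __name__ == "__main__":
    for ar, (dr, n) in sample_sizes_for_worked_example().items():
        print(f"AR={ar:.0%}  DR={dr:.1%}  minimum sample={n} of {POPULATION}")
```

On this constructed population, lowering detection risk from 25% to 12.5% raises the minimum sample from 24 to 34 items, which is the "more audit work" the answer to part (c) refers to.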
