Chapter 5: Risk

Chapter learning objectives

Upon completion of this chapter you will be able to:

  • Identify the objectives of the auditor;
  • Describe the need to plan and perform audits with professional scepticism, and to exercise professional judgement;
  • Explain the need to conduct audits in accordance with ISAs;
  • Explain the components of audit risk;
  • Explain how auditors obtain an understanding of the entity and its environment; and
  • Describe the risk assessment procedures.

1 Risk

The overriding principle of auditing is introduced in ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with ISA's:

'To obtain reasonable assurance, the auditor shall obtain sufficient appropriate evidence to reduce audit risk to an acceptably low level.....'

Audit risk is the risk that the auditor expresses an inappropriate audit opinion.

This is further developed by ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment, which states:

'The objective of the auditor is to identify and assess the risk of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.'

In simple terms:

  • the auditor identifies the risk of material misstatement; and
  • they use this to guide the design of their audit testing/procedures.

To assess the risk of material misstatement the auditor:

  • Firstly assesses the unique operating environment of the client. This is the root cause of misstatement and is often referred to as inherent risk.
  • Secondly the auditor considers how the client's control systems, particularly financial ones, prevent and detect those misstatements. This is referred to as control risk.

What is a 'misstatement'?

ISA 450 Evaluation of Misstatements Identified During the Audit considers what a misstatement is and deals with the auditor's responsibility in relation to misstatements.

It identifies a misstatement as being:

"A difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise from error or fraud."

There are three categories of misstatements:

(i)Factual misstatements.

(ii) Judgemental misstatements.

(iii)Projected misstatements.

2 Risk assessment as part of the audit process

Auditors are required to perform audits with an attitude of 'professional scepticism' This is defined as:

"An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence." (ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing).

Having an enquiring mind in itself is not sufficient to comply with a risk based method of auditing. In order to fulfil this responsibility auditors must also use professional judgement. This means the application of relevant training, knowledge and experience in making informed decisions about the courses of action that are appropriate to the unique circumstances of the audit engagement.

Therefore the use of a risk based approach requires skill, knowledge, experience and an inquisitive, open mind; something that is neither gained quickly nor easily.

3 The importance of risk analysis

Risk analysis is an important stage of the audit. In conducting a thorough assessment of risk auditors will be able to:

  • Identify areas of the financial statements where misstatements are likely to occur early in the audit;
  • Plan procedures that address the significant risk areas identified;
  • Carry out an efficient, focussed and effective audit;
  • Minimise the risk of issuing an inappropriate audit opinion to an acceptable level;
  • Reduce the risk of reputational and punitive damage;

Although risk assessment is a fundamental element of the planning process, it is important to understand that risks can be uncovered at any stage of the audit and that procedures must be adapted in light of revelations that indicate further risks of material misstatement. It is, ultimately, the responsibility of the most senior reviewer (usually the engagement partner) to confirm that the risk of material misstatement has been reduced to an acceptable level.

4 Audit risk

As stated earlier; audit risk is the risk of that the auditor expresses an inappropriate audit opinion, i.e. that they give an unmodified audit opinion when the financial statements contain a material misstatement.

It can be further defined by way of the following formula:

Inherent risk

This is the susceptibility of a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or in aggregate, before consideration of related controls. In other words this is the risk that a misstatement occurs in the first instance.

Inherent risk is often considered in relation to business risk. These are the risks resulting from conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its business objectives and goals. Ultimately these business risks can lead to complications and deficiencies in the accounting process, which could lead to fraud, error or omission.

Clearly this requires the audit team to have a good knowledge of how the client's activities are likely to affect its financial statements, and the audit team should discuss these matters in a planning meeting before deciding on the detailed approach and audit work to be used.

Control risk

This is the risk is that a misstatement will not be prevented, or detected and corrected on a timely basis by the entity's internal controls. This is either due to the internal control system being insufficient in the circumstances of the business or because the controls have not been applied effectively during the period.

We will consider internal control in depth later in the text.

Detection risk

This is the risk that the procedures performed by the auditor to reduce audit risk to an acceptable level will not detect potentially material misstatements, either individually or in aggregate.

Detection risk comprises sampling risk and non-sampling risk.

Sampling risk is the risk that the auditor's conclusion based on a sample is different from the conclusion that would be reached if the whole population were tested (see sampling in the audit evidence chapter).

Non-sampling risk is the risk that the auditor's conclusion is inappropriate for any other reason, e.g. the application of inappropriate procedures or the failure to recognise a misstatement.

5 Understanding the Entity and its Environment

Auditors are required to obtain an understanding of: their clients; their clients' environments; and their clients' internal controls. This is often referred to as Knowledge of the Business, or "KOB." This generally includes:

  • Relevant industry, regulatory and other external factors (including the financial reporting framework);
  • The nature of the entity, including:
    • its operations;
    • its ownership and governance structures;
    • the types of investment it makes; and
    • the way it is structured and financed.
  • The entity's selection and application of accounting policies;
  • The entity's objectives, strategies and related business risks;
  • The measurement and review of the entity's financial performance; and
  • The internal controls relevant to the audit.

(ISA 315 Identifying and Assessing the Risks of Material Misstatement...)

The purpose of acquiring this knowledge is to identify the risks that the business is exposed to and, ultimately, how could these lead to a risk of material misstatement in the financial statements.

The information used to complete these references can come from a wide range of sources, including:

Risk assessment procedures

ISA 315 requires auditors to perform the following procedures to understand the entity and its environment:

  • Enquiries with management and others within the client entity (e.g. about external and internal changes the company has experienced);
  • Analytical procedures; and
  • Observation (e.g. of control procedures) and inspection (e.g. of key strategic documents and procedural manuals).

6 Analytical procedures

Analytical procedures are fundamental to the auditing process and are used at the planning, performance and review stage of the audit. They are defined in ISA 520 Analytical Procedures as:

"The evaluation of financial information through analysis of plausible relationships among both financial and non-financial data."

Traditionally they incorporate the comparison of:

  • Current and prior year figures;
  • Current and budgeted/forecast figures; and
  • Client and industry average figures.

At the planning stage analytical procedures are useful for helping to gain an understanding of the client's performance over the last twelve months and to identify any significant changes to the business, for example: the disposal of significant land and buildings. In addition, analytical procedures are also used to identify peculiar deviations (from either prior year figures, budget or the auditor's knowledge) that could indicate misstatement in the reported figures. These must then be investigated during final audit procedures.

For example; when conducting an analytical review of a current audit client you notice that turnover had increased by 20% in comparison to last year but delivery costs have increased by 50%. Normally you would expect costs to rise in line with changes in activity but clearly delivery costs have increased at a much higher rate. Plausible reasons for this variance include:

  • Increasing sales by attracting customers from more distant geographical locations;
  • Reducing delivery waiting times by making more frequent deliveries; or
  • There is an error in either sales or delivery costs.

The reason for the variance will be investigated during the audit until a satisfactory explanation is obtained.

More recently, computer aided auditing techniques have been used to perform data analysis.

Example risks

Test your understanding 1: FIXED TEST 2

(a)Explain the term 'audit risk'.

(4 marks)

(b)You are the audit manager for Parker, a limited liability company which sells books, CDs, DVDs and similar items via two divisions: mail order and on-line ordering on the Internet. Parker is a new audit client. You are commencing the planning of the audit for the year-ended 31 May 20X5. An initial meeting with the directors has provided the information below.

The company's sales revenue is in excess of $85 million with net profits of $4 million. All profits are currently earned in the mail order division, although the Internet division is expected to return a small net profit next year. Sales revenue is growing at the rate of 20% p.a. net profit has remained almost the same for the last four years.

In the next year, the directors plan to expand the range of goods sold through the Internet division to include toys, garden furniture and fashion clothes. The directors believe that when one product has been sold on the Internet, then any other product can be as well.

The accounting system to record sales by the mail order division is relatively old. It relies on extensive manual input to transfer orders received in the post onto Parker's computer systems. Recently errors have been known to occur, in the input of orders, and in the invoicing of goods following despatch. The directors maintain that the accounting system produces materially correct figures and they cannot waste time in identifying relatively minor errors. The company accountant, who is not qualified and was appointed because he is a personal friend of the directors, agrees with this view.

The directors estimate that their expansion plans will require a bank loan of approximately $30 million, partly to finance the enhanced web site but also to provide working capital to increase inventory levels. A meeting with the bank has been scheduled for three months after the year end. The directors expect an unmodified auditor's report to be signed prior to this time.


Identify and describe the matters that give rise to audit risks associated with Parker.

(10 marks)

Test your understanding 2

You are an audit senior at JPR Edwards LLP and you are currently planning the statutory audit of Hook Ltd for the year ending 30th June 2011. Your firm were appointed auditors in January 2011 after a successful tender to provide audit and tax services. JPR Edward LLP were asked to tender after the lead partner, Neisha Selvaratalm, met Hook Ltd's CEO, Pete Tucker, at a charity cricket match. Neisha explained that they were unhappy with the previous auditors as Pete Tucker felt their audit didn't add much value to Hook Ltd.

Hook Ltd was established in 1985 and manufacturers electrical goods such as MP3 players, smart phones and personal computers for the entertainment market. They do not retail their goods under their own name but manufacture for larger companies with established brands. Their key client, who represents 70% of their revenue, was the market leader in smart phones and MP3 players in 2010 with 60% market share.

Hook uses a number of suppliers to source components for their products. Most suppliers are based in the UK however Hook imports microchips, a key component in all their goods, from a number of suppliers based in San Jose, Costa Rica. They assemble their goods in their one factory in Staines, UK, and package their products for their customers before distribution across the UK.

During the year Hook started developing applications which can be downloaded onto their smart phones. They have spent $1million on an application called "snore-o-meter" which allows the users to record the sounds they make while they are asleep. There was a technical difficulty in production which meant the launch of "snore-o-meter" was delayed from the 31st March 2011 to its anticipated release on the 31st July 2011.

To fund their expansion into Smartphone applications Hook is seeking a listing on the London Stock Exchange in the fourth quarter of 2011. In preparation Pete Tucker has read the 'UK Corporate Governance Code' and understands the need and benefit of many of its principles however he is unsure how the formation of an audit committee will benefit Hook Ltd.


(a)In your role planning the audit of Hook Ltd:

(i)Identify and explain the key risks for the audit of Hook Ltd.

(9 marks)

(ii) Explain the effect on your audit approach for each risk identified.

(6 marks)

(b)Briefly describe the benefits of Hook Ltd forming an audit committee.

(5 marks)

(Total: 20 marks)

Test your understanding 3

Nepco is a European company that manufactures high quality computer components and assembles computer parts. It has existed for some years and is part of a vertical supply chain for a well-known brand of computer hardware. Profits are coming under increasing pressure from manufacturers in the Far East and Asia with lower labour costs, and from rising raw material costs. Nepco is listed on a stock exchange. There is pressure from institutional investors for better returns in the form of dividends and the main institutional investors are considering selling a proportion of their shares in the company. The directors of Nepco are considering whether to move into new market areas.

Nepco has good accounting and internal control systems. Inventory is material to the accounts, and there is a good set of permanent inventory records. No year-end inventory count is conducted. Operational compliance issues are important to Nepco as many countries have inflexible quality standards and some projects are being held up because of difficulties in obtaining approval from regulators for new components. All staff and directors of Nepco are remunerated (at least in part) on a performance-related basis, some with share options. Staff are generally highly qualified and well-paid.

This is your first year as auditors. Your firm has very little experience in this industry. External audit costs are tightly controlled and your firm has agreed to a budget that will allow very little flexibility.


(a)Describe the risks relating to Nepco under the headings of inherent risk, control risk and detection risk.

(12 marks)

(b)In the light of the risks identified in (a) above, list the matters to which you will pay particular attention during the audit of Nepco and explain the work you will perform in relation to them.

(8 marks)

(Total: 20 marks)

Test your understanding 4

(a) With reference to ISA 520 Analytical Procedures explain

(i)what is meant by the term 'analytical procedures';

(2 marks)

(ii) the different types of analytical procedures available to the auditor; and

(3 marks)

(iii)the situations in the audit when analytical procedures can be used.

(3 marks)

Tribe Co sells bathrooms from 15 retail outlets. Sales are made to individuals, with income being in the form of cash and debit cards. All items purchased are delivered to the customer using Tribe's own delivery vans; most bathrooms are too big for individual's to transport in their own motor vehicles. The directors of Tribe indicate that the company has had a difficult year, but are pleased to present some acceptable results to the members.

The income statements for the last two financial years are shown below:

Income statement


(b)As part of your risk assessment procedures for Tribe Co, identify and provide a possible explanation for unusual changes in the income statement.

(9 marks)

7 Chapter summary

The principle is simple: the auditor amends the audit approach in response to risk assessment. They can achieve this by:

  • emphasising the need for professional scepticism;
  • assigning more experienced staff to risk areas;
  • increasing supervision levels;
  • increasing the element of unpredictability in sample selection;
  • changing the nature, timing and extent of procedures.
  • increasing the emphasis on substantive tests of detail.

Test your understanding answers

Test your understanding 1: FIXED TEST 2

THIS IS A FIXED TEST – Please answer the question in full (long form written). Then log on to EN-gage at the following address: Follow the link to 'Fixed Test 2' and answer the questions based on your homework answer.

Once you have answered the questions on EN-gage a model answer will be available for your reference.

Test your understanding 2

(a)Audit risks and effect on audit approach

(b)Benefits of audit committee for Hook Ltd

At present the directors of Hook Ltd appoint the external auditors via a tender process. JPR Edwards were invited to tender following a meeting between the audit partner and the CEO at a charity cricket match. This may raise an issue of independence as the board may appoint auditors based on friendship rather than merit. If the audit committee is established it will consist of independent NED's who, based on their experience, can run the tender process and provide an independent recommendation to the board and the shareholders.

JPR Edwards also provides tax services to Hook Ltd. This may result in a conflict of interest or a self review threat to the auditors objectivity. The audit committee will have the time and expertise to review the provision of all services by the auditor to ensure that they are appropriate and do not threaten the independence of the auditor.

Hook Ltd has previously complained the previous auditor did not add any value. The audit committee can assist in providing better communications between the directors and external auditors. They can set a time frame for the external auditor to deliver their 'management letter' and ensure that the auditors recommendations are considered and implemented where appropriate.

JPR Edwards is looking to list on the London Stock Exchange later in the year. Setting up an audit committee in advance would demonstrate the company is committed to good corporate governance. Potential shareholder's confidence will be increased in published financial information that has been reviewed by an independent audit committee.

The audit committee can also provide specialist knowledge of financial reporting as at least one of the members should have relevant and recent financial reporting experience. As Hook Ltd operates in the technological market the accounting treatment of smart phone application development costs may be difficult and the committee can advise on best practice in the industry.

The audit committee can also help the management of Hook Ltd to fulfil their responsibilities to implement and maintain an appropriate system of risk management and internal control. As Hook Ltd is operating in a dynamic, technological market and has already entered new markets, with their smart phone applications, the audit committee can provide advice on risk management. This will help the company to evaluate and decrease the risk exposure of the company. They can raise awareness throughout Hook Ltd about the need for effective internal control systems and advise on the implementation of and testing of internal controls.

If Hook Ltd does not already have an internal audit department, best corporate governance practice recommends they set up an internal audit function. To ensure the internal function is independent as possible they should report to the audit committee. This will help to ensure internal audit's findings are fully and fairly considered and their recommendations are actioned.

Test your understanding 3


(i)Inherent risks include:

  • The competition from Asian and Far Eastern companies, and rising raw material prices. This means that there is pressure on profits and the ability to reward employees and pay dividends to institutional shareholders which increases the pressure to manipulate the financial statements to show good returns.
  • The potentially volatile market (computer components) in which new technology can render hardware obsolete in a very short time. This means that there is an ongoing risk to the business as a whole (a potential going concern risk) – the company must be adaptable.
  • The risk that regulators may reject a product which has taken many months or years to develop.
  • The pressures for returns from institutional investors which means that there may be a temptation to manipulate the financial statements.
  • The possible sale of shares, increasing the pressure for returns in order to get the best possible price, which increases the pressure to manipulate the financial statements.
  • The inherent risks in diversification into unknown areas (the supply of other customers) –but these are not current risks.

(ii) Control risks: there are apparently very few except for the performance-related payment, including share options, which provides an incentive to produce 'acceptable' figures.

(iii)Detection risk: this is the firm's first year as auditors and there are tight controls on audit costs, which may lead to inadequate audit evidence unless the audit is properly directed, supervised and reviewed. This is compounded by the firm's lack of experience in this area. It is important that those with experience are employed on this audit, at least in a review capacity.

(b)Matters to which attention should be paid and work to be performed

(i)The good accounting records and internal control combined with the need to keep audit costs down means that a compliance approach, rather than a substantive approach will be necessary wherever possible.

(ii) Audit work will need to be directed towards inventory (despite the fact that it is well controlled) because it is material to the accounts. There is no year-end inventory count, and inventory is relatively easy to manipulate. It is likely that there will be a substantial amount of work-in-progress and its valuation will need to be reviewed carefully. It may be possible to rely on any interim or cyclical inventory counting.

(iii)The projects on which compliance problems have arisen should be examined carefully as the costs may be significant and there may be a temptation to understate them.

(iv)Overall profits and any unadjusted errors should be examined carefully because of the inherent risks noted above and the performance-related pay.

(v) The company's going concern status should be reviewed by examining its financial status, financial support and likely future developments in high risk areas.

Test your understanding 4

(a) (i)Explanation of analytical procedures

(ii)Types of analytical procedures

Analytical procedures can be used as:

(iii)Use of analytical procedures

Risk assessment procedures

Created at 5/24/2012 2:35 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 10/3/2012 2:47 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Rating :

Ratings & Comments  (Click the stars to rate the page)


Recent Discussions

There are no items to show in this view.