Audit risk is the risk that the auditor might give
an incorrect or inappropriate opinion on the financial statements.
an incorrect or inappropriate opinion on the financial statements.
A wrong audit opinion means, for example, saying
that the financial statements show a true and fair view when in fact they do
not nor saying they do not show a
that the financial statements show a true and fair view when in fact they do
not nor saying they do not show a
true and fair view when, in fact, they do.
This can result in damage to the audit firm for
giving a negligent opinion if the audit has not been performed properly. Damage
to the audit firm may be in the form of monetary damages paid to a client or
third party as compensation for loss caused by the conduct (e.g. negligence) of
the audit firm or simply loss of reputation with the client and the business
community.
giving a negligent opinion if the audit has not been performed properly. Damage
to the audit firm may be in the form of monetary damages paid to a client or
third party as compensation for loss caused by the conduct (e.g. negligence) of
the audit firm or simply loss of reputation with the client and the business
community.
ISA 200 objective and general principles governing
an audit of financial statements and ISA 315 obtaining an understanding of the
entity and its environment and assessing the risks of a material misstatement,
set out the basis of how auditors should approach assessing audit risk.it is
important for the student to appreciate that audit risk is not the same as
business risk, although there are some common features. Audit risk is the risk
auditors have to assess, business risks are the totality of risks faced by a
business or organization carrying on its on its everyday activities.
an audit of financial statements and ISA 315 obtaining an understanding of the
entity and its environment and assessing the risks of a material misstatement,
set out the basis of how auditors should approach assessing audit risk.it is
important for the student to appreciate that audit risk is not the same as
business risk, although there are some common features. Audit risk is the risk
auditors have to assess, business risks are the totality of risks faced by a
business or organization carrying on its on its everyday activities.
Audit risk is not business risk and nor is it the
sort of areas of audit difficulty (i.e. new subsidiary, branch in Wigan, new
staff, etc.) identified in our metalbash example above-although thsese
contribute to the auditors overall assessment of audit risk, but as part of a
much wider consideration.
sort of areas of audit difficulty (i.e. new subsidiary, branch in Wigan, new
staff, etc.) identified in our metalbash example above-although thsese
contribute to the auditors overall assessment of audit risk, but as part of a
much wider consideration.
Audit risk must be assessed at both the
organizational level, i.e. looking at the financial statements as a whole, and
at the transaction level where the auditor is seeking to verify disclosure of
individual components of the financial statements, e.g. the value of stock and
work in progress or the turnover figure. However, the general approach to
assessing audit risk is the same whether it is being considered at the
organizational level or at the transaction level.
organizational level, i.e. looking at the financial statements as a whole, and
at the transaction level where the auditor is seeking to verify disclosure of
individual components of the financial statements, e.g. the value of stock and
work in progress or the turnover figure. However, the general approach to
assessing audit risk is the same whether it is being considered at the
organizational level or at the transaction level.
Audit risk is calculated by using a formula which
is:
is:
AR
= IR X CR X DR
= IR X CR X DR
AR is audit risk- the risk that the auditor will
draw an invalid conclusion.
draw an invalid conclusion.
Inherent risk (IR)
IR is inherent risk – risk which derives from the
nature of the entity itself, its business and of its environment, or at the
transaction level it is the susceptibility of the transaction to possible
misstatement due to their nature or complexity.
nature of the entity itself, its business and of its environment, or at the
transaction level it is the susceptibility of the transaction to possible
misstatement due to their nature or complexity.
Factors influencing inherent risk are:
·
The
nature of the entity’s business, e.g. a construction company is a more volatile
business than a fruit importing business.
The
nature of the entity’s business, e.g. a construction company is a more volatile
business than a fruit importing business.
·
The
quality and experience of the management.
The
quality and experience of the management.
·
The level
of competition in its market.
The level
of competition in its market.
·
The
complexity of its operation in its market.
The
complexity of its operation in its market.
·
The
complexity of its operations.
The
complexity of its operations.
·
The cash
situation of the business.
The cash
situation of the business.
·
The
trading history the susceptibility to misappropriation.
The
trading history the susceptibility to misappropriation.
At the transaction level inherent risk is affected
by:
by:
·
The
susceptibility to misappropriation.
The
susceptibility to misappropriation.
·
The
complexity of the transactions.
The
complexity of the transactions.
·
The
degree of judgments involved.
The
degree of judgments involved.
Control risk (CR)
CR is control risk- this is the risk that the
client’s internal control procedures will fail to detect a material error or
misstatement.
client’s internal control procedures will fail to detect a material error or
misstatement.
Control risk is influenced by:
·
The
attitude of the directors and management towards internal control-what is known
as the ‘control environment’
The
attitude of the directors and management towards internal control-what is known
as the ‘control environment’
·
The level
of supervision in the business
The level
of supervision in the business
·
The
integrity of the staff and management.
The
integrity of the staff and management.
·
The
strength of the individual controls in each area of the system.
The
strength of the individual controls in each area of the system.
The ICQs, flow charts and ICEQs will all influence
the assessment of control risk, as will some of the areas of audit difficulty
such as those described in the metalbash example above:
the assessment of control risk, as will some of the areas of audit difficulty
such as those described in the metalbash example above:
·
New and
inexperienced staff
New and
inexperienced staff
·
Changes
in accounting systems.
Changes
in accounting systems.
·
Additional
locations.
Additional
locations.
·
New products.
New products.
Detection risk (DR)
DR is detection risk- the the auditor’s own
procedures and review of the financial statements will not detect material
errors or misstatements.
procedures and review of the financial statements will not detect material
errors or misstatements.
Evaluating audit risk
The auditor will make a preliminary assessment of
the levels of inherent and control risk.
the levels of inherent and control risk.
This can be done either by a simple subjective judgments,
assessing risk as ‘high’, medium or ‘low’ or by applying a value weighting or a
statistical technique.
assessing risk as ‘high’, medium or ‘low’ or by applying a value weighting or a
statistical technique.
Auditors generally aim to have no more than a 5 per
cent risk that the financial statements are materially incorrect – in other
words they would be 95 per cent certain that their opinion is the correct one.
This is known as the confidence level.
cent risk that the financial statements are materially incorrect – in other
words they would be 95 per cent certain that their opinion is the correct one.
This is known as the confidence level.
The important thing for the student to appreciate
is that detection risk is the variable in the equation. The higher the level of
inherent and control risk, the more checking work the auditor has to do.
is that detection risk is the variable in the equation. The higher the level of
inherent and control risk, the more checking work the auditor has to do.
This can be illustrated by using an arithmetical
example.
example.
Suppose the auditors estimate the level of inherent
risk to be 50 per cent and the level of control risk to be 20 per cent, i.e.
that there is an 90 per cent chance that an error or mistake would be detected
by the internal control system.
risk to be 50 per cent and the level of control risk to be 20 per cent, i.e.
that there is an 90 per cent chance that an error or mistake would be detected
by the internal control system.
By rearranging the equation we can determine the
level of detection risk.
level of detection risk.
DR
= AR ÷ (IR X CR)
= AR ÷ (IR X CR)
With audit risk at 5 per cent, the equation
becomes:
becomes:
DR
= 0.05 ÷ (0.5 X0.2) = 0.5 OR 50%
= 0.05 ÷ (0.5 X0.2) = 0.5 OR 50%
Auditors would then have to consider the level of
audit work they would have to do to maintain detection risk at the 50 per cent
level.
audit work they would have to do to maintain detection risk at the 50 per cent
level.
Care must be taken to weigh the risk from each
source of evidence as it is gathered an then to avoid over auditing in the
remaining evidence gathering. For example, if adequate weight is given to
inherent factors and analytical review it may be that minimal internal control
evaluation and/or detailed testing will be required.
source of evidence as it is gathered an then to avoid over auditing in the
remaining evidence gathering. For example, if adequate weight is given to
inherent factors and analytical review it may be that minimal internal control
evaluation and/or detailed testing will be required.
In order to properly evaluate the levels of
inherent and control risk auditors need to carry out the investigatory
procedures described above, namely:
inherent and control risk auditors need to carry out the investigatory
procedures described above, namely:
·
Get to
know their client – as part of their planning procedures; and
Get to
know their client – as part of their planning procedures; and
·
Review
the client’s internal control systems by documenting them thoroughly and by the
use of questionnaires.
Review
the client’s internal control systems by documenting them thoroughly and by the
use of questionnaires.
It cannot be
stressed enough that without this preliminary review of the client’s business
and its systems and thorough documentation the audit may be seriously flawed.
stressed enough that without this preliminary review of the client’s business
and its systems and thorough documentation the audit may be seriously flawed.
Auditors base all of their checking work, indeed
their whole audit strategy, on their opinion of the client’s financial
capabilities and the business risks involved in the client’s activities. All
the auditors’ subsequent activity stems from this preliminary investigation and
discovery work which, if it is incomplete or flawed may well lead to:
their whole audit strategy, on their opinion of the client’s financial
capabilities and the business risks involved in the client’s activities. All
the auditors’ subsequent activity stems from this preliminary investigation and
discovery work which, if it is incomplete or flawed may well lead to:
·
Inadequate
testing of key areas.
Inadequate
testing of key areas.
·
Being
misled by managers because of incomplete knowledge of the business.
Being
misled by managers because of incomplete knowledge of the business.
·
Failing
to indentify areas where frauds could be committed.
Failing
to indentify areas where frauds could be committed.