Advanced Audit and Assurance

Lecture 8
Audit risk and Business Risk

SERVICE EXCELLENCE
 ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT
• Risk are assessed by reference to the audit risk
model.
• AUDIT RISK = the risk of giving the wrong audit
opinion
• So…
• AUDIT RISK = the risk of material errors in the
FS, which the auditor fails to detect

SERVICE EXCELLENCE
 Financial Statement Risk
• FS Risk is the risk of material errors in the
Financial Statements, and comprises 2 parts:
• ● INHERENT RISK – the risk of material errors in
the FS due to the nature of the business and its
transactions
• ● CONTROL RISK – the risk that a company's
own checking procedures (internal controls) fail
to prevent or detect these material errors from
happening.
SERVICE EXCELLENCE
 Detection Risk
• Detection Risk is the risk that the auditor's
substantive tests fail to find material errors
in the FS
• so...
• AUDIT RISK = FS RISK x DETECTION RISK.
• Or more usually…
• AUDIT RISK = INHERENT RISK x CONTROL RISK
x DETECTION RISK

SERVICE EXCELLENCE
 Using the audit risk model
• 1. Assess the client's inherent risk for each area of the
FS, and overall.
• 2. Assess whether the client's internal controls are
good enough to deal with these inherent risks.
• 3. If controls do not look strong (ie Control Risk is
HIGH), then Detection Risk will need to be kept
LOW in order to manage overall audit risk. This can
be done by:
• ● sending a more experienced audit team
• ● carrying out more (or better) substantive tests.

SERVICE EXCELLENCE
The auditor’s response to assessed risks (ISA
330)
• Once audit risks have been identified, the auditor
needs to respond to these risks in an appropriate way.
This will include taking steps such as:
• ● Designing tests of control and substantive tests to
address the risk areas.
• ● Emphasising to the audit team the need to maintain
professional scepticism.
• ● Assigning more experienced staff or those with
special skills or using experts.
• ● Providing more supervision.

SERVICE EXCELLENCE
The auditor’s response to assessed risks (ISA
330)
• ● Incorporating additional elements of
unpredictability in the selection of further audit
procedures to be performed.
• ● Making general changes to the nature,
timing or extent of audit procedures, for
example: performing substantive procedures at
the period end instead of at an interim date;
or modifying the nature of audit procedures
to obtain more persuasive audit evidence.

SERVICE EXCELLENCE
 AUDIT RISK
• Audit risk is the risk that the auditor will draw an
invalid conclusion from his audit. He may fail to qualify
his report when the accounts do not give a true and
fair view or conversely, the report may be qualified
when the accounts in fact give a true and fair view.
• Audit risk is classified as being a function of:
• Inherent risk;
• Control risk; and
• Detection risk

SERVICE EXCELLENCE
 INHERENT RISK
• Inherent risk is the likelihood of fraud or irregularities
occurring in the absence of any controls. It is defined
as the susceptibility of an account balance or class of
transactions to misstatements in other balance or
classes, assuming that there are no related internal
controls. It can be said to be the risk arising from the
nature of clients business and its environment.
• Inherent risk applies both at the entity level and at the
level of the account balance or class of transactions.

SERVICE EXCELLENCE
 INHERENT RISK INDICATIONS
• LOW RISK
• Management Characteristics:
• Management Operating Style: There is effective oversight
group such as an audit committee
• Conservative management philosophy with regard to both
operations and financial reporting
• Low turnover of management and senior accounting personnel
• Little emphasis on meeting earnings projections
• High relevant experience of management and principal
owners.

SERVICE EXCELLENCE
 INHERENT RISK INDICATIONS
• LOW RISK
• Operating and Industry Characteristics:
• Adequate financial and operating performance
• Relative insensitivity of operations to interest rate
changes or inflation
• The industry in which the company operates is well
established, stable and relatively uninfluenced by
external conditions.
• Centralised organisation of operations

SERVICE EXCELLENCE
 INHERENT RISK INDICATIONS
• LOW RISK
• Engagement Characteristics
• Previous audit history of unqualified opinion, no audit
disagreements, few audit adjustments.
• Insignificant conflicts of interest, regulatory problems and
auditor independence problems.
• Recurring engagement relationship with client
• Few difficult to audit transactions or balances.
• Limited management rewards linked to reported results.
• Strong control environment; formal, documented, internal
audit function and high budgetary control system.

SERVICE EXCELLENCE
 INHERENT RISK INDICATIONS
• HIGH RISK
• Management Characteristics:
• Management Operating Style: Owner manager dominance.
• Aggressive management philosophy with regard to both
operations and financial reporting.
• High turnover of management and senior accounting personnel.
• Very high emphasis on meeting earnings projections.
• Credible allegations of improper conduct and business reputation
of management and principal owners
• Low relevant experience of management and principal owners.

SERVICE EXCELLENCE
 INHERENT RISK INDICATIONS
• HIGH RISK
• Operating and Industry Characteristics:
• Inadequate or inconsistent financial and operating
performance
• Very sensitive to interest rate changes or inflation.
• The industry in which the company operates is
relatively new, unstable and greatly influenced by
external conditions.
• Decentralised organisation of operations

SERVICE EXCELLENCE
 INHERENT RISK INDICATIONS
• HIGH RISK
• Engagement Characteristics
• Previous audit history of qualified opinion, audit disagreements,
numerous audit adjustments.
• Significant conflicts of interest, regulatory problems and auditor
independence problems.
• New client
• Many difficult to audit transactions or balances.
• Substantial management rewards linked to reported results.
• Informal control environment lacking documentation, no
internal audit function and or budgetary control system.

SERVICE EXCELLENCE
 INHERENT RISK INDICATIONS
• Factors to consider at the class of transactions
account balance level include:
• The portability and attractiveness of assets such as
cash.
• The possible impact on profit, such as closing stock
• The complexity of accounting issues involved, for
example legal contingent liability.
• The degree of management judgment involved,
such as provision for doubtful debts.

SERVICE EXCELLENCE
 CONTROL RISK
• It is the risk that misstatement that could occur
in an account balance or class of transactions
and could be material, individually or when
aggregated with misstatements in other
balances or classes. Will not be prevented or
detected by the system of internal control.
• There will always be some control risk because
of the intrinsic limitations of any system of
internal control.
SERVICE EXCELLENCE
 CONTROL RISK
• Control risk assessment involves consideration of the
adequacy of the control design as well as testing
adherence to control procedures. In the absence of such
assessment the auditor should assume that control risk
is high.
• On completion of the assessment the auditor will be
able to assess the strength of internal controls over each
account balances or class of transactions, and thus the
extent of reliance, the converse of risk, that may be
placed on controls when designing substantive tests.

SERVICE EXCELLENCE
 CONTROL RISK
• The auditor may decide that for certain account balances
and class of transactions controls are likely to be
insufficient to place reliance on, as in small businesses,
or that reliance may not be cost-effective as in account
balances involving few transactions which are readily
verifiable by substantive testing such as long-term debt.
In such cases, control risk will be assessed typically as
being high, medium or low. However, knowledge of the
control environment may still affect the design of
substantive tests even where no reliance is to be placed
on controls.

SERVICE EXCELLENCE
 DETECTION RISK
• It is the risk that the auditors’ substantive tests will
not detect a misstatement in an account balance or
class of transactions that could be material
individually or when aggregated with misstatements
in other balances or classes.
• In other words, detection risk is the risk that audit
procedures will fail to detect material
misstatements. It relate to substantive procedures
and the inability of the auditors to examine all
evidence.
SERVICE EXCELLENCE
 DETECTION RISK
• Some detection risk would always be present
even if the auditor were to examine 100% of
the account balance or class of transactions
because the auditor may:
• May select an inappropriate audit procedure; or
• Misapplication of an appropriate audit
procedure; or
• Misinterpreting audit result.

SERVICE EXCELLENCE
 DETECTION RISK
• The auditors inherent and control risk
assessment influence the nature, timing and
extent of substantive procedures required to
reduce detection risk and thereby audit risk.
• AR = IR × CR × DR × SR
• DR is Detection risk from substantive tests other
than sampling such as analytical review
• SR is Detection risk from substantive tests based
on sampling
SERVICE EXCELLENCE
 BUSINESS RISK
• Business Risk is the threat that an event or
action will adversely affect a business’s ability
to achieve its ongoing objectives.
• It can be split between external factor and
internal factors.

SERVICE EXCELLENCE
 External Business Risks Factors
• Changing legislation (example, minimum wage)
• Changing interest rate (especially with highly geared companies)
• Changing exchange rates
• Public opinion, attitude, fashions (example environmental
factors)
• Price wars initiated by competitors.
• Import competition (example the textile trade)
• Untried technologies and ideas
• Bad debts resulting from economic factors
• Political factors
• Natural hazards (example, fire or flood)

SERVICE EXCELLENCE
 Internal Business Risks Factors
• Failure to modernize products, processes, labour relations, or marketing
resulting in loss of competitive edge.
• Employees (example: ineffective recruitment and training policies)
• Board members (example ineffective corporate governance)
• The process of dealing with suppliers or customers
• Excessive reliance on a dominant chief executive, thereby weakening
internal control
• Inappropriate gearing resulting in lack of financial efficiency
• Inappropriate acquisitions and poor future prospects
• Excessive reliance on one of a few products, customers and suppliers
• Computer system failures and loss of records
• Fraud

SERVICE EXCELLENCE
 Business Risks
• Businesses are at risk if their business
objectives are not achieved. It is therefore
desirable for the management of accompanies
to identify all business risks and, if necessary,
to amend the plan to accommodate the risk or
make contingency plans to survive.

SERVICE EXCELLENCE
 Management reactions to Business Risks

• What management can do about the risks once

they are identified depends on the risk and there
are indefinite varieties of risks. One possible
classification of possible reactions by
management is as follows
• Do nothing and hope for the best
• Develop internal controls
• Develop quality controls over production of
goods, production of services, staff recruitment.
SERVICE EXCELLENCE
 Management reactions to Business Risks

• Train staff
• Diversify – acquisition, new products, multiple
sourcing, adding to customer base perhaps by
exporting.
• Risk reduction – raising staff awareness of risk,
tighter discipline in all area, physical measures.
• Transfer of risk – by insurance, sub-contracting,
outsourcing.

SERVICE EXCELLENCE
 Business and Entrepreneur
• In the nutshell, the business of the
entrepreneur is risk-taking and all risks cannot
be removed. The basic economic truism is that
there is a correlation between risk and
returns, and higher returns are not possible
without risk.

SERVICE EXCELLENCE
 AUDIT RISK AND BUSINESS RISK
• Audit risk is often categorized as the product of inherent
risk, control risk and detection risk.
• Auditors should consider business risk in three ways:
• By enquiring into and assessing business risk, thereby,
gaining an excellent knowledge of the business.
• By helping their clients to recognize, assess and respond
to risk.
• By seeing the connection between audit risk and the risk
of misstatement in the financial statements which focuses
the audit on risks likely to lead to possible misstatements.

SERVICE EXCELLENCE
 Question
• Audit risk is a combination of the risk that the financial
statements being audited may contain material errors and
that these errors may not be detected by the auditor’s
testing procedures. Risk can be categorised as ‘low, medium
or high’ and is evaluated during the planning stage of an
audit. The auditor should devote attention to the critical
areas of the financial statements by considering and
evaluating materiality and risks specific to the company.
Materiality limits should be set at the planning stage of the
audit to act as a guideline for deciding whether adjustment
should be made to the financial statements.

SERVICE EXCELLENCE
 Question
• Required:
• (a) Briefly describe what you understand by the terms ‘inherent
risk’, ‘control risk’ ‘detection risk’ and ‘audit risk’. (4 marks)
• (b) List eight factors which the auditor would bear in mind when
assessing the audit risk of a company. You should set out your
answer under the headings ‘inherent risk’ and ‘control risk’. (4 marks)
• (c) Define and explain the Risk Equation, describing how it should
be used in audit planning. (5 marks)
• (d) Discuss the considerations which would determine whether an item
is material in relation to financial statements. (3 marks)
• (e) Discuss the validity of the statement that “materiality limits should
be set at the planning stage of the audit and should be rigidly
adhered to throughout the audit”. (4 marks) (20 marks)

SERVICE EXCELLENCE
 Answer
• (a) Inherent risk
• Inherent risk is the risk that a material misstatement
may come into existence because of the factors related
to the nature of the client.
• Control risk
• Control risk is the risk that a material misstatement
will get through the control system unprevented.
• Detection risk
• Detection risk is the risk that the material
misstatement will get through the auditor undetected.

SERVICE EXCELLENCE
 Answer
• Audit risk
• So, audit risk is the risk of the material
misstatement occurring, then getting by the
control system unprevented, then getting
by the auditor undetected and into the FS.
• In other words, it is the risk of an auditor
giving the wrong opinion.

SERVICE EXCELLENCE
 Answer
• (b) Inherent risk
• Tiredness– The risk of errors occurring increases when staff
are tired.
• Incompetence– The risk of errors increases as staff
experience and expertise decreases.
• Organisation – The risk of error increases the more
chaotic the client organisation.
• Time pressure – The risk of error increases the greater
the time pressure on accounting staff.
• Others– Complex transactions, profit pressure, boredom,
cultural issues.

SERVICE EXCELLENCE
 Answer
• Control risk
• Authorisation – The risk of the system failing to
detect an error goes up if there is less authorization.
• Segregation– The risk of the system failing to detect an
error goes up if there is insufficient segregation.
• Passwords – The risk of a system failing to prevent
an error goes up in an environment with no
passwords.
• Reconciliation– The risk of a system failing to prevent
an error goes up in an area without reconciliations.

SERVICE EXCELLENCE
 Answer
• (c) Audit risk equation
• This is defined as follows:
• IR x CR x DR = AR
• Translation
• This equation says if an error occurs
• And
• The system fails to prevent it
• And
• The auditor does not detect it
• Then
• The auditor will give the wrong opinion

SERVICE EXCELLENCE
 Answer
• Application
• It is used in the deepest philosophies of
modern audit and underpins everything we
do.
• Audit risk
• Auditors are prepared to accept a low
audit risk which then feeds into different
levels of audit work.

SERVICE EXCELLENCE
 Answer
Client sets Client sets Auditor sets Auditor sets Vol of subs
tests

IR CR DR AR

Situation 1 Low Low High Low Reduced

Situation 2 High Low Low Low Full

SERVICE EXCELLENCE
 Answer
• (d) Materiality
• Materiality is determined by two factors:
• (i) Size– Clearly the bigger the error the greater the
materiality.
• (ii) Context– But the context of the error is relevant to its
materiality as well. Some errors are material by nature.
• Example
• A small fraud of £10,000 by directors of a company
with a profit of £10m is immaterial by size but
material by context and so is material.

SERVICE EXCELLENCE
 Answer
• (e) Planning stage
• It is true materiality threshold is calculated at the
planning stage.
• Calculation – The threshold can be 10% of profit
(or a more complicated calculation).
• Rigid adherence – But it is not true that it is
rigidly adhered to. Materiality threshold is just a
guide.
• Change – In fact, the materiality threshold can
change, eg, if the auditor discovers a fraud.
SERVICE EXCELLENCE
SERVICE EXCELLENCE