Chapter 5 Audit Planning and Risk Assessment
Professional scepticism
It is a requirement of ISA 200 that, when planning and performing an audit,
the auditor should adopt an attitude of professional scepticism. Professional
scepticism is defined by ISA 200 as:
ISA 210
Establish an overall strategy for the audit that sets the scope, timing and
direction of the audit and that guides the development of the audit plan
Develop an audit plan which includes a description of the nature, timing
and extent of planned risk assessment procedures and planned further audit
procedures
Document the overall audit strategy and the audit plan, including any
The auditor is required by ISA 315 to identify and assess the risks of material misstatement at
both the financial statement and assertion levels.
The financial statement level refers to risks which are pervasive to the financial statements as a
whole and which potentially affect many assertions. An example might be if management have a
tendency to override internal controls – this would affect all areas of the accounting systems.
The assertion level refers to specific objectives of the financial statements, for example, that all
liabilities have been recorded and that recorded assets exist.
Understanding the Business and Materiality
Risk and materiality
The auditor will then focus his work on balances in the financial statements where he considers
there is a material risk of misstatement. High risk/material items will be audited in detail, but
low risk/immaterial items will receive less attention.
This audit risk approach was developed in the 1980s. Previous approaches included the
following:
The substantive approach whereby every item in the financial statements is tested and vouched
to supporting documents. This approach is still sometimes used for small entities where internal
controls are weak and there are few transactions. It may be more efficient to just test everything
(especially if the auditor is also providing accountancy services, where he will see all of the
supporting documents in any case).
The systems approach which was developed to avoid over-auditing. Under this method the
underlying accounting systems were tested with less emphasis on the testing of individual
transactions and balances. However, this approach could still lead to over-auditing as systems
covering low-risk/immaterial areas were also tested.
Most firms now use a mixture of the audit risk approach and a systems-based approach.
Materiality: ISA 320
The IASB’s Framework for the preparation and presentation of financial statements states that:
“Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements.”
ISA 320 Materiality in planning and performing an audit states that, in assessing what is or is
not material, auditors are entitled to assume that users:
have a reasonable knowledge of business and are willing to study the information in the
recognise the uncertainties inherent in certain amounts in the financial statements (such as
provisions)
ISA 320 requires the auditor to apply the concept of materiality:
when planning and performing the audit, and
when evaluating the effect of misstatements on the financial statements and therefore on his
audit opinion
However, it is important to bear in mind that ‘qualitative’ characteristics may also be taken into
account. For example, many auditors would take the view that certain figures in financial
statements should be absolutely correct and that any errors in those figures would be judged to
be material. Examples might include a requirement for 100% accuracy in reporting issued share
capital and directors’ remuneration.
Audit risk: ISA 330
risks. The objective of ISA 330 is to gather adequate appropriate audit evidence about assessed
risks of material misstatement, by designing and putting in place appropriate responses to the
risks.
Responses to assessed risks:
At the financial statement level these ‘responses’ are overall ones, which may include:
emphasising to the audit team the need to maintain an attitude of professional scepticism
assigning more experienced staff or increased supervision of staff
the use of experts
changing the nature, timing and extent of audit procedures
The assessment of the risks at this level and therefore the auditor’s response is very much
affected by the auditor’s assessment of the control environment. An effective control
environment will be likely to increase the auditor’s confidence in controls in all areas and allow
him to carry out more procedures at the interim audit and to carry out fewer tests of detail.
At the assertion level these ‘responses’ take the form of further audit procedures, discussed in
detail in later chapters. Audit procedures can take the form of tests of controls and/or substantive
procedures.
The audit risk model
A standard audit risk model is available to help auditors identify and quantify the main elements
making up overall audit risk.
Audit risk is the risk (chance) that the auditor reaches an inappropriate (wrong) conclusion on
the area under audit. For example, if the audit risk is 5%, this means that the auditor accepts that
there will be a 5% risk that the audited item will be misstated in the financial statements, and
only a 95% probability that it is materially correct.
[Figure: audit risk model. Labels: Client Risk; Under the control of the auditor]
This model can be stated as a formula:
AR = IR × CR × DR
where:
AR = audit risk
IR = inherent risk
CR = control risk, and
DR = detection risk.
Risks are expressed as proportions, so a risk of 10% would be included in the formula as
0.10.
Inherent Risk
Inherent risk is the risk that items may be misstated as a result of their inherent characteristics.
Inherent risk may result from either:
the nature of the items themselves. For example, estimated items are inherently risky because their
measurement depends on an estimate rather than a precise measure; or
the nature of the entity and the industry in which it operates. For example, a company in the
construction industry operates in a volatile and high-risk environment, and items in its financial
statements are more likely to be misstated than items in the financial statements of companies in a
more low-risk environment, such as a manufacturer of food and drinks.
When inherent risk is high, this means that there is a high risk of misstatement of an item in the
financial statements.
Inherent risk operates independently of controls. It cannot be controlled. The auditor must
accept that the risk exists and will not ‘go away’.
Control Risk
Control risk is the risk that a misstatement would not be prevented or detected by the internal
control systems that the client has in operation.
In preparing an audit plan, the auditor needs to make an assessment of control risk for different
areas of the audit. Evidence about control risk can be obtained through ‘tests of control’.
The initial assumption should be that control risk is very high, and that existing internal controls
are insufficient to prevent the risk of material misstatement. However, tests of control may
provide sufficient evidence to justify a reduction in the estimated control risk, for the purpose of
audit planning.
Detection Risk
Detection risk is the risk that the audit testing procedures will fail to detect a misstatement in a
transaction or in an account balance. For example, if detection risk is 10%, this means that there
is a 10% probability that the audit tests will fail to detect a material misstatement.
Detection risk can be lowered by carrying out more tests in the audit. For example, to reduce the
detection risk from 10% to 5%, the auditor should carry out more tests.
The detection risk can be managed by the auditor in order to control the overall audit risk.
Inherent risk cannot be controlled.
Control risk can be reduced by improving the quality of internal controls. However,
recommendations to the client about improvements in its internal controls can only affect
control risk in the future, not control risk for the financial period that is subject to audit.
However, audit risk can be reduced by increasing testing, and reducing detection risk.
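The formula AR = IR × CR × DR rearranged to plan detection risk per audit area, as an added example that is not part of the original notes. The function and field names and the sample areas with their risk figures are constructed, and treating an untested control risk as 1.0 is an assumption standing in for the "very high" starting point described above.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: "very high" control risk before any tests of control is modelled as 1.0.
UNTESTED_CONTROL_RISK = 1.0


@dataclass
class AuditArea:
    name: str
    inherent_risk: float                         # IR as a proportion, e.g. 0.80
    tested_control_risk: Optional[float] = None  # CR justified by tests of control, if any


def _check_proportion(label: str, value: float) -> None:
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{label} must be a proportion in (0, 1], got {value}")


def required_detection_risk(target_ar: float, area: AuditArea) -> float:
    """Solve AR = IR x CR x DR for DR, the only factor the auditor manages."""
    cr = UNTESTED_CONTROL_RISK if area.tested_control_risk is None else area.tested_control_risk
    for label, value in (("AR", target_ar), ("IR", area.inherent_risk), ("CR", cr)):
        _check_proportion(label, value)
    ir_times_cr = area.inherent_risk * cr
    # If IR x CR is already at or below the target, DR cannot exceed 100%.
    return round(min(1.0, target_ar / ir_times_cr), 4)


def plan(target_ar: float, areas: list[AuditArea]) -> dict[str, float]:
    """Map each area to the highest detection risk that still meets the target AR."""
    return {a.name: required_detection_risk(target_ar, a) for a in areas}


# Constructed sample areas; the figures are illustrative only.
SAMPLE_AREAS = [
    AuditArea("provisions (estimated)", inherent_risk=0.80),
    AuditArea("trade payables", inherent_risk=0.50, tested_control_risk=0.40),
    AuditArea("share capital", inherent_risk=0.10, tested_control_risk=0.20),
]

if __name__ == "__main__":
    for name, dr in plan(0.05, SAMPLE_AREAS).items():
        print(f"{name:25s} maximum detection risk = {dr:.2%}")
```

A lower permitted detection risk means more audit testing in that area; a result of 1.0 means IR × CR alone already meets the target audit risk.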
Fraud: ISA 240
stealing physical assets (such as stock) or intellectual property (for example, by selling
The entity’s profitability being under threat (for example, due to increased competition or
rapid changes in technology).
The nature of the industry or the entity’s operations providing opportunities for fraud (for
by management.
Personal pressure on staff to misappropriate assets (for example, personal financial