RISK ASSESSMENT

PROFESSIONAL SKEPTICISM/JUDGEMENT
Professional skepticism is an attitude that includes a questioning mind, being alert to conditions which
may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.
This requires the auditor to be alert to:
• Audit evidence that contradicts other audit evidence obtained
• Information that brings into question the reliability of documents and responses to enquiries to be
used as audit evidence
• Conditions that may indicate possible fraud

• Professional judgement:

Professional judgement is the application of relevant training, knowledge and experience in making
informed decisions about the courses of action that are appropriate in the circumstances of the audit
engagement. Eg: Materiality and audit risk
 AUDIT RISK
• Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the
financial statements are materially misstated.
Audit risk has two major components. One is dependent on the entity, and is the risk of
material misstatement arising in the financial statements (inherent risk and control risk). The
other is dependent on the auditor, and is the risk that the auditor will not detect material
misstatements in the financial statements (detection risk). We shall look in detail at the concept
of materiality in the next section of this chapter. Audit risk can be represented by the audit risk
model:
 TYPES OF AUDIT RISK

• There are three types of audit risk:

1. Inherent risk
2. Control risk
3. Detection risk
 INHERENT RISK
• Inherent risk is the susceptibility of an assertion to a misstatement that could be
material individually or when aggregated with other misstatements, assuming there
were no related internal controls.
Inherent risk is the risk that items will be misstated due to the characteristics of those
items, such as the fact they are estimates or that they are important items in the accounts.
The auditors must use their professional judgement and all available knowledge to assess
inherent risk. If no such information or knowledge is available then the inherent risk is
high.
Inherent risk is affected by the nature of the entity; for example, the industry it is in and
the regulations it falls under, and also the nature of the strategies it adopts.
 CONTROL RISK
• Control risk is the risk that a material misstatement, that could occur in an assertion
and that could be material, individually or when aggregated with other misstatements,
will not be prevented or detected and corrected on a timely basis by the entity's
internal control.
• DETECTION RISK:
Detection risk is the risk that the procedures performed by the auditor to reduce
audit risk to an acceptably low level will not detect a misstatement that exists and
that could be material, either individually or when aggregated with other
misstatements.
• The third element of audit risk is detection risk. This is the component of audit risk that the
auditors have a degree of control over, because if risk is too high to be tolerated, the auditors can
carry out more work to reduce this aspect of audit risk and, therefore, audit risk as a whole. One
way to decrease detection risk is to increase sample sizes.
• However, increasing sample sizes and carrying out more work is not the only way to manage
detection risk. This is because detection risk is a function of the effectiveness of an audit
procedure and of its application by the auditor. Although increasing sample sizes or doing more
work can help to reduce detection risk, the following actions can also improve the effectiveness
and application of procedures and therefore help to reduce detection risk:
• Adequate planning
• Assignment of more experienced personnel to the engagement team
• The application of professional scepticism
• Increased supervision and review of the audit work performed.
All the above reduce the possibility that an auditor might select an inappropriate audit procedure,
misapply an appropriate audit procedure or misinterpret the audit results.
 BUSINESS RISK
The risk resulting from significant conditions, events, circumstances, actions that could
adversely affect an entity’s ability to achieve its objective and execute its strategies, or
from the setting of inappropriate objectives and strategies.
Types of business risk:
1.Financial risk
2. Compliance risk
3. Operational risk
 MATERIALITY
• Materiality is an expression of the relative significance or importance of a particular
matter in the context of the financial statements as a whole. A matter is material if its
omission or misstatement would reasonably be expected to influence the economic
decisions of users taken on the basis of the financial statements. Materiality depends on
the size of the item or error judged in the particular circumstances of its omission or
misstatement.
The materiality level will impact on the auditor's decisions relating to:
• How many items to examine
• Which items to examine
• Whether to use sampling techniques
• What level of misstatement is likely to result in a modified audit opinion
 PERFORMANCE MATERIALITY
• Performance materiality also refers to the amount or amounts set by the auditor at less
than the materiality level or levels for particular classes of transactions, account
balances or disclosures
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
 INTERNAL CONTROL SYSTEM
• Internal control is the process designed, implemented and maintained by those charged with
governance, management, and other personnel to provide reasonable assurance about the
achievement of the entity's objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and
regulations.
• Identifying and assessing the risks of material misstatement through understanding the entity
and its environment points out that there is a direct relationship between an entity's
objectives and the controls it implements to provide reasonable assurance about their
achievement. Many of these controls will relate to financial reporting, operations and
compliance, but not all of the entity's objectives and controls will be relevant to the auditor's
risk assessment.
 COMPONENTS OF INTERNAL CONTROL
Internal control has five components:
• The control environment
• The entity's risk assessment process
• The information system relevant to financial reporting
• Control activities
• Monitoring of controls
 CONTROL ENIVIRONMENT
• The control environment is the framework within which controls operate. The control
environment is very much determined by the management of a business.
• Control environment includes the governance and management functions and the attitudes,
awareness and actions of those charged with governance and management concerning the
entity's internal control and its importance in the entity.
• A strong control environment does not, by itself, ensure the effectiveness of the overall
internal control system, but can be a positive factor when assessing the risks of material
misstatement. A weak control environment can undermine the effectiveness of controls.
• Aspects of the control environment (such as management attitudes towards control) will
nevertheless be a significant factor in determining how controls operate. Controls are more
likely to operate well in an environment where they are treated as being important. In
addition, consideration of the control environment will mean determining whether certain
controls (internal auditors, budgets) actually exist.
ELEMENTS OF CONTROL ENVIRONMENT
 ENTITY’S RISK ASSESSMENT PROCESS
• Identifying business risks relevant to financial reporting objectives
• Estimating the significance of the risks
• Assessing the likelihood of their occurrence
• Deciding on actions to address those risks
 INFORMATION SYSTEM RELEVANT TO
FINANCIAL REPORTING
• The information system relevant to financial reporting is a component of internal control
that includes the financial reporting system, and consists of the procedures and records
established to initiate, record, process and report entity transactions (as well as events and
conditions) and to maintain accountability for the related assets, liabilities and equity.
 CONTROL ACTIVITIES
• Control activities are those policies and procedures that help ensure that management
directives are carried out.
• Control activities include those activities designed to prevent or to detect and correct errors.
Examples include activities relating to authorisation, performance reviews, information
processing, physical controls and segregation of duties.
 MONITORING OF CONTROLS
• Monitoring of controls is a process to assess the effectiveness of internal control
performance over time. It includes assessing the design and operation of controls on a timely
basis and taking necessary corrective actions modified for changes in conditions.
• The auditor shall obtain an understanding of the major activities that the entity uses to
monitor internal control over financial reporting, including those related to control activities
relevant to the audit, and how the entity initiates corrective actions to deficiencies in its
controls.
 TARA /SARA APPROACH
• T/S: TRANSFER/SHARE
• A: AVOID
• R: REDUCE
• A:ACCEPT

IF THE RISK IS HIGH AND ITS LIKELIHOOD IS ALSO HIGH : THEN WE WILL EITHER
TRANSFER IT OR WILL WE SHARE .
IF THE RISK IS HIGH AND ITS LIKELIHOOD IS LOW : THEN WE WILL AVOID IT .
IF THE RISK LOW AND ITS LIKELIHOOD IS HIGH : THEN WE WILL REDUCE IT.
IF THE RISK LOW AND ITS LIKELIHOOD IS LOW THEN WE WILL ACCEPT IT