01 TEcHNIcAL
audit risk
REfERENcE TO THE KEY AUDITINg STANDARDS WHIcH gIVE gUIDANcE TO AUDITORS
THIS ARTIcLE OUTLINES AND ExPLAINS THE cONcEPT Of AUDIT RISK, MAKINg
RELEVANT TO AccA QUALIfIcATION PAPERS f8 AND P7 AND
This article outlines and explains WHAT IS AUDIT RISK? likely that errors in transactions
the concept of audit risk, making According to the IAASB Glossary and balances will lead to a
reference to the key auditing of Terms1, audit risk is defined material misstatement in the
standards which give guidance to as follows: financial statements. It would be
auditors about risk assessment. inefficient to address insignificant
Identifying and assessing ‘The risk that the auditor expresses risks in a high level of detail, and
audit risk is a key part of the an inappropriate audit opinion whether a risk is classified as
audit process, and ISA 315, when the financial statements are a key risk or not is a matter of
Identifying and Assessing the Risks materially misstated. Audit risk is a judgment for the auditor.
of Material Misstatement Through function of material misstatement
Understanding the Entity and Its and detection risk.’ RELEVANT ISAs
Environment, gives extensive There are many references
guidance to auditors about WHY IS AUDIT RISK SO throughout the ISAs to audit
audit risk assessment. The IMPORTANT TO AUDITORS? risk, but perhaps the two most
purpose of this article is to give Audit risk is fundamental to the important audit risk‑related ISAs
summary guidance to CAT Paper audit process because auditors are as follows:
8, Paper F8 and P7 students cannot and do not attempt to
about the concept of audit risk. check all transactions. Students ISA 200, Overall Objectives
All subsequent references in should refer to any published of the Independent Auditor
this article to the standard will accounts of large companies and the Conduct of an Audit in
be stated simply as ISA 315, and think about the vast number Accordance with ISAs
although ISA 315 is a ‘redrafted’ of transactions in a statement
standard, in accordance with of comprehensive income and a ISA 200 sets out the overall
the International Auditing and statement of financial position. objectives of the auditor, and
Assurance Standards Board It would be impossible to check the standard explains the nature
(IAASB) Clarity Project. For all of these transactions, and and scope of an audit designed
further details on the IAASB no one would be prepared to to enable an auditor to meet
Clarity Project, read the article by pay for the auditors to do so, those objectives. References to
Lisa Weaver, examiner for Paper hence the importance of the audit risk are frequently made
AbOUT RISK ASSESSMENT.
P7, in the August 2009 issue of risk‑based approach toward by ISA 200, and the standard
Student Accountant. auditing. Traditionally, auditors also requires that the auditor
have used a risk‑based approach shall plan and perform an audit
in order to minimise the chance with professional scepticism,
of giving an inappropriate audit recognising that circumstances
opinion, and audits conducted might exist that may cause
in accordance with ISAs must the financial statements to
follow the risk‑based approach, be materially misstated.
which should also help to ensure Professional scepticism is
that audit work is carried out defined as an attitude that
efficiently, using the most includes a questioning mind and
effective tests based on the audit a critical assessment of evidence.
risk assessment. Auditors should
direct audit work to the key risks
(sometimes also described as
significant risks), where it is more
STUDENT AccOUNTANT 11/2009
02
ISA 315, IDENTIfYINg AND ASSESSINg THE RISKS Of MATERIAL MISSTATEMENT THROUgH
IDENTIfYINg AND ASSESSINg AUDIT RISK IS A KEY PART Of THE AUDIT PROcESS, AND
UNDERSTANDINg THE ENTITY AND ITS ENVIRONMENT, gIVES ExTENSIVE gUIDANcE
cAT PAPER 8
ISA 315, Identifying and 1 Risk assessment procedures Observation and inspection
Assessing the Risks of ISA 315 gives an overview of Observation and inspection may
Material Misstatement Through the procedures that the auditor also provide information about
Understanding the Entity and should follow in order to obtain the entity and its environment.
Its Environment an understanding sufficient to Examples of such audit
assess audit risks, and these procedures can potentially cover
ISA 315 deals with the auditor’s risks must then be considered a very broad area, including
responsibility to identify and when designing the audit plan. observation or inspection
assess the risks of material ISA 315 goes on to require of the entity’s operations,
misstatement in the financial that the auditor shall perform documents, and reports prepared
statements through an risk assessment procedures by management, and also
understanding of the entity and to provide a basis for the of the entity’s premises and
its environment, including the identification and assessment of plant facilities.
entity’s internal controls and risk risks of material misstatement ISA 315 requires that risk
assessment process. The first at the financial statement and assessment procedures should,
version of ISA 315 was originally assertion levels. ISA 315 goes on at a minimum, comprise a
published in 2003 after a joint to identify the following three risk combination of the above
TO AUDITORS AbOUT AUDIT RISK ASSESSMENT.
audit risk project had been carried assessment procedures: three procedures, and the
out between the IAASB, and the standard also requires that
United States Auditing Standards Making inquiries of management the engagement partner and
Board. Changes in the audit risk and others within the entity other key engagement team
standards have arguably been the Auditors must have discussions members should discuss the
single biggest change in auditing with the client’s management susceptibility of the entity’s
standards in recent years, so about its objectives and financial statements to
the significance of ISA 315, and expectations, and its plans for material misstatement. Key
the topic of audit risk, should achieving those goals. risks can be identified at any
not be underestimated by stage of the audit process,
auditing students. Analytical procedures and ISA 315 requires that the
Analytical procedures performed engagement partner should also
The requirements of ISA 315 as risk assessment procedures determine which matters are
are summarised in Table 1 on should help the auditor in to be communicated to those
page 4. Let us consider each of identifying unusual transactions engagement team members not
these four stages in more detail. or positions. They may identify involved in the discussion.
aspects of the entity of which the
auditor was unaware, and may
assist in assessing the risks of
material misstatement in order to
provide a basis for designing and
implementing responses to the
assessed risks.
03 TEcHNIcAL
fOR THE PURPOSES Of THE PAPER f8 ExAM, IT IS IMPORTANT TO MAKE A DISTINcTION
bETWEEN AUDIT RISK AND bUSINESS RISK (WHIcH IS NOT ExAMINAbLE IN PAPER f8),
EVEN THOUgH ISA 315 ITSELf DOES NOT MAKE SUcH A DISTINcTION cLEAR.
2 Understanding an entity ¤ The degree of subjectivity ‘A risk resulting from significant
ISA 315 gives detailed guidance in the measurement of conditions, events, circumstances,
about the understanding required financial information related actions or inactions that could
of the entity and its environment to the risk, especially adversely affect an entity’s ability
by auditors, including the those measurements to achieve its objectives and
entity’s internal control systems. involving a wide range of execute its strategies, or from the
Understanding of the entity and measurement uncertainty. setting of inappropriate objectives
its environment is important ¤ Whether the risk involves and strategies.’
for the auditor in order to help significant transactions that
identify the risks of material are outside the normal course Hence business risk is a much
misstatement, to provide a basis of business for the entity, broader concept than audit
for designing and implementing or that otherwise appear to risk. Students are reminded
responses to assessed risk (see be unusual. that business risk is excluded
reference below to ISA 330, from the CAT Paper 8 and
The Auditor’s Responses to 4 ISA 330 and responses to Paper F8 syllabus, although it is
Assessed Risks), and to ensure assessed risks examinable in Paper P7.
that sufficient appropriate audit The requirements of ISA 330,
evidence is collected. Given that The Auditor’s Responses THE AUDIT RISK MODEL
the focus of this article is audit to Assessed Risks, will be Finally, it is important to make
risk, however, students should covered in a future article, reference to the so called
ensure that they also make but essentially ISA 330 gives traditional audit risk model,
themselves familiar with the guidance about the nature which pre‑dates ISA 315, but
concept of internal control, and and extent of the testing continues to remain important to
the components of internal required, based on the risk the audit process. The audit risk
control systems. assessment findings. model breaks audit risk down into
the following three components:
3 Identification and assessment AUDIT RISK AND bUSINESS RISK
of significant risks and the risks of For the purposes of the Paper Inherent risk
material misstatement F8 exam, it is important to make This is the susceptibility of
In exercising judgement as a distinction between audit risk an assertion about a class of
to which risks are significant and business risk (which is not transaction, account balance,
risks, the auditor is required to examinable in Paper F8), even or disclosure to a misstatement
consider the following: though ISA 315 itself does not that could be material, either
¤ Whether the risk is a risk make such a distinction clear. individually or when aggregated
of fraud. ISA 3152 defines business risk with other misstatements,
¤ Whether the risk is related to as follows: before consideration of any
recent significant economic, related controls.
accounting or other
developments, and therefore
requires specific attention.
¤ The complexity of transactions.
¤ Whether the risk involves
significant transactions with
related parties.
STUDENT AccOUNTANT 11/2009
04
UNDERSTAND THAT AUDIT RISK IS A PRAcTIcAL TOPIc ExAMINED IN A PRAcTIcAL cONTExT.
PAPER f8 STUDENTS ARE REQUIRED TO HAVE A gOOD UNDERSTANDINg Of WHAT AUDIT
RISK IS, AND WHY IT IS SO IMPORTANT. fOR THE PAPER f8 ExAM, IT IS IMPORTANT TO
THE cONcEPT Of AUDIT RISK IS Of KEY IMPORTANcE TO THE AUDIT PROcESS AND
control risk UK and Irish students should TAbLE 1: ISA 315 – SUMMARY Of
This is the risk that a note that there are no significant REQUIREMENTS
misstatement could occur in differences on audit risk between 1 The auditor shall perform
an assertion about a class of ISA 315 and the UK and Ireland risk assessment procedures
transaction, account balance version of the standard. in order to provide a basis
or disclosure, and that the for the identification and
misstatement could be cONcLUSIONS assessment of the risks of
material, either individually or The concept of audit risk is of material misstatement.
when aggregated with other key importance to the audit 2 The auditor is required to
misstatements, and will not process and Paper F8 students obtain an understanding of
be prevented or detected and are required to have a good the entity and its environment,
corrected, on a timely basis, by understanding of what audit risk including the entity’s internal
the entity’s internal control. is, and why it is so important. control systems.
For the purposes of the Paper 3 The auditor shall identify and
Detection risk F8 exam, it is important to assess the risks of material
This is the risk that the understand that audit risk is misstatement, and determine
procedures performed by the a very practical topic and is whether any of the risks
auditor to reduce audit risk to therefore examined in a very identified are, in the auditor’s
an acceptably low level will not practical context. Any definition judgement, significant
detect a misstatement that exists or explanation of the audit risk risks. This is in order to
and that could be material, either model itself will usually only provide a basis for designing
individually or when aggregated be allocated a small number and performing further
with other misstatements. of marks, but many students audit procedures.
The interrelationship of the still include such definitions 4 ISA 330 then deals with
three components of audit risk in answers to case study and the required responses to
is outside the scope of this scenario questions which require assessed risks.
current article. Paper F8 students, a practical application of audit
however, will typically be expected risk assessment procedures.
to have a good understanding of Students must also be prepared
the concept of audit risk, and to be to apply their understanding
able to apply this understanding of audit risk to questions and
to questions in order to identify come up with appropriate risk
and describe appropriate risk assessment procedures.
assessment procedures.
REfERENcES
THE UK AND 1 IAASB Handbook 2009,
IRELAND PERSPEcTIVE Glossary of Terms.
The UK Auditing Practices Board 2 ISA 315, Identifying and
announced in March 2009 that Assessing the Risks of Material
it would update its auditing Misstatement Through
standards according to the Understanding the Entity and Its
clarified ISAs, and that these Environment, paragraph 4 (b).
standards would apply for audits
of accounting periods ending Martyn Jones is assessor for
on or after 15 December 2010. Paper F8