CHAPTER 4: RISK ASSESSMENT

1) AUDIT RISK

- (Acceptable) Audit risk is the risk that the auditor expresses an inappropriate (unqualified) audit opinion when the
financial statements are materially misstated. (how much risk are we willing to accept that FS are materially misstated and
we issue clean opion – auditor’s risk aversion)

- At the assertion level, audit risk consists of:

1. The risk that the relevant assertions related to the account balances or disclosures contain misstatements that could be
material to the financial statements (inherent risk and control risk).

2. The risk that the auditor will not detect such misstatements (detection risk).

 audit risk: entity’s financial statements contain material misstatements and that the auditor fails to detect any such
misstatements.

- Achieved audit risk can be directly controlled by manipulating detection risk (change the scope).

a) The Audit Risk Model: assists the auditor to plan the appropriate audit procedures for the accounts, transactions, or
disclosures

- The risk that the relevant assertions are misstated consists of two components:

o Inherent risk (IR). The susceptibility of an assertion in an account or disclosure to a misstatement due to error
or fraud that could be material, either individually or when aggregated with other misstatements, before
consideration of any related (internal) controls

o Control risk (CR). The risk that a misstatement that could occur in an assertion about an account or disclosure
and that could be material, either individually or when aggregated with other misstatements, will not be prevented,
or detected and corrected, on a timely basis by the entity’s internal control

 IR + CR = RMM (risk of material misstatement). The auditor has little or no control over these risks (Client risk)

- The risk that auditor will not detect:

o (planned)Dectection Risk (DR). the procedures performed by the auditor to reduce audit risk to an acceptably
low level will not detect a misstatement that exists and that could be material, either individually or when
aggregated with other misstatements (based on the work we’ve done, what’s the probability we issue clean opnion
when it’s materially misstated)

 not reduced to zero because the auditor seldom examines 100 percent of the transactions in an account.

 subject to human error (non sampling risk), use of inappropriate audit procedures or misinterpretation of audit evidence and
failure to recognize a misstatement or deviation

 Detection risk has an inverse relationship to inherent risk and control risk.

- The audit risk model assists the auditor in determining the scope of auditing procedures for an assertion in an account or
disclosure

- If the auditor assesses the achieved audit risk as being less than or equal to the planned level of audit risk, an unqualified
report can be issued. If the assessment of the achieved level of audit risk is greater than the planned level, the auditor
should either conduct additional audit work or qualify/modify the audit report.

- Engagement Risk: the risk that the auditor is exposed to financial loss or damage to his or her professional reputation
from litigation, adverse publicity, or other events arising in connection with the audited financial statements.

b) Use of the Audit Risk Model

- Three steps are involved in the auditor’s use of the audit risk model at the assertion level:

o 1. Setting a planned level of audit risk: the auditor sets audit risk for each account balance or disclosure in
such a way that, at the completion of the engagement, an opinion can be issued on the financial statements with
an acceptably low level of audit risk. (<=5%)

o 2. Assessing the risk of material misstatement: auditor evaluates the entity’s business risks and how those
business risks could lead to material misstatements.
 o 3. Solving the audit risk equation for the appropriate level of detection risk: to design the substantive audit
procedures that will reduce audit risk to an acceptably low level.

- Can use qualitative > percentage: planned audit risk might be classified into two categories, very low and low. The risk
of material misstatement and detection risk might be classified into three categories (e.g., low, moderate, or high)

- Example 1:

o Very low level of audit risk is appropriate: because of its importance to the financial statements

o High RMM: high risk of a material misstatement that was not prevented, or detected and corrected

o Low detection risk: auditor will conduct a more careful or thorough investigation of this account

- Example 3:

o High deteciton risk: low risk that a material misstatement is present in the financial statements and, as a result,
the auditor needs to gather less evidence.

2) AUDITOR’S RISK ASSESSMENT PROCESS: understand management’s objectives and strategies and the related business
risks that may result in material misstatements

a) Management’s Strategies, Objectives, and Business Risks

- Strategies are the operational approaches used by management to achieve objectives (low cost, high quality, growth
market share,…)

- Business risks are threats from significant conditions, events, circumstances, actions, or inactions that could adversely
affect the entity’s ability to achieve its objectives and execute its strategies (development of new product).  Management
is responsible for identifying such risks and responding to them.  business risks have the potential to affect the financial
statements

b) Auditor’s Risk Assessment Procedures

- Step 1: Inquiries of Management, Other Entity Personnel, and Others Outside the Entity: to obtain information
about entity and environment. The auditor might make inquiries of:

o Inside

 Those charged with governance (e.g., board of directors or audit committee).

 Internal audit function

 Employees involved in initiating, authorizing, processing, or recording complex or unusual transactions.

 In-house legal counsel.

 Production, marketing, sales, and other personnel

o Outside: customers, suppliers, or valuation specialists to detect fraud.

- Step 2: Analytical Procedures: evaluations of financial information made through analysis of plausible relationships
among both financial and nonfinancial data.  understanding the entity and its environment and in identifying areas that
may represent specific risks relevant to the audit OR can be helpful in identifying the existence of unusual transactions or
events and amounts, ratios, and trends that might have implications for audit planning.

- Step 3: Observation and Inspection: include:

o Observation of entity activities and operations. ∙ Inspection of documents, records, and internal control manuals. ∙
Reading reports prepared by management, the audit committee or those charged with governance, and the
internal audit function

o Visits to the entity’s premises and plant facilities.

 o Tracing transactions through the information system relevant to financial reporting, which may be performed as
part of a walkthrough

o read about industry developments and trends, read the current year’s interim financial statements, and review
regulatory or financial publications.

c) Assessing Business Risks: assess the business risks faced by the entity and how those risks are controlled or not
controlled by the entity.  assesses the risk of material misstatement at the assertion level. Include:

- Nature of the Entity:

o Business operationsn

o Investments and investments activities: planned or recent acquisitions or divestitures; investments and
dispositions of securities and loans; capital investment activities; and investments in partnerships and joint
ventures

o Financing and financing activities: major subsidiaries and associated entities; debt structure; leasing
arrangements; related parties; and the use of derivative financial instruments

o Financial reporting: accounting principles and industry-specific practices; revenue recognition practices;
accounting for fair values; and accounting for unusual or complex transaction

o Reading public information

o Observing or reading transcripts of earnings calls conducted by management.

o Obtaining information about significant unusual developments regarding trading activity in the company’s
securities.

o Obtaining an understanding of compensation arrangements with senior management

- Industry, Regulatory and Other External Factors: Some industries are subject to risks of material misstatement as a result
of unique accounting estimates

- Objectives, Strategies and Related Business Risks:

- Entity Performance Measurement: a deviation in the entity’s performance measures may indicate a risk of misstatement in
the related financial statement information. (financial and nonfinancial; budgets; variance analysis)

- Internal Control: to identify the types of potential misstatements and factors that affect the risks of material misstatement.
It also assists in designing appropriate audit procedures

d) Evaluate the Entity’s Risk Assessment Process

- should obtain information on the entity’s risk assessment process and whether it is operating effectively. If the entity’s
response to the identified risk is adequate, the risk of material misstatement may be reduced. However, if the entity’s
response to the identified risk is inadequate, the auditor’s assessment of the risk of material misstatement may increase

3) ASSESSING THE RISK OF MATERIAL MISSTATEMENT

a) Causes and Types of Misstatements

- Misstatements can result from errors or fraud.

o Errors: unintentional misstatements of amounts or disclosures in financial statements.

o Fraud: intentional act by one or more among management, those charged with governance, employees, or third
parties, involving the use of deception that results in a misstatement in the financial statements.

- Include:

o An inaccuracy in gathering or processing data from which financial statements are prepared.

o An omission of an amount or disclosure.

o A financial statement disclosure that is not presented in accordance with GAAP.

o An incorrect accounting estimate arising from overlooking or clear misinterpretation of facts.

o Judgments of management concerning accounting estimates that the auditor considers unreasonable or the
selection or application of accounting policies that the auditor considers inappropriate
- 2 types of Fraud:

o Fraudulent financial reporting (mentioned above)

o Misappropriation of assets (defalcation), include:

 Embezzling cash received.

 Stealing physical assets and intellectual property.

 Causing the entity to pay for goods or services not received.

 Using an entity’s assets for personal use

- 3 types of Misstatements:

o Factual: These are misstatements about which there is no doubt (EX: sales invoice with false price)

o Judgemental: arise from the judgments of management concerning accounting estimates/policies that the auditor
considers unreasonable/inappropriate

o Projected: auditor’s best estimate of misstatements in populations

b) The Fraud Risk Assessment Process: steps to assess fraud risk:

- Discussion among Audit Team: about FS’ susceptibility to fraud. Objectives:

o Share insights about the entity and its environment and the entity’s business risks.

o Provide an opportunity for the team members to discuss how and where the entity might be susceptible to fraud.

o Emphasize the importance of maintaining professional skepticism throughout the audit regarding the potential for
material misstatement due to fraud.

- Inquiries of Management, Audit Committee, and Others:

o inquire about management’s knowledge of fraud, programs to mitigate risk factors and how well they monitor

o understanding of how the audit committee exercises its oversight activities + inquire of the internal audit function
about its assessment of the risk of fraud

o inquiries from others within the entity and third parties

- Identification and Assessment of Fraud Risk Factors: Three conditions are generally present when material misstatements
due to fraud occur: (fraud risk triangle)

o Management or other employees have an incentive or are under pressure that provides a reason to commit fraud.

o Circumstances exist that provide an opportunity for a fraud to be carried out.

o Those involved are able to rationalize committing a fraudulent act. Some individuals possess an attitude, character,
or set of ethical values that allow them to knowingly and intentionally commit a dishonest act.
 - Misapppropriation of Assets: (one type of fraud)

4) THE AUDITOR’S RESPONSE TO THE RESULTS OF THE RISK ASSESSMENTS

- Assess the risk of material misstatement at the financial statement and assertion levels  auditor determines whether they
relate to the overall financial statements and many relevant assertions OR whether the identified risks relate to specific
relevant assertions related to accounts and disclosures.

- Financial Statement level risks response:

o Assigning more experienced/specialized personnel

o Evaluating whether the selection and application of accounting policies by the entity indicative of fraudulent
financial reporting

o Incorporating an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.

- Signficant risks mentioned below that the auditor must determine the nature of the risk, the likely magnitude of the
potential misstatement, and the likelihood of the risk occurring:

o Assertions identified with fraud risk factors.

o Nonroutine or unsystematically processed transactions.

o Significant accounting estimates and judgments.

o Highly complex transactions.

 o Application of new accounting standards.

o Revenue recognition (see Practice Insight below).

o Industry specific issues

 the auditor should perform tests of controls that mitigate the significant risk or substantive procedures that directly respond to the
significant risk.

5) EVALUATION OF AUDIT TEST RESULTS

- At the completion of the audit, the auditor should consider whether the accumulated results of audit procedures cause the
financial statements to be materially misstated

o total misstatements cause the financial statements to be materially misstated  request managet to eliminate
otherwise, qualified/modified/adverse

o uncorrected total misstatements do not cause the financial statements to be materially misstated  unqualified

- If the auditor has determined that the misstatement is or may be the result of fraud and material, the auditor should

o Attempt to obtain audit evidence to determine whether, in fact, material fraud has occurred and, if so, its effect.

o Consider the implications for other aspects of the audit.

o Discuss the matter and the approach to further investigation with an appropriate level of management that is at
least one level above those involved in committing the fraud and with senior management.

o Suggest that the appropriate level of management consult with legal counsel

o withdrawing from the engagement and communicating the reasons for withdrawal to the audit committee or others
with equivalent authority and responsibility

6) DOCUMENTATION OF THE AUDITOR’S RISK ASSESSMENT AND RESPONSE

- Standards require extensive documentation of the auditor’s risk assessment procedures (including fraud risk assessment)
(for material accounts and related assertions) and audit responses to identified risks

- Other areas:

o The discussion, decisions, when/how occur, who join

o Steps performed in obtaining knowledge about entity’s business and environment, including:

 Risks identified

 Evaluation of management’s response to risk

  Auditor’s assessment of risk of error or fraud after considering the entity’s response

7) COMMUNICATIONS ABOUT FRAUD TO MANAGEMENT, THE AUDIT COMMITTEE, AND OTHERS

- When there’s evidence of fraud  brought to appropriate level of management.

- If fraud involves management  report to audit committee

- Don’t need to disclose to other not mentioned parties, except these circumstances:

o To comply with certain legal and regulatory requirements. ∙

o To a successor auditor when the successor makes inquiries of the predecessor auditor about the client.

o In response to a subpoena.

o To a funding agency or other specified agency in accordance with requirements for the audits of entities that
receive governmental financial assistance