
Chapter Eight – Risk Assessment Procedures

Summary

This Chapter discusses Horizon’s risk assessment process. Risk assessment
means identifying the risks that could cause the financial statements to be
materially misstated. Risk assessment procedures are performed to understand
the entity and its environment, including its internal control. This understanding is
essential in identifying risks of material misstatements, whether due to error or
fraud, relating them to the financial statement assertions, and assessing the
likelihood that they could cause a material misstatement. Risk assessment
procedures related to obtaining an understanding of internal control are discussed
in Chapter 9.

Introduction
8.01 Professional standards require the audit team to identify and assess
risks of material misstatement at (1) the financial statement level and (2) the
assertion-level for classes of transactions, account balances and disclosures,
whether due to error or fraud. To assess these risks the audit team:
• obtains an understanding of the entity and its environment, including
internal control
• relates the identified risks to what can go wrong at the assertion level
• considers whether the identified risks could result in a material
misstatement
• considers the likelihood that the risks could result in a material
misstatement

8.02 The risk assessment process is the foundation for the audit. This
continuous process requires the audit team to identify and assess risks based on
an appropriate understanding of the entity, including its internal control. The audit
team first needs to conduct a thorough risk assessment process and then
properly design and perform procedures that directly respond to the
identified risks.

8.03 To develop an appropriate audit plan (one that reduces audit risk to an
appropriate level), the audit team must understand the entity being audited and
the environment in which it operates, including its internal control. This provides
the audit team with the information necessary to assess the risks of material
financial statement misstatement, whether due to error or fraud. The procedures
used to obtain this understanding are called “risk assessment procedures,” as the
information obtained from them is used as audit evidence to support the audit
team’s assessment of the risks of material misstatement.

8.04 The audit team performs certain risk assessment procedures to identify
and consider areas in the financial statements where material misstatements
(whether caused by error or fraud) are more likely to occur, identify the risks that
could cause the misstatements, evaluate the identified risks to determine the
likelihood of them causing the misstatements and, finally, identify other areas
where audit attention will be focused. Understanding the entity and its
environment, including internal control, also assists in determining the nature,
extent and timing of audit procedures to employ in response to the identified risks.

8.05 In addition to enhancing the effectiveness and efficiency of the audit,
understanding the entity helps to develop meaningful, timely and constructive
recommendations to management and those charged with governance. All
members of the audit team are expected to contribute to this effort by maintaining
a questioning attitude as they carry out their assignments. The list of possible
recommendations should be accumulated as the work progresses, included in the
audit documentation and communicated timely to management and those
charged with governance.

8.06 Much of the understanding of the entity is learned and enhanced as
experience with the client increases. Audit teams can further improve their
understanding of the entity's industry by obtaining pertinent articles from sources
such as periodicals, trade association publications, professional publications or
internet sites. Important information from these publications should be read and
retained for future reference. Collectively, this knowledge and experience enable
the audit team to evaluate where material misstatements could occur in the
financial statements and to make informed risk assessments.

8.07 Obtaining an understanding of the entity and its environment and
assessing risk is a continuous process that occurs throughout the audit.

Understanding the Entity and Its Environment, Including Internal Control
8.08 Understanding the entity and its environment should encompass the
events, transactions and other practices that may have a significant effect on the
financial statements. This understanding helps to:
• identify areas that may need special attention
• understand how accounting data is produced, recorded, processed,
reviewed and stored
• evaluate the reasonableness of estimates, such as valuation of
inventories, allowances for doubtful accounts, and percentage of
completion of long-term contracts
• make judgments on the valuation of assets
• evaluate the reasonableness of management representations
• make judgments about the appropriateness of the accounting
principles applied and the adequacy of presentation and disclosures in
the financial statements

Nature of Our Understanding

8.09 The nature of our understanding of the entity and its environment that
should be obtained consists of the following:
1. Nature of the Entity
• the entity’s business operations, including location, products and/or
services, sources of revenue, markets, major customers and
suppliers, competition, related parties, outsourced activities,
employment
• its ownership and governance (who owns the business and is
responsible for governance)
• the types of investments (planned or recent acquisitions, securities,
loans, fixed assets, special-purpose entities), including related
matters such as debt covenants, leasing activities, off-balance
sheet arrangements and the use of derivatives
• the way it is structured and how it is financed (this includes how the
business obtains funds to operate)
• accounting principles and industry practices, revenue recognition
policies, accounting for complex or unusual transactions, financial
statement presentation and disclosure
2. Industry, Regulatory and Other External Factors, Including the
Applicable Accounting Framework
• industry conditions, such as the competitive environment, supplier
and customer relationships, technological considerations related to
its products, and energy supply and cost
• regulatory environment including the applicable accounting
principles and industry-specific practices, the type and extent of
regulatory oversight, the legal and political environment, including
taxation and trade issues and government policies, and
environmental requirements
• general economic conditions, interest rates, availability of financing
and inflation
3. Objectives, Strategies, and Related Business Risks
• the objectives or overall plans for the entity (defined by those
charged with governance) to address business risks
• strategies (operational approaches set by management to achieve
these objectives)
• the related business risks (events, conditions, circumstances or
actions that could adversely affect the entity’s ability to achieve its
objectives and execute its strategies, including the risk of a material
financial statement misstatement)
• these risks may be related to:
− industry developments
− new products and services (for example, increased product
liability risks)
− business expansion
− new accounting requirements
− financing requirements (current or future)
− use of IT
4. Measurement and Review of Financial Performance
• key ratios, operating statistics and performance indicators (financial
and non-financial)
• budgets, variance analysis, segment information and divisional,
departmental, and other level performance reports
• comparison of performance with peers
• employee performance measures
5. Internal Control (see further discussion in Chapter 9)
• the five components of internal control
• entity-level controls
• activities-level controls associated with reasonably possible risks

8.10 The nature and extent of audit documentation required to understand
the entity is a matter of professional judgment; however, the key elements of each
characteristic (Nature of the Entity, Industry, Regulatory and Other External
Factors, Objectives, Strategies, and Related Business Risks, Measurement and
Review of Financial Performance, Internal Control) and the sources of the
information used to obtain the understanding should be documented. Voyager
provides a structure for documenting this information.

Sources of Information

8.11 Sources of information about the entity and its environment include the
following:
• management and others within the organization
• observations of the audit team
• those charged with governance
• office and plant tours
• analytical procedures
• client-prepared reports and other documentation
• external sources
• firm specialists
Additional sources of information about the entity and its environment may
also be obtained from the client’s website and other websites in the
industry.

Management and Others Within the Organization

8.12 Inquiries of management and those responsible for financial reporting
are key audit procedures. Through these interviews the audit team can quickly
obtain an understanding of the entity, its organization and operating
characteristics to assess risk. The understanding obtained should be updated
each year.

8.13 Most inquiries are directed to senior management and financial
reporting personnel. During the course of these discussions, the audit team often
learns about plans and policies that might affect the financial statements, items
which relate to the business and the industry in which it operates, and about
important legal and regulatory matters.

8.14 However, to obtain additional information to identify risks of material
misstatements, it is often appropriate to interview others who are knowledgeable
about the client's operations, its internal controls, and the manner in which such
functions and controls are carried out. These may include internal auditors,
production, marketing, sales and accounting personnel, employees with different
levels of authority, employees involved in initiating, processing or recording
complex or unusual transactions, in-house legal counsel, and those charged with
governance. Judgment is required to determine the number of such interviews;
avoiding duplication or omissions is often difficult. In addition, the timing of these
interviews may vary widely. Some are most useful during the risk assessment
process, whereas others are best deferred until later in the audit.

8.15 Obtaining detailed information about the entity requires sensitivity and
tact. Client personnel may be defensive about the audit team questioning their
areas of responsibility. They may feel threatened by such questioning or, despite
assurances, they may feel that criticism is implied. Moreover, such personnel,
including executives, often have a very different outlook and perspective than the
audit team. Accordingly, discussions with management and other key personnel,
in particular sensitive discussions about the client’s goals and objectives, should
usually be conducted by a partner or manager.

Those Charged With Governance

8.16 During this meeting, the audit team should explain and discuss the
anticipated scope of their work and obtain knowledge of the expectations or
special needs of those charged with governance. The audit team should also
make inquiries regarding the views of those charged with governance about the
risk of fraud and whether they have knowledge of any fraud or suspected fraud.
The audit team should also reach an understanding regarding the expected
nature and extent of communications about misappropriations perpetrated by
lower-level employees and the aggregate materiality threshold of such
misappropriations. The objective should be to form the working relationship with
those charged with governance necessary to prevent mistaken expectations and
develop a good line of communication.

Office and Plant Tours

8.17 Touring the client’s offices and principal plants may enhance the audit
team’s knowledge. The audit team can learn a great deal about the client's
business, accounting systems, and controls by making such visits and observing
personnel performing their daily activities. Similarly, a tour of the client's plants
and receiving and shipping facilities can convey a great deal of information about
the client's operations and likely control problems. Observations of the
orderliness, cleanliness, and physical layout of facilities and of the employees’
routine functions and work habits can often tell more about the client than can be
learned from studying the accounting records.

Analytical Procedures

8.18 Analytical procedures performed during the planning phase of the audit
are used to identify unusual changes in the financial statements, or the absence
of expected changes, and specific risks. They are required on all audits. During
the planning stage, analytical procedures are usually focused on account
balances aggregated at the financial statement level and relationships between
account balances. Because the analytical procedures at this stage generally use
data aggregated at a high level, the results of those procedures only provide a
broad initial indication about whether a material misstatement of the financial
statements may exist. However, they are helpful in identifying areas where audit
work will be focused.

8.19 All analytical procedures consist of four phases:
• expectation formation
• identification
• investigation
• evaluation

8.20 In the planning phase, the most commonly used analytical procedures
are ratio analysis and trend analysis.

8.21 For ratio analysis and trend analysis, the expectation formation is
implicit. This is because the reasonable expectation is that the prior year, budget
or industry data used for comparative purposes will be consistent with the current
period. Therefore, the data used for comparison in executing ratio and trend
analysis (prior year, budget, and industry data) is the expectation. Explicit (or
specific) documentation of the expectation is not required when using these
methods in planning.

8.22 In the identification phase, the audit team uses their understanding of
the entity and its environment to identify fluctuations where further audit work is
necessary. This could be because the fluctuation is unusual or unexpected or
because the expected fluctuation did not occur.

8.23 For those fluctuations identified, the audit team considers the possible
explanations for the differences. This is the investigation phase. The audit team
then evaluates whether the explanations are plausible and whether further audit
work may be required. The accounts or assertions where the risk of material
misstatement is evaluated as possible should be discussed in the risk assessment
meeting among the key audit team members (see Discussion Among Audit Team
Members below). Therefore, the documentation required for the identification,
investigation and evaluation phases for the analytical procedures performed in
planning should reference or link to the documentation of the risk assessment
meeting. In the risk assessment phase of the audit, it is not necessary for the
audit team to resolve whether or not misstatements are present.

Client-Prepared Reports and Other Documentation

8.24 During the course of their inquiries and visits, the audit team will likely
be referred to many different documents and records. It is not necessary to copy
and retain all such documents and records. The audit team should prepare
abstracts or obtain copies of documents they believe will help document their
understanding of the entity. Examples include:
• policy statements and business plans for the client or its major
subdivisions
• organization charts and job descriptions
• financial statements, tax returns, regulatory filings, etc., for the past
several years
• internally-directed financial information, such as interim financial
statements, budgets, and cost and variance reports. In smaller
companies, this might include comparative trial balances and similar
data
• legal documents, such as articles of incorporation, by-laws, minutes of
directors’ meetings, loan agreements and significant contracts or
leases
• reports by internal audit staff, if any. Reports on operation or financial
audits conducted by internal auditors may provide significant insight
into the client's operations
• internal control policies or procedures manuals covering the
accounting system and control procedures
• reports of other auditors
• information on the composition of the balances of accounts, such as
capital stock, additional capital, long-term liabilities, reserves,
allowances, property and equipment, deferred charges, and other
similar accounts
• agreements with service organizations, a specification of the work
performed, and how it is accounted for
• information about laws and regulations that have a direct effect on the
financial statements
However, all records and client documents, whether or not included in the
audit workpapers, are to be retained or not retained in accordance with the
firm’s records retention policies.

8.25 Upon obtaining copies of internally prepared financial information, the
audit team should understand how this material is used by management. This is
often an appropriate starting point for the process of gaining an understanding of
the other tools management uses to control and measure the entity's finances and
operations.

External Sources

8.26 External sources can provide valuable information about the client and
its industry. Sources of such external information may include reports distributed
by financial reporting services or by brokerage firms (these reports should be
obtained from the issuer).

8.27 External reference material could include relevant national or
international accounting and auditing guidance. Recent reports about the client or
its industry may be available through services such as Standard and Poor’s, Dun
& Bradstreet and Value Line.

8.28 Other sources of information concerning pertinent external factors
include trade association or other industry publications, publications of
governmental agencies, and local newspapers. It is often useful to read the
annual reports of public companies in the industry. In addition, information can
often be obtained from discussion with individuals knowledgeable about the
company or industry, such as consultants, bankers, and economists specializing
in the industry. Information about the business is often obtained through
performing client acceptance procedures and in communications with bankers,
lawyers, and others.

8.29 The objective in consulting these sources is to gain general familiarity
with the client's business environment, bearing in mind that the knowledge we
need is far less extensive than the knowledge the client needs to operate and
manage the business. Once general familiarity with such external factors has
been obtained, additional knowledge may be acquired during the audit if the
engagement team deems it necessary.

8.30 The same general principle applies to internal factors, such as the
client's operations. A complete study of all phases of operations is seldom
practicable and rarely necessary. Such a study would embrace many disciplines,
involve specialized expertise, and require considerable time. The initial review,
and annual updating, is directed to the client as a whole, with primary emphasis
on the data bearing directly on the audit process. Accordingly, the extent and
detail of information necessary for audit purposes is a matter of professional
judgment.

Identifying Risks of Material Misstatement

8.31 Horizon focuses on obtaining an understanding of the entity and its
environment (also referred to as risk assessment procedures), to determine where
material misstatements are more likely to occur. This understanding is used to
identify risks that could cause the financial statements to be materially misstated.

8.32 Risks can reside at the financial statement level or at the assertion
level. At the financial statement level, risks are pervasive and can affect several
assertions. At the assertion-level, risks typically only affect a single assertion.

8.33 When assertion-level risks are identified, the audit team must evaluate
the likelihood that the risks could cause a material misstatement and develop an
appropriate response. Assertion-level risks that are more likely to be the cause of
a material misstatement are further evaluated to understand whether:
• internal controls that address the risk are established by the client
• the controls are designed effectively
• the controls are implemented
• the operating effectiveness of controls will be tested
The intended control reliance in combination with the inherent risk of an
error occurring determines the response to these assertion-level risks with
a higher likelihood of occurrence. Assertion-level risks with a lower
likelihood of occurrence are addressed entirely with a substantive
response.

8.34 When financial statement level risks are identified, the audit team must
carefully consider where these risks could manifest themselves in the financial
statements and respond to them appropriately. Many times these pervasive risks
do not directly affect any particular assertion, but rather impact many assertions.
Some are so pervasive that the entire audit is affected. The proper response for
pervasive risks may not require a response in the audit program itself, but rather
an overall response such as:
• adding more experienced team members
• applying additional professional skepticism as the work progresses
• providing additional review
• performing procedures at or near year end
• varying the nature of the procedures
• including procedures with an element of unpredictability
• reconsidering continuance

8.35 To identify financial statement level risks, the audit team uses their
understanding of the entity and its environment to assess the presence of certain
indicators that Horizon calls the “risk indicators”.

8.36 To identify assertion-level risks, the audit team carefully considers the
information gathered in obtaining an understanding of the entity and its
environment to identify the matters that could impact the financial statements.
Once these “matters” are identified, the audit team can identify the risks that the
matters pose and the assertions where those risks reside.

Risk Indicators

8.37 The risk indicators are conditions, events or characteristics of the entity
and its environment. They reveal the extent to which incentives, opportunities or
circumstances exist that could cause the financial statements to be materially
misstated. The audit team evaluates the applicability of the indicators to
demonstrate their understanding of the entity and to identify matters that could
impact the financial statements. Risk indicators are included in Voyager.

8.38 The risk indicators should not be evaluated until the audit team has a
thorough understanding of the entity and its environment. The risk indicators
reflect the audit team’s knowledge that was obtained by performing the risk
assessment procedures.

8.39 Voyager analyzes the audit team’s applicability assessment of the
indicators and suggests matters that could impact the financial statements (see
next section). The audit team ultimately must determine whether the matters
impact the financial statements and if so, where they would manifest themselves.

8.40 The risk indicators are divided into the categories to which they relate.
Most categories contain several indicators. The applicability of any one indicator
may or may not generate a matter. The categories are:
• business practices
• economic
• external
• going concern
• skills
• management
• nature of transactions
• operating
• ownership
• lifestyle
• reporting pressures
• workplace

8.41 It should be emphasized that the audit team is evaluating applicability of
the risk indicators. The risk indicators are not an individual evaluation of audit risk,
and it is important for the audit team to keep this perspective in mind as they
evaluate them.

8.42 If the audit team believes that an indicator is singularly important
enough that a matter should be generated, but Voyager does not suggest one,
they should manually add the relevant matter.

Matters

8.43 The audit team summarizes the information learned and identified
during the performance of the risk assessment procedures and the evaluation of
the risk indicators by identifying “matters”. Horizon uses the term “matters” to
describe the items identified by the audit team while performing the risk
assessment procedures that may have an impact on the financial statements.

8.44 The audit team should carefully consider each matter to determine
whether it could impact the financial statements. Matters that do not impact the
financial statements need not be considered further; however, the audit team
should document their reasoning.

8.45 For the remaining matters, the audit team should carefully consider
what impact each matter could have on the financial statements. A matter can
affect a single transaction cycle within the financial statements or it could affect
several cycles. For example, the matter “Inventory activities core to operations”
likely affects only the inventory cycle whereas the matter “Inadequate skills of
personnel may increase likelihood of errors” may affect several cycles.

8.46 Matters may be suggested by Voyager based on the documentation
entered by the audit team as they perform risk assessment procedures or matters
may be identified by the audit team.

8.47 Matters suggested by Voyager come from several places, including
those suggested based on:
• the entity’s industry
• an evaluation of the design of entity-level controls
• the presence of certain risk indicators
• the client acceptance process
• the presence of certain revenue indicators
• certain characteristics of the entity

8.48 Matters related to the entity’s industry are linked to risks at the assertion
level. For example, for a commercial entity these matters relate to cycles in the
financial statements such as revenues and inventory. For a depository institution,
they relate to cycles such as loans and deposits. The audit team can accept these
risks, deselect those that do not apply or link the matter to additional risks.

8.49 The matters generated based on the design of entity-level controls are
the result of a very high-level evaluation. Since these matters also relate to control
deficiencies, they are separately evaluated on the Summary of Control
Deficiencies. However, because these particular matters are so pervasive and
could cause misstatements in the financial statements, their effect on the financial
statements should be considered. These matters include:
• lack of segregation of duties
• lack of management oversight
• lack of supervision over business units
• lack of monitoring related parties
• weak governance controls

8.50 The audit team must determine whether these matters could impact the
financial statements and, if so, link them to the appropriate risks that could cause
a material misstatement.

8.51 The existence of risk indicators may result in matters being suggested
(the evaluation of the risk indicators was discussed in the previous section of this
Chapter). Again, the audit team must determine whether these matters could
impact the financial statements and, if so, link them to the risks that could cause a
material misstatement. If the audit team believes that an indicator is singularly
important enough that a matter should be generated, but Voyager does not
suggest one, they should manually add the relevant matter.

8.52 Indicators are also evaluated in the client acceptance process and in
documenting the nature of the entity’s revenue sources.

8.53 When a Voyager file is created for a new client, the audit team should
import the information gathered in the GTI client acceptance tool. This import
process is important for all new clients because it passes information gathered
during client acceptance to Voyager. For a few clients, there could be
circumstances identified that might have an impact on the audit. These include,
among others:
• resignation of the prior auditor
• regulatory investigations
• communication of internal control deficiencies
These circumstances are identified and vetted during the client
acceptance process and when the judgment is made to accept the client,
the Voyager import process ensures that the audit team does not fail to
consider them again in performing risk assessment procedures.

8.54 In documenting the nature of revenue sources, matters may be
suggested. These include contract revenues and revenues that include
multi-deliverables. The audit team is also able to enter additional matters directly in
Voyager’s revenue tool.

8.55 In documenting the understanding of the entity and its environment,
certain characteristics of the entity may be identified that generate a matter. For
example, if the entity has foreign operations a matter will be generated. The audit
team must determine whether these matters could impact the financial statements
and if so, link them to the appropriate risks that could cause a material
misstatement.

8.56 Finally, matters may be identified by the audit team as they perform the
risk assessment procedures. These matters can be entered into the summary and
linked to the risks that could cause a material misstatement.

Evaluating the Likelihood that Assertion-Level Risks Could Cause a Material Misstatement
8.57 As previously discussed, matters are the bridge from the
information gathered by the audit team in obtaining an understanding of the entity
and its environment to the financial statement assertions and the financial
statement risks that could cause material misstatements.

8.58 Matters themselves are not the end objective. Matters are simply the
way Horizon connects the information obtained about the entity and its
environment to financial statement risks. The ultimate objective is to identify the
risks that could cause the financial statements to be materially misstated.

Linking Matters to Financial Statement Risks

8.59 Voyager provides the audit team with the ability to link matters to the
financial statement risks. With the matter highlighted, Voyager displays all of the
significant audit cycles. Within each significant cycle, the financial statement risks
are grouped by the relevant assertion to which they apply. As mentioned earlier,
at this point the audit team can accept these risks, deselect those that do not
apply or link the matter to additional risks.

Significant Cycles

8.60 Horizon utilizes the cycle approach in designing an audit program. This
permits consideration of the interrelationships among income and expense
accounts and corresponding balance sheet accounts in designing an audit
strategy.

8.61 As a reminder, Horizon defines a significant transaction cycle as one
that contains accounts or disclosure amounts that are quantitatively or
qualitatively material to the financial statements. Quantitative materiality is
determined by the audit team and generally includes all accounts or disclosure
amounts greater than tolerable error. Some cycles may not include any accounts
or disclosures that are quantitatively greater than tolerable error, but rather for
qualitative reasons are scoped into the audit. Examples of qualitative factors
include related party transactions, liability accounts where understatement is a
concern, and regulatory importance, among others.

8.62 Horizon does not require the same level of audit effort for every account
or disclosure amount in a significant cycle. Each transaction cycle is viewed in
terms of the financial statement assertions.

Assertions

8.63 The financial statement assertions were discussed in Chapter 1 and
articulate the representations of management that are embodied in the financial
statements. Horizon uses the following assertions:
• existence or occurrence
• completeness
• cut-off
• rights and obligations
• valuation or allocation (gross and net)
• presentation and disclosure

8.64 Not every assertion is relevant to every transaction cycle; valuation in
the cash cycle is one example. Also, not every assertion is an audit concern;
existence for a building is one example. In this example, existence may be
relevant, but little audit effort is required to verify it.

8.65 For assertions relevant to a transaction cycle, Horizon includes specific
risks, grouped within the relevant assertion where they could manifest
themselves. The audit team selects the risks that could cause a material
misstatement. To make these selections, the audit team uses all the knowledge
gathered during performance of the risk assessment procedures.

Financial Statement Risks

8.66 The financial statement risks generally fall into four broad categories.
These are:
• accounting errors
• financial reporting errors
• fraud
• going concern

8.67 While it is helpful to think of risks in such broad terms, it is difficult to
focus audit effort at this level. Accordingly, Horizon further breaks down these
broad risks into specific risks at the financial statement assertion level. This allows
Horizon to suggest an appropriate response when a risk is identified by the audit
team.

8.68 Many of the specific assertion-level risks are common to entities in the
same industry and will be present in most audits. These include risks such as:
• recorded receivables not valid
• allowance for loan losses not adequate
• inventory quantities not valid
• inventory prices not valid
• payables understated or not recorded in correct period
• fair value measurements not correct
• intangible asset allowances not adequate

8.69 Some specific assertion-level risks may not apply to every entity. The
audit team should select these risks only when the circumstances of the
engagement cause these items to be an audit concern. These risks may include:
• bill and hold revenue not valid
• share-based obligations understated
• theft perpetrated through payments to fictitious employees
• deferred tax assets not realizable

8.70 Most of the specific risks included in Horizon are clear. Risk terms such
as “understated”, “not correct”, “not adequate”, and “not realizable” are
commonly used in auditing literature. Horizon uses the term “not valid” to describe
circumstances where the population being tested may include items that should
not be there. This could be because a transaction was recorded in error, a price
was not updated, or a quantity was overstated.

8.71 Audit effort will only be expended on risks that could cause a material
misstatement. Therefore it is important that the audit team identify all assertion-
level risks that could be the cause of a material misstatement. This importance
requires the audit partner and manager to actively participate in the risk
assessment process.

Determining Identified Risks with Higher Likelihood of Material Misstatement

8.72 Horizon is designed to focus audit effort on assertions that pose the
greatest risk. This requires the audit team to first identify the specific risks within
an assertion that could cause a material misstatement, which was discussed in
the previous section. Next, because the same degree of risk of material
misstatement does not necessarily apply to all the identified risks within an
assertion, the audit team must make a judgment about the likelihood that each
risk could cause a material misstatement. Accordingly, Horizon categorizes risks
as those that are reasonably possible and those that are not reasonably possible.

8.73 A risk is “reasonably possible” when the likelihood of it occurring is
more than remote. When the audit team believes that a material misstatement is
not very likely in a particular account, then the associated risks are remote (not
reasonably possible).

8.74 Risk of misstatement is implicit in all financial statements and therefore
every audit will have risks that are reasonably possible. Designating a risk as
reasonably possible does not mean that the audit team expects to find material
errors or fraud. However, it does cause the program to reflect the possibility that
material errors or fraud could be present.

8.75 At this point in the audit process the audit team has identified the
financial statement risks that could cause a material misstatement and separated
them into two categories:
• those where the risk of material misstatement is reasonably possible (more likely)
• those where the risk of material misstatement is not reasonably possible (less likely)

8.76 To determine whether a particular risk is reasonably possible or not
reasonably possible, it might be helpful to think about the attributes of financial
statement risks. The key attributes that affect this determination are summarized
in the following table:

| Reasonably Possible Risks | Not Reasonably Possible Risks |
|---|---|
| Inherent risk of the related assertion is NOT low | Inherent risk of the related assertion is low |
| Management establishes numerous and often very precise controls | Management establishes high level and less precise controls |
| Substantive procedures could vary by applying a controls-testing strategy | Substantive procedures would not vary, regardless of strength of controls |

It is not logical for risks affecting assertions with low inherent risk to be
reasonably possible of causing a material misstatement. Either inherent
risk is not assessed correctly or the risk is actually a not reasonably
possible risk. Also, clients establish more precise controls over the
processes where material misstatements are more likely. When the audit
team finds numerous controls addressing a particular risk, this indicates
that the risk is reasonably possible. Finally, the substantive response for
some risks does not vary significantly regardless of the number of controls
established by the client or whether such controls are tested by the audit
team. For such risks, this is an indicator that they are not reasonably
possible.

8.77 It is fundamental to the Horizon approach to identify financial statement
risks that could cause a material misstatement and to judge these risks as either
being reasonably possible or not reasonably possible. As discussed in the next
section, these assessments directly impact how the audit team responds to the
identified risks, which is why it is so important to assess them correctly.

Responding to Assertion-Level Risks

Reasonably Possible Risks

8.78 Because a reasonably possible risk is one where the risk of a material
misstatement is more than remote, the audit team must design a response that
will identify material misstatements, if present. Horizon suggests the appropriate
response based on a combined risk assessment that is determined by:
• the intended reliance on internal controls
• the assessment of inherent risk for the related assertion

Activities-Level Internal Controls

8.79 Clients establish internal controls to address the risks of a material
misstatement. The audit team must understand these controls for reasonably
possible risks. Chapter 9 describes the Horizon approach to understanding
controls.

8.80 After the audit team understands the internal controls established by
management, they must decide whether the audit strategy for a particular risk will
include an expectation that the controls operate effectively.

8.81 When controls are designed effectively and are implemented, it is often
most efficient to test such controls. Nevertheless, Horizon does not require the
audit team to test the operating effectiveness of internal controls. For each risk,
Horizon provides for three levels of control reliance. These are:
• tests of key controls establish that controls operate effectively (high reliance)
• walkthrough tests support that controls are designed effectively and implemented as designed (some reliance)
• controls are missing, not designed effectively, not implemented, or not operating effectively (no reliance)

8.82 Chapter 10 describes the Horizon approach to testing the operating
effectiveness of internal controls.

Inherent Risk

8.83 Inherent risk is defined in the standards as the susceptibility of a
relevant assertion to a misstatement that could be material, either individually or
when aggregated with other misstatements, assuming that there are no related
controls. In Horizon, inherent risk is assessed for assertions that contain
reasonably possible risks. Inherent risk is assessed as High, Medium or Low.

8.84 Inherent risk is greater for some assertions than for others. For
example, cash transactions are generally more susceptible to theft than certain
raw materials inventories. Complex calculations are more likely to be materially
misstated than simple calculations. Accounts consisting of amounts derived from
accounting estimates will have greater risk than accounts consisting of relatively
routine, factual data.

8.85 Ordinarily, audit teams will assess inherent risk as being either medium
or high since it is not logical to assess inherent risk as low for an assertion that
contains reasonably possible risks. In rare cases where the audit team considers
the proper assessment of inherent risk for an assertion to be low, therefore
requiring only a minimal response to the risks within that assertion, it is likely that
the associated risks were incorrectly assessed as being reasonably possible.

8.86 The audit team is required to document their reasoning for the inherent
risk assessment. Voyager includes inherent risk indicators that can be selected by
the audit team to support their assessment of inherent risk. This provides
sufficient support for the inherent risk assessment. The audit team may choose
not to use the inherent risk indicators as their documentation and if they make this
choice, they should document the basis of their assessment by placing a short
memorandum in the text box provided in Voyager.

8.87 The assertion-level inherent risk indicators relate to:
• misstatements identified by the audit team in prior audits
• difficulties experienced in performing prior audits
• unexplained relationships identified in performing planning analytics
• negative trends identified in performing planning analytics
• accounts associated with the assertion include large monetary amounts
• a cycle associated with the assertion processes high volumes of transactions
• proper accounting requires specialized skills
• the characteristics of the accounts associated with the assertion involve complex accounting matters or significant judgments or estimates
• accounts associated with the assertion that involve significant, numerous or questionable related party transactions
• accounts associated with the assertion, particularly those accounts with potential for fraudulent financial reporting
• accounts associated with the assertion comprised of assets with the potential for misappropriation
• recent changes in the processing of transactions or accounts associated with the assertion
• recent accounting changes regarding the accounts associated with the assertion

Not Reasonably Possible Risks

8.88 Horizon requires an audit response for all significant cycles. The audit
team may judge that a transaction cycle has no reasonably possible risks even
though it may contain material monetary amounts.

8.89 When the risk of material misstatement is not reasonably possible,
substantive procedures alone appropriately reduce the risk of a material
misstatement to an acceptably low level. Also, the substantive procedures
performed in response to not reasonably possible risks are ordinarily less
extensive than those procedures required for reasonably possible risks. For
example, the risk of material misstatement for the risk “capital asset activity not
valid” may be addressed by performing procedures such as scanning and
vouching large and unusual additions whereas sampling might be appropriate if
the risk were reasonably possible.

Discussion Among Audit Team Members


8.90 The culmination of the risk assessment process is the meeting of the
audit team to discuss the risk assessments (see Exhibit 8.1). Active participants
should include the engagement partner, along with all key members of the audit
team, which could include the IT specialists, valuation specialists and tax
personnel. The discussion participants also could include members of the audit
team that may operate in different offices, including GTI member firms and other
auditors. The quality control reviewer may attend this meeting but, to remain
impartial, should not actively participate.

8.91 The audit team should complete the necessary risk assessment
procedures before tailoring the audit programs, setting scopes, and performing
significant substantive procedures or tests of controls. The risk assessment
process is ongoing and as such, the audit team considers risks throughout the
performance of the entire engagement. The risk assessment process does not
end merely because the audit team finished a formal risk assessment meeting. If
additional risks are noted in other stages of the audit, the audit team addresses
them by developing an appropriate response.

8.92 The objective of the discussion is for audit team members to:
• gain a better understanding of the potential for material misstatements resulting from fraud or error in the specific areas assigned to them
• understand how the results of the audit procedures in one area may affect other aspects of the audit

8.93 The discussion among the audit team members should specifically
include how and where they believe the entity’s financial statements might be
materially misstated.

Fraud

Overview

8.94 The term “fraud” refers to intentional acts of one or more individuals that
result in a material misstatement of financial statements. In assessing risks, the
audit team needs to be alert to the possibility of fraud. The audit team should plan
and perform the audit to determine that the financial statements are free of
material errors, including those due to fraud. Further, the audit team should
consider whether factors are present that could indicate fraud. This involves
considering where in the business or in the financial statements fraud could be
occurring. If fraud factors are present, audit procedures should be designed to
obtain reasonable assurance that material fraud will be identified. Horizon
includes the fraud risk factors in the inherent risk indicators discussed above.

8.95 For audit purposes, two types of misstatements are relevant when
considering fraud: misstatements arising from fraudulent financial reporting and
misstatements arising from misappropriation of assets.

8.96 Fraudulent financial reporting may be accomplished by the following:
• manipulation, falsification or alteration of records or documents
• misrepresentation in or intentional omission from the financial statements of events, transactions, or other significant information
• intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure

8.97 Misappropriation of assets may be accomplished by the following:
• embezzling funds
• stealing assets
• causing the entity to pay for goods or services that have not been received

8.98 Three conditions are normally present when fraud occurs. First,
management or employees have an incentive or are under pressure, which
provides a reason to commit fraud. Second, circumstances exist – for example,
the absence of controls, ineffective controls, or the ability of management to
override controls – that provide an opportunity for a fraud to be perpetrated. Third,
those involved are able to rationalize committing a fraudulent act. Some
individuals possess an attitude, character, or set of ethical values that allow them
to knowingly and intentionally commit an act of fraud. These three conditions are
known as the fraud triangle and all three elements are present in frauds. While the
auditor cannot read minds to evaluate the rationalization or attitude of the
individual(s) committing the fraud, the incentives or pressures and opportunities
are often red flags that could indicate fraud.

Obtaining Information to Identify Fraud Risks

8.99 Certain information should be obtained and evaluated to assess fraud
risks, such as:
• considering the presence of one or more of the fraud risk factors. These factors are classified according to the conditions that are always present in frauds: incentives to perpetrate fraud, opportunity to carry out the fraud, and rationalization to justify the fraudulent action
• inquiring of management and others within the entity (including those charged with governance, internal auditors, and others, such as in-house legal counsel and lower-level employees) to obtain their views about the risks of fraud and how they are addressed
• inquiring of internal auditors about whether management has satisfactorily responded to findings resulting from their procedures and whether they have knowledge of any fraud or suspected fraud
• considering any unusual or unexpected relationships that have been identified in performing analytical procedures. Analytical procedures for revenues are required while planning the audit, as well as through the end of the reporting period, on every engagement
• considering information obtained from:
  − discussions among audit team members
  − procedures relating to the acceptance and continuance (re-acceptance) of clients and engagements
  − reviews of interim financial statements
  − other risk assessment procedures

8.100 This information should enhance the audit team’s ability to identify
areas (assertions, accounts, classes of transactions or disclosures) where fraud
could occur and to develop an appropriate response. This identification process
includes considering the type, significance, pervasiveness, and likelihood of the
risk of fraud.

8.101 The risk of improper revenue recognition is presumed to be reasonably
possible within Voyager.

Evaluating Programs and Controls That Address Fraud Risks

8.102 As part of understanding internal control sufficient to plan the audit, the
audit team should evaluate whether entity programs and controls that address
identified risks of fraud have been suitably designed and placed in operation. The
audit team then considers whether these programs and controls mitigate or
exacerbate the identified risks before responding to those risks.

8.103 The risk of management override is always present and requires
consideration, especially when understanding internal control (see Chapter 9).

8.104 The results of audit tests may indicate fraud or the audit team’s risk
assessment may indicate high risk of fraudulent financial reporting or
misappropriation of assets. In such cases, the audit team should consider
withdrawing from the engagement and communicating the reasons for withdrawal
to those charged with governance. The appropriate course of action depends on
the diligence and cooperation of senior management and those charged with
governance in investigating the circumstances and taking appropriate action.
Because of the variety of circumstances that may arise, it is not possible to
describe definitively when withdrawal is appropriate.

8.105 The PSP and the OMP or RPPS should be consulted in these
situations. The OMP or RPPS will determine the need to consult with the firm's
legal counsel.

Approval and Communication of the Audit Plan


8.106 The tailored audit plan, including the logs in Voyager, should be
reviewed and approved by both the audit manager and the audit partner before
fieldwork is started. The quality control reviewer should also review the audit plan
before the start of substantive audit procedures for all initial audits of public
companies and for engagements where the RPPS will be involved. Confirming
significant aspects of the audit plan and risk assessments with the quality control
reviewer is encouraged for all other audits.

8.107 The nature and extent of communicating the audit plan will vary,
depending on the circumstances. At a minimum, the plan should be
communicated to all staff assigned to the audit to the extent that they are affected
and should include the information necessary to enable such personnel to have
an appropriate understanding of their individual role in the audit.

8.108 The overall audit plan should be discussed with client management and
those charged with governance to ensure that the audit team will obtain appropriate
client assistance and that the client's expectations are in line with the plan. The client
also should be aware of the anticipated timetable.

Consideration of Laws and Regulations

8.109 Knowledge of the business includes obtaining an understanding of the
legal and regulatory framework applicable to both the client and the industry. The
audit team should also obtain a clear understanding of how the client is complying
with the framework.

8.110 When planning and performing audit procedures and in evaluating and
reporting the results thereof, the audit team should recognize that non-compliance
by the client with laws and regulations may affect the financial statements.

8.111 Procedures to help identify instances of non-compliance include:
• making inquiries of management as to whether they are aware of any breach of laws or regulations that could have a material effect on the financial statements
• inspecting correspondence with the relevant licensing or regulatory authorities

8.112 The audit team should obtain written representations from management
that all known actual or possible non-compliance is disclosed.

8.113 If the audit team becomes aware of possible non-compliance, they
should obtain a sufficient understanding of the issues to assess its effect on the
financial statements. This may include consulting with outside professional
advisors. They should also document their findings and discuss them with
management.

Illegal Acts by Clients

8.114 Illegal acts refer to violations of laws or government regulations. In an
audit, illegal acts by clients are acts attributable to an entity or acts by
management or employees acting on behalf of the entity. Based on training,
experience and knowledge of the client's industry, the audit team may recognize
that an act is potentially illegal. However, the determination of whether an act is, in
fact, illegal is normally beyond our professional competence. The audit team
should bring any potential illegal acts to the partner’s attention.

8.115 In an audit, laws and regulations that are generally recognized to have
a direct and material effect on the financial statements (e.g. tax laws) are
considered from the perspective of their relationship to pertinent financial
statement assertions, rather than from the perspective of legality.

8.116 The audit team’s responsibility to detect and report misstatements
resulting from illegal acts having a direct and material effect on the determination
of financial statement amounts is the same as for errors and fraud.

8.117 Other illegal acts are those that may have an indirect financial
statement effect. Entities may be affected by many laws or regulations (e.g.
securities trading, occupational safety and health, environmental protection) which
generally relate more to operations than to financial and accounting matters, and
their financial statement effect is indirect (e.g., normally, the need to disclose a
contingent liability). Ordinarily, the audit team does not have sufficient basis for
recognizing possible violations of such laws and regulations. Even when violations
of such laws and regulations can have a material financial statement effect, they
may not become aware of such illegal acts unless they are informed by the client
or they find evidence of an investigation concerning legality in the client's
accounting records normally subjected to audit procedures.

8.118 Ordinarily, an audit does not include procedures specifically designed to
detect illegal acts. However, certain customary procedures, such as reading
minutes and inquiries of management and client legal counsel, may bring possible
illegal acts to our attention. The audit team ordinarily obtains written
representations from management concerning the absence of violations or
possible violations of laws or regulations that might have a financial statement
impact. In applying audit procedures and evaluating the results of those
procedures, the audit team may become aware of specific information regarding
possible illegal acts, such as unauthorized or improperly recorded transactions,
investigations by a government agency, payment of unusual fines or penalties, or
failure to file tax returns. There is no requirement to perform further procedures in
this area in the absence of specific information concerning possible illegal acts.

Exhibit 8.1 - Conducting Effective Brainstorming Sessions

8.500 Who should participate in the risk assessment meeting, including the
brainstorming session?
The audit partner must attend and actively participate in the meeting. In addition,
all key audit team members should participate, including IT specialists, valuation
specialists and tax personnel, when circumstances warrant and as required by
firm policy. This includes professionals in other offices of the firm, GTI member
firms and other auditors.
The quality control reviewer may attend the meeting to observe discussions and
raise concerns. However, to remain impartial, the quality control reviewer should
not actively participate in risk assessment discussions.
Less experienced staff members may also be invited to attend to aid in their
professional development and to assist them in gaining a better understanding of
the client.

8.501 When should the brainstorming session take place?


The brainstorming session should take place during the risk assessment
meeting, but should not occur prior to completing all the other risk assessment
procedures.
The amount of time required for the brainstorming session will depend on the
complexity of the audit. Keeping the meeting focused will help the participants
stay engaged, while allowing enough time for participants to share all their ideas.
Arbitrary time limits should not be used as a reason to stop a productive session.

8.502 What actions should the audit team take after the risk assessment
meeting?
The audit partner should remind the audit team to maintain, throughout the entire
audit, a mindset that recognizes the possibility that a material misstatement due
to fraud could be present, regardless of any past experience with the entity or the
beliefs about management’s honesty and integrity. In other words, it is important
to maintain professional skepticism throughout the audit.
