Slides on Risk Based Approach to Auditing Financial Statements suitable for students preparing for the Auditing Exam either for the university course or for professional body
2. Risk Based Approach to Auditing
• Business Risk
– The risk that the entity will fail to achieve its
business objectives such as:
• S/H wealth maximisation
• Market share
• Audit Risk
– The risk that an incorrect audit opinion is given on
the financial statements
3. The Components of Audit Risk
• Engagement risk
• Inherent risk
– Entity level
– Account balance & class of transactions level
• Control risk
• Detection risk
– Sampling risk
– Quality control risk
• Independent in fact risk
4. Engagement Risk
• Audit of a new client is more risky than an
existing client due to the lack of in-depth
knowledge of the client
• Risk also stems from the tendering process –
too low an audit fee may result in reduced
audit work
5. Independence in Fact Risk
• There is a close link between engagement risk
and independence in fact risk
• This is the risk of auditor giving a clean audit
report despite the fact that the audit tests and
procedures have detected misstatements
causing the financial statements not to give a
true and fair view
6. Inherent Risk (1)
• This is the risk arising from the nature of the
environment in which the company operates.
• Factors which affects the impact of inherent risk at
the entity level per SAS 300 are:
1. Integrity of directors & management
2. Management experience
3. Changes in management during the period
4. Pressures on directors such as:
• Tight reporting deadlines
• Market expectations
• Large number of business failures in the industry
7. Inherent Risk (2)
5. Nature of entity’s business such as
• The speed at which the company’s products & services
become obsolete
• The complexity of the company’s capital structure
• Significance of the company’s related parties
• Number of locations & geographical spread of the
company’s production facilities
6. Factors affecting the entity’s industry such as
• Economic & competitive conditions
• Regulatory requirements & changes in technology
• Consumer demand
• Accounting practices common in the industry
8. Inherent Risk (3)
• Factors which affect the impact of inherent
risk at account balance level per SAS 300 are:
1.Susceptibility to misstatement evidenced by prior
year’s audit
2.Complexity of underlying transactions
3.Degree of judgement involved in determining
account balances
4.Quality of accounting systems
5.Unusual or complex transactions at year end
6.Number of transactions not subject to ordinary
processing (e.g. politically sensitive transactions)
9. Control Risk (1)
• This is the risk that controls do not operate properly
and fail to reduce the impact of inherent risk
• Factors increasing control risk include:
1. Trade-off between cost & benefit
2. Human error
3. Ability to override controls
4. Controls not keeping pace with change
5. Complex computer systems
6. Not covering non-routine transactions
10. Control Risk (2)
Factors reducing control risk include:
• Good control environment
• Specific controls over account balances &
classes of transactions
SAS 300.3 clearly states
• ‘In planning the audit, auditors should obtain and
document an understanding of the accounting
system and control environment sufficient to
determine their audit approach’.
11. Detection Risk
• This is the risk that material misstatements are
not detected through the planned audit tests
and procedures
• Detection risk can be analysed into:
– Sampling risk
– Quality control risk
12. Sampling risk
Sampling Risk includes:
The risk that sample is not representative of
the population and that results are
misinterpreted
Judgement risk – incorrect conclusion derived
from the sample test
13. Quality Control Risk
• This is the risk that the auditor fails to:
– Collect sufficient audit evidence and/or
– Evaluate the evidence collected properly
• This includes judgement risk by staff and
reviewers of audit files
14. Relationship Between
the Components of Audit Risk
AR = IR x CR x DR
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk
15. Business Risk & Inherent Risk Approaches (1)
• Similarities
– Both use a top-down approach in that initially the
company is considered in its entirety before
deciding what steps are needed to achieve its
objectives
– Factors affecting inherent risk (and indeed factors
affecting control risk) may well affect business risk
– Analysis of both inherent risk & business risk help
auditors better understand the company and its
operations and in planning and conducting their audit
16. Business Risk & Inherent Risk Approaches (2)
• Dissimilarities
– Auditors consider inherent risk in relation to its
impact on the financial statements whereas the
business risk approach considers those risks
impacting the company in achieving its
objectives
– Some argue that since business objectives are
different from audit objectives, then factors
affecting these two sets of objectives cannot be
similar
17. Business Risk & Audit Process
• A business risk approach might benefit auditors
in the following ways:
– It improves the basic audit of the financial
statements and the chances of giving a correct
audit opinion
– It makes the audit more efficient and
consequently more profitable
– Potential for giving assurance to management
beyond traditional audit
– Due to better understanding of business & its
risks:
Potential to contribute to corporate governance & disclosure
Potential to reduce engagement risk
18. Analytical Review (1)
• Analytical procedures are defined in SAS 410
as:
– The analysis of relationships:
Between items of financial data, or between items of
financial & non-financial data, deriving from the same
period; or
Between comparable financial information deriving
from the different periods or different entities
to identify consistencies and predicted patterns or
significant fluctuations and unexpected
relationships, and the results of investigation
thereof
19. Analytical Review (2)
• SAS 410 also sates:
– Analytical procedures should be applied by
auditors particularly at the planning stage to assist
in:
understanding the entity’s business,
identifying areas of potential audit risk, and
planning the nature, timing and extent of other audit
procedure
• Analytical procedures are an important aid in reducing
overall audit risk and for reducing detection risk