What is the purpose of audit risk assessment?

Audit risk assessment is the process that we perform in the planning stage of the audit. As auditors, we perform audit risk assessment by identifying the risks of material misstatement and responding to such risks with suitable procedures.

We usually perform an audit risk assessment after obtaining an understanding of the client’s business and control environment. In this case, we usually try to identify the risks while gaining an understanding of the client’s business and control environment.

Then, we assess how those risks could impact financial statements and make a proper response to such risks by designing suitable audit procedures.

Risk assessment is performed in the risk-based approach of auditing, in which we focus our audit process on those high-risk areas.

Audit Risk Assessment Procedures

Audit risk assessment procedures usually consist of a two-step process: identifying and responding to risks of material misstatement.

Identify Risk of Material Misstatement

Our objective here is to identify the risk of material misstatement that can occur on the financial statements. In this case, we need to identify both inherent and control risks and properly assess their levels (high, moderate, or low).

The procedures of audit risk assessment in this step may include:

  • Inquiries of the client’s management and related personnel on matters related to risks of material misstatement due to fraud or error.
  • Performing preliminary analytical procedures.
  • Observation of the client’s operations and other related areas.
  • Inspection of documentation such as internal control procedures and management reports.

Respond to Risk of Material Misstatement

After identifying and assessing the level of risk of material misstatement, we need to properly respond to such risks based on their severity.

In this case, we usually perform the following procedures:

  • Designing suitable audit tests that may include both tests of controls and substantive audit procedures. This is usually influenced by the assessed risk of internal control. For example, if the control risk is high, we will skip the test of controls and perform more substantive procedures.
  • Forming an audit team with sufficient knowledge, skills, and experience concerning the assessed risk.
  • Making sure that audit team members maintain professional skepticism at all times.
  • Making sure the appropriate level of supervision is in place.

It is useful to note that risk assessment procedures by themselves do not provide us with sufficient appropriate audit evidence to form a basis for an opinion. Hence, we need to perform the next stage of the audit, which may include tests of controls, substantive analytical procedures and tests of details. This is so that we can obtain sufficient appropriate audit evidence on which to base our audit opinion.


Risk assessment is the identification and analysis of relevant risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed.

During the risk assessment process, Internal Auditing identifies and assesses both the likelihood and potential impact of various risks to the organization. Internal controls are then identified and evaluated to determine how adequate they are in reducing risk to ensure that residual risk is at manageable levels. Residual risk is the risk that something will occur after controls or procedures are implemented to prevent it. In addition to audits required by state regulations, those activities or functions with higher levels of residual risk are typically selected for audits.

Developing the Audit Plan:

The WIU Office of Internal Auditing develops the annual audit plan using a risk-based approach.  The annual risk assessment process occurs in late spring or early summer to facilitate the development of a two-year audit plan.  Internal Auditing conducts the risk assessment process through discussions with management; review and analysis of budgets and proposed programs; and a systematic evaluation of risk factors covering the functional and organizational units of the University.  Based upon the results of the risk analysis, a proposed audit plan is presented to the Senior Executive Cabinet for their review and approval.  Upon consensus by the Cabinet, the audit plan is submitted to the University President for approval.  Next, the audit plan is presented to the University Board of Trustees Audit Committee for their review and approval.  The two-year plan is updated annually and may be modified as unplanned issues of potential risk are identified throughout the year.  The plan is required to be completed before June 30th of each year for the next two fiscal year periods. 

Let us consider each of these four stages in more detail.

1. Risk assessment procedures
ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risks, and these risks must then be considered when designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. ISA 315 goes on to identify the following three risk assessment procedures:

Making inquiries of management and others within the entity
Auditors must have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals.

Analytical procedures
Analytical procedures performed as risk assessment procedures should help the auditor in identifying unusual transactions or positions. They may identify aspects of the entity of which the auditor was unaware, and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks.

Observation and inspection
Observation and inspection may also provide information about the entity and its environment. Examples of such audit procedures can potentially cover a very broad area, including observation or inspection of the entity’s operations, documents, and reports prepared by management, and also of the entity’s premises and plant facilities.

ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion.

2. Understanding an entity
ISA 315 gives detailed guidance about the understanding required of the entity and its environment by auditors, including the entity’s internal control systems. Understanding of the entity and its environment is important for the auditor in order to help identify the risks of material misstatement, to provide a basis for designing and implementing responses to assessed risk (see reference below to ISA 330, The Auditor’s Responses to Assessed Risks), and to ensure that sufficient appropriate audit evidence is collected. Given that the focus of this article is audit risk, however, students should ensure that they also make themselves familiar with the concept of internal control, and the components of internal control systems.

3. Identification and assessment of significant risks and the risks of material misstatement
In exercising judgement as to which risks are significant risks, the auditor is required to consider the following:

  • Whether the risk is a risk of fraud.
  • Whether the risk is related to recent significant economic, accounting or other developments, and therefore requires specific attention.
  • The complexity of transactions.
  • Whether the risk involves significant transactions with related parties.
  • The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty.
  • Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.


4. ISA 330 and responses to assessed risks

The requirements of ISA 330, The Auditor’s Responses to Assessed Risks, will be covered in a future article, but essentially ISA 330 gives guidance about the nature and extent of the testing required, based on the risk assessment findings.


AUDIT RISK AND BUSINESS RISK

For the purposes of the Paper F8 exam, it is important to make a distinction between audit risk and business risk (which is not examinable in Paper F8), even though ISA 315 itself does not make such a distinction clear. ISA 315(2) defines business risk as follows:

‘A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.’

Hence, business risk is a much broader concept than audit risk. Students are reminded that business risk is excluded from the Paper FAU and Paper F8 syllabus, although it is examinable in Paper P7.


THE AUDIT RISK MODEL

Finally, it is important to make reference to the so-called traditional audit risk model, which pre-dates ISA 315 but remains important to the audit process. The audit risk model breaks audit risk down into the following three components:

Inherent risk
This is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Control risk
This is the risk that a misstatement could occur in an assertion about a class of transaction, account balance or disclosure, and that the misstatement could be material, either individually or when aggregated with other misstatements, and will not be prevented or detected and corrected, on a timely basis, by the entity’s internal control.

Detection risk
This is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

The interrelationship of the three components of audit risk is outside the scope of this current article. Paper F8 students, however, will typically be expected to have a good understanding of the concept of audit risk, and to be able to apply this understanding to questions in order to identify and describe appropriate risk assessment procedures.


THE UK AND IRELAND PERSPECTIVE

The UK Auditing Practices Board announced in March 2009 that it would update its auditing standards according to the clarified ISAs, and that these standards would apply for audits of accounting periods ending on or after 15 December 2010. UK and Irish students should note that there are no significant differences on audit risk between ISA 315 and the UK and Ireland version of the standard.


CONCLUSIONS

The concept of audit risk is of key importance to the audit process and Paper F8 students are required to have a good understanding of what audit risk is, and why it is so important. For the purposes of the Paper F8 exam, it is important to understand that audit risk is a very practical topic and is therefore examined in a very practical context. Any definition or explanation of the audit risk model itself will usually only be allocated a small number of marks, but many students still include such definitions in answers to case study and scenario questions which require a practical application of audit risk assessment procedures. Students must also be prepared to apply their understanding of audit risk to questions and come up with appropriate risk assessment procedures.

Written by the assessor for Paper F8


References

  1. IAASB Handbook 2009, Glossary of Terms.
  2. ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment, paragraph 4 (b).