Audit risk in a brave new world
by
30 Sep 2004

Namasiku

Liandu

Auditors whose main professional occupation is to audit the financial
statements of entities (predominantly incorporated entities) are exposed to
audit risk. It is their occupational hazard. Auditors should therefore understand
audit risk, what it is and how to deal with it.
What is audit risk?
Basically, audit risk is the risk arising from carrying out audit work. It is the risk
of the auditor 'suffering loss' as a result of giving an inappropriate audit
opinion. The loss may be in the form of damage to the auditor's reputation
(and resulting business loss) or in the form of monetary compensation for
damages to another person (the client or a third party), or indeed both
(reputational and monetary). An auditor gives an inappropriate opinion by, for
example, stating that the financial statements show a true and fair view when
in fact they do not, or that they do not give a true and fair view when in fact
they do. This may arise from:




not gathering appropriate audit evidence
being deliberately misled by those providing the evidence who conceal evidence that would
have led to a different opinion, or who falsify evidence
misinterpreting (drawing inappropriate conclusions from) the evidence gathered.

In summary, audit risk is the risk that the auditor will suffer financial and/or
reputational loss as a result of doing something wrong or omitting to do
something during an audit engagement. All audits, therefore, involve risk.
There is always the possibility of fraud or error remaining undetected no
matter how careful an auditor is in gathering and assessing audit evidence in
support of the auditor's resulting opinion. It is possible that the auditor will
arrive at an unsuitable opinion. A large part of an audit engagement is dealing
with this risk - assessing it at the start of the engagement, and gathering
evidence and reassessing it during the engagement.

How does the auditor deal with audit risk?

It is at this point that we should look at the guidance that exists within the
international context. This includes guidance from the International Audit and
Assurance Standards Board (IAASB) of the International Federation of
Accountants (IFAC). This guidance comes in the form of International Standards
on Auditing (ISAs) and can be downloaded free of charge from the IAASB and
IFAC websites on completion of an online registration form.
Relevant to audit risk are the new ISAs which the IAASB has grouped together
and called 'The Risk Standards'. These are:
 ISA 315, Understanding the Entity and its Environment and Assessing the Risks of Material
Misstatements
 ISA 330, The Auditor's Procedures in Response to Assessed Risks
 ISA 500 (Revised), Audit Evidence.
As a result of these ISAs being issued, conforming amendments have been
made to ISA 200, Objective and General Principles Governing an Audit of
Financial Statements. The changes principally relate to the expression of the


audit risk model. Changes are being made to other ISAs to ensure conformity

and consistency with these 'newly released' audit risk ISAs. For example, ISA
240 (Revised), The Auditor's Responsibility to Consider Fraud and Error in an
Audit of Financial Statements, issued in February 2004, makes reference to
relevant paragraphs of the risk standards.
The risk standards, which should be effective for audits of financial periods
beginning on or after 15 December 2004, replace the following ISAs:
 ISA 310, Knowledge of the Business
 ISA 400, Risk Assessment and Internal Control
 ISA 401, Auditing in a Computer Information Systems Environment.
The requirements in these newly-issued risk standards represent significant
changes to the standards governing audits of financial statements. They
enable the auditors to focus more clearly on areas where there is a greater risk
of misstatement of the financial statements. The belief is that these risk
standards will increase audit quality. This is as a result of better risk
assessments through a more detailed understanding of the entity and its
environment, including internal control, and improved design and performance
of audit procedures to respond to assessed risks of material misstatements.
The improved linkage of audit procedures and assessed risks is expected to
result in a greater concentration of audit effort on areas where there is a
greater risk of material misstatements.
The scope of each of the risk standards is reflected in the introduction to the
standards, and can be summarised as follows.

ISA 315

This standard provides guidance on performing audit procedures to obtain a
broader understanding of the entity and its environment, including its internal
control, and on assessing risks of material misstatement. The IAASB recognises
that there may be specific considerations relevant to the audit of small entities
and ISA 315 includes such considerations.


ISA 330

This standard provides guidance on determining overall responses to assessed
risks at the financial statement level and on designing and performing further
audit procedures to respond to assessed risks of material misstatements at the
assertions level.

ISA 500 (Revised)

This standard provides guidance on:
 what constitutes audit evidence
 the sufficiency and appropriateness of audit evidence obtained
 the
auditor's
use
of
and
 the auditor's procedures for obtaining audit evidence.

assertions

It provides additional guidance about the auditor's use of assertions and the
qualitative aspects of audit evidence.

Addition to ISA 200

This standard explains the traditional audit risk model in an appendix where
the additional guidance is underlined. Audit risk is defined as 'the risk that the
auditor expresses an inappropriate audit opinion when the financial

statements are materially misstated'. This definition does not include the risk
that the auditor might erroneously express an opinion that the financial


statements are materially misstated. The components of audit risk are
explained (inherent risk plus control risk and detection risk). Audit risk is a
function of the risk of material misstatements and detection risk. The auditor
carries out audit procedures to assess the risk of material misstatement and
seeks to limit detection risk by performing further audit procedures based on
that assessment. The audit process involves the exercise of professional
judgment in designing the audit approach, through focusing on what can go
wrong (the potential misstatements) at the assertion level and performing
audit procedures in response to the assessed risks in order to obtain sufficient
appropriate audit evidence.
ISA 240 (Revised) builds on these risk standards and requires the auditor to
focus on areas where there is a risk of material misstatement due to fraud,
including management fraud. The revised standard emphasises the need for
the auditor to maintain an attitude of professional scepticism throughout the
audit, notwithstanding the auditor's past experience about the honesty and
integrity of management and those charged with governance. Among other
things, ISA 240 (Revised) requires:
 the engagement team to discuss how the financial statements may be susceptible to material
misstatement due to fraud and the audit procedures that should be more effective for their
detection
 the auditor to design and perform audit procedures to respond to the identified risks of
material misstatement due to fraud, including procedures to address the risk of management
overriding controls.

Some practical implications of these new international standards on auditing
External auditors have responsibilities in respect of the risk of fraud and error

in an audit of financial statements. These include:
 conducting the audit in accordance with ISAs
 obtaining reasonable assurance that the financial statements as a whole are free from
material misstatements, whether caused by fraud or error
 performing risk assessment procedures in order to obtain an understanding of the entity and
its environment, including its internal control. The procedures include making inquiries of
management, of those charged with governance and of appropriate others within the entity
(eg operating personnel, chief ethics officer and fraud investigating officer), considering
whether one or more fraud factors exist, considering any unusual relationships that have
been identified in performing analytical procedures and considering other information that
may be helpful in identifying the risks of material misstatements due to fraud
 maintaining an attitude of professional scepticism throughout the audit
 considering the potential for management override of controls and recognising the fact that
audit procedures that are effective for detecting error may not be appropriate in the context
of an identified risk of material misstatement due to fraud
 accepting records and documents as genuine unless the auditor has reason to believe the
contrary
 investigating further by, for example, using the work of an expert or confirming directly
with a third party if conditions identified during the audit cause the auditor to believe that a
document may not be authentic
 discussing with the members of the engagement team the susceptibility of the entity to
materially misstate the financial statements.
Auditors seek information and perform procedures during the planning, risk
assessment and determination of the audit approach for the audit of a


company. The information sought includes that relating to:
 the entity's organisational structure, business and controls
 past misstatements and whether or not they were corrected on a timely basis (beware of
changes in the entity and its environment that would render this historical information

irrelevant)
 the environment in which the financial statements are prepared
 litigation compliance with laws and regulations, knowledge of fraud or suspected fraud
affecting the entity, post-sales obligations, arrangements (eg joint ventures) with business
partners, warranties and the meaning of contract terms
 information relating to changes in the entity's marketing strategies, sales trends, or
contractual arrangements with customers
 the design and effectiveness of the entity's internal control and whether management has
satisfactorily responded to any findings from these activities
 the appropriateness of the selection and application of certain accounting policies.
The procedures to be performed include:
 inquiries of management and others within the entity
 analytical procedures
 observation and inspection
 any other procedures where the information obtained may be helpful in identifying risks of
material misstatements.
In performing risk assessment procedures, auditors may obtain evidence about
classes of transactions, account balances, or disclosures and related assertions
about the operating effectiveness of controls. For audit efficiency reasons,
auditors may choose to perform substantive procedures or tests of controls
concurrently with risk assessment procedures.
Auditors should expect to see certain types of audit working papers on the
audit files and those working papers should have certain features that show
they have been properly completed. The types of working papers include
permanent audit files and current audit files.

Permanent audit files

These contain information of continuing importance and are updated during
each audit. The information includes:

 statutory material
 the rules and regulations of the enterprise
 copies of documents of continuing importance (eg letter of engagement)
 addresses of the registered office and other premises
 list of books and other records and where they are kept
 history of the organisation
 list of important accounting matters
 other information of a continuing nature.

Current audit files

Current audit files include information relating to a single audit (accounting)
period. The information includes:
 a copy of the financial statements
 an index to the file
 a description of the internal control system
 an audit programme
 a schedule for each of the balance sheet items showing the opening balance










movement during the period and the closing balance
a schedule for each of the income statement (profit and loss account) items showing its

makeup
a statutory checklist
a schedule of important statistics, copies of all communications with other people
letters of representation
conclusions reached by the auditor concerning significant aspects of the audit
anything else that contributes to the audit evidence for the current year's audit.

Features to show that the papers have been completed properly include
evidence:
 of who performed the actual audit work and when it was performed
 that the work performed was supervised and reviewed
 that the performers, supervisors and reviewers were appropriately qualified and experienced
for their tasks.
Management is responsible for the fair presentation of financial statements
that reflect the nature and operations of the entity. In representing that the
financial statements give a true and fair view (or present fairly, in all material
respects) in accordance with the applicable financial reporting framework,
management implicitly or explicitly make assertions regarding the recognition,
measurement, presentation and disclosure of the various elements of financial
and related information. The financial statements assertions in ISA 500
(Revised) fall into three categories as follows:
1. Assertions about classes of transactions and events for the period under audit:
o occurrence
o completeness
o accuracy
o cut-off classification.
2. Assertions about account balances at the period end:
o existence
o rights and obligations
o completeness

o valuation and allocation.
3. Assertions about presentation and disclosure:
o occurrence and rights and obligations
o completeness
o classification and understandability
o accuracy and valuation.
As auditors we should know and be able to describe these financial statements
assertions made by management in financial statements. We may use these
assertions as described above or may express them differently provided all
aspects described above have been covered. We should be able to describe
and explain the main audit procedures and processes that take place during
the interim and final audit of a large entity. The nature of these audit
procedures and processes refers to their type (ie whether they are tests of
controls or substantive procedures) and their type, that is, inspection (of
records and documents and of tangible assets), observation, inquiry,
confirmation, recalculation, re-performance, or analytical procedures.
The nature and timing of the audit procedures to be used may be affected by


the fact that some of the accounting data and other information may be
available only in electronic form or only at certain points or periods in time.
Certain audit procedures - such as agreeing the financial statements to the
accounting records and examining adjustments made during the course of
preparing the financial statements - can be performed only at or after the
period end. Most other procedures can be performed at either the final stage
(at or after the period end) or at an interim stage. These procedures and
processes include:
 risk assessment procedures to provide a satisfactory basis for the assessment of risks at the
financial statement and assertion levels
 tests of relevant controls to obtain audit evidence about their operating effectiveness

 designing and performing further audit procedures to respond to assessed risks at the
assertion level
 obtaining audit evidence about the accuracy and completeness of information produced by
the entity's information system when that information is used in performing audit
procedures. For example, if the auditor uses budget data to compare with actual data then
the auditor should obtain audit evidence about the accuracy and completeness of the budget
data
 performing tests of relevant controls to obtain audit evidence about their operating
effectiveness.
Auditing students should remember that the auditor is responsible for forming
and expressing an opinion on the financial statements. The responsibility for
preparing and fairly presenting the financial statements in accordance with the
applicable financial reporting framework lies with the management of the
entity, with oversight from those charged with governance. We should
remember that the audit of the financial statements does not relieve
management and those charged with governance of their responsibilities.