Student Accountant 11/2009: technical

Audit risk

RELEVANT TO ACCA QUALIFICATION PAPERS F8 AND P7 AND CAT PAPER 8

This article outlines and explains the concept of audit risk, making reference to the key auditing standards which give guidance to auditors about risk assessment.

Identifying and assessing audit risk is a key part of the audit process, and ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment, gives extensive guidance to auditors about audit risk assessment. The purpose of this article is to give summary guidance to CAT Paper 8, Paper F8 and P7 students about the concept of audit risk. All subsequent references in this article to the standard will be stated simply as ISA 315, although ISA 315 is a ‘redrafted’ standard, in accordance with the International Auditing and Assurance Standards Board (IAASB) Clarity Project. For further details on the IAASB Clarity Project, read the article by Lisa Weaver, examiner for Paper P7, in the August 2009 issue of Student Accountant.

WHAT IS AUDIT RISK?
According to the IAASB Glossary of Terms [1], audit risk is defined as follows:

‘The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of material misstatement and detection risk.’

WHY IS AUDIT RISK SO IMPORTANT TO AUDITORS?
Audit risk is fundamental to the audit process because auditors cannot and do not attempt to check all transactions. Students should refer to any published accounts of large companies and think about the vast number of transactions in a statement of comprehensive income and a statement of financial position. It would be impossible to check all of these transactions, and no one would be prepared to pay for the auditors to do so, hence the importance of the risk-based approach toward auditing. Traditionally, auditors have used a risk-based approach in order to minimise the chance of giving an inappropriate audit opinion, and audits conducted in accordance with ISAs must follow the risk-based approach, which should also help to ensure that audit work is carried out efficiently, using the most effective tests based on the audit risk assessment. Auditors should direct audit work to the key risks (sometimes also described as significant risks), where it is more likely that errors in transactions and balances will lead to a material misstatement in the financial statements. It would be inefficient to address insignificant risks in a high level of detail, and whether a risk is classified as a key risk or not is a matter of judgment for the auditor.

RELEVANT ISAs
There are many references throughout the ISAs to audit risk, but perhaps the two most important audit risk-related ISAs are as follows:

ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with ISAs

ISA 200 sets out the overall objectives of the auditor, and the standard explains the nature and scope of an audit designed to enable an auditor to meet those objectives. References to audit risk are frequently made by ISA 200, and the standard also requires that the auditor shall plan and perform an audit with professional scepticism, recognising that circumstances might exist that may cause the financial statements to be materially misstated. Professional scepticism is defined as an attitude that includes a questioning mind and a critical assessment of evidence.

ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment

ISA 315 deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through an understanding of the entity and its environment, including the entity’s internal controls and risk assessment process. The first version of ISA 315 was originally published in 2003 after a joint audit risk project had been carried out between the IAASB, and the United States Auditing Standards Board. Changes in the audit risk standards have arguably been the single biggest change in auditing standards in recent years, so the significance of ISA 315, and the topic of audit risk, should not be underestimated by auditing students.

The requirements of ISA 315 are summarised in Table 1. Let us consider each of these four stages in more detail.

1 Risk assessment procedures
ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risks, and these risks must then be considered when designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. ISA 315 goes on to identify the following three risk assessment procedures:

Making inquiries of management and others within the entity
Auditors must have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals.

Analytical procedures
Analytical procedures performed as risk assessment procedures should help the auditor in identifying unusual transactions or positions. They may identify aspects of the entity of which the auditor was unaware, and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks.

Observation and inspection
Observation and inspection may also provide information about the entity and its environment. Examples of such audit procedures can potentially cover a very broad area, including observation or inspection of the entity’s operations, documents, and reports prepared by management, and also of the entity’s premises and plant facilities.

ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion.
2 Understanding an entity
ISA 315 gives detailed guidance about the understanding required of the entity and its environment by auditors, including the entity’s internal control systems. Understanding of the entity and its environment is important for the auditor in order to help identify the risks of material misstatement, to provide a basis for designing and implementing responses to assessed risk (see reference below to ISA 330, The Auditor’s Responses to Assessed Risks), and to ensure that sufficient appropriate audit evidence is collected. Given that the focus of this article is audit risk, however, students should ensure that they also make themselves familiar with the concept of internal control, and the components of internal control systems.

3 Identification and assessment of significant risks and the risks of material misstatement
In exercising judgement as to which risks are significant risks, the auditor is required to consider the following:
- Whether the risk is a risk of fraud.
- Whether the risk is related to recent significant economic, accounting or other developments, and therefore requires specific attention.
- The complexity of transactions.
- Whether the risk involves significant transactions with related parties.
- The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty.
- Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

4 ISA 330 and responses to assessed risks
The requirements of ISA 330, The Auditor’s Responses to Assessed Risks, will be covered in a future article, but essentially ISA 330 gives guidance about the nature and extent of the testing required, based on the risk assessment findings.

AUDIT RISK AND BUSINESS RISK
For the purposes of the Paper F8 exam, it is important to make a distinction between audit risk and business risk (which is not examinable in Paper F8), even though ISA 315 itself does not make such a distinction clear. ISA 315 [2] defines business risk as follows:

‘A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.’

Hence business risk is a much broader concept than audit risk. Students are reminded that business risk is excluded from the CAT Paper 8 and Paper F8 syllabus, although it is examinable in Paper P7.

THE AUDIT RISK MODEL
Finally, it is important to make reference to the so called traditional audit risk model, which pre-dates ISA 315, but continues to remain important to the audit process. The audit risk model breaks audit risk down into the following three components:

Inherent risk
This is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
Control risk
This is the risk that a misstatement could occur in an assertion about a class of transaction, account balance or disclosure, and that the misstatement could be material, either individually or when aggregated with other misstatements, and will not be prevented or detected and corrected, on a timely basis, by the entity’s internal control.

Detection risk
This is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

The interrelationship of the three components of audit risk is outside the scope of this current article. Paper F8 students, however, will typically be expected to have a good understanding of the concept of audit risk, and to be able to apply this understanding to questions in order to identify and describe appropriate risk assessment procedures.

THE UK AND IRELAND PERSPECTIVE
The UK Auditing Practices Board announced in March 2009 that it would update its auditing standards according to the clarified ISAs, and that these standards would apply for audits of accounting periods ending on or after 15 December 2010. UK and Irish students should note that there are no significant differences on audit risk between ISA 315 and the UK and Ireland version of the standard.

CONCLUSIONS
The concept of audit risk is of key importance to the audit process and Paper F8 students are required to have a good understanding of what audit risk is, and why it is so important. For the purposes of the Paper F8 exam, it is important to understand that audit risk is a very practical topic and is therefore examined in a very practical context. Any definition or explanation of the audit risk model itself will usually only be allocated a small number of marks, but many students still include such definitions in answers to case study and scenario questions which require a practical application of audit risk assessment procedures. Students must also be prepared to apply their understanding of audit risk to questions and come up with appropriate risk assessment procedures.

TABLE 1: ISA 315 – SUMMARY OF REQUIREMENTS
1 The auditor shall perform risk assessment procedures in order to provide a basis for the identification and assessment of the risks of material misstatement.
2 The auditor is required to obtain an understanding of the entity and its environment, including the entity’s internal control systems.
3 The auditor shall identify and assess the risks of material misstatement, and determine whether any of the risks identified are, in the auditor’s judgement, significant risks. This is in order to provide a basis for designing and performing further audit procedures.
4 ISA 330 then deals with the required responses to assessed risks.

References
[1] IAASB Handbook 2009, Glossary of Terms.
[2] ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment, paragraph 4 (b).

Martyn Jones is assessor for Paper F8