Risk Assesment – the primary stage involved in the Risk Based Audit Process.

It involves three activities:

1. Performance of Preliminary Engagement Activities

2. Planning the Audit
3. Performance of risk assessment procedures

1. PRELIMINARY ENGAGEMENT ACTIVITIES

a. Perform Procedures regarding the acceptance of the client relationship and specific audit
engagement
b. Communicating with the predecessor auditor; where there has been a change of auditors, in
compliance with relevant ethical requirements.

1. Client Selection and Retention – the firm shall only undertake or continue relationships and
engagements where the firm:
- Is competent to perform the engagement
- Can comply with relevant ethical requirements
- Has considered the Integrity of the client

 If the auditor obtains information that would have caused the firm to decline the audit
engagement had that information been available earlier, the engagement partner shall
communicate that information promptly to the firm, so that the firm and the engagement
partner can take necessary action
 Establish whether the preconditions for an audit are present by:
1. Determining whether the financial reporting framework to be applied is acceptable
2. Obtaining and agreement with the management that it understands and acknowledges
its responsibility.
RESPONSIBILITIES OF MANAGEMENT:
1. Preparation of Financial Statements in accordance to practicable FR standards
2. Have internal control to enable the preparation of FS that are free from material
misstatements due to fraud or error
3. Provide auditor with:
- Access to relevant information
- Additional information that the auditor may request
- Unrestricted access to persons within the entity necessary to obtain evidence

Risks

Engagement Risk - overall risk associated with an audit engagement. It can include a loss of
reputation from being associated with a particular client, and financial losses from the association

 The risk that the auditor (or firm) will suffer harm after the audit is finished, even though the
report was correct.
 Engagement risk is closely related to client business risk because the risk that the auditor
will be sued is often related to business failure after the audit is finished.
  Acceptable Audit Risk = CR X IR x DR
 Auditors must decide (set appropriate audit risk
 Auditors must first decide engagement risk and use it to modify acceptable audit risk

Audit Risk - 'the risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated.

FACTORS AFFECTING AAR (ER)

1. The degree to which external users rely on the statements based on:

* client Size

* Distribution of Ownership

* Nature and amount of Liabilities

2. The Likelihood that a client will have financial difficulties

* liquidity position

* Profits

*Method of Financing

* Nature of client’s operations

*Competence of management

3. The auditor’s evaluation of management’s integrity

ENGAGEMENT RISK

HIGH MODERATE LOW

AUDIT Do not accept client Set Very Low Set within professional
RISK standards but can be
(1%)
higher than companies
with higher engagement
risk
 2. Agreeing the Terms of Engagement
The agreed terms of the audit engagement shall be recorded in an audit engagement letter or
other suitable form or written agreement and shall include:
1. The objective and cope of audit
2. Responsibilities of the auditor
3. Responsibilities of the management
4. Identification of the applicable financial reporting framework for the preparation of the
financial statements
5. Reference to the expected form and content of any reports to be issued by the auditor and a
statement that there may be circumstances in which a report may differ from its expected
form and content.
 If the terms are changed:
- Auditor and management shall agree on and record the new terms of engagement.
 If the auditor is unable to agree to a change of the terms of the audit and is not permitted by
management to continue the original engagement:
- Withdraw from engagement when possible
- Determine whether there is any obligation either contractual or otherwise to report to:
a. TCWG
b. Owners
c. Regulators

2. PLANNING THE AUDIT

AUDIT PLANNING
- Involves establishment of the overall audit strategy for the engagement and developing an
audit plan to reduce the audit risk to an acceptably low level.
- Involves the engagement partner and other key members of the engagement team
- The nature, timing, and extent will vary according to the size and complexity of the entity,
auditor’s previous experience with the entity and changes in circumstances that occur
during an engagement
- Is a continuous and iterative process

Benefits:

1. Helps ensure that appropriate attention is devoted to important areas of the audit
2. Aids in identifying potential problems and resolving them on timely basis
3. Helps ensure that the audit is properly organized, managed, and performed effectively and
efficiently
4. Assists in proper assignment and review of the work of the engagement team members
5. Helps coordinate the work to be done by auditors of components and other parties involved
such as experts, specialists, etc.
Assessment of Control Risk

Assessment of Inherent Risk

 Inherent Risk = the susceptibility of an assertion to material misstatements before

considering controls.
 Predicts where misstatements are most and least likely in FS segments
 Either in a particular cycle or account balance
 Affects the amount of evidence

Materiality = Professional judgement

Materiality is the magnitude of misstatement that individually or when aggregated with other
misstatements that individually or when aggregated with other misstatements could reasonably
be expected to influence the economic decision of users (Investors & Creditors)

Investors- we have different types of investors, some are just this regular people acquiring
shares from the company, some are larger investors or institutions that put million or billions of
money to a company. These investors vary in their goals of their investments, different
motivation and different financial capability that is why role of the auditors here is to define
materiality in these users. With the saying “What goes for me might not go for you the” so
materiality is 100% professional judgment

Materiality level---The materiality threshold in audits refers to the benchmark used to obtain
reasonable assurance that an audit does not detect any material misstatement that can
significantly impact the usability of financial statements.

Detection risk is the chance that an auditor will fail to find material misstatements that exist in an
entity's financial statements.

OVERALL AUDIT STRATEGY (PAS 300)

- sets the scope, timing, and direction of the audit

 - this is done in reference to the results of the preliminary activities.
- Helps the auditor to ascertain the nature, timing, and extent of resources necessary to
perform the engagement
- The process involves:
1. Determining the characteristics of the engagement that define its scope
2. Ascertaining the reporting objectives of the engagement to plan the timing of the audit
and the nature of the communication required
3. Considering the important factors that will determine the focus of the engagement
teams efforts.

AUDIT PLAN

- More detailed
- Addresses various matters identified in the audit strategy
- Includes nature, timing, and extent of audit procedures to be performed by the engagement
team members in order to obtain SAAE
- Serves as record of proper planning and performance of the audit procedures that can be
reviewed and approved prior to performance of the audit that can be reviewd and approved
prior to the performance of further audit procedures.
- Although the auditor ordinarily establishes the audit strategy before developing the detailed
audit plan, the two planning activities are not necessarily discrete or sequential processes
but are closely interrelated since changes in one may result in consequential changes to the
other.

Includes:

A description of Nature, Timing, and Extent of

1. Planned risk assessment procedures sufficient to assess the risks of material misstatement,
as determined under PSA 315 ( Understanding the Entity and Its Environment and Assessing
the Risks of Material Misstatement”
2. Planed further audit procedures at the assertion level for each material class of transactions,
account balances, and disclosure under PSA 330
- Changes to Planning Decisions During the course of the Audit
-As a result of unexpected events, changes in conditions, or the audit evidence obtained from
the results of audit procedures, the auditor may need to modify the overall audit strategy
and audit plan
- Direction, Supervision, and Review
-The auditor plans the nature, timing, and extent of direction and supervision of engagement
team members based on the assessed risk of material misstatement. The higher the risk for
material misstatement, the more frequent the supervision is, hence, more detailed review of
their work is necessary
- The auditor plans the nature, timing, and extent of direction and supervision of
engagement team members based on the capabilities and competence of the individual
team members performing the audit work
- Communications with those Charged With Governance
-made to improve the effectiveness and efficiency of the audit
 -Include the overall strategy and timing of the audit, including any limitation thereon
- occurs to facilitate the conduct and management of the audit engagement

ADDITIONAL CONSIDERATIONS

1. Arrangements to be made with the previous auditor, unless prohibited

2. Any major issues discussed with management in connection with initial selection as auditors,
the communication of these matters to TCWG and these matters affect the overall audit
strategy and audit plan
3. The planned audit procedures to obtain SAAE regarding opening balances (PSA510)
4. Assignment of firm personnel with appropriate levels of capabilities
5. Other procedures required by the firm’s system of quality control for initial audit engagements

OTHER CRITICAL MATTERS

1. Application of Analytical Procedures in Planning the Audit

2. Establishment of an Engagement or Audit Team
3. Consideration of Work Performed by other Auditors/Parties
4. Assessment of Going Concern Assumption
5. Identification of Related Parties
6. Client’s Legal Obligations
7. Completion of Initial Audit Program
8. Preparation of A Time Budget
9. Assignment of Personnel to the Engagement
10. Scheduling of Work

PERFORMANCE OF RISK ASSESSMENT PROCEDURES

-It’s the auditor’s responsibility to identify and assess the risk of material misstatements

I. RISK ASSESSMENT PROCEDURES AND SOURCES OF INFORMATION ABOUT THE ENTITY AND ITS
ENVIRONMENT, INCLUDING ITS INTERNAL CONTROL

- Obtaining an understanding of the entity and its environment, including its internal control is a
continuous, dynamic process of gathering, updating and analyzing information throughout the
audit.
- PSA 500: Audit procedures to obtain understanding=risk assessment procedures
- In performing risk assessment procedures, the auditor would obtain audit evidences

RISK ASSESSMENT PROCEDURES

a. Inquiries of management and others within the entity

- INQUIRY: an act of asking information
b. Analytical Procedures
- Expectations about plausible relationships that are reasonably expected to exist
c. Observation and inspection
- May Support the Inquiries of management & others
 - When the auditor intends to use prior period information obtained from the
entity, the auditor should determine whether the changes occurred may affect
the relevance of such information in the current audit
- The members of the engagement team should discuss the susceptibility of the
entity’s financial statements to material misstatements

-Auditor is not required to perform all the risk assessment procedures

II. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT INCLUDING ITS INTERNAL CONTTROL

a. Industry, Regulatory and Other External Factors, including the applicable financial reporting
framework
- Factors include industry conditions such as the competitive environment, supplier and
customer relationships and technological developments.
- May also include the regulatory, legal and political environment and general economic
conditions
- Such factors may subject the client to specialized risks that may in turn affect the audit
- The industry in which the entity operates may give rise to specific risks of material
misstatement arising from the nature of the business or the degree of regulation. In
such case, the Auditor considers whether the engagement team includes members with
sufficient relevant knowledge and experience
- Legislative and regulatory requirements often determine the applicable financial
reporting framework to be used by management in preparing the entity’s financial
statements.
- The auditor considers whether local regulations specify certain financial reporting
requirements for the industry in which the entity operates.
b. Nature of the entity
- Refers to the entity’s operations, its ownership and governance, types of investments
that it is making and plans to make, the way that the entity is structured and how it is
financed.
- Enables the auditor to understand the classes of transactions, account balances and
disclosures to be expected in the FS.
- The auditor should obtain an understanding of the entity’s selection and application of
accounting policies and consider whether they are appropriate for its business and
consistent with the applicable financial reporting framework and accounting policies
used in the relevant industry.
- The auditor also identifies financial reporting standards and regulations that are new to
the entity will adopt such requirements. Considers reasons for the change
- The presentation of financial statements in conformity with the applicable financial
reporting framework includes adequate disclosure of material matters
- The auditor considers whether the entity has disclosed a particular matter appropriately
in light of the circumstance and facts of which the auditor is aware at the time.
c. Objectives and strategies and related business risks
- Strategies are operational approaches by which management intends to achieve its
objectives
 - Business risks are significant events or conditions that adversely affect the entity’s
ability to achieve its objective and execute its strategies.
- Business risks arise from change or complexity, though a failure to recognize the need
for change may also give rise to risk
- Significant risks that may be identified for a particular client might include risks related
to competition, changes in government regulations, changes in technology, volatility of
raw materials, interruption of supplies of critical raw materials, changes in major
markets, or increases interest rates.
- An understanding of this process can assist the auditors in identifying significant
business risks and evaluating their audit significance
- The auditors consideration of whether a business risk may result in material
misstatement is; therefore, made in light of the entity’s circumstance
d. Measurement and review of the entity’s financial performance
- Performance measures and their review indicate to the auditor aspects of the entity’s
performance that management and others consider to be of importance
- Performance measures create pressures in the management
- This assists the auditor in considering whether such pressures result in management
actions that may have increased the risk of material misstatement
- When the auditor intends to make use of the performance measures for the purpose of
the audit, the auditor considers whether the information related to management’s
review of the entity’s performance provides a reliable basis and is sufficiently precise for
such purpose.
- The auditor considers whether they are precise enough to detect material
misstatements
e. Understanding the Client’s Internal Control
- Internal control is designed to provide reasonable assurance of achieving objectives
related to reliable financial reporting, efficiency and effectiveness of operations and
compliance
- Before the auditors can evaluate the effectiveness of internal control, they need a
knowledge and understanding of how it works; what controls exist and who performs
them, how various types of transactions are processed and recorded and what accounting
records and supporting documentation exist.

III. IDENTIFYING AND ASSESSING THE RISK OF MATERIAL MISSTATEMENT

- The auditor should identify and assess the risks of material misstatement at the financial
statement level, and at the assertion level for classes of transactions, accounts balances and
disclosures. The auditor
o Identifies risk
o Relates the identified risk to what can go wrong at the assertion level
o Considers whether the risks are of a magnitude that could result in a material
misstatement of the financial statements
o Considers the likelihood that the risks could result in a material misstatement of the FS
- The auditor should determine which of the risk identified are, in the auditors professional
judgment, risks that require special audit consideration (significant risk).
 - Significant risk often relate to significant non-routine transactions and judgmental matters.

IV. MATERIAL WEAKNESS IN INTERNAL CONTROL

- The auditor shall evaluate whether the auditor has identified a material weakness in the design,
implementation, or maintenance of internal control
- The auditor must communicate material weakness to management
- Types of material weaknesses in internal control
o RMM that the auditor identifies and which the entity has not controlled or forwihch the
relevant control is inadequate.
o A weakness in the entity’s risk assessment process that the auditor identifies as material
or the absence of a risk assessment process in those cases where it would be appropriate
for one to have been established

RISK ASSESSMENT PROCESS

Identifying and Assessing Risks of Material Misstatement at the Financial Statement Level

● Risks of material misstatement at the financial statement level refer to risks that relate pervasively
to the financial statements as a whole, and potentially affect many assertions

● Risks of this nature are not necessarily risks identifiable with specific assertions at the class of
transactions, account balance or disclosure level

● The auditor’s identification and assessment of risks of material misstatement at the financial
statement level is influenced by the auditor’s understanding of the entity’s system of internal
control

Why the Auditor Identifies and Assesses Risks of Material Misstatement at the Financial Statement
Level?

● The auditor identifies risks of material misstatement at the financial statement level to
determine whether the risks have a pervasive effect on the financial statements, and would
therefore require an overall response in accordance with ISA 330.

Identifying and Assessing Risks of Material Misstatement at the Assertion Level

● Risks of material misstatements that do not relate pervasively to the financial statements are risks
of material misstatement at the assertion level.

● They Include risk related to fraud or error

Why Relevant Assertions and Significant Classes of Transactions, Account Balances and Disclosures
Are Determined ?

● Determining relevant assertions and the significant classes of transactions, account balances and
disclosures provides the basis for the scope of the auditor’s understanding of the entity’s
information system required to be obtained. This understanding may further assist the auditor
in identifying and assessing risks of material misstatement
Assessing Inherent Risk

 Inherent risk is described as the susceptibility of an assertion about a class of transaction,

account balance or disclosure to a misstatement that could be material, either individually or
when aggregated with other misstatements, before consideration of any related controls.
● In assessing inherent risk, the auditor uses professional judgment in determining the significance
of the combination of the likelihood and magnitude of a misstatement.
● In considering the likelihood of a misstatement, the auditor considers the possibility that a
misstatement may occur, based on consideration of the inherent risk factors.

● In considering the magnitude of a misstatement, the auditor considers the qualitative and
quantitative aspects of the possible misstatement

Why the auditor assesses likelihood and magnitude of misstatement ?

● The auditor assesses the likelihood and magnitude of misstatement for identified risks of
material misstatement because the significance of the combination of the likelihood of a
misstatement occurring and the magnitude of the potential misstatement were the
misstatement to occur determines where on the spectrum of inherent risk the identified risk is
assessed, which informs the auditor’s design of further audit procedures to address the risk
● Assessing the inherent risk of identified risks of material misstatement also assists the auditor in
determining significant risks. The auditor determines significant risks because specific responses
to significant risks are required in accordance with ISA 330 and other ISAs.

Assessing Control Risk

 Control risk is described as the risk that a misstatement that could occur in an assertion about a
class of transaction, account balance or disclosure and that could be material, either individually
or when aggregated with other misstatements, will not be prevented, or detected and corrected,
on a timely basis by the entity’s system of internal control.

● If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control
risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s
assessment of control risk shall be such that the assessment of the risk of material misstatement
is the same as the assessment of inherent risk.

● The auditor’s assessment of control risk may be performed in different ways depending on
preferred audit techniques or methodologies, and may be expressed in different ways

RISK THAT REQUIRE SPECIAL AUDIT CONSIDERATION

● The auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a
significant risk

The auditor shall consider at least the following:

● (a) Whether the risk is a risk of fraud;

● (b) Whether the risk is related to recent significant economic, accounting or other developments
and, therefore, requires specific attention;
 ● (c) The complexity of transactions;

● (d) Whether the risk involves significant transactions with related parties;

● (e) The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and

● (f) Whether the risk involves significant transactions that are outside the normal course of
business for the entity, or that otherwise appear to be unusual.

RISKS FOR WHICH SUBSTANTIVE PROCEDURES ALONE DO NOT PROVIDE SUFFICIENT APPROPRIATE
AUDIT EVIDENCE

Why risks for which substantive procedures alone do not provide sufficient appropriate audit evidence
are required to be identified?

Due to the nature of a risk of material misstatement, and the control activities that address that risk, in
some circumstances the only way to obtain sufficient appropriate audit evidence is to test the operating
effectiveness of controls. Accordingly, there is a requirement for the auditor to identify any such risks
because of the implications for the design and performance of further audit procedures in accordance
with ISA 330 to address risks of material misstatement at the assertion level.

Evaluating the Audit Evidence Obtained from the Risk Assessment Procedures

Audit evidence obtained from performing risk assessment procedures provides the basis for the
identification and assessment of the risks of material misstatement. This provides the basis for the
auditor’s design of the nature, timing and extent of further audit procedures responsive to the assessed
risks of material misstatement, at the assertion level, in accordance with ISA 330. Accordingly, the audit
evidence obtained from the risk assessment procedures provides a basis for the identification and
assessment of risks of material misstatement whether due to fraud or error, at the financial statement
and assertion levels

The Evaluation of the Audit Evidence

Audit evidence from risk assessment procedures comprises both information that supports and
corroborates management’s assertions, and any information that contradicts such assertions.

REVISION OF RISK ASSESSMENT

The auditor’s assessment of the risks of material misstatement at the assertion level may change during
the course of the audit as additional audit evidence is obtained.

During the audit, new or other information may come to the auditor’s attention that differs significantly
from the information on which the risk assessment was based.

If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor
originally based the identification or assessments of the risks of material misstatement, the auditor shall
revise the identification or assessment
V. DOCUMENTATION

- The auditor should document:

o Any identified significant risks
o The assertions affected
o Assessments of inherent risk and control risk and the risk of material misstatement for
relevant assertions
o Audit procedures beyond the standard work program procedures needed to mitigate the
risks identified
o Linkage of the audit procedures in the work program to these risks (cross-referencing)
- Audit documentation should be developed in a manner such that a professional not involved in
the audit engagement, or a peer reviewer, could properly identify significant risks and other risks
as well as how those risks were reduced through audit testing.
- To that end, documentation needs to reflect the fact that the risk assessments were performed,
the results of those risk assessments and the procedures that will be performed as a result of
those risk assessments.