C3 Inter Audit


Chapter 3 - Audit Risk and Risk Assessment



Audit Risk
The risk that the auditor expresses an inappropriate opinion when the FSs are materially misstated. Audit risk can
be divided into two parts:
● Risk of material misstatement.
○ Inherent risk
○ Control risk
● Detection Risk

What is not included in Audit Risk?


● Risk that the auditor might express an opinion that the FSs are materially misstated when they are not.
● Audit risk is a technical term related to the process of auditing; it does not refer to the auditor's business
risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of
FSs.

Components
Risk of material misstatement
● Inherent risk
○ Inherent risk is the susceptibility of an account balance or class of transactions to material
misstatement, assuming that there were no internal controls.
○ Risk of misstatement in an assertion because of its nature
○ Inherent risk is higher for some assertions and related classes of transactions, account balances,
and disclosures than for others. For example, it may be higher for complex calculations.
○ Inherent risk factors are considered while designing tests of controls and substantive procedures.
○ External circumstances giving rise to business risks may also influence inherent risk. For example,
technological developments might make a particular product obsolete. Factors in the entity and its
environment may also influence the inherent risk related to a specific assertion.
○ Examples
■ Inherent risk arises when management misunderstands complex accounting guidance,
potentially leading to misstatements in financial reporting.
■ High business failure rates in a particular industry increase the inherent risk of misstatement
in financial assertions of entities within that industry.
● Control risk
○ The risk that a material misstatement that could occur in an assertion will not be prevented,
or detected and corrected, on a timely basis by the entity's internal control.
○ Either the internal control (IC) is missing, or it is not operating effectively, or there is a flaw in its design.
○ There exists an inverse relation between control risk and efficiency of internal control of an entity.
○ Example
■ Control risk exists if a company's protocol to secure cash and cheque books in a locked safe
by authorised personnel only is not followed.
■ There's a control risk if fire safety measures, like functional fire extinguishers and smoke
detectors, are not maintained, jeopardising inventory safety.
■ Control risk is present when the petty cash system's rule of limiting expenditures to under
₹10000 is not followed.

Both inherent risk and control risk are the entity’s risks and they exist independently of the audit of FSs. These are
not influenced by the auditor.

Risks of material misstatement exist at two levels


The auditor must consider whether the risks of material misstatement identified exist at:

Neeraj Arora | www.edu91.org 3.1



● the FS level (i.e. affecting the FSs overall or as a whole); or


● the assertion level for classes of transactions, account balances and disclosures (i.e. existence,
completeness, occurrence, valuation, presentation, etc of line items in the FSs).
● Risks at the FS level are pervasive and therefore affect many assertions. For example, if there is a risk that
the going concern basis of preparation is inappropriate, this could result in overvalued assets, omitted
liabilities and omitted disclosures.
● Risks at the assertion level are assessed to determine the nature, timing and extent of further audit
procedures necessary to obtain sufficient appropriate audit evidence.

Detection risk
● It is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will
not detect a misstatement.
● Detection risk, which relates to the nature, timing and extent of audit procedures, has two elements:
1. Sampling risk; and
2. non-sampling risk.

Sampling Risk
This arises from the possibility that the auditor's conclusion, based on a sample, may be different from the
conclusion reached if the entire population was subjected to the same audit procedure.
● If the auditor concludes that CR is lower than it is or that a material misstatement does not exist when in
fact, it does, there is a higher risk of an inappropriate audit opinion. This affects audit effectiveness.
● If he concludes that CR is higher than it is or that a material misstatement exists when it does not, this
affects audit efficiency, as more work than necessary will be carried out.

Non-sampling Risk
Non-sampling risk arises from factors that cause the auditor to reach an erroneous conclusion for any reason not
related to sampling, for example:
● failure to adequately understand the entity or carry out the risk assessment; inadequate audit strategy,
planning and work programme;
● misapplication of an audit procedure by the audit team (e.g. through lack of training);
● misinterpretation of test results (e.g. not recognising the significance of an error or not recognising that
there is an error); and
● poor quality management (e.g. lack of briefing, supervision and review).

Non-sampling risk can be minimised through, for example, adequate planning, assigning appropriate staff (e.g.
experienced, professional and technically competent), the application of professional judgment, supervision and
review of audit work.

Example
1. The auditor doesn't attend inventory counts for significant work-in-progress inventories, relying on alternative
procedures instead.
2. The auditor audits the company's revenue based on a sample which may not represent the total revenue, risking
oversight of anomalies.

Relationship
● Audit risk = Risk of material misstatement × Detection risk
● Since the risk of material misstatement is a function of inherent risk and control risk, it can also be shown as:
○ Audit risk = Inherent risk × Control risk × Detection risk

Assessment of risks - a matter of professional judgment


The assessment of risks is a matter of professional judgment, rather than a matter capable of precise
measurement.


Combined Assessment of the Risk of Material Misstatement


● Auditing standards usually address inherent and control risks together as the "risks of material
misstatement."
● Auditors may assess inherent and control risks separately or combined, based on their audit approach and
practicality.
● Risk assessments can be quantified (e.g., percentages) or non-quantitative (High, medium, low).
● The crucial point is the auditor's need to conduct suitable risk assessments, regardless of the method used.

Risks that require special audit consideration


As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s
judgement, a significant risk. In exercising judgement as to which risks are significant risks, the auditor shall
consider at least the following:
a. Whether the risk is a risk of fraud
b. Whether the risk is related to recent significant economic, accounting, or other developments like changes in
regulatory environment, etc., and, therefore, requires specific attention
c. The complexity of transactions
d. Whether the risk involves significant transactions with related parties
e. The degree of subjectivity in the measurement of financial information related to the risk, especially those
measurements involving a wide range of measurement uncertainty and
f. Whether the risk involves significant transactions that are outside the normal course of business for the
entity, or that otherwise appear to be unusual.

Identifying Significant Risks


● Significant risks often relate to significant non-routine transactions or judgmental matters.
○ Non-routine transactions are transactions that are unusual, due to either size or nature, and that
therefore occur infrequently.
○ Judgmental matters may include the development of accounting estimates for which there is
significant measurement uncertainty.
● Significant risks are inherent risks with both a higher likelihood of occurrence and a higher magnitude of
potential misstatement.
● The auditor assesses assertions affected by a significant risk as higher inherent risk. The following are
always significant risks:
○ Risks of material misstatement due to fraud
○ Significant transactions with related parties that are outside the normal course of business for the
entity

Risks of Material Misstatement – Greater for Significant Non-Routine Transactions


Risks of material misstatement may be greater for significant non-routine transactions arising from matters such
as the following:
● Greater management intervention to specify the accounting treatment.
● Greater manual intervention for data collection and processing.
● Complex calculations or accounting principles.
● The nature of non-routine transactions, which may make it difficult for the entity to implement effective
controls over the risks.

Risks of Material Misstatement – Greater for Significant Judgmental Matters


Risks of material misstatement may be greater for significant judgmental matters that require the development of
accounting estimates, arising from matters such as the following:
● Accounting principles for accounting estimates or revenue recognition may be subject to differing
interpretations.
● Required judgment may be subjective or complex, or require assumptions about the effects of future events,
for example, judgment about fair value.


SA 315 Identifying and assessing the risk of material misstatement through understanding the entity
and its environment
The objective of the auditor is to
● identify and assess the risks of material misstatement,
● whether due to fraud or error,
● at the FS and assertion levels,
○ through understanding the entity and its environment, including the entity’s internal control,
○ thereby providing a basis for designing and implementing responses to the assessed risks of
material misstatement.

This will help the auditor to reduce the risk of material misstatement to an acceptably low level.

For the purpose of identifying and assessing the risk of material misstatement, the auditor shall:
a. Identify risks throughout the process of obtaining an understanding of the entity and its environment,
including relevant controls that relate to the risks, and by considering the classes of transactions, account
balances, and disclosures in the financial statements;
b. Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as
a whole and potentially affect many assertions;
c. Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls
that the auditor intends to test; and
d. Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether
the potential misstatement is of a magnitude that could result in a material misstatement.

Risk assessment procedures


The audit procedures are performed to obtain an understanding of the entity and its environment, including the
entity's internal control, to identify and assess the risks of material misstatement at the FS and assertion levels.

Risk assessment procedures include


Risk assessment procedures include inquiries, observation and inspection and analytical procedures. Observation
and inspection are required to support, corroborate or contradict inquiries and provide information.

Inquiries of management, and of others within the entity


● Information obtained through inquiry of management, of those who are responsible for financial reporting, of
others within the entity and of other employees with different levels of authority helps in identifying risks of
material misstatement.
● Inquiry alone is not sufficient.

Example of Inquiries
Auditors gather information mainly from management and financial reporting heads. Inquiries with different authority levels
within the entity can offer diverse perspectives on risks of material misstatement.
● Internal audit personnel can inform about internal control design effectiveness and management's response to
internal audit findings.
● Inquiries to employees handling complex transactions can clarify the suitability of accounting policies applied.
● Legal counsel can provide insights into litigation, compliance, fraud, warranties, and contractual meanings.
● Marketing/sales personnel can shed light on marketing strategy shifts, sales trends, and customer contracts.
● Risk management can highlight operational and regulatory risks impacting financial reporting.
● Information systems personnel can detail system changes, failures, and related risks.


Analytical procedures
● Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios
and trends that might indicate matters that have audit implications.
● Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material
misstatement, especially risks of material misstatements due to fraud.
● Analytical procedures using high-level aggregated data, often employed in risk assessment, offer a general
initial indication of potential material misstatements.
● In such cases combining these results with other gathered information aids auditors in evaluating and
understanding these initial findings.

Observation and inspection


Observation and inspection are required to support, corroborate or contradict inquiries and provide information.
Examples of such audit procedures include observation or inspection of the following:
● The entity’s operations.
● Documents (such as business plans and strategies), records, and internal control manuals.
● Reports prepared by management (such as quarterly management reports and interim FSs) and those
charged with governance (such as minutes of board of directors' meetings).
● The entity’s premises and plant facilities.

RAPs and SAAE


● Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence
on which to base the audit opinion.
● The auditor also may choose to perform substantive procedures or tests of controls concurrently with risk
assessment procedures because it is efficient to do so.
● The risks to be assessed include both those due to error and those due to fraud.

Understanding the Entity and its Environment


SA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its
Environment states that the auditor shall obtain an understanding of the following:
1. Relevant industry, regulatory and other external factors including applicable financial reporting framework.
2. The nature of the entity
3. The entity’s selection and application of accounting policies, including the reasons for changes thereto.
4. The entity’s objectives and strategies, and those related business risks that may result in risks of material
misstatement.
5. The measurement and review of the entity’s financial performance

Relevant industry, regulatory and other external factors including applicable financial reporting framework.
Industry Factors
Examine industry dynamics like competition, supplier/customer relations, and tech progress. Consider market
status, seasonal operations, and product technology.

Regulatory Factors
Assess regulatory framework, financial reporting standards, and legal/political climate. Review industry-specific
practices, laws impacting operations, taxes, government policies, and environmental mandates.

External Factors
Evaluate economic climate, interest rates, financing availability, and inflation trends.


The nature of the entity


● The nature of the entity, including:
○ its operations;
○ its ownership and governance structures;
○ the types of investments that the entity is making and plans to make, including investments in
special-purpose entities; and
○ the way that the entity is structured and how it is financed; to enable the auditor to understand the
classes of transactions, account balances, and disclosures to be expected in the FSs.
● An understanding of the nature of the entity enables the auditor to understand whether the entity has a complex
structure, for example, whether it has subsidiaries.
● Understanding complex structures helps to identify potential material misstatement risks. Understand
ownership and inter-entity/personnel relationships to ensure related party transactions are properly
identified and recorded.
Examples of matters that the auditor may consider while obtaining an understanding of the nature of the entity:
● Business Operations: Investigate revenue origins, offerings, operational practices, production locales, and
principal trade associates.
● Investment Activities: Capital investments and recent or forthcoming acquisitions.
● Financing Activities: The structure of major subsidiaries and debt arrangements.
● Financial Reporting: Understand the appropriateness of accounting policies and the application of revenue
recognition standards.

The entity’s selection and application of accounting policies, including the reasons for changes thereto.
Assess if the entity's accounting policies suit its business, align with the financial reporting framework, and match
industry norms.

The entity’s objectives and strategies, and those related business risks that may result in risks of material
misstatement.
● The entity operates within various factors, setting objectives and strategies to navigate changes and risks,
including material misstatement risks.
● Business risk is broader than the risk of material misstatement of the FSs, though it includes the latter.
Business risk may arise from change or complexity.
● Understanding the entity's business risks enhances the detection of material misstatement risks due to their
financial impact, yet not all such risks are the auditor's responsibility.

Examples of matters that the auditor may consider when obtaining an understanding of the entity’s objectives,
strategies and related business risks that may result in a risk of material misstatement of the FSs
Industry changes may risk the entity's capacity to adapt without adequate expertise; new offerings could raise
product liability; business growth risks misjudging demand.

The measurement and review of the entity’s financial performance


Understanding the entity's performance measures helps auditors assess if the pressure to meet targets could lead
to actions heightening the risk of material misstatement.

Examples for measuring and reviewing financial performance which may be used by an auditor
Auditors may assess financial performance through key indicators, ratios, trends, comparative analyses, budgets,
forecasts, variances, department reports, and credit ratings.

Why is understanding the entity and its environment significant?


It helps the auditor in planning the audit and in identifying areas requiring special attention. Gaining knowledge
about the client’s business is one of the important principles in developing an overall audit plan. In fact, without
adequate knowledge of the client’s business, a proper audit is not possible.


Understanding the entity - a continuous process


Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to
hereafter as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating and
analysing information throughout the audit. The understanding establishes a frame of reference within which the
auditor plans the audit and exercises professional judgment throughout the audit, for example, when:
● Assessing ROMM of the FSs
● Determining materiality in accordance with SA 320
● Considering the appropriateness of the selection and application of accounting policies
● Identifying areas where special audit consideration may be necessary, for example, related party
transactions, the appropriateness of management’s use of the going concern assumption, or considering
the business purpose of transactions
● Developing expectations for use when performing analytical procedures
● Evaluating the sufficiency and appropriateness of audit evidence obtained such as the appropriateness of
assumptions and of management’s oral and written representations.
