Chapter 6: Risk assessment

Audit risk

inherent risk x control risk x detection risk

Inherent risk

entity risk

Susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material either individually or when aggregated with other misstatements, before consideration of any related internal controls

… is affected by the nature of the entity (industry, regulation…).

Control risk

entity risk
the risk that a material misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity's internal control.

eg: human error.

Detection risk

Auditor risk

The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements

- Two components:

• sampling risk (sample is not appropriate for the population as a whole)

• non-sampling risk (not detect material misstatement due to factors other than the sample tested: eg time pressure, experience, financial constraint, poor planning....)

risk-based approach

• Analyse the risk in the client's business, transactions and systems that could lead to material misstatement in the financial statements

• Direct audit testing to risky area

materiality

Information is material if its omission or misstatement could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

two aspects of materiality:

• Quantitative materiality

• Qualitative materiality

Performance materiality

the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole".

ISA 315 distinguishes two main types of risk

• Risks at the financial statement level are pervasive to the financial statements and may affect any assertion - for example, the effects of a poor management attitude to internal control could be felt in any area of the financial statements.

• Risks at the assertion level are more specific and will take the form of specific issues - for example, a company which keeps inventory in multiple locations will be subject to the inherent risk that not all inventory will be counted, and may also be subject to a control risk in relation to the entity's system for counting that inventory.

Significant risk

For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur; or

•That is to be treated as a significant risk in accordance with the requirements of other ISAs.

Risk factor

• Complexity

• Subjectivity

• Change

• Uncertainty

• Management bias or fraud risk

• Complexity

• Regulatory - lots of complex regulation

• Business model - complex alliances and joint ventures

• Financial reporting framework - complex accounting measurements

• Transactions - complex arrangements (eg off-balance sheet finance)

Subjectivity

Financial reporting framework:

• Wide range of possible accounting estimates (eg depreciation)

• Management choice of valuation technique

Change

Changes in:

• Economic conditions - instability (eg current devaluation)

• Markets - exposure ot volatility (eg, futures trading)

• Customer loss - going concern/liquidity risk

• Industry model - changes in the industry in which the entity operates

• Business model - change in supply chain, new lines of business

• Geography -expanding into new locations

• Entity structure - for example reorganisations, subsidiaries solo

• IT -IT environment change / new IT systems relevant to FR

Uncertainty

Financial reporting - estimation uncertainty Pending litigation and contingent liabilities

Management bias or fraud risk

Opportunities for fraudulent financial reporting Transactions with related parties

Non-routine or non-systemic transactions

Transactions recorded based on management intentions

fraud

• Fraudulent financial reporting (intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users)

• Misappropriation of assets (the theft of an entity's assets)

Benchmarks:

- 0.5 to 1% revenue

- 1to 2% total assets

- 5 to 10% PBT

standardising audit working papers.

Advantages:

• Preparation and review are more efficient when audit files, sections and documents are presented systematically.

• It helps familiarise junior staff with standard procedures (e.g. attending physical inventory counting and requesting direct confirmations from customers).

• Similarly, it facilitates direction (and delegation), supervision and review.

• It helps achieve quality by requiring a consistent approach to all audits and ensuring that essential procedures are not overlooked.

• It provides a consistent approach for specific audit functions (e.g. IFRS Accounting Standards checklist).

Disadvantages:

• A "mechanical" approach may lead to a lack of appreciation of test objectives and the implications of errors and deviations found.

• Adopting a "standard approach" may stifle initiative and discourage the exercise of professional judgement.

• Standard programs may result in a "bare minimum" attitude.

• It may be inappropriate to follow set procedures for a particular client.

• Audit risk increases when the audit approach is not tailored to the client's circumstances.

Note: Only three advantages and three disadvantages are required.

Permanent Audit File

Permanent audit files are usually broken into sections, for example:

• General business information

• Systems and control documentation

• Accounts and financial statements information

• Statutory and legal documentation

• Job administration

• Planning documentation

The content includes:

• Information concerning the entity’s legal structure (e.g. Memorandum and Articles of Association).

• Major shareholders, debentures, debt structure, investments.

• Details of the business environment, the operating industry, nature and history of the client's business, locations, products, key suppliers, key customers, subcontractors, and employees.

• Organisational and management structure. Governance structure, including audit committee. Primary contacts in management and other key staff related to the audit.

• Structure of critical departments (e.g. finance, treasury, internal audit).

• Major suppliers, customers – terms of trade, imports, exports.

• Detail, evaluation and analysis of:

  • control environment;

  • risk assessment procedures;

  • information systems; and

  • control activities and control monitoring.

• Rolling analysis of risks, key performance indicators and risk management.

• Main accounting and other vital records, showing where they are kept and what type (e.g. hand-written, computerised).

• Major assets and liabilities.

• Previous financial statements, auditor's reports and supporting details if opinion modified.

• Principal accounting policies and any IFRS Accounting Standards not applicable.

• New client checklist and other legal/regulatory documents for accepting a new client.

• Major laws and regulations under which the entity operates, including regulatory reporting requirements (e.g. charities, banks, environmental, health and safety).

• Previous partner review notes and matters for the partner’s attention.

• Previous reports to management (of deficiencies found in the accounting system).

• Previous reports and minutes of discussions with TCWG.

• Written representations.

• Insurance cover details, including claims history.

• Significant ratios, trends and performance indicators over the last (say) 10 years.

• Rotational control schedule (e.g. location visits, inventory observation, document examination, controls tested).

• Other documents of continuing importance:

  terms of engagement	mortgages and charges
  letters of authority (e.g. bank mandate)	title deeds
  minutes of important meetings	trade agreements and labour contracts
  key legal resolutions	profit share, bonus and share option agreements
  annual filing returns	royalty agreements
  debenture deeds

• Other professional advisers (bankers, lawyers, brokers).

• Past administration (e.g. budgets, costings).

The content includes

• Information concerning the entity’s legal structure (e.g. Memorandum and Articles of Association).

• Major shareholders, debentures, debt structure, investments.

• Details of the business environment, the operating industry, nature and history of the client's business, locations, products, key suppliers, key customers, subcontractors, and employees.

• Organisational and management structure. Governance structure, including audit committee. Primary contacts in management and other key staff related to the audit.

• Structure of critical departments (e.g. finance, treasury, internal audit).

• Major suppliers, customers – terms of trade, imports, exports.

• Detail, evaluation and analysis of:

  • control environment;

  • risk assessment procedures;

  • information systems; and

  • control activities and

  • control monitoring.

• Rolling analysis of risks, key performance indicators and risk management.

• Main accounting and other vital records, showing where they are kept and what type (e.g. hand-written, computerised).

• Major assets and liabilities.

• Previous financial statements, auditor's reports and supporting details if opinion modified.

• Principal accounting policies and any IFRS Accounting Standards not applicable.

• New client checklist and other legal/regulatory documents for accepting a new client.

• Major laws and regulations under which the entity operates, including regulatory reporting requirements (e.g. charities, banks, environmental, health and safety).

• Previous partner review notes and matters for the partner’s attention.

• Previous reports to management (of deficiencies found in the accounting system).

• Previous reports and minutes of discussions with TCWG.

• Written representations.

• Insurance cover details, including claims history.

• Significant ratios, trends and performance indicators over the last (say) 10 years.

• Rotational control schedule (e.g. location visits, inventory observation, document examination, controls tested).

• Other documents of continuing importance:

  terms of engagement	mortgages and charges
  letters of authority (e.g. bank mandate)	title deeds
  minutes of important meetings	trade agreements and labour contracts
  key legal resolutions	profit share, bonus and share option agreements
  annual filing returns	royalty agreements
  debenture deeds

• Other professional advisers (bankers, lawyers, brokers).

• Past administration (e.g. budgets, costings).

Current Audit File

• Financial statements audited (evidenced as agreed to accounting records, cross-referenced to supporting schedules with comparatives, accounting policies, notes and disclosures, all evidenced as audited).

• Completion checklists:

  • Compliance with statutory requirements and IFRS Accounting Standard disclosures.

  • Partner sign-off completion, including confirmation of auditor's report.

  • Second partner review (as necessary).

  • Audit completion checklists (partner, manager, senior).

• Closedown:

  • Written representations.

  • Report to management (final and interim) plus responses from the client.

  • Matters for the attention of the partner (final and interim).

  • Minutes of meetings with directors and audit committee.

  • Minutes of board meeting approving financial statements.

  • Schedule of corrected and uncorrected misstatements.

  • Queries raised during the audit and subsequent clearance.

  • Review notes (partner, manager, senior) and how cleared.

  • Analytical review and performance indicators.

  • Going concern and subsequent events.

  • Ethical matters (e.g. proposed acceptance to continue as auditor).

  • Confirmation of continued independence.

  • Audit team assessments and reviews.

  • Initial planning for the next audit.

• Job administration:

  • Engagement team and relevant experience.

  • Budget and fee estimates.

  • Actual time/cost summaries and variance analysis.

  • Fee notes.

• Planning:

  • Ethical matters (e.g. client acceptance, independence, competence).

  • Minutes of meetings with client, audit committee and audit team.

  • Initial audit strategy, audit plan and tailored work programmes.

  • Updated plans with explanations.

  • Understanding of entity and its environment.

  • Design of internal control and its implementation.

  • Risk assessments, analytical review, materiality, sampling approach.

  • Direction, supervision and review of the audit team.

• Audit sections:

  • Final audit lead schedule showing the makeup of key figures in the financial statements (cross-referenced to financial statements and supporting schedules).

  • Work programmes (interim and final).

  • Supporting schedules detailing the objective of the test, testing approach, sampling, work done, matters arising, action taken and conclusion.

  • Supporting work schedules detailing the actual work carried out, including balances, transactions and evaluation of control effectiveness.

  • Supporting internal and external documentation (e.g. bank letters, receivable confirmations, expert valuations).

  • Evidence of review, review notes and clearance of review point.

ACCA Recommended Minimum Period

ACCA recommends the following minimum periods:

• Audit working papers – seven years.

• Tax files – seven years and then returned to the client (or former client).

Purpose

First and foremost, audit documentation provides evidence:

• Of the basis for the auditor’s conclusion; and

• That the audit was planned and performed in accordance with ISAs and legal and regulatory requirements.

Additional purposes for documenting the audit process include:

• Increasing the economy, efficiency and effectiveness of the audit.

• Assisting the audit engagement team in planning and performing the audit (e.g. analysing information to assess risks).

• Facilitating the supervision and review of audit work (e.g., briefing and instructing assistants; engagement partner can agree that the work has been completed according to the audit plan).

• Retaining a record of matters of continuing significance to future audits.

• Enabling the engagement team to be accountable for its work.

• Enabling an experienced auditor, having no connection with the audit, to understand the audit process and conclusions.

• Enabling quality management reviews and external inspections in accordance with applicable legal, regulatory or other requirements

Ownership

General Principles

The general principles of ownership of audit documentation include the following:

• Working papers are the auditor's property, and clients have no right to demand access.

• Portions of or extracts from working papers may be made available to the client at the auditor’s discretion. (They are not a substitute for the client's accounting records.)

• All documents relating to clients are confidential.

• A client may require the auditor to disclose documents which belong to the client (only) to a third party.

Determining Ownership

The primary consideration in determining ownership is the contract with the client, which is agreed upon and evidenced in the engagement letter. If there is no specific agreement, consider:

• the capacity in which members act, for example, as principals (auditing services), or agents (tax compliance); and

• the purpose for which documents and records exist or are created (e.g. to support the audit opinion).