NAME: ANGELA NKOBENI

STUDENT NUMBER: 22204302

COURSE: BAF3211

COURSE CODE: AUDITING AND ASSURANCE

LECTURER: MR

DUE DATE: 26TH AUGUST, 2024

ASSIGNMENT TWO:

WHY ARE RISKS KEY TO AUDITING PRACTICE?

6 PAGES

COHORT: JULY 2022

1
What is audit risk?

According to the IAASB Glossary of Terms (1), audit risk is defined as follows:

‘The risk that the auditor expresses an inappropriate audit opinion when the financial statements
are materially misstated. Audit risk is a function of material misstatement (inherent and control
risk) and the risk that the auditor will not detect that misstatement (detection risk.)’

Audit risk has two elements, the risk that the financial statements contain a material
misstatement and the risk that the auditors will fail to detect any material misstatements. Audit
risk has two major components. One is dependent on the entity, and is the risk of material
misstatement arising in the financial statements (inherent risk and control risk). The other is
dependent on the auditor, and is the risk that the auditor will not detect material misstatements in
the financial statements (detection risk). Audit risk can be represented by the audit risk model:

Audit risk = Inherent risk * control risk *detection risk

Inherent risk

Inherent risk is the susceptibility of an assertion about a class of transaction, account balance, or
disclosure to a misstatement that could be material individually or when aggregated with other
misstatements, assuming there were no related internal controls. Inherent risk is the risk that
items will be misstated due to the characteristics of those items, such as the fact they are
estimates or that they are important items in the accounts. The auditors must use their
professional judgement and all available knowledge to assess inherent risk If no such
information or knowledge is available then the inherent risk is high. Inherent risk is affected by
the nature of the entity; for example, the industry it is in and the regulations it falls under, and
also the nature of the strategies it adopts.
Control risk

This is the risk that a misstatement could occur in an assertion about a class of transaction,
account balance or disclosure, and that the misstatement could be material, either individually or

2
when aggregated with other misstatements, and will not be prevented or detected and corrected,
on a timely basis, by the entity’s internal control.

Detection risk

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an
acceptably low level will not detect a misstatement that exists and that could be material,
individually or when aggregated with other misstatements. This is the component of audit risk
that the auditors have a degree of control over, because, if risk is too high to be tolerated, the
auditors can carry out more work to reduce this aspect of audit risk, and therefore audit risk as a
whole.

Why is audit risk so important to auditors?

Audit risk is fundamental to the audit process because auditors cannot and do not attempt to
check all transactions. It would be impossible to check all of these transactions, and no one
would be prepared to pay for the auditors to do so, hence the importance of the risk-based
approach toward auditing. Traditionally, auditors have used a risk-based approach in order to
minimise the chance of giving an inappropriate audit opinion, and audits conducted in
accordance with ISAs must follow the risk-based approach, which should also help to ensure that
audit work is carried out efficiently, using the most effective tests based on the audit risk
assessment. Auditors should direct audit work to the key risks (sometimes also described as
significant risks), where it is more likely that errors in transactions and balances will lead to a
material misstatement in the financial statements. It would be inefficient to address insignificant
risks in a high level of detail, and whether a risk is classified as a key risk or not is a matter of
judgment for the auditor.

Why is the identification and assessment of audit risks important to risk management?

ISA 200 states that 'to obtain reasonable assurance, the auditor shall obtain sufficient appropriate
audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to

3
draw reasonable conclusions on which to base the auditor’s opinion.’ Auditors will want their
overall audit risk to be at an acceptable level, or it will not be worth them carrying out the audit.
In other words, if the chance of them giving an inappropriate opinion and being sued is high, it
might be better not to do the audit at all. The auditors will obviously consider how risky a new
audit client is during the acceptance process, and may decide not to go ahead with the
relationship. However, they will also consider audit risk for each individual audit, and will seek
to manage the risk.
As stated earlier, it is not in the auditors' power to affect inherent or control risk. These are risks
integral to the client, and the auditor cannot change the level of these risks. The auditors
therefore manage overall audit risk by manipulating detection risk, the only element of audit risk
they have control over. This is because the more audit work the auditors carry out, the lower
detection risk becomes, although it can never be entirely eliminated due to the inherent
limitations of audit. The auditors will decide what level of overall risk is acceptable, and then
determine a level of audit work so that detection risk is as low as possible. It is important to
understand that there is not a standard level of audit risk which is generally considered by
auditors to be acceptable. This is a matter of audit judgement, and so will vary from firm to firm
and audit to audit. Audit firms are likely to charge higher fees for higher risk clients. Regardless
of the risk level of the audit, however, it is vital that audit firms always carry out an audit of
sufficient quality.

Identifying and Assessing the Risks of Material Misstatement Through Understanding the
Entity and Its Environment

ISA 315 deals with the auditor’s responsibility to identify and assess the risks of material
misstatement in the financial statements through an understanding of the entity and its
environment, including the entity’s internal controls and risk assessment process.

The requirements of ISA 315 are summarised in the following table.

(1). The auditor shall perform risk assessment procedures in order to provide a basis for the
identification and assessment of the risks of material misstatement.

(2). The auditor is required to obtain an understanding of the entity and its environment,
including the entity’s internal control systems.

4
(3). The auditor shall identify and assess the risks of material misstatement, and determine
whether any of the risks identified are, in the auditor’s judgement, significant risks. This is in
order to provide a basis for designing and performing further audit procedures.

(4). ISA 330 then deals with the required responses to assessed risks.

Let us consider each of these four stages in more detail.

Risk assessment procedures

ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an
understanding sufficient to assess audit risks, and these risks must then be considered when
designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk
assessment procedures to provide a basis for the identification and assessment of risks of
material misstatement at the financial statement and assertion levels. ISA 315 goes on to identify
the following three risk assessment procedures:

Making inquiries of management and others within the entity

Auditors must have discussions with the client’s management about its objectives and
expectations, and its plans for achieving those goals.

Analytical procedures

Analytical procedures performed as risk assessment procedures should help the auditor in
identifying unusual transactions or positions. They may identify aspects of the entity of which
the auditor was unaware, and may assist in assessing the risks of material misstatement in order
to provide a basis for designing and implementing responses to the assessed risks.

Observation and inspection

Observation and inspection may also provide information about the entity and its environment.
Examples of such audit procedures can potentially cover a very broad area, including observation
or inspection of the entity’s operations, documents, and reports prepared by management, and
also of the entity’s premises and plant facilities.

5
ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination
of the above three procedures, and the standard also requires that the engagement partner and
other key engagement team members should discuss the susceptibility of the entity’s financial
statements to material misstatement. Key risks can be identified at any stage of the audit process,
and ISA 315 requires that the engagement partner should also determine which matters are to be
communicated to those engagement team members not involved in the discussion.

1. Understanding an entity

ISA 315 gives detailed guidance about the understanding required of the entity and its
environment by auditors, including the entity’s internal control systems. Understanding of the
entity and its environment is important for the auditor in order to help identify the risks of
material misstatement, to provide a basis for designing and implementing responses to assessed
risk (see reference below to ISA 330, The Auditor’s Responses to Assessed Risks), and to ensure
that sufficient appropriate audit evidence is collected. Given that the focus of this article is audit
risk, however, students should ensure that they also make themselves familiar with the concept
of internal control, and the components of internal control systems.

2. Identification and assessment of significant risks and the risks of material misstatement

In exercising judgement as to which risks are significant risks, the auditor is required to consider
the following:

 Whether the risk is a risk of fraud.

 Whether the risk is related to recent significant economic, accounting or other
developments, and therefore requires specific attention.
 The complexity of transactions.
 Whether the risk involves significant transactions with related parties.
 The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty.

6
  Whether the risk involves significant transactions that are outside the normal course of
business for the entity, or that otherwise appear to be unusual.

3. ISA 330 and responses to assessed risks

The requirements of ISA 330, The Auditor’s Responses to Assessed Risks, will be covered in a
future article, but essentially ISA 330 gives guidance about the nature and extent of the testing
required, based on the risk assessment findings. ISA 200, Overall Objectives of the Independent
Auditor and the Conduct of an Audit in Accordance with ISAs

ISA 200 sets out the overall objectives of the auditor, and the standard explains the nature and
scope of an audit designed to enable an auditor to meet those objectives. References to audit risk
are frequently made by ISA 200, and the standard also requires that the auditor shall plan and
perform an audit with professional scepticism, recognising that circumstances might exist that
may cause the financial statements to be materially misstated. Professional scepticism is defined
as an attitude that includes a questioning mind and a critical assessment of evidence

Auditing is a critical process that enhances the credibility of financial reporting and operational
efficiency in organizations. At its core, auditing seeks to provide an objective assessment of
financial statements and internal controls. A fundamental element of auditing is the concept of
risk. Understanding and managing risks is crucial for auditors to fulfill their responsibilities
effectively. This paper explores the significance of risks in auditing practice, examining the types
of risks, their impact on audit planning and execution, and the methodologies employed by
auditors to address these risks.

The Importance of Risk Assessment

Enhancing Audit Effectiveness

Risk assessment is a foundational aspect of the audit process. By identifying and evaluating
risks, auditors can focus their efforts on areas that are most likely to contain material
misstatements. This prioritization allows for more efficient use of resources and a higher quality
audit.

Tailoring Audit Procedures

7
Understanding the risk profile of an entity allows auditors to tailor their procedures accordingly.
For example, if a company operates in a volatile industry, auditors may increase substantive
testing in areas related to revenue recognition or asset valuation.

Improving Communication

Effective risk assessment fosters better communication between auditors and management. It
encourages a dialogue about the internal controls and risk management processes in place,
leading to a more collaborative audit environment.