Risk Assessment and Risk Response
AUDITING AND ASSURANCE SERVICES – Advance
Week – 5 & 6
agung nugroho soedibyo
300–499 RISK ASSESSMENT AND RESPONSE TO ASSESSED RISKS
1. ISA 300, Planning an Audit of Financial Statements
2. ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment
3. ISA 320, Materiality in Planning and Performing an Audit
4. ISA 330, The Auditor’s Responses to Assessed Risks
5. ISA 402, Audit Considerations Relating to an Entity Using a Service Organization
6. ISA 450, Evaluation of Misstatements Identified during the Audit
OVERALL AUDIT STRATEGY
Planning involves developing an overall audit strategy and an audit plan that details the nature, timing and extent of the planned audit procedures.
Adequate planning helps to ensure that appropriate attention is devoted to important areas of the audit, that potential problems are identified and that the work is completed on time.
decision tree
[Figure: decision tree for choosing substantive procedures. Decision points: Has a significant risk been identified? (fraud risk, or inherent risk assessed as significant); Are substantive analytical procedures appropriate?; Does our approach consist only of substantive procedures?; Did the substantive analytical procedures provide sufficient appropriate audit evidence? Outcomes: perform substantive analytical procedures; perform tests of details; perform tests of details, or tests of details and substantive analytical procedures; no further procedures required.]
If we fail to plan, we plan to fail
Tuesday, November 16, 2021 agung nugroho soedibyo 7
Question
Who assessed the Risk:
What kind of Risk
What is the objective of risk assessment
How is the process
Risk Responses:
• By who
• What is the objective
• How is the process
Technical terms
• Audit Risk
• Business risk
• Assertions
• Risk assessment procedures
• Internal control
• Significant risk
Audit Risk – Risk that we express an inappropriate audit opinion.
Risk of Material Misstatement – Risk that the financial statements are materially misstated.
Detection Risk – Risk that our audit procedures don’t identify material misstatements.
Inherent Risk – Risk inherent in the account (before considering internal controls).
Control Risk – Risk that the controls implemented by management to prevent or detect and correct misstatements do not operate as intended.
Glossary
Assertions – Representations by management, explicit or otherwise, that are embodied in the financial statements, as
used by the auditor to consider the different types of potential misstatements that may occur.
Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely
affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives
and strategies.
Internal control – The process designed, implemented and maintained by those charged with governance, management
and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or more of the components of internal control.
Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due
to fraud or error, at the financial statement and assertion levels.
Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special
audit consideration
INTERNATIONAL STANDARD ON AUDITING 315 (REVISED)
IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS
ENVIRONMENT
The objective of the auditor is to identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement and
assertion levels, through understanding the entity and its environment,
including the entity’s internal control, thereby providing a basis for designing
and implementing responses to the assessed risks of material misstatement
The auditor shall perform risk assessment procedures to provide a
basis for the identification and assessment of risks of material
misstatement at the financial statement and assertion levels.
Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit
evidence on which to base the audit opinion.
The risk assessment procedures shall include the following:
a. Inquiries of management, of appropriate individuals within the internal audit
function (if the function exists), and of others within the entity who in the
auditor’s judgment may have information that is likely to assist in identifying
risks of material misstatement due to fraud or error. (Ref: Para. A6–A13)
b. Analytical procedures. (Ref: Para. A14–A17)
c. Observation and inspection. (Ref: Para. A18)
The Entity and Its Environment
The auditor shall obtain an understanding of the entity, its industry and its operations to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.
The entity’s objectives and strategies, and those related business risks that may result in risks of material
misstatement
The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and
consistent with the applicable financial reporting framework and accounting policies used in the relevant
industry
Business Risk Audit Risk
ACTIVITY 5.11
‘Business risk’ may be defined as ‘the risk that
the entity will fail to achieve its objectives’. Make
a list of possible business objectives that an
entity might have.
Use with The Audit Process: Principles, Practice and Cases, Third Edition by Iain Gray & Stuart Manson, ISBN 1-86152-946-5. © 2005 Thomson Learning
Use with The Audit Process 4th Edition by Iain Gray & Stuart Manson, ISBN 9781844806782. © 2008 Cengage Learning
KEY POINTS – p.187
Examples of business objectives are:
• attaining a certain level of profitability;
• maximizing shareholder wealth;
• ensuring efficiency and effectiveness of
operations;
• meeting a desired market share;
The Entity and Its Environment
Relevant industry, regulatory, and other external factors including the
applicable financial reporting framework. (Ref: Para. A24–A29)
• The nature of the entity
• its operations;
• its ownership and governance structures;
• the types of investments that the entity is making and plans to make, including investments in special-purpose entities; and
• the way that the entity is structured and how it is financed,
[Figure: diagram with the labels Inherent Risk, Control Environment, Misstatements and Financial Statements.]
KEY POINTS – p.191
There are similarities between business and
inherent risk approaches:
(a) both use a ‘top-down’ approach;
(b) factors that increase inherent and control risk
may make it less likely that business objectives
will be obtained;
(c) analysis of both helps auditors to prove that
financial statements give a true and fair view.
KEY POINTS – p.191 CONT'D
Dissimilarities are:
(a) auditors consider inherent risks in relation to the
impact they may have on financial statements,
but the business risk approach considers risks
inhibiting the company in achieving objectives;
(b) business objectives and audit objectives are so
dissimilar that the above factors cannot create a
similarity.
The Entity and its Internal Control
The auditor shall obtain an
understanding of internal control
relevant to the audit. Although most
controls relevant to the audit are likely
to relate to financial reporting, not all
controls that relate to financial
reporting are relevant to the audit.
It is a matter of the auditor’s
professional judgment whether a
control, individually or in combination
with others, is relevant to the audit
Risk Assessment
Risk Response
Further Audit Procedures
Non-significant inherent risk and effective controls = May test controls and perform less substantive procedures.
We perform audit procedures to obtain reasonable assurance that the financial statements are free from material misstatement.
Significant inherent risk and ineffective controls = More substantive procedures.
Audit Evidence
Test of controls only provides evidence about effectiveness of the controls which may be used to reduce the extent of substantive testing through impact on Risk of Material Misstatement (RoMM).
Substantive audit evidence does not come from test of controls, but from substantive audit procedures.
Sufficient and appropriate audit evidence is required to support the audit opinion given in the Auditor’s report.
Further Audit procedures
Significant accounts – factors
Risk factors relevant to the identification of significant accounts and disclosures and their
relevant assertions include:
inherent risk factors:
• change in account or disclosure characteristics
• account balance or disclosure in relation to performance materiality
• nature of the balance or disclosure, or the underlying transactions
• volume of transactions
• assertions related to estimates
• exposure to losses in the account
• possibility of significant contingent liabilities arising from the activities reflected in the
account
Significant accounts – Other factors
• susceptibility to misstatement due to errors or fraud
• complexity, and homogeneity of the individual transactions
processed through the account or reflected in the disclosure
• accounting and reporting complexities associated with the account
or disclosure
• existence of related party transactions in the account.
What Can Go Wrong
WCGW analysis
Failure Mode and Effects Analysis
WCGW
What is a WCGW?
• A RISK in the entity’s process where
there is a reasonable possibility that a
material misstatement, including a
misstatement due to fraud, either
individually or in combination with
other misstatements, could occur.
Mind Mapping
[Figure: mind map. Diagram created in Inspiration® by Inspiration Software®, Inc. Copyright 2008 Health Administration Press. All rights reserved.]
Reliance on controls
• Process Activities
• WCGWs
• Identify Relevant Controls
• Perform TOE
• Evaluate
A WCGW could be at any stage of the process:
• how the information is entered into the information system (e.g. data entry/upload/interface)
• how the information is stored within the information system, and the ways in which it may be accessed (e.g. centralized servers, or decentralized desktop hard disks; accessible on-line-real-time, or accessible by download)
• points in the process in which the information is summarized, accumulated or subjected to calculations (e.g. calculated and accumulated daily in Excel and the daily total is entered/uploaded on day end)
• manual processes that affect the information (e.g. manual journal entries)
• management's review processes over the information and how management determines that the information has integrity (the level of detail in management’s review and how management checks the C&A of the data sources they use)
• judgments made by management in determining whether or not to adjust the information, and the amounts of those adjustments, if necessary (e.g. determining if a reconciling item indicates an error or a legitimate timing difference)
• how the information is affected when it is summarized for inclusion in the financial statements (e.g. top-side entries during the period-end financial reporting process).
WCGWs and relevant controls
[Figure: process activities running from Initiation to Recording, with WCGWs and Controls marked along the flow.]
Evaluating Controls: Design and Implementation
Design: Is the control capable of effectively preventing, or detecting and correcting material misstatements?
Implementation: Is the control actually being used?
An effective internal control system provides reasonable assurance that policies, processes, tasks, behaviours and other aspects of an organisation, taken together, facilitate its effective and efficient operation, help to ensure the quality of internal and external reporting, and help to ensure compliance with ...
RoMM matrix
Substantive Procedures
Type of Procedures:
• Substantive Analytical. Method: Predictive, Data Analysis, Ratio Analysis, Trend Analysis
• Test of Details. Method: Entire Population, Specific items, Substantive Sampling (Statistical, MUS, Non Statistical)
Substantive Analysis
Analytical | Developing Expectation | Example
Predictive analysis | Key factors and key relationships | Key factor = number of employees; Key relationship = average salary per employee
Data analysis | Developed at detailed transaction level | What would be unusual for a specific transaction
Ratio analysis | Key relationships | Relationship between account balances or disclosures (Sales and Accounts receivable)
Trend analysis | The trend | We expect the results to follow the trend
What is a test of details (“ToD”)
Inspection
Observation
External Confirmation
Recalculation
Re-performance
Inquiry *
* Inquiry alone does not provide sufficient audit evidence. When we use inquiry, we use it in conjunction with one of these other techniques.
Cumulative audit evidence - example