
When doing a Risk Assessment on a client, what does an auditor look at?


Because risk is such a significant component of an audit, it is essential that auditors approach risk evaluation with great care.


The auditor is tasked with several overall objectives, one of which is to identify the risks that a company faces (both business risk and the risk of material misstatement) and then minimise these risks to an acceptable level.


In light of this difficulty, the objective of ISA 330, entitled The Auditor's Responses to Assessed Risks, is to address the responsibilities that an auditor must face when developing and putting into practice audit procedures tailored to respond specifically to the risk of material misstatement.


ISA 330 and ISA 315, "Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment," have a substantial amount of interaction.


The auditor's methodology/approach in planning and carrying out further audit procedures is referred to as being "responsive to the assessed risk of material misstatement."


There are generally two fundamental methods of obtaining audit evidence to help reduce audit risk:

  1. Substantive Testing (or Tests of Detail); and

  2. Tests of Control (or Compliance Testing).

ISA 330 defines substantive testing and tests of control as follows:


"Substantive procedures: an audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:

  1. Tests of details (of classes of transactions, account balances, and disclosures); and

  2. Substantive Analytical Procedures.

Tests of controls: an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level."


The auditor may conclude that performing tests of control is not an effective way [especially for SME clients] to obtain sufficient and appropriate audit evidence to address the assessed levels of risk, and that a more substantive approach is therefore needed. This illustrates that audit procedures must be responsive to the assessed levels of risk.


Risk at the Assertion Level

The term "assertion" refers to what management has asserted [stated] to be true.


For example, management will assert (at the financial statement assertion level) that all transactions that should have been recorded have been recorded.


As a result, management will make an assertion, and it will be the auditor's responsibility to provide audit evidence that substantiates this assertion.


As part of their risk assessment, the auditor will identify important areas (transactions, balances, and disclosures) that are prone to the risk of material misstatement.


Hence, the auditor will look at both the "inherent" and the "control" risks.


Inherent Risk

The possibility that the account or section being audited has been materially misstated due to fraud or error without considering the related internal controls is known as the "inherent risk."

In assessing inherent risk, these are some of the factors that the auditor needs to consider:

  • The complexity of determining the account amount (especially if the amount is estimated);

  • History (have there been past errors discovered);

  • The circumstances of the entity's business and the environment in which it operates; and

  • Management's overall risk awareness.

Control Risk

The control risk is the risk that the internal control environment in a particular part of the accounting system will not prevent, detect and correct a material misstatement.


As a result, the auditor considers the inherent risk and the control risk at the financial statement assertion level and then evaluates the probability that the financial statements include a material misstatement.


In some cases, the assessed levels of risk might be so high in certain areas that the auditor decides it is appropriate to obtain more persuasive audit evidence there (for example, cash in a cash-based business such as a restaurant).


Significant risks are those that need extra attention from the auditor.


The following are signs that risk could be considered significant:

  1. Risk of fraud.

  2. A significant degree of subjectivity in the financial information.

  3. Unusual transactions.

  4. Significant transactions are undertaken with a related party.

  5. The transactions undertaken are complex.

Responses to the Assessed Risks

The objective of ISA 330 is:


"to obtain sufficient, appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to these risks."


Responses can include exercising professional scepticism, using auditor's experts, deploying additional or alternative staff with suitable levels of experience and competence to meet the assessed levels of risk, and incorporating an element of unpredictability into the audit procedures.


Tests of Control


Tests of control are what the auditor does to determine how well the entity's control environment works.

For example, the auditor might watch the sales invoice processing cycle to see if the controls over the entity's sales processing can find and fix [identifying and correcting] mistakes quickly.


The auditor can also perform tests of control if they consider that substantive tests alone will not provide sufficient audit evidence at the assertion level.


Financial statement risk, which is the risk that the financial statements contain a material misstatement, and detection risk, which is the risk that the auditor's procedures won't catch [fail to detect] a material misstatement, are inversely related (the lower the financial statement risk, the higher the detection risk becomes, and vice versa).


For recurring audits, tests of controls will have been done in previous audits, and there will be evidence in the audit files from previous years about how well those controls work.

In some jurisdictions, rules say that detailed tests of control need only be performed every third audit. But the auditor's risk assessment should decide how often control tests are performed. Usually, the factors to consider are:

  • The risk of material misstatement;

  • The general operating effectiveness of the internal controls;

  • The extent of reliance on internal control;

  • The effectiveness of general IT-related internal controls; and

  • The application of internal control by the entity.

The above list is not exhaustive, and the auditor may consider that other factors should also be taken into account when deciding how long should pass before detailed control tests are performed.


Regardless of which other procedures are performed, ISA 330 requires the auditor to perform substantive procedures in important areas, such as:

  • Agreeing the financial statements to the underlying accounting records.

  • Examining material journal entries.

  • Examining other adjustments made in preparing the financial statements.

Documentation

The auditor should make sure that proper records have been kept for the following things:

  • The discussion among the audit engagement team relating to the susceptibility of the financial statements to material misstatement (including any significant decisions reached).

  • Key elements of understanding the entity and the environment in which it works. Also, the sources of the information gathered and the methods used to assess the risks [risk assessment procedures].

  • The identified and assessed risks of material misstatement.

  • Significant risks that have been identified together with an evaluation of the related controls.

  • Overall responses to address the risks of material misstatement.