6 Risk assessment

Question 1

What attitude must the auditor carry out audit?

Answer 1

with an attitude of professional scepticism, exercise professional judgement and comply with ethical requirements.

Question 2

Define Professional scepticism

Answer 2

Professional scepticism is an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.

Question 3

Define Professional judgement

Answer 3

Professional judgement is the application of relevant training, knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.

Question 4

Professional scepticism requires the auditor to be alert to:

Answer 4

• Audit evidence that contradicts other audit evidence obtained • Information that brings into question the reliability of documents and responses to enquiries to be used as audit evidence • Conditions that may indicate possible fraud • Circumstances that suggest the need for audit procedures in addition to those required by ISAs

Question 5

Professional judgement is required in the following areas:

Answer 5

• Materiality and audit risk • Nature, timing and extent of audit procedures • Evaluation of whether sufficient appropriate audit evidence has been obtained • Evaluating management’s judgements in applying the applicable financial reporting framework • Drawing conclusions based on the audit evidence obtained

Question 6

What approach o auditors follow to auditing ISAs

Answer 6

risk-based approach

Question 7

An audit risk is likely to the ___

Answer 7

financial statements

Question 8

Define Audit risk

Answer 8

Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. It is a function of the risk of material misstatement (inherent risk and control risk) and the risk that the auditor will not detect such misstatement (detection risk).

Question 9

Audit risk = __risk × __risk × __risk

Answer 9

Audit risk = Inherent risk × control risk × detection risk

Question 10

Inherent risk

Answer 10

Inherent risk is the susceptibility of an assertion to a misstatement that could be material individually or when aggregated with other misstatements, assuming there were no related internal controls

Question 11

Control risk

Answer 11

Control risk is the risk that a material misstatement, that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal control.

Question 12

Detection risk

Answer 12

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatement

Question 13

One way to decrease detection risk is to increase sample sizes. T/F

Answer 13

True

Question 14

increasing sample sizes and carrying out more work is not the only way to manage detection risk. why?

Answer 14

This is because detection risk is a function of the effectiveness of an audit procedure and of its application by the auditor

Question 15

Although increasing sample sizes or doing more work can help to reduce detection risk, the following actions can also improve the effectiveness and application of procedures and therefore help to reduce detection risk:

Answer 15

• Adequate planning • Assignment of more experienced personnel to the engagement team • The application of professional scepticism • Increased supervision and review of the audit work performed

Question 16

Define Materiality

Answer 16

Materiality for the financial statements as a whole and performance materiality must be calculated at the planning stages of all audits. The calculation or estimation of materiality should be based on experience and judgement. Materiality for the financial statements as a whole must be reviewed throughout the audit and revised if necessary.

Question 17

ISA 320 does not define materiality (in relation to the financial statements as a whole) but notes that while it may be discussed in different terms by different financial reporting frameworks the following are generally the case:

Answer 17

(a) Misstatements are considered to be material if they, individually or in aggregate, could reasonably be expected to influence the economic decisions of users. (b) Judgements about materiality are made in the light of surrounding circumstances, and are affected by the size and nature of a misstatement or a combination of both. (c) Judgements about matters that are material to users of financial statements are based on a consideration of the common financial information needs of users as a group.

Question 18

The materiality level will impact on the auditor’s decisions relating to:

Answer 18

• How many items to examine • Which items to examine • Whether to use sampling techniques • What level of misstatement is likely to result in a modified audit opinion

Question 19

Conforming amendments to ISA 320 published in 2015 make it clear that auditors must consider the risks of material misstatement in qualitative disclosures. In doing so, the auditor should consider:

Answer 19

• The circumstances of the entity (eg any business acquisitions or disposals during the period) • The applicable financial reporting framework (eg new qualitative disclosures may be required by a new financial reporting standard) • Qualitative disclosures that are important to the users of the financial statements because of the nature of the entity (eg liquidity risk disclosures for a financial institution)

Question 20

The following factors may affect the identification of an appropriate benchmark:

Answer 20

• Elements of the financial statements (eg assets, liabilities, equity, revenue, expenses) • Whether there are items on which users tend to focus • Nature of the entity, industry and economic environment • Entity’s ownership structure and financing • Relative volatility of the benchmark

Question 21

Define performance materiality

Answer 21

Performance materiality is the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. Performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures.

Question 22

As you can see, determining performance materiality is very much dependent on the auditor’s professional judgement. In summary, it is affected by:

Answer 22

• The nature and extent of misstatements identified in prior audits • The auditor’s understanding of the entity • Result of risk assessment procedures

Question 23

Materiality has qualitative aspects give examples

Answer 23

• Law, regulation or the applicable financial reporting framework affect users’ expectations regarding the measurement or disclosure of certain items (for example, related party transactions, and the remuneration of management and those charged with governance). • Some disclosures are key disclosures in relation to the industry in which the entity operates (for example, research and development costs for a pharmaceutical company). • Attention is sometimes focused on a particular aspect of the entity’s business that is separately disclosed in the financial statements (for example, a newly acquired business).

Question 24

ISA 320 requires the following to be documented:

Answer 24

• Materiality for the financial statements as a whole • Materiality level or levels for particular classes of transactions, account balances or disclosures if applicable • Performance materiality • Any revision of the above as the audit progresses

Question 25

Why do we need an understanding? what does ISA 315 say about this?

Answer 25

ISA 315 (Revised) Identifying and assessing the risks of material misstatement through understanding the entity and its environment states that the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement

Question 26

OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT Why is this important?

Answer 26

– To identify and assess the risks of material misstatement in the financial statements – To enable the auditor to design and perform further audit procedures – To provide a frame of reference for exercising audit judgement, for example, when setting audit materiality

Question 27

OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT What is important?

Answer 27

– Industry, regulatory and other external factors, including the applicable financial reporting framework – Nature of the entity, including operations, ownership and governance, investments, structure and financing – Entity's selection and application of accounting policies – Objectives and strategies and related business risks that might cause material misstatement in the financial statements – Measurement and review of the entity's financial performance – Internal control

Question 28

OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT How do we go about obtaining this information?

Answer 28

– Enquiries of management, appropriate individuals within the internal audit function and others within the entity – Analytical procedures – Observation and inspection – Prior period knowledge – Client acceptance or continuance process – Discussion by the audit team of the susceptibility of the financial statements to material misstatement – Information from other engagements undertaken for the entity

Question 29

In addition to the sources shown in the diagram above, the auditor will refer to the following to help in obtaining an understanding of the entity and its environment.

Answer 29

• The permanent audit file where information of continuing importance to the audit is kept • Audit working papers from the previous year's audit file • Information from the client's website • Publications or websites related to the industry the client operates in

Question 30

A combination of the following procedures should be used to obtain an understanding:

Answer 30

• Enquiries of management, internal auditors and others within the entity • Analytical procedures • Observation and inspection

Question 31

What are analytical procedures?

Answer 31

Analytical procedures consist of evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. Analytical procedures also encompass investigation of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.

Question 32

Analytical procedures include:

Answer 32

(a) The consideration of comparisons with: • Similar information for prior periods • Anticipated results of the entity, from budgets or forecasts • Predictions prepared by the auditors • Industry information (b) The consideration of the relationship between elements of financial information that are expected to conform to a predicted pattern based on the entity's experience, such as the relationship of gross profit to sales. (c) The consideration of the relationship between financial information and relevant non-financial information, such as the relationship of payroll costs to number of employees.

Question 33

The auditor also needs to have a good understanding of the business to assess the significance of e-commerce and its effect on audit risk. The auditor should consider the following

Answer 33

• The entity's business activities and industry • The entity's e-commerce strategy • The extent of e-commerce activities • Outsourcing arrangements Specific risks affecting entities that engage in e-commerce include: • Loss of transaction integrity • Security risks • Improper accounting policies (eg capitalisation of expenditure, translation of foreign currency, allowances for warranties and returns, revenue recognition) • Non-compliance with taxation and other laws and regulations • Failure to ensure that contracts are binding • Overreliance on e-commerce • Systems and infrastructure failures or crashes

Question 34

Identifying and assessing the risks of material misstatement ISA 315 says that the auditor shall identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures. It requires the auditor to take the following steps:

Answer 34

It requires the auditor to take the following steps: • Identify risks throughout the process of obtaining an understanding of the entity and its environment • Assess the identified risks and evaluate whether they relate more pervasively to the financial statements as a whole • Relate the risks to what can go wrong at the assertion level • Consider the likelihood of the risks causing a material misstatement

Question 35

When the auditor has obtained an understanding of the entity, (s)he shall assess the risks of material misstatement in the financial statements, also identifying significant risks. True/ False

Answer 35

True

Question 36

Define significant risks

Answer 36

Significant risks are complex or unusual transactions that may indicate fraud, or other special risks.

Question 37

As part of the risk assessment described above, the auditor shall determine whether any of the risks are significant risks. The following factors indicate that a risk might be significant.

Answer 37

• Risk of fraud (see Section 6) • Its relationship with recent economic, accounting or other developments • The degree of subjectivity in the financial information • It is an unusual transaction • It is a significant transaction with a related party • The complexity of the transaction

Question 38

Routine, non-complex transactions are less likely to give rise to significant risk than unusual transactions or matters of management judgement. This is because unusual transactions are likely to have more:

Answer 38

• Management intervention • Complex accounting principles or calculations • Manual intervention • Opportunity for control procedures not to be followed When the auditor identifies a significant risk, if they have not done so already, they shall obtain an understanding of the entity's controls relevant to that risk.

Question 39

Overall responses include such issues as emphasising to the team the importance of professional scepticism, allocating more staff, using experts or providing more supervision. Overall responses to address the risks of material misstatement at the financial statement level will be changes to the general audit strategy or re-affirmations to staff of the general audit strategy. For example

Answer 39

• Emphasising to audit staff the need to maintain professional scepticism • Assigning additional or more experienced staff to the audit team • Providing more supervision on the audit • Incorporating more unpredictability into the audit procedures • Making general changes to the nature, timing or extent of audit procedures The evaluation of the control environment that will have taken place as part of the assessment of the client's internal control systems will help the auditor determine what type of audit approach to take.

Question 40

What are tests of control?

Answer 40

Tests of controls are audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

Question 41

What are substantive procedures?

Answer 41

Substantive procedures are audit procedures designed to detect material misstatements at the assertion level. They consist of tests of details (of classes of transactions, account balances and disclosures) and substantive analytical procedures.

Question 42

The auditor shall always carry out substantive procedures on material items. The ISA says that, irrespective of the assessed risk of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance and disclosure. In addition, the auditor shall carry out the following substantive procedures:

Answer 42

• Agreeing or reconciling the financial statements to the underlying accounting records • Examining material journal entries • Examining other adjustments made in preparing the financial statements

Question 43

Analytical procedures as substantive procedures tend to be appropriate for large volumes of predictable transactions (for example, wages and salaries). Tests of detail may be appropriate to gain information about account balances; for example, inventory and trade receivables. True / false

Answer 43

True

Question 44

Substantive procedures fall into two categories

Answer 44

analytical procedures and tests of details

Question 45

Define analytical tests

Answer 45

Analytical procedures as substantive procedures tend to be appropriate for large volumes of predictable transactions (for example, wages and salaries).

Question 46

Define tests of detail

Answer 46

Tests of detail may be appropriate to gain information about account balances; for example, inventory and trade receivables.

Question 47

Give examples of audit risks. Risk that inventory has a lower net realisable value than cost and is therefore overstated (eg NRV falls due to the client being in an industry where tastes/fashions change quickly).

Answer 47

Examine the instructions to identify slow moving inventory lines when attending the inventory count. Increase the emphasis on reviewing the year end aged inventory analysis for evidence of slow moving inventory. Ascertain sales values for items sold post year end that were in inventory at the year end to ensure their NRV was higher than the cost recorded as part of the inventory value in the financial statements

Question 48

Give examples of audit risks. Assets are desirable / more susceptible to theft leading to a risk that recorded assets do not exist (eg inventory/non-current assets).

Answer 48

Focus on testing internal controls over those assets (including physical controls to prevent theft). Increase sample sizes for inspecting recorded assets, ensuring any material assets are verified (in the context of performance materiality).

Question 49

Give examples of audit risks: Increased risk of revenue expenditure being incorrectly classified as capital (or vice versa), leading to misstatement of assets/expenses (eg extensive refurbishment of non-current assets where judgement is needed to establish whether the nature of the work is to enhance the asset or repair/replace it).

Answer 49

Obtain a breakdown of related costs and review accounting entries against invoices/details of work done to ensure expenditure is correctly treated as capital/revenue. Perform a detailed review of repairs accounts for any items which should be included in non-current assets. Review the asset register to ensure only capital items have been included.

Question 50

Give examples of audit risks: Increased risk of incomplete or unrecorded income due to fraud or theft (eg large amounts of cash collected and held prior to banking)

Answer 50

Perform analytical procedures focusing on comparing revenue with expected seasonal/monthly patterns. If a retail client, perform/reperform a reconciliation of a sample of till records to actual bankings.

Question 51

``` Give examples of audit risks: Invoices received (or payments made) in advance/arrears of goods or services delivery date leading to overstatement or understatement of costs and/or liabilities ```

Answer 51

Review post year end bank statements / cash book payments for evidence of amounts relating to the financial year but not included in liabilities. For a sample of documents pre and post year end indicating date of delivery of goods/services (eg GRNs), verify the cost and liability were recorded in the appropriate period

Question 52

Give examples of audit risks: There is an increased risk of irrecoverable debts (eg due to the nature of the client's industry or customers), resulting in assets being potentially overstated.

Answer 52

Identify year end receivable balances still outstanding at the date of the audit by reviewing post year end receipts from customers. For amounts still outstanding establish whether these are provided for. Review aged receivables analysis and customer correspondence files for evidence of disputes with receivables and consider the adequacy of any related receivables allowance.

Question 53

Give examples of audit risks: Management has an incentive to manipulate performance, increasing the risk of profits being overstated (eg remuneration or bank funding is reliant on performance).

Answer 53

Focus on and increase testing on judgemental areas in the financial statements (eg provisions, revenue recognition accounting policies).

Question 54

What is fraud?

Answer 54

Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Fraud may be perpetrated by an individual, or colluded in, with people internal or external to the business.

Question 55

What is fraud risk factors?

Answer 55

Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.

Question 56

Specifically, there are two types of fraud causing material misstatement in financial statements

Answer 56

• Fraudulent financial reporting • Misappropriation of assets

Question 57

What is Fraudulent financial reporting?

Answer 57

Fraudulent financial reporting involves intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users.

Question 58

What does Fraudulent financial reporting include:

Answer 58

This may include: • Manipulation, falsification or alteration of accounting records / supporting documents • Misrepresentation (or omission) of events or transactions in the financial statements • Intentional misapplication of accounting principles

Question 59

What is Misappropriation of assets?

Answer 59

Misappropriation of assets involves the theft of an entity's assets and is often perpetrated by employees in relatively small and immaterial amounts. However, it can also involve management who are usually more capable of disguising or concealing misappropriations in ways that are difficult to detect.

Question 60

Examples of misappropriation of assets includes:

Answer 60

Employees may be involved in such fraud in small and immaterial amounts, but it can also be carried out on a larger scale by management who may then conceal the misappropriation, for example, by: • Embezzling receipts (for example, diverting them to private bank accounts) • Stealing physical assets or intellectual property (inventory, selling data) • Causing an entity to pay for goods not received (payments to fictitious vendors) • Using assets for personal use 6

Question 61

The risk of not detecting a material misstatement from fraud is higher than from error because of the following reasons :

Answer 61

• Fraud may involve sophisticated schemes designed to conceal it. • Fraud may be perpetrated by individuals in collusion. • Management fraud is harder to detect because management is in a position to manipulate accounting records or override control procedures

Question 62

ISA 315 requires a discussion among team members that places particular emphasis on how and where the financial statements may be susceptible to fraud. Risk assessment procedures to obtain information in identifying the risks of material misstatement due to fraud shall include the following:

Answer 62

• Enquiries of management regarding: – Management's assessment of the risk that the financial statements may be misstated due to fraud – Management's process for identifying and responding to the risk of fraud – Management's communication to those charged with governance in respect of its process for identifying and responding to the risk of fraud – Management's communication to employees regarding its views on business practices and ethical behaviour – Knowledge of any actual, suspected or alleged fraud

Question 63

ISA 315 requires a discussion among team members that places particular emphasis on how and where the financial statements may be susceptible to fraud. Risk assessment procedures to obtain information in identifying the risks of material misstatement due to fraud shall include the following (part 2):

Answer 63

• Enquiries of internal audit for knowledge of any actual, suspected or alleged fraud, and its views on the risks of fraud • Obtaining an understanding of how those charged with governance oversee management's processes for identifying and responding to the risk of fraud and the internal control established to mitigate these risks • Enquiries of those charged with governance for knowledge of any actual, suspected or alleged fraud • Evaluating whether any unusual relationships have been identified in performing analytical procedures that may indicate risk of material misstatement due to fraud • Considering whether any other information may indicate risk of material misstatement due to fraud • Evaluating whether any fraud risk factors are presen

Question 64

In accordance with ISA 330, the auditor shall determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. In this regard, the auditor shall:

Answer 64

• Assign and supervise staff responsible taking into account their knowledge, skill and ability • Evaluate whether the accounting policies may be indicative of fraudulent financial reporting • Incorporate unpredictability in the selection of the nature, timing and extent of audit procedures

Question 65

As we mentioned above, management fraud is more difficult to detect than employee fraud because of management's ability to override controls and therefore manipulate accounting records. ISA 240 states that irrespective of the auditor's assessment of the risks of management override of controls, the auditor shall design and perform audit procedures to:

Answer 65

• Test the appropriateness of journal entries and other adjustments • Review accounting estimates for bias • For significant transactions outside the normal course of business, evaluate whether they have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of asset

Question 66

ISA 240 requires the auditor to obtain written representations from management and those charged with governance that:

Answer 66

(a) They acknowledge their responsibility for the design, implementation and maintenance of internal control to prevent and detect fraud. (b) They have disclosed to the auditor management's assessment of the risk of fraud in the financial statements. (c) They have disclosed to the auditor their knowledge of fraud / suspected fraud involving management, employees with significant roles in internal control, and others where fraud could have a material effect on the financial statements. (d) They have disclosed to the auditor their knowledge of any allegations of fraud / suspected fraud communicated by employees, former employees, analysts, regulators or others.

Question 67

Auditors are given guidance in ISA 250 Consideration of laws and regulations in an audit of financial statements. The objectives of the auditor are:

Answer 67

(a) To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements (b) To perform specified audit procedures to help identify non-compliance with other laws and regulations that may have a material effect on the financial statements (c) To respond appropriately to non-compliance / suspected non-compliance identified during the audit

Question 68

ISA 250 distinguishes the auditor's responsibilities in relation to compliance with two different categories of laws and regulations:

Answer 68

a) Those that have a direct effect on the determination of material amounts and disclosures in the financial statements (b) Those that do not have a direct effect on the determination of material amounts and disclosures in the financial statements but where compliance may be fundamental to the operating aspects, ability to continue in business, or to avoid material penalties

Question 69

In accordance with ISA 315, the auditor shall obtain a general understanding of:

Answer 69

• The applicable legal and regulatory framework • How the entity complies with that framework

Question 70

The auditor shall remain alert throughout the audit to the possibility that other audit procedures may bring instances of non-compliance or suspected non-compliance to the auditor's attention. These audit procedures could include:

Answer 70

• Reading minutes • Making enquiries of management and in-house/external legal advisers regarding litigation, claims and assessments • Performing substantive tests of details of classes of transactions, account balances or disclosure

Question 71

The following factors may indicate non-compliance with laws and regulations:

Answer 71

• Investigations by regulatory authorities and government departments • Payment of fines or penalties • Payments for unspecified services or loans to consultants, related parties, employees or government employees • Sales commissions or agents' fees that appear excessive • Purchasing at prices significantly above/below market price • Unusual payments in cash

Question 72

The following factors may indicate non-compliance with laws and regulations Part 2:

Answer 72

• Unusual transactions with companies registered in tax havens • Payment for goods and services made to a country different to the one in which the goods and services originated • Payments without proper exchange control documentation • Existence of an information system that fails to provide an adequate audit trail or sufficient evidence • Unauthorised transactions or improperly recorded transactions • Adverse media comment

Question 73

The following table summarises audit procedures to be performed when non-compliance is identified or suspected Non-compliance: audit procedures

Answer 73

Obtain understanding of nature of act and circumstances. Obtain further information to evaluate possible effect on financial statements. Discuss with management and those charged with governance. Consider need to obtain legal advice if sufficient information not provided and matter is material. Evaluate effect on auditor's opinion if sufficient information not obtained. Evaluate implications on risk assessment and reliability of written representations

Question 74

The auditor shall communicate with those charged with governance, but, if the auditor suspects that those charged with governance are involved, the auditor shall communicate with the next highest level of authority, e.g....

Answer 74

such as the audit committee or supervisory board. If this does not exist, the auditor shall consider the need to obtain legal advice.

Question 75

Auditors must ensure they have documented the work done at the risk assessment stage, such as the discussion among the audit team of the susceptibility of the financial statements to material misstatements, significant risks, and overall responses. The following matters shall be documented during planning:

Answer 75

• The discussion among the audit team concerning the susceptibility of the financial statements to material misstatements, including any significant decisions reached • Key elements of the understanding gained of the entity regarding the elements of the entity and its internal control components specified in ISA 315, the sources of the information gained and the risk assessment procedures carried out

Question 76

Auditors must ensure they have documented the work done at the risk assessment stage, such as the discussion among the audit team of the susceptibility of the financial statements to material misstatements, significant risks, and overall responses. The following matters shall be documented during planning: (part 2)

Answer 76

• The identified and assessed risks of material misstatement at the financial statement level and at the assertion level • Risks identified and related controls evaluated • The overall responses to address the risks of material misstatement at the financial statement level • Nature, extent and timing of further audit procedures linked to the assessed risks at the assertion level • Results of audit procedures • If the auditors have relied on evidence about the effectiveness of controls from previous audits, conclusions about how this is appropriate • Demonstration that the financial statements agree or reconcile with the underlying accounting record