S11: Risk Based Audit S11: Risk Based Audit ApproachApproach

Session ObjectivesSession Objectives

To define audit risks and establish the To define audit risks and establish the relationship between materiality and relationship between materiality and audit riskaudit risk

To discuss the Audit Risk ModelTo discuss the Audit Risk Model To explain different kinds of audit risks To explain different kinds of audit risks

and the factors that determine themand the factors that determine them

Audit RiskAudit Risk

Audit accepts the risk that the audit Audit accepts the risk that the audit conclusion may be wrong and that Audit conclusion may be wrong and that Audit may have allowed material error to remain may have allowed material error to remain undetected in the account.undetected in the account.

Only a very small degree of audit risk Only a very small degree of audit risk would be acceptable as otherwise the audit would be acceptable as otherwise the audit process may lose its purpose.process may lose its purpose.

A very high level of assurance (or A very high level of assurance (or confidence) is required when expressing confidence) is required when expressing the audit opinion. the audit opinion.

Relationship between Relationship between materiality and audit riskmateriality and audit risk

Higher the materiality level, lower Higher the materiality level, lower the audit risk and vice versa. the audit risk and vice versa.

To calculate the level of assurance To calculate the level of assurance (or confidence) required from (or confidence) required from substantive audit tests, risk model is substantive audit tests, risk model is employed.employed.

Risk ModelRisk Model

Analytical tool for planning and execution. Analytical tool for planning and execution. Detects high-risk areas for concentrated Detects high-risk areas for concentrated

audit efforts. audit efforts. Audit can thus focus on areas which are Audit can thus focus on areas which are

likely to generate better assurance instead likely to generate better assurance instead of sampling and testing of larger but low of sampling and testing of larger but low risk areas. risk areas.

Structures the audit procedures and Structures the audit procedures and reorganizes the audit work in terms of risk reorganizes the audit work in terms of risk perception perception

Risk ModelRisk Model

Audit Risk

Inherent Risk Control risk Detection Risk

Inherent RiskInherent Risk

The risk that an error will occur in The risk that an error will occur in the first place.the first place.

Determined by the susceptibility Determined by the susceptibility of the classes of transactions to be of the classes of transactions to be audited to material misstatement, audited to material misstatement, irrespective of the related internal irrespective of the related internal controls in the organization. controls in the organization.

Control RiskControl Risk

The risk that internal controls will The risk that internal controls will fail to detect the error fail to detect the error

Determined by the efficacy of Determined by the efficacy of internal control environment in internal control environment in the auditee organization the auditee organization

Detection RiskDetection Risk

Risk that the audit procedures will Risk that the audit procedures will fail to detect the error. fail to detect the error.

Risk that auditor’s substantive Risk that auditor’s substantive tests do not detect a material tests do not detect a material misstatement in the transactions misstatement in the transactions audited by him. audited by him.

Overall Audit RiskOverall Audit Risk

All the three risks are independent All the three risks are independent of each other.of each other.

Overall Audit Risk (AR) is defined Overall Audit Risk (AR) is defined as: as:

OAR=CR x IR x DROAR=CR x IR x DR The overall audit risk is defined by The overall audit risk is defined by

the audit institution and hence is a the audit institution and hence is a constant pre-determined quantity.constant pre-determined quantity.

Objective for the AuditorObjective for the Auditor

To assess inherent and control risks in To assess inherent and control risks in the entity the entity

To design and perform appropriate To design and perform appropriate compliance and substantive compliance and substantive procedures that provide sufficient procedures that provide sufficient assurance that the product of the risks assurance that the product of the risks identified is less than or equal to the identified is less than or equal to the overall audit risk that the auditor is overall audit risk that the auditor is willing to accept. willing to accept.

Determinants of Inherent Determinants of Inherent RiskRisk

√ The number and significance of audit adjustments The number and significance of audit adjustments and difference waived during the audits of and difference waived during the audits of previous years.previous years.

√ Complexity of underlying calculations of Complexity of underlying calculations of accounting principlesaccounting principles

√ The susceptibility of the asset to material fraud or The susceptibility of the asset to material fraud or misappropriation misappropriation

√ Experience and competence of accounting Experience and competence of accounting personnel responsible for the componentpersonnel responsible for the component

√ Judgment involved in determining amount Judgment involved in determining amount √ Mix and size of items subject to the audit testMix and size of items subject to the audit test√ The degree to which the financial circumstances The degree to which the financial circumstances

of the entity may motivate its management to of the entity may motivate its management to misstate the component in regard to this misstate the component in regard to this assertionassertion

√ Integrity and behaviour of the management.Integrity and behaviour of the management.√ Management turnover and reputationManagement turnover and reputation

Assessment of Control Assessment of Control RiskRisk

Evaluate the control Evaluate the control environmentenvironment

Evaluate the control systemsEvaluate the control systems

Determinants of control Determinants of control environmentenvironment

√ Management philosophy and operating styleManagement philosophy and operating style√ The functioning of the board of directors and The functioning of the board of directors and

its committees, particularly the audit its committees, particularly the audit committeecommittee

√ Organizational structureOrganizational structure√ Methods of assigning authority and Methods of assigning authority and

responsibility.responsibility.√ Systems development methodsSystems development methods√ Systems development methodologySystems development methodology√ Personnel policies and practicesPersonnel policies and practices√ Management reaction to external influencesManagement reaction to external influences√ Internal auditInternal audit

Determinants of control Determinants of control environment (Contd.)environment (Contd.)

√ Segregation of incompatible functionsSegregation of incompatible functions√ Controls to ensure completeness of transactions Controls to ensure completeness of transactions

being recordedbeing recorded√ Controls to ensure that transactions are Controls to ensure that transactions are

authorized authorized √ Third party controls (e.g. confirmation of events)Third party controls (e.g. confirmation of events)√ Control over accounting systemsControl over accounting systems√ Controls over computer processingControls over computer processing√ Restricted access to assets (only allow access to Restricted access to assets (only allow access to

authorized personnel)authorized personnel)

Case StudyCase Study