
The Risk Based Approaches to Audit
Audit risk:
“ The auditor obtains and evaluates evidence to
obtain reasonable assurance about whether the
financial statements give a true and fair view (or
are presented fairly in all material respects) in
accordance with the applicable financial reporting
framework. The concept of reasonable assurance
acknowledges that there is a risk the audit
opinion is inappropriate. The risk that the auditor
expresses an inappropriate audit opinion when the
financial statements are materially misstated is
known as “audit risk”.”
(ISA 200, 14)
Acceptable audit risk:

“The auditor should plan and perform the
audit to reduce audit risk to an acceptably
low level that is consistent with the objective
of an audit. … Reasonable assurance is
obtained when the auditor has reduced audit
risk to an acceptably low level.”
(ISA 200, 15)
A risk based approach:
“The auditor performs audit procedures to assess
the risk of material misstatement and seeks to
limit detection risk by performing further audit
procedures based on that assessment. The audit
process involves the exercise of professional
judgment in designing the audit approach, through
focusing on what can go wrong at the assertion
level and performing audit procedures in
response to the assessed risks in order to obtain
sufficient appropriate evidence.”
(ISA, 200, 16)
Audit risk - the components (ISA 200):
[Diagram: Inherent risk and Control risk combine into Risk of Material Misstatement; Risk of Material Misstatement and Detection risk combine into Audit risk]
Inherent risk
“ the susceptibility of an assertion to a
misstatement that could be material, either
individually or when aggregated with other
misstatements, assuming that there are no
related controls.”
(ISA, 200, 20)
Inherent risk factors:
• Pervasive / entity level
– Nature of the business, industry & economy.
– The integrity, quality and experience of management.
– Special pressures.
• Local / assertions level
– Complexity of transaction / calculation.
– Judgement / estimation required.
– Specific technological change / product obsolescence.
– Assets susceptible to misappropriation.
– Make up of population.
– Non-routine transactions.
– Related parties.
Control risk:
“the risk that a misstatement that could
occur in an assertion and that could be
material, either individually or when
aggregated with misstatements, will not be
prevented, or detected and corrected, on a
timely basis, by the entity’s internal
control.”
(ISA, 200, 20)

A function of both design & operation of controls.


Detection risk:
“ the risk that auditor will not detect a
misstatement that exists in an assertion that could
be material, either individually or when aggregated
with other misstatements.”
(ISA, 200, 22)
• A function of the design and implementation of
audit procedures:
– Sampling risk
– Design risk
– Application risk
– Interpretation risk
The PwC Approach – identifying & responding to risk (2000)
• “TeamAsset … allows each audit team to build
a tailored audit program from planning to
completion stages by selecting client-specific
risks from a “library” of risks. Each risk that is
selected by the auditor for inclusion in the
client audit file is linked to the identification of
a set of suggested procedures at a given control
risk level that will mitigate the identified risk.”
(Winograd, et al., (2000))
Risk assessment: structure & judgment
“ Instead of viewing an audit as a series of closely
coordinated technical steps, it may be informative to
view it as a social enterprise that relies on language
and certain imbedded perspectives in order to
understand the client organization and to make it
understandable.
Our empirical findings strongly suggest that an
audit firm’s philosophical position with respect to
structure, influences what client characteristics audit
team members see as important in assessing
inherent risk.”
(Dirsmith & Haskins, “Inherent risk assessment & audit firm technology”, AOS, 1991, p.82)
The components of audit risk

AR = IR X CR X DR

AR - Audit risk
DR - Detection risk
IR - Inherent risk
CR - Control risk
The components of audit risk

AAR = IR X CR X PDR

AAR - Acceptable audit risk


PDR - Planned detection risk
IR - Inherent risk
CR - Control risk
Planned detection risk

• Determines the amount of substantive
evidence the auditor must plan to
collect (inverse with size of PDR).
– Determined by other factors in
model.
AAR = IR X CR X PDR
2% = 50% X 50% X ?%

AAR = IR X CR X PDR
2% = 50% X 50% X 8%

AAR = IR X CR X PDR
2% = 100% X 100% X 2%

For a given level of audit risk, the greater the risk of material
misstatement (IR x CR), the less detection risk can be accepted.

AAR = IR X CR X PDR
Low = High X High X Low

Quantifying the components of audit risk is highly problematic

Low PDR = High amount of substantive audit evidence required


The components of audit risk

PDR = AAR / (IR X CR)

PDR = 5% / (50% X 40%)

PDR = 25%
Risk, materiality & substantive audit evidence

[Diagram with boxes: AAR, IR, CR; PDR; Materiality; Tolerable misstatement; Planned substantive audit]
Materiality:
• “Information is material if its omission could
influence the economic decisions of users taken on
the basis of the financial statements. …”
(ISA 320.3)
“The objective of an audit of financial statements is
to enable the auditor to express an opinion whether
the financial statements are prepared in all material
respects, in accordance with an applicable financial
reporting framework. The assessment of what is
material is a matter of professional judgement.”
(ISA 320.4)
Materiality - levels:

• Preliminary judgement of materiality at level of
the overall financial statements (ISA, 320, 7).
• Allocate materiality at level of overall financial
statements to segments - tolerable
misstatement per segment (class of
transactions, account balances, and disclosures)
(ISA, 320, 7).
The assessment of materiality:
• Materiality is relative rather than absolute.
– Bases needed for materiality assessment.
• Both quantitative and qualitative factors affect
materiality (ISA, 320, 5).
• The cumulative effects of errors (ISA, 320, 7).
• Legal & regulatory considerations relating to
particular assertions / disclosures (ISA, 320, 7).
– Different materiality levels may then apply to
different elements of the financial statements.
Enron - Andersen & Materiality
• “While auditing Enron’s 1997 financial results,
Andersen proposed that the energy company
make ‘adjustments’ that would have cut its
annual income by almost 50 percent, to $54
million from $105 million … Enron chose not to
make those adjustments and Andersen put its
stamp of approval on the company’s financial
report anyway.”
(Hilzenrath, D.S., (2001), “Early Warnings of Trouble
at Enron”, The Washington Post, December 30th.)
Enron - Andersen & Materiality
• “In 1997, Enron had taken large nonrecurring
charges. When the company decided to pass these
proposed adjustments, our audit team had to
determine whether the company’s decision had a
material impact on the financial statements. The
question was whether the team should use reported
income of $105 million, or should it also consider
adjusted earnings before items that affect
comparability - what accountants call “normalized”
income?”
(Berardino, J.F., (2001), Remarks before the Committee
on Financial Services of the US Representatives)
Enron Financial Data & Materiality Rules of Thumb

                                              1997      1994-97
                                              $M        $M
5% of net income                              5.25      20.78
10% of net income                             10.50     41.55
1% of total assets                            234.22    161.91
1.5% of total assets                          352.33    242.87
1% of Sales revenue                           202.73    129.34
1.5% of Sales revenue                         304.10    194.01
Conservative blend                            147.40    104.01
Non-conservative blend                        221.98    159.48

5% of net income + 1997 non-recurring loss    28.4      26.56
10% of net income + 1997 non-recurring loss   56.8      53.13
Internal Control
Internal Control:
“ is the process designed and effected by those
charged with governance, management, and other
personnel to provide reasonable assurance about the
achievement of the entity’s objectives with regard to
reliability of financial reporting, effectiveness and
efficiency of operations and compliance with
applicable laws and regulations. It follows that
internal control is designed and implemented to
address identified business risks that threaten the
achievement of any of these objectives.”
(ISA, 315, 42)
Auditor concerns

“The auditor should obtain an understanding
of internal control relevant to the audit. The
auditor uses understanding of internal control
to identify types of potential misstatements,
consider factors that affect the risks of
material misstatements, and design the
nature, timing, and extent of further audit
procedures.”
(ISA, 315, 41)
Elements of Internal Control
• The control environment
• The Entity’s risk assessment
• The information system
• Control activities
• Monitoring of controls
(ISA, 315, 43)
The control environment (ISA 315, 67-69):
• Governance & management philosophy,
attitudes, awareness & action in respect of
controls.
– Communication and enforcement of integrity &
ethical values.
– Methods of imposing control, including board &
internal audit functions.
– Commitment to competence - personnel policies &
practices.
– Organisational structure & methods of assigning
authority & responsibility (including segregation of
duties and supervisory controls).
The Entity’s Risk Assessment Process
“The auditor should obtain an understanding
of the entity’s process for identifying business
risks relevant to financial reporting objectives
and deciding about actions to address those
risks, and the results thereof.”
(ISA, 315, 76)
Information System
“The auditor should obtain an understanding
of the information system, including the
related business processes, relevant to
financial reporting, …”
(ISA, 315, 81)
Control Activities
“The auditor should obtain a sufficient
understanding of control activities to assess
the risks of material misstatements at the
assertion level and to design further audit
procedures responsive to assessed risks.”
(ISA, 315, 90)
Monitoring
“The auditor should obtain an understanding
of the major types of activities that the entity
uses to monitor internal control over financial
reporting, including those related to those
control activities relevant to the audit, and how
the entity initiates corrective action to its
controls.”
(ISA, 315, 96)
Steps to reliance on control
• Preliminary review of accounting system & control environment
• Is reliance on controls potentially possible and efficient?
– NO: Assume high control risk, and move on to planning substantive testing
– YES: Understand & document internal control: design and operation, then assess control risk, then test controls
• Decide planned detection risk and substantive tests
Is reliance on internal control feasible ? –
Relevance to financial statement assertions

• Existence
• Rights & Obligations
• Occurrence
• Completeness
• Valuation & allocation
• Measurement, accuracy & cut-off
• Classification, presentation & disclosure
(ISA, 500, 17)
Transaction Related Assertions & Objectives: Sales

Management assertions        Specific audit objectives
Occurrence                   Recorded sales are for dispatches made to real customers.
Completeness                 All sales transactions are recorded.
Measurement                  Sales are recorded at proper amount and allocated to the correct period.
                             Recorded sales are for the amount of goods dispatched, correctly billed & recorded.
                             Sales transactions are properly classified.
                             Sales transactions are recorded on correct dates.
Presentation & disclosure    Segmental analysis is properly compiled and disclosed.
Understand & document internal
control: design and operation
• Evaluate previous experience.
• Inquiry of client - various levels, note
developments.
• Review client's policy and system
documentation.
• Examine documents & records.
• Observe activities.
• Transaction walk through.
Understand & document internal
control: design and operation

• Narrative.
• Flowchart.
• Internal control questionnaire.
Internal control questionnaire: Sales
Recorded sales are for goods dispatched to
real customers (occurrence):
• Is the recording of sales supported by authorized
dispatch documents and approved customer
orders?
• Is customer credit approved by a responsible
person and is access to alter credit limit files
restricted?
• Is a prenumbered written dispatch note required
before any goods leave store?
Internal control questionnaire: Sales
All existing sales transactions are recorded
(completeness):
• Is a record of dispatches maintained?
• Are dispatch documents controlled in a way that
helps ensure that all dispatches are billed?
• Are dispatch documents prenumbered and
accounted for?
• Are sales invoices prenumbered and accounted
for?
Internal control questionnaire: Sales
Recorded sales are for the amount of goods
dispatched and are correctly billed and
recorded (measurement):
• Is there independent comparison of quantities on
dispatch notes and on sales invoices?
• Is an authorized price list used and is access to
amend the price list restricted?
• Are monthly statements sent to customers?
• Is there independent comparison of dates on
dispatch documents and dates of recorded sales?
Internal control questionnaire: Sales

Recorded sales are correctly classified
(presentation & disclosure):
• Is there independent comparison of sales and
the chart of accounts?

and so on
Assess control risk

• Specify audit objectives.
• Identify specific controls - key controls.
• Identify control weaknesses.
• Assess control risk.
• Report – appropriately.
Tests of controls:

“The auditor selects audit procedures to
obtain assurance about the operating
effectiveness of controls. As planned level of
assurance increases, the auditor seeks more
reliable audit evidence.”
(ISA, 500, 28)
Compliance tests of internal control

• Inquiries at appropriate levels.
• Examine documentation, reports, records.
• Observe activities.
• Re-perform procedures.
Compliance versus Substantive tests

Distinction one of motive.
• Is a control working?
• Is there error in an account balance?
Consider cases of failure of internal control:
• For example, the collapse of Barings Bank (1995):
– Lack of segregation of duties: Leeson (the rogue trader)
controlled both front and back office – dealing and
settlement.
• Internal Audit noted issues in 1994
• External auditors noted problems early 1995
– Personnel selection
– Weak supervision / ethos
• Lack of understanding of business & controls
• Acceptance of excuses / feeble explanations
• High risk-taking incentivized
• Weak IT system (account 88888 & so on)
Consider cases of failure of internal control:
• For example, Equity Funding Corporation of
America (1973).
– Goldblum, inflating revenue and assets to sustain share
price to fuel expansion programme (1965 – 1973):
• 64,000 insurance policies with a face value of $2 billion had
been falsified, sold on under reinsurance arrangements

– Flagrant non-application / failure of ICs


• From top down – including massive collusion
– Auditors didn’t notice (independence compromised)
• had inadequately checked controls
• allowed time for “parties” to create documents!
• Hadn’t even noticed by scale (analytic review)

– 22 people charged
Audit planning – understanding the client
Audit Planning:
• Adequate planning helps to ensure that
appropriate attention is devoted to important
areas of the audit, that potential problems are
identified and resolved on a timely basis and
that the audit engagement is properly
organized and managed in order to be
performed in an effective and efficient
manner.
(ISA, 300, 4)
Audit Planning – stages:

1 Preliminary engagement activities.
2 Understand the entity & its environment - make an
assessment of risks.
3 Develop overall audit plan and program of tests
(compliance & substantive).
1. Preliminary engagement activities
• Establish client's reasons for the audit.
• Consider acceptance & retention.
• Clarify / specify the terms of engagement.
• Staff the engagement.
Consider Acceptance & Retention:

• “the engagement partner should be satisfied
that appropriate procedures regarding the
acceptance and continuance of client
relationships and specific audit engagements
have been followed, and that conclusions
reached in this regard are appropriate and have
been documented.”
(ISA, 220, para.14)
Consider Acceptance & Retention:
New clients issues:
• Communication with predecessor:
– If client refuses permission for existing auditor to
communicate, the audit should be refused.
• Communicate with third parties.
• Excessive risks? (low acceptable audit risk - high fee).

Continuing client issues (consider changes):
• Previous conflicts (on opinion or fees)? - Integrity of
management?
• Independence compromised - law suits, outstanding fees?
• Excessive risk?
Consider Acceptance & Retention:
PwC & client acceptability
• At a simplified level, FRISK determines the
acceptability of clients by reviewing quantitative
information (e.g., Z-scores, credit analyses), qualitative
business information (e.g., company information and
management information), financial-reporting
information (e.g., incentive-plans, controls) and recent
audit results. Together, risks are identified in each of
these areas and sophisticated algorithms, developed
by PwC based on past experience, are used to
determine whether to accept or continue the client.
(Winograd, et.al., (2000))
Clarify/specify the terms of engagement

Obtain an Engagement Letter
“The engagement letter documents and confirms the
auditor’s acceptance of the appointment, the
objective and scope of the audit, the extent of the
auditor’s responsibilities to the client and the form
of any reports.”
(ISA, 210, 5)
Consider staffing of the engagement:

“The engagement partner should be satisfied
that the engagement team collectively has the
appropriate capabilities, competence and time
to perform the audit engagement in accordance
with professional standards and regulatory and
legal requirements, and to enable an auditor’s
report that is appropriate in the circumstances
to be issued.”
(ISA, 220, 19)
Audit Planning – stages:
1 Preliminary engagement activities.
2 Understand the entity & its environment -
make an assessment of risks.
3 Develop overall audit plan and program of tests
(compliance & substantive).
Understand the entity & its environment:

• “The auditor should obtain an understanding of
the entity and its environment, including its internal
control, sufficient to identify and assess the risks of
material misstatement of the financial statements
whether due to fraud or error, and sufficient to
design and perform further audit procedures.”
(ISA, 315, 2)
Understand the entity & its environment:

“The auditor should perform the following risk
assessment procedures to obtain an
understanding of the entity and its environment,
including its internal control:
a Inquiries of management and others within the
entity;
b Analytical procedures; and
c Observation and inspection.”
(ISA, 315, 7)
a. Inquiries of management and others
within the entity:
“Although much of the information the auditor
obtains by inquiries can be obtained from
management and those responsible for financial
reporting, inquiries of others within the entity, such
as production and internal audit personnel, and other
employees with different levels of authority, may be
useful in providing the auditor with a different
perspective in identifying risks of material
misstatement.”
(ISA, 315, 9)
b. Preliminary analytical review

“The auditor should apply analytical procedures as
risk assessment procedures to obtain an
understanding of the entity and its environment and
in the overall review at the end of the audit.
Analytical procedures may also be applied as
substantive procedures.”
(ISA, 520, 2)
b. Preliminary analytical review
Types of analytical procedures
• Compare client & industry data / ratios.
• Compare with prior period data / ratios.
• Compare with client's expected results.
• Compare with auditor estimates / expectations.
• Consider relationships among financial and
relevant non-financial information that would be
expected to conform to a predictable pattern.
• Techniques range from simple comparisons to
complex statistical analysis.
c. Observation and inspection:

“may support inquiries of management and
others, and also provide information about the
entity and its environment.”
(ISA, 315, 11)
Preliminary determination of risks of
material misstatement.

• “The auditor should identify and assess the
risks of material misstatement at the financial
statement level, and at the assertion level
for classes of transactions, account balances,
and disclosures.”
(ISA, 315, 100)
Preliminary determination of risks of
material misstatement.
• “Complete the strategic phase of the audit … :
– Determination of materiality levels.
– Preliminary identification of areas where there may be
high risk of material misstatement.
– Preliminary identification of material components and
account balances,
– Evaluation of where the auditor may plan to obtain
evidence regarding the effectiveness of internal controls.
– Identification of recent significant entity-specific,
industry, financial reporting or other relevant
developments”.
(ISA 300, 9)
The Evolution of Audit
• Transaction based audit.
• Systems audit.
• Risk based audit.
– Understanding the client’s business and industry.
– Identification of audit risks through analytical review.
– Assessment of reliance that can be placed on internal
controls.
– Drawing evidence from a wide variety of sources.
– Focussing audit effort on areas where risks are
greatest.
The Evolution of Audit responsive to:
• Commercial pressures – cost-cutting & “added
value”.
• Legal environment.
• Still in progress:
– Emphasis on client strategic & business risk (as
distinct from narrow focus on audit risk), see
– “The Audit Implosion: regulating risk from the
inside” (Mike Power, 2000).
– The impact of Enron.
The Business risk approach:
• Focus on the Business risk - the risk that the entity
will fail to achieve its objectives:
– profitability, market share, wealth, governance, etc,
• A way of adding value.
• Justifiable because business risk bears on the
financial statements & on audit risk (sometimes only
indirectly of course).
• May increase audit efficiency / profitability.
• May reduce the auditor’s own business /
engagement risk - through improved knowledge of
client viability, etc.
KPMG Business Measurement Process (BMP) Approach

• “Serious thought, formal analysis of an entity’s strategy,
and whether it can be achieved have not been financial
statement audit steps. KPMG’s Business Measurement
Process (BMP) approach makes common this type of
thoughtful analysis. The viability of a business is
formally considered, and it provides a basis for forming
expectations about what should be the financial-statement
balances for the audit period. If an entity has a viable
strategy, reasonable plans, effective internal control,
and account balances that are close to expectations,
then the need for detailed auditing is limited to
exceptional items.”
(Kinney, 1997)
KPMG Business Measurement Process (BMP) Approach

• “Similar to a traditional auditor, the BMP auditor is
concerned about assessing the three components of
audit risk - inherent, control and detection risk. The
BMP auditor, however grounds his judgments in a
much broader view of the client than does an auditor
following a transaction-detail audit approach. He uses
more holistic perspectives to frame the assessment of the
validity of the financial statements taken as a whole, and
the account balances contained therein.”
(Bell, et.al., (1997))
KPMG Business Measurement Process (BMP) Approach

• “The traditional “risk-based” audit focuses the auditor’s
assessment of risk through a narrow “accounting lens” -
a lens that directs his attention and his related assessment
and testing activities, to the nature of account balances,
classes of transactions, and properties of the client’s
accounting system for the purpose of assessing the risk
that financial-statement assertions are materially
misstated. We believe that this disaggregative,
“bottom-up” focus can inhibit the auditor’s
development of the level of business understanding
needed to effectively judge financial-statement
assertions.”
(Bell, et.al., (1997))
KPMG Business Measurement Process (BMP) Approach
“A proposed knowledge acquisition framework for risk-based
strategic-systems audit:
1 Understand the client’s strategic advantage.
2 Understand the risks that threaten attainment of client business
objectives.
3 Understand the key processes and related competencies needed to
realize strategic advantage.
4 Measure and benchmark process performance
5 Document the understanding of the client’s ability to create value
and generate future cash flows using a client business model,
process analyses, key performance indicators, and a business risk
profile.
6 Use the comprehensive business knowledge decision frame to
develop expectations about key assertions embodied in the overall
financial statements.
7 Compare reported financial results to expectations and design
additional audit test work …”
(Bell, et.al., (1997))
The PwC Approach (2000)
• “In today’s environment, an effective audit has to be
knowledge-based and industry-focused. One of the
fundamental concepts of the PwCAA methodology
is to develop a better understanding of our client’s
business by looking at the business through
“management’s eyes.” We seek to understand
management’s business objectives, not just financial
objectives, to increase shareholder value, to identify
the significant risks that may prevent management
from achieving its business objectives and to
identify related controls …”
(Winograd, et.al., (2000))
The Business risk approach:
• Please refer to papers in the special section of
Accounting, Organizations and Society, 2007,
Vol.32, No.4-5.

– “SSA was an appropriate and necessary means
of enhancing audit quality in the 1990s, and it is
all the more so today”
(Peecher et al, AOS, 2007, vol.32, p.464)
The Business risk approach:
• “Bell et al. (2002, p. 8) argue that ‘‘[p]erhaps the most
important principle giving rise to the need for SSA is
the strong relation between RMM and the auditee’s
business risks.’’ … When … business risks increase or
spike, it generally becomes more difficult for entity
management to estimate how to fairly depict select
entity business states within financial-statement
representations. And, at the same time, management
generally faces greater temptation to optimistically
distort their business-state representations. Thus, shifts
in business risks have audit risk implications.”
(Peecher et al, AOS, 2007, vol.32, p.474)
The Business risk approach:
• “Is the Development of SSA an attempt to enhance
auditor’s reputations by ‘‘borrowing’’ prestige from
consultants?”
• “Is SSA an attempt to expand the sale of non-audit
advisory services rather than to improve audit
quality?”
• “Are too few substantive tests of details performed
under SSA?”
• “What do we know about economic (cost)
considerations under SSA?”
(Peecher et al, AOS, 2007, vol.32, p.479-481)
