AUDITING: A RISK

ANALYSIS APPROACH
5th edition

Larry F. Konrath

Electronic Presentation
by Harold
O. Wilson
1
CHAPTER 5

AUDIT PLANNING:

2
KEY CONCEPTS OVERVIEW
■ Audit Risk: Inherent risk, Control risk,
Detection risk
■ Quantifying audit risk
■ Materiality modeling
■ Fraud “warning signs”& clues
■ Audit planning
■ Analytical procedures

3
 LEARNING
OBJECTIVES
■ Define audit risk & its components
■ Quantify audit risk (joint probability of
components
■ Discuss materiality (quantitative and
qualitative aspects)
■ Relate inherent risk to audit planning,
analytical procedures, warning signs &
fraud, and client acceptance
■ Relate risks to audit programs & evidence
4
AUDIT RISK DEFINED
■ Audit Risk: The risk that the
auditor may unknowingly fail to
appropriately modify his/her
opinion on financial statements
that are materially misstated.

5
Material Misstatements (MM)
■ Errors: Unintentional mistakes of omission
or commission (e.g., improper data
processing , unrecorded transactions).
■ Irregularities (fraud): Intentional
omissions or commissions leading to
misstatements and/or misrepresentations
(e.g., improper reporting,
misappropriations of assets, concealments,
falsified documents).
6
Professional Responsibility
■ Audit design must provide reasonable
assurance of detecting MM.
■ Risk & materiality must be considered
in planning and evaluating the
audit.
■ Assessment of the risk of MM must
be made (and documented).

7
Auditor must …
■ Assess risks & potential areas of both
unintentional and intentional MM.
■ Document responses to such (e.g.,
revisions of audit programs).
■ Perform tests; evaluate results.
■ Communicate conclusions to audit
committees, etc., as considered
necessary.
Never communicate such to just one person!
8
 INHERENT RISK (IR)
■ Inherent risk: The susceptibility of an
assertion to being a MM, assuming that
there are no related controls.
■ If there were no internal controls, i.e., the
only variables were the competence and
integrity of personnel, the odds of a MM
would appear to be quite high!
■ Conservative approach: Assess IR as 100%!

9
 CONTROL RISK (CR)
■ Control risk: The probability of the
occurrence of a MM (i.e., a lack of
prevention) and remaining undetected on
a timely basis by the entity’s internal
controls. (The odds that the prescribed”
internal controls fail to work!)
■ Together, IR and CR determine the pre-
audit probability that the financial
statements are materially misstated!
10
A note on Control Risk

An extensive IC system reduces the

probability of MM; thus, the presumption is
that the more extensive the controls, the
less the audit testing needed to reach the
professional, but unofficial, required level
of “95% confidence” in the
fairness of the financial statements.

11
A note on Control Risk

Initially, CR is subjectively assessed based

on prescribed internal controls. As the
audit testing progresses, CR is revised (either
statistically or subjectively) as the auditor
evaluates the extent and effectiveness of the
internal controls. [If the control risk is
high, say over 45%, perhaps the client is not
yet ready to be audited! Rework needed?]
12
 DETECTION RISK (DR)
■ Detection risk: The probability that the
auditor fails to detect a MM that exists in
an assertion.
■ DR determines exact audit procedures and
the sample sizes selected in the auditor’s
attempt to ascertain the “state of the
universe” under examination.
■ Auditors should attempt to quantify IR, CR
and DR, i.e., audit risk (AR).
13
 QUANTIFYING AUDIT
RISK

Audit risk (AR) : The joint probability of

IR, CR and DR:

AR = IR x CR x DR
The acceptable, but unofficial, risk level for an
auditor to take is presumed to be “about 5%.”
If so, the product of the above should be .05 or
less. Note: To keep AR < 5% may be either
impractical or uneconomical in a given case.
14
Example
Assume AR = .05 (“required” in a specific case)
IR = 1.00 (“ultra-conservative”)
CR = .30 (initially seen as “weak”)

AR = IR x CR x DR
The Detection Risk becomes the variable
now controllable by the auditor, and it, in turn,
is a function of a controllable sample size!
15
Maximum Allowable
Detection Risk = f(AR, IR, CR)
DR = AR / (IR x CR) =
.05 / (1.0 x .30) =
.17
The auditor, in selecting a sample size, must
test until DR = .17 or less, using some form of
statistical sampling mathematics. [To test
beyond that point is “overauditing.”]

16
MATERIALITY and its IMPACT
ON AUDIT EVIDENCE
■ Materiality: An amount … that would
affect the decisions of a reasonably
informed user of the [information].
■ Quantitative Factors (absolute amount,
impacts on interpretations, ratios, etc.)
■ Qualitative Factors (nature, impact,
intent, industry, legalities, ethics, etc.)
■ Suggesting AJEs to the client in light of
materiality thresholds & aggregates!
17
MATERIALITY and its IMPACT
ON AUDIT EVIDENCE
■ Materiality is constant in auditor’s mind.

■ “Compared to…” is linked to net income

and to total assets.
■ “Expecting” many errors (weak controls)
prompts a low “aggregate materiality”
threshold.
■ If errors are “rampant,” a small sample
should disclose such. 18
AUDIT RISK, AUDIT EVIDENCE
and MATERIALITY
■ Professional skepticism: a questioning
attitude, prompting a critical assessment
of audit evidence.
■ The sleuth’s “But what if…” applies to
auditing, often viewing the dark side
creatively. [Could this document have
been faked?]
■ “Projected” misstatements, not just
“discoveries,” should be emphasized.
19
ANALYSIS OF
INHERENT RISK
■ Auditor suspicions of intent to have
misleading financial reporting or asset
misappropriations (i.e., fraud) is an
overall influence on the IR assessment.
■ Industry complexity or uncertainty also
influences audit planning & programs.
■ Careful interviewing may give clues to
client attitudes, pressures, problems,
contingencies, high risk areas.
20
Notes on Inherent Risk
■ Studiesof the business, the industry,
the economy, and/or the client may
lead to declining the engagement.
■ Losing confidence in the client should
lead to withdrawal from the
engagement.
Note: Clients are not likely to be inconsistent with
their industry!
21
Clues from cases…are there…
■ Inordinate third-party dealings, pressures?
■ Unusual sales of receivables?
■ “Gloomy” industry trends (e.g., layoffs)?
■ “Gloomy” trends in client’s customers?
■ High-tech with low assets?
■ Cycles of mergers, seasons, finances?
■ High fixed costs and low adaptability?
■ Unique industries, unique scenarios?

22
Clues from cases…
■ Abnormal ratios & trends?
■ Complications with taxes, IRS?
■ Unusual accounting/GAAP applications?
■ International competition, complications?
■ Inordinate contingencies, lawsuits?
■ Unusual inventory changes, problems?
■ Unusual changes in personal (actual,
pending)?
23
RISK ANALYSIS SOURCES
Although evidence and clues emerge as the
audit progresses, sources of inputs for
audit attention are ever-present, such as…
■ Management inquiry
■ Auditor’s current and prior workpapers
■ Permanent files
■ Predecessor audit correspondence, contact
■ Analytical procedures
■ Industry guides/GAAP

24
 Detection of MM should
prompt ...
■ Request for client to correct; auditor’s
suggested AJEs.
■ Consideration of extent and nature of risk
of more of the same
■ Revision(s) in current and future audit
program(s).
■ Management Letter comments to improve
controls and/or surveillance.
■ Consideration of impact on audit report.

25
RISK ANALYSIS &
AUDIT PROGRAMS
Professional Standards require specific
assessment of risk of MM and specific
audit procedures (alterations from
standard programs) as risk requires it.
■ The pre-sampling calculation of the Detection
Risk formula will influence the sample sizes
(i.e., testing).
■ Potential for deliberate MM must trigger
deliberate, maybe unique, audit procedures
(i.e., substantive testing)!
26
 n=? FAQ?
What is the difference in substantive testing
and tests of controls, i.e., tests of transactions?

■ Tests of Controls: audit procedures designed

to assess the ability of internal controls to
prevent and/or detect MM.
■ Substantive Tests: audit procedures designed
to detect MM or identify accounts likely to
contain MM.
27
Note: Time Budgets & Staffing
Experience is required to estimate when an overall
opinion might be reached, after a pre-audit
conference with the client, in light of the nature
of the client, and…
■ Inherent risks & fraud potential
■ Prescribed internal controls
■ Prior audit results, timing, etc.
■ Experience of the staff & expertise required
■ Scheduling demands of various types
■ Fairness to the client, in light of the above

28
Critical Terms Review
■ Audit design ■ Professional
■ Aggregate skepticism
materiality ■ Time budgets & fees
■ Audit risk analysis ■ Warning signs
■ Inherent risk ■ Errors
■ Control risk
■ Fraudulent financial
■ Detection risk
reporting
■ Materiality
thresholds
■ Misappropriations
■ Misrepresentations
29
End of Chapter 5

30