Risk Based Audit
GENERAL
PURPOSE
1. The audit assurance risk model sets out how the firm obtains overall assurance for the
potential errors for each significant account balance or disclosure.
a. The firm obtains inherent assurance by assessing risk at the potential-error level for
account balances or disclosures for the potential errors for which the firm does not
identify specific risks. Ordinarily, these are potential errors relating to transactions,
account balances, or disclosures that are not associated with one of the risk
factors highlighted.
2. Based on the reasonable conclusions drawn from the audit evidence obtained, the
firm expresses or declines to express in the firm’s audit report an opinion on the fair
presentation of the financial statements.
1. Introduction
1. The firm obtains audit evidence to draw reasonable conclusions on which to base the firm’s audit opinion
by performing audit procedures to:
a. Obtain an understanding of the entity and its environment, including its internal control, to assess
the risks of material misstatement at the financial statement and account balance levels
b. When necessary or if the firm has planned to do so, test the operating effectiveness of controls in
preventing or detecting and correcting material misstatements at account balance level
c. Detect material misstatements at the account balance error level; audit procedures performed
for this purpose are referred to as “substantive procedures” and include tests of details,
substantive analytical procedures, or a combination of the two.
2. Audit procedures to obtain an understanding of the entity and its environment, including its internal
control, to assess the risks of material misstatement at the financial statement and potential-error
levels are referred to as “risk assessment procedures” because some of the information obtained by
performing such procedures may be used as audit evidence to support assessments of the risks of
material misstatement. Risk assessment procedures are a subset of audit procedures.
3. In performing risk assessment procedures, the firm may obtain audit evidence about classes of
transactions, the potential errors for account balances or disclosures, and about the operating
effectiveness of controls, even though such audit procedures were not specifically planned as
substantive procedures or as tests of the operating effectiveness of controls. The firm may also
choose to perform substantive procedures or tests of the operating effectiveness of controls
concurrently with risk assessment procedures because it is efficient to do so.
AUDIT EVIDENCE
1. The information used in arriving at the conclusions on which the audit opinion is based
is audit evidence. Audit evidence includes the information contained in the
accounting records underlying the financial statements and other information.
2. The firm should obtain sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base the audit opinion.
3. Other information that the firm may use as audit evidence includes minutes of
meetings; confirmations from third parties; analysts’ reports; comparable data about
competitors (benchmarking); controls manuals; information obtained by us from such
audit procedures as inquiry, observation, and inspection; and other information
developed by or available to us that permits us to reach conclusions through valid
reasoning.
4. Sufficiency is the measure of the quantity of audit evidence. Appropriateness is the
measure of the quality of audit evidence; that is, its relevance and its reliability in
providing support for the potential errors related to account balances or disclosures or
detecting misstatements in account balances or disclosures.
BENEFITS
POLICY
1. The firm should comply with the ethical standards applicable to the audit
engagement as required by ISA
2. The firm should plan and perform the audit to reduce audit risk to an
acceptably low level using the reliance factor.
ACTIVITIES
3. Planning is a continual and iterative process that often begins shortly after
(or in connection with) the completion of the previous audit and continues
until the completion of the current audit engagement. However, in
planning an audit, the firm considers the timing of certain planning activities
and audit procedures that need to be completed prior to the performance
of further audit procedures.
RISK-BASED APPROACH
1. The firm should plan and perform the audit to reduce audit risk to an
acceptably low level that is consistent with the objective of an audit. The
firm reduces audit risk by designing and performing audit procedures to
obtain sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base an audit opinion.
Reasonable assurance is obtained when the firm has reduced audit risk to
an acceptably low level. The audit assurance model sets out how the firm
obtains overall assurance for the potential errors for each significant
account balance or disclosure and assists us in planning and performing
the audit engagement to reduce audit risk to an acceptably low level.
3. As part of the firm’s pre-engagement activities, the firm assesses engagement risk. The firm’s
assessment of engagement risk is based on a combination of the firm’s assessment of the
risk resulting from (1) the firm’s association with the client or prospective client, (2) the audit
engagement, and (3) the financial statements as a whole.
5. When the firm assesses risk at the potential-error level for an account balance or
disclosure, the firm seeks to specifically identify the potential errors for significant
account balances or disclosures that have an increased risk of material misstatement.
For the potential errors for account balances or disclosures for which the firm has
identified a specific risk, the firm assesses inherent risk as high and takes no inherent
assurance when planning the scope of the firm’s work.
6. The audit plan for a potential error for an account balance or disclosure for
which the firm has identified a specific risk will involve one of the following:
FOCUS ON QUALITY
ii. In managing risk and developing and executing the audit plan, the audit
Engagement Partner and other engagement management are the key
decision makers and main influences on the firm’s approach. Timely
involvement of engagement management in the key stages of the audit
engagement is essential to optimizing the effectiveness and efficiency of
planning and performance of the audit engagement.
2. The firm considers the potential for management override of controls and
recognizes the fact that audit procedures that are effective for detecting
error may not be appropriate in the context of an identified risk of material
misstatement due to fraud. The distinguishing factor between fraud and
error is whether the underlying action that results in the misstatement of the
financial statements is intentional or unintentional.
4. Owing to the inherent limitations of an audit and internal control, there is a possibility
that material misstatements resulting from fraud and, to a lesser extent, error may not
be detected. Because fraud usually involves acts designed to conceal it, the risk of
not detecting a material misstatement resulting from fraud is greater than one resulting
from error. Furthermore, the risk of not detecting a material misstatement resulting
from management fraud is greater than for employee fraud, because management is
frequently in a position to directly or indirectly manipulate accounting records and
present fraudulent financial information.
DOCUMENTATION
1. The audit working papers are the property of the Member Firm performing the audit
and support the firm’s audit report. They are not part of, nor a substitute for, the entity’s
accounting records. Although the amount of documentation required varies, the
working papers need to provide evidence that the work has been performed in
accordance with firm policies.
a. Standard index
b. Forms that support the following:
1. Every audit engagement should be under the control and supervision of an audit
Engagement Partner to whom responsibility for the conduct of the audit
engagement in accordance with the policies in the Manual, the applicable
professional standards and regulatory and legal requirements is assigned.
3. The effectiveness with which the audit engagement is managed will be improved if
each person involved has a clear understanding of the respective roles and
responsibilities of each member of the engagement team. The division of
responsibilities discussed in this policy needs to be regarded as a guide only. Roles
will vary in practice depending on the nature, size, and complexity of the entity’s
operations.
TEAMWORK
POLICY
DOCUMENTATION
i. In managing the audit engagement, the firm would normally document the
following:
INTRODUCTION
An explanation of the purpose and scope of the ISA, including how the ISA relates
to other ISAs, the subject matter of the ISA, specific expectations on the auditor
and others, and the context in which the ISA is set.
OBJECTIVES
DEFINITIONS
A description of the meanings attributed to certain terms for purposes of the ISAs. These are provided to assist
in the consistent application and interpretation of the ISAs. They are not intended to override definitions that
may be established for other purposes, such as those contained in laws or regulations. Unless otherwise
indicated, these terms carry the same meanings throughout the ISAs.
REQUIREMENTS
This policy outlines the specific auditor requirements. Each requirement contains the word “shall.”
The application and other explanatory material provides further explanation of the requirements of an ISA,
and guidance for carrying them out. In particular, it may:
While such guidance does not in itself impose a requirement, it is relevant to the proper application of the
requirements of an ISA. The application and other explanatory material may also provide background
information on matters addressed in an ISA.
3. Audit Diagram
ACTIVITIES
The firm’s audit approach consists of the following activities:
AUDIT PLANNING
• ISA 220 runs in collaboration with ISQC 1 ‘Quality Control for Firms that Perform Audits and
Reviews of Financial Statements, and Other Assurance and Related Services Engagements’.
• ISA 220 requires the firm to establish and maintain a system of quality control to provide it
with reasonable assurance that:
(a) the firm and personnel comply with professional standards and applicable legal and
regulatory requirements; and
(b) the reports issued by the firm or engagement partners are appropriate in the
circumstances.
• The engagement partner takes full responsibility for the audit and overall quality control.
• Engagement partners must take appropriate action where there is evidence that members
of the engagement team have not been complying with applicable ethical requirements.
• In recurring audits, the engagement partner must consider any information that would have
caused the firm to decline the audit engagement had that information been available at
the time.
• Control environment
• Risk assessment
• Information and communication
• Monitoring controls
• Control Activities
1. Preliminary planning starts with the Engagement Partner holding a strategic planning meeting with
the audit team members. To effectively plan the engagement, an understanding is required of the:
• Some laws and regulations have a direct effect on the financial statements. Others may
not have a direct effect on the financial statements but may directly affect the conduct of
the entity's business, for example Health and Safety at Work legislation.
• Laws and regulations need to be considered because a breach in such could result in fines
or other consequences which may have a material effect on the financial statements.
• Responsibility for compliance with laws and regulations rests with management and those
charged with governance.
• The auditor shall discuss with management and, where applicable, those charged with
governance any suspected acts of non-compliance with laws and regulations.
• Any acts of non-compliance between management and those charged with governance
must be notified to the next higher level of authority. Where no higher level of authority
exists legal advice must be sought.
• A qualified or adverse opinion is expressed if the act of non-compliance with laws and
regulations has a material effect on the financial statements which has not been reflected
within those financial statements.
• A qualified, or disclaimer of, opinion will be expressed by the auditor if the auditor is unable
to obtain sufficient and appropriate audit evidence to evaluate whether non-compliance
that may be material to the financial statement has occurred.
• If the auditor encounters situations giving rise to a limitation on the scope of the audit work,
the auditor shall evaluate the effect of such a scope limitation on the audit opinion.
• Risk features heavily in auditing and one of the primary functions of audit is to reduce risk to
an acceptable level.
• Auditors can gather sufficient and appropriate audit evidence through substantive
procedures and control tests.
• All audit procedures must be responsive to the assessed levels of risk.
• Detailed tests of control in recurring audits should be undertaken at least every third audit,
but auditors shall consider other relevant factors when considering the time period that
should elapse before further detailed testing.
• Substantive procedures include analytical procedures and tests of detail.
• Audit procedures generate the audit evidence; audit procedures in themselves are not
audit evidence.
• The risk assessment must be modified if information comes to the auditor's attention which
the auditor was not previously aware of.
• Audit evidence must be evaluated for sufficiency and appropriateness to determine if the
evidence reduces the risk of material misstatement to an acceptably low level.
PERFORM PRELIMINARY PLANNING
Measurement
Percentage
b. Calculate Materiality
Measurement Benchmark Amount (from Step 1b) x Percentage (from Step 1a) = Materiality Amount
High 15%
Medium 30%
Normal 40%
X =
2. The following ISA should be considered in the assess risk and establish materiality activities:
• Information is material if its omission or misstatement could influence the economic decisions
of users taken on the basis of the financial statements. Materiality depends on the size of the
item or error judged in the particular circumstances of its omission or misstatement. Thus
materiality provides a threshold or cut-off point rather than being a primary qualitative
characteristic which information must have if it is to be useful.
In assessing acceptable audit risk, the auditors may accept some level of risk in
performing the audit. An effective auditor recognizes that risks exist, are difficult to
measure, and require careful thought to respond. Consequently, responding to risks
properly is critical to achieving a high-quality audit.
Auditors gain an understanding of the client’s business and industry and assess client
business risk. The auditors use the audit risk model to further identify the potential for
misstatements and where they are most likely to occur. Furthermore, the auditor should
decide engagement risk and use that risk to modify acceptable audit risk. The
engagement risk closely relates to client business risk.
The method to assess acceptable audit risk can be described in the following table:
The auditors can change the audit to respond to risks in two ways: (a) the
engagement may require more experienced staff, and (b) the
engagement will be reviewed more carefully than usual.
The firm’s methodology for designing control and substantive testing is as follows:
The audit risk model is used to determine Plan Detection Risk (PDR):
AR = DR x IR x CR
Reliability Factors
The firm uses the Reliability Factor (R factor) to set Plan Detection Risk (PDR). The risk
factor tables are as follows:
Note:
LOA = Level of Assurance
CF = Confidence Factor
DEVELOP AUDIT PLAN
Case 1
If the auditor believes that Inherent Risk (IR) is High and Control Risk (CR) is also High (Control Risk
at the maximum), but the Audit Risk (AR) is set at 5%, what Reliance Factor should be
applied?
Answer:
Plan Detection Risk (PDR) = AR / (IR x CR) = 0,05 / (1 x 1) = 0,05 (5%)
R = 3 (see table Risk Factor)
Case 2
If the auditor believes that Inherent Risk (IR) is High but Control Risk (CR) is Low (the auditor believes
that the control is effective, or Control Risk is below the maximum), and Audit Risk (AR) is set at 5%,
what Reliance Factor should be applied?
Answer:
Plan Detection Risk (PDR) = AR / (IR x CR) = 0,05 / (1 x 0,45) = 0,11 (11%)
R = 2,3 (see table Risk Factor)
Case 3
If the auditor believes that Inherent Risk (IR) is Low, but Control Risk (CR) is High (the auditor
plans not to rely on controls; Control Risk is at the maximum), and Audit Risk (AR) is set at 5%,
what Reliance Factor should be applied?
Answer:
Plan Detection Risk (PDR) = AR / (IR x CR) = 0,05 / (0,31 x 1) = 0,16 (16%)
R = 1,8 (see table Risk Factor)
Case 4
If the auditor believes that Inherent Risk (IR) and Control Risk (CR) are both Low (the auditor believes that
the control is effective, or Control Risk is below the maximum), and Audit Risk (AR) is set at 5%, what
Reliance Factor should be applied?
Answer:
Plan Detection Risk (PDR) = AR / (IR x CR) = 0,05 / (0,31 x 0,31) = 0,5 (50%)
R = 0,7 (see table Risk Factor)
2. If the firm tests the operating effectiveness of a control, the firm should obtain
audit evidence about the accuracy and completeness of any information
produced by the entity that we use in performing audit procedures.
PERFORM AUDIT PLAN
Performing the audit plan consists of several activities, as follows:
3. During the course of the audit, the auditor should consider specific fraud
procedures such as: (i) responses to the risk of management override, (ii)
appropriateness of journals, (iii) review of estimates for bias, and (iv)
significant and unusual transactions.
1. In the conduct of the audit, the auditor should perform a Financial Statement Review for
2. If, after the date of our audit report but before the financial statements are issued, we become
aware of a fact that may materially affect the financial statements, we normally document the
following:
1. The firm should obtain audit evidence that management (1) acknowledges its responsibility for the
fair presentation of the financial statements in accordance with the applicable financial reporting
framework and (2) has approved the financial statements. These representations are normally
made and dated on the same date as our audit report on the financial statements.
2. The firm should obtain a written representation from management regarding the completeness of
information provided regarding the identification of related parties and the adequacy of related
party disclosures in the financial statements.
3. The firm should review the response of each of the entity’s legal counsel to whom our inquiry letters
were sent to determine if:
4. The firm should attempt to resolve them or, failing to do so, should consider the effect on our audit
report.
CONCLUDE AND REPORT
2. In preparing our audit summary memorandum, the firm normally also documents the
following:
ENGAGEMENT REPORTING
1. The firm should document communications about fraud made to management, those charged with
governance, regulators, and others.
• The auditor must consider whether the two-way communication process has been adequate to
enable an efficient audit.
• Laws and regulations may prevent communication of specific matters by the auditor. In such
cases the auditor may consider legal advice.
• The auditor shall communicate their responsibilities in relation to the audit of the financial
statements. The auditor shall communicate the planned scope and timing of the audit.
• Significant findings from the audit must be communicated to those charged with governance,
including any significant difficulties or any other significant matters.
• Additional matters are required to be communicated to those charged with governance in
respect of listed clients.
• Communication can be made orally or in writing, but must be made on a timely basis. The
auditor shall communicate to those charged with governance:
a) Qualitative aspects of the entity's accounting practices and financial reporting.
b) Significant difficulties, if any, encountered during the audit.
c) Significant matters, if any, discussed, or subject to correspondence with management.
d) Written representations the auditor is requesting.
e) Other significant matters.