01 The Risk-Based Audit Process
Audit Approaches
Essentially, there are four (4) different audit approaches:
• The substantive audit approach
• The balance sheet approach
• The system-based approach
• The risk-based approach
The substantive procedures approach. This is also referred to as the vouching approach or the direct
verification approach. In this approach, audit resources are targeted on testing large volumes of
transactions and account balances without any particular focus on specified areas of the financial
statements.
The balance sheet approach. In this approach, substantive procedures are focused on balance sheet
(statement of financial position) accounts, with only very limited procedures being carried out on income
statement/profit and loss account items. The justification for this approach is the notion that if the relevant
management assertions for all balance sheet (statement of financial position) accounts are tested and
verified, then the profit/loss figure reported for the accounting period will not be materially misstated.
The systems-based approach. This approach requires auditors to assess the effectiveness of the
internal controls of an entity, and then to direct substantive procedures primarily to those areas where it is
considered that systems objectives will not be met. Reduced testing is carried out in those areas where it
is considered systems objectives will be met.
The risk-based approach. In this approach, audit resources are directed towards those areas of the
financial statements that may contain misstatements (either by error or omission) as a consequence of the
risks faced by the business.
• However, it is generally accepted that for most entities of size, the risk-based audit approach will
minimize the possibility of audit objectives not being met. Consequently, PSA 315 (Redraft),
Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity
and its Environment, compels auditors to adopt a risk-based approach to audits. In so doing, it
requires auditors to make risk assessments of material misstatements at the financial statement
and assertion levels, based on an appropriate understanding of the entity and its environment,
including internal controls.
• To achieve the overall objectives of the audit, the auditor shall design and perform audit
procedures which enable the gathering of audit evidence. Such evidence will be used as a basis
AUDACA – 01 Handouts
[Figure: Entity prepares and presents financial statements → The auditor performs audit procedures → The auditor gathers audit evidence → The auditor expresses an audit opinion]
The concept of reasonable assurance means that the auditor accepts some level of uncertainty in
performing the audit function. The auditor’s objective is not to eliminate the risk but to reduce the risk to
an acceptably low level by applying effective audit procedures.
When designing substantive tests, the auditor should consider three main issues:
1. What level of assurance does the auditor wish to attain that the financial statements do not
contain material misstatements? (Higher level of assurance = Increase in substantive tests)
2. How susceptible is the account to material misstatement? (Higher inherent risk = Increase in
scope of audit)
3. How effective is the client’s internal control in preventing or detecting misstatements? (More
effective internal control = Decrease in scope of substantive test)
These three issues are the preliminary basis for the development of the audit risk model.
Audit risk refers to the risk that the auditor might give an inappropriate audit opinion on the financial
statements.
Control risk is the risk that a material misstatement that could occur in an account balance or class of
transactions will not be prevented or detected, and corrected in a timely manner by accounting and
internal control systems.
Detection risk is the risk that an auditor may not detect a material misstatement that exists in an
assertion.
This phase will require a decision from the auditor whether or not to accept a new client or continue a
relationship with an existing one. This process would require evaluation not only of the auditor’s
qualification, but also the integrity and auditability of the client’s financial statements.
To adequately address the above items, the auditor is expected to perform the following:
1. Obtain a preliminary knowledge of the client’s business and industry to determine whether the
auditor has the degree of competence required by the engagement.
As prescribed by the Code of Ethics for Professional Accountants, a professional accountant in public
practice should agree to provide only those services that the professional accountant in public practice
is competent to perform. This means that the auditor can only accept engagements whose
requirements are within the auditor’s capacity and capability. To determine whether the auditor has
the degree of competence required by the engagement, the auditor obtains preliminary knowledge of
the client’s business and industry.
2. Consider whether there are any threats to the firm’s independence and objectivity, and if so,
whether adequate safeguards can be established.
Before accepting a specific audit engagement, the auditor considers whether there are any threats to
the firm’s independence and objectivity, and if so, whether adequate safeguards can be established.
Independence in mind – the state of mind that permits the expression of a conclusion without being
affected by influences that compromise professional judgment, allowing an individual to act with integrity,
and exercise objectivity and professional skepticism.
Independence in appearance – the avoidance of facts and circumstances that are so significant that a
reasonable and informed third party, having knowledge of all relevant information, including safeguards
applied, would reasonably conclude a firm, or a member of the assurance team’s integrity, objectivity
or professional skepticism had been compromised.
The Code of Ethics for Professional Accountants requires all members of the audit team to be
independent of the client. The audit team includes members of the engagement team, the firm, and its
network firm/s.
4. Evaluate auditability.
In an audit engagement, the auditor gathers sufficient appropriate evidence to form and express an
opinion as to the fairness of preparation and presentation of the client’s financial statements. For the
auditor to do this, accounting records, documents and other information that supports the client’s
financial statements should be made available to the auditor. The absence of records, documents, and
other information raises significant doubt about the client’s auditability.
Potential threats to integrity or professional behavior may be created from, for example, questionable
issues associated with the client (its owners, management, and activities).
The main objective of this procedure is to minimize the likelihood of being associated with a client whose
management lacks integrity.
The auditor shall perform the following activities at the beginning of the current audit engagement:
1. Perform procedures regarding the acceptance and continuance of the client relationship
and the specific audit engagement.
2. Evaluate compliance with relevant ethical requirements, including independence.
3. Establish an understanding of the terms of the engagement.
Planning is not a discrete phase, but rather a continual and iterative process that often begins shortly after
(or in connection with) the completion of the previous audit and continues until the completion of the
current audit engagement. With this, initial plans may be subjected to changes depending on information
received while performing the engagement.
Risk assessment procedures enable the auditor to identify and assess risks of material misstatements
(RoMMs). To properly identify the RoMMs, the auditor obtains an understanding of the entity, the
applicable financial reporting framework, and the entity’s system of internal control.
Information obtained from performing these risk assessment procedures may be used by the auditor as
evidence to support assessment of risk of material misstatement. In addition, in performing risk
assessment procedures, the auditor may obtain audit evidence about the fair presentation of financial
statements or about the operating effectiveness of internal control even though such procedures were not
specifically planned as substantive tests or tests of control.
The main purpose of performing risk assessment procedures (RAPs) is to enhance the understanding of
the entity in order to specifically identify the applicable further audit procedure (FAP) and to
appropriately respond to the different risks assessed related to the audit.
[Figure: Risk Assessment Procedures → Further Audit Procedures (Test of Controls; Substantive Tests)]
Inquiry
Inquiry consists of seeking information from knowledgeable persons, both financial and nonfinancial, within
the entity or outside the entity. Inquiry is used extensively throughout the audit in addition to other audit
procedures. Inquiries may range from formal written inquiries to informal oral inquiries. Evaluating
responses to inquiries is an integral part of the inquiry process.
• Inquiries directed toward those charged with governance: May help the auditor understand the
environment in which the financial statements are prepared.
• Inquiries directed toward internal audit personnel: May provide information about internal audit
procedures performed during the year relating to the design and effectiveness of the entity’s
internal control and whether management has satisfactorily responded to findings from those
procedures.
• Inquiries of employees involved in initiating, processing, or recording complex or unusual
transactions: May help the auditor to evaluate the appropriateness of the selection and application
of certain accounting policies.
• Inquiries directed toward in-house legal counsel: May provide information about such matters as
litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting
the entity, warranties, post-sales obligations, arrangements (such as joint ventures) with
business partners, and the meaning of contract terms.
• Inquiries directed towards marketing or sales personnel: May provide information about changes in the
entity’s marketing strategies, sales trends, or contractual arrangements with its customers.
Observation
Observation consists of looking at a process or procedures being performed by others, for example, the
auditor’s observation of inventory counting by the entity’s personnel, or of the performance of control
activities.
Inspection
Inspection involves examining records or documents, whether internal or external, in paper form,
electronic form, or other media, or a physical examination of an asset.
Analytical Procedures
Analytical procedures consist of evaluations of financial information made by a study of plausible
relationships among both financial and non-financial data. Analytical procedures also encompass the
investigation of identified fluctuations and relationships that are inconsistent with other relevant information
or deviate significantly from predicted amounts.
PSA requires the auditor to use analytical procedures in the planning and overall review stages of
the audit. In the planning stage of the audit, the application of analytical procedures helps the auditor in
assessing the risk of material misstatements in the financial statements.