Uploaded by loukiaantoniou

Audit Risk Assessment: Business, Inherent, Control, Detection

18/01/2025
AFN417 Advanced Audit and Technology
CHAPTER 9
Risk assessment
Business risk
• Business risk is the risk inherent to the company and its operations
• ISA 315: business risk is a 'risk resulting from:
- significant conditions, events, circumstances, actions or inactions that
could adversely affect an entity's ability to achieve its objectives and
strategies
- setting inappropriate objectives and strategies'
Business risk
1. Financial risk – arising from the financial activities / consequences
of an operation, e.g. cash flow issues or overtrading
2. Operational risk – arising from operational reasons, e.g. the risk
that a major supplier / customer will be lost
3. Compliance risk – arising from non-compliance with laws and
regulations, e.g. a restaurant failing to comply with food hygiene
regulations might face fines, enforced closure, legal action from
customers etc
Business risk
• Directors are required to manage business risks:
- To ensure the company continues in business
- To operate efficiently and cost effectively
• Management may employ an internal audit function to (among other
things) monitor internal control effectiveness or seek external
assistance
Business risk
• Shareholders / investors – business risk affects their potential returns
• Lenders / creditors – similar risk to shareholders, but lower due to
the priority of paying interest before dividends
• Auditors – business risk may also be a risk of misstatement of FS (i.e.
a component of audit risk)
- For example, if threatened with closure, assets’ values may not be
recoverable, new provisions may be needed, and management may
manipulate FS (e.g. to meet covenants)
Audit risk
• ISA 200: audit risk is the risk that the auditor expresses an
inappropriate audit opinion when the FS are materially misstated
• Audit risk = Material misstatement risk (client's risk) x Detection risk
(auditor's risk)
Audit risk
• Audit risk = Material misstatement risk x Detection risk
• Material misstatement risk = Inherent risk x Control risk
• Material misstatement risk is assessed:
1. At the overall FS level (e.g. directors’ integrity,
incompetent / inexperienced accountants)
2. At the assertion level for classes of transactions,
account balances and disclosures
• Judgements about inherent risk and control risk depend on the
understanding of the client's business, systems and controls
Audit risk – Inherent risk
• Inherent risk is the susceptibility of an assertion (about a class of
transaction, account balance or disclosure) to a misstatement that
could be material, either individually or in aggregate, before
consideration of any related controls
• For example:
Inventory's existence is susceptible to material misstatement: in the
absence of internal controls, inventory can be stolen, so the figure in the
FS may become overstated
Audit risk – Inherent risk
• Inherent risk factors can be both quantitative and qualitative:
- Complexity (e.g. terms and arrangements, regulation, accounting
treatment, methodology)
- Change (e.g. economic, accounting, regulatory, industry / market,
geography)
- Subjectivity (e.g. judgemental or limited information)
- Uncertainty (e.g. estimates – lack of knowledge or precision)
- Management bias or other fraud risk
Audit risk – Control risk
• Internal controls are the procedures / measures that management
applies to prevent, or detect and correct potential material
misstatements, reducing control risk
• Control risk is the risk that a material misstatement will not be
prevented, or detected and corrected, on a timely basis by the
entity’s internal controls
Audit risk – Control risk
• Control risk always exists, due to the limitations of internal controls:
- Cost vs benefit
- Routine vs non-routine transactions
- Human error
- Management override or circumvention by collusion
- Changes in procedures
- New transactions / assets / technology requiring changes in controls
- System failures
Audit risk – Control risk
• If the auditor concludes that the entity's controls cannot be relied
upon (i.e. not effective), the risk of material misstatement will be
based on inherent risk alone (i.e. assuming control risk is 100%)
• If the controls are effective, the auditor will carry out tests of
controls, including automated / electronic / IT controls
Audit risk
• Audit risk = Material misstatement risk x Detection risk
• Detection risk = Sampling risk x Non-sampling risk
• Detection risk is the risk that auditor's procedures will not detect a
material (either individually or in aggregate) misstatement
• Under the auditor’s control
Audit risk – Detection risk
• The auditor cannot check everything → audit on a sample basis
• Sampling risk – the risk that the sample is not representative of the
population (resulting in a wrong conclusion)
• Non-sampling risk – risk of a wrong conclusion for other reasons, e.g.:
- Lack of understanding of the client's business (e.g. new client)
- Invalid sampling techniques or inappropriate conclusions from samples
- Failure to investigate a class of assets, liabilities or transactions
- Inappropriate procedures
- Inexperienced / incompetent audit staff / partner
- Time pressure
Audit risk – Detection risk
• To keep audit risk at an acceptable level, the auditor adjusts the
amount of detection work to balance up material misstatement risks:
(a) Material misstatement risk is HIGH
→ More audit work to reduce detection risk – e.g.:
- Include audit team members with necessary experience and skills
- Increase the extent of existing audit tests and / or introduce new
- Increase sample sizes
(b) Material misstatement risk is LOW
→ Less audit work, accepting higher detection risk
Audit risk – Detection risk
Are internal controls effective?
• YES → Tests of controls (usually at interim): Operate as expected? Effective?
  - OK → CR & MMR low → Final audit (accept high DR):
    (i) Less substantive tests:
      - Analytical review
      - Some tests of details
    (ii) Additional tests of controls
  - Not OK → CR & MMR high → Final audit (keep DR low)
• NO → CR & MMR high → Final audit (keep DR low)
• Final audit (keep DR low) – full substantive tests:
  - Primarily tests of details
  - Also analytical review
Audit risk – Detection risk
• ISA 315: For routine transactions with no / little manual intervention
(IT processed), substantive procedures alone do not provide sufficient
appropriate audit evidence → auditor must test controls
• For example:
- In auditing revenue for a telecommunications company recorded by the
system (based on call / data activity), the auditor needs to test relevant
IT controls to determine whether data is captured correctly by the
system
Significant risk
• A significant risk is an identified material misstatement risk:
(a) for which, in the auditor's judgement, the inherent risk is close to the
upper end of the spectrum of inherent risk due to likelihood and / or impact; or
(b) that is deemed to be a significant risk by another ISA
• A combination of high likelihood and magnitude of a potential
misstatement
• Examples where a significant risk may be identified:
- Acquisition and disposal of businesses
- Diversification into new sectors
- Decision to factor receivables
Significant risk
• Significant risk factors / indicators:
- Unusual / one-off transactions, events or conditions
- Subjectivity or differing interpretation in accounting treatment
- High estimation uncertainty
- Complexity in data collection & processing or calculations
- Business changes affecting accounting, e.g. mergers and acquisitions
Interaction of risks
• Business risks, inherent risks and significant risks – exist by nature or
due to circumstances
x
• Control risk – depends on and controlled by the client / management
x
• Detection risk – depends on and controlled by the auditor