RISK- BASED AUDIT APPROACH A.

Designing overall responses and further audit

An audit approach that begins with an assessment of procedures to develop appropriate responses to
the types and likelihood of misstatements in account the assessed risk of material misstatement
balance and then adjusts the amount and type of audit B. Implementing responses to assessed risk of
work, to the likelihood of material misstatements material misstatement to reduce audit risk to
occurring in account balances. an acceptably low level
PHASE II: RISK RESPONSE
RISK-BASED AUDIT VS. ACCOUNT-BASED AUDIT A. Evaluating the audit evidence obtained to
1. In account-based auditing, auditors first obtain determine what additional audit work (if any) is
an understanding of control and assess control required
risk for particular types of errors and frauds in B. Forming an option based on audit findings and
specific accounts and cycles. preparing the audit’s report
2. In risk-based audit, the audit team views all
activities in the organization first in terms of PHASE I-A.
risks to strategies and objectives and then in PERFORMANCE OF PRELIMINARY ENGAGEMENT
terms of management’s plans and processes to ACTIVITIES
mitigate the risk.
At the beginning of the current audit engagement, the
NATURE OF RISK auditor should perform following activities:
a concept used to express uncertainty about events a. Perform procedures required by PSA 220, “Quality
and/or their outcomes that could have a material effect Control of an Audit of Financial Statements” regarding
on the organization. the continuance of the client relationship and the
specific audit engagement.
RISK b. Evaluate compliance with ethical requirements
COMPONENTS OF RISK RELEVANT TO CONDUCTING AN including independence as required by PSA 220.
AUDIT c. Establish an understanding of the terms of
1. Audit Risk - the auditor fails to find material engagement as required by PSA 210.
misstatements in the client’s financial
statements. Purpose: to help ensure that the auditor has considered
2. Engagement Risk- associated with a particular any events or circumstances that may adversely affect
client including loss of reputation, inability of the auditor’s ability to plan and perform the audit
the client to pay the auditor, or financial loss. engagement to reduce audit risk to an acceptably low
3. Financial Reporting Risk- could arise from level.
issues such as asset impairments, mark-to-
market accounting, warranties, pensions, The agreed terms of the audit engagement shall be
estimates, as well as competence and integrity recorded in an audit engagement letter or other
of management and its incentives to misstate suitable form of written agreement shall include:
the financial statements.
4. Business Risk- affect the operations and a. The objective and scope of the audit of the financial
potential outcomes of organizational activities. statements
b. Responsibilities of the Auditor
THE RISK BASED AUDIT PROCESS c. Responsibilities of management
PHASE I: RISK ASSESSMENT d. Identification of the applicable financial reporting
A. Performance of preliminary engagement to framework for the preparation of the financial
decide whether to accept or continue an audit statements
engagement e. Reference to the expected form and content of any
B. Planning the audit to develop an overall audit reports to be issued by the auditor and a statement that
strategy and audit plan there may be circumstances in which a report may
C. Performance of Risk Assessment procedures to differ from its expected form and content.
identify assess risk of material misstatement
through understanding the entity Recurring Audits: the auditor shall assess whether the
circumstances require the terms of the audit
PHASE II: RISK RESPONSE engagement to be revised and whether there is a need
to remind the entity of the existing terms of the audit c. Considering the important factors that will determine
engagement. the focus and direction of the engagement teams’
 If the terms of audit engagement are changed, efforts
auditor and management shall agree on and record d. Considering the results of preliminary engagement
the new terms of the engagement in an activities and, where applicable, whether knowledge
engagement letter or other suitable form of written gained on other engagements performed by the
agreement. engagement partner for the entity is relevant
 If the auditor is unable to agree to a change in e. Ascertaining the nature, timing and extent of
terms, the auditor shall: resources necessary to perform the engagement
a. Withdraw from the audit engagement where
withdrawal is possible under applicable law or Materiality: “Information is material if its omission or
regulation misstatement could influence the economic decisions of
b. Determine whether there is any obligation, either users taken on the basis of the financial statements.
contractual or otherwise. In planning the audit, materiality should be considered
by the auditor when:
PHASE I-B a. Determining the nature, timing and extent of audit
PLANNING THE AUDIT TO DEVELOP AN OVERALL procedures
AUDIT STRATEGY AND AUDIT PLAN b. Identifying and assessing the risks of material
misstatement
PSA 300, “Planning on Audit of Financial Statements c. Determining the nature, timing and extent of further
establishes standards and provides guidance on the audit.
considerations and activities applicable to planning an
audit of financial statements. It states that the auditor Levels of Materiality: Overall and specific materiality
should plan the audit so that the engagement will be
performed in an effective manner. Performance Materiality: used by the auditor to reduce
the risk to an appropriate low level that the
Audit Planning involves the establishment of the overall accumulation of uncorrected and unidentified
audit strategy for the engagement and developing an misstatements exceeds materiality for the financial
audit plan, in order to reduce audit risk to an acceptably statements as a whole or materiality levels established
low level. for particular classes of transactions, account balances,
or disclosures.
Benefits of Audit Planning
a. It helps ensure the that appropriate attention is Relationship between Materiality and Audit Risk
devoted to important areas of the audit. - the higher the materiality leve,the lower the audit risk
b. It aids in identifying potential problems and resolving and vice versa.
them on a timely basis.
c. It helps ensure that the audit is properly organized, Audit Plan: The auditor should develop an audit plan for
managed and performed in an effective and efficient the audit in order to reduce audit risk to an acceptably
manner. low level
d. It assists in the proper assignment and review of the The audit plan shall include a description of:
work of the engagement team members. a. The nature, timing and extent of
e. It helps coordinate the work to be done by auditors planned risk assessment procedures
of components and other parties involved such as b. The nature, timing and extent of
experts, specialists, etc. planned further audit procedures at the
assertion level
Overall Audit Strategy c. Other planned audit procedures that
a. Identifying the characteristics of the engagement that are required to be carried out so that
define its scope the engagement complies with PSAs.
b. Ascertaining the reporting objectives of the
engagement to plan the timing of the audit and the The auditor shall document:
nature of the communication required a. Overall audit strategy
b. Audit plan
c. Any significant changes made during the audit that might indicate matters that have financial
engagement to the overall audit strategy or the audit statements and audit implications.
plan, and the reasons for such changes
Observation and inspection
The auditor shall undertake the ff activities prior to Observation and inspection may support inquiries of
starting an initial audit: management and others, and also provide information
a. Performing procedures required by PSA 220 about the entity and its environment. Such audit
regarding the acceptance of the client relationship and procedures ordinarily include the following:
to specific audit engagement a. Observation of entity activities and
b. Communicating with the predecessor auditor, where operations
there has been a change of auditors, in compliance with b. Inspection of documents
relevant ethical requirements c. Reading reports prepared by management
d. Visits to the entity’s premises and plant
Discussion of Other Critical Matters in Engagement facilities
Planning: e. Tracing transactions through the information
1. Application of Analytical Procedures in Planning system relevant to financial reporting
the audit
2. Establishment of an Engagement or Audit Team II. Understanding the entity and its environment
3. Consideration of Work Performed by Other including its internal control
Auditors/Parties (a) Relevant industry, regulatory, and other external
4. assessment of Going Concern Assumption factors including the applicable financial reporting
5. Identification of Related Parties framework.
6. Client’s Legal Obligations (b) The nature of the entity, including:
7. Preparation of a Time budget (i) Its operations;
8. Assignment of Personnel to the Engagement (ii) Its ownership and governance structures;
9. Scheduling of Work (iii)The types of investments that the entity is making
and plans to make; and
PHASE I-C PERFORMANCE OF RISK ASSESSMENT (iv) The way that the entity is structured and how it is
PROCEDURES TO IDENTIFY/ASSESS RISK OF MATERIAL financed, to enable the auditor to
MISSTATEMENT THROUGH UNDERSTANDING THE understand the classes of transactions, account
ENTITY balances, and disclosures to be expected in the
financial statements.
I. Risk Assessment Procedures and Sources of (c) The entity's selection and application of accounting
Information About the Entity and Its Environment, policies, including the reasons for changes thereto. The
Including its Internal Control auditor shall evaluate whether the entity's accounting
Risk assessment procedures and sources of information, policies are appropriate for gits business and consistent
including its internal control, is a continuous, dynamic with the applicable financial reporting framework and
process of gathering, updating and analyzing accounting policies used in the relevant industry.
information throughout the audit. (d) The entity's objectives and strategies, and those
RISK ASSESSMENT PROCEDURES related business risks that may result in risks of material
The auditor should perform the following risk misstatement,
assessment procedures to provide a basis for the (e) The measurement and review of the entity's
identification and assessment of risk of material financial performance
misstatement of the financial statements and assertion
levels: III. Identifying and Assessing the Risk of Material
a. Inquiries of management and others within Misstatement
the entity The auditor should identify and assess the risks of
b. Analytical procedure material misstatement at the financial statement level,
c. Observation and inspection and at the assertion level for classes of transactions,
account balances, and disclosures.
Analytical procedures: Analytical procedures may be Identifies risks throughout the process of obtaining an
helpful in identifying the existence of unusual understanding of the entity and its environment
transactions or events, and amounts, ratios, and trends
Relates the identified risks to what can go wrong at the control risk. The risk that auditors will not detect the
assertion level misstatement is called detection risk.
Considers whether the risks are of a magnitude that Inherent risk is the susceptibility of an account balance
could result in a material misstatement of the financial or class of transactions to misstatement that could be
statement material, individually or when aggregated with
Considers the likelihood that the risks could result in a misstatements in other balances or classes, assuming
material misstatement of the financial statements there are no related internal controls.

IV. Material Weakness in Internal Control Control risk is the risk that a misstatement, that could
The auditor shall evaluate whether, on the basis of the occur in an account balance or class of transactions and
audit work performed, the auditor has identified a that could be material, individually or when aggregated
material weakness in the design, implementation or with misstatements in other balances or classes, will not
maintenance of internal control. Types of material be prevented or detected and corrected on a timely
weaknesses may include: basis by the accounting and internal control system.
Risks of material misstatement that the auditor Detection risk is the risk that an auditor's substantive
identifies and which the entity has not controlled, or for procedures will not detect a misstatement that exists in
which the relevant control is inadequate. an account balance or class Of transactions that could
A weakness in the entity's risk assessment process that be material, individually or when aggregated with
the auditor identifies as material, or the absence of a misstatements in other balances or classes.
risk assessment process in those cases where it would
be appropriate for one to have been established. (Audit risk = Inherent risk x Control risk x Detection
risk)
V. Documentation Called the audit risk model, auditors use this
The auditor should document: relationship to determine the nature, timing, and extent
(a) The discussion among the engagement team of audit procedures to manage and control audit risk.
regarding the susceptibility of the entity's financial
statements to material misstatement due to error or DISCUSSION
fraud, and the significant decisions reached; Step 1. Determine Planned Audit Risk Plan the audit risk
(b) Key elements of the understanding obtained for each financial statement assertion.
regarding each of the aspects of the entity and its Step 2. Assess Inherent Risk The assessment of inherent
environment risk implies that the auditor attempts to predict where
(c) The identified and assessed risks of material misstatements are most and least 'likely in the financial
misstatement at the financial statement level and at the statement segments.
assertion level as required by paragraph 24 of PSA 315 Step 3. Assess Control Risk if after the auditor has
(Clarified); and obtained an understanding of internal control and
(d) The risks identified and related controls evaluated as concludes that internal controls are completely
a result Of the requirements in paragraphs 26-29 of PSA ineffective, to prevent or detect misstatement, the
315 (Clarified). auditor would assign a high, perhaps 100% (maximum
level) risk factor to control risk.
VI. ASSESSING INHERENT RISK AND CONTROL RISK AT Step 4. Determine Allowable Detection Risk Allowable
THE ASSERTION LEVEL detection risk or Planned detection risk is the amount of
Auditors in designing audits, consider factors that affect risk the auditor can allow for an assertion or a measure
the risk of material misstatements at the financial of the risk that audit evidence for a segment will fail to
statement level and at the assertion level. For each detect misstatements exceeding a tolerable amount,
financial statement account, audit risk consists of the should such misstatements exist.
possibility that:
(1) A material misstatement in an assertion about the AUDIT RISK IN THE SMALL BUSINESS
account has occurred, and Audit Risk in the Small Business The auditor needs to
(2) The auditors do not detect the misstatement. obtain the same level of assurance in order to express
an unqualified opinion on the financial statements of
The risk of occurrence of a material misstatement may both small and large entities.
be separated into two components, inherent risk and
CONSIDERATION OF INTERNAK CONTROL IN A a. the control environment;
FINANCIAL STATEMENT AUDIT b. the entity's risk assessment process;
c. the information system, including the related
PSA 315 (Clarified), "Identifying and Assessing the Risks business processes, relevantto financial reporting, and
of Material Misstatements Through Understanding the communication;
Entity and Its Environment" establishes standards and d. control activities;
provides guidance in obtaining an understanding of the e. monitoring of controls.
accounting and internal control system and on audit risk
and its components: inherent risk, control risk, and Objective of the Study of Internal Control
The auditor should obtain an understanding of the
detection risk.
accounting and internal systems sufficient to plan the
Nature and Purpose of Internal Control audit and develop an effective audit approach. The
auditor should use professional judgment to assess
PSA 315 (Clarified) paragraph 4 (c) defines internal
audit risk and to design audit procedures to ensure it is
control as the process designed and effected by those
reduced to an acceptably low level.
charged with governance, management, and other
personnel to provide reasonable assurance about the Stages of Study and Evaluation of Internal Control
achievement of the entity'sobjectives with regard to
The stages / activities involved in studying and
reliability of financial reporting. Those objectives fall
evaluating internal control are:
into three categories:
A. Obtaining an understanding of the entity's internal
• Reliability of the entity's financial reporting
control structure.
• Effectiveness and efficiency of operations
B. Assessing the preliminary level of control risk.
• Compliance with applicable laws and regulations
C. Obtaining evidential matter to support the assessed
level of control risk.
Internal Control System Defined
D. Evaluating the results of evidential matter.
Internal control system means all the policies and
E. Determining the necessary level of detection risk.
procedures (internal controls)adopted by the
management of an entity to assist in achieving Flowcharting Symbols
management's objective of ensuring, as far as  Input / Output- Indicates the can be used in
practicable, the orderly and efficient conduct of its place of the document symbol when a
business, including adherence to management policies, document first enters the system for (e.g.sales
the safeguarding of assets, the prevention and order from customer. customer remittance,
detection of fraud and error, the accuracy and invoice.)
completeness of the accounting records, and the timely  Process- Indicates the Can be used in place of
preparation of reliable financial information. the document symbol when a document first
Elements of Internal Control enters the system for (e.g.sales order from
customer. customer remittance, invoice.)
Internal control structures vary significantly from one  Cross Flow Lines- If flow lines cross, they are
company to the next. Factors such as size Of the not related
business, nature of operations, the geographical  Annotation- For the addition of comments. May
dispersion of its activities, and objectives of the be connected to a symbol of a flow line.
organization affect the specificcontrol features of an
organization. However, certain elements or features Input/Output symbols
must be present to have a satisfactory System of control
 Punched Card- Using any kind of punched card
in almost any large-scale organization.
in an input/output function
The internal control system extends beyond these  Card Deck- A deck of punched cards.
matters which relate directly to the functions of the  On-line Storage- Using some sort of on-line
accounting system and consists of the following storage (e.g., payroll transaction uploaded ona
components: tape drive under the control of a processing
unit) in a function.
  Off-line Storage- Storage of information or
documents.
 Magnetic Tape-Using magnetic tape in an
input/output function.
 Magnetic Disc- Using magnetic disc in an
input/output function.
 Punched Tape-Using punched paper tape in an
input/output function.

How Adequacy or Inadequacy of Internal Control

Affects Audit Procedures
The primary reason for studying and evaluating internal
control is to provide abasis for relying upon the system
and for determining the extent of year-end substantive
tests to be performed. There is an inverse relationship
between the effectiveness of internal control and the
extent of detailed audit procedures; more effective
systems require less detailed testing.

Furthermore, if additional evidence indicates that there

are irregularities which may materially affect the
financial statements, it may be appropriate for the
auditor to:

l) qualify his opinion or disclaim an opinion

based on an uncertainty
2) consider withdrawing from the engagement
and notifying the board of directors in writing
the reason for the withdrawal.

Documentation of the Assessed Level of Control Risk

The auditor should document in the audit working
papers.

(a) the understanding obtained of the entity's

accounting and internal control systems; and
(b) the assessment of control risk. When control risk is
assessed at less than high, the auditor would also
document the basis for the conclusions.

Communication of Performance, Improvements and

Observations in Internal Control to Management
As a result of obtaining an understanding of the
accounting and internal control systems and tests of
control, the auditor may become aware of weaknesses
in the systems. The auditor should make management
aware, as soon as practical and at an appropriate level
of responsibility, of material weaknesses in the design
or operation of the accounting and internal control
systems, which have come to the auditor’s attention.