Chapter 7: Risk Assessment and Inherent Risk

The Audit Risk Model

Audit Risk: The Risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated

Auditors need to gather enough evidence about the financial statements so that the level of risk is
low enough to draw a reasonable conclusion.

Audit Risk Model – Foundation of all audits - Two Components

1. Risk of Material Misstatement (RMM):

• RMM exists when there is a reasonable possibility of a misstatement occurring or, being
material if it were to occur (it’s likelihood and it’s magnitude)
• RMM exists at two levels:
1) Overall FS level – risks that are pervasive to the financial statements as a whole
and potentially affect many assertions (ie: fraud, internal control deficiencies, a
significant change such as going concern risk)
2) At assertion level - risks that happen at the transaction level and can be easily
traced to specific assertions. (ie: goods being in another currency have an
exchange rate risk specific to cash/AR valuation).
• Two components:
1) Inherent Risk: Assessment of risk before considering internal controls
2) Control Risk: risk that misstatements could occur and not be
prevented/detected by client’s internal controls

2. Detection Risk (DR):

• The risk that audit procedures will fail to detect material misstatements

Audit Risk Model

There is an inverse relationship between [Inherent Risk and Control Risk] and Detection Risk

• If Inherent Risk and Control Risk are low, auditor will set Detection Risk as high, and reduce
reliance on detailed substantive procedures
• If Inherent Risk and Control Risk are high, auditor will set Detection Risk as low, and perform
more detailed substantive procedures

Account/Assertion Risk of Material Misstatement Risk Approach

Audit risk = f Inherent risk Control risk Detection risk Level of Evidence

Low Low High Low

High High Low High

Inherent Risk Assessment

Inherent Risk factors:

1) Complexity - more complex transactions

2) Subjectivity - more judgement used
3) Change - the more changes, the greater risk of error
4) Uncertainty - outcome requires estimation, difficult to predict/measure
5) Susceptibility to management bias/fraud - the greater pressure to produce results, the
greater risk

Identifying and Assessing Overall FS Risks

Overall FS Risks are pervasive to the FS as a whole and can potentially affect many assertions,
auditors need to:
 o Determine whether the risks affect assertion level risk
o Evaluate nature and extent of their pervasive effect on FS

Examples of Overall FS Risks:

• Inexperienced/incompetent accounting staff

• Significant control deficiencies that would allow for management override
• A history of ongoing losses or liquidity issues that may indicate going concern risk
• History of significant errors or misstatements
• Misstatement due to fraud is relevant at the overall FS level (ie: management bias)
• Concern over management integrity

Audit Risk Example

You, CPA, are the external auditor of a new software development firm, Jack and Jill Inc. (J&J), and
you are preparing for the 2022 audit. J&J just finished its second year of operations, and this is its
first time being audited. The company has secured a number of new software contracts, which are
dependent on product completion. It expects the new software will be ready in 2024. J&J is reporting
a loss in its first year and has a heavy debt load. This is normal for a company still in the
development stage. Although the company is only a small outfit, it has heavy involvement and
oversight from its board members. J&J's management has ensured that there is appropriate
segregation of duties among its employees.

Identify the factors that increase or decrease the RMM, categorizing them as control or inherent risk
factors.

Inherent risk factors:

• Not previously audited: The opening numbers have not been scrutinized before and are therefore
more likely to contain errors. This increases RMM
• Heavy debt load and net loss: The company's lenders will be interested in the performance of the
business and its ability to repay its debt. This may put pressure on J&J management to make
results appear more favourable than they actually are. This increases RMM.
• Complex transactions: The company has secured several software contracts, which are dependent
on product completion. The relevant software is not expected to be completed until 2024.
Accounting for these contracts and the software development may be complex. This increases
RMM.

Control risk factors:

• Oversight from board members: Oversight from board members increases the likelihood that
errors or fraudulent activity would be detected. This decreases RMM.
• Segregation of duties: Adequate segregation of duties decreases the risk that employees will
commit fraud or that errors will go undetected. This decreases RMM.
Identifying and Assessing Risk of Material Misstatement at Assertion Level

• First need to determine significant areas (transaction classes, accounts, disclosures)

o Based on inherent risk and materiality:

Identify Significant Risks

• Significant Risks require special attention in the audit.

• CAS 315 provides guidance on matters that may have a higher risk of material misstatement,
and therefore may be a significant risk – these align with the inherent risk factors noted
above
• Two risks that are always defined as Significant Risks:
o Related party transactions outside the normal course of business
o Fraud in the revenue cycle

Risk Response for Levels of Risk

Overall Risk Response

• Assign more experienced staff

• Use experts as needed
• Increase involvement of audit managers and partners
• Closer supervision and review
• Increase elements of unpredictability in selection of procedures

Risk Response at Assertion Level

• Tests of controls
• Substantive testing (Test of Details)

Considering Fraud Risk

The risk of not detecting a material misstatement due to fraud is higher than due to error – why?
Consideration of fraud risk occurs at the Overall FS level and assertion level. CAS 240 outlines four
procedures required to assess fraud risk:

1) Discuss among audit team: share ideas and insights, brainstorm where fraud could occur
2) Inquiries of Management, Those Charged with Governance, and others: inquire as to
whether they have any knowledge of fraud, and their process for assessing fraud risk
3) Evaluate Unusual or Unexpected Relationships identified in Analytics: when differing
from auditor expectations, may indicate material misstatement
4) Use Automated tools and techniques: can perform advanced data analytics

Conditions for Fraud

There are three conditions to be aware of that may facilitate fraudulent reporting and
misappropriate of assets. These are referred to as the fraud triangle.

1) Incentives/Pressures: Management or other staff have incentive or pressure to commit

fraud (ie: bonus based on revenue, pressure to meet market expectations, personal financial
obligations)
2) Opportunities: circumstances provide opportunities for management or staff to commit
fraud (ie: accounts that rely on estimates, high volume of transactions, poor internal
controls, lack of mandatory vacation for key control functions, large cash amounts on hand)
3) Attitudes/Rationalizations: attitude, character, or ethical values that allow management or
employees to rationalize and intentionally commit a dishonest act (ie: poor tone at the top,
excessive focus on maximizing profits, feeling unappreciated/underpaid)

Fraud Risk Example

Blockham & Lug LLP (B&L) recently became the audit engagement firm for At The Barre Inc. (ATB), a
private chain of fitness studios offering barre and introductory ballet classes for adults. You, CPA,
are the audit senior on the engagement, and you are preparing for the 2021 audit.
You have been given the following preliminary information on this new client:

• ATB is seeking an audit for the first time, as it has recently obtained a three-year term loan from
its bank. The bank requires ATB to maintain a return on assets of at least 5% and obtain an annual
audit.

• The loan was obtained during the current fiscal period to help ATB overcome what it believes are
temporary financial difficulties resulting from increased competition in the market. ATB's owner and
founder, Ella Moon, insists that since ATB was one of the first studios of its kind, it will have staying
power over the new competition.

• Ella is normally highly involved in the day-to-day operations of the business, but she was less
present during 2021, as she has been exploring new and different opportunities to grow her
personal brand.

• When asked about controls in place to prevent and detect fraud, Ella was happy to share that
she hired each of ATB's employees herself and she has complete trust in them.

Assess the risk of material misstatement due to fraud.

In assessing the risk of material misstatement due to fraud for the 2021 audit of ATB, I have considered
the following:

• ATB is required to maintain a return on assets of at least 5% as part of a newly obtained bank loan.
Management at ATB may feel pressure to overstate revenues, understate expenses, or understate assets in
order to ensure the covenant set by the bank is met. This increases the risk of material misstatement due
to fraud

• ATB is facing financial difficulties due to new competition that has recently entered the market. ATB
management, again, may feel pressure to commit fraud in order to maintain financing, meet its
obligations, or create the appearance that it is continuing to be successful despite competition. This
increases the risk of material misstatement due to fraud at the OFSL.

• ATB's owner and founder is normally very involved in the company's day-to-day operations. Typically,
this would reduce the risk of fraud, however, during 2021 Ella has been less involved in the oversight of the
company as she pursues other opportunities. This lack of oversight may create an opportunity for
management or other employees to commit fraud without detection. This increases the risk of material
misstatement due to fraud

• While Ella has indicated that she has hired each of her employees and that she trusts them, there is no
indication that there are formal controls in place that could help to prevent or detect fraud. This increases
the risk of material misstatement due to fraud

Conclusion: Based on this analysis I have assessed risk of material misstatement due to fraud as HIGH for
the purposes of the 2021 audit of ATB.
Risk Response for Fraud Risks

When risks of material misstatement due to fraud are identified, auditor must develop response at
three levels:

1) Overall risk response: adjust overall risk response, may incorporate unpredictability
testing, may assign a fraud specialist
2) Response at assertion level: perform audit procedures to response to specific risk
3) Response related to management override: procedures performed in almost all
audits:
a. Examine manual journal entries and other adjustments (ie: “top side”)
b. Review accounting estimates for bias (could be at the high end one year, and low
end the next, in line with a bias)
c. Evaluate rationale for significant unusual transactions (ie: overpaying for
purchase of a capital asset that may not have been necessary)