
Chapter 1

OVERVIEW OF THE RISK-BASED AUDIT PROCESS

Learning Objectives

After studying this chapter, you should be able to:

• Describe the nature of auditing.
• Describe the objectives of the Independent Auditor and conduct of
an Audit in accordance with Philippine Standards on Auditing.
• Distinguish between the risk-based audit process and the account-based
process.
• Describe the activities in the risk-based audit process.
• Explain the factors to consider in implementing the Audit Risk
Model.
• Explain the limitations of the Audit Risk Model.

Auditing Defined

Auditing is a systematic process by which a competent, independent person objectively
obtains and evaluates evidence regarding assertions about economic actions and events to
ascertain the degree of correspondence between those assertions and established criteria and
communicates the results to interested users.

Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with Philippine Standards on Auditing (PSA 200)

Introduction

The Philippine Standard on Auditing (PSA) establishes the independent auditor’s overall
responsibilities when conducting an audit of financial statements. Specifically, it sets out the overall
objectives of the independent auditor, and explains the nature and scope of an audit designed to
enable the independent auditor to meet those objectives. It also explains the scope, authority and
structure of the PSAs, and includes requirements establishing the general responsibilities of the
independent auditor applicable in all audits, including the obligation to comply with the PSAs.

In conducting an audit of financial statements, the overall objectives of the auditor are:

(a) To obtain reasonable assurance about whether the financial statements as a whole are free
from material misstatement, whether due to fraud or error, thereby enabling the auditor to
express an opinion on whether the financial statements are prepared, in all material respects,
in accordance with an applicable financial reporting framework; and

ACCOUNTING 14 1
(b) To report on the financial statements, and communicate as required by the PSAs, in
accordance with the auditor’s findings.

The purpose of an audit is to enhance the degree of confidence of intended users in the financial
statements. This is achieved by the expression of an opinion by the auditor on whether the
financial statements are prepared, in all material respects, in accordance with an applicable
financial reporting framework. In the case of most general-purpose frameworks, that opinion is
on whether the financial statements are presented fairly, in all material respects, in accordance
with the framework. An audit conducted in accordance with PSAs and relevant ethical requirements
enables the auditor to form that opinion.

An audit of financial statements is an assurance engagement, as defined in the Philippine
Framework for Assurance Engagements. The Framework defines and describes the elements and
objectives of an assurance engagement. The PSAs apply the Framework in the context of an
audit of financial statements and contain the basic principles and essential procedures, together
with related guidance, to be applied in such an audit.

Ethical Requirements Relating to an Audit of Financial Statements

The auditor should comply with relevant ethical requirements relating to audit engagements.

As discussed in PSA 220, “Quality Control for an Audit of Financial Statements,” ethical
requirements relating to audits of financial statements ordinarily comprise Parts A and B of the
Code of Ethics for Professional Accountants in the Philippines (Ethics Code) issued by the
Philippine Institute of Certified Public Accountants and adopted and promulgated by the Board
of Accountancy. PSA 220 (Clarified) identifies the fundamental principles of professional ethics
established by Parts A and B of the Ethics Code and sets out the engagement partner’s
responsibilities with respect to ethical requirements. PSA 220 recognizes that the engagement
team is entitled to rely on a firm’s systems in meeting its responsibilities with respect to quality
control procedures applicable to the individual audit engagement (for example, in relation to
capabilities and competence of personnel through their recruitment and formal training;
independence through the accumulation and communication of relevant
independence information; maintenance of client relationships through acceptance and
continuance systems; and adherence to regulatory and legal requirements through the monitoring
process), unless information provided by Quality Control (PSQC) 1, “Quality Control for Firms
that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related
Services Engagements,” requires the firm to establish policies and procedures designed to
provide it with reasonable assurance that the firm and its personnel comply with relevant ethical
requirements.

Conduct of an Audit of Financial Statements

The auditor should conduct an audit in accordance with the Philippine Standards on Auditing.

PSAs contain basic principles and essential procedures together with related guidance in the
form of explanatory and other material, including appendices. The basic principles and essential
procedures are to be understood and applied in the context of explanatory and other material that
provides guidance for their application. The text of a whole Standard is considered in order to
understand and apply the basic principles and essential procedures.

In conducting an audit in accordance with PSAs, the auditor is also aware of and considers
Philippine Auditing Practice Statements (PAPSs) applicable to the audit engagement. PAPSs
provide interpretive guidance and practical assistance to auditors in implementing PAPS needs to
be prepared to explain how the basic principles and essential procedures in the Standard
addressed by the PAPS have been complied with.

The auditor may also conduct the audit in accordance with both ISAs and PSAs. However, there
are currently no fundamental differences between the IAASB pronouncements and
corresponding requirements issued by the AASC and no such differences are expected in the
future.

Scope of an Audit of Financial Statements

The term “scope of an audit” refers to the audit procedures deemed necessary in the
circumstances to achieve the objective of the audit. In determining the audit procedures to be
performed in conducting an audit in accordance with Philippine Standards on Auditing, the auditor
should comply with each of the Philippine Standards on Auditing relevant to the audit.

The auditor should not represent compliance with Philippine Standards on Auditing unless the
auditor has complied fully with all of the Philippine Standards on Auditing relevant to the audit.
The auditor may, in exceptional circumstances, judge it necessary to depart from a basic
principle or an essential procedure that is relevant in the circumstances of the audit, in order to
achieve the objective of the audit. In such a case, the auditor is not precluded from representing
compliance with PSAs, provided the departure is appropriately documented as required by PSA
230 (Clarified), “Audit Documentation.”

Professional Skepticism

The auditor should plan and perform an audit with an attitude of professional skepticism
recognizing that circumstances may exist that cause the financial statements to be materially
misstated.

An attitude of professional skepticism means the auditor makes a critical assessment, with a
questioning mind, of the validity of audit evidence obtained and is alert to audit evidence that
contradicts or brings into question the reliability of documents and responses to inquiries and
other information obtained from management and those charged with governance. For example,
an attitude of professional skepticism is necessary throughout the audit process for the auditor to
reduce the risk of overlooking unusual circumstances, of overgeneralizing when drawing
conclusions from audit observations, and of using faulty assumptions in determining the nature,
timing and extent of the audit procedures and evaluating the results thereof. When making
inquiries and performing other audit procedures, the auditor is not satisfied with less-than-
persuasive audit evidence based on a belief that management and those charged with governance
are honest and have integrity. Accordingly, representations from management are not a substitute
for appropriate audit evidence to be able to draw reasonable conclusions on which to base the
auditor’s opinion.

Reasonable Assurance

An auditor conducting an audit in accordance with PSAs obtains reasonable assurance that the
financial statements taken as a whole are free from material misstatement, whether due to fraud
or error. Reasonable assurance is a concept relating to the accumulation of the audit evidence
necessary for the auditor to conclude that there are no material misstatements in the financial
statements taken as a whole. Reasonable assurance relates to the whole audit process.

An auditor cannot obtain absolute assurance because there are inherent limitations in an audit
that affect the auditor’s ability to detect material misstatements. These limitations result from
factors such as the following:

• The use of testing.
• The inherent limitations of internal control (for example, the possibility of management
override or collusion).
• The fact that most audit evidence is persuasive rather than conclusive.

Also, the work undertaken by the auditor to form an opinion is permeated by judgment,
particularly regarding:

(a) The gathering of audit evidence, for example, in deciding the nature, timing and extent of
audit procedures; and

(b) The drawing of conclusions based on the audit evidence gathered, for example, assessing
the reasonableness of the estimates made by management in preparing the financial
statements.

Further, other limitations may affect the persuasiveness of evidence available to draw
conclusions on particular assertions (for example, transactions between related parties). In these
cases, certain PSAs identify specified audit procedures which will, because of the nature of the
particular assertions, provide sufficient appropriate audit evidence in the absence of:

(a) Unusual circumstances which increase the risk of material misstatement beyond that
which would ordinarily be expected; or

(b) Any indication that a material misstatement has occurred.

Accordingly, because of the factors described above, an audit is not a guarantee that the financial
statements are free from material misstatement, because absolute assurance is not attainable.
Further, an audit opinion does not assure the future viability of the entity nor the efficiency or
effectiveness with which management has conducted the affairs of the entity.

Audit Risk and Materiality

The auditor obtains and evaluates audit evidence to obtain reasonable assurance about whether
the financial statements give a true and fair view or are presented fairly, in all material respects,
in accordance with the applicable financial reporting framework. The concept of reasonable
assurance acknowledges that there is a risk the audit opinion is inappropriate. The risk that the
auditor expresses an inappropriate audit opinion when the financial statements are materially
misstated is known as “audit risk.”

The auditor should plan and perform the audit to reduce audit risk to an acceptably low level that
is consistent with the objective of an audit. The auditor reduces audit risk by designing and
performing audit procedures to obtain sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base an audit opinion. Reasonable assurance is obtained
when the auditor has reduced audit risk to an acceptably low level.

Responsibility for the Financial Statements

While the auditor is responsible for forming and expressing an opinion on the financial
statements, the responsibility for the preparation and presentation of the financial statements in
accordance with the applicable financial reporting framework is that of the management of the
entity, with oversight from those charged with governance. The audit of the financial statements
does not relieve management or those charged with governance of their responsibilities.

The Risk-Based Audit Process

Risk-based audit model is an audit approach that begins with an assessment of the types and
likelihood of misstatement in account balances and then adjusts the amount and type of audit
work to the likelihood of material misstatement occurring in account balances.

In risk-based audit, the audit team views all activities in the organization first in terms of risks to
strategies and objectives, and then in terms of management’s plans and processes to mitigate the
risk. The auditors obtain an understanding of the client’s objectives. The risks are identified and
the auditors determine how management plans to mitigate the risk and whether those plans are in
place and operating effectively.

Account-based audit is an approach wherein the auditor obtains an understanding of control and
assesses control risk for particular types of errors and frauds in specific accounts and cycles.

Under the PSAs, which are risk-based, specific audit procedures vary from one engagement to the
next. The following stages are, however, involved in every engagement.

Phase I. Risk Assessment

This phase involves the following activities:

A. Performance of preliminary engagement activities to decide whether
to accept/continue an audit engagement.

B. Planning the audit to develop an overall audit strategy and audit plan.

C. Performance of risk assessment procedures to identify/assess risk of material
misstatement through understanding the entity.

Phase II. Risk Response

This phase covers the following activities:

A. Designing overall responses and further audit procedures to develop appropriate
responses to the assessed risk of material misstatement.

B. Implementing responses to assessed risk of material misstatement to reduce audit risk
to an acceptably low level.

Phase III. Reporting

This phase involves the following activities:

A. Evaluating the audit evidence obtained to determine what additional audit work (if any)
is required.

B. Forming an opinion based on audit findings and preparing the auditor’s report.

Figure 1.1 shows the schematic risk-based audit process in accordance with the guidelines
provided by the International Federation of Accountants.

Understanding the Audit Risk Model

Audit Risk is the risk that the auditor may give an unqualified opinion on materially misstated
financial statements. It is determined and managed by the auditor. The auditor always wants to
minimize that risk but should take into account the costs associated with gathering that evidence
to minimize the risk. It is intertwined with materiality and is influenced by engagement risk.

Engagement Risk deals with whether the auditor wants to be associated with a particular client
including loss of reputation, inability of the client to pay the auditor or financial loss because
management is not honest and inhibits the audit process.

Business Risk is risk that affects the operations and potential outcomes of organizational
activities.

Financial Reporting Risk relates to the recording of transactions and the presentation of the
financial data in an organization’s financial statements.

The following considerations are important in integrating the concepts of materiality and risk in
an organization’s financial statements.

1. Audit involves testing or sampling and thus cannot provide absolute (100%) assurance that
the financial statements are free of material misstatements without inordinately driving up
the cost of audits.

2. Not all clients are worth accepting. Since audits rely on testing and to some extent on the
integrity of management, there are some clients that an audit firm should not accept
because the engagement risk is too high.

3. Competition for clients among audit firms is high. Clients choose auditors based on a
number of factors including fees, service, industry knowledge, personal rapport and
ability to assist the client.

4. Auditors should understand society’s expectations of financial reporting to reduce audit
risk to an acceptably low level and therefore minimize lawsuits that the users may
possibly bring forth.

5. Risky areas of a business must be identified by the auditors to determine which account
balances are more prone to material misstatements, how the misstatements might occur
and how a client might be able to cover them up.

6. Auditors need to develop approaches and methodologies to allocate overall assessments
of materiality to individual account balances because some account balances may be more
important to users.

Although audit risk is a concept, it is often illustrated using quantitative examples.

For instance, the relationship between engagement risk and audit risk may be presented as
follows:

                            Engagement Risk
              High            Moderate        Low
Audit Risk    Do not accept   Set very low    Set within professional standards
              client          (1%)            but can be higher than companies
                                              with higher engagement risk (5%)

• Setting audit risk at 1% is equivalent to performing a statistical test using 99% confidence
level. Audit risk set at 1% implies that the auditor is willing to take a 1% chance of
issuing an unqualified opinion on materially misstated financial statements.
• Audit risk set at 5% implies that the auditor is willing to take a 5% chance of issuing an
unqualified opinion on materially misstated financial statements.
• High levels of audit risk are appropriate for clients with lower levels of engagement risk.

Based on the assessment of engagement risk, the auditor sets the desired audit risk. Audit risk is
oftentimes illustrated using numeric or quantitative examples. In fact, many audit firms use the
measures associated with statistical sampling to set audit risk, e.g. setting audit risk at 1% level
for high-risk clients and 5% for lower risk clients. Other auditing firms use a broader description
of audit risk as high, moderate or low and adjust the nature of their audit procedures accordingly.

The following general observations are considered to have influenced the implementation of the
audit risk model:

• The better the company’s internal controls, the lower the likelihood of material
misstatement.
• Unusual or complex transactions are more likely to be erroneously recorded than are
recurring or routine transactions.
• The amount and persuasiveness of audit evidence gathered should vary inversely with
audit risk; i.e., lower audit risk requires gathering more persuasive evidence.

These general premises have been incorporated into an audit risk (AR) model with three
components: inherent risk (IR), control risk (CR) and detection risk (DR) as follows:

AR = IR x CR x DR

where

Inherent risk (IR) is the initial susceptibility of a transaction or accounting adjustment to
be recorded in error, or for the transaction not to be recorded in the absence of internal
controls.

Control risk (CR) is the risk that the client’s internal control system will fail to prevent
or detect a misstatement.

Detection risk (DR) is the risk that the audit procedures will fail to detect a material
misstatement.

Stated differently, audit risk is the risk that the auditor may give an unqualified opinion
on materially misstated financial statements. It is influenced by: (IR) the likelihood that a
transaction, estimate, or adjustment might be recorded incorrectly; (CR) the likelihood
that the client’s internal control processes would fail to prevent or detect the misstatement
and (DR) the likelihood that, if a misstatement occurred, the auditor’s procedures would
fail to detect the misstatement.

The audit risk model may also be illustrated using a quantitative approach with
probability assessments applied to each of the model’s components.

Illustrative Case I: Quantitative Example of Audit Risk: High Risk of Material Misstatement

XYZ Mining Corporation, an audit client of Aquino and Marcos CPAs, has many
complex transactions and weak internal control. The auditors assess both inherent risk
and control risk at their maximum. This implies that the client does not have effective
control (CR) and there is a high risk that the transaction would be recorded incorrectly
(IR).
The auditors believe that engagement risk is high and have set audit risk at the 0.01 level.
This means that the auditors do not want to take much of a risk that the misstatement
goes undetected in the financial statements.

The effect on the extent of audit procedures and thus, detection risk is as follows:

AR = IR x CR x DR

DR = AR / (IR x CR)

DR = 0.01 / (1.0 x 1.0) = 0.01 or 1%

In this particular case, detection risk and audit risk are the same because the auditor cannot rely
on internal control to prevent or detect misstatements.

This illustration therefore yields the instinctive result:

“Poor controls and a high likelihood of misstatement would lead to extended audit work
to maintain audit risk at an acceptable level.”

Illustrative Case II: Quantitative Example of Audit Risk: Low Risk of Material Misstatement

Zoren Trading Corporation is an audit client of Cayetano and Loren CPAs. Zoren has simple
transactions, well-trained accounting personnel, effective control and no incentive to misstate the
financial statements.

The auditor’s previous audit experience with the client, an understanding of the client’s internal
controls and the results of preliminary testing this year indicate a low risk of material
misstatement existing in the accounting records. The auditor assesses inherent risk as low as
50% and control risk at 20%.

Audit risk consistent with a low engagement risk is 0.05.

The detection risk for this engagement is determined as follows:

DR = AR / (IR x CR)

DR = 0.05 / (0.50 x 0.20) = 0.50 or 50%

The auditor could therefore design tests of the accounting records with a lower detection risk, in
this situation 50%, because only minimal substantive tests of account balances are needed to
provide corroborating evidence on the expectations that the accounts are not materially
misstated. The auditor, however, would have had to test whether the controls are operating
effectively in order to support a control risk assessment below 100%.

Factors to Consider in Implementing the Audit Risk Model

The following general observations on an audit client influence the implementation of the audit
risk model:

1. High-risk activities

   This includes operations or events where a material misstatement could easily
   occur. For example, an inventory of high-value diamonds or gold bars held by a
   jeweler, or a new/complex accounting system being introduced.

2. Existence of large non-routine transactions

   • Identified significant related party transactions outside the entity’s normal course
     of business are to be treated as giving rise to significant risks. This includes
     infrequent and large transactions.
     For example:
       ◦ Unusual volume of routine transactions with a related party;
       ◦ A major sales or supply contract;
       ◦ The purchase or sale of major business assets or business segments; and
       ◦ Where management intervention is required to specify the accounting
         treatment to be used.
   • Routine non-complex transactions that are subject to a systematic processing are
     less likely to give rise to significant risks.

3. Matters requiring judgment or management intervention

   • Examples would include:
       ◦ The assumptions and calculations used by management in developing
         major estimates;
       ◦ Complex calculations or accounting principles;
       ◦ Revenue recognition (presumed to be a significant risk) that is subject to
         differing interpretation;
       ◦ Extensive manual data collection and processing; and
       ◦ Where management intervention is required to specify the accounting
         treatment to be used.

4. Potential for fraud

   • The risk of not detecting a material misstatement resulting from fraud (which is
     intentional and deliberately concealed) is higher than the risk of not detecting
     one resulting from error.
   • In evaluating whether significant risks could result from the identified fraud risk
     factors and the possible scenarios and schemes identified in team discussions,
     consider the following:
       ◦ Skillfulness of the potential perpetrator;
       ◦ Relative size of individual amounts manipulated;
       ◦ Level of authority of management or employee to:
         - directly or indirectly manipulate accounting records, and
         - override control procedures;
       ◦ Frequency and extent of manipulation involved;
       ◦ Possible degree of collusion;
       ◦ Intentional misrepresentations being made to the auditor; and
       ◦ Previous audit experience or concerns expressed by other persons.
   • Significant fraud risks may be identified at any stage in the audit as a result of
     new information being obtained.

Limitations of the Audit Risk Model

Audit risk is a concept that drives the auditor’s thinking about planning the audit and then
executing an audit. The illustrations are designed to provide guidance, but should not be applied
rotely to any audit client.

CPA firms, in determining their approach to implementing the audit risk model, should consider
the following limitations:

(a) Inherent risk is difficult to formally assess. Some transactions, because of their
complexity, are more susceptible to error, but it is quite difficult to assess that level of risk
independent of the client’s accounting system.

(b) The model treats each risk component as separate and independent when in fact the
components are not independent. It is also quite difficult to separate a client’s material
controls and inherent risk.

(c) Audit risk is judgmentally determined.

(d) Audit technology is not so fully developed that each component of the model can be
accurately assessed. Auditing is based on testing and precise estimates of the model’s
components are not possible. Auditors can, however, make subjective assessments and use
the audit risk model as a guide.
