RELEVANT TO ACCA QUALIFICATION PAPER F8 AND
  PERFORMANCE OBJECTIVES 17 AND 18
  Audit risk
  Candidates studying Paper F8, Audit and Assurance, are required under the
  syllabus to: ‘Explain the components of audit risk and explain the risks of
  material misstatement in the financial statements’。
  This element of the syllabus has been examined in the last three sessions of
  Paper F8 – in June 2010, December 2010 and June 2011. However, the
  performance of candidates has on the whole been unsatisfactory. This article
  aims to identify the most common mistakes made by candidates as well as
  clarifying how audit risk questions should be tackled in order to maximise
  marks.
  An example question requirement relating to audit risks is as follows:
  Describe the audit risks and explain the auditor’s response to each risk in planning
  the audit of XYZ Co.
  Previously examined risk questions have carried a mark allocation of 10 marks.
  However, a significant majority of candidates have not passed this part of the
  question. Common mistakes made include:
  ? providing definitions of the audit risk model, even though this was not
  part of the question requirement
  ? a lack of understanding of what audit risk is and providing business risks
  instead
  ? not providing an adequate response to the risk. This needs to be from
  the perspective of the auditor and not from management’s perspective
  ? a limited range of risks identified, often just focusing on one area such
  as going concern.
  Audit risk definitions
  Audit risk is defined as ‘the risk that the auditor expresses an inappropriate
  audit opinion when the financial statements are materially misstated. Audit
  risk is a function of the risks of material misstatement and detection risk’。
  Hence, audit risk is made up of two components – risks of material
  misstatement and detection risk.
  Risk of material misstatement is defined as ‘the risk that the financial
  statements are materially misstated prior to audit. This consists of two
  components… inherent risk … control risk.’
  Inherent risk is ‘the susceptibility of an assertion about a class of transaction,
  account balance or disclosure to a misstatement that could be material, either
  2
  AUDIT RISK
  NOVEMBER 2011
  individually or when aggregated with other misstatements, before
  consideration of any related controls.’
  Control risk is ‘the risk that a misstatement that could occur in an assertion
  about a class of transaction, account balance or disclosure and that could be
  material, either individually or when aggregated with other misstatements, will
  not be prevented, or detected and corrected, on a timely basis by the entity’s
  internal control.’
  Detection risk is defined as ‘the risk that the procedures performed by the
  auditor to reduce audit risk to an acceptably low level will not detect a
  misstatement that exists and that could be material, either individually or when
  aggregated with other misstatements.’
  Audit risk questions require candidates to identify risks of material
  misstatements, which include inherent and control risks as well as detection
  risks.
  Audit risk model
  In all three sessions a number of candidates have wasted valuable time by
  describing the audit risk model along with definitions of audit risk, inherent
  risk, control and detection risk. Unless the question requirement specifically
  asks for the ‘components of audit risk’ or ‘a description of the audit risk
  model’, candidates should not provide definitions of audit risk, inherent risk,
  control risk or detection risk as no marks are available.
  Audit risk versus business risk
  The main area where candidates continue to lose marks is that they do not
  actually understand what audit risk relates to. Hence, they frequently provide
  answers that consider the risks the business would face or ‘business risks’,
  which are outside the scope of the syllabus. There are no marks available for
  business risks.
  Business risks are defined as ‘a risk resulting from significant conditions,
  events, circumstances, actions or inactions that could adversely affect an
  entity’s ability to achieve its objectives and execute its strategies, or from the
  setting of inappropriate objectives and strategies’。
  Risks must be related to the risk arising in the audit of the financial statements
  and should include the financial statement assertion impacted. Therefore,
  audit risks should be related back to relevant assertions. 3
  AUDIT RISK
  NOVEMBER 2011
  ISA 315, Identifying and Assessing the Risks of Material Misstatement Through
  Understanding the Entity and Its Environment identifies the following assertions:
  ? Assertions about classes of transactions and events for the period under
  audit – occurrence completeness, accuracy, cut off and classification.
  ? Assertions about account balances at the period end – existence, rights
  and obligations completeness, and valuation and allocation.
  ? Assertions about presentation and disclosure – occurrence and rights
  and obligations, completeness, classification and understandability, and
  accuracy and valuation.
  In addition, a risk can relate to a practical problem the audit team may face,
  such as attendance at inventory counts where the company has multiple sites
  holding simultaneous inventory counts, or if the company has had significant
  changes in their finance department and so the risk of fraud and error has
  increased.
  The common mistake is for candidates to identify a relevant issue from the
  scenario and then consider the risk to the company rather than to the auditor,
  linking into the related assertion.
  Therefore, using Question 3b from the June 2011 exam: ‘The travel agents are
  given a 90-day credit period to pay Donald Co; however, due to difficult trading
  conditions, a number of the receivables are struggling to pay.’ The audit risk
  related to this point is that if receivables are struggling to pay, then they may
  be overstated and, hence, valuation of receivables is the relevant risk.
  The business faces the risk of slow cash flows and so there is a business risk
  related to the liquidity of Donald Co. While going concern is an audit risk, the
  above point from the scenario is not sufficient on its own to indicate going
  concern risk.
  In addition, Question 1a from the June 2010 exam told candidates: ‘Purchase
  orders for overseas paint are made six months in advance and goods can be in
  transit for up to two months.’ The explanation of the audit risk would be to
  ascertain that the cut-off of inventory is appropriate at the year end. However,
  many candidates explained that the company may encounter problems with
  stock-outs of goods, which is focused more on operational business risk rather
  than on the risks to the financial statements.
  Other examples of audit risks include:
  ? treatment of capital and revenue expenditure – the risk here could relate
  to existence of property plant and equipment if revenue expenditure has
  been capitalised rather than charged as an expense in the income
  statement
  4
  AUDIT RISK
  NOVEMBER 2011
  ? valuation of inventory – when, for example, there are considerable levels
  of aged inventory
  ? completeness of liabilities – this could arise if provisions have been
  incorrectly treated as contingent liabilities
  ? completeness of revenue – this could be relevant where the entity being
  audited has significant cash sales.
  Responses to audit risks
  Having identified the audit risk candidates are often required to identify the
  relevant response to these risks. A common mistake made by candidates is to
  provide a response that management would adopt rather than the auditor.
  From Question 3b June 2011, in relation to the risk of valuation of receivables,
  as Donald Co had a number of receivables who were struggling to pay, many
  candidates suggested that management needed to chase these outstanding
  customers. This is not a response that the auditor would adopt, as they would
  be focused on testing valuation through after date cash receipts or reviewing
  the aged receivables ledger.
  Auditor’s responses should focus on how the team will obtain evidence to
  reduce the risks identified to an acceptable level. Their objective is confirming
  whether the financial statement assertions have been adhered to, and whether
  the financial statements are true and fair.
  Responses are not as detailed as audit procedures; instead they relate to the
  approach the auditor will adopt to confirm whether the transactions or
  balances are materially misstated. Therefore, in relation to the risk of going
  concern, the response is to focus on performing additional going concern
  procedures, such as reviews of cash flow forecasts.
  Also, auditor responses should not be too vague such as ‘increase substantive
  testing’ without making it clear how, or in what area, this would be addressed.
  In addition, candidates’ must ensure that they do not provide impractical
  responses. A common example of this is to request directly from the
  company’s bank as to whether the bank will provide a loan or renew a bank
  overdraft. The bank is not going to provide this type of information to the
  auditor, especially if they have not yet informed the company, and therefore
  this response will not generate any marks.
  Limited range of risks identified
  In order to score well in risk questions it is advisable to aim to identify a
  breadth of points from the question scenario. If the question asks for a specific
  number of audit risks, such as five, then it is not sufficient to identify just one
  or two risks. In addition, a common mistake is to identify a risk such as going
  5
  AUDIT RISK
  NOVEMBER 2011
  concern and then give this answer over and over again. In Question 3b of the
  June 2011 exam, there was only a maximum of one mark available for the
  description of going concern risk.
  Each scenario will have a variety of audit risks and candidates should, as part
  of their planning, aim to identify as many as possible. They should then decide
  which of the identified risks they will explain/describe in their answer. If the
  question asks for five risks, candidates should aim to identify six or seven
  points during their initial reading of the question. Candidates should then
  review their list and pick the five risks and responses that they feel they can
  expand on the most when writing up their answer.
  Conclusion
  Audit risk is, and will continue to be, an important element of the Paper F8
  syllabus. Candidates must understand the syllabus outcomes, understand what
  the question requirements involve and practise risk questions prior to the
  exam.
  Pami Bahl is the examiner for Paper F8