This article is going to take you through the practical steps that an auditor follows in order to identify audit risk. We have covered the theoretical understanding of audit risk in the previous article, and we use this knowledge just like the auditor does to find the issues that increase audit risk with the client.
Audit risk is the risk of the auditor giving an inappropriate opinion on the financial statements. For example, stating the financial statements are true and fair when there is a material misstatement uncorrected.
The auditor has the audit risk model to understand and calculate audit a risk. They categorized the risks into three areas.
- Inherent risk.
- Control risk.
- And detection risk.
The aim is to identify the risks and then plan how to manage these issues to keep the overall audit risk an acceptable level.
ISA315 requires auditors to perform risk assessment procedures.
ISA200 requires auditors to apply professional skepticism during the audit, including planning the audit. This means they must be alert to issues that may cause these statements and have a questioning mind when carrying out their work.
Both of these auditing standards help guide the auditor through the planning stage and ensure audit risk is assessed properly.
The auditor must somehow identify audit risks so they can be included in the plan.
The risk assessment includes two main pieces of work carried out at this stage.
- Understanding the entity and its environment
- And using analytical procedures.
Both of these methods will help identify potential material misstatements and will allow the auditor to factor in the time and work needed to ensure their opinion is an appropriate one.
When obtaining knowledge of the business, the auditor must gain an understanding of.
- The structure of the organization.
- The industry operates in.
- And any events that may be relevant to the audit.
At the planning stage, the auditor will have access to all books and records, plus they will also be able to discuss issues with the client management and staff. Therefore, the three main methods of gathering information about the client are.
- Inquiring with management staff.
- Observation of control procedures carried out.
- And inspection of important documents and procedure manuals.
To understand an entity fully, the auditor must gather information on the following.
- Industry and other external factors that impact on the client and its accounts.
- Laws and regulations directly affecting the operations of financial statements.
- The client organizational structure, including how it operates, who owns it, any investment it makes, and the management structure.
- The accounting policies it follows.
- The client business planning risks.
- The financial performance.
- And internal controls.
This is a lot of information together at the planning stage. However, there are many sources where this information can be obtained.
The four main sources of information are.
- Within the audit firm.
- External sources.
- From the client.
- And from the individual auditor.
If the client is an existing one, much of the information can be gathered internally within the audit firm. The previous audits will have gained a lot of ground backed information about the client and its structure. Therefore, the previous year’s audit files holding the working papers and the permanent audit file will be a good source of information.
Discussions with the audit partner who will have much knowledge about the client along with the audit manager is also advisable.
Previous years audit teams will also be able to assist in the understanding of the client.
External sources will give you some independent information about the client, these include.
- Companies House where information on the structure of financial statements can be found.
- The Internet trade press where auditors may find events related to the client that may be relevant to the audit and the financial statements.
- Industry surveys and credit reference agencies will also give relevant information on how their food performing and their financial position.
Information from the client regarding their systems and controls and any events relevant can be obtained from the following.
- Discussions with client management and staff.
- Observation of procedures.
- Their website.
- And any brochures.
Finally, understanding the client also take some audit experience. Past experience from similar clients, for example, will ensure the auditor can identify what is necessary for this particular audit.
Now we have discussed the work in understanding the entity. We can move into the other key piece of work in identifying audit risks, analytical procedures.
The definition of analytical procedures is given in ISA520 as.
Evaluation of financial information through analysis of plausible relationships among both financial and non-financial data. I like to put it more simply as comparing financial and non-financial data to understand changes.
This is an important tool within the audit process, and it must be used at the planning stage.
Auditors are also advised they must again use analytical procedures at the end of the audit process at the completion and review stage and can use it to gather evidence during the substantive testing stage.
The purpose of performing analytical procedures at the planning stage is.
- To understand the business the client operates.
- Identify unusual balances and transactions and events that may indicate potential water risks.
- And identify potential material misstatements due to fraud and error.
The way the auditor does this is to compare the most up-to-date center financial statements. For example, a draft set of financial statements to the previous year, budgets or forecasts, and industry averages with the use of ratios.
Knowledge of ratio calculations is required here as this accounting tool will help highlight potential issues with the numbers better than just looking at the figures in the financial statements.
Ratios can be categorized to review the following.
Profitability, efficiency, liquidity and return.
Profitability ratios include .
- The gross profit margin, calculated as gross profit divided by revenue multiplied by 100%.
- Net margin is calculated as profit before tax(PBIT) divided by revenue/sales and multiplied by 100%.
These ratios will give you the proportion of profit to revenue in a percentage form.
Efficiency ratios include.
- Receivable days ratio calculated as receivables divided by revenue multiplied by 365 days.
- Payable days ratio calculated as payables divided by purchases multiplied by 365 days.
- Inventory days ratio calculated as inventory divided by cost of sales multiplied by 365 days.
These ratios will keep the average number of days customers take to pay the client, pay suppliers and inventory is held in the business.
Liquidity ratios include.
- The current ratio calculated as current assets divided by current liabilities.
- The quick ratio calculated as current assets minus inventory divided by current liabilities.
These ratios will show you how comfortably the company can repay its current liabilities.
Return ratios, such as the gearing ratio will show you how much debt is in the business.
This is calculated as debt divided by equity or borrowings divided by share capital and reserves.
The auditor can calculate ratios on the current figures in the financial statements and compare them to the previous year, budgets, and industry averages. This will then highlight unusual differences in results, which can then be investigated in more detail during the audit.
Any unusual results from analytical procedures could be the result of material misstatement. Therefore, lots of variations in figures and disclosures would increase audit risk.
To summarize, to help calculate audit risk, the auditor must identify potential issues that could cause misstatements.
There are many sources where information can be obtained and the auditor must use those resources available, including talking to and observing the client staff and management.
Review of the financial statement is also important and using analytical procedures is required as per audited standards.
All this information obtained from the work we have discussed must be documented in the audio file. This will ensure there is evidence that the work to identify audit risks was in accordance with auditing standards.
I hope you found this article useful. Thank you.