Business Risk and Audit Risk

The risk-based approach to
audit: audit judgement
Chapter 5
UseAudit
with Process:
The AuditPrinciples, th Edition
Process 4Practice
Use with The and Cases
By Iain Gray
Third Edition & Stuart
by Iain Gray &Manson ISBN 9781844806782
Stuart Manson ISBN 1-86152-946-5
© 2005
2008 Thomson
Cengage Learning
LEARNING OBJECTIVES
After studying this chapter you should be able to:
• Define audit risk and suggest why risk-based approaches

have become more important recently.
• Identify the components of audit risk and give practical
explanations.
• Identify risk in a number of practical scenarios and show
how auditors approach risk.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
LEARNING OBJECTIVES CONT’D
• Define business risk, and show how business risk

approaches differ from audit risk approaches and whether
they are relevant to the audit of companies of all sizes.
• Show how enhanced expectations of corporate
governance have increased business risk.
• Explain why business risk approaches by auditors may

widen the audit expectations gap.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
LEARNING OBJECTIVES CONT’D
• Explain why judgement is a vital aspect of accounting and

auditing.
• Make the distinction between judgement and compliance
with accounting standards.
• Explain the relationship between audit judgement and

audit risk.
• Suggest what it is that enables successful judgements to
be made.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
KEY POINTS – p.167
‘Audit risk’ (AR), the risk that auditors may give an

inappropriate audit option, has three components:
(a) Inherent risk;
(b) Control risk; and
(c) Detection risk.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
KEY POINTS – pp.172–173
Two further elements to audit risk are:

(a) engagement risk, arising from (i) competitive
tendering by audit firms; and (ii) inherent risk
factors not known to the potential auditors when
tendering;
(b) independence in fact risk, or the risk that
auditors may fail to report material
misstatements in the financial statements,
detected by their audit procedures).
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.1
Recall the definitions of the components of audit

risk that we gave you earlier in this book.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
• Business risk results from significant conditions,

events, circumstances, actions or inactions that
could affect the entity’s ability to achieve its
objectives.
• Business risk is broader than the risk of material
misstatement of the financial statements.
• Business risk may arise from change or
complexity or through a failure to recognize the
need for change.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.2
Read the two definitions above and explain the

differences between audit risk and business risk
and state whether you can see a link between
them and why, giving examples. You should read
paras 30-35 of ISA 315 when doing this activity.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Examples of risks identified in Appendix 2 include:
(i) Changes in operating environment;
(ii) New personnel;
(iii) New or revamped information systems;
(iv) Rapid growth;
(v) New technology;
(vi) New business models, products or activities;
(vii) Corporate restructurings;
(viii)Expanded foreign operations; and
(ix) New accounting pronouncements.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.3
This appears to be a fairly simple scenario, but

there are a number of risks associated with this
kind of company and we ask you to identify the
business risks, which will include industry and
economic risk factors.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.4
Some industries require significant estimates of

revenues and costs. Give examples and suggest
why the existence of significant estimates would
increase the risks of material misstatement of the
financial statements.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.5
Suggest how the above entity-level factors might

have an impact on individual account balances
and transaction classes – at the assertion level in
raespect of those balances and transactions.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
The three components of audit risk are related:

audit risk (AR) = inherent risk × (IR) × control
risk (CR) × detection risk (DR).
DR relates to acquiring confidence . If the auditor
needs a low detection risk, more transactions and
balances are tested substantively, and the more
confident the auditor is that all are valid.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Auditors decide initially the level of audit risk

acceptable to them. Some auditors assess risk in
qualitative terms – low, medium and high – but the
principle is clear that if you wish audit risk to be low
and you know that inherent risk and control risk are
both high, detection risk will have to be low.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.6
Can you think of controls that Edengrove Ltd

might introduce to increase the likelihood that the
tenants in the managed properties will pay and
on time?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.7
Explain to your assistant the inherent risks that

may arise for environmental reasons or because
of the nature of the company’s transactions and
balances. Suggest appropriate controls to reduce
the impact of inherent risk.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.8
Identify controls present in the shops reducing

control risk and hence mitigating inherent risk.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.9
You will have noted that internal auditors visit the

shops on a surprise basis at least at once
annually.
How do you think that internal audit work may
reduce control risk and detection risk and thereby
aid the external auditor?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.10
Write a note in which you explain the issues

arising from the matters coming to your attention
and suggest audit actions you would take. In
each case, state whether the problem is
significant in terms of the risk of giving an
inappropriate opinion.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Engagement risk is when incoming auditors have

little in-depth knowledge of new clients.
This is likely to enhance risk, particularly if the
auditor is unaware of management deficiencies
and / or unusual pressures on them.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
KEY POINTS – p.186 CONT'D
Tendering for audit services has become important

and is accompanied by lower audit fees. This
possibly results in policies to reduce the amount of
audit work carried out.
Another risk factor related to lower audit fees is that
auditors become more reliant on non-audit services,
with a consequent threat to independence.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.11
‘Business risk’ may be defined as ‘the risk that

the entity will fail to achieve its objectives’. Make
a list of possible business objectives that an
entity might have.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Examples of business objectives are:

• attaining a certain level of profitability;
• maximizing shareholder wealth;
• ensuring efficiency and effectiveness of
operations;
• meeting a desired market share;
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
• giving customer satisfaction;

• maintaining a desired level of liquidity;
• maintaining reputation;
• meeting the challenge of changes;
• adherence to accepted principles of corporate
governance.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.12
Kellie is a rapidly growing company providing

advertising copy to a variety of individuals and
companies. It currently has 10% of the
market but its management has as one of its
objectives to increase this to 20% within
the next two years. Management is of the view
that this will be necessary if its desired level of
profitability is to be maintained and if the
company is to retain and attract high quality staff.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.12 CONT'D
Do you think that the information you have about

the business is of relevance to the auditors who
are required to give an opinion on the company’s
financial statements at the end of the current
year?
What are the matters that you would wish to
discuss with management about their declared
objective?
Do you think that you might be able to give
management any helpful advice?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Business risk assessment is a management

technique.
Objectives may change as circumstances change
so assessment should take place regularly.
The approach has been adapted to allow auditors
to provide business risk assessments as
consultancy exercises to audit clients.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
There are similarities between business and

inherent risk approaches:
(a) both use a ‘top-down’ approach;
(b) factors that increase inherent and control risk
may make it less likely that business objectives
will be obtained;
(c) analysis of both helps auditors to prove that
financial statements give a true and fair view.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
KEY POINTS – p.191CONT'D
Dissimilarities are:
(a) auditors consider inherent risks in relation to the
impact they may have on financial statements,
but the business risk approach considers risks
inhibiting the company in achieving objectives;
(b) business objectives and audit objectives are so
dissimilar that the above factors cannot create a
similarity.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Benefits of the business risk approach are that it:

(a) improves the basic audit of financial statements
and makes erroneous conclusions less likely;
(b) makes audit more efficient and therefore more
profitable;
(c) expands potential for giving assurance to
management to ‘add value’ and to create
additional sources of income.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
This leads in turn to:

(d) expanded audit, which has the potential to
contribute to corporate governance
arrangements and disclosures;
(e) a better understanding of a client’s business
and its risks, thus reducing auditors’
engagement risk.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Another potential benefit is

(f) advances in IT have resulted in company
records being inherently more reliable, leaving
more scope for audit effort to be devoted to
higher level assessments.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Business risk approaches mean much planning

work is performed by experienced staff. But
knowledge about management allows auditors to
form views on the reliability of management and the
control environment, and on analytical evidence.
This may lead to a loss of independence and, by
cutting down on over-auditing in non-risk, to under-
auditing.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.13
Now that you know what the business risk

approach involves, do you think that it can be
applied in the audit of smaller companies by
small audit firms?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Analytical procedures are defined in ISA 520 as:
‘Evaluations of financial information made by a

study of plausible relationships among both financial
and non-financial data. Analytical procedures also
encompass the investigation of identified
fluctuations and relationships that are inconsistent
with other relevant information or deviate
significantly from predicted amounts.’
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.14
You are auditing a company and have obtained the
following information in from a variety of sources.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
The liquidity ratio is calculated as (current assets

less stock)/current liabilities. This ratio is a measure
of the ability of the company to pay its short-term
liabilities as they fall due. Gearing is calculated as
long-term debt/net assets employed x 100.
Both liquidity and borrowings are factors that need
to be taken into account in assessing risk.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
The question is whether the company looks more

of a risk for the auditor in the current year
compared with last year?
How would the information above affect your
planning?
What specific additional information would you
seek as part of your audit procedures?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Judgement is one of the ‘enduring principles of

auditing’, but it is intangible in nature. The
relationship between judgement and risk is direct,
as judgement is exercised in the context of risk.
In forming judgements the auditor makes initial risk
assessments, but modifies them on the basis of
controls in existence and on the validity of figures
in the accounting records.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.15
Wedel Ltd operates a city-centre restaurant

specializing in fast food. During the audit you
discover that a customer has sued the company
for personal injury caused by food poisoning. The
amount claimed is £100,000, but management has
told you that the company has good defences
against the claim.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
You are aware that judgement cannot be exercised

in a vacuum and that you require evidence before
you can make a decision. Describe the evidence
that you think you will require. In doing this, give
consideration to matters that you might have
considered at the planning stage.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.16
You have been performing a cut-off test at 31

December 2007 to satisfy yourself that purchases
are recorded in the proper period. You have
compared the pre-numbered goods received notes
(GRNs) with purchase invoices to ensure that the
invoices are recorded in 2007 where the GRN has
been issued up to the end of December.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
You judged initially that purchase invoices were

recorded in the proper period. However, you had
written to some creditors to confirm amounts owed
to them at 31 December and some had confirmed
higher amounts owing than had been recorded by
your client.
Do you believe that you, as auditor, are at risk?
How would you exercise professional judgement
in respect of this matter?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
In managing the audit process there are two basic

related objectives:
(a) being professionally effective;
(b) making a fair profit in performing professional
duties.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
The starting point for effective management of the

audit process is to create a logical structure within
the firm and to allocate responsibilities to partners,
managers, seniors and assistant auditors, ranging
from overall professional effectiveness to
performing detailed audit work.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
Figure 5.2 Schematic diagram of an audit firm
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.17
What conclusions do you think can be drawn from

the above?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
The letter of engagement provides the audit

framework and contains:
(a) responsibilities of directors and auditors;
(b) scope of audit;
(c) other services; and
(d) fees.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
ACTIVITY 5.18
Do you think that during the course of discussions

you would be able to form an impression of the
competence and integrity of David Jones and Carol
Henshaw?
What would you be looking for in particular?
What do you think that management would expect
from you?
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
The time and fee budgets are directly dependent

on evaluation of risk, which determines the extent
of substantive procedures.
The most important resource used is the time
of partners and staff of the audit firm. The time
budget is designed to give sufficient time to
reduce audit risk to acceptable levels.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
CHAPTER SUMMARY
In this chapter we set the scene for the audit,
introducing you to:
• An audit firm, the people who work for it and the

way in which their time is charged;
• A risk-based approach to audit;
• Definitions of audit and business risk;
• Approaches to deal with such risks;
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
CHAPTER SUMMARY CONT’D
• The link between risk and judgement;

• The importance of analytical procedures as a
tool of risk analysis and an aid to audit
judgement;
• The importance of the engagement letter;
• The need for an auditor to understand the client
company in terms of its internal and external
environment.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
FURTHER READING
Colbert, J.L. (1987) ‘Audit risk: Tracing the
evolution’, Accounting Horizons, September, pp.
49–57.
Eilifsen, A., Knechel, W. and Wallage, P. (2001)

‘Application of the business risk audit model: a field
study’, Accounting Horizons, 15(3): 193–207.
Gwilliam, D. (2003) ‘Audit methodology, risk

management and non-audit services’, Centre for
Business Performance Briefing, 05.03, ICAEW.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
FURTHER READING CONT’D
Lemon, Tatum and Turley (2000) Developments in

the Audit Methodologies of Large Accounting
Firms, APB
Williams, P. (2003) ‘Walking away’, Accountancy,

April, pp. 26–7.
Woolf, E. (2003). Audits: ‘An endangered species’,
Accountancy, October p. 91.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning
FURTHER READING CONT’D
ISA 210, Terms of Audit Engagements.

ISA 300, Planning an Audit of Financial
Statements.
ISA 315, Understanding the Entity and Its
Environment and Assessing the Risks of Material
misstatement.
ISA 330, The Auditor’s Procedures in Response to
Assessed Risks.
ISA 520, Analytical Procedures.
UseAudit
with Process:
Process 4Practice
By Iain Gray
© 2005
2008 Thomson
Cengage Learning

Business Risk and Audit Risk

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Business Risk and Audit Risk

Uploaded by

Copyright:

Available Formats

The risk-based approach to

audit: audit judgement

After studying this chapter you should be able to:

• Define audit risk and suggest why risk-based approaches

• Define business risk, and show how business risk

• Explain why business risk approaches by auditors may

• Explain why judgement is a vital aspect of accounting and

• Explain the relationship between audit judgement and

‘Audit risk’ (AR), the risk that auditors may give an

Two further elements to audit risk are:

Recall the definitions of the components of audit

• Business risk results from significant conditions,

Read the two definitions above and explain the

This appears to be a fairly simple scenario, but

Some industries require significant estimates of

Suggest how the above entity-level factors might

The three components of audit risk are related:

Auditors decide initially the level of audit risk

Can you think of controls that Edengrove Ltd

Explain to your assistant the inherent risks that

Identify controls present in the shops reducing

You will have noted that internal auditors visit the

Write a note in which you explain the issues

Engagement risk is when incoming auditors have

Tendering for audit services has become important

‘Business risk’ may be defined as ‘the risk that

Examples of business objectives are:

• giving customer satisfaction;

Kellie is a rapidly growing company providing

Do you think that the information you have about

Business risk assessment is a management

There are similarities between business and

Benefits of the business risk approach are that it:

This leads in turn to:

Another potential benefit is

Business risk approaches mean much planning

Now that you know what the business risk

Analytical procedures are defined in ISA 520 as:

‘Evaluations of financial information made by a

The liquidity ratio is calculated as (current assets

The question is whether the company looks more

Judgement is one of the ‘enduring principles of

Wedel Ltd operates a city-centre restaurant

You are aware that judgement cannot be exercised

You have been performing a cut-off test at 31

You judged initially that purchase invoices were

In managing the audit process there are two basic

The starting point for effective management of the

What conclusions do you think can be drawn from

The letter of engagement provides the audit

Do you think that during the course of discussions

The time and fee budgets are directly dependent

• An audit firm, the people who work for it and the

• The link between risk and judgement;

Eilifsen, A., Knechel, W. and Wallage, P. (2001)

Gwilliam, D. (2003) ‘Audit methodology, risk

Lemon, Tatum and Turley (2000) Developments in

Williams, P. (2003) ‘Walking away’, Accountancy,

ISA 210, Terms of Audit Engagements.

You might also like