UNIT 7

Assessing the Risk of Material Misstatement

 Auditors accept some level of risk and uncertainty in performing audits.

 Risk in Auditing - Auditing standards require the auditor to have a deep understanding on the entity and its
environment, including the internal control to assess the risk of material misstatements in the FS.
 Audit risk (or residual risk) refers to the risk an auditor may cause due to material misstatement either due
to error or fraud.
o Example is when an auditor issued an unqualified opinion to the audited financial statements even
though the financial statements are materially misstated.
o Or the reverse, which means that there is a qualified opinion due to immateriality found in the financial
statements which the correct opinion should be unqualified.
 Risk of Material Misstatement at the Overall FS....
o Means that aside from the measurable risks, there are also other types that may be difficult to quantify
such as the uncertainty on the appropriateness of the obtained evidence, uncertainty on the
effectiveness of the client's internal controls, and uncertainty on the fair statement of the financial
statements after audit.
 There are 4 types of risks: Planned detection risk, acceptable audit risk, inherent risk, control risk
o PDR - two key points
 It is dependent on the other three factors, obviously. Thus PDR will be changed if you change one
of the other factors
 Determines the amount of substantive evidence that the auditor plans to accumulate, inversely
with the size of planned detection risk.
 STATE EXAMPLE USING THE TABLE (Focus on D) - PDR is low, planned evidence is high
o Inherent risk - measures the auditor's assessment of the susceptibility of an assertion to material
misstatement, before considering the effectiveness of related internal controls.
 High risk of misstatement, there is high inherent risk
 When transactions are complex, or in situations that require high degree of judgment
 Inversely related to PDR thus directly related to evidence.
 In addition to increasing audit evidence for a higher inherent risk in a given audit area, auditors
commonly assign more experienced staff to that area and review the completed audit tests more
thoroughly. For example, if inherent risk for inventory obsolescence is extremely high, it makes
sense for the CPA firm to assign an experienced staff person to perform more extensive tests for
inventory obsolescence and to more carefully review the audit results.
 STATE EXAMPLE, A.
o Control Risk
 Not detected on a timely basis of the client's internal controls
 Assume that the auditor concludes that internal controls are completely ineffective to prevent or
detect misstatements. That is the likely conclusion for inventory and warehousing (B) in Table 9-
2 (p. 259). The auditor will therefore assign a high, perhaps 100 percent, risk factor to control
risk. The more effective the internal controls, the lower the risk factor that can be assigned to
control risk.
 The audit risk model shows the close relationship between inherent and control risk.
 Refer to the formula. Both are in the denominator side. Inherent x Control = Risk of
Material Misstatements
 Possible to make combined assessment.
 Control inversely related to PDR, while direct for planned evidence
 Auditors of larger public companies choose to rely extensively on controls because they must test
the effectiveness of internal control over financial reporting to satisfy Sarbanes–Oxley Act
requirements. Auditors of other companies and other types of entities are also likely to rely on
controls that are effective, especially when day-today transaction processing involves highly
automated procedures.
o Acceptable Audit Risk (AAR)
 When auditors decide on a lower acceptable audit risk, they want to be more certain that the
financial statements are not materially misstated.
  Zero risk is certainty, and a 100 percent risk is complete uncertainty.
 Complete assurance (zero risk) of the accuracy of the financial statements is not economically
practical.
 Audit Assurance is the complement of AAR, so (1-AAR)
 Direct relationship between acceptable audit risk and planned detection risk, and an inverse
relationship between acceptable audit risk and planned evidence.

UNIT 8
 Test of Controls
o The purpose is to test the effectiveness of controls in support of a reduced control risk for the
audit
o During the understanding phase, the auditor will have already gathered some evidence in support
of both the design of the controls and their implementation by using procedures to obtain and
understanding.
o Auditor = likely that enough evidence won’t be gathered for the reduction of assessed risk
 THUS, obtain additional evidence about the operating effectiveness of controls throughout
all, or at least most of the period
 Types of Procedures
o 1. Although inquiry is not necessarily a highly reliable source of evidence about the effective
operation of controls, it is still appropriate. (If unauthorized personnel are denied access to
computer files, it is possible to ask the computer library controller)
o 2. Many controls leave a clear trail of documentary evidence that can be used to test controls.
(Customer order receipt -> create customer sales order -> which is approved for credit)
o 3. Some controls do not leave an evidence trail, which means that it is not possible at a later date to
examine evidence that the control was executed (separation of duties -> specific persons and tasks -
> and there is no documentation available
o Control-related activities for which there are related documents and records, but their content is
insufficient for the auditor’s purpose of assessing whether controls are operating effectively
 Extent of Procedures – depends on the preliminary assessed control risk. Lower assessed control risk
would result to more extensive tests of controls are applied, both in terms of the number of controls tested
and the extent of the tests for each control. (Auditor -> low assessed control risk -> larger sample size for
inspection, observation, and reperformance procedures)
 Testing less than the audit period – depends on the frequency of the operation of the controls (end of the
year, quarterly, monthly)
o Evidence from prior year’s audit – When auditors plan to use evidence about the operating
effectiveness of internal control obtained in prior audits, auditing standards require tests of the
controls’ effectiveness at least every third year. (If change was observed by the auditor since last
testing, they should test it in the current year), automated or manual.

o Testing of Controls Related to Significant Risks – significant risks are those risks that the auditor
believes require special audit consideration. When the auditor’s risk assessment procedures
identify significant risks, the auditor is required to test the operating effectiveness controls that
mitigate these risks in the current year audit.

o Testing less than the entire audit period – PCAOB auditing standards require the auditor to perform
tests of controls that are adequate to determine whether controls are operating effectively at year
end. Timing will depend on the nature of controls and when the company uses them.
 Internal Controls in Outsourced Systems – Auditing standards require the auditor to
consider the need to obtain an understanding and test the internal controls if it involves
processing significant financial data.; Depth of the auditor’s understanding depends on the
complexity of the system and the extent to which the control is relied upon to reduce
control risk.
 Reliance on Service Center Auditors – Understanding of the service center ‘s internal
controls (Service Organization Controls or SOC), and issue a SOC report for use by all
 customers and their independent auditors. This independent assessment is to provide
service center customers reasonable assurance about the adequacy of the service center’s
general and application controls. It is also to eliminate the need for redundant audits by
customers’ auditors.

 Decide Planned Detection Risk and Design Substantive Tests

o The completion of the assessment of control risk for each related audit objective is sufficient for the
audit of internal control over financial reporting, even though the report will not be finalized until
the auditor completes the audit of FS.
o The appropriate level of detection risk for each balance-related audit objective is then deicided
using the audit risk model.

 Auditor Reporting on Internal Control

o Communications to Those Charged with Governance
o Management Letters
