🔵 PART 1: AUDIT RISK

1️⃣ What is Audit Risk?

Audit risk = the risk that the auditor gives an inappropriate opinion when the financial statements are materially misstated.

Audit risk exists because:

  • Auditors test samples

  • Judgement is involved

  • Management prepares the accounts

2️⃣ The Audit Risk Model


Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

You must understand each.

🔹 (a) Inherent Risk (IR)

Risk that a misstatement could occur due to the nature of the business or transaction, before considering controls.

Examples:

  • Complex accounting (revenue recognition, provisions)

  • Estimates (depreciation, impairment)

  • New businesses

  • High-value transactions

  • Cash-based businesses

  • Susceptibility to theft

  • Rapid growth

  • Related party transactions

  • Going concern issues

Key point:
IR is higher where judgement and complexity are high.

🔹 (b) Control Risk (CR)

Risk that the client’s internal controls fail to prevent or detect misstatements.

Higher CR if:

  • Weak internal controls

  • No segregation of duties

  • No internal audit

  • Poor IT systems

  • Management override possible

Auditor assesses CR by:

  • Understanding internal control

  • Testing controls (if planning to rely on them)

🔹 (c) Detection Risk (DR)

Risk that audit procedures fail to detect material misstatements.

Auditor controls DR by:

  • Nature of procedures

  • Timing

  • Extent (sample size)

If IR and CR are high → DR must be low
So auditor increases:

  • Sample size

  • More substantive testing

  • More experienced staff

This is critical for exam answers.

3️⃣ Business Risk vs Audit Risk

Business Risk

Risk that the company fails to achieve objectives.

Examples:

  • Competition

  • Loss of customers

  • Technology change

  • Legal issues

Audit Risk

Risk auditor gives wrong opinion.

Business risks often create audit risks.

In exam:
If question gives business scenario → link it to risk of material misstatement.

4️⃣ Risk of Material Misstatement (RMM)

RMM = IR × CR

This exists at:

  • Financial statement level

  • Assertion level

5️⃣ Financial Statement Level Risk

Risks that affect entire financial statements.

Examples:

  • Weak management integrity

  • Poor control environment

  • Going concern problems

  • Inexperienced finance team

Auditor response:

  • More supervision

  • More experienced staff

  • Increased professional scepticism

  • Unpredictable procedures

6️⃣ Assertion Level Risk

Risks affecting specific account balances or transactions.

Assertions include:

For Transactions:

  • Occurrence

  • Completeness

  • Accuracy

  • Cut-off

  • Classification

For Balances:

  • Existence

  • Rights & obligations

  • Completeness

  • Valuation

For Presentation:

  • Occurrence

  • Completeness

  • Classification

  • Accuracy

You must always link:
Risk → Affected assertion → Audit response.

7️⃣ Significant Risks

Risks requiring special audit consideration.

Usually:

  • Fraud risk

  • Revenue recognition

  • Related parties

  • Management override

  • Complex transactions

  • Non-routine transactions

Auditor must:

  • Obtain understanding of controls

  • Perform specific substantive procedures

Exam tip:
Revenue is often automatically a significant risk.

8️⃣ Fraud Risk

Two types:

  1. Fraudulent financial reporting

  2. Misappropriation of assets

Fraud triangle:

  • Pressure

  • Opportunity

  • Rationalisation

Management override = always presumed risk.

Auditor response:

  • Journal entry testing

  • Review estimates for bias

  • Evaluate unusual transactions

9️⃣ Understanding the Entity (ISA 315)

Auditor must understand:

  • Industry

  • Regulatory environment

  • Nature of business

  • Ownership structure

  • Objectives & strategies

  • Measurement of performance

  • Internal control system

Sources:

  • Prior year files

  • Discussions with management

  • Analytical procedures

  • Inspection

  • Observation

🔟 Analytical Procedures in Risk Assessment

Used at planning stage to:

  • Identify unusual fluctuations

  • Identify unexpected relationships

  • Highlight potential misstatements

Example:
Revenue increased 40% but expenses stayed same → suspicious.

🔵 PART 2: PLANNING (ISA 300)

Planning is not optional. It is required.

Purpose:

  • Efficient audit

  • Focus on risky areas

  • Proper resource allocation

1️⃣ Overall Audit Strategy

High-level plan including:

  • Scope

  • Reporting objectives

  • Timing

  • Direction of audit

Includes:

  • Characteristics of engagement

  • Reporting deadlines

  • Significant factors

  • Resources needed

2️⃣ Audit Plan

More detailed than strategy.

Includes:

  • Nature, timing and extent of procedures

  • Risk assessment procedures

  • Further audit procedures

  • Other required procedures

Strategy = big picture
Plan = detailed execution

3️⃣ Materiality (ISA 320)

Materiality = threshold above which misstatements affect user decisions.

Types:

(a) Overall Materiality

Based on benchmark:

  • 5% profit before tax

  • 1% revenue

  • 1–2% total assets

Depends on nature of company.

(b) Performance Materiality

Lower than overall materiality.

Used to:
Reduce risk that total uncorrected errors exceed materiality.

Usually 50–75% of overall materiality.

(c) Specific Materiality

For sensitive areas:

  • Related party transactions

  • Directors’ remuneration

  • Regulatory disclosures

4️⃣ Revision of Materiality

Materiality must be revised if:

  • Profit changes significantly

  • Unexpected events occur

  • New information arises

5️⃣ Documentation

Auditor must document:

  • Audit strategy

  • Audit plan

  • Changes during audit

  • Risk assessment conclusions

No documentation = assumed not done.

6️⃣ Use of Experts

If auditor lacks expertise (e.g., property valuation), may use expert.

Auditor must evaluate:

  • Competence

  • Objectivity

  • Adequacy of work

Auditor still responsible for opinion.

7️⃣ Planning with Internal Audit

If client has internal audit:
Auditor may rely on their work.

But must evaluate:

  • Objectivity

  • Competence

  • Systematic approach

Cannot rely if internal audit weak.

8️⃣ Communication with Those Charged with Governance

Discuss:

  • Scope and timing

  • Significant risks

  • Internal control deficiencies

  • Independence

9️⃣ Small Entity Considerations

Less formal planning but still required.

Controls may be limited → more substantive testing.

🔟 Professional Scepticism

Must:

  • Question management

  • Not assume honesty

  • Consider contradictory evidence

Especially important in:

  • Estimates

  • Going concern

  • Related parties

🔴 EXAM STRUCTURE FOR RISK QUESTIONS

When answering risk & planning question:

Use this format:

  1. Identify risk

  2. Explain why it is a risk

  3. State affected assertion

  4. State audit response

If you don’t follow structure → you lose marks.

🔥 What You Must Be Able to Do in Exam

You should be able to:

  • Calculate audit risk

  • Identify business risks

  • Identify risks of material misstatement

  • Link to assertions

  • Suggest audit responses

  • Calculate materiality

  • Explain performance materiality

  • Identify significant risks

  • Discuss fraud risks

  • Explain planning documentation

If you can’t do these confidently, you are not ready.