Audit Risk; Materiality and Audit Risk:

At the account-balance or class-of-transactions level, audit risk consists of-

(a) inherent risk and control risk that the balance or class and related assertions contain misstatements,
whether caused by error or fraud, that could be material to the financial statements when aggregated with
misstatements in other balances or classes and
(b) detection risk that the auditor will not detect such misstatements.

Audit Risk Model

AR = IR x CR x DR; where, AR = Audit risk – Also referred to as Residual Risk – The risk that the
auditor will incorrectly issue an unqualified opinion,
IR = Inherent risk – The risk of material misstatements absent any internal controls or testing,
CR = Control risk – The risk that internal controls will fail to prevent or detect material misstatement;
DR = Detection risk – The risk that audit tests will fail to detect material misstatement.

Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor
Risk Components. Inherent risk – Higher in complex transactions – Higher where items are more
naturally prone to fraud – Based in part on prior experience – Industry and management pressures.

Inherent risk cannot be changed by the auditor.

Audit Risk = risk that internal controls will FAIL to prevent or detect misstatement – High CR means
high risk controls will fail – Low CR means low risk controls will fail. If CR is high, auditor will not rely
much on controls. If CR is low, auditor can rely on Internal Control System and reduce other types of
testing.

Is Risk Quantifiable? (Yes and No)

It is often assessed in percentage terms. It requires judgment because no number is out there to be
measured. Detection risk needs to be quantified for statistical testing.

Acceptable audit risk is the risk that the auditor will unknowingly fail to appropriately modify his or
her opinion on financial statements that are materially misstated. In other words it is the
probability of audit failure.
Preliminary materiality judgment are determined during the planning phase by the auditor and its
related to the amount of misstatements in an assertion or class of transactions that an auditor could
tolerate.
Audit risk and materiality are two separate but overlapping concepts. In other words, the auditor
to determine the acceptable level of audit risk uses Preliminary judgments about materiality. As
materiality decreases, the auditor will lower the acceptable audit risk.

Materiality and audit risk are inversely related : There is an inverse relationship between materiality
and the level of audit risk, that is, the higher the materiality level, the lower the audit risk and vice versa.
The auditor takes the inverse relationship between materiality and audit risk into account when
determining the nature, timing and extent of audit procedures. For example, if, after planning for specific
audit procedures, the auditor determines that the acceptable materiality level is lower, audit risk
is increased.
The auditor would compensate for this by either "a. reducing the assessed risk of material
misstatement, where this is possible, and supporting the reduced level by carrying out extended or
additional tests of control orb.
Reducing detection risk by modifying the nature, timing and extent of planned substantive
procedures.

Introduction to Audit Sampling (SA 530)

Standard on Auditing (SA 530) applies when the auditor has decided to use audit sampling in
performing audit procedures. It deals with the auditor's use of statistical and non-statistical
sampling when designing and selecting the audit sample, performing tests of controls and tests of
details, and evaluating the results from the sample.
Objective

The objective of the auditor when using audit sampling is to provide a reasonable basis for the
auditor to draw conclusions about the population from which the sample is selected.

Definitions

5. For purposes of the SAs, the following terms have the meanings attributed below:

a. Audit sampling (sampling) - The application of audit procedures to less than 100% of items
within a population of audit relevance such that all sampling units have a chance of selection in
order to provide the auditor with a reasonable basis on which to draw conclusions about the
entire population.

b. Population - The entire set of data from which a sample is selected and about which the
auditor wishes to draw conclusions.

c. Sampling risk - The risk that the auditor's conclusion based on a sample may be different from
the conclusion if the entire population were subjected to the same audit procedure, Sampling risk
can lead to two types of erroneous conclusions:

(i) In the case of a test of controls, that controls are more effective than they actually are, or in
the case of a test of details, that a material misstatement does not exist when in fact it does. The
auditor is primarily concerned with this type of erroneous conclusion because it affects audit
effectiveness and is more likely to lead to an inappropriate audit opinion.

(ii) In the case of a test of controls, that controls are less effective than they actually are, or in the
case of a test of details, that a material misstatement exists when in fact it does not. This type of
erroneous conclusion affects audit efficiency as it would usually lead to additional work to
establish that initial conclusions were incorrect.

d. Non-sampling risk - The risk that the auditor teaches an erroneous conclusion for my reason
not related to sampling risk.

e. Anomaly - A misstatement or deviation that is demonstrably not representative of

misstatements or deviations in a population.

f. Sampling unit - The individual items constituting a population.

g. Statistical sampling - An approach to sampling that has the following characteristics:

(i) Random selection of the sample items; and

(ii) The use of probability theory to evaluate sample results, including measurement of sampling
risk.

A sampling approach that does not have characteristics (i) and (d) is considered non-statistical
sampling.

h. Stratification - The process of dividing a population into sub-populations, each of which is a

group of sampling units, which have similar characteristics (often, monetary value).

i. Tolerable misstatement- A monetary amount set by the auditor in respect of which the auditor
seeks to obtain an appropriate level of assurance that the monetary amount set by the auditor is
not exceeded by the actual misstatement in the population.

j. Tolerable rate of deviation - A rate of deviation from prescribed internal control procedures set
by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance
that the rate of deviation set by the auditor is not exceeded by the actual rate of deviation in the
population.
Sample Design, Size and Selection of Items for Testing

When designing an audit sample, the auditor shall consider the purpose of the audit procedure
and the characteristics of the population from which the sample will be drawn.

The auditor shall determine a sample size sufficient to reduce sampling risk to an acceptably low
level.

The auditor shall select items for the sample in such a way that each sampling unit in the
population has a chance of selection.

Performing Audit Procedures

The auditor shall perform audit procedures, appropriate to the purpose, on each item selected.

If the audit procedure is not applicable to the selected item, the auditor shall perform the
procedure on a replacement item.

If the auditor is unable to apply the designed audit procedures, or suitable alternative procedures,
to a selected item, the auditor shall treat that item as a deviation from the prescribed
control, in the case of tests of controls, or a misstatement, in the case of tests of details.

Nature and Cause of Deviations and Misstatements

The auditor shall investigate the nature and cause of my deviations or misstatements identified,
and evaluate their possible effect on the purpose of the audit procedure and on other areas of the
audit.

In the extremely rare circumstances when the auditor considers a misstatement or deviation
discovered in a sample to be an anomaly, the auditor shall obtain a high degree of certainty that
such misstatement or deviation is not representative of the population. The auditor shall obtain
this degree of certainty by performing additional audit procedures to obtain sufficient appropriate
audit evidence that the misstatement or deviation does not affect the remainder of the population.

Evaluating Results of Audit Sampling

The auditor shall evaluate:

a. The results of the sample; and

b. Whether the use of audit sampling has provided a reasonable basis for conclusions about the
population that has been tested.

Application and Other Explanatory Material Definitions

Non-Sampling Risk

Examples of non-sampling risk include use of inappropriate audit procedures, or

misinterpretation of audit evidence and failure to recognize a misstatement or deviation.

Sampling Unit

The sampling units might be physical items (for example, cheques listed on deposit slips, credit
entries on bank statements, sales invoices or debtors' balances) or monetary units.

Tolerable Misstatement
When designing a sample, the auditor determines tolerable misstatement in order to address the
risk that the aggregate of individually immaterial misstatements may cause the financial
statements to be materially misstated and provide a margin for possible undetected
misstatements. Tolerable misstatement is the application of performance materiality as defined in
SA 320 (Revised), 3 to a particular sampling procedure. Tolerable misstatement may be the same
amount or an amount lower than performance materiality.

Sample Design, Size and Selection of Items for Testing

Sample Design

Audit sampling enables the auditor to obtain and evaluate audit evidence about some
characteristic of the items selected in order to form or assist in forming a conclusion concerning
the population from which the sample is drawn. Audit sampling can be applied using either non-
statistical or statistical sampling approaches.

When designing an audit sample, the auditor's consideration includes the specific purpose to be
achieved and the combination of audit procedures that is likely to best achieve that purpose.
Consideration of the nature of the audit evidence sought and possible deviation or misstatement
conditions or other characteristics relating to that audit evidence will assist the auditor in
defining what constitutes a deviation or misstatement and what population to use for sampling.
In fulfilling the requirement of paragraph 8 of SA 500 (Revised), when performing audit
sampling, the auditor performs audit procedures to obtain evidence that the population from
which the audit sample is drawn is complete.

The auditor's consideration of the purpose of the audit procedure, as required by paragraph 6,
includes a clear understanding of what constitutes a deviation or misstatement so that all, and
only, those conditions that are relevant to the purpose of the audit procedure are included in the
evaluation of deviations or projection of misstatements. For example, in a test of details relating
to the existence of accounts receivable, such as confirmation, payments made by the customer
before the confirmation date but received shortly after that date by the client, are not considered
a misstatement. In addition, a mis-posting between customer accounts does not affect the total
accounts receivable balance. Therefore, it may not be appropriate to consider this a misstatement
in evaluating the sample results of this particular audit procedure, even though it may have an
important effect on other areas of the audit, such as the assessment of the risk of fraud or the
adequacy of the allowance for doubtful accounts.

In considering the characteristics of a population, for tests of controls, the auditor makes an
assessment of the expected rate of deviation based on the auditor's understanding of the relevant
controls or on the examination of a small number of items from the population. This assessment
is made in order to design an audit sample and to determine sample size. For example, if the
expected rate of deviation is unacceptably high, the auditor will normally decide not to perform
tests of controls. Similarly, for tests of details, the auditor makes an assessment of the expected
misstatement in the population. If the expected misstatement is high, 100% examination or use of
a large sample size may be appropriate when performing tests of details.

In considering the characteristics of the population from which the sample will be drawn, the
auditor may determine that stratification or value weighted selection is appropriate. Appendix I
provides further discussion on stratification and value weighted selection.

The decision whether to use a statistical or non-statistical sampling approach is a matter for the
auditor's judgment, however, sample size is not a valid criterion to distinguish between statistical
and non-statistical approaches.

Sample Size

The level of sampling risk that the auditor is willing to accept affects the sample size required.
The lower the risk the auditor is willing to accept, the greater the sample size will need to be.

The sample size can be determined by the application of a statistically-based formula or through
the exercise of professional judgment. Appendices 2 and 3 indicate the influences that various
factors typically have on the determination of sample size. When circumstances are similar, the
effect on sample size of factors such as those identified in Appendices 2 and 3 will be similar
regardless of whether a statistical or non-statistical approach is chosen.

Selection of Items for Testing

With statistical sampling, sample items are selected in a way that each sampling unit has a
known probability of being selected. With non-statistical sampling, judgment is used to select
sample items. Because the purpose of sampling is to provide a reasonable basis for the auditor to
draw conclusions about the population from which the sample is selected, it is important that the
auditor selects a representative sample, so that bias is avoided, by choosing sample items which
have characteristics typical of the population.

The principal methods of selecting samples are the use of random selection, systematic selection
and haphazard selection.

The Auditor's role with respect to detection of errors and fraud is to ensure the following:
1. The assessment and identification of residual and inherent risk, control measures and
mitigation of risk measures are in place (Compliance Assurance Program).
2. The effectiveness and relevance of Assurance, Detection and Monitoring management tools.
3. Suggest changing the processes in order to strengthen the controls to avoid errors and frauds.
4. Support the fraud and investigation team in identification, assessment, investigation and
monitoring of suspicious transactions.

“Audit sample is to be analysed to conclude that a misstatement or deviation is

an anomaly”
Types of error in sample

Statistical Sampling Technique

Non–Statistical Sampling Technique

Write a note on audit risk

Answer:
In very broad terms, audit risk is the risk of a material misstatement of a financial statement
item that is or should be included in the audited financial statements of an entity. In theory,
audit risk rangers anywhere from zero, where there is complete certainty of no material
misstatement, to one, where there is complete certainty of a material misstatement. In practice,
however, audit risk is always greater than zero. There is always some risk of material
misstatement as it is not possible, (except for the audit of the simplest of financial statements),
due to the limitations inherent in both accounting and auditing, to be absolutely certain that a
material misstatement will not exist.
―Audit risk‖ is the risk that the auditor gives an in appropriate audit opinion when the financial
statements are materially misstated. Such misstatements can result from either fraud or error.
SA 400 on ―Risk Assessments and internal controls‖ identifies the following three
components of audit risk:
a Inherent risk –it is the susceptibility of an account balance or class of transaction to
misstatements that could be material, either individually or when taken together with
misstatements in other balance or classes, assuming that there were no internal controls.

b Control risk –It is the risk that misstatement, that could occur in an account balance or
class of transactions and that could be material, either individually or where taken together
with misstatements in other balances or classes, will not be prevented/detected/corrected
on timely basis by the accounting and internal control systems.

c Detection risk -It is the risk that an auditor‘s substantive procedures (the procedures
designed to obtain evidence as to the completeness, accuracy and validity of the data
produced by the accounting system) will not detect a misstatement that exists in account
 balance or class of transaction that could be material, either individually or when taken
together with misstatements in other balances or classes.

What are the differences between internal control, internal check and internal audit?
Solution:
Differences between internal control, internal check and internal audit:
Internal Internal
S. Basis Audit Control Internal check
No
1 Meaning It is a continuous It consists of all the A system of allocation of
critical review of methods and responsibility, division of work
financial and procedures adopted and methods of recording
operating to assist in achieving transactions, whereby the
activities by a the objective of work of an employee is
staff member of efficient conduct of checked continuously by
the auditor. business. It includes another.
internal check and
internal audit.
2 Way of In an internal In internal controls It operates in routine to
checking audit system, systems, work of one doubly check every part of
each person is a transaction at the time of
component of automatically occurrence and recording
work is checked. checked by another. of the same.
3 Objective Its objective is to Its objective is to Its objective is to ensure that
evaluate the ensure adherence to no one employee has
internal control management exclusive control over any
system and to policies, transaction or group of
detect frauds safeguarding of transactions and their
and errors. assets, prevention recording in the books.
and detection of
frauds and errors,
accuracy and
completeness of
accounting records.
4 Point of time In an internal In an internal control Methods of recording
audit system, system, checking is transactions are devised
work is checked done simultaneously where work of an employee
after it is done. with the conduct of is checked continuously by
work. Every correlating it with the work
transaction is of others.
checked as soon as
it is entered.
5 Thrust of The thrust of The thrust of internal The thrust of internal control
system internal system is check system is to lies in fixing of responsibility
to detect errors prevent errors. and division of work to avoid
and frauds duplication.
6 Cost In an internal The system proves to It is a part of internal control
involvement audit system, be costly in case of and a method of division of
work is checked small businesses work, therefore does not
 specially because more add to the cost.
therefore cost is number of
involved in employees are
addition to engaged.
accounting.
7 Report The internal Internal controls The summary of day to day
auditor submits provide for built in transactions work as report
his report to the MIS reports. for the senior.
management.