The process within an audit of financial statements involves a number of crucial steps that must be undertaken to enable the auditor to obtain reasonable assurance about whether the financial statements, as a whole, are free from material misstatement.
To be in a position to obtain reasonable assurance that the financial statements are free from material misstatement, the auditor needs to ensure audit risk is reduced to an acceptably low level. This therefore enables the auditor to draw conclusions on which to base the audit opinion.
Audit risk can be defined as the risk that the auditor expresses an inappropriate audit opinion when the financial statements are indeed materially misstated.
The first step within an audit of financial statements involves the planning stage. Once the auditor has planned the audit and carried out the necessary steps to understand the entity and its environment and the entity’s system of internal control, the auditor will need to assess the risk of material misstatement and identify any significant risks pertaining to the entity.
The identification of risks will include the assessment of the severity of such risk, with significant risks being the most severe risks identified by the auditor.
A significant risk can be defined as an identified risk of material misstatement for which the assessment of inherent risk is higher, due to the degree to which the inherent risk factors affect both the likelihood of the misstatement occurring, as well as the magnitude of the potential misstatement, should that misstatement occur. Therefore, should a risk factor be in place that is likely to result in a misstatement within the financial statements of a greater magnitude, then that risk factor should be considered to be significant.
Examples of risk factors could include the following:
- Complex regulation by which the company must abide, including but not limited to capital requirements, liquidity requirements;
- Tight loan covenants;
- Complex transactions within the entity’s book-keeping;
- Wide range of possible accounting estimates;
- Volatility in the market in which the entity operates;
- Transactions with related parties;
- Performance based bonuses and commissions.
Usual, routine, non-complex transactions would be less likely to give rise to significant risks. Alternatively, unusual, complex and judgemental transactions are more likely to bring about significant risk.
The compilation of analytical procedures will assist the auditor to identify and assess risks of material misstatement. Such procedures will involve the analysis of relationships within entity balances to identify inconsistencies and unexpected relationships. Such procedures should be carried out at both risk assessment stage, as well as at the final stages of the audit. Analytical procedures at the risk assessment stage would assist the auditor to identify any aspects within the entity that the auditor may not have known about. They will further assist the auditor to assess the risks of material misstatement to be able to determine the nature, timing and extent of further audit procedures.
The process for determining the level of audit risk within an entity’s transactions requires the auditor to exercise professional judgment.
Once the auditor has identified and assessed the risks of material misstatement within an audit, the auditor must then respond to such audit risks accordingly. This will involve the process of designing and implementing procedures and responses to obtain sufficient and appropriate audit evidence about such risks. It is imperative that audit testing is directed to identified risky areas, to ensure that the audit is carried out in the most efficient and effective manner possible.
The following risks are usually deemed to be significant risks in an audit of financial statements, and would therefore require increased focus from the auditor in terms of testing:
- The risk of management override of controls
- The risk of revenue being recognised improperly
- The use of related party transactions for fraud purposes
In a case where the auditor does not deem revenue recognition to be a significant risk, then such risk should be rebutted and documented accordingly.
Documentation, in an audit of financial statements, enables reviewers and others outside of the engagement team, to assess and review relevant audit evidence obtained and the audit conclusions reached. In light of the above, it is imperative that the risk assessment process undertaken by the auditor is documented in sufficient detail and in line with the requirements of ISA 230.