RELEVANT TO ACCA QUALIFICATION PAPER F8 AND
PERFORMANCE OBJECTIVES 17 AND 18
Audit risk
Candidates studying Paper F8, Audit and Assurance, are required under the
syllabus to: ‘Explain the components of audit risk and explain the risks of
material misstatement in the financial statements’.
This element of the syllabus has been examined in the last three sessions of
Paper F8 – in June 2010, December 2010 and June 2011. However, the
performance of candidates has on the whole been unsatisfactory. This article
aims to identify the most common mistakes made by candidates as well as
clarifying how audit risk questions should be tackled in order to maximise
marks.
An example question requirement relating to audit risks is as follows:
Describe the audit risks and explain the auditor’s response to each risk in planning
the audit of XYZ Co.
Previously examined risk questions have carried a mark allocation of 10 marks.
However, a significant majority of candidates have not passed this part of the
question. Common mistakes made include:
? providing definitions of the audit risk model, even though this was not
part of the question requirement
? a lack of understanding of what audit risk is and providing business risks
instead
? not providing an adequate response to the risk. This needs to be from
the perspective of the auditor and not from management’s perspective
? a limited range of risks identified, often just focusing on one area such
as going concern.
Audit risk definitions
Audit risk is defined as ‘the risk that the auditor expresses an inappropriate
audit opinion when the financial statements are materially misstated. Audit
risk is a function of the risks of material misstatement and detection risk’.
Hence, audit risk is made up of two components – risks of material
misstatement and detection risk.
Risk of material misstatement is defined as ‘the risk that the financial
statements are materially misstated prior to audit. This consists of two
components… inherent risk … control risk.’
Inherent risk is ‘the susceptibility of an assertion about a class of transaction,
account balance or disclosure to a misstatement that could be material, either
2
AUDIT RISK
NOVEMBER 2011
individually or when aggregated with other misstatements, before
consideration of any related controls.’
Control risk is ‘the risk that a misstatement that could occur in an assertion
about a class of transaction, account balance or disclosure and that could be
material, either individually or when aggregated with other misstatements, will
not be prevented, or detected and corrected, on a timely basis by the entity’s
internal control.’
Detection risk is defined as ‘the risk that the procedures performed by the
auditor to reduce audit risk to an acceptably low level will not detect a
misstatement that exists and that could be material, either individually or when
aggregated with other misstatements.’
Audit risk questions require candidates to identify risks of material
misstatements, which include inherent and control risks as well as detection
risks.
Audit risk model
In all three sessions a number of candidates have wasted valuable time by
describing the audit risk model along with definitions of audit risk, inherent
risk, control and detection risk. Unless the question requirement specifically
asks for the ‘components of audit risk’ or ‘a description of the audit risk
model’, candidates should not provide definitions of audit risk, inherent risk,
control risk or detection risk as no marks are available.
Audit risk versus business risk
The main area where candidates continue to lose marks is that they do not
actually understand what audit risk relates to. Hence, they frequently provide
answers that consider the risks the business would face or ‘business risks’,
which are outside the scope of the syllabus. There are no marks available for
business risks.
Business risks are defined as ‘a risk resulting from significant conditions,
events, circumstances, actions or inactions that could adversely affect an
entity’s ability to achieve its objectives and execute its strategies, or from the
setting of inappropriate objectives and strategies’.
Risks must be related to the risk arising in the audit of the financial statements
and should include the financial statement assertion impacted. Therefore,
audit risks should be related back to relevant assertions.
