Understanding the entity and environment - Risk of material ...

Learning Outcomes

After reading this article, you will be able to explain the meaning of risk of material misstatement, distinguish inherent from control risk, and describe how auditors obtain understanding of the entity and its environment to assess risk. You will be able to identify risk factors, categorise misstatements, and apply risk assessment concepts to practical scenarios, including audit planning.

ACCA Audit and Assurance (AA) Syllabus

For ACCA Audit and Assurance (AA), you are required to understand audit risk and methods for risk assessment. Particular areas of focus in this article include:

• The components of audit risk: risk of material misstatement (inherent and control risk) and detection risk
• The definition and causes of inherent and control risk
• How auditors obtain an understanding of the entity and its environment, including internal control and the applicable financial reporting framework
• Procedures for identifying and assessing risk of material misstatement at the financial statement and assertion levels
• How understanding risk informs audit planning and procedures
• The use of analytical procedures to identify areas of increased risk
• The importance of professional scepticism and judgement in risk assessment

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

1. Which two elements make up the auditor’s assessment of the risk of material misstatement?
2. State and briefly describe three procedures an auditor carries out to gain an understanding of a company’s business environment.
3. Give an example scenario of inherent risk and one of control risk in an audit context.
4. How do analytical procedures help in identifying potential areas of misstatement?
5. Which risks are determined by the auditor, and which by the client’s circumstances?

Introduction

Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. Audit risk has three components: inherent risk, control risk, and detection risk. The first two combine to form the risk of material misstatement, which exists independently of the audit. Understanding these risks and their sources is essential for planning an effective audit and designing procedures to respond.

Key Term: audit risk
The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.

The risk of material misstatement

Risk of material misstatement (RMM) is assessed at both overall financial statement level and at the assertion level for classes of transactions, account balances, and disclosures. RMM exists prior to the auditor’s work and is the combination of inherent and control risk.

Key Term: risk of material misstatement
The risk that the financial statements are materially misstated prior to audit, due to error or fraud, comprising inherent and control risk.

Key Term: inherent risk
The susceptibility of an assertion about a class of transaction, account balance, or disclosure to misstatement that could be material, before considering related controls.

Key Term: control risk
The risk that a misstatement that could occur and be material will not be prevented, or detected and corrected on a timely basis by the entity’s controls.

Inherent risk

Inherent risk arises from the nature of the entity, its business environment, or the specific item to be audited. Factors influencing inherent risk include complexity of transactions, subjectivity in estimates, rapid change, susceptibility to fraud, and management’s incentives or bias.

Examples:

• Estimation of warranty provisions (subjective judgement)
• Revenue recognition in a business with complex contracts (complexity)
• Inventory obsolescence risk in technology industries

Control risk

Control risk results when a client’s internal controls do not prevent or detect material errors or fraud. It is affected by factors such as weaknesses in control environment, lack of segregation of duties, or absence of approval processes.

Examples:

• Sales invoices issued without approval
• Inventory counts conducted without adequate supervision

Relationship of risks within audit risk

Audit risk = Inherent risk × Control risk × Detection risk

• Inherent and control risk arise from the client and its environment.
• Detection risk is influenced by the auditor's procedures and can be reduced by more extensive or improved evidence.

Worked Example 1.1

A retail company operates in a highly competitive fast-fashion sector where styles and stock change rapidly. What inherent risks might the auditor identify for inventory, and how could control risk increase the chance of a material misstatement?

Answer:
The inherent risk is high because technology and trends cause inventory to become obsolete quickly, increasing the likelihood that it is overstated. Control risk may be high if there are no regular inventory counts or weak controls over write-downs for unsellable stock.

Obtaining understanding of the entity and environment

Obtaining sufficient understanding of the entity and its environment, including its system of internal control and applicable financial reporting framework, is a planned procedure under ISA 315. Auditors must identify relevant business risks, how the entity responds, and how these could result in material misstatements.

Key areas to understand:

• Industry, regulatory, and economic environment
• Nature of the entity (operations, ownership, governance, investments)
• Selection and application of accounting policies
• Objectives, strategies, and business risks
• Entity’s measurement and review of financial performance

Procedures the auditor performs include:

• Enquiry of management and staff
• Observation and inspection of processes or documents
• Analytical procedures (comparison of results, ratios, trends, and expectations)

Key Term: analytical procedures
Evaluations of financial information through analysis of plausible relationships among financial and non-financial data, and investigation of unexpected variances.

Assessing risks at assertion level

Assertions are representations about classes of transactions, account balances, and disclosures, such as occurrence, completeness, accuracy, valuation, rights and obligations, and cut-off.

The auditor must assess RMM for each relevant assertion and plan audit procedures accordingly.

Worked Example 1.2

During planning, a client’s trade receivables collection period increases significantly from prior years with no change in credit policy or customer mix. What risk may this indicate, and what assertion does it relate to?

Answer:
There is an increased risk of overstatement of receivables due to potential irrecoverable debts. This relates to the valuation assertion for trade receivables.

Analytical procedures and risk identification

Analytical procedures help auditors identify unexpected variances, trends, or relationships, which may signal areas of greater RMM. For example, a gross profit margin significantly higher than industry average, or an operating expense ratio lower than previous periods, could indicate possible misstatement or error.

Categories of misstatements

Misstatements identified can be:

• Factual: Errors with no judgement or subjectivity
• Judgemental: Arise from different estimates or policies
• Projected: Errors identified in a sample extrapolated to the population

The auditor’s response to assessed risk

A higher risk of material misstatement leads to lower tolerable detection risk, more substantive procedures, modified nature and timing of testing, or increased supervision and experienced staff.

Worked Example 1.3

A company with a weak segregation of duties in its purchasing department relies on a single individual to authorise, record, and approve purchases. What is the main risk and which risk category does this impact?

Answer:
The main risk is that fraudulent or erroneous purchases go undetected, resulting in possible understatement or overstatement of expenses or payables. This primarily increases control risk, and thus RMM.

Exam Warning

Always distinguish between inherent and control risk in exam scenarios. Failing to explain whether a risk arises from the nature of the item or from poor controls is a frequent cause of lost marks.

Summary

Risk of material misstatement combines inherent and control risk—both set before audit procedures begin. Auditors must gain robust understanding of the business, identify and assess RMM at all relevant levels, and design appropriate audit responses. Analytical procedures and scepticism are essential in this process.

Key Point Checklist

This article has covered the following key knowledge points:

• Define audit risk and the components of risk of material misstatement
• Differentiate inherent risk (arising from item/nature) and control risk (arising from weak controls)
• List factors that affect inherent and control risk in practice
• State procedures used to obtain understanding of the entity and its environment
• Explain how analytical procedures and assertion-specific assessments help identify misstatements
• Describe how auditors respond to high RMM with audit procedures

Key Terms and Concepts

• audit risk
• risk of material misstatement
• inherent risk
• control risk
• analytical procedures