Risk-based Audit

Basic Concepts & Applications

Eko Yulianto
Reference

Auditing: A Risk-Based
Approach to Conducting
Quality Audits - 9th Edition
Karla Johnstone, Audrey Gramling, Larry E. Rittenberg

2
Lecture Method

❖ Lecture will be given for 150

minutes
❖ Students can ask questions at
any time during the lecture

3
 Prizes for Class Participations
For 2 most-active-students in this lecture (1 book each)

Available on www.tokopedia.com/bukuaudit
or Google Books https://bit.ly/ExcelGoPlay dan https://bit.ly/AccessGoPlay 4
What do you want to know?

5
Agenda

❖ Financial audit: definition,

objectives, and approaches
❖ Basic concepts in auditing -
revisited
❖ Risk-based financial audit
process

6
 Financial Audit
Definition, Objectives & Approaches

7
Financial Audit - Definition
...systematic process of objectively
obtaining and evaluating evidence
regarding assertions about economic actions
and events to ascertain the degree of
correspondence between those assertions
and established criteria; and communicating
the results to interested users

(Auditing Concepts Committee, “Report of the Committee

on Basic Auditing Concepts,” The Accounting Review, 47,
Supp. (1972), 18.

8
Financial Audit - Overall Objectives
The overall objective of an audit is to In completing such objectives, the auditor:
obtain reasonable assurance about ★ Complies with relevant ethical
whether the financial statements are requirements
free from material misstatement and ★ Plans and performs an audit with
to report on the financial statements professional skepticism
based on the auditor’s findings. ★ Exercises professional judgment
★ Obtains sufficient appropriate
Source of misstatement: evidence on which to base the auditor’s
opinion
❖ Error ★ Conducts the audit in accordance with
❖ Fraud professional auditing standards

9
 Substantive
procedures
Vestibulum congue
approach

Vestibulum congue
Vestibulum congue
Audit Approaches Balance sheet
approach
System-based
approach

Vestibulum congue
Risk-based
approach

10
Substantive Procedures Approach
● This approach is generally used where the financial reporting system or internal controls over financial
reporting are not reliable.
● Auditors will not perform their testing on the entity’s internal control on financial reporting. They will jump to
the substantive testing by focusing on the large or material transactions.
● This approach is also called a vouching approach which means auditors select the large and significant
amounts of transactions and then check whether the transactions selected have enough and reliable
supporting documents.
● Auditors will also check whether accounting recognition and classifications are complying with the
accounting standard and framework being used to prepare the audit financial statements.
● The disadvantages of this approach are that it’s required to test a large number of transactions where the
audit resources will require more than others.
● And the benefit of this approach is it could help auditors to minimize that risks that internal control over
financial reporting could not detect.

11
Balance Sheet Approach
● The concept of a balance sheet audit approach is that auditors believe that once the account balance in the
balance sheet correctly records, then the accounting transactions in the income statements will also be
correctly records.
● This approach, the auditor will focus their testing high values balance sheet items where the transaction in
the income statements will be less focus on.
● In this approach, auditors assessed that if the items or accounting balance in the statement of financial
position is correct, the transaction in the income statements is unlikely materially misstated.
● Existence, Valuation, Right, and Obligation are the main financial assertion in balance sheet items.
● And as long as these assertions are correct, their related assertion is highly likely correct as well.
● For example, if the right, valuation, existence of assets are confirmed to be correctly recorded in the
balance sheet for both periods. There is less changed than depreciation if incorrectly records.
● Balance Sheet Audit Approach is applicable to be used in the situation where the company has just started
its business with large balance sheet items and fewer transactions.

12
System-based Approach
● The system-based approach is different from the substantive based approach. In the substantive based
approach, the auditor is not relying on the client’s internal control over financial reporting so they don’t test.
They go to vouching for all material transactions.
● However, in the system based audit approach, auditors first understand that there is a strong internal
control system being used based on their understanding from the entity’s management team.
● Yet, before relying on the system or internal control, auditors will need to perform a full understanding of the
client’s internal control over financial reporting.
● Once they performed an understanding of internal control, auditors will then need to perform testing and
validating those internal controls. This is to ensure that they are strong enough to produce the correct
financial reporting.
● If auditors concluded that the internal control over financial reporting is strong, they also need to perform
substantive testing but the volume of transactions is not that large as the substantive approach.

13
Risk-based Approach
● Risk-based on the audit approach is probably the one that you heard the most and also the most use of the
approach.
● The main concept of risks based approach is: reduce audit risks, do fewer works, and meet the
objectives. That is why this approach is mostly used by auditors.
● Risks based approach principally performs by understanding the client’s business, environments, and
internal control. Auditors will then need to assess the possible risks areas and material misstatement
that could possibly happen to the financial statements.
● Once the risk areas are identified, the auditors will design the auditor’s program and resources to detect
those risks.
● Doing so, auditors will not spend so much time to test the areas that have fewer risks and still meet the
objective.

14
Basic Concepts

15
Important Concepts related to Risk-based Auditing

★ Misstatement
★ Materiality
★ Internal control
★ Risks relevant to audit
★ Evidence
★ Fraud risk

16
 Misstatement
● A difference between the amount, classification, presentation, or
disclosure of a reported financial statement item and the amount,
classification, presentation, or disclosure that is required for the item to
be in accordance with the applicable financial reporting framework.
● Misstatements can arise from error or fraud.

17
• amount, • amount,
classification, difference classification,
presentation and presentation
disclosure of and disclosure
items of items
Misstatement
Financial Applicable financial
statements reporting framework

18
Sources of misstatement
ERROR - FRAUD

INACCURACY OMISSION INCORRECT JUDGMENT

• in gathering or • of amount or • accounting • of management
concerning accounting
processing data disclosure estimate arising estimates that the
from which the from overlooking, auditor considers
financial or clear unreasonable or the
selection and application
statements are misinterpretation of accounting policies
prepared of, facts that the auditor
considers inappropriate.

19
 Materiality
Materiality is applied in evaluating the effect of identified misstatements on the audit and of
uncorrected misstatements, if any, on the financial statements.
Misstatements, including omissions, are considered to be material if they, individually or in
the aggregate, could reasonably be expected to influence the economic decisions of users
taken on the basis of the financial statements;
Judgments about materiality are made in light of surrounding circumstances, and are
affected by the size or nature of a misstatement, or a combination of both; and
Judgments about matters that are material to users of the financial statements are based
on a consideration of the common financial information needs of users as a group. The
possible effect of misstatements on specific individual users, whose needs may vary widely, is
not considered.

20
Determination of materiality
The auditor’s determination of materiality:

● is a matter of professional judgment, and

● is affected by the auditor’s perception of the financial information
needs of users of the financial statements

21
When to apply materiality?
The concept of materiality is applied by the auditor both:

● in planning and performing the audit,

● in evaluating the effect of identified misstatements on the audit and of
uncorrected misstatements, if any, on the financial statements and in
forming the opinion in the auditor’s report.

22
Materiality consideration
● Quantitative ● Qualitative
○ Size of misstatement ○ Nature of misstatement
○ Based on percentage of ○ Take factors, such as
financial statement internal control and
component (assets, compliance with regulations,
revenues, expenditures etc.) into consideration
○ Example 2% of revenues

23
Internal Control

24
Internal Control Components and Principles

25
Risks relevant to Audit

26
Inherent Risk
The susceptibility of an assertion about a class of transaction, account
balance, or disclosure to a misstatement that could be material, either
individually or when aggregated with other misstatements, before
consideration of any related controls.

27
Control Risk
The risk that a misstatement that could occur in an assertion about a class of
transaction, account balance, or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be
prevented, or detected and corrected, on a timely basis by the entity’s
internal control.

28
Audit Risk
The risk that the auditor expresses an inappropriate audit opinion when
the financial statements are materially misstated.

29
Detection Risk
The risk that the procedures performed by the auditor to reduce audit risk to
an acceptably low level will not detect a misstatement that exists and that
could be material, either individually or when aggregated with other
misstatements.

30
Risks Model

AR = IR x CR x DR
or
❖ Audit risk
❖ Detection risk
❖ Control risk
❖ Inherent risk
DR = (IRxCR)/AR

31
 The interrelationship between
Risks and Evidence

Arens, et al. 2012, p.269

32
 Audit Evidence
❖ ...all the information, whether obtained from audit procedures or other
sources, that is used by the auditor in arriving at the conclusions on which
the auditor’s opinion is based.
❖ Audit evidence consists of both information that supports and corroborates
management’s assertions regarding the financial statements or internal
control over financial reporting and information that contradicts such
assertions.
❖ The auditor’s job is to obtain sufficient appropriate audit evidence on which
to base the audit opinion. The auditor wants to reduce the risk of issuing an
unqualified opinion on financial statements containing a material
misstatement or on internal control that has a material weakness

33
 The Interrelationship of Risk, Evidence
Appropriateness and Sufficiency

34
Appropriateness of Evidence
Appropriateness of audit evidence is a measure of its quality, including the
relevance of the evidence, that is, whether it provides insight on the validity
of the assertion being tested, and the reliability of the evidence, that is,
whether it is convincing.

● The relevance of evidence relates to the connection between the audit

procedure being performed and the assertion being audited.
● The reliability of evidence is influenced by its source and nature and
depends on the circumstances under which it is obtained.

35
Relevance

36
Reliability

37
 Audit Procedures

38
Sufficiency of Evidence
Sufficiency of evidence is the measure of the quantity of audit evidence.
The quantity of audit evidence needed is affected:
● by the auditor’s assessment of the risks of material misstatement (the
higher the assessed risks, the more audit evidence is likely to be required) and
also
● by the quality of such audit evidence (the higher the evidence quality, the
less evidence may be required).
The amount of evidence must be of sufficient quantity to convince the audit
team of the effectiveness of internal control or the accuracy of an account
balance or assertion.

39
Sampling: Obtaining Sufficient Audit Evidence
...The application of audit procedures to less than 100% of items within a
population of audit relevance such that all sampling units have a chance of
selection in order to provide the auditor with a reasonable basis on which to
draw conclusions about the entire population.

Sampling approach:

● Statistical sampling
● Nonstatistical (judgmental) sampling

40
 Fraud
...is an intentional act involving the use of deception that results in a
material misstatement of the financial statements.

Two types of misstatements are relevant to auditors’ consideration of fraud:

(a) misstatements arising from misappropriation of assets

(b) misstatements arising from fraudulent financial reporting.

Intent to deceive is what distinguishes fraud from errors. Auditors

routinely find financial errors in their clients’ books, but those errors are not
intentional.

41
Fraud Types
Misappropriation of assets Fraudulent financial reporting

● Gain access to cash and ● Manipulation, falsification, or

manipulate accounts to cover up alteration of accounting records or
cash thefts supporting documents
● Manipulate cash disbursements ● Misrepresentation or omission of
through fake companies events, transactions, or other
● Steal inventory or other assets significant information
and manipulate the financial ● Intentional misapplication of
records to cover up the fraud accounting principles

42
The Fraud Triangle
The term fraud triangle was introduced by career
criminologist Don Cressey more than 30 years ago.
Cressey started by identifying patterns in fraud
cases, and he identified three factors that were
consistently present in all frauds. Research over the
past two decades has reinforced the validity of the
fraud triangle.

The three elements of the fraud triangle include:

● Incentive to commit fraud

● Opportunity to commit and conceal the
fraud
● Rationalization—the mindset of the
fraudster to justify committing the fraud

Factors associated with these elements are referred to as fraud risk factors or red flags
43
 Fraud Cases - Examples

44
Risk-based Financial Audit Process

45
 Making Client Obtaining Evidence Completing the Audit and
Acceptance and about Internal Control Making Reporting
Continuance Decisions Operating Effectiveness Decisions

Phase 2 Phase 4

Phase 1 Phase 3 Phase 5

Performing Risks Obtaining Substantive
Assessment Evidence about
Accounts, Disclosures,
and Assertions

46

Risk-based Financial Audit Process

Activities within the phase

47
Activities within the phase

48
Auditing the Revenue Cycle

49
 Revenue Cycle Accounts

50
 Overview of the Sales Process

51
Identify & assess risk of material misstatement
Steps:
1. Assessing Factors Affecting Inherent Risk
2. Assessing Factors Affecting Control Risk
3. Assessing the Risks of Material Misstatement using Analytical Procedures
and Brainstorming Activities

52
Identifying Inherent Risk - Revenues
An important inherent risk related to revenue transactions is the timing of
revenue recognition.
Auditor must understand:
❖ The organization’s principal business, that is, what is the organization in the business of selling?
❖ The earnings process and the nature of the obligations that extent beyond the normal shipment of
goods. For example, after goods are shipped, does the seller have any ongoing service requirements
to the purchaser?
❖ The impact of unusual terms, and when title has passed to the customer.
❖ The right of the customer to return a product, as well as the returns history.
❖ Contracts that are combinations of leases and sales.
❖ The proper treatment of sales transactions made with recourse or that have an abnormal or
unpredictable amount of returns.

53
Identifying Inherent Risk - Receivables
The primary inherent risk associated with receivables is that the net amount is not
collectible, either because the receivables recorded do not represent genuine claims or an
insufficient allowance exists for uncollectible accounts.

Other inherent risks related to receivables:

❖ Receivables are pledged as collateral against specific loans with restricted use (disclosures of such restrictions are
required).
❖ Receivables are incorrectly classified as current when the likelihood of collection during the next year is low.
❖ Collection of a receivable is contingent on specific events that cannot currently be estimated.
❖ Payment is not required until the purchaser sells the product to its end customers.
❖ Accounts receivable are aged incorrectly, and potentially uncollectible amounts are not recognized.
❖ Orders are accepted from customers with poor credit, but the allowance for doubtful accounts is not increased
accordingly.

54
Performing Brainstorming Activities and Identifying Fraud Risk Factors

Auditing standards state that auditors should ordinarily presume there is a

risk of material misstatement caused by fraud relating to revenue
recognition.

A recent research study sponsored by the Committee of Sponsoring

Organizations (COSO), “Fraudulent Financial Reporting: 1998–2007—An
Analysis of U.S. Public Companies,” reviewed over 300 cases of fraudulent
financial statements issued between 1988 and 2007 and documented that
over 60% of the frauds involved inappropriate recording of revenue.

55
Fraud Scheme Revenue Cycle
● Recognition of revenue on shipments ● Shipment of more product than the
that never occurred customer ordered
● Hidden side letters, agreements ● Recording shipments to the company’s
containing contract terms that are not
own warehouse as sales
part of the formal contract, giving
● Shipping goods that had been returned
customers an irrevocable right to return
the product and recording the reshipment as a sale of
● Recording consignment sales as final new goods before issuing credit for the
sales returned sale
● Early recognition of sales that occurred ● Incorrect aging of accounts receivable and
after the end of the fiscal period not recording write-downs of potentially
● Shipment of unfinished product uncollectible amounts
● Shipment of product before customers ● Recording purchase orders as completed
wanted or agreed to delivery
sales
● Creation of fictitious invoices
● Lapping

56
Examples of Fraud Scheme in the Revenues Cycle

57
Identifying Fraud Risk Factors
● Assessing motivation to enhance revenue because of either internal or external
pressures
● Reviewing the financial statements through preliminary analytical procedures to
identify account balances that differ from expectations or general trends in the economy
● Recognizing that not all of the fraud will be instigated by management; for example,
a CFO or accounting staff person may engage in misappropriation of assets for his or her
own use
● Becoming aware of representations made by management to analysts and the
potential effect of those expectations on stock prices
● Determining whether the company’s performance is significantly different from that
of the rest of the industry or the economy
● Etc.

58
Identifying Control Risks
Once the auditor has obtained an understanding of the inherent and fraud risks of material
misstatement in the revenue and accounts receivable accounts, the auditor needs to
understand the controls that the client has designed and implemented to address those
risks.
Remember, the auditor is required to gain an overall understanding of internal controls
for both integrated audits and financial statement only audits. Such understanding is
normally gained by means of a walkthrough of the process, inquiry, observation, and
review of the client’s documentation.
The auditor considers both entity-wide controls and transaction controls at the account
and assertion levels. This understanding provides the auditor with a basis for making an
initial control risk assessment.

59
Controls Related to Existence/Occurance
Controls for existence should provide reasonable assurance that a sale and accounts
receivable are recorded only when shipment has occurred and the primary revenue
producing activity has been performed. Recall that sales transactions should be recorded only
when title has passed and the company has received cash or a collectible receivable.

A control to mitigate the risk that unearned revenues are recorded is to distribute
monthly statements to customers. However, the control should be such that the statements
are prepared and mailed by someone independent of the department who initially processed
he transactions.

Further, customer inquiries about their balances should be channeled to a department or

individual that is independent of the original recording of the transactions.

60
Controls Related to Completeness
Controls related to completeness are intended to provide reasonable assurance that all valid sales
transactions are recorded. For example, transactions may not be recorded because of sloppy procedures.

In some cases, companies may choose to omit transactions because they want to minimize taxable
income. Thus, the auditor needs to consider completeness controls, which might include the following:

● Use of prenumbered shipping documents and sales invoices and the subsequent accounting for all
numbers
● Immediate online entry into the computer system and immediate assignment of unique
identification number by the computer application
● Reconciliation of shipping records with billing records
● Supervisory review, such as review of transactions at a fast-food franchise
● Reconciliation of inventory with sales, such as the reconciliation o liquor at a bar at the end of the
night with recorded sales

61
Controls Related to Valuation
Implementing controls related to proper valuation of routine sales transactions should be
relatively straightforward. Sales should be made from authorized price lists—for example,
the price read by a scanner at Wal-Mart or the price accessed by a salesperson from a laptop.
In these situations, the control procedures should provide reasonable assurance the correct
input of authorized price changes into the computer files and limit access to those files,
including the following:
● Limiting access to the files to authorized individuals
● Printing a list of changed prices for review by the department that authorized the
changes
● Reconciling input with printed output reports to assure that all changes were made
and no unauthorized ones were added
● Limiting authorization privileges to those individuals with the responsibility for pricing

62
 Documenting Controls
Control Risk Assessment Questionnaire:
Sales and Receivables

63
 Documenting Controls
Control Risk Assessment Questionnaire:
Sales and Receivables

64
Perform Preliminary Analytical Procedures
When planning the audit, the auditor is required to perform preliminary analytical procedures. These
procedures can help auditors identify areas of potential misstatements.

Four steps:

1. Develop an expectation
2. Determine when a difference between expectation and recorded amount is considered as significant
3. Compute the difference between auditor’s expectation and client’s recorded amount
4. Follow up significance differences that highlight areas where there is a heightened risk of material
misstatement requiring further investigation by the auditor.

The auditor’s response to identified risks of material misstatement needs to address these heightened
areas of risk. The auditor plans the nature, timing, and extent of audit procedures in a way that will
most effectively address those risks.

65
Respond to identified material misstatement
Steps:

1. Determining Detection Risk and Audit Risk

2. Planning Audit Procedures to Respond to the Assessed Risks of Material
Misstatement

66
Nature, Timing, and Extent of Risk Response Procedures
The nature, timing, and extent of the auditor’s risk response depend on the auditor’s
assessment of the risk of material misstatement.

● The nature of risk response refers to the types of audit procedures to be performed,
with a focus on the appropriateness (relevance and reliability) of those procedures.
● The timing of risk response refers to when audit procedures are conducted and
whether those procedures are conducted at announced or predictable times.
● The extent of risk response refers to the sufficiency of evidence that is necessary
given the client’s assessed risks, materiality, and the level of acceptable audit risk. When
the risk of material misstatement is heightened, the auditor increases the extent of audit
procedures and demands more evidence.

67
The Interrelationship Between Risks

Remember the Risks Model: AR = IR x CR x DR 68

69
Select controls to test and perform test of control
The auditor selects controls that are important to the auditor’s conclusion
about whether the organization’s controls adequately address the assessed risk of
material misstatement in the cycle being audited, e.g. revenue cycle.
The auditor will select both entity-wide and transaction controls for testing. Typical
tests of transaction controls include:
● inquiry of personnel performing the control
● observation of the control being performed
● inspection of documentation confirming that the control has been
performed, and
● reperformance of the control by the individual testing the control

70
 Test of Control in Revenue Cycle

71
Consider the results of test of controls
The auditor will analyze the results of the tests of controls to determine
additional appropriate procedures. There are two potential outcomes:
1. If control deficiencies are identified, the auditor will assess those deficiencies to determine
their severity (are they significant deficiencies or material weaknesses?). The auditor would
then modify the preliminary control risk assessment (possibly from low to moderate or high)
and document the implications of the control deficiencies.
2. If no control deficiencies are identified, the auditor will likely determine that the preliminary
assessment of control risk as low is still appropriate. The auditor will then determine the
extent that controls can provide evidence on the correctness of account balances, and
determine planned substantive audit procedures. The level of substantive testing in this
situation will be less than what is required in circumstances where deficiencies in internal
control were identified.

72
 Effect of Risk Assessment on
Risk Response

73
Perform substantive procedures
In performing substantive procedures, the auditor wants reasonable assurance that the client’s
revenue recognition approaches are appropriate, and that revenue transactions are in accordance
with GAAP.
Substantive procedures (substantive analytical procedures, tests of details, or both) should be
performed for all relevant assertions related to significant revenue cycle accounts and disclosures.
Even if the auditor has evidence indicating that controls are operating effectively, the auditor cannot
rely solely on control testing to provide evidence on the reliability of these accounts and assertions.
Substantive tests in the revenue cycle are typically performed to provide evidence that:
● Sales transactions do exist and are properly valued.
● Accounts receivable exist.
● The balance in the allowance account is reasonable.
● Fraudulent transactions are not included in the financial statements.

74
 Management Assertions and Substantive
Procedures in the Revenue Cycle

75
 Education

★ S3 - Akuntansi, UGM (2018)

★ S2 - IT & Management, Lancaster University (2003)
★ S1 - Akuntansi, UGM (1999)
★ D3 - Akuntansi, STAN (1995)

Short Courses

★ International Auditor Fellowship Program, USA, 2009

★ Audit on Public Works, Netherland, 2006
★ Advanced IT Audit, Kuala Lumpur, 1999
★ EDP Audit, Jakarta, 1997

Eko Yulianto Experience

★
★
Auditor KAP Arthur Andersen (2000)
Auditor BPK RI (1996 - sekarang)
Email: eko.yulianto@bpk.go.id
Books
Website: https://ugm.academia.edu/ekoyulianto ★ Menggunakan Ms. Excel sebagai Software Audit
★ Menggunakan Ms. Access sebagai Software Audit
Phone/Whatsapp: 0812 98989 218

76