Chapter Three

Materiality and Risk Assessment

3.1.Audit Risk
Audit risk is the risk that the auditor may unknowingly fail to appropriately modify the opinion
on a set of financial statements that are materially misstated. Engagement risk is the exposure
to loss or injury to professional practice from litigation, adverse publicity, or other events
arising in connection with financial statements audited and reported on. In simple terms, audit
risk is the risk that an auditor will issue an unqualified opinion on materially misstated financial
statements, while engagement risk relates to the auditor's exposure to financial loss and damage
to his or her professional reputation.
Audit risk is the risk that auditors issued the incorrect audit opinion to the audited financial
statements. In other words, the material misstatements of financial statements fail to identify or
detect by auditors.
It is not normally practical or cost-effective for auditors to collect evidence in order to have
absolute (100%) assurance or confidence of detecting all material deviations. Instead,
auditors try to ensure that their conclusions and opinions are based on reasonable assurance,
which is obtained from the audit work. The level of Assurance that can be provided to the
intended users should be communicated in transparency way.
Audit risk is the inverse of audit assurance. It is the risk that the auditor is willing to tolerate
coming to a wrong conclusion. In practice, audit risk is unavoidable.
Types of Audit Risk
Audit risks come from two main different sources: Clients and Auditors themselves. The
risks are classified into three different types: Inherent Risks, Control Risks, and Detection
Risks.
Inherent Risk
Inherent risk refers to the risk that could not be protected or detected by the entity’s internal
control. It is related to entity’s nature. This risk could happen due to the complexity of the
client’s nature of business or transactions.
Sometimes, that nature of business could link to the complexity of financial transactions and
require high involvement with judgment. The risk is normally high if the transaction or even
involves highly human judgment—for example, the exposure in the complex derivative
instrument.

1|Page
This kind of risk could also be affected by the external environment, such as climate change,
political problems, or other PESTEL effects. Auditors are required to assess those kinds of
risks and set up audit procedures to address inherent risks properly.

For example, the auditor needs to set up a proper audit plan, audit approach, and audit
strategy. All relevant inherent risks that might affect the financial statements are identified
and rectified on time.
Those include sufficient time for the audit team to work on the significant areas or have a
member who has a deep understanding of the business and accounting transactions of the
auditing financial statements.
If the auditor is aware that the potential client has high exposure to inherent risks, and the
auditor also knows that the current resources are not capable of handling such client, the audit
should not accept the engagement.
Control Risks:
Control risk or internal control risk is the risk that current internal control could not detect or
fail to protect against significant error or misstatement in the financial statements.This risk
concerning entity’s controls.
Basically, management is required to set up and assess the effectiveness and efficiency of
internal control over financial reporting to make sure that financial statements are free from
material misstatements.
Why is the weakness of internal control leads bring risk to the auditor?
Basically, if the control is weak, there is a high chance that financial statements are materially
misstated, and there is subsequently a high chance that auditors could not detect all kinds of
those misstatements.
That means to control risk could lead to audit risk. Don’t be confused that it is the detection
risk.The auditor needs to understand and assess the client’s internal control over financial
reporting conclude whether those control could be relied on or not.
If the client’s internal control seems to be strong, the audit needs to confirm if the control is
worked by testing internal control. There are certain ways that auditors could use to help
them to minimize the control risks that result from poor internal control. For example,
auditors should have a proper risk assessment at the planning stages.
These risks assessment required auditors to understand the nature of the business and internal
control activities that link to financial reporting.

2|Page
Once the internal over financial statements and risks are properly assessed, the audit
programs are properly tailored, then Control Risks are minimized.
Detection Risk:
Detection risk is the risk that the auditor fails to detect the material misstatement in the
financial statements and then issued an incorrect opinion to the audited financial statements.
The common cause of detection risk is improper audit planning, poor engagement
management, wrong audit methodology, low competency, and lack of understanding of audit
clients. Detection risk is occurred because of the auditor part rather than the client part.
As mentioned, detection risk could be the result of poor audit planning. For example, if audit
planning is poor, not all kinds of risks are defined, and the audit program used to detect those
risks is deploy incorrectly. Then, the result is the material misstates are not detected.
Certain guidelines could help auditors minimize detection risks so that the audit risks are also
subsequently minimized.
At the time of planning, auditors should set the right audit strategy, employed the right audit
approach, and having a strong strategic audit plan.
These include having a good understanding of the nature of the business, the complexity of
the business operation, the complexity of the client’s financial statements, and a deep
understanding of the client’s internal control over financial reporting.
A clear understanding of audit objectives and audit scope could help auditors set audit
approaches and tailor the right audit program
Having a strong audit team could also help auditors to minimize detection risks.
For example, having enough team members and those team members have good experiences
and knowledge related to clients’ business and financial statements.
Why do auditors need to perform a risk assessment?
Auditors must perform risk assessments to ensure that all possible risks of misstatements that
might happen to the financial statements are identified.
This is normally performed during and after the audit plan. If certain risks are identified
during the cause of the audit, the auditor should perform additional assessments to figure out
the real size of the risks.
The auditor should assess audit risks before accepting the audit engagements by
understanding the nature of its client’s business and the complexity of financial reporting in
that sector.
This might help them understand more about the audit risks and let them detect them. The
different industries might face different challenges in financial reporting.

3|Page
For example, the merchandising company’s financial reporting might be easier to audit than
financial reporting in agriculture or oil.
The auditor should also assess audit risks at the time they prepare the audit plan.
At this stage, the auditor might understand the client nature of the business, major internal
control over financial reporting, financial reporting system, and many more.
Assessment of risks is a judgement rather than a precise measurement.
Audit risk model
The audit risk model, as shown below, helps auditors to determine how comprehensive the
audit work must be so as to attain the desired assurance for their conclusions.
Audit risk (AR)= Inherent risk (IR) x Control risk (CR) x Detection risk (DR)
This equation must always be in balance. The higher the auditor assesses the level of inherent
and/or control risk to be, the lower the detection risk must be. This requires more substantive
audit work (larger sample sizes). Equally, the lower the combined inherent and control risk is
assessed to be, the higher the detection risk will be. This in turn means less substantive work
and more systems work. More systems and controls need to be tested as the planning
assumption must be verified and because the systems work also contributes to the overall
assurance. Fraud risk is an element of both inherent and control risk. Auditor will also assess
the leadership of the management team as well as the entity’s culture.
Procedures to identify and assess risk
The risk-assessment procedures are employed in order to gain an understanding of the
following:
 the entity and its environment, thereby identifying the inherent risks in the area
under consideration, including risks as regards related parties and fraud;
 the internal control arrangements at each relevant level (Commission, member
state, intermediary, beneficiary), to help identify the control risks.
The nature and extent of planned audit tests will vary, depending on the auditor's assessment
of both inherent and control risk.
The auditor should perform risk assessment procedures as early in the
audit as possible, based on various sources of information.

4|Page
Risk assessment procedures Sources of information

 Financial and non-financial information, in

Analysis of relationships in and between order to provide a broad initial indication of
financial and non-financial information, unusual or unexpected relationships.
through a study of plausible relationships,
including trends and ratios. Examples include
comparison of actual information against
budget, licence income to number of licences,
and import duties to physical import data.

Inspection consists of examining records or  Visits to the entity's premises and facilities
documents, whether internal or external, in  Internal documents - management plans,
paper form, electronic form, or other media, or records, manuals
tangible assets.  Other information - the auditee's budget
 External information- economic journals;
regulatory and financial publications
 Findings from previous audits.

Observation consists of looking at a process or  Observation of entity activities and

procedure being performed by others. It operations being carried out
provides information about the performance of
the process or procedure, but is limited to the
point in time at which the observation takes
place.

Inquiry consists of seeking information of  Those charged with governance,

knowledgeable persons, inside or outside the management and others within the entity
audited entity.

3.2 Materiality
The concept of materiality is applied by the auditor in planning and
performing the audit, and in evaluating the effect of identified
misstatements or non-compliance on audit conclusions
Materiality is a fundamental concept in financial and compliance audit. It sets the level of
deviation that the auditor considers is likely to influence the decisions of the intended users.
In theory, deviations, or errors, are material if they, individually or aggregated with other
errors, would reasonably affect the underlying audit conclusions or the decisions of the
addressees of the audit report.
An item or group of items may be material due to their amount (quantitative
materiality), nature or the context in which the deviation occurs (qualitative
materiality).There is a relationship between materiality and the level of audit risk.
Furthermore, this threshold serves as a determining factor both in the calculation of

5|Page
sample sizes for substantive testing and in the interpretation of the audit results
achieved.Setting materiality limits helps the auditor to plan the audit so as to ensure
that material deviations are detected by audit tests and resources are employed
economically, efficiently and effectively. Auditing to a stricter (lower) materiality
threshold requires more audit testing; however, the auditor must avoid “over-
auditing" in areas that do not merit extensive work.
Materiality in different phases of audit
Materiality should be considered by the auditor during:
 planning, to help assess material risks and determine the nature, timing and extent of
audit procedures;
 examination, when considering new information that may require planned procedures
to be revised, and evaluating the effect of deviations;
 reporting, when reaching final conclusions and, where required, forming an audit
opinion.
The auditor should document the materiality levels and changes made thereto during the
audit.
Quantitative materiality
Quantitative materiality is determined by setting a numerical value. The numerical value is
achieved by taking a percentage of an appropriate base, which both reflect, in the auditor's
judgement, the measures that users of the information are most likely to consider important.
 When establishing the overall audit strategy, the auditor shall determine materiality
for the financial statements or the audited population as a whole (overall materiality).
 Performance materiality is established while performing audit procedures on certain
account balances and/or transactions and is deliberately settled lower than the overall
materiality so that overall misstatements are kept under the overall materiality level.
Qualitative materiality
Certain types of misstatements or non-compliance, while not quantitatively material, may -
because of their nature or because of the context in which they arise - be qualitatively
material and thus have an impact on the audit conclusion reached. Qualitative materiality
includes items that may be either:
 material by nature: this is related to inherent characteristics and concerns issues
where there may be specific disclosure requirements or high political or public
interest. It includes any suspicion of serious mismanagement, fraud, illegality or
irregularity or intentional misstatement or misrepresentation of results or information;

6|Page
  material by context: this concerns items that are material by their circumstance, so
that they change the impression given to users. It includes instances where a minor
error may have a significant effect, e.g. misclassification of expenditure as income, so
that an actual deficit is reported as a surplus in financial statements.

7|Page