Accounting and Auditing





Audit Risk Assessment in the Light

of Current European Regulations



Ciprian-Costel Munteanu1



Abstract: Recent European reforms on audit regulations have been motivated by efforts to increase audit quality, functioning and performance. We believe the adoption of Directive 2014/56 and Regulation 537/2014 strengthened the role of independent audit and risk committees, which will positively contribute towards audit quality. This paper aims to critically assess the status quo of audit risk assessment in current European standards and regulations, by conducting a theoretical analysis of different aspects of audit risk. Our main objective is to stress the importance of detecting inherent and control risk, which lead to material misstatement at the assertion level. They need to be assessed so as to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. These pieces of evidence enable the auditor to express an opinion on the financial statements at an acceptably low level of audit risk. Therefore, we point to the fact that researchers as well as practitioners and policymakers have to be careful when using audit tools and assessing risk levels, as their conclusions continuously shape the regulations.

Key words: audit opinion; material misstatement; financial statements.

JEL Classification: M42



1. Introduction

The Global Financial Crisis in 2008 triggered a series of regulatory responses from EU Member States and the need for a consistent supervision of the European financial markets. All EU reforms were meant to reinforce the independence and the quality of the external auditors in their work in certifying the financial statements. On 3 April 2014, the European Parliament adopted the revised Directive as well as the Regulation, published in the Official Journal of the EU on 27 May 2014 and now known as Directive 2014/56 and Regulation 537/2014.

There is a two year transition period which means that the legislation will become applicable in the 28 Member States of the EU in 2016 and the changes that this new legislation will bring about are significant. This is a substantial modification of the original text as there is a shift of focus to external audit and the certification of the financial statements. It is important to be aware of that the amendments made in the Directive 2014/56 and Regulation 537/2014 are focused on the consequences for audit committees of new legislation for external auditors.

Compared to the existent specialized literature on the subject, it is important to stress that Directive 2014/56 and Regulation 537/2014 set a series of principles that enhance the importance of audit risk assessment, therefore this paper is set to be one of the first on this subject matter, under the new European regulations. The specialized literature on the subject of audit risk is quite extensive, as audit risk assessment has a significant influence on the auditor in expressing an appropriate audit opinion on the financial statements.

First of all, all studies on this subject are to start from the contents of the International Standard on Auditing 315 - Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, which should be read in conjunction with ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing. As set by ISA 315, the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

Key terms and examples of test of controls are presented by Arens, Alvin A. and Loebbecke James K. in their famous Auditing: an Integrated Approach, published by Pearson Education Inc. for the first time in the year 1980 and already reaching its 8th edition. A high-esteemed Romanian specialist is the late Professor Mircea Boulescu, whose contribution to the studying of audit risk can be inferred from his many papers in several Romanian accounting journals. He is also remembered for his Auditing Fundamentals, written in collaboration with Ghiță, M. and Mareș, V., and published in 2001.

Furthermore, the existing international journals provide a lot of support on this subject matter. Specialized articles on auditing and audit risk are to be found in the European Accounting Review, in Issues in American Education and in Current Issues in Auditing, published by the American Accounting Association, as well as many other international journals. Another resource that we hold important is the ACCA Paper F8, Audit and Assurance which helps explain the components of audit risk and the risks of material misstatement in the financial statements.

All these considered, this paper is set to discuss audit risk in terms of identifying, analyzing, clarifying and concluding on different possible errors and deviations, in order to achieve a correct audit opinion. It is this particular subject that we intend to examine and we shall focus on current issues concerning types of audit risk and their impact on the certification of the financial statements.

Further research should be focused on methods to improve the detection of audit risk and therefore the functioning of risk committees. The new and broader view of risk and the need for improved risk management after the financial crisis has resulted in boards considering the need to create risk committees. The main purpose of the risk committee is to assist the board in ensuring that the company has an effective risk management process, which includes the management of the key risks the company is facing and the follow up of risk appetite, risk tolerance, risk framework and risk strategy.



2. Audit Risk according to ISAs

In order to correctly stress the potential risks inherent to the financial auditor's work, we will take into account the International Standards on Auditing (hereinafter, ISA), which delineate three main categories of risk: inherent risk [IR], control risk [CR] and detection risk[DR]. Their product is the audit risk [AR], as in this risk model: AR = IR x CR x DR.

The ISAs include objectives, requirements, along with applications and other explanatory material that are designed to assist the auditor in obtaining reasonable assurance. ISAs require the auditor to exercise professional judgment and keep their professional skepticism throughout the audit planning and conducting, among other things:

to identify and assess the risks of material misstatement, whether due to fraud or error, based on understanding the entity and its environment, including the entity's internal control;

to obtain sufficient appropriate audit evidence whether material misstatements exist, through the development and implementation of appropriate responses to the assessed risks;

to form an opinion on the financial statements on conclusions drawn on the basis of audit evidence.

The standards define audit risk as the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement (which may be inherent risk or control risk) and of detection risk.

Detecting any errors would not be possible without the exercise of professional judgment, which is essential for appropriate auditing. This is because of the interpretation of relevant ethical requirements and of the ISAs, while the informed decisions required in the course of the audit cannot be taken without applying the relevant knowledge and expertise on facts and circumstances.

Professional judgment is required especially in connection with decisions related to:

materiality and audit risk;

the nature, timing and extent of audit procedures used to meet the ISAs requirements and gather audit evidence;

assessing the extent to which sufficient appropriate audit evidence was obtained and the extent to which further actions are necessary in order to achieve ISAs objectives and, through them, the auditor's general objectives;

assessing the management's judgment in applying the applicable financial reporting framework;

drawing conclusions on the obtained audit evidence, for example, assessing the reasonableness of accounting estimates made by the management in preparing financial statements.

The auditor should use professional judgment to assess audit risk and to set audit procedures, so as to ensure that risk is reduced to an acceptably low level. Audit risk is maximum 10%.



3. The Risks of Material Misstatement

The risks of material misstatement may exist at two levels:

in the financial statements in general; and

in the assertion level of the classes of transactions and account balances.

The risks of material misstatement in the financial statements generally refers to risks of material misstatement which in turn are related strictly to the financial statements as a whole and have a potential effect on the assertions.

The risks of material misstatement at the assertion level are assessed to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. These pieces of evidence enable the auditor to express an opinion on the financial statements at an acceptably low level of audit risk.

Auditors use various approaches to achieve the objective of assessing the risks of material misstatement. For example, the auditor could use a model that expresses the general relationship between the components of audit risk in mathematical terms to arrive at an acceptable level of the detection risk. Some auditors consider such a model to be useful when planning audit procedures.

The risks of material misstatement at the assertion level consist of two components: inherent risk and control risk; they exist independently of the financial statements auditing.

Inherent risk is the susceptibility that an account balance or class of transactions contains a misstatement that could be material, individually or together with misstatements in other balances or classes, assuming that there were no related internal controls.

Control risk is the risk that a misstatement, which could occur in an account balance or class of transactions that could be material individually or together with misstatements in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.



3.1. Inherent Risk

In the general development of an audit plan, the auditors assess inherent risk.

Inherent risk is the extent to which auditors assess the likelihood that some erroneous financial statements will occur in practice, as a result of weaknesses of the internal controls. If the auditor concludes that there is a high probability that errors in the financial statements may not be detected by internal controls, it means that he or she considers a high inherent risk.

Including the level of inherent risk in the audit risk model assumes that auditors will try to predict segments of the financial statements showing the lowest and highest probability of being erroneous. This information affects the size of audit evidence needed to be collected by the auditor and influences the auditors' efforts in the work assigned to the collection of audit evidence.

When assessing inherent risk, the auditor will consider the following factors:

To assess inherent risk, auditors should conduct an analysis of the environment of the audited entity, as well as of the features of audited operations by taking interviews with the management so as to acquire knowledge of its business, gathered also from previous audit reports.

The auditors assess the above factors to determine inherent risk specific to each cycle of transactions, account and audit objective. Some factors are likely to influence many or probably all classes of accounts, while other factors, such as unusual transactions, will affect only certain classes of accounts (specific). For each entity or class of accounts, the decision to properly assess inherent risk mainly depends on the auditor's judgment. Most auditors establish an inherent risk of 50%, even in the best circumstances and of 100% when the likelihood of material error is high.

Typically, auditors resort to the preparation and completion of a list of questions and after that, based on the responses received and on professional judgment, they assess inherent risk as high, medium or low. Inherent risk may be expressed in quantifiable terms (as percentage) or non-quantifiable terms (as high, medium, low).

In developing the overall audit plan, the auditors assess the inherent risk of the financial statements. For the audit program, the auditor must make the connection between such an assessment and the account balances and significant classes of transactions at the assertion level, or assume that inherent risk is high for a certain assertion.

To assess inherent risk, the auditor uses professional judgment to evaluate numerous factors, examples of which are:

- in the financial statements:

- in account balances and transaction categories:

Inherent risk is higher for some assertions and related classes of transactions, account balances and presentations, than for others. For example, inherent risk may be higher for complex calculations or for accounts consisting of amounts resulting from accounting estimates that are likely to have a significant degree of uncertainty about the estimate. External circumstances that give rise to business risks may also influence inherent risk. For example, technological developments might make a particular product to become obsolete, thus creating the possibility that stocks are subject to an overestimation.

Factors in the entity and in the environment that are related to some or to all of the classes of transactions, account balances or presentations may also influence the inherent risk related to a specific assertion. Such factors may include, for example, a lack of sufficient working capital to continue operations or an industry in decline characterized by a large number of business failures.

3.2. Control Risk

After obtaining an understanding of the accounting and internal control systems, the auditor should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions.

The auditor should gather audit evidence through tests of controls so as to support any assessment of control risk is at a level less than high. The lower the assessment of control risk, the more evidence the auditor has to gather so as to support the fact that accounting and internal control systems are suitably designed and operate efficiently.

The auditor should make management aware, as soon as possible and at the appropriate level of responsibility, of material weaknesses in the design or operation of the accounting and internal control systems that have been detected. After assessing the internal control system, the auditor communicates in a letter addressed to the management or to the internal audit committee, indicating the discovered deficiencies that may affect the financial statements or allow fraud.

The preliminary assessment of control risk is the process of assessing the effectiveness of the entity's accounting and internal control systems in preventing and detecting material misstatements. There will always be some control risk because of the inherent limitations of any accounting and internal control system.

The preliminary assessment of control risk for a financial statement assertion should be high, unless the auditor:

- is able to identify internal controls relevant to the assertion which could prevent or detect and correct a material misstatement;

- plans to perform tests of controls to support the assessment.

Various techniques can be used to document information relating to accounting and internal control systems. Selection of a particular technique is a matter of the auditor's professional judgment. Common techniques, used alone or in combination, are: narrative descriptions, questionnaires, checklists and diagrams of information flows. The form and extent of this documentation is influenced by the size and complexity of the entity and by the nature of the accounting and internal control systems of the entity. Generally, the more complex the accounting and internal control systems and the auditor's control procedures, the more extensive the documentation will need to be.

Management often reacts to inherent risk situations by developing accounting and internal control systems able to prevent or detect and correct misstatements and, therefore, in many cases, inherent risk and control risk are highly interrelated. In such situations, if the auditor attempts to assess separately the inherent risk and control risk, there is a possibility of inappropriate risk assessment. As a result, in such situations audit risk may be more appropriately determined by making a combined assessment.

The level of detection risk relates directly to the auditor's substantive procedures. The auditor's assessment of control risk, along with the assessment of inherent risk, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk, and therefore audit risk to an acceptably low level. Some detection risks will always be present even if an auditor were to examine 100% of the account balance or class of transactions.

In this regard the auditor will consider:

There is an inverse relationship between detection risk and the combined level of inherent and control risk.

For example, when inherent and control risks are high, the acceptable detection risk needs to be low, so as to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, the auditor may accept a higher detection risk and still reduce audit risk to an acceptably low level. While tests of controls and substantive procedures are distinguished by their purpose, the results of each type of procedure may contribute to the purpose of others. Misstatements discovered in conducting substantive procedures may cause the auditor to modify the previous assessment of control risk.

The assessed levels of inherent and control risk cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedures. No matter the assessed levels of inherent and control risks, the auditor will have to perform some substantive procedures for material account balances and classes of transactions. The assessment of the components of the inherent and control risks performed by the auditor may change during an audit, for example, while performing substantive procedures the auditor may receive information that differs significantly from the information on which he or she originally assessed the inherent and control risks. In such cases, the auditor would modify the planned substantive procedures, based on the revision of the assessed levels of control and inherent risk.

The higher the assessment of inherent and control risk, the more audit evidence the auditor must gather from the performance of substantive procedures. When both inherent risk and control risk are assessed as high, the auditor should consider whether substantive procedures can provide sufficient appropriate audit evidence to reduce detection risk, and therefore audit risk, to an acceptably low level. When the auditor determines that detection risk regarding a financial statement assertion for a significant balance of an account or class of transactions cannot be reduced to an acceptable level, the auditor should express a qualified opinion (with reservations) or declare that he or she is unable to express an opinion.

Control risk is a function of the effectiveness of designing, implementing and maintaining internal control, so that the management should consider the identified risks that threaten the achievement of entity objectives relevant to the preparation of its financial statements. However, internal control, no matter how well designed and applied, can only reduce, but not eliminate, the risk of material misstatement of the financial statements due to the inherent limitations of internal control. These include, for example, the possibility of human errors or mistakes, or that controls are adversely affected by plots or violations by the management. Consequently there will always be some degree of control risk.

The ISAs provide the conditions under which the auditor is required to, or may choose to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures to be performed. The ISAs usually refer not to control risk and inherent risk separately, but rather to a combined assessment of the “risk of material misstatement”. However, the auditor will be able to separate or combine the inherent and control risk assessment depending on preferred audit techniques or methodologies and practical considerations.



4. Detection Risk

Detection risk is the risk that an auditor's substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material individually or together with misstatements in other balances or classes transactions.

In practice, the risk of detection cannot be reduced to zero because of the influence of factors such as:

- the auditor does not examine all the elements of a class of transactions or account balances and disclosures;

- the possibility that an auditor might select an inappropriate audit procedure, or misapply an appropriate audit procedure, or misinterpret the results of audit procedures.

Detection risk relates to the nature, timing and extent of the auditor's procedures that are determined by it in order to reduce audit risk to an acceptably low level. It depends therefore on the effectiveness of an audit procedure and on its application by the auditor. Issues such as: proper planning, correct distribution of staff in the mission team, application of professional skepticism and supervision and review of performed audit work may lead to increasing the effectiveness of audit procedures.

There is an inverse relationship between materiality and audit risk level, namely, the higher the materiality level, the lower the audit risk and vice versa. The auditor takes into consideration the inverse relationship between materiality and audit risk when determining the nature, timing and extent of audit procedures.

For a given level of audit risk, the acceptable level of detection risk implies an inversely proportional relationship with the assessed risks of material misstatement at the assertion level. For example, the higher the risk of material misstatement the auditor believes to exist, the less the risk of detection is acceptable and therefore the more persuasive the audit evidence necessary to the auditor.

Detection risk, however, can only be reduced, not eliminated, due to the inherent limitations of an audit. Detection risk can be reduced by auditors, for example, by increasing the number of sampled transactions for detailed testing. However, a certain detection risk will always exist.



5. Conclusions

In April 2014, the Council of Ministers adopted audit legislation that has been under debate since October 2010. With the passage of the legislation essentially complete, auditors will work to support its successful implementation and to help serve the needs of companies and investors, strengthen the capital markets and enhance confidence in financial reporting. There is a need for a clear overview of the company’s risk and control framework which will allow the audit committee to monitor and evaluate the effectiveness of the company’s internal control, risk management and reporting. When assessing audit risk, the objective of the auditor is to identify and appropriately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to the risks of material misstatement - inherent risk or control risk. Such risks may appear due to error or fraud, so the auditor should perform risk assessment procedures to make sure the financial statements are presented fairly, in all material respects, in conformity with the applicable financial reporting framework. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions.

We continue to have questions, however, as to the legislation’s economic costs and its impact on audit quality and shareholder choice, especially in light of already existing national requirements. We look forward to the evolution of the role and relevance of audit and how the audit profession can continue to serve the public interest by contributing to enhanced investor confidence in the capital markets.



6. Acknowledgement

This paper has been financially supported within the project entitled “SOCERT. Knowledge society, dynamism through research”, contract number POSDRU/159/1.5/S/132406. This project is co-financed by European Social Fund through Sectoral Operational Programme for Human Resources Development 2007-2013. Investing in people!”



7. References

Arens, A.A. & Loebbecke J.K. (2003). Auditul. O abordare integrata / Auditing: an Integrated Approach, 8th Edition. Chisinau: Arc.

Boulescu, M. (2006). Proceduri analitice de audit / Analytical audit procedures. Finante, banci, asigurari / Finances, banks, insurance, No.11 (November 2006), 22-29.

Boulescu, M. (2006). Proceduri de evaluare a riscului / Risk Assessment Procedures Tribuna economica/ Economic Tribune, Vol.17, No.31 (August 2006), 57-63.

Boulescu, M. (2007). Evaluarea riscurilor de denaturare semnificativa / Assessing the risks of material misstatement, Tribuna economica/ Economic Tribune, Vol.18, No.35 (October 2007), 54-58.

Boulescu, M. (2007). Riscul de audit si pragul de semnificatie / Audit risk and materiality Finante, banci, asigurari / Finances, banks, insurance, Vol.10, No.6 (March 2007), 10-14.

Pendegraft, N., Stone R.W. & Kraut, M. (2014). Conceptually modelling the trade-offs between continuous and traditional auditing, International Journal of Auditing Technology, Vol.2, No.2, 153-166.

Gros, M. & and Worret, D. (2014). The challenge of measuring audit quality: some evidence, International Journal of Critical Accounting, Vol. 6, No.4, 345 - 374.

Boulescu, M., Ghiță, M. & Mareș, V. (2001). Fundamentele auditului / Audit Fundamentals, Bucharest: Editura Didactică și Pedagogică.

Dănescu, T. (2007). Audit financiar: convergențe între teorie și practică / Financial Auditing: convergences between theory and practice. Bucharest: Irecson.

Danescu, T. (2007). Proceduri si tehnici de audit financiar/ Procedures and Techniques of Financial Auditing. Bucharest: Irecson.

Paraschivescu, D.M. (2008). Riscul de audit financiar-contabil / Risk of Financial Audit, Tribuna economica/ Economic Tribune. Vol.19, No.14 (November 2008), 58-62.

Ryan, B., Scapens, R.W. & Theobald, M. (2002). Research Method & Methodology in Finance &Accounting, Edition II. London: Thomson.



1 PhD student, Valahia University from Târgoviște, Romania, Address Bd. Carol I, 2, Târgoviste, Dâmbovita, 130024, 130084, Tel.+40245 206 101, fax: +40335 883738, Corresponding author: ciprianmunteanu@auditexpertcont.ro.AUDŒ, Vol. 11, no. 3, pp. 94-105