Exam technique for Advanced Audit and Assurance

Part 2 – Risk

Risk is examined in several ways within the Advanced Audit and Assurance syllabus and understanding the difference between these can be key to scoring good marks in the exam. Quite often, risk forms part of a planning question but it is also examined with respect to financial reporting issues elsewhere in the exam.

The key to attaining good marks for risk comes from understanding the types of risk you are looking for and explaining them in the correct context. As with many areas of the exam, good exam technique can be used to increase the marks attained without having to rote learn much additional information. It is application and understanding that is important at the Professional level.

This article will demonstrate how to maximise marks on these areas using effective exam technique. It is, however, specific to the context of auditing and assurance and will therefore have a different focus and application to the way risks are examined in other areas of the ACCA Qualification.

What you need to know

The three main types of risk you might be asked to evaluate in the exam are business risk, risk of material misstatement and audit risk. These are defined as follows:

Business risk
A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies (ISA 315)

Risk of material misstatement (RoMM)
‘The risk that a material misstatement exists in figures or disclosures within the financial statements prior to audit’ (IAASB – glossary of terms)

Audit risk
‘The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of material misstatement and detection risk’ (IAASB – glossary of terms)

How they interact
You should know from your study of Audit and Assurance that the audit risk model is comprised of:

Audit risk = RoMM x detection risk

For a risk of misstatement to occur there must be an inherent risk of an item being misstated and a risk that the client’s controls did not identify and correct this misstatement. When you are asked to evaluate RoMM in an exam, the examiner is looking for those inherent and control risks and, in many cases, these arise from underlying business risks.

For something to be an audit risk, there must be either a RoMM or a detection risk, the risk that the auditor’s procedures do not identify a material misstatement in the financial statements.

How to apply the knowledge

Knowing these definitions will help you to remember which type of risk is which or to categorise risks into these sub types but it is not something you will be awarded direct credit for in an Advanced Audit and Assurance exam.

Remember that you are often being asked to prepare an answer for the attention of the audit engagement partner, who will certainly not need these terms explained. Therefore, these definitions are so that you know what type of risk you are looking for in a question but the marks will be awarded for your evaluation of these risks.

Let’s consider an example of information that may be provided in the exam and how your answer would differ for each of the risk types you might be asked to evaluate. The following is an extract from the published September/December 2015 sample questions:

Dali Co was established 20 years ago and has become known as a leading supplier of machinery used in the quarrying industry, with its customers operating quarries which extract stone used mainly for construction.

The machines and equipment made by Dali Co are mostly made to order in the company’s three manufacturing sites. Customers approach Dali Co to design and develop a machine or piece of equipment specific to their needs. Where management considers that the design work will be significant, the customer is required to pay a 30% payment in advance, which is used to fund the design work. The remaining 70% is paid on delivery of the machine to the customer. Typically, a machine takes three months to build, and a smaller piece of equipment takes on average six weeks. The design and manufacture of bespoke machinery involving payments in advance has increased during the year. Dali Co also manufactures a range of generic products which are offered for sale to all customers, including drills, conveyors and crushing equipment.

Business risk
For the purpose of the exam, these risks can usually be thought of in terms of conditions that may prevent a business from meeting its objectives and might include risks to achieving future profits or cashflows or to business survival. This is a simplified explanation, but will help you describe the implications of most risks you come across in the exam. There will be some risks whose explanation is more involved and you can find examples of these in past exams.

In general, you are looking for risks in the information that the examiner has presented to you within the scenario. You will be asked to evaluate those risks. At this level you will not be credited for defining business risk, nor will you receive credit for describing what a client could do to mitigate those business risks.

As set out in the ISAs, the focus of business risk evaluation as part of the audit process is identifying matters that could impact on audit planning, in particular matters that could give risk to risks of material misstatement or audit risks.

The focus in the Advanced Audit and Assurance exam is therefore quite different from other strategic level exams where you might be expected to consider risks from a business perspective and to describe methods the business may use to manage those risks. If you stray into risk mitigation from a business perspective rather than an auditor’s perspective you are wasting valuable time on making points that cannot score marks.

As such, you need to consider how to frame the information which is provided as a business risk. As a general rule, marks for business risks will be awarded along the following lines:

  • For identifying only without meaningful explanation, ½ mark
  • For a briefly explained business risk, 1 mark will be awarded, and
  • Full marks will only be awarded where a well explained business risk is presented.

Marks will not be awarded for points that are purely speculative – ie not based on specific information provided in the question scenario – nor will marks be awarded for business risks that do not impact on the audit.

Let’s now apply that logic to the example provided above:

Identification only – worth ½ mark

The company manufactures bespoke machines for clients which may take six months to complete.

In an exam, an answer that merely repeats facts from the question is unlikely to attain many marks – in a business risk question it can score ½ mark for identification only as the implications for the company have not been considered.

Identified and briefly explained – worth 1 mark

The company manufactures bespoke machines for clients which may take six months to complete. During this time the company has funds tied up in work in progress.

This point cannot score full marks as there is no development of why this is a risk; how does it impact on the business or the audit?

Identified and well explained – worth full marks

The company manufactures bespoke machines for clients which may take six months to complete. During this time the company has funds tied up in work in progress, which could give rise to cashflow problems, especially as the 30% deposit may not cover all the upfront costs. This service has increased in the year putting further strains on cash flow.

It is also possible that a risk can have other implications or alternative descriptions that are valid and, if the answer was developed in one of these directions, that would still attract credit. For example, the following would also be an appropriate way to fully explain the same risk:

Identified and well explained – worth full marks

The company manufactures bespoke machines for clients which may take six months to complete. There is a risk that the customer cancels the order after the company has spent significant funds on the design and manufacture of the machine. This will have put strain on the company cash flow and it is unlikely that the machine can be sold to a different customer for the same price due to its bespoke nature. This may mean that the company makes a loss on the sale of the inventory or cannot sell it at all.

In an exam such as this, it’s reasonable to assume that the examiner has given you each piece of information for a reason. It is likely to be relevant to one of the requirements and the examiner will often flag if there are areas which you should not consider. A good technique is to try and identify risks in each paragraph – there could be more than one but there is unlikely to be a section of text that does not flag something relevant for at least one requirement.

Another thing to watch for is describing risks that are speculative or insignificant in the context of the scenario you are given. There will be sufficient risk areas described in the scenario to score maximum credit if they are well described. If you find yourself hypothesising about potential issues that may affect the client, but you don’t have enough information to know if it’s a risk or not, then you are likely to be making irrelevant or marginal points. While it is true that valid risks – beyond those on the marking guide – can attract credit, it is much easier and less risky to use those that are flagged by the examiner.

Risks of Material Misstatement (RoMM)
RoMM often follow from business risks and are the impact that those risks might have on the financial statements. It can be good practice during preparation for the exam to try and think of how a business risk might affect the financial statements every time you are analysing them. You are looking to convert that business risk into an impact on the calculation or disclosure of items within the financial statements.

When describing RoMMs, an effective approach is to use the following steps to construct your answer

  1. Calculate and conclude on the materiality of the issue where sufficient information is available – a mark will be given for a correct and relevant calculation of materiality with an appropriate conclusion – this will only be awarded once per issue and materiality marks may be capped in an exam question.
  2. Briefly describe the relevant financial reporting requirement – note that no credit is awarded for the accounting standard names or numbers, only the accounting treatment.
  3. Relate the risk in the scenario to the accounting treatment.
  4. Illustrate the impact of the risk on the financial statements

In general, there will be credit available for each of these processes and you should recall this approach every time you tackle a question requirement on evaluating RoMM.

Let’s consider the business risk we looked at above. The issue of bespoke machinery with an upfront payment can affect the financial statements in terms of revenue recognition, when dealing with the upfront payments, and inventory valuation. For the purposes of the exam, these two accounting issues are likely to be assessed as two separate RoMMs.

Applying this to the scenario we have above, the following illustrates a possible answer that could be written under exam conditions and would score full marks for each of the addressed risks.

Revenue recognition
The company receives a 30% deposit for the design of bespoke machinery.

Revenue should be recognised over time or at a point in time when control is passed. Such points will be determined by the contractual terms. Payments received in advance of control passing should be recognised as deferred income.

There is a risk that revenue might be recognised early when payment is received rather than being deferred.

This would result in an overstatement of revenue and an understatement of liabilities for deferred revenue.

Inventory valuation
The company manufactures machines over a period of up to three months. This gives rise to work in progress.

Work in progress is valued at the lower of cost and NRV where cost includes all the costs of purchase and conversion including overheads of getting the item to its present location and condition.

There is a risk that an order for bespoke machinery is cancelled and the inventory NRV falls below the net costs incurred.

This would result in an overstatement of inventory (or assets) in the statement of financial position and an understatement of cost of sales, therefore an overstatement of profit.

Note that we did not have sufficient information to calculate materiality in these examples.

Audit risks
Where you are asked to evaluate audit risks in an exam, much of your answer would be the same as for a requirement asking for risks of material misstatements as these form the major part of audit risk. The difference here is that detection risk is now also relevant. Examples of detection risk could include a recent appointment as the auditor, inexperience in a client’s new market or time pressure for the audit.

If the information provided in the example we have been using included the following information:

You are the audit manager of Dali Co, a new audit client of your firm. The partner has asked you to plan the audit for 31 December 2015 and has provided you with the following information after a discussion with the client.

Then, in addition to the RoMMs we have discussed, there would be an additional audit risk.

We are newly appointed auditors of the client and, as such, do not have the same level of understanding of the client’s business and controls as we would for an existing client. As such, we may fail to recognise certain RoMMs or may apply inappropriate procedures due to this lack of understanding

In addition, we have not audited the opening balances, so there is a risk that the opening balances may be incorrect or inappropriate accounting policies have been used. 

There are two common errors candidates make in the exam around the issue of a new client. First, some candidates consider that a new auditor is a business risk or gives rise to a RoMM. This is incorrect. The underlying business is the same regardless and it is only detection risk that alters.

The second is to assume that a new manager on an assignment is the same as having a new client. The audit partner and the knowledge of the client within the firm is unaltered, so the discussion of a new manager to the audit resulting in a significant audit risk does not attract credit.

It is also important to note that, from an exam point of view, none of these examples require a definition to be given of risk types nor do they require any explanation of theories as part of the answer – if the examiner asks you to evaluate risks, then presenting your answer using the approach of a subheading for each risk and answers like those shown in the examples above is sufficient.


This article has focused on planning type questions where there is a specific requirement to describe one or more of business risk, RoMM and audit risk, and has laid out an effective approach for how you can tackle these questions to maximise your marks.

Note that RoMM is also relevant for matters and evidence questions where the structure of the answer in those questions may be broader but the basic thought process is similar. This will be addressed further in a separate article on accounting issues for Advanced Audit and Assurance.

Written by a member of the P7 examining team