Part 2 – Risk
Risk is examined in several ways within the Advanced Audit and Assurance syllabus and understanding the difference between these can be key to scoring good marks in the exam. Quite often, risk forms part of a planning question but it is also examined with respect to financial reporting issues elsewhere in the exam.
The key to attaining good marks for risk comes from understanding the types of risk you are looking for and explaining them in the correct context. As with many areas of the exam, good exam technique can be used to increase the marks attained without having to rote learn much additional information. It is application and understanding that is important at the Professional level.
This article will demonstrate how to maximise marks on these areas using effective exam technique. It is, however, specific to the context of auditing and assurance and will therefore have a different focus and application to the way risks are examined in other areas of the ACCA Qualification.
The three main types of risk you might be asked to evaluate in the exam are business risk, risk of material misstatement and audit risk. These are defined as follows:
A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies (ISA 315)
Risk of material misstatement (RoMM)
‘The risk that a material misstatement exists in figures or disclosures within the financial statements prior to audit’ (IAASB – glossary of terms)
‘The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of material misstatement and detection risk’ (IAASB – glossary of terms)
How they interact
You should know from your study of Audit and Assurance that the audit risk model is comprised of:
Audit risk = RoMM x detection risk
For a risk of misstatement to occur there must be an inherent risk of an item being misstated and a risk that the client’s controls did not identify and correct this misstatement. When you are asked to evaluate RoMM in an exam, the examiner is looking for those inherent and control risks and, in many cases, these arise from underlying business risks.
For something to be an audit risk, there must be either a RoMM or a detection risk, the risk that the auditor’s procedures do not identify a material misstatement in the financial statements.
Knowing these definitions will help you to remember which type of risk is which or to categorise risks into these sub types but it is not something you will be awarded direct credit for in an Advanced Audit and Assurance exam.
Remember that you are often being asked to prepare an answer for the attention of the audit engagement partner, who will certainly not need these terms explained. Therefore, these definitions are so that you know what type of risk you are looking for in a question but the marks will be awarded for your evaluation of these risks.
Let’s consider an example of information that may be provided in the exam and how your answer would differ for each of the risk types you might be asked to evaluate. The following is an extract from the published September/December 2015 sample questions:
Dali Co was established 20 years ago and has become known as a leading supplier of machinery used in the quarrying industry, with its customers operating quarries which extract stone used mainly for construction.
For the purpose of the exam, these risks can usually be thought of in terms of conditions that may prevent a business from meeting its objectives and might include risks to achieving future profits or cashflows or to business survival. This is a simplified explanation, but will help you describe the implications of most risks you come across in the exam. There will be some risks whose explanation is more involved and you can find examples of these in past exams.
In general, you are looking for risks in the information that the examiner has presented to you within the scenario. You will be asked to evaluate those risks. At this level you will not be credited for defining business risk, nor will you receive credit for describing what a client could do to mitigate those business risks.
As set out in the ISAs, the focus of business risk evaluation as part of the audit process is identifying matters that could impact on audit planning, in particular matters that could give risk to risks of material misstatement or audit risks.
The focus in the Advanced Audit and Assurance exam is therefore quite different from other strategic level exams where you might be expected to consider risks from a business perspective and to describe methods the business may use to manage those risks. If you stray into risk mitigation from a business perspective rather than an auditor’s perspective you are wasting valuable time on making points that cannot score marks.
As such, you need to consider how to frame the information which is provided as a business risk. As a general rule, marks for business risks will be awarded along the following lines:
Marks will not be awarded for points that are purely speculative – ie not based on specific information provided in the question scenario – nor will marks be awarded for business risks that do not impact on the audit.
Let’s now apply that logic to the example provided above:
Identification only – worth ½ mark
Identified and briefly explained – worth 1 mark
Identified and well explained – worth full marks
It is also possible that a risk can have other implications or alternative descriptions that are valid and, if the answer was developed in one of these directions, that would still attract credit. For example, the following would also be an appropriate way to fully explain the same risk:
Identified and well explained – worth full marks
In an exam such as this, it’s reasonable to assume that the examiner has given you each piece of information for a reason. It is likely to be relevant to one of the requirements and the examiner will often flag if there are areas which you should not consider. A good technique is to try and identify risks in each paragraph – there could be more than one but there is unlikely to be a section of text that does not flag something relevant for at least one requirement.
Another thing to watch for is describing risks that are speculative or insignificant in the context of the scenario you are given. There will be sufficient risk areas described in the scenario to score maximum credit if they are well described. If you find yourself hypothesising about potential issues that may affect the client, but you don’t have enough information to know if it’s a risk or not, then you are likely to be making irrelevant or marginal points. While it is true that valid risks – beyond those on the marking guide – can attract credit, it is much easier and less risky to use those that are flagged by the examiner.
Risks of Material Misstatement (RoMM)
RoMM often follow from business risks and are the impact that those risks might have on the financial statements. It can be good practice during preparation for the exam to try and think of how a business risk might affect the financial statements every time you are analysing them. You are looking to convert that business risk into an impact on the calculation or disclosure of items within the financial statements.
When describing RoMMs, an effective approach is to use the following steps to construct your answer
In general, there will be credit available for each of these processes and you should recall this approach every time you tackle a question requirement on evaluating RoMM.
Let’s consider the business risk we looked at above. The issue of bespoke machinery with an upfront payment can affect the financial statements in terms of revenue recognition, when dealing with the upfront payments, and inventory valuation. For the purposes of the exam, these two accounting issues are likely to be assessed as two separate RoMMs.
Applying this to the scenario we have above, the following illustrates a possible answer that could be written under exam conditions and would score full marks for each of the addressed risks.
Where you are asked to evaluate audit risks in an exam, much of your answer would be the same as for a requirement asking for risks of material misstatements as these form the major part of audit risk. The difference here is that detection risk is now also relevant. Examples of detection risk could include a recent appointment as the auditor, inexperience in a client’s new market or time pressure for the audit.
If the information provided in the example we have been using included the following information:
|You are the audit manager of Dali Co, a new audit client of your firm. The partner has asked you to plan the audit for 31 December 2015 and has provided you with the following information after a discussion with the client.|
Then, in addition to the RoMMs we have discussed, there would be an additional audit risk.
We are newly appointed auditors of the client and, as such, do not have the same level of understanding of the client’s business and controls as we would for an existing client. As such, we may fail to recognise certain RoMMs or may apply inappropriate procedures due to this lack of understanding
There are two common errors candidates make in the exam around the issue of a new client. First, some candidates consider that a new auditor is a business risk or gives rise to a RoMM. This is incorrect. The underlying business is the same regardless and it is only detection risk that alters.
The second is to assume that a new manager on an assignment is the same as having a new client. The audit partner and the knowledge of the client within the firm is unaltered, so the discussion of a new manager to the audit resulting in a significant audit risk does not attract credit.
It is also important to note that, from an exam point of view, none of these examples require a definition to be given of risk types nor do they require any explanation of theories as part of the answer – if the examiner asks you to evaluate risks, then presenting your answer using the approach of a subheading for each risk and answers like those shown in the examples above is sufficient.
This article has focused on planning type questions where there is a specific requirement to describe one or more of business risk, RoMM and audit risk, and has laid out an effective approach for how you can tackle these questions to maximise your marks.
Note that RoMM is also relevant for matters and evidence questions where the structure of the answer in those questions may be broader but the basic thought process is similar. This will be addressed further in a separate article on accounting issues for Advanced Audit and Assurance.
Written by a member of the P7 examining team