The objective of an audit is the expression of an opinion as to whether the financial statements give a true and fair view in accordance with the International Accounting Standards and in compliance with the local statutory requirements.

The phrase “expression of an opinion” has the following implications.

Management is responsible for preparing financial statements. The auditor expresses his opinion on such financial statements.

Differences between the management and the auditor on accounting issues have been satisfactorily resolved.

Correctness of the amounts in the financial statements is not “certified” or “guaranteed.”

An absolute assurance is not provided by the auditors.

Reasonable assurance of detecting immaterial errors and irregularities is not provided.

There is an unavoidable risk that even some material errors may remain undiscovered.

Future viability of the entity is not assured.

Efficiency and effectiveness with which resources have been used are not reported.


Three basic principles governing an audit are:

  1. Compliance with the code of ethics
  2. Compliance with Auditing Standards
  3. Attitude of professional skepticism.


Skepticism means “critical attitude.” The auditor should assume management to be neither honest nor dishonest. Professional skepticism implies that the auditor should not accept management representations without obtaining evidence.


Scope refers to the auditor’s ability to perform audit procedures deemed necessary. If the auditor is unable to perform audit procedures which he considers necessary, he cannot issue an unqualified opinion. Scope limitations may be due to the client’s restrictions or general circumstances, for example when the auditor’s appointment is made after year-end and consequently he is unable to attend the physical inventory count.


  1. Time, distance and cost make it impracticable for all users, even if they are knowledgeable, to have direct access to the underlying accounting records and to verify the financial statements themselves. They place much reliance on auditors for verification of financial statements.
  2. An audit provides a moral check on employees of an entity. When the employees know that their work is to be verified by an independent auditor, they take care to minimize errors. The chances of fraud are also reduced. The management personnel know that their assertions will be subject to verification. They would therefore be inclined not to deviate substantially from recognized accounting policies.
  3. Section 233 of the Companies Ordinance, 1984 requires that the financial statements should be audited by the auditors of the company, and a copy of the auditor’s report should be sent to every shareholder at least 21 days before the annual general meeting.
  4. An audit requires in-depth knowledge of the business from the viewpoint of the owners. This may enable the auditor to give useful recommendations for improving the operations of the client.


Agency theory implies that the agent should work in the best interest of the principal.

Auditors are the agents of shareholders and it is expected that in case of conflict of interest, they should consider their duties to the users.

In the absence of an agency relationship, the users will not have enough confidence in the audited accounts.


  1. The objective of an audit is to express an opinion whether or not financial statements give a true and fair view.
  2. The risk that the auditor may give an opinion that financial statements give a true and fair view when financial statements are materially misstated, is called audit risk.
  3. Audit risk has three components.
    a) Inherent risk
    b) Control risk
    c) Detection risk.
  4. Inherent risk is the susceptibility (proneness to error) of an account balance or of the financial statements as a whole.
  5. Inherent risk may exist at two levels.
    • Financial statement level
    • Account balance level.
  6. Risks at financial statement level.
    i) Integrity of management. Inherent risk for manipulation of financial statements is greater where management integrity is questionable than in those entities where management is honest and straightforward.
    ii) Management experience and knowledge. Financial statements are more susceptible to misstatement where personnel in the finance department lack adequate knowledge and skills than in those entities where staff is qualified and experienced.
    iii) Unusual pressures on management. Unusual pressures on management may affect the fairness of financial statements.

    Pressures from banks for maintaining the required current ratio and debt to equity ratio may lead to deliberate misstatement of financial statements if the entity is short of working capital.

    iv) Factors affecting the industry in which the entity operates and the nature of the entity’s business. The following factors may increase the risk of material misstatement.
    • High technology
    • Declining demand of industry products
    • Frequent changes in product technology and fashions
    • Many business failures.

  7. In order to reduce the impact of such risk, the auditor may decide to assign staff with better knowledge and skills to the engagement, supervise more closely, use the work of experts if required, and consider the validity of the going concern assumption.
  8. Risk of material misstatement may also exist at the account balance level, class of transactions and disclosures. Such considerations directly assist in determining nature, timing and extent of further audit procedures at assertion level.
  9. Inherent risk relating to account balance.

    Account balance refers to specific balance sheet or income statement account. For example, account receivable, inventories and sales.

    Class of transaction refers to a group of transactions with similar characteristics, for example, cash receipts and cash payments are classes of transactions.

    i) Accounts which involve a high degree of estimation.
    • Work in process
    • Inventory obsolescence
    • Doubtful accounts
    • Growing crops.

    ii) Complexity of transactions or other events which may require using the work of an expert.
    • Provision for pensions
    • Revaluation of assets
    • Petroleum reserves
    • Quantities of underground minerals.

    iii) The degree of judgment involved in determining account
    The following accounts may have a high degree of inherent risk:
    • Measuring of work completed and estimating costs to complete on construction work in progress.
    • Provision for contingencies.

    iv) Susceptibility of assets to loss or misappropriation.
    Some assets are more susceptible to theft than others. For example, cash is more vulnerable to theft and misappropriation than machinery.

    v) Completion of complex and unusual transactions, particularly at or near period end.

    Complex transactions and adjustments made at year-end which are difficult to audit will increase inherent risk. An example is significant year-end adjustments for intercompany transactions, the validity of which may be difficult to establish.

    vi) Transactions not subject to ordinary processing.
    • Loss by fire
    • Assets revaluation.

  10. Control risk is the risk that the entity’s internal controls will not prevent, detect and correct material misstatement. Some control risk always exists because of the inherent limitations of internal controls.
  11. Inherent limitations of internal controls:
    (a) Cost vs. benefit consideration.
    Assume the management would like to control inventory levels. The inventory of the entity comprises:


    It would be more cost effective to control only 155 items comprising 20% of total items but covering 80% of value. Costs associated with establishing re-order levels, maximum / minimum levels, economic order quantities, and perpetual records for 620 items may exceed the benefits that accrue from controls. 80% of inventory items will therefore not be subject to the same controls as the remaining 20% of items.

    (b) Most internal controls tend to be directed at routine transactions rather than non-routine transactions.
    Management will normally establish policies and procedures relating to sales of the products and receivables. However, control policies may not exist for transactions of an exceptional nature, for example the sale of scrap. In the absence of adequate controls over scrap, the proceeds of sale may be misappropriated.

    (c) The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions.

    (d) The possibility of circumvention of internal control through the collusion of a member of management or an employee with parties outside or inside the entity. Circumvention means evasion; collusion is fraudulent understanding. It involves collaboration between two or more persons for fraudulent purposes.

    The entity’s internal control provides that no supplier’s invoice will be paid unless it is matched with the goods received note and purchase order. A supplier invoiced 100 units in accordance with the purchase order but delivered only 80 units. As a result of collusion with the storekeeper, only 80 units were supplied. The fraud may not be detected on a timely basis.

    (e) The possibility that a person responsible for exercising an internal control could abuse that responsibility.

    (f) The possibility that procedures may become inadequate due to changes in the conditions, and compliance with procedures may deteriorate.

  12. Inherent and control risks are the entity’s risks. The auditor is required to make an assessment of such risks. ISAs describe the combined level of inherent and control risks as “risk of material misstatement”. Such risk assessments may be expressed in percentages or in non-quantitative terms such as low, medium or high.
  13. Detection risk is the risk that the auditor’s procedures will not detect material misstatement in an assertion.
  14. There is an inverse relationship between detection risk and the combined level of inherent and control risk. For example, when inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, the auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level.


The audit risk model is used in preparing the audit program.

Three components of the audit risk are expressed in the form of audit risk model:

                               AR = IR x CR x DR

Where:

AR is audit risk; IR is inherent risk; CR is control risk and DR is detection risk.

For example, the auditor has to evaluate the inventory pricing assertion. His assessment of inherent risk is high (say 80%); the controls over inventory pricing are quite weak, with a consequent high control risk (say 70%); the detection risk is estimated at, say, 20%. The audit risk works out to 11% as follows:


If the 11% audit risk for the assertion is considered to be too high and the auditor desires to restrict the audit risk say to 2%, the only way to attain the lower risk is to make an appropriate reduction in detection risk. This is because the auditor can only assess inherent and control risk but cannot reduce such risks. (Except where the client subsequently implements auditor’s recommendations on improvement of internal control, the control risk may be reduced subsequently.)

Since we have determined the level of acceptable audit risk, it is possible to ascertain detection risk using the audit risk model.

                              DR = AR / (IR x CR)
                              = 2% / (80% x 70%)

 The effect of high inherent and control risk has been offset by reducing the detection risk. An inverse relationship therefore exists between detection risk and combined level of inherent and control risk. That is, when inherent and control risks are high, acceptable detection risk needs to be low to reduce the audit risk to an acceptably low level. Likewise, when inherent and control risks are low, the auditor can increase detection risk and still attain an acceptably low audit risk.

The risk assessment also has the advantage of avoiding over-auditing in low risk areas. For example, if acceptable audit risk is 4%, inherent risk is assessed at 70% and control risk is assessed at 15%, the detection risk would be:

                                     DR = AR / (IR x CR)
                                     = 4% / (70% x 15%)

Thus, even if the risk of the auditor’s substantive tests not detecting material errors is 38%, the substantive procedures would be adequate to restrict audit risk to 4%.

Although the detection risk may be controlled by the auditor to a substantial extent, it is not possible to eliminate it entirely even if 100% of transactions are verified.

Where inherent and control risks are high, an extremely high level of detection risk is an indication that the auditor has not obtained sufficient appropriate evidence to form his opinion.

For example, the following would be an unsatisfactory audit coverage:

                                 IR 90%
                                 CR 80%
                                 DR 40%
                                 AR = IR x CR x DR
                                 = 90% x 80% x 40%
                                 = 29%

As stated earlier, the audit risk model serves as a tool to minimize the risk of issuance of an unqualified opinion on a set of financial statements which are materially misstated, and at the same time avoids over-auditing.
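The model's arithmetic as an added example (not part of the original text): it solves AR = IR x CR x DR for the planned detection risk using the page's figures and bands. The function names, the 95% ceiling on detection risk and the rejection of zero assessments are assumptions made for the illustration.

```python
"""Audit risk model AR = IR x CR x DR, solved for the detection risk to plan for."""

DR_CEILING = 0.95  # assumed cap: some substantive testing is always performed


def _check(name: str, value: float) -> None:
    # A zero assessment would make AR zero whatever DR is, so it is rejected.
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value!r}")


def audit_risk(ir: float, cr: float, dr: float) -> float:
    """Audit risk actually achieved for the given assessments."""
    for name, value in (("IR", ir), ("CR", cr), ("DR", dr)):
        _check(name, value)
    return ir * cr * dr


def required_detection_risk(target_ar: float, ir: float, cr: float) -> float:
    """Highest detection risk that still keeps audit risk at target_ar."""
    for name, value in (("AR", target_ar), ("IR", ir), ("CR", cr)):
        _check(name, value)
    return min(target_ar / (ir * cr), DR_CEILING)


def risk_band(risk: float) -> str:
    """Bands from the page's guidance: <20% low, 20-70% moderate, >70% high."""
    if risk < 0.20:
        return "low"
    return "moderate" if risk <= 0.70 else "high"


def coverage_is_adequate(target_ar: float, ir: float, cr: float, dr: float) -> bool:
    """True when the planned detection risk keeps audit risk within target."""
    return audit_risk(ir, cr, dr) <= target_ar + 1e-12


if __name__ == "__main__":
    # Scenarios use the page's figures; the 5% target in the last one is constructed.
    print(f"{audit_risk(0.80, 0.70, 0.20):.1%}")  # inventory pricing assertion
    dr = required_detection_risk(0.02, 0.80, 0.70)
    print(f"{dr:.1%} ({risk_band(dr)})")
    dr = required_detection_risk(0.04, 0.70, 0.15)
    print(f"{dr:.1%} ({risk_band(dr)})")
    print(coverage_is_adequate(0.05, 0.90, 0.80, 0.40))
```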

Following matters are to be considered in using the model:

  1. It is not practicable to exactly translate various risks into percentages. However, the model provides a useful guide for preparing audit program.
  2. The inherent or control risks may not be assessed to be zero. If control risk is assessed at zero, the model will show the audit risk to be zero. For example, if inherent risk is assessed at 80%, control risk is assessed at zero and detection risk is 90%, the equation will reflect audit risk to be zero.

                                    AR = IR x CR x DR
                                    = 80% x 0 x 90%
                                    = 0

    On this basis, however, it would be an absurdity to issue a clean audit opinion with 100% detection risk.

  3. A minimum amount of substantive procedures has to be applied, even if inherent risk is very low and controls are extremely effective. What constitutes an acceptably low audit risk depends upon the professional judgement of the auditor. However, lowering audit risk to zero is not practicable. Also, reducing the audit risk to an extremely low level may not be feasible, as the cost involved in reducing detection risk may be exorbitant and would exceed the value to the users of financial statements.

    In fact the whole objective of audit planning, controlling, using the work of an expert and internal auditors, detailed testing, analytical reviews, obtaining knowledge of the business and other audit procedures is to minimize audit risk to an acceptably low level.

    The auditor assesses the risks as low, moderate or high. The following guidance may be useful in determining the level of risk:

    Less than 20%      Low
    20 to 70%          Moderate
    Over 70%           High

    The auditor should consider the assessed level of inherent and control risks in determining the nature, timing and extent of substantive procedures.

    How the auditor’s assessed level of inherent and control risk affects determining nature, timing and extent of substantive procedures can be explained with the following example:

    Assume that the control procedures in an entity as regards sales (occurrence) require that sales invoices be matched with delivery notes before entering the invoices in the sales journal. The tests of controls revealed that near year end many sales invoices were recorded without corresponding delivery notes. The auditor concluded that the control risk over sales (occurrence objective) is high. The non-compliance with the control may indicate an overstatement of sales. The overstatement of sales will also affect the reported balance of accounts receivable. The auditor will have to modify his substantive tests to verify the year end valuation of accounts receivable (valuation assertion). One of the procedures would be to send positive confirmations to a large number of customers at year end. A comparison of the effect on the auditor’s substantive tests (confirmations) resulting from high or low inherent and control risks is as follows:


    Nature means which substantive test to perform.

    Timing means when to perform.

    Extent means how much testing to perform.

    There is an inverse relationship between detection risk and combined level of inherent and control risk.

    This does not mean that when the combined level of inherent and control risk is high, the detection risk will be low. It rather means that when the combined level of inherent and control risk is high, the detection risk needs to be low.

    Directors’ responsibility as regards financial statements.

    – Implementing a system of internal controls relevant to the preparation of financial statements
    – Selecting appropriate accounting policies
    – Making accounting estimates.

