Audit2: Risk-Based Approach

Objectives of the Topic


 * Suggest why risk-based approaches have become more important.
 * Define audit risk and business risk and show how auditors approach risk.
 * Understand the objective of each phase in the audit process and the evidence that has to be collected at each audit stage.

Definition
An audit is a complete and careful examination of selected financial records of a business or person.

At the end of an audit, auditors prepare a report of their findings, where they express their opinions on the truthfulness and fairness of the financial statements, as well as whether the statements comply with the required regulations and accounting standards.

Risk-based Approach
RBA helps financial institutions to allocate their resources in the most efficient way, meaning that the institution is able to prioritize and focus on essential risks and apply preventive measures that are commensurate to the nature of risks. Domains of risks with less importance could apply lighter measures.

What Are the Benefits of Risk-Based Approaches in Internal Audit? A risk-based audit approach allows internal auditors to respond to organizational risks more timely and provide insights to management to help solve problems on a regular cadence. To enhance those insights, the use of data is critical.

Business Risk
A risk resulting from significant conditions, events, circumstances, actions and inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

ISA 315 is concerned with those business risks that may cause material misstatement (para. 11 (d) of ISA 315), reflecting the fact that not all business risks will cause material misstatement and heighten audit risk.

Business Risk Assessment and Risk Assessment Procedure
 * Risk-based approach to auditing:
 * Develop an understanding of management’s risk management and control processes
 * Develop understanding of the business and the risks it faces
 * Use the identified risks to develop expectations about account balances and financial results
 * Assess the quality of control systems to manage risks
 * Determine residual risks, and update expectations about account balances
 * Manage remaining risk of account balance misstatement by determining the direct tests of account balances (detection risk) that are necessary


 * There are a number of information sources (including electronic sources) that auditors use to develop an understanding:
 * Knowledge management systems
 * Online searches
 * Review SEC filings
 * Company websites
 * Economic statistics
 * Professional practice bulletins
 * Stock analysts’ reports

Audit Risk

 * Audit Risk
 * The risk that the auditor may provide an unqualified opinion on materially misstated financial statements.
 * The auditor assesses engagement risk first, then sets audit risk.


 * What is the primary objectives of the audit risk
 * The auditors can identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures.
 * Risk of material misstatement at the financial statement level
 * Risk of material misstatement at the assertion level.


 * Audit risk is inversely related to engagement risk:
 * If the auditor accepts a client with high engagement risk
 * The auditor must conduct a more rigorous audit
 * The auditor does this is by setting audit risk at a low level
 * If the auditor accepts a client with low engagement risk then the auditor will set audit risk at a higher level


 * The audit risk model allows the auditor to consider the following:
 * Complex or unusual transactions are more likely to recorded in
 * error than simple or recurring transactions.
 * Management may be motivated to misstate earnings or assets, and
 * Better internal controls mean a lesser likelihood of misstatement

AR = IR x CR x DR AR = Audit risk IR = Inherent risk CR = Control risk DR = Detection risk


 * Inherent Risk (IR)
 * Is the susceptibility of an assertion to a misstatement that could be material, assuming that there are no related controls.
 * Inherent risk is higher for some items:
 * Complex transactions, which are more likely to be misstated than simple transactions.
 * Estimated balances which are more likely to be misstated than fact based balances.


 * Control Risk (CR)
 * Risk that a misstatement that could occur in an assertion and that could be material will not be prevented or detected and corrected on a timely basis by the entity’s internal controls.
 * This risk highlights the following:
 * The quality of controls often varies between classes of transactions.
 * The more effective the internal controls, the lower the risk factor that could be assigned to control risk.
 * The auditor assesses control risk (inversely related to detection risk & directly related to evidence)

material.
 * Detection risk (DR)
 * risk that the auditor will not detect a misstatement that exists in an assertion that could be
 * Is a function of the effectiveness of an audit procedure and of its application by the auditor.
 * Detection risk is controlled by the auditor and is an integral part of audit planning.


 * Audit risk is set inversely to the assessed level of engagement risk.
 * After audit risk is set, the auditor assesses inherent and control (environment) risks.
 * The auditor sets detection risk inversely to environment risk.
 * For example, if the auditor is examining transactions with high inherent risk, or weak controls, the auditor will set a low detection risk.


 * Low detection risk means a low probability of not detecting material misstatements.
 * In order to achieve low detection risk, the auditor will have to perform more rigorous substantive testing
 * For example, larger sample sizes, more reliable forms of evidence, assign more experienced auditors, closer supervision, greater year-end (rather than interim) testing.
 * The audit risk model shows that the amount, nature, and timing of audit procedures depends on the level of audit risk an auditor assumes, and the level of client-related risks.


 * The auditor manages audit risk by:
 * Adjusting audit staff to reflect risk associated with a client.
 * Developing substantive tests of account balances consistent with detection risk.
 * Anticipating potential misstatements likely associated with account balances.
 * Adjusting the timing of audit tests to minimize overall audit risk.

Management's Assertions

 * Management’s assertions are claims made by members of management regarding certain aspects of a business.
 * The auditors test the validity of these assertions by conducting a number of audit tests. Assertions are evaluated within three categories:

Transaction-level assertions

 * Accuracy: Full amounts of all transactions were recorded, without error.
 * Classification: All transactions have been recorded within the correct accounts in the general ledger.
 * Completeness: All business events to which the company was subjected were recorded.
 * Cut-off: All transactions were recorded within the correct reporting period.
 * Occurrence: Recorded business transactions actually took place.

Account balance assertions

 * Completeness: All reported asset, liability, and equity balances have been fully reported.
 * Existence: All account balances exist for assets, liabilities, and equity
 * Rights and obligations: The entity has the rights to the assets it owns and is obligated under its reported liabilities.
 * Valuation: All asset, liability, and equity balances have been recorded at their proper valuations.

Presentation and disclosure assertions

 * Accuracy: All information disclosed is in the correct amounts, and which reflect their proper values.
 * Completeness: All transactions that should be disclosed have been disclosed.
 * Occurrence: Disclosed transactions have indeed occurred.
 * Rights and obligations: Disclosed rights and obligations actually relate to the reporting entity.
 * Understand ability: Information included in the financial statements has been appropriately presented and is clearly understandable.

Audit Evidence

 * Evidence is important for an auditor to draw conclusion as to whether the financial statements, as a whole, are free from material misstatement.


 * ISA 500 – Audit Evidence
 * Enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion.