Auditing - The Risk-Based Approach Introduction

Risk, plays a large part in the world of Auditing. Audit risk, represents risk to an auditor or an audit firm,
as the risk of paying damages to a client may arise out of negligent work when trying to show a true and
fair view of a set of company accounts. All audit work involves some level of risk; this may be because a
set of company accounts have been misstated due to error or fraud, or the auditor failed to detect the
errors or fraud. In addition, these problems may have occurred due to inadequate sample sizes when
determining the level of risk or the auditor failed to use proper auditing policies.

To evaluate the level of risk related to specific areas of the audit, three components can help. The first is
Inherent risk were environmental factors, (background knowledge of the client and were past audits
indicate no difficulties) are concidered against whether or not they would lead to a material error, before
considering the 'function of internal controls'. Next is Control risks were the 'system of internal controls' is
assessed against the possability of preventing material error, or detecting it in time using internal
controls. Last is Detection risk were the auditors procedures may fail to detect a material error not picked
up by the internal controls.

This report explains why the risk-based approach has become popular with external auditors and how it
has been linked to materiality and sampling levels.

Findings Risk Based Approach The role of an external audit, no matter what type of organisation it is, is to
show a true and fair view of the company accounts and to abide by the auditing standards. Recently the
risk-based approach has become as valued as auditing standards and adopted by most. The reason for it
becoming so popular is that this audit approach helps the auditor to evaluate the level of risk to a
particular area of the audit, i.e. specific accounts and transactions. Consequently, auditors can '...avoid
both overauditing and underauditing and can distribute work more evenly throughout the year.' Grobstein
and others (1985 p29).

Besides, focusing on the level of risk the risk-based method helps to evaluate and build value into the
financial reporting process and the clients company. In order to do this the auditor must have an up to
date insight of the clients business and activities

The Audit Quality Forum (2005) thus concluded than a simple agency model involves that, “ as a result
of information asymmetries and self-interest, principals lack reasons to trust their agents and will seek to
resolve these concerns by putting in place mechanisms to align the interests of agents with principals and
to reduce the scope for information asymmetries and opportunistic behaviour ”.

Assessing audit risk follows a sequential step that will lead auditor to arrive at proper audit
assessment conclusion for better decision making for the target organization. The first of
these steps is an adequate understanding of the client and its environment. While not
limited to immediate working space we also talk of the atmosphere that the competitors
create, the government policies and well as the demographical set up of the environment.
These factors have a direct impact on the business. Secondly, the auditor should be in the
position to understand the internal factors that mitigate the risk of not achieving the set
objectives. The auditor should be able to analyze the controls set within the business and
their direct impact on the operations of the business. The third step to undertake in the audit
process is setting up a meeting with stakeholders or the audit team where you will be
brainstorming on the analysis done in the above two steps. By analyzing every risk and
exhaustively discussing it, the team should arrive at resolutions that will be implemented for
business prosperity. The final step would be concluding all the work that has been done.

Analytical procedures are significant as it helps in evaluating financial information by

pointing out the relationship between the economic data and the non-financial data which
will translate to what is expected against what is achieved. Ratio Analysis is used by the
auditor to find the comparison between the current year rations and previous year rations,
for example, dividing current assets by current liabilities which is compared with that of past
years. Secondly, using the diagnostic approach Trend Analysis is used best to calculate
and compare current year balances with that of previous years and analyzing the
deviations. The bad debts, for example, should be checked concerning sales of current and
prior years.

Risks in accounting and audit firms are most often described by the audit risk model. This
model describes how the responsibilities of management and auditors combine to determine
the risk of the auditor proclaiming the financial statements are free of material misstatement
when that is not the case. Understanding the components of the audit risk model can help you
understand how your auditor determines the extent of testing that she performs at your
company.

Inherent risk is the risk that, without considering internal controls, an account is
materially misstated due to fraud or error. Inherent risk is affected by events external
and internal to the company. For example, a tough economy, the availability of
financing or a new competitor all increase inherent risk due to factors outside the
company's control. The competency of the company's accounting staff is an inherent
risk factor that is in the company's control. If the company has complex accounting
issues, but accounting staff do not have the expertise and experience needed to
account for these issues correctly, then the risk of misstatement increases greatly.

Control Risk
Control risk is the chance that a misstatement in the company's accounting records
would not be prevented or detected in a timely enough manner by the company's
internal control system to be corrected before the end of the accounting period.
Keeping control risk at an acceptably low level is the responsibility of management.
The combination of control risk and inherent risk is sometimes called the risk of
material misstatement. The risk of material misstatement is the portion of audit risk
that is not the responsibility of the auditor.

Detection Risk
Detection risk is the risk that the audit procedures conducted by the auditor will not
detect material misstatements in the financial statements. Detection risk is the portion
of audit risk that is the responsibility of the auditor. Auditors can lower detection risk by
increasing the amount of audit procedures. This is known an increasing the extent of
testing. In addition, auditors can lower detection risk by tolerating less misstatement.
For example, auditors may determine that errors less than $5,000 are immaterial to
the financial statements. However, if the audit determines that detection risk needs to
be lowered further, he may reduce materiality to $3,000. In that case, management
would need to adjust the financial statements for any errors of $3,000 or greater.

Audit Risk
Audit risk is the chance that the auditor will issue a clean audit opinion, stating that the
financial statements are free of material misstatement, when, in fact, they are not.
Audit risk is a combination of inherent risk, control risk and detection risk and the
combination of the four types of risk are known as the audit risk model. This model
has an important implication for auditors. Because auditors can only control detection
risk, because inherent risk and control risk are the responsibilities of management, the
audit risk models shows that as an auditor wishes to keep audit risk low, his only
recourse is to reduce detection risk by increasing audit procedures or reducing
tolerable misstatement.

Risk assessment is the foundation of an audit. For auditors, it is how

we come to understand your company and plan our audit procedures
to provide the most reliable information for you and the users of your
financial statements. What is risk assessment? I will help you
understand what is involved and make the audit risk assessment
procedures run as parallel as possible with your daily responsibilities.
Audit risk assessment procedures are performed to obtain an
understanding of your company and its environment, including your
company’s internal control, to identify and assess the risks of material
misstatement of the financial statements, whether due to fraud or
error. These procedures usually take place before your fiscal year has
been completed and include various procedures, such as inquiries
with management and other selected employees, analytical
procedures, observations of controls in operation and inspection of
documents to show controls have been implemented.
While obtaining an understanding of your company is self-explanatory,
our goal in understanding your company’s internal control is to
evaluate whether you (management), with the oversight of those
charged with governance, have created and maintained a culture of
honest and ethical behavior, as well as assessing whether the control
environment contains any deficiencies in established processes. We
also look to identify company risks relevant to financial reporting, in
addition to estimating the significance of those risks and their
likelihood of occurring, to help decide what audit procedures need to
take place to address those risks.
While our inquiries with management help us get an understanding of
internal controls, we also need to see examples of these being
performed. Walkthroughs are performed, with the help of your
company personnel, to observe segregation of duties along with
inspecting certain documents (invoices, purchase orders, etc.) that are
used as supporting evidence for the operation of key controls that
impact financial reporting. Analytical procedures are also performed,
which are comparisons (usually multiple-year) of significant financial
statement line items (revenues, payables, etc.), and financial ratios
derived from those line items. These are compared to our
expectations based upon discussions with key management
personnel and other available industry information to identify any other
areas of risk related to the financial statements that may impact the
audit.
In summary, if an audit is the main course, then risk assessment is the
appetizer. It provides us with information that is used not only for the
year under audit, but future years to come. Audit risk assessment
procedures are a vital part to any audit and treated as such by us and,
hopefully, your company as well

Understanding audit risk assessment

procedures
https://www.hhcpa.com/blogs/audit-accounting/audit-risk-assessment-procedures/

Inviting in an impartial third party to gain a better understanding of the organization is an

invaluable asset that companies of all shapes and sizes utilize. External audits achieve
a variety of objectives: identifying and preventing material misstatement, evaluating
business operations and finding improvements, assessing your procedures and
procedures to determine compliance with industry regulations and standards, detecting
issues relating to information systems and security, analyzing issues related to payroll
and wages. The list goes on. No matter the objective, in order to develop a strong audit
plan and strategy moving forward, external auditors need to take the time to evaluate
risk from the get-go.

An external audit risk assessment, when conducted properly, helps you do your job
better. It gives auditors insights into what the most effective use of your time will be.
From the results, you can determine in a general sense what you need to do and what
you can skip, helping your audit to be more efficient and effective. Risk assessments
bring several other far-reaching benefits to your audit process, as well.

Through an external audit risk assessment, an auditor can engage people with valuable
knowledge at a company. Those in management, those that handle internal auditing procedures
and anyone else that you feel have knowledge of the inner workings of a company are at your
fingertips. These individuals work every day in the environment your auditing and can help you
identify risk in a number of ways, whether that risk is in the form of fraud, errors or operational
weaknesses.

Before the audit even begins, you can gain a sense of where personnel feel risk exists, how the
company functions and what the situation is regarding revenue and expenses. You can also
uncover more specific information from assessing the right people such as who the key vendors,
suppliers and partners for the company are, what resources the company needs and how they
obtain them and how overall industry performance is affecting the organization specifically.

Leveraging internal risk experts, department managers, directors and those who have a vested
interest in ensuring compliance helps you see the risk landscape as they see it. This insider’s
point of view will make your eventual audit report more effective in addressing the highest
priority concerns.

Understand Internal Procedures and Controls

To effectively initiate an audit and uncover areas of breakdown of processes, an external audit
risk assessment can be used to help you determine the procedures, policies and controls that
govern operations on a daily, weekly and monthly basis. Before you ever step foot on the
premises or perform any onsite walkthroughs, you’ll understand the segregation of duties and the
basic work processes employees follow to complete these duties.

During financial audits, for instance, an external audit risk assessment is a necessary step to
illuminate where fraud or errors could be occurring. Unknowns such as who approves the
payments, who signs the checks, who has the authorization to open and close bank accounts and
what the spending limits are for credit cards can be determined. You can figure out very quickly
through a risk assessment if an organization has strong financial controls in place and if
employees know and follow procedures in place.
You can also use this tool to evaluate the systems a company has in place. In this era, it’s a rarity
to come across a business that doesn’t rely on software at least to some degree, and these online
tools can be an area of significant risk. While forming your audit strategy, it’s important to know
what software systems are being used, how data is recorded and stored with them, how secure
they are and who has access to them. With this information, you can determine if it’s even
possible to find an audit trail, if this information could have been potentially compromised and
which employees you need to talk to.

There are also more general processes you can learn about through an external audit risk
assessment. These can include daily operations many have overlooked such as who has access to
company mail and if any outside parties work within the company frequently. Understanding
these internal controls – or the lack of controls – will lead you to the places where risk is most
likely to exist.

Observe and Analyze the Environment

If a risk is defined as anything that affects the goals and objectives of the company – fraud,
mistakes, organizational shortfalls – then it’s important to understand what those objectives are.
Through a risk assessment, auditors can determine those objectives and goals that motivate every
process throughout an organization.With this information, the observation and analysis they
conduct will be informed.

Analyzing the environment in which a company exists reveals information that can lead to the
identification of threats to objectives. An external audit risk assessment can uncover information
such as the presence of any outside pressures from competitors, changes in important
relationships with company partners, issues related to pricing or cash flow and other economic
pressures that could make the environment more risky.

On a more micro level, close observation and analysis of assessments over time will also help
auditors document recurring accidents, errors or mistakes more accurately. People tend to make
the same mistakes over and over again, especially when they may be unaware their actions even
need to be corrected. Keeping a summary of your risk assessments over a given period will help
you identify these patterns and make the company aware of where they need to give their
attention.

Determine the Highest Priority Risks

Most important to your audit plan, performing a risk assessment helps you identify the risks that
are going to be the highest priority. Through thorough inquiries with key organizational
members, gaining an understanding of policies and procedures and inspection of the
environment, you are able to zero in on the areas you believe will present the greatest degree of
risk throughout your audit.

An external audit risk assessment can give you many of the pieces to the puzzle that is any audit.
Yet, many auditors will overlook this initial step altogether or perform an abbreviated version of
it. Usually, that’s because risk assessments can easily become a time-consuming, tedious aspect
of the process that seems to hold you back from conducting the actual audit. Taking the time to
do it correctly saves you a lot of time and energy down the road, though.

Automate the Risk Assessment Process

Moving away from spreadsheets to a more advanced, streamlined risk management platform will
save you time and improve your risk analysis for every audit. For each client, the external audit
risk assessment process can be maintained in one location along with other auditing materials,
making you both more organized and provide more consistent auditing services.

By using TotalCompliance Risk from ComplianceBridge, you can build risk assessments quickly
in a matter of minutes and use a variety of question types to make your assessments as powerful
as possible. Multiple choice, risk rating, yes/no and fill-in questions help you gain a clear picture
into the risk of the entity your assessing. Weighting certain answers and providing conditional
questions gives you a more precise analysis.

Easily create, approve and distribute assessments through automated workflows. Reminders and
notifications will keep you and those you’re assessing up to date throughout the process. As
answers start coming in, you can view them in real-time. Analytical and reporting features give
you insights into your data down to a granular level. All data you collect with TotalCompliance
Risk can be exported for use in audit reports and presentations.

An external audit is a reliable way for companies and organizations to learn more about their
own internal processes and potential improvements. Increase the efficacy and efficiency of your
audits by employing a software built to handle the complexity of audit and risk management.
Request a demo with ComplianceBridge today and learn more about the benefits of managing
risk in your external audits.

Watch a 2 Minute Demo of TotalCompliance

Find out more about TotalCompliance’s Policy & Procedure Software, as well as its Risk Management
Software by watching a two-minute demo.