The Risk Based Audit
The risk-based approach requires the auditor to first understand the entity and
its environment in order to identify risks that may result in material misstatement
of the financial report. Next, the auditor performs an assessment of those risks at
both the financial report and assertion levels. The assessment involves considering
a number of factors such as the nature of the risks, relevant internal controls and
the required level of audit evidence.
The result of the assessment effectively categorises the audit into a) areas of
significant risk of material misstatement that require specific responses and b)
areas of normal risk that can be addressed by standard audit work programs.
Having assessed risks, the auditor then designs appropriate audit responses to
those risks in order to obtain sufficient appropriate audit evidence on which to
conclude. Risk assessment continues throughout the audit, and the audit plan and
procedures are amended where a reassessment is necessary. So let's work through
these key steps in more detail.
risk that is likely to occur. Where no significant risk(s) has been identified, a
normal level of risk exists. The auditor may identify circumstances that lead the
auditor to believe the risk has a probability (likelihood) of occurring. Any such
circumstances are particular to each entity and may be identified through the
auditor's prior experience with the entity, the knowledge that inexperienced entity
staff are working in a complex area or the auditor's knowledge of known
difficulties in obtaining or verifying particular information required for the audit.
Significant risks, by their very nature, require the auditor to design
specific/tailored audit procedures to address them; those included in a standard
audit work program are usually not appropriate.
The risk assessment determines the nature, timing and extent of audit procedures
to respond to identified risk appropriately, the general rule of thumb being: the
greater the level of risk, the more persuasive the audit evidence required to reduce
its potential to an acceptable level. It is therefore critical to properly assess risks
so that audit time and effort are spent efficiently and effectively in testing
significant risks.
Step 3: Responding to identified risk
Responding to risk requires the auditor to obtain sufficient appropriate audit
evidence regarding the assessed risks of material misstatement, through designing
and implementing appropriate responses to those risks (ASA 330, paragraph 3).
The auditor needs to relate (and document) each identified risk directly to the
assertion level and the overall financial report impact, with the response planned
to gain sufficient appropriate audit evidence on which to base the auditor's
opinion.
The experienced auditor designs responses to assessed risks based on the
following:
- The overall effect the identified risk may have on the financial report (for
  example, overstatement or understatement of certain material account balances)
- The effect that the identified risk has at the assertion level for each class of
  transactions, account balance or disclosure
- The expected test results in terms of whether they will meet the test
  objectives.
The design of the audit program to address identified risks involves:
- Setting the test objectives (what assertions are to be tested and why)
- Identifying whether the use of experts/specialists is required