Risk based audit

INTRODUCTION

Many of us think that the job of an auditor is very fascinating and easy, but it is not so, the job of an auditor is very hectic and involves lot of hard work and commitment. It involves checking whether the financial statements of the entity are free from material  mis-statement, are in accordance with the applicable accounting standards, checking the internal controls of the entity which are relevant for the audit, and lastly to express an opinion on the financial statements

The work of an auditor is very time consuming and it is not possible to 100% check the Books of Accounts of the entity. So, the auditor adopts Sampling and judgement based on his past experience and knowledge. But there is always the risk of presence of the material mis-statement in the Books of Accounts that may remain undetected. So, the auditor needs to follow Risk Based Audit Approach.

DEFINITION

The Risk Based Audit Approach is designed and implemented by the auditor to focus the nature, timing and extent of the audit procedures on those areas which have high potential of material mis-statement. The auditor should focus on those areas where there is high risk of material mis-statements as compared to those where there is low possibility of risk.

SA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment and SA 330 The Auditors’ Responses To Assessed Risks are the two Standards on Auditing among others that concentrate on this topic.

The Risk Based Audit Approach first requires an auditor to understands the entity and its environment. By doing this he is able to identify the risks that may result in material mis-statement. Next, he performs assessment of the identified risks. It involves considering the nature of risks, areas which could be affected, considering whether it is pervasive or not, gathering audit evidence for the same.

NEED FOR RISK BASED AUDIT PLAN

Every audit assignment presents a different challenge to an auditor because two audit assignments  cannot be same. For example two entities differ from each other in the terms of their structure, ownership and nature. There is no specific approach to audit, but it is normally believed that the risk based approach to audit will minimize the chances of the risks that are present in the financial statements and will present the true and fair view. Since time is the limiting factor and it is not possible to review each and every account, transaction and balance, hence the auditor adopts risk based audit approach and plans his work accordingly.

AUDIT RISK

It is the risk that the auditor might express an wrong opinion on the financial statements. For example, the auditor might say that the financial statements gives an unqualified opinion without knowing that the financial statements are materially mis-stated. Three elements of the audit risk are as follows:-

a. Inherent Risk: It is the risk that there might be material mis-statements in the financial statements due to omission or the errors that are committed while preparing the financial statements. Inherent risk is generally considered to be higher where a high degree of judgment and estimation is involved or where transactions of the entity are highly complex.

b. Control Risk: It is the risk that arise due to the absence or not appropriate internal controls in the entity. It is the function of the effectiveness of the design, implementation and maintenance of the internal controls by management. Control risk is considered to be high where the audit entity does not have adequate internal controls to prevent and detect instances of fraud and error in the financial statements.

c. Detection Risk: It is the risk that the auditor might fail to detect the material mis-statements that are present in the financial statements. Some of the detection risk is always present due to the inherent limitations of the audit. Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

d. Objectives of an Auditor: An auditor should identify and assess the inherent and control risks in the entity. Accordingly he should design and perform appropriate compliance and substantive procedures that provide sufficient and appropriate evidences.

PROCESS

Generally the following steps are involved in the Risk Based Audit Approach:

1. Understanding: It means understanding the entity and its environment for identifying and assessment of the risks. An auditor should have the knowledge about the entity and its environment like the nature,  the structure, the ownership and the internal controls of the entity. This information can be obtained by observation, enquiry, inspection, documentation, and performing analytical procedures.

Understanding the entity’s internal control framework is often problematic for auditors, particularly in knowing what controls to focus on, and what type of information, and how much information, to obtain on the controls. Auditors need to understand those controls (individually or in combination) that are considered likely to be relevant to the audit (for example controls related to financial reporting) – not all the controls the entity employs in managing its business.

2. Risk Assessment: Understanding the entity and its environment helps the auditor to identify those areas where there can be risk of material mis-statements. With his skill, knowledge and experience he is able to detect those accounts, balances and transactions where the risks exist. After identifying the risks then he has to assess the risks ie evaluate the impact of the risks, whether they are material or not, whether they are pervasive or not. Then accordingly he plans his audit procedures ie Substantive and Compliance Procedures.

The initial risk assessment is performed at the audit planning stage, with it being reassessed and revised if new risks are identified during the audit. The auditor exercises professional judgement in evaluating and classifying each risk according to its potential to create a material misstatement in the financial report as a whole or at the account and assertion levels.

3. Response: Responding to risks involves obtaining Sufficient and Appropriate Audit Evidence regarding the assessed risks of material mis-statement. An auditors needs to design his response to the assessed risks after evaluating the following points:

a. The overall effect of the identified risk on the financial statements, and

b. The effect of the risk on the assertion level for each class of transaction, account and balances.

Conclusion: Once the audit procedures have been performed to the assessed risks the auditor now evaluates that whether the audit evidence that are obtained are sufficient and appropriate or not and if he thinks that appropriate evidences have not been obtained then he needs to revise his audit procedures and perform them again.

AUDIT PROGRAM

The design of the audit program to address identified risks involves:

i. Setting the test objectives (what assertions are to be tested and why)

ii. Identifying whether the use of experts/ specialists is required

iii. Identifying when to address the risk (interim and/or year-end)

iv. Determining, where applicable, whether previous audit evidence can be used (including how it can be updated for the current audit)

v. Identifying whether there are relevant controls to test

vi. Specifying the type of testing for areas with normal risk and those with significant risk – ie whether substantive testing alone or a combination of substantive and controls testing is required

vii. Determining the extent of reliance on the test results

viii. Specifying additional audit procedures to be followed if the testing identifies issues/problems.

DIFFERENCE: (Between Traditional Approach and Risk Based Approach of Audit)

1. In the traditional important risks might be neglected but in the risk based approach important risks are properly managed.

2. In the traditional approach audit plan is based on the time duration whereas in risk based approach it is based on the risks identification and evaluation.

3. In the traditional approach the focus is on the deficiencies in the control system of an entity whereas in the risk based audit approach it is on the risks which are not properly controlled.

4. In the risk based audit approach the auditor obtains the information about the entity and its environment well in advance whereas in the traditional approach he gradually understands the entity.

BENEFITS OF RISK BASED AUDIT

Following are the benefits of the risk based audit approach:-

1. In case there is any law suit against the auditor for the negligence, the auditor can easily provide the justification for the work carried by him,

2. More efficient way to conduct an audit. It helps to eliminate under or over auditing,

3. This approach helps an auditor to identify the high risk areas where more work is to be performed as compared to the low risk areas,

4. This approach saves time and efforts.

5. Improving the understanding and communication of the risks and how to prevent them in the future.

CONCLUSION

Lastly we can say that with the growing size of the entities and increase in the number of frauds and errors, Risk Based Audit Approach of auditing is really helpful for the auditors because it saves time, efforts and minimizes the risks that are present in the financial statements of an entity.

Contributed By: Deepika Agarwal (CA Final Student)