The Audit Commission (2001) defined "risk" as an event or action which will adversely affect an organization's ability to achieve its objectives and to successfully execute its strategies. Risk-based auditing is a process, an approach, a methodology and an attitude of mind rolled into one. It is also a methodology or audit process that provides assurance that the risks that may occur in an organization are being managed. Risk-based auditing starts by determining which areas of the organization have the higher risk of material misstatement, caused by either high inherent risk or high control risk, and then suggests the most effective internal controls and management treatment to reduce or eliminate that risk. Areas with lower risk also have to be identified, so that the auditor knows in which areas to perform less risk-based audit work.
On the other hand, the simplest way to think about risk-based audit conceptually is to put more audit effort into the things that really matter in an organization. From the point of view of an organization's management, risk management is all about managing the threats and opportunities within the organization. The thinking is that by managing threats effectively, the organization will be in a stronger position in the industry. Additionally, if the organization manages its opportunities well, it will be in a better position to provide improved services and better value for money.
However, a problem may arise in risk-based auditing when some of the top management do not really understand the concept of controls: because they do not understand the nature of controls, they tend to regard the need for more controls as an unnecessary additional burden. Therefore, risk-based auditing is an evolution rather than a revolution, although the results obtained can be revolutionary in their magnitude.
Risk-based auditing always refers to the risk assessment auditing standards, the objective of which is to improve the quality and effectiveness of audits by substantially changing audit practice. Statements on Auditing Standards no. 104-111 provide increased rigor to the audit process in a number of key areas, including the assessment of inherent and control risks and the linking of these risk assessments to further audit procedures. However, the standards also state that the auditor is prohibited from "defaulting to the maximum" control risk. On all audit work, the auditor should evaluate the design and implementation of internal control to identify and assess risk effectively.
2.0 Risk Management Framework
To ensure that risk management, and risk management practices within the particular organization, become the concern of management and everyone in the organization, top management, with the help of internal auditors, should prepare a better framework to guide them. Below are the four key elements of an example of an excellent risk management framework that may be used in an organization:
All operating activities and business transactions within an organization, whether existing or new operations, should be assessed in order to identify material misstatements as well as emerging risks that may threaten the organization's stability in the industry.
Any risks that may occur in each new operation proposed by an organization shall be evaluated consistently in order to reduce and eliminate any potential exposure to the organization. In addition, all material risks shall be evaluated on either a quantitative or a qualitative basis.
If management manages risk well, it will automatically minimize losses and optimize opportunities. Identifying and monitoring risks is the responsibility of both top management and the accounting officers in an organization.
All detected high risks that may occur in an organization, and any material changes to the existing risk profile, must be reported to the Account in-charge so that he can make the change and reduce the risks immediately.
If an organization has an efficient and good risk management framework as its guidance in managing risk, it will help the auditors to carry out the audit and the risk-based auditing by looking at the risk management framework and at whether the whole organization is practising it or not. Auditors play an oversight role in risk management, whereby they have the responsibility to:
Advise the management on the development, implementation and review of the risk management framework
Review of the Annual Financial Statements
Respond to any issues raised by the Auditor General
Carry out any investigations into the financial affairs if any material misstatements of fraud are detected
3.0 Role of audit committee in risk based auditing
The Audit Committee will act as the board that ensures effective internal control arrangements are in place and provides a form of independent check from time to time on behalf of top management. The following list sets out what the audit committee can do to make sure that internal control is in place:
Concluding upon the establishment and maintenance of effective risk management and internal control across the whole of the organisation's activities that contribute to the achievement of the organization's objectives.
Reviewing the adequacy of all risk and control related disclosure statements such as statement of internal control, external audit opinion or any relevant independent assurance prior to endorsement by the board of directors.
Reviewing the adequacy of assurance processes that indicate the degree of achievement of strategic objectives, the effectiveness of risk management and the reliability of the above disclosure statements.
Ensuring that the strategic risks and operational risks are reviewed at least four times a year to maintain the effectiveness of risk management.
4.0 The risk-based approach, ISA 200 states:
6. The auditor should conduct an audit in accordance with International Standards on Auditing.
11. In determining the audit procedures to be performed in conducting an audit in accordance with International Standards on Auditing, the auditor should comply with each of the International Standards on Auditing relevant to the audit.
14. The auditor should not represent compliance with International Standards on Auditing unless the auditor has complied fully with all of the International Standards on Auditing relevant to the audit. The auditor may, in exceptional circumstances, judge it necessary to depart from a basic principle or an essential procedure that is relevant in the circumstances of the audit, in order to achieve the objective of the audit. In such a case, the auditor is not precluded from representing compliance with ISAs, provided the departure is appropriately documented as required by ISA 230, "Documentation".
15. The auditor should plan and perform an audit with an attitude of professional scepticism recognising that circumstances may exist that cause the financial statements to be materially misstated.
37. The auditor should determine whether the financial reporting framework adopted by management in preparing the financial statements is acceptable.
Risk-based audits require practitioners to understand the entity and its environment including internal control. The purpose is to identify and assess the risks of material misstatement of the financial statements. Because risk assessments require considerable professional judgment, this phase will likely require the time of the audit partner and senior audit personnel in identifying and assessing the various types of risk and thus developing the appropriate audit response.
The risk-based audit (RBA) approach seeks to improve audit effectiveness and efficiency by shifting the function from a policing activity to one that contributes effectively to managing risk and achieving wider organizational goals. The approach aims to increase the accountability by ensuring transparency, validating key systems of internal control, and committing resources against key risks.
Some of the benefits of this approach are summarised as follows:
4.1 Time flexibility for audit work
Risk assessment procedures can often be performed earlier in the entity's fiscal period than was possible before. Because risk assessment procedures do not involve the detailed testing of transactions and balances, they can be performed well before the year end, assuming no major operational changes are anticipated. This can help in balancing the workload of staff more evenly throughout the year. It may also provide the client with time to respond to identified and communicated weaknesses in internal control and other requests for assistance before the commencement of year-end audit fieldwork.
4.2 Audit team's effort focused on key areas
By understanding where the risks of material misstatement can occur in financial statements, the auditor can direct the audit team's effort toward high-risk areas and away from lower-risk areas. This will also help to ensure audit staff resources are used effectively.
4.3 Audit procedures focused on specific risks
Further audit procedures are designed to respond to assessed risks. Consequently, tests of details that only address risks in general terms may be significantly reduced or even eliminated. The required understanding of internal control enables the auditor to make informed decisions on whether to test the operating effectiveness of internal control. Tests of controls (for which some controls may only require testing every three years) will often result in much less work being required than performing extensive tests of details.
4.4 Communication of matters of interest to management
The improved understanding of internal control may enable the auditor to identify weaknesses in internal control such as in the control environment and general IT controls that were not previously recognised. Communicating these weaknesses to management on a timely basis will enable them to take appropriate action, which is to their benefit.
4.5 Save time on audit task
Also, this may in turn save time in performing the audit, because the auditor spends time only on the higher-risk areas and performs audit procedures tailored to the identified risks of each individual audit job.
4.6 Improved audit file documentation
The ISAs place a lot of emphasis on the need to carefully document each step of the audit process. Although this may add some additional cost at first, careful documentation will ensure that an audit file can stand by itself without the need for any oral explanations of what was done, why it was done, or how the audit conclusions were reached.
4.7 Leverage auditor's knowledge
Besides that, risk-based auditing is able to leverage the experienced auditor's knowledge of the client's operations and experience in prior audits to determine the level of assurance needed in significant audit areas.
4.8 Management's Audit Plan
It results in an appropriate audit coverage plan, which provides a road map for the management of internal audit staff skills so that they are available to carry out audits of appropriate scope when they are needed the most. The risk-based internal audit results in a process-oriented audit with a risk management perspective, which gives advice to management on the steps to be taken for effective risk management.
So, the benefit of risk-based auditing is that if the auditor has knowledge of the client's operations and experience in prior audits with which to determine the level of assurance needed in significant audit areas, the auditor will perform a more efficient and effective audit that is specially focused on the high-risk areas.
5.0 RISK BASED AUDIT PLAN
The auditor should properly plan the audit of internal control over financial reporting and properly supervise the engagement team members. When planning an integrated audit, the auditor should evaluate whether the following matters are important to the company's financial statements and internal control over financial reporting and, if so, how they will affect the auditor's procedures:
Knowledge of the company's internal control over financial reporting obtained during other engagements performed by the auditor;
Matters affecting the industry in which the company operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes;
Matters relating to the company's business, including its organization, operating characteristics, and capital structure;
The extent of recent changes, if any, in the company, its operations, or its internal control over financial reporting;
The auditor's preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses;
Control deficiencies previously communicated to the audit committee or management;
Legal or regulatory matters of which the company is aware;
The type and extent of available evidence related to the effectiveness of the company's internal control over financial reporting;
Preliminary judgments about the effectiveness of internal control over financial reporting;
Public information about the company relevant to the evaluation of the likelihood of material financial statement misstatements and the effectiveness of the company's internal control over financial reporting;
Knowledge about risks related to the company evaluated as part of the auditor's client acceptance and retention evaluation; and
The relative complexity of the company's operations.
Risk assessment underlies the entire audit process described by this standard, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control.
A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal control over financial reporting and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. The auditor should focus more of his or her attention on the areas of highest risk. On the other hand, it is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
The complexity of the organization, business unit, or process, will play an important role in the auditor's risk assessment and the determination of the necessary procedures.
For purposes of the audit of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the auditor also may use this work to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of the financial statements.
The auditor should assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may use their work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. The auditor should apply the principles underlying those paragraphs to assess the competence and objectivity of persons other than internal auditors whose work the auditor plans to use.
For purposes of using the work of others, competence means the attainment and maintenance of a level of understanding and knowledge that enables that person to perform ably the tasks assigned to them, and objectivity means the ability to perform those tasks impartially and with intellectual honesty. To assess competence, the auditor should evaluate factors about the person's qualifications and ability to perform the work the auditor plans to use. To assess objectivity, the auditor should evaluate whether factors are present that either inhibit or promote a person's ability to perform with the necessary degree of objectivity the work the auditor plans to use.
The auditor should not use the work of persons who have a low degree of objectivity, regardless of their level of competence. Likewise, the auditor should not use the work of persons who have a low level of competence regardless of their degree of objectivity. Personnel whose core function is to serve as a testing or compliance authority at the company, such as internal auditors, normally are expected to have greater competence and objectivity in performing the type of work that will be useful to the auditor.
The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases. In planning the audit of internal control over financial reporting, the auditor should use the same materiality considerations he or she would use in planning the audit of the company's annual financial statements.
Auditing standards such as ISA 315 and 330 require that planned auditor effort be in response to the auditor's assessment of client risks. Furthermore, the country may indirectly impact audit planning decisions by moderating the relationship between the auditor's client risk assessments and planned auditor effort. For example, an auditor in a more litigious environment might respond by planning for more hours at higher client risk assessments. Alternatively, an auditor of a private sector client could place more weight on certain risks (e.g. solvency risk) compared to an auditor of a public sector client (e.g. a government department that receives a guaranteed parliamentary appropriation).
Furthermore, implementing and applying this standard in practice was a great challenge for many firms, since they had difficulty linking their internal control work to the substantive procedures and other aspects of the engagement, finding sufficient benefit to justify the increased audit costs that result from the stricter standard, and determining how to evaluate the effectiveness of internal control design.