
Assessment of Audit Risk

The document discusses risk-based auditing and audit risk assessment. It explains that in a risk-based audit, auditors identify risks in the client's business operations and assess their potential impacts on the financial statements. This helps auditors plan audit procedures to minimize audit risk. There are three types of audit risk - inherent risk from the client's business, control risk if internal controls fail, and detection risk if misstatements go undetected. Auditors assess overall risk of material misstatement and design procedures to appropriately address different risk levels.

Uploaded by

Ali Khan

ASSESSMENT OF AUDIT RISK

Risk-Based Approach in Audit

The risk-based approach is the technique that auditors use in performing the
audit, in which they focus on analyzing and managing different types of risks that
could lead to material misstatement.

Using this approach, auditors need to perform a risk assessment of material
misstatement in the financial statements based on their understanding of the
client’s business and control environment.

This is also known as the “top-down” approach to identifying risks, in which “top”
refers to the client’s day-to-day operations and “down” refers to the client’s
financial statements.

Once auditors have identified and assessed the risks of material misstatement in
financial statements, they can plan the audit procedures to respond to the assessed
risks so that they can minimize their audit risk to an acceptably low level.

In short, in a risk-based audit approach auditors need to:

• Identify key risks in day-to-day business operations
• Assess the impacts that those risks can have on financial statements
• Plan audit procedures according to the assessed risks

3 Types of Audit Risk

Audit risk is the risk that auditors give a clean opinion on financial
statements that contain material misstatement. There are three types of audit risk
that lead to auditors providing an inappropriate opinion.

These three types of audit risk include:

• Inherent risk
• Control risk
• Detection risk

1. Inherent Risk

Inherent risk is the risk that financial statements contain material misstatement
before consideration of any related controls. This is the first type of audit risk, as
it arises before any internal control is put in place and already exists before any
audit work is performed.

Inherent risk is the susceptibility of a transaction or account balance to
misstatement. It comes with the business’s transactions and its environment.

Among the three types of audit risk, inherent risk comes directly from the nature
of the business itself. For example, if the business is in a high-risk area, the level
of inherent risk is also high.

For example, a company in the financial services sector that provides derivative
products is inherently riskier than a trading company that does not provide such
products. This is because a derivative is a type of financial instrument that is
generally considered complex in the accounting field.

2. Control Risk

Control risk is the risk that internal control fails to prevent or detect material
misstatements in the financial statements. Among the three types of audit risk,
control risk is in the middle, as controls are usually put in place to reduce the
chance of error or fraud that is inherent in the business and its environment.

In this case, once auditors have assessed that the inherent risk is high, the level of
risk of material misstatement can only be reduced if the control risk is low. On the
other hand, if both inherent and control risks are high, auditors can only lower
detection risk to have an acceptable audit risk.

For example, if a restaurant allows its cashier both to receive cash from
customers and to record it in the accounting system, there is a risk that the
cashier forgets to record a transaction or records an incorrect amount, which
leads to misstatement. This means that the control risk is high.

3. Detection Risk

Detection risk is the risk that auditors fail to detect a material misstatement that
exists in the financial statements. This type of audit risk occurs when the audit
procedures performed by the audit team fail to locate an existing material
misstatement.

Detection risk could occur due to many factors such as:

• Improper audit planning
• Inappropriate audit procedures
• Improper allocation of staff based on their skills and experience
• Improper monitoring and supervision of work
• Improper documentation and handling of problems that arise
• Not performing regular reviews, neither hot review nor cold review
• Staff not competent enough to perform the tasks
• Lack of professional skepticism when performing the audit work

Audit Risk = Inherent Risk * Control Risk * Detection Risk

AUDIT RISK ASSESSMENT

Audit risk assessment is the process that we perform in the planning stage of
the audit. As auditors, we perform audit risk assessment by identifying the risks of
material misstatement and responding to such risks with suitable procedures.

1. Risk of Material Misstatement

Risk of material misstatement is the risk that financial statements contain material
misstatement but the internal control cannot prevent or detect such misstatement.
In an audit, it is the combination of inherent risk and control risk.

Likewise, the risk of material misstatement has a great effect on the overall audit
strategy that auditors form in the audit. That includes the allocation of resources
and the direction of an entire audit process.

Auditors have the responsibility to design suitable audit procedures that can
appropriately respond to the assessed risk of material misstatement. In this case,
the level of detection risk as well as the amount of audit work that auditors need
to perform will depend on the level of risk of material misstatement.

Audit Risk Assessment Procedures

Identify Risk of Material Misstatement

Respond to Risk of Material Misstatement

INTERNAL CONTROLS

Definition and purposes of internal control

The Turnbull Report, first published in 1999, defined internal control and its
scope as follows:

‘The policies, processes, tasks, behaviors and other aspects of an organization
that taken together:

• Facilitate effective operation by enabling it to respond in an appropriate
manner to significant business, operational, financial, compliance and other risks to
achieve its objectives. This includes safeguarding of assets and ensuring that
liabilities are identified and managed.

• Ensure the quality of internal and external reporting, which in turn requires the
maintenance of proper records and processes that generate a flow of timely,
relevant and reliable information from both internal and external sources.

• Ensure compliance with applicable laws and regulations and also with internal
policies.’

Objectives of internal control

Internal control should have the following objectives:

1. Efficient conduct of business:
Controls should be in place to ensure that processes flow smoothly and operations
are free from disruptions. This mitigates the risk of inefficiencies and
threats to the creation of value in the organization.

2. Safeguarding assets:
Controls should be in place to ensure that assets are deployed for their proper
purposes, and are not vulnerable to misuse or theft. A comprehensive approach to
this objective should consider all assets, including both tangible and intangible
assets.

3. Preventing and detecting fraud and other unlawful acts:
Even small businesses with simple organization structures may fall victim to these
violations, but as organizations increase in size and complexity, the nature of
fraudulent practices becomes more diverse, and controls must be capable of
addressing these.

4. Completeness and accuracy of financial records:
An organization cannot produce accurate financial statements if its financial
records are unreliable. Systems should be capable of recording transactions so that
the nature of business transacted is properly reflected in the financial accounts.

5. Timely preparation of financial statements:
Organizations should be able to fulfill their legal obligations to submit their
accounts accurately and on time. They also have a duty to their shareholders to
produce meaningful statements. Internal controls may also be applied to
management accounting processes, which are necessary for effective strategic
planning, decision making and monitoring of organizational performance.

Responsibilities for internal control

In many smaller, unincorporated businesses such as sole traders and
unlimited partnerships, the responsibility for internal controls often lies with the
owners themselves. In most cases, the owners are fully engaged in the business
itself, and if employees are engaged, it is usually within the capability of the
owners to remain fully aware of transactions and the overall state of the business.

Generic control categories

Controls can be categorized in many different ways. Internal controls can be:

1. Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of
circumstances. These are widely used to prevent breaches of laws or policy, as
well as to minimize risks relating to health and safety. Voluntary controls are
applied according to the judgment of the organization and its managers.

2. Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or
judgment of risks in given circumstances. Non-discretionary controls must be
applied.

3. Manual or automated:
Manual controls are applied by the individual employee whereas automated
controls are programmed into the systems of the organization. Some systems
combine the two: for example, when deciding on whether a customer should be
permitted days on hand for payment, there could be an automated ‘accept’ above a
specified credit rating or ‘decline’ below a specified credit rating, and an
intermediate range in which a manager may be able to override the automated
system.

4. General controls or application controls:
This classification of controls applies specifically to information systems. General
controls help to ensure the reliability of data generated by systems, helping to
ascertain whether systems operate as intended and output is reliable. Application
controls are automated and designed to ensure the complete and accurate recording
of data from input to output.

Common control procedures

1. Physical controls:
These controls include restrictions on access to buildings, specified office or
factory areas or equipment, such as turnstiles at the entrance to the premises, swipe
cards and passwords. They also include physical restraints, such as fixing
non-current assets to prevent removal.

2. Authorization and approval limits:
Many employees must adhere to authorization limits, and these will usually be
specified in the terms of employment. For example, a junior manager may be
permitted to book business flights up to the value of $500, but for tickets costing
more than this, the purchase may have to be approved by someone more senior.

3. Segregation of duties:
To minimize the risk of errors and fraud, duties associated with cash handling are
often segregated. For example, in the post room of a company that receives cash
by post, the employee recording the cash will be a different person from the one who
opens the post. Segregation is also relevant to other functions. At executive level, it
is now best practice to segregate the roles of chairman and chief executive officer,
and as an independent assurance function, internal audit should be totally
segregated from the finance department, with a reporting line direct to the board of
directors or the audit committee.

4. Management controls:
These controls are operated by managers themselves. An example is variance
analysis, through which a manager may be required as part of their job to consider
differences between planned outcomes and actual performance. Performance
management of subordinates is also an integral part of many managerial positions.
Further down the chain of command, supervision controls are exercised in respect
of day-to-day transactions. Organization controls operate according to the
configuration of the organization chart and line/staff responsibilities.

5. Arithmetic and accounting controls:
These controls are in place to ensure accurate recording and processing of
transactions. Procedures here include reconciliations and trial balances.

6. Human resources controls:
Controls are implemented for all aspects of human resources management.
Examples include qualifications verification, references and criminal record checks
on recruits, checks on staff who have to be attested for competence and training
effectiveness.
