OUR LADY OF THE PILLAR COLLEGE CAUAYAN

COLLEGE OF ACCOUNTANCY
OPERATIONS AUDITING

MODULE 3D:
RISK ASSESSMENT IN AUDIT PLANNING- Building risk-based strategic and
annual plans
By this stage the auditor should have a good understanding of risks that may impact the organization. But how
important are these risks in relation to different elements of the audit universe? And how these risks can be
reflected in the audit strategy and annual work plan?

The objective of this stage of the process is to determine what needs to be audited from within the audit universe.
To identify the building blocks for the audit strategy in terms of the types and cycles of audits that need to be
undertaken. This is why this process is also referred to as an “audit needs assessment”.

Because there is likely to be a high number of possible audit objects and a large number of risks, most auditors use
a set of generic “risk factors” to review the importance of each element of the audit universe to determine the
priority that should be attached to each auditable object. While the term risk factors is used these could also be
described as selection factors, because the purpose of this stage of the process is to select the most appropriate
audits to undertake

Identifying risk factors

Most organizations use between five and eight risk factors. The most commonly used risk factors, with explanatory
comments as to why they are important, are:

Financial materiality. The volume of financial activity covered by an auditable object is a key risk factor. High-risk
audit objects that use a very small part of the budget may be of less priority for audit than medium risk audit objects
that deal with 50% of the budget.

Complexity of activities. Complex activities are more difficult to do well and therefore more likely to not achieve
their objectives e.g. construction projects often cost more than planned and take longer to complete than
expected.

Control environment. The control environment is sometimes referred to as the “tone at the top”. A strong control
environment is less susceptible to fraud and error. In a strong control environment there are: clear objectives,
organizational roles & responsibilities, clear ethical standards of behaviour, strong governance arrangements, and
effective people management policies and practices. A weak control environment is more susceptible to fraud an
error.

Reputational sensitivity. Some areas will have a higher media profile where problems can generate a high level of
risk to the reputation of the organization as a whole.

Inherent risk. Areas of high inherent risk will require effective control processes to reduce the risk involved. Such
important controls should be reviewed more regularly by IA.

Extent of change. Change is known to generate increased risk. For example: high turnover of staff is likely to reduce
the effectiveness of controls as staff are less experience; reorganization of functions or change of leadership/key
managers can also generate uncertainty for staff which limits their effectiveness.

Confidence in management. Good managers usually solve problems more efficiently and achieve better results
than poor managers and more experienced managers are more likely to be able to identify and deal with risks.
Remote units that are managed by lower grade staff may be of higher risk.

Fraud potential. Some systems and functions are more prone to fraud and corruption. For example, high levels of
cash receipts and delegated responsibility to impose fines.

Political sensitivity. Some subjects are may be more political sensitive than others and therefore of attract higher
interest from stake-holders.

1|Page
 OUR LADY OF THE PILLAR COLLEGE CAUAYAN
COLLEGE OF ACCOUNTANCY
OPERATIONS AUDITING

Time since last audit. There is a deterrence factor in every audit. Even auditable objects with low risk should be
audited from time to time. And those which have not been audited for a number of years may become high risk.

Develop criteria to assess the importance of each risk factor

Having identified a number of risk factors it is common practice to develop a set of criteria than can be used to
score and therefore rank the relative need to audit each of the possible audit objects within the audit universe.
Developing criteria can be relatively simple or quite complex. But many factors will use some degree of judgement
so it may be easier to define only the lowest or highest score and leave the rest to judgement. The example below
provides possible criteria for four common risk factors three of which are judgemental in nature (control
environment/vulnerability, sensitivity and management concerns).

2|Page
 OUR LADY OF THE PILLAR COLLEGE CAUAYAN
COLLEGE OF ACCOUNTANCY
OPERATIONS AUDITING

Consider adding a weighting to each risk factor to produce a risk index

Not all risk factors will be equally important. Many IA units therefore use some process of weighting risk factors to
give a higher score to those factors considered most important (for example materiality or management concerns).
Having added a weighting factor, which could be developed in a workshop with management, the score for risk
factors and weighting score need to be multiplied to produce a numeric risk index. The risk index can then be used
to identify audit objects with very high, high, medium and low priority. The following example shows how this
would apply in the example shown for risk factors.

All risk-scoring systems by definition produce exact numbers. This can add a false level of accuracy to the
assessment process. It is important to recognise that many risk factors are judgemental and are not based on
absolute values. A major exception is materiality, which is also one factor that will usually be highly weighted. (Note:
There are many ways of determining materiality but the simplest models usually use a percentage of total
expenditure or income.)

3|Page