Group 10 presentation: Risk-based auditing approach
For example, the auditor would use data analytics to look for patterns or anomalies in the
organization's financial data. The auditor might, for instance, look for unusual spikes in sales or
expense transactions, or for unusual suppliers or customers. If any suspicious transactions are
identified, the auditor would then investigate further to determine whether fraud has occurred.
This type of audit can be more efficient and effective than traditional auditing methods,
because it focuses on the areas of greatest risk.
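As an added illustration of the data-analytics step described above (this code is not from the original presentation), the following screens a constructed expense ledger for monthly spikes and one-off suppliers; the ledger values, thresholds and function names are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample ledger: (month, account, supplier, amount). Values are made up.
LEDGER = [
    ("2023-01", "expense", "Acme Supplies", 4200.0),
    ("2023-02", "expense", "Acme Supplies", 4350.0),
    ("2023-03", "expense", "Acme Supplies", 4100.0),
    ("2023-04", "expense", "Acme Supplies", 4300.0),
    ("2023-05", "expense", "Acme Supplies", 4250.0),
    ("2023-06", "expense", "Acme Supplies", 4400.0),
    ("2023-06", "expense", "Zeta Consulting Ltd", 18900.0),  # one-off, unusually large
    ("2023-07", "expense", "Acme Supplies", 4150.0),
]


def monthly_totals(ledger, account):
    """Sum amounts per month for one account (e.g. all expense postings)."""
    totals = defaultdict(float)
    for month, acct, _supplier, amount in ledger:
        if acct == account:
            totals[month] += amount
    return dict(totals)


def spike_months(totals, k=3.0):
    """Flag months whose total exceeds median + k * MAD.

    Median and MAD are used instead of mean and standard deviation so that
    the spike being searched for does not inflate the baseline it is compared to.
    """
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # flat series: avoid division by zero
    return sorted(m for m, v in totals.items() if (v - med) / mad > k)


def rare_suppliers(ledger, account, min_occurrences=2, min_amount=0.0):
    """Flag suppliers seen fewer than min_occurrences times whose total is at least min_amount."""
    counts = defaultdict(int)
    sums = defaultdict(float)
    for _month, acct, supplier, amount in ledger:
        if acct == account:
            counts[supplier] += 1
            sums[supplier] += amount
    return sorted(s for s in counts if counts[s] < min_occurrences and sums[s] >= min_amount)


def screen_ledger(ledger, account="expense"):
    """Return the items an auditor would investigate further, not a fraud verdict."""
    totals = monthly_totals(ledger, account)
    return {
        "spike_months": spike_months(totals),
        "rare_suppliers": rare_suppliers(ledger, account, min_amount=5000.0),
    }
```

Every flagged item is a lead for the follow-up investigation the text describes, not evidence of fraud on its own.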
In using this approach, the auditor will therefore probably cover a broad range of issues that
confront management.
The risk-based audit demands that you understand the strategies, goals, and objectives of the
company. As an auditor, you or the audit committee must have deep knowledge about the
business, such as its strengths, weaknesses, and challenges, so that the auditors can focus on
the most crucial risk areas.
ISA 315, Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and its Environment (Redrafted), compels auditors to adopt a risk-
based approach to audits. In so doing, it requires auditors to make risk assessments of
material misstatements at the financial statement and assertion levels, based on an appropriate
understanding of the entity and its environment, including internal controls.
A thorough understanding of risk, both global and specific to a business process, allows the
internal auditor to focus on an area's risk factors.
As an auditor, you should work closely with senior management to align business
strategy and risks with your auditing and monitoring plan. Management can then help
auditors conduct risk assessments more accurately for the various business areas.
One of the vital factors that makes risk-based auditing different from the traditional approach
is the involvement of management. The audit team knows the business risks better than
anybody else and, with this knowledge, can develop an effective auditing system that suits
every business area.
The purpose of the preliminary risk assessment is to determine the level of risk and adequacy
of controls in the various functional processes of a business unit. The assessment focuses on
the business profile, management structure, organizational changes, and specific concerns of
management and the audit committee to determine the areas of greatest risk. It also serves to
aid the internal auditor in evaluating the control design to determine the desired audit scope.
Because the auditor is required to focus on the entity and its environment when making risk
assessments, this is known as the 'top down' approach to identifying risks. The word 'top'
refers to the day-to-day operations of the entity and the environment in which it operates;
'down' refers to the financial statements of the entity.
The risk assessment determines how well each function's control design mitigates inherent
risk. At the conclusion of this assessment, the internal auditor evaluates the results and
assigns a low, moderate, or high risk rating to each individual business process.
Based on the preliminary risk assessment that places the auditable business processes within
a risk matrix based on low to high risk, a three-year audit plan is established. With certain
adjustments based on management and audit committee input or regulatory requirements, low
risk areas would be audited every three years, moderate risk areas audited every other year,
and high-risk areas audited every year.
The three-year audit plan should be revisited each year during the update phase of the risk
assessment process, and adjustments should be made based on new or changed risk factors.
This methodology gives the internal auditor flexibility in a changing risk environment.
Risk appetite describes how much risk exposure your company is willing to accept. Risk tolerance
refers to the degree to which your company is prepared to deviate from that risk appetite.
Through in-depth interviews, walk-throughs and other observations, the internal auditor
determines if the controls established by management in the control design are in fact
operating as designed. The secondary risk assessment allows the internal auditor to more
accurately tailor the audit approach to current risks by providing for alteration of the audit
plan.
Once the audit plan is finalized, the audit fieldwork can begin. The audit process is guided by
a standard audit program, which establishes which audit procedures should be performed
depending on the risk assessment level.
During audit fieldwork and prior to the exit meeting, all potential audit issues should be fully
discussed with operating personnel and line management. This "exiting as you go" process
serves three valuable purposes. Firstly, it allows the internal auditor to ensure the facts are
accurate, which prevents unnecessary audit work and strengthens the internal auditor's
credibility. Secondly, operating personnel and line management can begin correcting
problems, which positively demonstrates to senior management their ability to address
issues. Lastly, if there are disagreements about items other than facts, such as the overall risk or
the recommended solution, the internal auditor is aware of them before the formal exit and can react
accordingly.
A draft report is issued to operating management to solicit corrective action plans. The draft
report should include findings and recommendations ranked as high, moderate, or low risk.
High risk indicates that management should immediately remedy the situation to prevent
significant risk of loss; moderate risk indicates that timely remedy by management is
suggested; and low risk indicates that the item does not appear to represent an immediate risk
but improvements are still possible.
A final report is issued that includes the internal auditor's findings and recommendations, as
well as management's action plans, which should document the specific actions to address the
findings, management's assignment of who is responsible for each plan, and the date by which
the actions should be concluded.
The internal auditor will periodically provide a monitoring report that management and the
audit committee can utilize to track critical internal audit findings, follow up on the results,
and review at a glance the effectiveness of risk management and the resolution of all
significant findings.
SUCCESSES
1. Consistency: With a consistent and extensive approach, an organization can easily adjust
to changing situations. Modifying the audit schedule according to the risk framework helps
you change techniques quickly based on the business objectives.
2. Clarity: A risk-based audit approach helps auditors detect risks correctly and enables
management to put suitable internal controls in place for optimum performance, resulting
in a better understanding of the risks and allowing the organization to manage them better.
3. Accuracy: Grading and aligning the risks with the risk-based audit approach allows the
auditor to allocate business activity and funds to the critical areas requiring the most attention,
developing a unique risk management audit schedule rather than depending on external plans
and suggestions.
4. Efficient use of resources: the approach allows auditors to focus on high-risk areas, leading to better
resource allocation, and auditors can recommend process changes that reduce the likelihood of
errors and enhance operational efficiency.
5. Improved risk management: organisations can strengthen their risk management
practices and reduce the likelihood of future problems.
6. Increased confidence: stakeholders receive greater assurance that risks are being
properly managed, that the organisation is aware of its regulatory obligations, and that it takes the necessary
actions to comply with the requirements.
7. Fraud detection: RBA can help auditors detect and prevent fraud within an
organization. By focusing on areas with a higher risk of fraud, such as revenue recognition or
procurement, auditors can identify control weaknesses and implement measures to mitigate
the risk of fraud.
8. Cost saving: by identifying and addressing risks early, organisations can potentially avoid
costly incidents or mitigate their impact.
An example of RBA success: in 2008, HSBC implemented an RBA approach to auditing its
global operations. As a result of this initiative, HSBC was able to reduce the number of audit
hours required by 20%, while still maintaining the quality of its audit work.
FAILURES
1. Inaccurate risk assessment: if the risk assessment is not conducted effectively or is based
on incomplete or inaccurate information, the RBA approach may lead to misallocation of
audit resources. Auditors may prioritize low-risk areas or miss high-risk areas, compromising
the effectiveness of the audit.
2. Lack of understanding and support from management and staff: RBA requires
collaboration among audit teams, management, and other stakeholders. If there is a lack of
cooperation or communication between these parties, the RBA approach may fail to achieve
its objectives. It is essential to involve all relevant stakeholders in the risk assessment and
audit planning process.
3. Overemphasis on high-risk areas: this may result in neglecting lower-risk areas that still require
attention.
4. Ineffective audit planning: this can result in insufficient coverage of high-risk areas, leading to a
failure to identify material misstatements or control weaknesses. Auditors need to ensure
that the audit plan is comprehensive and addresses the organization's significant risk areas.
According to the Reserve Bank of Zimbabwe (2021), the risk-based approach is said to be the most
effective way to combat money laundering. According to Financial Action Task Force (FATF)
guidance published in October 2014, 'RBA to anti-money laundering/combating the financing of
terrorism means that countries, competent authorities and financial institutions are expected
to recognise or identify, assess and understand the risks to which they are exposed and take
anti-money laundering measures commensurate to those risks in order to mitigate them
effectively.' The RBZ, through its National Payment Systems, issued an Anti-Money Laundering
Risk-Based Oversight and Supervision Guideline to ensure that the payment service providers
and financial institutions that fall under its regulation comply with anti-money laundering
frameworks that are commensurate with their size, complexity and risk profile.
CONCLUSION
REFERENCES
ISA 315, Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and its Environment.
McNamee, D. (1997, August). Internal Auditor, Vol. 54, Issue 4. Institute of Internal Auditors,
Inc.