Risk Based Audit Approach

The document outlines a Risk-Based Audit Approach, detailing the identification and assessment of various risks including inherent, control, and detection risks. It emphasizes the importance of risk management as part of internal control systems and provides a framework for audit planning, including categorizing the audit universe and assessing risks. Key definitions, risk factors, and the relationship between audit risk and various types of risks are also discussed.

Uploaded by

Challa Abdissa

RISK BASED AUDIT APPROACH
S M Soral Retd. SAO
9785475137
Contents
• Risk Based Audit Approach
• Identification and Assessment of various risks
• Inherent Risk, Control Risk and Detection risk
• Risk Model:
WHAT IS RISK?
• Risk is the possibility that an event will occur and adversely affect
the achievement of objectives
KEY DEFINITIONS
• Event: an incident or occurrence, from sources internal or
external to an organization, which may affect the
achievement of objectives.
• Opportunity: the possibility that an event will occur and
positively affect the achievement of objectives.
RISK MANAGEMENT V/S RISK ASSESSMENT
• Risk management is an integral part of the internal control system and
is the responsibility of management.
• Audit risk assessment is part of planning and a process where
the auditor considers both individual risks and generic risk factors.
THE BASIC CONCEPTUAL FRAMEWORK FOR RISK BASED AUDIT PLANNING
• 1. Determining and categorizing the audit universe.
• 2. Identifying individual events that may give rise to risks and
opportunities across the audit universe.
• 3. Scoring events in terms of probability and impact (taking into account
management actions to mitigate risk) to identify the level of residual risk.
• 4. Building risk-based audit plans by using generic risk factors and
scoring criteria for each factor to determine the audit priority of all audit
objects within the audit universe.
• 5. Presenting the results of risk-based planning by writing and updating
strategic and annual work plans.
DETERMINING AND CATEGORIZING THE AUDIT UNIVERSE
• What is the “audit universe”?
• The phrase “audit universe” is a simple way of referring to
the totality of all things that an internal auditor could
separately examine.
• The universe consists of the totality of “auditable objects”, which
is a way of identifying and describing discrete parts of the
business, system or process that can be separately audited.
Auditable objects need to be large enough to justify an audit and
small enough to be manageable.
POSSIBLE INFORMATION SOURCES FOR CATEGORIZING
• Management information giving a breakdown of goals, objectives and
targets;
• Guides to the organization services;
• Organizational charts or office directory;
• Annual reports and any performance targets for the organization;
• Corporate and department plans, business plans;
• Development plans for IIT, other infrastructure and buildings budget;
• External audit and consultancy, inspection and review reports;
• Existing operational and strategic audit plans.
IDENTIFY INDIVIDUAL RISKS
• The events that may give rise to risks should be identified.
• The events that give rise to opportunities across the audit
universe should also be identified.
IDENTIFYING RISKS AND ASSESSING THEIR
IMPACT AND PROBABILITY [SCORING]
Criteria for assessing impact
• Financial impact.
• Impact on reputation.
• Regulatory impact.
• Impact on mission/achievement of objectives/operations.
• Impact on people.
BUILDING RISK-BASED STRATEGIC AND ANNUAL PLANS
• The objective of this stage of the process is to determine what
needs to be audited from within the audit universe, and to identify the
building blocks for the audit strategy in terms of the types and
cycles of audits that need to be undertaken. This is why this
process is also referred to as an “audit needs assessment”.
PRESENTING RISK BASED PLANNING
• The result of risk based planning can be presented in writing.
• This may update strategic and annual work plans.
IDENTIFYING RISK FACTORS
The most commonly used risk factors:
• Financial materiality.
• Complexity of activities.
• Control environment.
• Reputational sensitivity.
• Inherent risk.
• Extent of change.
• Confidence in management.
• Fraud potential.
• Political sensitivity.
• Time since last audit.
WRITING AND UPDATING STRATEGIC AND ANNUAL PLANS
• The purpose of the strategic plan is to document the
judgments made about “audit needs” – the internal
auditor’s judgment of the systems, activities and
programs that should be subject to audit to provide
reasonable assurance to management about risks and the
effectiveness of internal control.
IT MUST CONTAIN…..
• Clearly expressed objectives and performance
indicators
• The methodology
• How to address areas?
• The resources required and available
• An internal risk assessment
• Plans for the coordination
• The approach for following up
• The higher or longer-term goals
TYPES OF RISKS
• Key risks
• Residual risks
• Inherent risks
• Control risks
• Detection risks
KEY AND RESIDUAL
• Key risks are those risks that, if properly managed,
will make the organization successful in the
achievement of its objectives or, if not well managed,
will prevent the organization from achieving its objectives.
• Residual risk is the level of risk after taking into
account risk mitigation actions such as control
activities.
AUDIT RISK
• Audit Risk is the risk that an auditor expresses an inappropriate opinion on
the financial statements.
• Examples of inappropriate audit opinion include the following:
• 1. issuing an unqualified audit report where a qualification is reasonably
justified;
• 2. issuing a qualified audit opinion where no qualification is necessary;
• 3. failing to emphasize a significant matter in the audit report;
• 4. providing an opinion on financial statements where no such opinion may be
reasonably given due to significant limitation of scope in the performance of
the audit.
AUDIT RISK (contd..)
• Audit risk may be considered as the product of the various
risks which may be encountered in the performance of the
audit. In order to keep the overall audit risk of
engagements below an acceptable limit, the auditor must
assess the level of risk pertaining to each component of
audit risk.
• Audit Risk = Inherent Risk × Control Risk × Detection Risk
• AR = IR × CR × DR
INHERENT RISK
• Inherent Risk is the risk of a material misstatement in the financial
statements arising due to error or omission as a result of factors other
than the failure of controls.
• Inherent risk is generally considered to be higher where a high degree of
judgement and estimation is involved or where transactions of the entity are
highly complex.
CONTROL RISK
• Control Risk is the risk of a material misstatement in the financial statements
arising due to absence or failure in the operation of relevant controls of the
entity.
• Organizations must have adequate internal controls in place to prevent and
detect instances of fraud and error.
• Assessment of control risk may be higher, for example, in the case of a small
entity in which segregation of duties is not well defined and the financial
statements are prepared by individuals who do not have the necessary
technical knowledge of accounting and finance.
DETECTION RISK
• Detection Risk is the risk that the auditors fail to detect a material
misstatement in the financial statements.
• An auditor must apply audit procedures to detect material
misstatements in the financial statements, whether due to fraud or error.
Misapplication or omission of critical audit procedures may result in a
material misstatement remaining undetected by the auditor. Some
detection risk is always present due to the inherent limitations of the
audit, such as the use of sampling for the selection of transactions.
ASSESSMENT
• Assessing inherent risk: factors to consider, such as the
economy, the industry and previously known misstatements;
level of inherent risk for each audit area.
• Assessing control risk: Segregation of duties, Adequate
documents and records, Physical control of assets and records,
• Assessing detection risk: Misapplying an audit procedure,
Misinterpreting audit results, Selecting the wrong audit testing
method.
