Definition and Meaning of Risk-Based Auditing: Chapter One: Introduction and Over-All View
Risk-based audit is a methodology which is primarily focused on the inherent risk involved in
the activities or system and provides assurance that risk is being managed by the management
within the defined risk appetite level.
Risk based auditing in its simplest form is a relatively new way of independently and objectively
obtaining evidence regarding assertions about a process for the purpose of forming an opinion
about the process and subsequently reporting on the degree to which the assertions are
implemented. Auditors literally start the audit process by equipping themselves with knowledge
of the nature of the business of the entity and its business environment. Auditors arm themselves
with sufficient information about a business and its environment so as to assess risk
before making a decision of either performing a compliance test or a substantive test.
Compliance test: this is simply an act of gathering evidence for the purpose of testing an
organization’s compliance with control procedures and processes in relation to external rules,
legal requirements, and regulations. Compliance gives the auditor an insight into the level of
compliance with policies and procedures by the management. The aim of a compliance test is to
give the auditor reasonable assurance that the internal control structure which the auditor plans to
rely on is in fact operating as the auditor had already perceived it to be from the preliminary
stage of the audit process.
Substantive test: this is the process of gathering evidence in order to evaluate the integrity of
individual transactions, processes, data, and other information. This is to say that a substantive
test lives up to its name by substantiating the integrity of actual processing. For example,
auditors, through substantive tests, gather evidence regarding the validity and integrity of the
balances found in the financial statements of a company and the balances that support them.
Auditors perform substantive tests when control testing (compliance test) indicates that there is no
control or that the controls are weak. Make sure you take home the difference between
compliance and substantive testing.
The sole aim of this comprehensive process is to ensure that company objectives are met. Risk-
based approach is used to develop and continually improve the continuous audit process. It is
worth stressing that the risk-based approach to auditing helps auditors determine, in an efficient
manner, the nature and extent of auditing that needs to be done. In business valuation, this process
is similar to the fundamental analysis process that an equity analyst performs in order to help him
or her come up with an intrinsic value of a company.
Key Points!
Risk-based audits are becoming more popular
The risk-based audit can help the auditor to determine the nature and extent of needed
testing
Within risk-based auditing, inherent risk, control risk, or detection risk should not be a
major concern
Auditors don’t rely just on risk; they also should rely on the internal and operational
controls as well as their knowledge of the company’s operations. This type of assessment
can help later in the cost-benefit analysis of the control against the known risk.
Business risks should include the probable effects of an uncertain event. The nature of the risk
may be (1) financial, (2) regulatory, (3) operational, or (4) risks from technology.
This is defined as the risk that information may contain a material error that may go undetected
during the audit
Inherent risk: The risk that an error exists that can be material or significant when
combined with other errors during the course of the audit
Control risk: A risk that a material error may exist and may not be prevented or detected
in a timely manner by the internal control system
Detection risk: The risk that the auditor is using inadequate test procedures
Overall audit risk: A combination of the above categories used in the audit to assess each
specific control
Audit risk can describe the level of risk an auditor is prepared to accept during an audit
engagement
In fact, the auditor might set a target level of risk and adjust the amount of detailed work
to minimize this risk
Material – refers to an error that should be considered significant to any party concerned
with the audit
Materiality is a matter of professional judgement that should include a consideration of
the effect on the organization being audited
Auditors should have a good understanding of the audit risks when planning the audit.
There is certainly a possibility that an audit sample may not detect every potential error in
the sample population
Using proper statistical sampling, or a strong quality control process, can reduce the amount
of audit risk
The materiality of audit risk could come about from not detecting a minor error
Of course one minor error by itself may not be enough, but when combined with many
other minor errors, can cascade into a larger problem
Materiality should be considered in terms of the total potential impact to an organization
that could be realized through a series of minor errors
The fact that risk-based auditing encourages auditors to have integrated knowledge of businesses
makes the whole process of auditing less daunting than it used to be. By understanding the
fundamentals of the business models of a company, auditors can easily identify and categorise
risks which will in turn help better determine the risk model or approach that would be most
suitable for the audit. Other benefits of following the risk based approach of auditing are listed
below:
[Figure: Inherent Risk and Residual Risk plotted against Probability and Impact (axes labelled up to High)]
SCOPE
This Philippine Standard on Auditing (PSA) deals with the auditor’s responsibility to identify
and assess the risks of material misstatement in the financial statements, through understanding
the entity and its environment, including the entity’s internal control.
OBJECTIVE
The objective of the auditor is to identify and assess the risks of material misstatement, whether
due to fraud or error, at the financial statement and assertion levels, through understanding the
entity and its environment, including the entity’s internal control, thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement.
DEFINITIONS
Assertions - Representations by management, explicit or otherwise, that are embodied in
the financial statements, as used by the auditor to consider the different types of potential
misstatements that may occur.
Internal Control - The process designed, implemented and maintained by those charged
with governance, management and other personnel to provide reasonable assurance about
the achievement of an entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or more of the components
of internal control.
Significant Risk - An identified and assessed risk of material misstatement that, in the
auditor’s judgment, requires special audit consideration.
The auditor shall perform risk assessment procedures to provide a basis for the identification and
assessment of risks of material misstatement at the financial statement and assertion levels. Risk
assessment procedures by themselves, however, do not provide sufficient appropriate audit
evidence on which to base the audit opinion.
(a) Inquiries of management, and of others within the entity who in the auditor’s
judgment may have information that is likely to assist (relevant) in identifying risks of
material misstatement due to fraud or error.
a) Relevant industry, regulatory, and other external factors including the applicable financial
reporting framework.
b) The nature of the entity (its operations, ownership and governance structures, types of
investments that the entity is making and plans to make, the way that the entity is
structured and how it is financed, to enable the auditor to understand the classes of
transactions, account balances, and disclosures to be expected in the financial statements)
c) The entity’s selection and application of accounting policies, including the reasons for
changes thereto. The auditor shall evaluate whether the entity’s accounting policies are
appropriate for its business and consistent with the applicable financial reporting
framework and accounting policies used in the relevant industry.
d) The entity’s objectives and strategies, and those related business risks that may result in
risks of material misstatement.
If the entity has established such a process (referred to hereafter as the ‘entity’s risk
assessment process’), the auditor shall obtain an understanding of it, and the results
thereof. Where the auditor identifies risks of material misstatement that management
failed to identify, the auditor shall evaluate whether there was an underlying risk of a
kind that the auditor expects would have been identified by the entity’s risk assessment
process. If there is such a risk, the auditor shall obtain an understanding of why that
process failed to identify it, and evaluate whether the process is appropriate to its
circumstances or if there is a material weakness in the entity’s risk assessment process.
If the entity has not established such a process or has an ad hoc process, the auditor shall
discuss with management whether business risks relevant to financial reporting objectives
have been identified and how they have been addressed. The auditor shall evaluate
whether the absence of a documented risk assessment process is appropriate in the
circumstances, or represents a material weakness in the entity’s internal control.
When the auditor has determined that a significant risk exists, the auditor shall obtain an
understanding of the entity’s controls, including control activities, relevant to that risk.
Risk for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate
Audit Evidence
In respect of some risks, the auditor may judge that it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to
the inaccurate or incomplete recording of routine and significant classes of transactions or
account balances, the characteristics of which often permit highly automated processing with
little or no manual intervention. In such cases, the entity’s controls over such risks are relevant to
the audit and the auditor shall obtain an understanding of them.
The auditor shall communicate material weaknesses in internal control identified during the
audit on a timely basis to management at an appropriate level of responsibility, and, as
required by PSA 260 (Revised), “Communication with Those Charged with Governance,”
with those charged with governance (unless all of those charged with governance are
involved in managing the entity).
Documentation
The auditor shall document
a) The discussion among the engagement team and the significant decisions reached;
b) Key elements of the understanding obtained regarding each of the aspects of the entity
and its environment and of each of the internal control components; the sources of
information from which the understanding was obtained; and the risk assessment
procedures performed;
c) The identified and assessed risks of material misstatement at the financial statement level
and at the assertion level; and
d) The risks identified, and related controls about which the auditor has obtained an
understanding.
Analytical Procedures
Analytical procedures may help identify the existence of unusual transactions or events, and
amounts, ratios, and trends that might indicate matters that have audit implications. Unusual or
unexpected relationships that are identified may assist the auditor in identifying risks of material
misstatement, especially risks of material misstatement due to fraud.
However, when such analytical procedures use data aggregated at a high level (which may be the
situation with analytical procedures performed as risk assessment procedures), the results of
those analytical procedures only provide a broad initial indication about whether a material
misstatement may exist. Accordingly, in such cases, consideration of other information that has
been gathered when identifying the risks of material misstatement together with the results of
such analytical procedures may assist the auditor in understanding and evaluating the results of
the analytical procedures. PSA 520, “Analytical Procedures,” establishes requirements and
provides guidance on the use of analytical procedures.
SCOPE
This Philippine Standard on Auditing (PSA) deals with the auditor’s responsibility to design and
implement responses to the risks of material misstatement identified and assessed by the auditor
in accordance with PSA 315, “Identifying and Assessing Risks of Material Misstatement
Through Understanding the Entity and Its Environment” in a financial statement audit.
OBJECTIVE
The objective of the auditor is to obtain sufficient appropriate audit evidence about the assessed
risks of material misstatement, through designing and implementing appropriate responses to
those risks.
DEFINITIONS
Substantive Procedure - An audit procedure designed to detect material misstatements at the
assertion level. Substantive procedures comprise:
Tests of details (of classes of transactions, account balances, and disclosures), and
Substantive analytical procedures.
Test of Controls - An audit procedure designed to evaluate the operating effectiveness of controls
in preventing, or detecting and correcting, material misstatements at the assertion level.
OVERALL RESPONSES
The auditor shall design and implement overall responses to address the assessed risks of
material misstatement at the financial statement level.
INTRODUCTION
In recent years, management has become increasingly risk focused.
Expectations from internal auditors are hence shifting from providing an assurance on
the adequacy and effectiveness of internal controls to an assurance on whether risks are
being managed within acceptable limits as laid down by the Board of Directors. This
shift in assurance from a control based focus to a risk based focus requires that the
internal audit activity be carried out by an experienced multidisciplinary team using
risk-based internal audit (RBIA) methodology.
Assurance and consulting activities undertaken by internal auditors in the above four areas
have normally taken the shape of the following activities:
Examination and evaluation of the adequacy and effectiveness of the internal control
system.
Undertaking risk assessments in focus areas, either as a consulting activity or as an
input to the internal audit plan.
Review of financial information system, Management Information System (MIS) and
the underlying technology platform that delivers this electronic data.
Review of the accuracy and reliability of accounting records and financial reports.
Review of safeguarding of assets.
Appraisal of the economy and efficiency of activities in operational areas.
Carrying out process improvement activities through business process audits.
Carrying out performance reviews of functions through operational audits.
Review of the systems established to ensure compliance with legal and regulatory
requirements, code(s) of conduct and the implementation review of policies and procedures.
Testing the reliability and timeliness of legal compliance.
Using the internal audit department as a training ground for developing finance and accounts
managers.