
CHAPTER ONE: INTRODUCTION AND OVER-ALL VIEW

DEFINITION AND MEANING OF RISK-BASED AUDITING

Risk-based audit is a methodology that focuses primarily on the inherent risk involved in
activities or systems and provides assurance that management is keeping that risk within the
defined risk appetite.

Risk-based auditing, in its simplest form, is a relatively new way of independently and objectively
obtaining evidence about assertions made about a process, for the purpose of forming an opinion
about the process and subsequently reporting on the degree to which the assertions are
implemented. Auditors start the audit process by equipping themselves with knowledge of the
nature of the entity's business and its business environment. They gather sufficient information
about the business and its environment to assess risk before deciding whether to perform a
compliance test or a substantive test.

COMPLIANCE TESTING Vs. SUBSTANTIVE TESTING

Compliance test: this is simply the act of gathering evidence for the purpose of testing an
organization’s compliance with control procedures and processes in relation to external rules,
legal requirements, and regulations. Compliance testing gives the auditor an insight into
management's level of compliance with policies and procedures. The aim of a compliance test is
to give the auditor reasonable assurance that the internal control structure the auditor plans to
rely on is in fact operating as the auditor perceived it to be at the preliminary stage of the audit
process.

Substantive test: this is the process of gathering evidence in order to evaluate the integrity of
individual transactions, processes, data, and other information. A substantive test lives up to its
name by substantiating the integrity of actual processing. For example, through substantive tests
auditors gather evidence regarding the validity and integrity of the balances in a company's
financial statements and of the records that support them.

Auditors perform substantive tests when control testing (compliance testing) indicates that there
are no controls or only weak controls. Make sure you take home the difference between
compliance and substantive testing.

The sole aim of this comprehensive process is to ensure that company objectives are met. The
risk-based approach is used to develop and continually improve the continuous audit process. It is
worth stressing that a risk-based approach to auditing helps auditors determine, efficiently, the
nature and extent of auditing that needs to be done. In business valuation, this process is similar
to the fundamental analysis that an equity analyst performs in order to arrive at an intrinsic value
for a company.

Key Points!
- Risk-based audits are becoming more popular
- The risk-based audit can help the auditor determine the nature and extent of needed testing
- Within risk-based auditing, inherent risk, control risk, or detection risk should not be a
major concern
- Auditors don’t rely just on risk; they should also rely on the internal and operational
controls as well as their knowledge of the company's operations. This type of assessment
can help later in the cost-benefit analysis of the control against the known risk.

Business risks should include the probable effects of an uncertain event. The nature of the risk
may be (1) financial, (2) regulatory, (3) operational, or (4) technological.

RISK MODEL ASSESSMENT

- A methodology used to identify the audit strategy to be followed
- Could be as simple as creating weights for the types of risks identified
- Risk assessment can be a scheme where risks have an elaborate weight-based rating
depending on the significance of the risk and the asset being protected

AUDIT RISK AND MATERIALITY

Audit risk is defined as the risk that information may contain a material error that goes
undetected during the audit.

- Inherent risk: the risk that an error exists that can be material or significant when
combined with other errors during the course of the audit
- Control risk: the risk that a material error may exist and may not be prevented or detected
in a timely manner by the internal control system
- Detection risk: the risk that the auditor is using inadequate test procedures
- Overall audit risk: a combination of the above categories, used in the audit to assess each
specific control

Audit risk can also describe the level of risk an auditor is prepared to accept during an audit
engagement.

- In fact, the auditor might set a target level of risk and adjust the amount of detailed work
to minimize this risk
- Material – refers to an error that should be considered significant to any party concerned
with the audit
- Materiality is a matter of professional judgement that should include a consideration of
the effect on the organization being audited

Auditors should have a good understanding of the audit risks when planning the audit.

- There is certainly a possibility that an audit sample may not detect every potential error in
the sample population
- Using proper statistical sampling, or a strong quality control process, can reduce the amount
of audit risk

The materiality of audit risk could come about from not detecting a minor error.

- Of course, one minor error by itself may not be enough, but when combined with many
other minor errors it can cascade into a larger problem
- Materiality should be considered in terms of the total potential impact on an organization
that could be realized through a series of minor errors

IMPORTANCE OF RISK-BASED AUDIT

The fact that risk-based auditing encourages auditors to have integrated knowledge of businesses
makes the whole process of auditing less daunting than it used to be. By understanding the
fundamentals of a company's business model, auditors can more easily identify and categorise
risks, which in turn helps determine the risk model or approach that would be most suitable for
the audit. Other benefits of following the risk-based approach to auditing are listed below:

- Better understanding of the business and its environment
- Increased chance of achieving the audit objective
- Saves resources
- Makes audit planning easier

THE AUDITOR’S RESPONSES TO ASSESSED RISK

CHAPTER TWO: IDENTIFYING & ASSESSING THE RISKS OF MATERIAL MISSTATEMENTS
THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT (PSA 315)

[Figure: risk heat map plotting inherent risk by probability (vertical axis, High at the top)
against impact (horizontal axis, High at the right); residual risk is shown within the grid.]

SCOPE
This Philippine Standard on Auditing (PSA) deals with the auditor’s responsibility to identify
and assess the risks of material misstatement in the financial statements, through understanding
the entity and its environment, including the entity’s internal control.

OBJECTIVE
The objective of the auditor is to identify and assess the risks of material misstatement, whether
due to fraud or error, at the financial statement and assertion levels, through understanding the
entity and its environment, including the entity’s internal control, thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement.

DEFINITIONS
- Assertions - Representations by management, explicit or otherwise, that are embodied in
the financial statements, as used by the auditor to consider the different types of potential
misstatements that may occur.

- Business Risk - A risk resulting from significant conditions, events, circumstances,
actions or inactions that could adversely affect an entity’s ability to achieve its objectives
and execute its strategies, or from the setting of inappropriate objectives and strategies.

- Internal Control - The process designed, implemented and maintained by those charged
with governance, management and other personnel to provide reasonable assurance about
the achievement of an entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or more of the components
of internal control.

- Risk Assessment Procedures - The audit procedures performed to obtain an
understanding of the entity and its environment, including the entity’s internal control, to
identify and assess the risks of material misstatement, whether due to fraud or error, at
the financial statement and assertion levels.

- Significant Risk - An identified and assessed risk of material misstatement that, in the
auditor’s judgment, requires special audit consideration.

RISK ASSESSMENT PROCEDURE AND RELATED ACTIVITIES

The auditor shall perform risk assessment procedures to provide a basis for the identification and
assessment of risks of material misstatement at the financial statement and assertion levels. Risk
assessment procedures by themselves, however, do not provide sufficient appropriate audit
evidence on which to base the audit opinion.

The risk assessment procedures shall include the following:

(a) Inquiries of management, and of others within the entity who in the auditor’s
judgment may have information that is likely to assist (relevant) in identifying risks of
material misstatement due to fraud or error.
(b) Analytical procedures.
(c) Observation and inspection.

THE REQUIRED UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT,
INCLUDING THE ENTITY’S INTERNAL CONTROL

The Entity and Its Environment

The auditor shall obtain an understanding of the following:

a) Relevant industry, regulatory, and other external factors including the applicable financial
reporting framework.

b) The nature of the entity (its operations, ownership and governance structures, types of
investments that the entity is making and plans to make, the way that the entity is
structured and how it is financed, to enable the auditor to understand the classes of
transactions, account balances, and disclosures to be expected in the financial statements)

c) The entity’s selection and application of accounting policies, including the reasons for
changes thereto. The auditor shall evaluate whether the entity’s accounting policies are
appropriate for its business and consistent with the applicable financial reporting
framework and accounting policies used in the relevant industry.

d) The entity’s objectives and strategies, and those related business risks that may result in
risks of material misstatement.

e) The measurement and review of the entity’s financial performance.

The Entity’s Internal Control

The auditor shall obtain an understanding of internal control relevant to the audit. Although most
controls relevant to the audit are likely to relate to financial reporting, not all controls that relate
to financial reporting are relevant to the audit. It is a matter of the auditor’s professional
judgment whether a control, individually or in combination with others, is relevant to the audit.

Nature and Extent of the Understanding of Relevant Controls

When obtaining an understanding of controls that are relevant to the audit, the auditor shall
evaluate the design of those controls and determine whether they have been implemented, by
performing procedures in addition to inquiry of the entity’s personnel.

Components of Internal Control (C-R-I-M-E)

- Control Environment
- Risk Assessment Process
- Control Activities
- Monitoring of Controls
- Information and Communication

Risk Assessment Process

The auditor shall obtain an understanding of whether the entity has a process for:
a) Identifying business risks relevant to financial reporting objectives;
b) Estimating the significance of the risks;
c) Assessing the likelihood of their occurrence; and
d) Deciding about actions to address those risks.

- If the entity has established such a process (referred to hereafter as the ‘entity’s risk
assessment process’), the auditor shall obtain an understanding of it, and the results
thereof. Where the auditor identifies risks of material misstatement that management
failed to identify, the auditor shall evaluate whether there was an underlying risk of a
kind that the auditor expects would have been identified by the entity’s risk assessment
process. If there is such a risk, the auditor shall obtain an understanding of why that
process failed to identify it, and evaluate whether the process is appropriate to its
circumstances or if there is a material weakness in the entity’s risk assessment process.
- If the entity has not established such a process or has an ad hoc process, the auditor shall
discuss with management whether business risks relevant to financial reporting objectives
have been identified and how they have been addressed. The auditor shall evaluate
whether the absence of a documented risk assessment process is appropriate in the
circumstances, or represents a material weakness in the entity’s internal control.

Identifying and Assessing the Risks of Material Misstatement

The auditor shall identify and assess the risks of material misstatement at:
a) The financial statement level; and
b) The assertion level for classes of transactions, account balances, and disclosures, to
provide a basis for designing and performing further audit procedures.

For this purpose, the auditor shall:

a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the
classes of transactions, account balances, and disclosures in the financial statements;
b) Assess the identified risks, and evaluate whether they relate more pervasively to the
financial statements as a whole and potentially affect many assertions;
c) Relate the identified risks to what can go wrong at the assertion level, taking account of
relevant controls that the auditor intends to test; and
d) Consider the likelihood of misstatement, including the possibility of multiple
misstatements, and whether the potential misstatement is of a magnitude that could result
in a material misstatement.

Significant Risks (Risks That Require Special Audit Consideration)

As part of the risk assessment, the auditor shall determine whether any of the risks identified are,
in the auditor’s judgment, a significant risk. In exercising this judgment, the auditor shall exclude
the effects of identified controls related to the risk.
In exercising judgment as to which risks are significant risks, the auditor shall consider at least
the following:
a) Whether the risk is a risk of fraud
b) Whether the risk is related to recent significant economic, accounting or other
developments and, therefore, requires specific attention;
c) The complexity of transactions;
d) Whether the risk involves significant transactions with related parties;
e) The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and
f) Whether the risk involves significant transactions that are outside the normal course of
business for the entity, or that otherwise appear to be unusual.

When the auditor has determined that a significant risk exists, the auditor shall obtain an
understanding of the entity’s controls, including control activities, relevant to that risk.

Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit Evidence

In respect of some risks, the auditor may judge that it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to
the inaccurate or incomplete recording of routine and significant classes of transactions or
account balances, the characteristics of which often permit highly automated processing with
little or no manual intervention. In such cases, the entity’s controls over such risks are relevant to
the audit and the auditor shall obtain an understanding of them.

Revision of Risk Assessment

The auditor’s assessment of the risks of material misstatement at the assertion level may change
during the course of the audit as additional audit evidence is obtained. In circumstances where
the auditor obtains audit evidence from performing further audit procedures, or if new
information is obtained, either of which is inconsistent with the audit evidence on which the
auditor originally based the assessment, the auditor shall revise the assessment and modify the
further planned audit procedures accordingly

Material Weakness in Internal Control

- The auditor shall evaluate whether, on the basis of the audit work performed, the auditor has
identified a material weakness in the design, implementation or maintenance of internal
control.

- The auditor shall communicate material weaknesses in internal control identified during the
audit on a timely basis to management at an appropriate level of responsibility, and, as
required by PSA 260 (Revised), “Communication with Those Charged with Governance,”
with those charged with governance (unless all of those charged with governance are
involved in managing the entity).

Documentation
The auditor shall document
a) The discussion among the engagement team and the significant decisions reached;
b) Key elements of the understanding obtained regarding each of the aspects of the entity
and its environment and of each of the internal control components; the sources of
information from which the understanding was obtained; and the risk assessment
procedures performed;
c) The identified and assessed risks of material misstatement at the financial statement level
and at the assertion level; and
d) The risks identified, and related controls about which the auditor has obtained an
understanding.

Analytical Procedures
Analytical procedures may help identify the existence of unusual transactions or events, and
amounts, ratios, and trends that might indicate matters that have audit implications. Unusual or
unexpected relationships that are identified may assist the auditor in identifying risks of material
misstatement, especially risks of material misstatement due to fraud.

However, when such analytical procedures use data aggregated at a high level (which may be the
situation with analytical procedures performed as risk assessment procedures), the results of
those analytical procedures only provide a broad initial indication about whether a material
misstatement may exist. Accordingly, in such cases, consideration of other information that has
been gathered when identifying the risks of material misstatement together with the results of
such analytical procedures may assist the auditor in understanding and evaluating the results of
the analytical procedures. PSA 520, “Analytical Procedures,” establishes requirements and
provides guidance on the use of analytical procedures.

Observation and Inspection

Observation and inspection may support inquiries of management and others, and may also
provide information about the entity and its environment. Examples of such audit procedures
include observation or inspection of the following:
a) The entity’s operations.
b) Documents (such as business plans and strategies), records, and internal control manuals.
c) Reports prepared by management (such as quarterly management reports and interim
financial statements) and those charged with governance (such as minutes of board of
directors’ meetings).
d) The entity’s premises and plant facilities.

CHAPTER THREE: THE AUDITOR’S RESPONSES TO ASSESSED RISKS (PSA 330)

SCOPE
This Philippine Standard on Auditing (PSA) deals with the auditor’s responsibility to design and
implement responses to the risks of material misstatement identified and assessed by the auditor
in accordance with PSA 315, “Identifying and Assessing Risks of Material Misstatement
Through Understanding the Entity and Its Environment” in a financial statement audit.

OBJECTIVE
The objective of the auditor is to obtain sufficient appropriate audit evidence about the assessed
risks of material misstatement, through designing and implementing appropriate responses to
those risks.

DEFINITIONS
Substantive Procedure - An audit procedure designed to detect material misstatements at the
assertion level. Substantive procedures comprise:

- Tests of details (of classes of transactions, account balances, and disclosures), and
- Substantive analytical procedures.

Test of Controls - An audit procedure designed to evaluate the operating effectiveness of controls
in preventing, or detecting and correcting, material misstatements at the assertion level.

OVERALL RESPONSES
The auditor shall design and implement overall responses to address the assessed risks of
material misstatement at the financial statement level.

Audit Procedures Responsive to the Assessed Risks of Material Misstatement at the
Assertion Level
The auditor shall design and implement responses to address the assessed risks of
material misstatement at the assertion level.

GUIDE ON RISK-BASED INTERNAL AUDIT

Traditionally, the main focus of internal audit was confined to the controls and processes
relating to financial transactions. In certain entities, internal audit was used more as a
review and inspection function. With the passage of time, and with the growth of
organizations, management has come to view internal audit as a significant resource for
evaluating entire operations and achieving more effectiveness in day-to-day activities.

In today's era of globalization, with the emergence of new models for governing enterprises
and a subtle shift towards controls and strategic decision making, the identification and
assessment of risk has become a focal point. In recent times, risk-based internal audit is
being viewed by management as an important tool for assessing how well the risks that are
barriers to the objectives and success of the organization are managed. Risk-based internal
audit involves assessing the organization's risk maturity level and expressing an opinion on
the adequacy of the policies and processes established by management to manage the risks.
Risk-based internal audit mainly reports on risk management, which includes the
identification, evaluation, control and monitoring of risk. A risk-based internal audit focuses
mainly on objectives rather than on controls and transactions. This requires the internal
auditor to have the skills to provide a broad level of assurance to management.

This Guide is divided into four chapters with a view to providing guidance on risk-based
internal audit to all readers. Chapter 1, Introduction, helps readers understand the concept of
risk-based internal audit. Chapter 2, Risk Management, deals with aspects such as
understanding risk, basic concepts of risk management, enterprise-wide risk management, and
the risk maturity of an organization. Chapter 3, Using Risk-based Internal Audit Methodology,
covers the building blocks of RBIA, the stages in RBIA and a case study. Chapter 4, The
Internal Audit Process, explains the phases of the internal audit process.

INTRODUCTION
In recent years, management has become increasingly risk focused. Expectations of internal
auditors are hence shifting from providing assurance on the adequacy and effectiveness of
internal controls to providing assurance on whether risks are being managed within the
acceptable limits laid down by the Board of Directors. This shift in assurance from a
control-based focus to a risk-based focus requires that the internal audit activity be carried
out by an experienced multidisciplinary team using a risk-based internal audit (RBIA)
methodology.

“Internal audit is an independent management function, which involves a continuous and
critical appraisal of the functioning of an entity with a view to suggest improvements
thereto and add value to and strengthen the overall governance mechanism of the entity,
including the entity's strategic risk management and internal control system.”

To achieve the objectives of appraising and suggesting improvements in the overall
governance mechanism of the organization, internal auditors have been carrying out
assurance and consulting activities in the following areas:
a. Internal policy compliance.
b. Regulatory policy compliance.
c. Process improvement.
d. Training and development.

Assurance and consulting activities undertaken by internal auditors in the above four areas
have normally taken the shape of the following activities:
- Examination and evaluation of the adequacy and effectiveness of the internal control
system.
- Undertaking risk assessments in focus areas, either as a consulting activity or as an
input to the internal audit plan.
- Review of financial information systems, the Management Information System (MIS) and
the underlying technology platform that delivers this electronic data.
- Review of the accuracy and reliability of accounting records and financial reports.
- Review of the safeguarding of assets.
- Appraisal of the economy and efficiency of activities in operational areas.
- Carrying out process improvement activities through business process audits.
- Carrying out performance reviews of functions through operational audits.
- Review of the systems established to ensure compliance with legal and regulatory
requirements, code(s) of conduct and the implementation review of policies and procedures.
- Testing the reliability and timeliness of legal compliance.
- Using the internal audit department as a training ground for developing finance and accounts
managers.
