OVERVIEW OF

RISK-BASED
AUDIT PROCESS
Risk-Based Audit Approach – is an audit approach that
begins with an assessment of the types and likelihood of
misstatements in account balance and then adjusts the
amount and type of audit work, to the likelihood of
material misstatements occurring in account balances.
Under this approach, the auditor performs the following:
1. Identification of the client’s strategy and the processes for developing
that strategy.
2. Examination of the core business process and resource management.
3. Identification for each of the key processes (as well as sub-processes)
that objectives, inputs, activities, outputs, systems and transactions.
4. Assessment of the risks that the processes will not meet the goals and
controls related to those risks.
Factors to consider in implementing the audit risk model:
1. High-risk activities
• This includes operations or events where a material misstatement could easily occur.
2. Existence of large non-routine transactions
• Identified significant related party transactions outside the entity’s normal course of
business are to be treated as giving rise to significant risks.
• Routine non-complex transactions that are subject to systematic processing are less
likely to give rise to significant risks.
3. Matters requiring judgement or management intervention.
4. Potential for fraud.
• The risk of not detecting a material misstatement resulting from fraud (which is
intentional and deliberately concealed) is HIGHER than the risk of not detecting one
resulting from error
• Significant fraud risks may be identified at any stage in the audit as a result of new
information being obtained.
Limitation of the Audit Risk Model:
a) Inherent risk is difficult to formally assess.
b) The model treats each risk component as separate and independent
when in fact the components are not independent.
c) Audit risk is judgmentally determined.
d) Audit technology is not so fully developed that each component of
the model can be accurately assessed.
Risk-based audit vs.
Account-based audit
 In account-based auditing, auditors first obtain an
understanding of control and assess control risk for
particular types of error and frauds in specific accounts
and cycle.
 In risk-based audit, the audit team views all activities in the
organization first in terms of risks to strategies and objectives
and then in terms of management’s plans and processes to
mitigate risk. The auditors obtain an understanding of the
client’s objectives. Then risks are identified and the auditors
determine how management plans to mitigate the risk and
whether those plans are in place and operating effectively.
 The Risk-based Audit Process

Phase I. Risk Assessment

Phase II. Risk Response
Phase III. Reporting
Reasonable Assurance is intended to inform the users
that Auditors do not guarantee or insure the fair
presentation of the financial statements.
Free of material misstatement is intended to inform the
users that the auditor’s responsibility is limited to
material financial information. Materiality is important
because it is impractical for auditors to provide
assurance on immaterial amounts.
Understanding the Audit
Risk Model
 Nature of risk

Risk is a concept used to express uncertainty about events and/or

their outcomes that could have a material effect on the organization.
 Four Critical Components of Risk
1. Audit Risk. The risk that an Auditor may give an unqualified opinion
on financial statements that are materially misstated.
2. Engagement Risk. The economic risk that a CPA Firm is exposed to
simply because it is associated with a particular client including loss of
reputation, inability of the client to pay the auditor, or financial loss
because management is not honest and inhibits the Audit process.
Engagement risk is controlled by careful selection and retention of client.
 Four Critical Components of Risk
3. Financial Reporting Risk. Those risks that relate directly to the
recording of transactions and the presentation of financial data in an
organization’s financial statements.
4. Business Risk. Those risks that affect the operations and potential
outcomes of organizational activities.
Audit Risk is defined as the risk that the auditor fails to
find material misstatements in the client’s financial
statements and thereby inappropriately issues an
unqualified opinion on the financial statements. The
auditor can control audit risk in two different ways:
Avoid audit risk by not accepting certain companies as client, i.e.
reduce engagement risk to zero.
Set audit risk at a level that the auditor believes will mitigate the
likelihood that the auditor will fail to identify material
misstatements.
 
Integration of Concepts of Materiality and Risk in a Risk-Based
Audit