Auditing - The Risk-Based Approach
Introduction
Risk plays a large part in the world of auditing. Audit risk is the risk to an auditor or an audit firm of having to
pay damages to a client as a result of negligent work when trying to show a true and fair view of a set of
company accounts. All audit work involves some level of risk; this may be because a set of company accounts has
been misstated due to error or fraud, or because the auditor failed to detect the errors or fraud. In addition, these
problems may have occurred due to inadequate sample sizes when determining the level of risk, or because the
auditor failed to use proper auditing policies.
To evaluate the level of risk related to specific areas of the audit, three components can help. The first is inherent risk,
where environmental factors (background knowledge of the client, and where past audits indicate no difficulties) are
considered against whether or not they would lead to a material error, before considering the 'function of internal
controls'. Next is control risk, where the 'system of internal controls' is assessed against the possibility of preventing
material error, or detecting it in time using internal controls. Last is detection risk, where the auditor's procedures may
fail to detect a material error not picked up by the internal controls.
This report explains why the risk-based approach has become popular with external auditors and how it has been
linked to materiality and sampling levels.
Findings
Risk Based Approach
The role of an external audit, no matter what type of organisation it is, is to show a
true and fair view of the company accounts and to abide by the auditing standards. Recently the risk-based approach
has become as valued as auditing standards and adopted by most. The reason for it becoming so popular is that this
audit approach helps the auditor to evaluate the level of risk to a particular area of the audit, i.e. specific accounts and
transactions. Consequently, auditors can '...avoid both overauditing and underauditing and can distribute work more
evenly throughout the year.' Grobstein and others (1985 p29).
Besides focusing on the level of risk, the risk-based method helps to evaluate and build value into the financial
reporting process and the client's company. In order to do this the auditor must have an up-to-date insight into the
client's business and activities. This knowledge is gained through the way the client operates their business,
management and internal and external environments. The knowledge gathered can help to design the audit program
that includes '...the most effective and efficient combination of tests responsive to each client's unique
circumstances.' Grobstein and others (1985 p29). For this reason, the risk-based approach is then superior to
traditional auditing methods.
Although the new system of auditing has become more popular over the years there are obvious advantages and
disadvantages that need to be considered. For example, the aims of this risk-based approach are to assess and
identify the high-risk areas, while at the same time, the auditor is minimising the risk of negligence. Therefore, this
can speed the audit up and help to allocate specialists to specific areas of the audit. However, this process can cause
more time to be spent on the audit and raise costs, not making economic sense. Another problem faced by
auditors adopting the risk-based approach is that, when identifying high-risk areas, they must decide
what evidence should be required and in how much detail.
Materiality
An auditor's duty is to give a fair and truthful view of a client's set of company accounts, but auditors
cannot guarantee that the company accounts are entirely free of errors and irregularities. Therefore, in their audit
planning auditors must identify and assess the risk that they have not discovered, or will not discover material items.
If an item is discovered, auditors must consider the context and presentation of the item and then decide whether it
affects the true and fair view of the company accounts. The Statements of Auditing Standards, SAS 220 states that
'Auditors should consider materiality and its relationship with audit risk when conducting an audit'.
Millichamp (2002 p300) suggests, in order to avoid materiality, it should be taken into account at the planning stage of
an audit and re-evaluated if the outcomes of tests, enquiries or examinations differ from expectations. Millichamp
(2002 p300-1) also suggests that materiality is fundamental to accounting and is a matter of professional judgement
with both quality and quantity dimensions.
Auditing materiality is also known as tolerable error. Tolerable error is considered the maximum error in a population
(sample size) that auditors are prepared to accept and still conclude that the audit objectives have been achieved.
The level of tolerable error is normally determined at the planning stages. Throughout the audit, tests are then carried
out on these levels; they '...provide evidence that the actual errors in the population are less than the tolerable error'.
Millichamp (2002).
Sampling
The objective of any sampling method is to draw conclusions from a large set of data. The objective of audit
sampling is to establish with reasonable confidence that a number of factors are free from material misstatement.
This means drawing conclusions from an entire set of data that may be a set of account balances (population) and
then testing a representative sample of items (sampling units). Nonetheless, auditors are not required to check all
transactions and balances of a business, but they must be practical and be aware of materiality. A complete check
would take too long: by the time the accounts reached the public they would be history. In some cases a 100%
check is still necessary, for example in high-risk areas.
There are two methods of sampling. The first is judgement sampling, in which the auditor selects an appropriate sample
based on what the auditor judges as desirable. Next is the more popular and objective of the two, statistical sampling.
This method of sampling is more commonly used, as a scientifically and mathematically appropriate sample is selected. In
order for the auditor to reach a conclusion based on the sample, he or she must select a sample that is
'...representative of the underlying population'. Sherer & Turley (1998). Various methods can be used to select a
representative sample, but all have a basic need to select a random sample.
When deciding on the appropriate sample sizes for any given population there are several factors to consider.
Confidence levels must be taken into consideration when looking at the '...extent to which the auditor is justified in
believing that the sample drawn at random reflects (with a stipulated range) the attributes of the population from
which it was taken'. Woolf (1988). Therefore, from the sample results and a given level of confidence we can be
reasonably assured that the error rate lies within certain boundaries. This also means that the auditor can
never be 100% certain, and confidence levels are seen to be complementary to risk. Furthermore, because an auditor
cannot be 100% certain, there must be a measure for the potential error rate in the population. Determining the
precision area depends on the auditor's own assessment of the situation, and we can see that confidence levels and
precision are strongly interconnected.
Conclusion
The audit risk approach has grown significantly in recent years. This is a result of auditing firms making
their audit work more cost effective, whilst still maintaining audit quality. Compared to the older substantive testing
and system-based auditing, risk-based auditing takes account of substantive test risks and includes inherent risk,
control risk, detection risk and sampling risk, as well as other risk tests not mentioned in this report (i.e. analytical
control risk). This system of assessing risk and focusing the audit on the high-risk areas minimises the auditor's risk
of paying damages to a client through negligent work.
Assessing the risk of material misstatement at the financial statement level as well as at the planning stage adds to
and clarifies the direction on performing a combined assessment of inherent and control risk, leaving the ability for
the auditor to assess other risk factors in an audit. This approach to auditing has also changed the view of
substantive procedures performed by auditors. For example, the use of statistical sampling has significantly reduced,
but it remains an important part of auditors' substantive procedures '...and one they wish to ensure is efficient and
effective'. Sherer & Turley (1998). Sherer & Turley (1998 p251) suggest that in order to improve the risk-based
approach, ways must be identified '...in which auditors' judgement of inherent risk and control risk can become more
accurate and consistent'.
REFERENCES
Grobstein M, Loeb S, Neary R (1985) Auditing: A Risk Analysis Approach, Richard D. Irwin, Inc
Millichamp A (2002) Auditing, 8th Edition, Continuum
Sherer M, Turley S (1998) Current Issues in Auditing, 3rd Edition, Paul Chapman
Venables J.S.R, Impey K.M (1991) Internal Audit, 3rd Edition, Butterworth & Co
Woolf E (1988) Auditing Today, 4th Edition, Prentice Hall
Compliance Approach: After evaluating general controls, the reviewer conducts review of records of the
practice unit either by compliance approach or substantive approach or a combination of both. The Statement
requires the reviewer to assess key controls as to whether proper control procedures have been established by the
practice unit to ensure that attestation services are being performed in accordance with the Technical Standards.
It requires the assessment of following six key controls:
◆ Audit Record Administration
◆ Financial Statements Presentation
◆ Review and Evaluation of System of Internal Controls
◆ Substantive Tests
◆ Audit Conclusion
◆ Audit Report
The key controls listed above are analogous to different stages in performing an attestation engagement.
A key control is one whose failure could lead to a material misstatement in the financial statements and
is not compensated by another control. At this stage, as far as the reviewer is concerned, the documentation
aspect shall be critical. The Statement, however, makes it amply clear that "members in smaller practices may
find some of the documentation too elaborate for most of their clients and should tailor their attestation
services documentation to suit their particular circumstances with justification for doing so provided to the
reviewer". Reviewers are expected to take note of this while reviewing records of smaller-sized practice units.
The administration aspect of audit records of a practice unit involves whether such records contain the
engagement letter, a copy of the audit plan or programme, and proper documentation in terms of AAS 3, and
whether the same are easily retrievable. Further, such records would also provide evidence that the practice
unit did evaluate internal controls and make an assessment of audit risk. Subsequently, the reviewer would like
to ensure documentation of results of compliance procedures followed by substantive testing. Before arriving at
the audit conclusion and reporting thereof, the records must also provide evidence in respect of complying with
the key control of financial statements presentation by ensuring compliance with relevant disclosure
requirements laid down by the governing Statutes and ICAI pronouncements.
Substantive Approach: A substantive approach will be employed if the reviewer chooses not to place reliance on
the practice unit's specific controls on attestation engagements or is of the opinion that the standard of
compliance is not satisfactory. This approach requires a review of the attestation working papers in order to
establish whether the attestation work has been carried out as per norms of Technical Standards. It may cover
the following areas:
◆ Terms of Engagement
◆ Understanding Client's Business
◆ Internal Control System
◆ Analytical Procedures
◆ Materiality and Sampling
◆ Transactions Testing
◆ Balance Verification
◆ Review of Financial Statement
Substantive approach
The substantive approach is used when this is the most efficient way of gathering sufficient,
appropriate evidence to support the financial statement assertions or if the system of internal
control is inadequate to support the systems approach. When the substantive approach is used,
every program and/or line item must be tested.
During any audit, high-value and key items are subjected to substantive testing methods.
These items are normally identified during the determination of the population to be tested
using a systems approach. The auditor may also identify some expenses that are easily
verified using a substantive approach rather than with a systems approach. For instance, it is a
simple matter to verify rent expense by obtaining the rental agreement and multiplying the
monthly rent by 12, and then comparing it to the rent expense recorded in the general ledger.
First Nation Audit Engagements, Part 2: Typical Fund Accounting Structure
Substantive procedures may also be mandated where the systems approach is unworkable due
to a basic lack of internal controls. In this instance, the auditor proceeds methodically through
each program and then verifies the disclosed amounts by referring to the funding agreement,
invoices, payroll, and other source documents. (See Appendix 2 for information about a
resource that shows a typical program audit.)
When using the substantive approach, the auditor should concurrently verify the balance sheet
amounts related to the program or account being audited. This adds efficiency to the year-end
audit as the supporting documents needed for this audit will not have to be obtained and
scrutinized again.
Compliance Testing
The purpose of compliance testing is to determine whether the expected strength of the system is working as
intended. A sample will be selected utilizing either statistical sampling methods or non-statistical depending on the
nature of the sample and objective of the compliance test. The purpose of using statistical sampling methods is to
quantify the results of our testing utilizing the minimum number of transactions. Non-statistical sampling carries with it
the uncertainty of performing either too little or too much audit work. Compliance tests are normally directed towards
common control systems.
Substantive Testing
These tests are designed to provide evidence related to the validity of the information produced by the financial
system. Substantive tests include: confirmations of balances with independent third parties, review of supporting
documentation for transactions, observation of assets, and comparison and evaluation of relationships between
financial statement items. Substantive tests are normally addressed to individual items on the financial statements.
6 The benefits
The benefits of risk-based auditing are considerable:
• Risk-based auditing is a simple concept. There is no need for a complex
definition of internal control, or internal auditing, and it involves the whole
organisation and its processes – so no need to define which functions internal
auditing should involve – all of them.
• Alongside this simplicity, there is a unity. The recommendations made can be
traced back through controls, risks and processes to the organisation's
objectives, using the RAU and audit databases. Similarly, we can easily
demonstrate what proportion of significant risks we have audited, and the
results, to provide assurance to the board about the “effectiveness of the
company’s system of internal control” (LSE Combined Code). RBIA ties all
aspects of internal auditing together; objectives, processes, risks, controls,
tests and reports (see diagram in section 4.4.4). The relevance of any test can
be seen in relation to the opinion on the entire risk management framework
because of the relationships set up in the risk and audit universe. This is not
always possible where audit programmes are used, as it is not always clear
why the test is being carried out; the significance if a control is found to be
defective; what risk the control is treating and what objective is being
threatened by that risk. RBIA provides an ‘audit trail’ from an individual audit
report back through tests, controls and risks to objectives, and forward to the
audit committee report on whether those objectives are threatened.
• The organisation buys in to the audit process. Because it has to be closely
involved in the process, and should be able to clearly see the benefits of our
output, it is far more likely to support the audit work, as opposed to treating it
like an unwanted imposition. (No-one does that – do they?).
• Resources can be justified. Because the audit plan is driven by the proportion
of risks on which the audit committee requires assurance, this determines the
resources required. This differs from the alternative approach, whereby the
resources available determine the audits which can be carried out. It also
ensures that resources are directed towards checking the management of the
most significant risks.
• The work is more challenging and interesting to staff. They have to work in
non-finance areas, with staff that may be seconded in for the audit. There is no
handle-turning of work programmes, without really understanding why the test
is being done.
• Risk-based auditing is more efficient, because it directs audits at the high-risk
areas, as opposed to financial areas, which may not represent such a great
risk.
• We can rank recommendations, to provide the greatest value added in terms of
the risks mitigated.
• RBIA should highlight risks which are over-controlled, and therefore improve
efficiency.
©David M Griffiths 30 January 2006
Fundamentally, the internal audit function is now much more part of the organisation
and less introspective. It involves the organisation more in the audit process and
produces recommendations which contribute to its objectives. At the same time it has
to be careful not to lose its independence and objectivity, as a result of getting closer
to the operations.
7.7 Disadvantages
With every advantage there are always some disadvantages:
• The closer relationship with the rest of the organisation may reduce the
independence of the internal audit function. We should prevent this by making
the responsibility of internal auditing clear and by adopting the ‘iron fist in a
velvet glove’ approach.
• It’s hard work! We have to sell the risk-based process to the organisation, get it
to tell us its risks, score them and then have to carry out some difficult audits
which we have never done before! Stakeholder management is vital, and takes
time.
• While the principles are simple, the delivery can be complex, as we can see
from the spreadsheets.
• Existing staff may need retraining.
• By concentrating on audits of inherent risks above the risk appetite, some
audits previously considered important by senior management might disappear.
These might include audits of small overseas subsidiaries, ‘petty cash’ and the
Staff Social Club.
0 Implementation of RBIA: difficulties
Some difficulties or disadvantages are associated with the
implementation of RBIA, such as: (a) the auditor's independence may
be compromised due to a close relationship with management;
(b) existing staff may need to be retrained; (c)
stakeholder management is very important and takes time;
and (d) some of the audits previously considered important,
like the petty cash audit, will disappear due to excessive
concentration on audit of inherent risk.