Auditing - The Risk-Based Approach Auditing - The Risk-Based Approach Introduction Risk, plays a large part
in the world of Auditing. Audit risk, represents risk to an auditor or an audit firm, as the risk of paying damages to a client may arise out of negligent work when trying to show a true and fair view of a set of company accounts. All audit work involves some level of risk; this may be because a set of company accounts have been misstated due to error or fraud, or the auditor failed to detect the errors or fraud. In addition, these problems may have occurred due to inadequate sample sizes when determining the level of risk or the auditor failed to use proper auditing policies. To evaluate the level of risk related to specific areas of the audit, three components can help. The first is Inherent risk were environmental factors, (background knowledge of the client and were past audits indicate no difficulties) are concidered against whether or not they would lead to a material error, before considering the 'function of internal controls'. Next is Control risks were the 'system of internal controls' is assessed against the possability of preventing material error, or detecting it in time using internal controls. Last is Detection risk were the auditors procedures may fail to detect a material error not picked up by the internal controls. This report explains why the risk-based approach has become popular with external auditors and how it has been linked to materiality and sampling levels. Findings Risk Based Approach The role of an external audit, no matter what type of organisation it is, is to show a true and fair view of the company accounts and to abide by the auditing standards. Recently the risk-based approach has become as valued as auditing standards and adopted by most. The reason for it becoming so popular is that this audit approach helps the auditor to evaluate the level of risk to a particular area of the audit, i.e. specific accounts and transactions. Consequently, auditors can '...avoid both overauditing and underauditing and can distribute work more evenly throughout the year.' Grobstein and others (1985 p29). Besides, focusing on the level of risk the risk-based method helps to evaluate and build value into the financial reporting process and the clients company. In order to do this the auditor must have an up to date insight of the clients business and activities. This knowledge is gained through the way the client operates their business, management and internal and external environments. The knowledge gathered can help to design the audit program that includes '...the most effective and efficient combination of tests responsive to each client's unique circumstances.' Grobstein and others (1985 p29). For this reason, the risk-based approach is then superior to traditional auditing methods. Although the new system of auditing has become more popular over the years there are obvious advantages and disadvantages that need to be considered. For example, the aims of this risk-based approach are to assess and identify the high-risk areas, while at the same time, the auditor is minimising the risk of negligence. Therefore, this can speed the audit up and help to allocate specialists to specific areas of the audit. However, this process can cause more time to be spent on the audit and raise costs, not making economic sense. Unfortunately, another problem faced by auditors when adopting the risk-based approach is when identifying high-risk areas, auditors must decide what evidence should be required and in how much detail. Materiality An auditor's duty is to give a fair and truthful view of a client's set of company accounts, but auditors cannot guarantee that the company accounts are entirely free of errors and irregularities. Therefore, in their audit planning auditors must identify and assess the risk that they have not discovered, or will not discover material items. If an item is discovered, auditors must consider the context and presentation of the item and then decide whether it affects the true and fair view of the company accounts. The Statements of Auditing Standards, SAS 220 states that 'Auditors should consider materiality and its relationship with audit risk when conducting an audit'. Millichamp (2002 p300) suggests, in order to avoid materiality, it should be taken into account at the planning stage of an audit and re-evaluated if the outcomes of tests, enquiries or examinations differ from expectations. Millichamp (2002 p300-1) also suggests that materiality is fundamental to accounting and is a matter of professional judgement with both quality and quantity dimensions. Auditing materiality is also known as tolerable error. Tolerable error is considered the maximum error in a population (sample size) that auditors are prepared to except and still conclude that the audit objectives have been achieved. The level of tolerable error is normally determined at the planning stages. Throughout the audit, tests are then carried out on these levels; they '...provide evidence that the actual errors in the population are less than the tolerable error'. Millichamp (2002). Sampling The objective of any sampling method is to draw conclusions from a large set of data. The objective of audit
Turley S. statistical sampling. It would take to long to complete a check. analytical control risk). Irwin.extent to which the auditor is justified in believing that the sample drawn at random reflects (with a stipulated range) the attributes of the population from which it was taken'. Richard D. in addition this means that the auditor can never be 100% certain and confidence levels are seen to be complimentary to risk. Prentice Hall
Compliance Approach: After evaluating general controls. but remains an important part of auditor's substantive procedures '. ways must be identified '. we can see that confidence levels and precision are strongly interconnected. REFERENCES Grobstein M. because by the time they had reached the public they would be history.R. Assessing the risk of material misstatement at the financial statement level as well as at the planning stage. The Statement
. Confidence levels must be taken into consideration when looking at the '. there must be a measure for the potential error rate in the population. 8th Edition. Compared to the older substantive testing and system based auditing.. inherent risk. This means drawing conclusions from an entire set of data that may be a set of account balances (population) and then testing a representative sample of items (sampling units). (1998) Current Issues in Auditing.in which auditors' judgement of inherent risk and control risk can become more accurate and consistent'. This method of sampling is more commonly used as a scientifically and mathematically appropriate sample is selected. There are two methods of sampling the first is judgement sampling. Impey K. This approach to auditing has also changed the view of substantive procedures performed by auditors. whilst still maintaining audit quality. but they must be practical and be aware of materiality. but all have a basic need to select a random sample. for example high-risk areas.S.representative of the underlying population'. Conclusion The audit risk approach has grown significantly in recent years.e.M. 3rd Edition. the use of statistical sampling has significantly reduced. check is still necessary. from the sample results and a given level of confidence we can be reasonably be assured that the error rate lies within certain boundaries. he or she must select a sample that is '. it is not required of auditors to check all transactions and balances of a business. Sherer & Turley (1998). Continuum Sherer M. Sherer & Turley (1998) Sherer & Turley (1998 p251) suggest that in order to improve the risk-based approach.. For example. and control risk.. risk based auditing takes account of substantive test risks and includes. Furthermore. Nonetheless. (1985) Auditing: A Risk Analysis Approach. In order for the auditor to reach a conclusion based on the sample. Determining the precision area depends on the auditor's own assessment of the situation. In some cases a 100%. the auditor selects an appropriate sample based on what the auditor judges as desirable. Next is the more popular and objective of the two. This is a result of auditing firms making their audit work more cost effective. Butterworth & Co Woolf E (1988) Auditing Today. 3rd Edition. Various methods can be used to select a representative sample. (1991) Internal Audit. because an auditor cannot be 100% certain.. the reviewer conducts review of records of the practice unit either by compliance approach or substantive approach or a combination of both. Neary R. Inc Millichamp A (2002) Auditing. This system of assessing risk and focusing the audit on the high-risk areas minimises the auditor's risk against paying damages to a client through negligent work.. When deciding on the appropriate sample sizes for any given population there are several factors to consider.sampling is to establish with reasonable confidence that a number of factors are free from material misstatement. Paul Chapman Venables J.. Therefore. detection risk and sampling risk as well as other risk tests not mentioned in this report (i. adds to and clarifies the direction on performing a combined assessment of inherent.and one they wish to ensure is efficient and effective'.. Loeb S. control risk. Woolf (1988).. 4th Edition. leaving the ability for the auditor to assess other risk factors in an audit.
requires the reviewer to assess key controls as to whether proper control procedures have been established by the practice unit to ensure that attestation services are being performed in accordance with the Technical Standards. The administration aspect of audit records of a practice unit would involve as to whether such records contain engagement letter. Reviewers are expected to take note of this while reviewing records of smaller-sized practice units. such records
. a copy of audit plan or programme. makes it amply clear that "members in smaller practices may find some of the documentation too elaborate for most of their clients and should tailor their attestation services documentation to suit their particular circumstances with justification for doing so provided to the reviewer". At this stage. The Statement. proper documentation in terms of AAS 3 and the same are easily retrievable. It requires the assessment of following six key controls: Audit Record Administration Financial Statements Presentation Review and Evaluation of System of Internal Controls Substantive Tests Audit Conclusion Audit Report The key controls listed above are analogous to different stages in performing an attestation engagement. Further. however. as far as the reviewer is concerned. A key control is one whose failure could lead to a material misstatement in the financial statements and is not compensated by another control. the documentation aspect shall be critical.
This approach requires a review of the attestation working papers in order to establish whether the attestation work has been carried out as per norms of Technical Standards. Substantive Approach: A substantive approach will be employed if the reviewer chooses not to place reliance on the practice unit's specific controls on attestation engagements or is of the opinion that the standard of compliance is not satisfactory. the records must also provide evidence in respect of complying with key control of financial statements presentation by ensuring compliance with relevant disclosure requirements laid down by the governing Statutes and ICAI pronouncements. It may cover the following areas: Terms of Engagement Understanding Client's Business Internal Control System Analytical Procedures Materiality and Sampling Transactions Testing Balance Verification
. Before arriving at audit conclusion and reporting thereof. the reviewer would like to ensure documentation of results of compliance procedures followed by substantive testing. Subsequently.would also provide evidence that the practice unit did evaluate internal controls and make an assessment of audit risk.
For instance. Part 2: Typical Fund Accounting Structure 6 Substantive procedures may also be mandated where the systems approach is unworkable due to a basic lack of internal controls. and other source documents. This adds efficiency to the year-end audit as the supporting documents needed for this audit will not have to be obtained and scrutinized again. In this instance. During any audit. These items are normally identified during the determination of the population to be tested using a systems approach.) When using the substantive approach. and then comparing it to the rent expense recorded in the general ledger. When the substantive approach is used.
. it is a simple matter to verify rent expense by obtaining the rental agreement and multiplying the monthly rent by 12. the auditor should concurrently verify the balance sheet amounts related to the program or account being audited. the auditor proceeds methodically through each program and then verifies the disclosed amounts by referring to the funding agreement. (See Appendix 2 for information about a resource that shows a typical program audit. First Nation Audit Engagements. every program and/or line item must be tested. appropriate evidence to support the financial statement assertions or if the system of internal control is inadequate to support the systems approach.Review of Financial Statement
Substantive approach The substantive approach is used when this is the most efficient way of gathering sufficient. high-value and key items are subjected to substantive testing methods. payroll. The auditor may also identify some expenses that are easily verified using a substantive approach rather than with a systems approach. invoices.
to provide assurance to the board about the effectiveness of the company s system of internal control (LSE Combined Code). The purpose of using statistical sampling methods is to quantify the results of our testing utilizing the minimum number of transactions. and comparison and evaluation of relationships between financial statement items. Substantive tests include: confirmations of balances with independent third parties. or internal auditing. and it involves the whole organisation and its processes so no need to define which functions internal auditing should involve all of them. there is a unity. objectives. Non-statistical sampling carries with it the uncertainty of performing either too little or too much audit work.The purpose of compliance testing is to determine whether the expected strength of the system of working as intended. and the results. RBIA ties all aspects of internal auditing together. The recommendations made can be traced back through controls. Similarly. review of supporting documentation for transactions.4. tests and reports (see diagram in section 4. Compliance tests are normally directed towards common control systems. The relevance of any test can be seen in relation to the opinion on the entire risk management framework because of the relationships set up in the risk and audit universe. controls. what risk the control is treating and what objective is being
. Substantive tests are normally addressed to individual items on the financial statements. A sample will be selected utilizing either statistical sampling methods or non-statistical depending on the nature of the sample and objective of the compliance test. Substantive Testing These tests are designed to provide evidence related to the validity of the information produced by the financial system. This is not always possible where audit programmes are used.4). observation of assets. Alongside this simplicity. as it is not always clear why the test is being carried out. risks and processes to the organisation's objectives.
6 The benefits The benefits of risk-based auditing are considerable: Risk-based auditing is a simple concept. processes. the significance if a control is found to be defective. There is no need for a complex definition of internal control. using the RAU and audit databases. we can easily demonstrate what proportion of significant risks we have audited. risks.
with staff that may be seconded in for the audit. Because it has to be closely involved in the process. Risk-based auditing is more efficient. and forward to the audit committee report on whether those objectives are threatened. it is far more likely to support the audit work. This differs from the alternative approach. to provide the greatest value added in terms of the risks mitigated. as opposed to treating it like an unwanted imposition. and therefore improve efficiency RBIA The benefits ©David M Griffiths 54 30 January 2006
. as opposed to financial areas. There is no handle-turning of work programmes. We can rank recommendations. because it directs audits at the high-risk areas. They have to work in nonfinance areas. RBIA should highlight risks which are over-controlled. RBIA provides an audit trail from an individual audit report back through tests. (No-one does that do they?). Because the audit plan is driven by the proportion of risks on which the audit committee requires assurance.threatened by that risk. The organisation buys in to the audit process. which may not represent such a great risk. this determines the resources required. Resources can be justified. and should be able to clearly see the benefits of our output. controls and risks to objectives. whereby the resources available determine the audits which can be carried out. without really understanding why the test is being done. It also ensures that resources are directed towards checking the management of the most significant risks The work is more challenging and interesting to staff.
and takes time. It s hard work! We have to sell the risk-based process to the organisation.
0 Implementation of RBIA: difficulties Some difficulties or disadvantages are associated with the
. While the principles are simple. At the same time it has to be careful not to lose its independence and objectivity. the delivery can be complex. the internal audit function is now much more part of the organisation and less introspective. score them and then have to carry out some difficult audits which we have never done before! Stakeholder management is vital. We should prevent this by making the responsibility of internal auditing clear and by adopting the iron fist in a velvet glove approach. petty cash and the Staff Social Club. as a result of getting closer to the operations. Existing staff may need retraining. These might include audits of small overseas subsidiaries. get it to tell us its risks. 7. It involves the organisation more in the audit process and produces recommendations which contribute to its objectives.Fundamentally. By concentrating on audits of inherent risks above the risk appetite.7 Disadvantages With every advantage there are always some disadvantages: The closer relationship with the rest of the organisation may reduce the independence of the internal audit function. as we can see from the spreadsheets. some audits previously considered important by senior management might disappear.
(b) existing staffs may be required to be retrained. and (d) some of the audits previously considered important like petty cash audit will disappear due to excessive concentration on audit of inherent risk.
.implementation of RBIA like. (a) auditor s independence may be compromised due to close relationship with management. (c) stakeholder management is very important and takes time.