RISK BASED AUDITING

JANNAATU ÁDNIN BT MASLAN

FINANCE DIVISION 2
FINANCE SECTOR
E-mail: adnin@audit.gov.my
Tel: 03-80911194
UNDERSTANDING THE ENTITY’S INFORMATION FRAMEWORK

• ISSAI 2315 requires the auditors to obtain an understanding of the information system, including the business processes relevant to financial reporting.
Understanding the Entity and Its Environment

Decisions may be initiated outside the entity as a result of political processes. Such decisions influence management’s activities. Examples include:
 New geographic locations or closures of existing locations;
 Reorganizations, including transfer of activities to other entities;
 New program areas; and
 Budgetary constraints or cutbacks.

Understanding the business operations may include knowledge of the government activities carried out, including relevant programs.

Governance structures are affected by the legal structure of the entity, for example whether the entity is a ministry, department, agency or other type of entity.
Understanding the Entity’s Internal Control

(a) Any additional reporting responsibilities regarding internal controls;
(b) Relevant controls that relate to compliance with authorities;
(c) Controls related to monitoring performance against the budget;
(d) Controls related to transferring budgetary funds to other entities;
(e) Controls over classified data related to national security and sensitive personal data, such as tax and health information;
(f) Supervision and other controls may be performed by parties outside the entity and relate to areas such as:
• Compliance with procurement regulations;
• Execution of the budget;
• Other areas as defined by legislation or audit mandate;
• Management’s accountability.
SNAPSHOT OF UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
IMPORTANT NOTE

01. Every audit assignment presents a different challenge to an audit firm, with no two audit assignments being the same. For example, no two entities are the same in terms of business sector, location, size, employees, governance issues, ethos, and complexity of operations.

02. There is no one single approach to auditing which ensures the performance of a perfect audit. However, it is generally accepted that for most entities of size, the risk-based audit approach will minimise the possibility of audit objectives not being met.

03. ‘TOP DOWN’ approach to identifying audit risks: ‘top’ refers to the day-to-day operations of the entity and the environment in which it operates; ‘down’ refers to the financial statements of the entity.
UNDERSTANDING THE ENTITY

The auditor’s understanding of the entity and its environment consists of an understanding of the following aspects:

 Regulatory, policy and other external factors, including applicable financial and/or other reporting requirements
 The people, especially those managing the operations of the entity and the accounting/finance function
 Objectives and strategies and the related operational/business risks (i.e. the way the entity’s operations are run) that may result in a misstatement, error or even fraud
 Measurement and review of the entity’s financial performance
 Internal controls
TYPES OF RISK

Inherent risk is the risk posed by an error or omission in a financial statement due to a factor other than a failure of internal control.

In a financial audit, inherent risk is most likely to occur when transactions are complex, or in situations that require a high degree of judgment in regard to financial estimates.

This type of risk represents a worst-case scenario because all internal controls in place have nonetheless failed.
INFLUENCE ON INHERENT RISK

Factor: Macroeconomic impact for consequences of activities
  High risk conditions: Performance is highly dependent on external factors (inflation, unemployment, interest rates)
  Low risk conditions: Performance is little influenced by external factors (inflation, unemployment, interest rates)

Factor: Structure of management
  High risk conditions: Domination of one person
  Low risk conditions: Management by a group of individuals

Factor: Management
  High risk conditions: Inadequate management, poor manager reputation, lack of experience and knowledge in management
  Low risk conditions: Management is reliable and competent

Factor: Distortions in previous audits
  High risk conditions: Many common errors found during previous audits
  Low risk conditions: Not many common errors found during previous audits

INFLUENCE ON INHERENT RISK (continued)

Factor: Results of prior-year audits
  High risk conditions: Frequent errors found in prior-year engagements
  Low risk conditions: Few errors found in prior-year engagements

Factor: Nature of transactions
  High risk conditions: Unusual and complex transactions, with a lack of experience or lack of registry system knowledge at the time of registration in registry records
  Low risk conditions: Common transactions with automated input and efficient operation

Factor: Susceptibility to defalcation
  High risk conditions: Assets easily stolen or misappropriated
  Low risk conditions: Assets that cannot be easily moved or misappropriated

Factor: Control system
  High risk conditions: There is no system of internal control, or it is weak
  Low risk conditions: Strong control system
Control risk is the risk that material error will not be prevented or detected on a timely basis by the internal control structure.

Control activities:
• Performance reviews
• Information processing
• Authorization
• Physical controls
• Segregation of duties
• Reconciliation
Detection Risk

Detection risk is the risk that the auditor’s procedures will lead to the conclusion that material error does not exist when in fact it does.

Detection Risk: Low
• Becomes the focus of the audit
• Cannot rely on controls
• Careful and detailed substantive testing. The auditor may choose whether to prioritise substantive tests of balances or of transactions, or both, with equal intensity. Under the existing conditions, the auditor may also choose to place particular emphasis on the most influential assertion, for example existence or completeness, depending on the circumstances.
• First priority for the allocation of resources (quantity and quality).
• Analytical procedures and tests of accuracy still need to be performed.

Detection Risk: Medium
• Although it is not the main focus, sufficient attention is still needed.
• Can rely on some controls.
• Scope of substantive testing is not too deep (moderate level).
• Moderate sample.
• Second priority for the allocation of resources.
• Analytical procedures and tests of accuracy still need to be performed.

Detection Risk: High
• The account will not be the focus of the audit.
• Can rely fully on the entity’s internal controls.
• Scope of substantive testing is limited, for example substantive tests of balances only.
• Small sample.
• Third priority for the allocation of resources.
• Analytical procedures and tests of accuracy are the main procedures.
Inherent Risk Assessment

(Diagram: assess inherent risk as High or Low.)
IDENTIFYING AND ASSESSING RISK OF MATERIAL MISSTATEMENT

ISSAI 2315 requires the auditor to identify and assess the risk of material misstatement at:
A) the financial statements level, and
B) the assertion level for particular classes of transactions, account balances or disclosures, to provide a basis for designing and performing further audit procedures.

What is risk of material misstatement?
• The risk that the financial statements are materially misstated prior to audit.
• Financial statement level: risks that relate pervasively to the financial statements as a whole and potentially affect many assertions.
• Assertion level: risks that relate to assertions on classes of transactions, account balances, and disclosures.
MATERIALITY

ISSAI 2320 sets a framework of reference for auditors to use in determining materiality:

1. Information is material if its omission or misstatement could influence the economic decisions of users, taken based on the financial statements.
2. Judgements about materiality are influenced by surrounding circumstances and the size or nature of a misstatement, or both.
3. Judgements about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users as an identifiable group.

Materiality in Planning and Risk Assessment
PUBLIC SECTOR RISK MANAGEMENT

IMPLEMENTATION OF PUBLIC SECTOR RISK MANAGEMENT

The Chief Secretary to the Government (KSN) issued a directive letter dated 9 March 2007 to all Heads of Department to ensure that all public officers entrusted with managing resources carry out their responsibilities with full integrity, and identify and address the risks faced in implementing the various programmes and managing projects.

Every public sector agency, including the education sector, needs to have its own risk management plan as a guide for avoiding or minimising potential risks to all services provided to customers.
RISK MANAGEMENT PROCESS

ESTABLISHING THE CONTEXT
• Analyse the environment and background
• Determine the definition of risk and risk management
• Risk management governance
• Identify stakeholders

COMMUNICATION AND CONSULTATION
Carry out continuous and periodic communication to ensure the risk register and risk profile

RISK ASSESSMENT
• IDENTIFY RISKS
• ANALYSE RISKS
• CATEGORISE RISKS

CONTROL STRATEGY
• Choose a strategy for managing the risk:
• Avoid
• Transfer
• Accept
• Reduce

MONITORING AND REVIEW
Monitor and manage all risks that have been agreed to be addressed by the relevant parties.

Source: MAMPU (adapted from MS ISO 31000:2018 Risk Management - Principles and Guidelines)
ESTABLISHING THE CONTEXT

• Analyse the environment and background
• Determine the definition of risk and risk management
• Risk management governance
• Identify stakeholders
ORGANISATIONAL CHARACTERISTICS

(Matrix: rows INTERNAL and EXTERNAL; columns "Achieves objectives/direction" and "Undermines objectives/direction".)

EXTERNAL SITUATION
STAKEHOLDER ANALYSIS

(Table template with columns: Stakeholder name | Level of influence on the organisation | Role in strategic planning | Level of impact on the organisation. Influence and impact are each rated Very high, High or Low.)
THANK YOU.
