What is risk based auditing was one question that I had problem in answering for a very long time before I finally had my breakthrough in understanding what a risk-based approach to auditing is all about. It won’t be out of order if I make the assertion that many practicing accountants and auditors still have problem grasping what it means to take a risk-based stance in auditing as opposed to the control based approach to auditing.
This article as always here in accountant next door is a non technical approaching to explaining what it means to view auditing from the risk perspective. So, let’s get started by looking at the meaning of risk-based auditing.
DEFINITION AND MEANING OF RISK-BASED AUDITING
Risk based auditing in its simplest form is a relatively new way of independently and objectively obtaining evidence regarding assertions about a process for the purpose of forming an opinion about the process and subsequently reporting on the degree to which the assertions are implemented. Auditors literally start the audit process by equipping themselves with knowledge of the nature of the business of the entity and its business environment. Auditors arm themselves with sufficient information about a business and its environment so as to assess risk before making a decision of either performing a compliance test or a substantive test.
COMPLIANCE TESTING Vs. SUBSTANTIVE TESTING
Compliance test: this is simply an act of gathering evidence for the purpose of testing an organization’s compliance with control procedures and processes in relation to external rules, legal requirements, and regulations. Compliance gives the auditor an insight into the level of compliance with policies and procedures by the management. The aim of a compliance test is to give the auditor reasonable assurance that the internal control structure which the auditor plans to rely on is in fact operating as the auditor had already perceived it to be from the preliminary stage of the audit process.
Substantive test: this is the process of gathering evidence in order to evaluate the integrity of individual transactions, processes, data, and other information. This is to say that a substantive test lives up to its name by substantiating the integrity of actual processing. For example, auditors through substantive test, gathers evidence regarding the validity and integrity of the balances found in the financial statements of a company and the balances that supports them.
Auditors perform substantive test when control testing (compliance test) indicate that there is no control or the presence of weak controls. Make sure you take home the difference between compliance and substantive testing.
The sole aim of this comprehensive process is to ensure that company objectives are met. Risk-based approach is used to develop and continually improve the continuous audit process. It is worth stressing that risk based approach to auditing helps auditors determine the nature and extent of auditing that needs to be done in an efficient manner. In business valuation, this process is similar to the fundamental analysis process that an equity analyst perform in order to help him or her come up with an intrinsic value of a company. The next section of this article will take you through the process of effectively and efficiently performing a risk-based audit.
RISK-BASED AUDIT APPROACH OR PROCESS
Risk based auditing is generally composed of five broad stages. There is no hard and fast rule of what constitute each stage, but, the most importance facets of those stages are covered in this section.
FIVE (5) STAGES OF RISK BASED AUDIT
- INFORMATION GATHERING AND PLANNING STAGE
- MASTERY OF INTERNAL CONTROL STAGE
- COMPLIANCE TEST STAGE
- SUBSTANTIVE TEST STAGE
- CONCLUSION AND PRODUCTION OF REPORT STAGE
Risk Based Internal Audit
Risk based approach in internal audit is similar to applying risk based approach to auditing in other areas of auditing. Below are stages involved in conducting a risk based internal audit.
- Understand the business environment of the entity
- Build a risk register leveraging on your understanding of the business model of the entity and what the mission statement states.
- Develop a risk management plan documentation
- Draw up an audit plan based on the contents of the risk register
- Draw up audit timetable
- Perform all relevant audit procedures
- Report on findings and recommendations
- Perform follow up audit
IMPORTANCE OF RISK BASED AUDIT
The fact that risk based auditing encourages auditors to have integrated knowledge of businesses makes the whole process of auditing less daunting as it used to be. By understanding the fundamentals of the business models of a company, auditors can easily identify and categorise risks which will in turn help better determine the risk model or approach that would be most suitable for the audit. Other benefits of following the risk based approach of auditing are listed below:
- Better understanding of business and its environment
- Increased chance of achieving audit objective
- Saves resources
- Makes audit planning easier
TYPES OF AUDIT RISK
In as much as audit risks shouldn’t bother an auditor that approaches that audit procedure from the risk-based perspective (auditors are not just relying on risk when following the risk-based auditing, they also rely on internal and operational controls as well as the knowledge of the company), this article will not be complete without drawing your attention to the types of audit risks that an auditor might face and when such audit risks surfaces. Audit risk can be categorised as:
- Inherent risk
- Control risk
- Detection risk
- Overall risk