How do you perform risk assessment in audit?

What is risk assessment?

Risk Assessment is management's process of identifying risks and rating the likelihood and impact of a risk event.  An internal control assessment can be performed at the same time.  This takes the risk assessment and maps internal controls to the risks to determine if there are gaps between risks and controls.

A Risk Event is a potential event or missed opportunity that may negatively impact your ability to meet your business objectives.

Likelihood is how likely it is for a Risk Event to occur.  

Impact is how much impact a Risk Event may have on your operations.

Inherent Risk is the risk to an organization in the absence of any actions management might take to alter the risk's likelihood or impact.

Control is an activity that helps ensure that management directives to mitigate risk are carried out.  

Internal Controls are control activities including policies that establish what should and should not be done and procedures that are the actions to implement the policies.  Control activities either deter undesirable acts or prevent errors from occurring (preventative) or find undesirable acts or errors after they've occurred and provide evidence as to whether the preventative controls are effective (detective).  Internal controls are either automated by software or manually performed.

Residual Risk is the risk remaining after management has taken actions to alter the risk's Likelihood or Impact.

Process Maps are graphical representations of your program's key processes including internal control activities.

Performance Measures identify your program's true measures of success.

A Risk Score is a numerical rating computed from Impact, Likelihood and any other risk measurement factors, each assigned a weight, so that risks can be stack ranked or plotted on a heat map.

A Risk Control Matrix shows how internal controls address each of your program's risks.


Risk Appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value; it reflects the enterprise's risk management philosophy and in turn influences the entity's culture and operating style.

Risk Tolerance is the acceptable level of variation relative to the achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.
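The definitions above (Likelihood, Impact, Inherent Risk, Control, Residual Risk, Risk Score and Risk Control Matrix) fit together in a small risk register. The following is an added example written for this page, not code from the original page or from any audit body; the 1-5 scales, the weights, the heat-map thresholds, the rule that preventative controls lower likelihood while detective controls lower impact, and the three risk events are all constructed assumptions:

```python
from dataclasses import dataclass, field

# All scales, weights, thresholds and register entries below are constructed
# for this example; they are assumptions, not values from the page.
SCALE = range(1, 6)                               # assumed 1 (lowest) .. 5 (highest)
WEIGHTS = {"likelihood": 1.0, "impact": 1.5}      # assumed: impact weighted more heavily
MAX_SCORE = WEIGHTS["likelihood"] * 5 * WEIGHTS["impact"] * 5   # 37.5


@dataclass
class Control:
    name: str
    kind: str                      # "preventative" or "detective"
    automated: bool                # automated by software vs. manually performed
    likelihood_reduction: int = 0  # scale points the control removes from likelihood
    impact_reduction: int = 0      # scale points the control removes from impact


@dataclass
class Risk:
    event: str                     # the risk event
    likelihood: int                # inherent likelihood (1-5)
    impact: int                    # inherent impact (1-5)
    controls: list = field(default_factory=list)


def risk_score(likelihood, impact, weights=WEIGHTS):
    """Weighted multiplicative risk score; higher means riskier."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return weights["likelihood"] * likelihood * weights["impact"] * impact


def residual(risk):
    """Residual likelihood/impact after the mapped controls, floored at 1."""
    lik = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return lik, imp


def heat_band(score):
    """Bucket a score for a heat map; thresholds are assumed fractions of MAX_SCORE."""
    if score >= 0.6 * MAX_SCORE:
        return "high"
    if score >= 0.25 * MAX_SCORE:
        return "medium"
    return "low"


def control_matrix(risks):
    """Risk Control Matrix: each risk event -> names of the controls addressing it."""
    return {r.event: [c.name for c in r.controls] for r in risks}


def gaps(risks):
    """Risks with no control at all, and risks with no preventative control."""
    return {
        "uncontrolled": [r.event for r in risks if not r.controls],
        "no_preventative": [r.event for r in risks
                            if not any(c.kind == "preventative" for c in r.controls)],
    }


def stack_rank(risks):
    """Rank by residual score, descending: (event, inherent, residual, band)."""
    rows = []
    for r in risks:
        inherent = risk_score(r.likelihood, r.impact)
        res = risk_score(*residual(r))
        rows.append((r.event, inherent, res, heat_band(res)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register of three risk events, for illustration only.
REGISTER = [
    Risk("Unauthorised payment released", 4, 5, [
        Control("Dual approval of payments", "preventative", automated=False, likelihood_reduction=2),
        Control("Monthly bank reconciliation", "detective", automated=False, impact_reduction=1),
    ]),
    Risk("Payroll master data altered by insider", 3, 4),     # no control mapped: a gap
    Risk("Journal posted after period close", 2, 4, [
        Control("Period lock in ledger system", "preventative", automated=True, likelihood_reduction=1),
    ]),
]

if __name__ == "__main__":
    for event, controls in control_matrix(REGISTER).items():
        print(f"{event}: {controls or 'NO CONTROL'}")
    print("gaps:", gaps(REGISTER))
    for event, inherent, res, band in stack_rank(REGISTER):
        print(f"{event}: inherent={inherent} residual={res} ({band})")
```

Running the register shows the point of the control mapping: the highest inherent risk (the unauthorised payment, score 30) drops to medium once its preventative and detective controls are applied, while the payroll risk keeps its full score and is flagged twice by `gaps`, so it tops the residual ranking even though it started lower. The same structure is what an internal control assessment produces when it lays the control matrix over the risk assessment.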


International Standard on Auditing (ISA) 315 (Revised) Identifying and assessing the risks of material misstatement through understanding the entity and its environment explains auditors’ responsibilities in relation to risk assessment and internal control.

The identification and assessment of the risks of material misstatement by the auditor provide the basis for designing and implementing responses to them, which is addressed by ISA 330 The Auditor’s responses to assessed risks. ISA 315 is the ISA from which all other ISAs flow, and all ISAs are risk-based. Many auditors struggle to apply ISAs to small, less complex audits. This may be due to a lack of understanding or because of the requirements in the ISAs themselves.

Risk assessment challenges for auditors

Risk assessment is critical to the performance of all financial statement audits. The idea of a “risk-based” approach to auditing has been around for many years, and it is not a difficult concept: the approach focuses audit effort on those areas that are most at risk of material misstatement. When planning an audit, the audit team should therefore ask themselves:

  • What are the areas of risk? 
  • How big is the threat of material misstatement associated with these risks? 
  • What audit procedures need to be performed to respond to the levels of risk assessed?

But both auditors and regulators report problems in applying the relevant auditing standards consistently. Key risk assessment issues include:

  • The quality of linkages between risk assessment and response;
  • The need to demonstrate and document how professional judgement was applied; and
  • The definition, determination and understanding of ‘significant risk’ under the ISAs.

Understanding, documenting and testing internal control

Internal control is an area in which auditors often need to improve their risk assessment processes. In particular, auditors need to remember that internal controls are still relevant where a fully substantive audit approach is adopted. Understanding internal control and documenting that understanding is a challenge for all audits, irrespective of the client’s size or complexity. In smaller, less complex entities controls are typically informal and undocumented, and potentially compromised by a lack of segregation of duties. The involvement of the owner-manager in the day-to-day running of the business can have a positive and a negative effect on the evaluation of risk.

Even where auditors adopt a fully substantive approach, they should ask themselves whether they have:

  • identified those controls that are relevant to the audit, such as those relating to the key transaction streams;
  • checked whether those controls are designed appropriately to achieve their objectives; and
  • obtained evidence that these controls have been implemented, eg, by walkthrough tests.

The new ISA 315 (Revised): changes for 2022 

The International Audit and Assurance Standards Board (IAASB) approved major changes to ISA 315 in September 2019. The changes will be effective for audits of financial statements for periods beginning on or after 15 December 2021. The effects of the revisions will be far-reaching and will require firms of all sizes to revise their approach to risk assessments.

Determining and applying materiality

The concept of materiality is fundamental to the audit. As the basis for the auditor’s opinion, ISAs require auditors to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement. Materiality is applied by auditors at the planning stage, and when performing the audit and evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements.

ISA 320 Materiality in planning and performing an audit does not include a definition for materiality. This is because the principle of materiality is first and foremost a financial reporting, rather than an auditing, concept. Also, the interpretation may differ in different parts of the world.

Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of financial statements. It is important therefore that auditors refer to any discussion of materiality in the financial reporting framework when determining materiality for the audit. Such a discussion, if present, provides auditors with a frame of reference.

Using data analytics in external audit

Auditor data analytics is about enhancing audit quality. Data analytics consists of tools that extract, validate and analyse large volumes of data, quickly. The tools are applied to complete populations, 100% of the transactions, ie, “full data sets”, and they can be used to support judgements, draw conclusions or provide direction for further investigation. Auditing standards do not specifically address the use of data analytics in external audit.

Data analytics may be more commonly used in larger firms and the mid-tier, but smaller firms need to be aware of the potential for data analytics to transform smaller audits. 

Addressing the risk of management override

Management override refers to the ability of management and/or those charged with governance to manipulate accounting records and prepare fraudulent financial statements by overriding controls, even where the controls might otherwise appear to be operating effectively.

Under ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements auditors are required to assess the risk of material misstatement from management override of controls as significant, which requires specific documentation and affects the response of the auditor to risk.

Although the level of risk of management override of controls will vary from entity to entity, it is, nevertheless, present in all entities.

Communications with those charged with governance

Identifying who is charged with governance, ensuring appropriate communication takes place and demonstrating this on the audit file are vital to the success of the audit of financial statements. ISA 260 (Revised) Communication with those charged with governance provides an overarching framework for the auditor’s communication with those charged with governance and includes specific matters that need to be communicated to them. In addition, a further standard, ISA 265 Communicating deficiencies in internal control to those charged with governance and management includes specific requirements regarding communicating significant deficiencies in internal controls identified by the auditor in the course of the audit.

Communicating effectively throughout the audit can improve its technical quality and cost effectiveness for entities of all shapes and sizes. Communication is not something you just have to do because International Standards on Auditing (ISAs) require it; it is something you should want to do in order to improve the audit.

Many audit files give good evidence of communication with management at the completion stage, but ISA 260 requires the audit team to establish effective two-way communication throughout the audit process. This means that the audit file should demonstrate a consistent level of communication throughout the audit.

How is risk assessment done in audit?

During the risk assessment process, Internal Auditing identifies and assesses both the likelihood and potential impact of various risks to the organization. Internal controls are then identified and evaluated to determine how adequate they are in reducing risk to ensure that residual risk is at manageable levels.

What is risk assessment in audit planning?

Audit risk assessment procedures are performed to obtain an understanding of your company and its environment, including your company's internal control, to identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error.