RISK BASED AUDIT APPROACH for conducting the audit of institutions
1. RISK BASED AUDIT APPROACH
S M Soral, Retd. SAO
9785475137
2. Contents
• Risk Based Audit Approach
• Identification and Assessment of various risks
• Inherent Risk, Control Risk and Detection risk
• Risk Model:
3. WHAT IS RISK?
• Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
4. KEY DEFINITIONS
• Event: an incident or occurrence, from sources internal or external to an organization, which may affect the achievement of objectives.
• Opportunity: the possibility that an event will occur and positively affect the achievement of objectives.
5. RISK MANAGEMENT V/S RISK ASSESSMENT
• Risk management is an integral part of the internal control system and is the responsibility of management.
• Audit risk assessment is part of audit planning: a process in which the auditor considers both individual risks and generic risk factors.
6. THE BASIC CONCEPTUAL FRAMEWORK FOR RISK BASED AUDIT PLANNING
1. Determining and categorizing the audit universe.
2. Identifying individual events that may give rise to risks and opportunities across the audit universe.
3. Scoring events in terms of probability and impact (taking into account management actions to mitigate risk) to identify the level of residual risk.
4. Building risk-based audit plans by using generic risk factors and scoring criteria for each factor to determine the audit priority of all audit objects within the audit universe.
5. Presenting the results of risk-based planning by writing and updating strategic and annual work plans.
7. DETERMINING AND CATEGORIZING THE AUDIT UNIVERSE
• What is the “audit universe”?
• The phrase “audit universe” is a simple way of referring to the totality of all things that an internal auditor could separately examine.
• The universe consists of the totality of “auditable objects”, a way of identifying and describing discrete parts of the business, system or process which can be separately audited. Auditable objects need to be large enough to justify an audit and small enough to be manageable.
8. POSSIBLE INFORMATION SOURCES FOR CATEGORIZING
• Management information giving a breakdown of goals, objectives and targets;
• Guides to the organization's services;
• Organizational charts or office directory;
• Annual reports and any performance targets for the organization;
• Corporate and department plans, business plans;
• Development plans for IIT, other infrastructure and buildings budget;
• External audit and consultancy, inspection and review reports;
• Existing operational and strategic audit plans.
9. IDENTIFY INDIVIDUAL RISKS
• The events that may give rise to risks should be identified.
• The events that give rise to opportunities across the audit universe should also be identified.
10. IDENTIFYING RISKS AND ASSESSING THEIR IMPACT AND PROBABILITY [SCORING]
Criteria for assessing impact:
• Financial impact.
• Impact on reputation.
• Regulatory impact.
• Impact on mission/achievement of objectives/operations.
• Impact on people.
11. BUILDING RISK-BASED STRATEGIC AND ANNUAL PLANS
• The objective of this stage of the process is to determine what needs to be audited from within the audit universe, and to identify the building blocks for the audit strategy in terms of the types and cycles of audits that need to be undertaken. This is why this process is also referred to as an “audit needs assessment”.
12. PRESENTING RISK BASED PLANNING
• The result of risk-based planning can be presented in writing.
• This may update strategic and annual work plans.
13. IDENTIFYING RISK FACTORS
The most commonly used risk factors:
• Financial materiality.
• Complexity of activities.
• Control environment
• Reputational sensitivity.
• Inherent risk.
• Extent of change.
• Confidence in management.
• Fraud potential.
• Political sensitivity.
• Time since last audit.
14. WRITING AND UPDATING STRATEGIC AND ANNUAL PLANS
• The purpose of the strategic plan is to document the judgments made about “audit needs”: the internal auditor’s judgment of the systems, activities and programs that should be subject to audit to provide reasonable assurance to management about risks and the effectiveness of internal control.
15. IT MUST CONTAIN…
• Clearly expressed objectives and performance indicators
• The methodology
• How to address areas?
• The resources required and available
• An internal risk assessment
• Plans for the coordination
• The approach for following up
• The higher or longer-term goals
16. TYPES OF RISKS
• Key risks
• Residual risks
• Inherent risks
• Control risks
• Detection risks
17. KEY AND RESIDUAL RISKS
• Key risks are those risks that, if properly managed, will make the organization successful in the achievement of its objectives or, if not well managed, will cause the organization to fail to achieve its objectives.
• Residual risk is the level of risk that remains after taking into account risk mitigation actions such as control activities.
18. AUDIT RISK
• Audit Risk is the risk that an auditor expresses an inappropriate opinion on the financial statements.
• Examples of inappropriate audit opinions include the following:
1. issuing an unqualified audit report where a qualification is reasonably justified;
2. issuing a qualified audit opinion where no qualification is necessary;
3. failing to emphasize a significant matter in the audit report;
4. providing an opinion on financial statements where no such opinion may reasonably be given due to a significant limitation of scope in the performance of the audit.
19. AUDIT RISK (contd.)
• Audit risk may be considered as the product of the various risks which may be encountered in the performance of the audit. In order to keep the overall audit risk of an engagement below the acceptable limit, the auditor must assess the level of risk pertaining to each component of audit risk.
• Audit Risk = Inherent Risk × Control Risk × Detection Risk
• AR = IR × CR × DR
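As an added worked example (not part of the presentation), the following Python scores auditable objects on the generic risk factors listed earlier to rank them for the annual plan, and solves the AR = IR × CR × DR model for the detection risk the auditor can still tolerate once inherent and control risk have been assessed. The factor weights, the 1–5 scoring scale and the sample audit universe are constructed assumptions.

```python
# Added example, not from the presentation: risk-based audit planning helpers.
# Factor weights and the 1..5 scoring scale are assumptions for illustration;
# the deck lists the factors but prescribes no weighting.
from dataclasses import dataclass

FACTOR_WEIGHTS = {
    "financial_materiality": 3, "complexity": 2, "control_environment": 2,
    "reputational_sensitivity": 1, "fraud_potential": 3, "time_since_last_audit": 2,
}

@dataclass
class AuditableObject:
    name: str
    scores: dict  # factor -> score 1..5, where 5 = highest risk

def priority_score(obj):
    """Weighted sum of factor scores; unknown factors or out-of-range values raise."""
    unknown = set(obj.scores) - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    if any(not 1 <= v <= 5 for v in obj.scores.values()):
        raise ValueError("scores must be between 1 and 5")
    return sum(FACTOR_WEIGHTS[f] * s for f, s in obj.scores.items())

def rank_audit_universe(objs):
    """Highest audit priority first; ties broken by name so the plan is stable."""
    return sorted(objs, key=lambda o: (-priority_score(o), o.name))

def required_detection_risk(acceptable_ar, inherent, control):
    """Solve AR = IR x CR x DR for DR, the detection risk the auditor may tolerate.
    A low result means more substantive testing is needed; result is capped at 1.0."""
    if any(not 0 < v <= 1 for v in (acceptable_ar, inherent, control)):
        raise ValueError("each risk must be a probability in (0, 1]")
    return min(1.0, acceptable_ar / (inherent * control))

# Constructed sample audit universe for an institution (hypothetical names/scores).
UNIVERSE = [
    AuditableObject("Payroll", {"financial_materiality": 5, "complexity": 3,
                                "control_environment": 2, "fraud_potential": 4,
                                "time_since_last_audit": 4}),
    AuditableObject("Hostel fees", {"financial_materiality": 3, "complexity": 2,
                                    "control_environment": 4, "fraud_potential": 3,
                                    "time_since_last_audit": 1}),
    AuditableObject("Library", {"financial_materiality": 1, "complexity": 1,
                                "control_environment": 2, "reputational_sensitivity": 2,
                                "fraud_potential": 1, "time_since_last_audit": 5}),
]
```

With an acceptable audit risk of 5%, an assessed inherent risk of 0.8 and control risk of 0.5, `required_detection_risk(0.05, 0.8, 0.5)` gives 0.125, so the audit procedures must hold detection risk to 12.5% or less.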
20. INHERENT RISK
• Inherent Risk is the risk of a material misstatement in the financial statements arising due to error or omission as a result of factors other than the failure of controls.
• Inherent risk is generally considered to be higher where a high degree of judgement and estimation is involved or where the entity's transactions are highly complex.
21. CONTROL RISK
• Control Risk is the risk of a material misstatement in the financial statements arising due to the absence or failure in operation of the relevant controls of the entity.
• Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error.
• The assessment of control risk may be higher, for example, in the case of a small entity in which segregation of duties is not well defined and the financial statements are prepared by individuals who do not have the necessary technical knowledge of accounting and finance.
22. DETECTION RISK
• Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
• An auditor must apply audit procedures to detect material misstatements in the financial statements, whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit, such as the use of sampling for the selection of transactions.
23. ASSESSMENT
• Assessing inherent risk: factors to consider, such as the economy, the industry and previously known misstatements, determine the level of inherent risk for each audit area.
• Assessing control risk: segregation of duties, adequate documents and records, physical control of assets and records.
• Assessing detection risk: misapplying an audit procedure, misinterpreting audit results, selecting the wrong audit testing method.