Audit risk and risk assessment procedures

Audit risk and risk assessment procedures

Audit risk and risk assessment procedures

The objective of the auditor is to identify and assess the risks to the audited entity not meeting its objectives, thereby providing a basis for designing and implementing audit procedures.
Compliance audit Financial audit
Planning
Ref: 14.110

Definitions

Audit risk and assurance

It is not normally practical or cost-effective for auditors to collect evidence in order to have absolute (100%) assurance or confidence of detecting all material deviations. Instead, auditors try to ensure that their conclusions and opinions are based on reasonable assurance, which is obtained from the audit work. Audit risk is the inverse of audit assurance. It is the risk that the auditor is willing to tolerate coming to a wrong conclusion. In practice, audit risk is unavoidable.

Principles

Components of audit risk

The components of audit risk are: Components of audit risk Assessment of risks is a judgement rather than a precise measurement. The level attributed to each component is estimated by the auditor on the basis of his/her professional judgement, informed by the procedures outlined below.

Audit risk model

The audit risk model, as shown below, helps auditors to determine how comprehensive the audit work must be so as to attain the desired assurance for their conclusions. Audit risk (AR)= Inherent risk (IR) x Control risk (CR) x Detection risk (DR) This equation must always be in balance. The higher the auditor assesses the level of inherent and/or control risk to be, the lower the detection risk must be. This requires more substantive audit work (larger sample sizes). Equally, the lower the combined inherent and control risk is assessed to be, the higher the detection risk will be. This in turn means less substantive work and more systems work. More systems and controls need to be tested as the planning assumption must be verified and because the systems work also contributes to the overall assurance. Fraud risk is an element of both inherent and control risk.

When to consider audit risk

Audit risk should be considered when:
  • planning the audit, including the design of audit procedures;
  • carrying out audit procedures; and
  • evaluating the results of the audit tests carried out.

Instructions

Procedures to identify and assess risk

The risk-assessment procedures are employed in order to gain an understanding of the following: The nature and extent of planned audit tests will vary, depending on the auditor's assessment of both inherent and control risk (see Assurance model). The auditor should perform risk assessment procedures as early in the audit as possible, based on various sources of information.
Risk assessment procedures Sources of information
Analysis of relationships in and between financial and non-financial information, through a study of plausible relationships, including trends and ratios. Examples include comparison of actual information against budget, licence income to number of licences, and import duties to physical import data.
  • Financial and non-financial information, in order to provide a broad initial indication of unusual or unexpected relationships.
Inspection consists of examining records or documents, whether internal or external, in paper form, electronic form, or other media, or tangible assets.
  • Visits to the entity's premises and facilities
  • Internal documents - management plans, records, manuals
  • Other information - the auditee's budget; AAR
  • External information- economic journals; regulatory and financial publications
  • Findings from previous audits by the ECA, the Internal Audit Service (IAS), the Supreme Audit Institutions (SAI), the Commission’s anti-fraud office (OLAF), or the European public prosecutor’s office (EPPO)
Observation consists of looking at a process or procedure being performed by others. It provides information about the performance of the process or procedure, but is limited to the point in time at which the observation takes place.
  • Observation of entity activities and operations being carried out
Inquiry consists of seeking information of knowledgeable persons, inside or outside the audited entity.
  • Those charged with governance, management and others within the entity

The entity’s own risk-assessment

The entity's own risk-assessment process can be a source of information. The following important information should be considered as part of the risk assessment for compliance audits:
  • the Directorate-General’s annual management plan (MP) contains objectives, indicators and the critical risks identified for the Directorate-General (DG) concerned;
  • the information in the Commission's annual management reports (AMPR) and the annual activity reports (AAR) including declarations by the Directors-General for the preceding financial year(s) (the AAR provides an overview of critical risks encountered and their impact on the achievement of the DG's objectives);
  • relevant reports by the various control bodies of the Commission (including the internal audit service ) and member states, or other auditors;
At the Commission, the DGs establish their own accounting risk analysis per process and per audit assertion. This represents a substantial input to the risk-assessment process for financial audits. However, the auditor should exercise
professional scepticism
, as risks identified by the auditee may not address those that are of importance for audit purposes, and such information may be biased.
The ECA's previous work, and the knowledge and experience of the audit chambers should always be considered for both, financial and compliance audits. Where the auditor intends to use such information he or she should determine whether changes have occurred since the previous audit that may affect its relevance to the current audit. This is because changes in the control environment, for example, may affect the relevance of information obtained in the prior year.
Last Modified: 15/03/2022 15:30   Tags: