What is Risk Based Audit ?
Its old theory of module. It has concepts similar to risk assessment. See highlighted words, first to get the flow.
Risk-based audit (RBA) is an approach to audit that analyzes audit risks, sets materiality thresholds based on audit risk analysis and develops audit programs that allocate a larger portion of audit resources to high-risk areas.
The risk based audit is superior to traditional audit approaches for two reasons. First, it focuses on risks, the underlying causes of financial surprises, not just the accounting records. Secondly, the risk based audit shifts the focus from inspecting the quality of the financial information that is recorded in the financial statements to building quality into the financial reporting process and adding value to the organisation’s operations.
General Steps in the Conduct of RBA – RBA consists of four main phases starting with the identification and prioritization of risks, to the determination of residual risk, reduction of residual risk to acceptable level and the reporting to auditee of audit results. These are achieved through the following:
Understand Business and its inherent risks
(i) Understand auditee operations to identify and prioritize risks : Understanding auditee operations involves processes for reviewing and understanding the audited organization’s risk management processes for its strategies, framework of operations, operational performance and information process framework, in order to identify and prioritize the error and fraud risks that impact the audit of financial statements. The environment in which the auditee operates, the
information required to monitor changes in the environment, and the process or activities integral to the audited entity’s success in meeting its objectives are the key factors to an understanding of agency risks. Likewise, a performance review
of the audited entity’s delivery of service by comparing expectations against actual results may also aid in understanding agency operations.
How management is compensating risks
(ii) Assess auditee management strategies and controls to determine residual audit risk : Assessment of management risk strategies and controls is the determination as to how controls within the auditee are designed. The role of internal audit in promoting a sound accounting system and internal control is recognized, thus the SAI should evaluate the effectiveness of internal audit to determine the extent to which reliance can be placed upon it in the conduct of substantive tests.
Auditor should adjust his procedures accordingly
(iii) Manage residual risk to reduce it to acceptable level : Management of residual risk requires the design and execution of a risk reduction approach that is efficient and effective to bring down residual audit risk to an acceptable level.
This includes the design and execution of necessary audit procedures and substantive testing to obtain evidence in support of transactions and balances.
More resources should be allocated to areas of high audit risks, which were earlier known through the analytical procedures undertaken.
Inform management about misstatements and other important items
(iv) Inform auditee of audit results through appropriate report : The results of audit shall be communicated by the auditor to the audited entity. The auditor must immediately communicate to the auditee reportable conditions that have been observed even before completion of the audit, such as weaknesses in the internal control system, deficiencies in the design and operation of internal controls that affect the organization’s ability to record, process, summarize and report financial data.