Show We usually perform an audit risk assessment after obtaining an understanding of the client’s business and control environment. In this case, we usually try to identify the risks while gaining an understanding of the client’s business and control environment. Then, we assess how those risks could impact financial statements and make a proper response to such risks by designing suitable audit procedures. Risk assessment is performed in the risk-based approach of auditing, in which we focus our audit process on those high-risk areas. Audit Risk Assessment ProceduresAudit risk assessment procedures usually contain two steps process, including identifying and responding to risks of material misstatement. Identify Risk of Material MisstatementOur objective here is to identify the risk of material misstatement that can occur on the financial statements. In this case, we need to identify both inherent and control risks and properly assess their levels (high, moderate, or low). The procedures of audit risk assessment in this step may include:
Respond to Risk of Material MisstatementAfter identifying and assessing the level of risk of material misstatement, we need to properly respond to such risk based on their severity. In this case, we usually perform the following procedures:
It is useful to note that risk assessment procedures by themselves do not provide us sufficient appropriate audit evidence to form a basis of an opinion. Hence, we need to perform the next stage of the audit that may include the test of controls, substantive analytical procedures and tests of details. This is so that we can obtain sufficient appropriate audit evidence on which to base our audit opinion.
Risk assessment is the identification and analysis of relevant risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed. During the risk assessment process, Internal Auditing identifies and assesses both the likelihood and potential impact of various risks to the organization. Internal controls are then identified and evaluated to determine how adequate they are in reducing risk to ensure that residual risk is at manageable levels. Residual risk is the risk that something will occur after controls or procedures are implemented to prevent it. In addition to audits required by state regulations, those activities or functions with higher levels of residual risk are typically selected for audits. Developing the Audit Plan:The WIU Office of Internal Auditing develops the annual audit plan using a risk-based approach. The annual risk assessment process occurs in late spring or early summer to facilitate the development of a two-year audit plan. Internal Auditing conducts the risk assessment process through discussions with management; review and analysis of budgets and proposed programs; and a systematic evaluation of risk factors covering the functional and organizational units of the University. Based upon the results of the risk analysis, a proposed audit plan is presented to the Senior Executive Cabinet for their review and approval. Upon consensus by the Cabinet, the audit plan is submitted to the University President for approval. Next, the audit plan is presented to the University Board of Trustees Audit Committee for their review and approval. The two-year plan is updated annually and may be modified as unplanned issues of potential risk are identified throughout the year. The plan is required to be completed before June 30th of each year for the next two fiscal year periods.
Let us consider each of these four stages in more detail. 1. Risk assessment procedures Making inquiries of management and others within the entity Analytical procedures Observation and inspection ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion. 2. Understanding an entity 3. Identification and assessment of significant risks and the risks of material misstatement
|