Nakenov B.

Kazakh Economic University named after T.Ryskulov, Kazakhstan

 

Risk-based Internal Audit

Risk-oriented approach to audit has been formed within the frames of International Auditing Standards (IAS). Auditor working in accordance with the IAS should be reasonably assured in the fact that the financial statement being analyzed as a whole does not contain significant misstatements. Reasonable assurance of the auditor is based on the accumulation of audit evidence which is necessary for the auditor in order to make conclusion that the financial statement was prepared in compliance with the applied principles.

In this respect, there are certain limitations influencing the opportunity of identifying significant misstatements, which in turn might hinder the auditor to get absolute assurance. The given limitations are connected with the following factors:

1.     application of sample test;

2.     limitations inherent in the systems of accounting and internal control (for example, conspiracy, abuse, fraud);

3.     convincing (but not exhaustive) character of audit evidence.

In addition, audit conclusion considers professional judgment with regards to collection of audit evidence (such as duration, nature, and scope of the audit procedures).

Accordingly, auditor can not ensure that the financial statement does not contain significant misstatements since it is impossible to get absolute assurance. Auditor’s opinion can not ensure neither future survivability of the organization nor management effectiveness in the organization.    

When performing risk-based audit the auditor’s concern is to get reasonable assurance in the fact that the financial statement does not contain significant misstatements caused by unfair practice or inaccuracy. The given challenge is performed in three stages:

1.     to assess the risk of significant misstatements in the financial statements;

2.     to develop and perform the audit procedures directed to minimizing the assessed risks of misstatements;

3.     prepare auditor’s conclusion based on the audit results. 

The concept of reasonable assurance assumes existence of risk which is associated with the unqualified audit opinion. In case the financial statement is significantly misstated the risk of performing unqualified audit opinion is considered as the audit risk.

IAS considers the risk of significant misstatement (RSM) as the component part of audit risk (AR). In its turn, the risk of significant misstatement consists of the two components:

1.     inherent risk (IR) – the risk which is natural for any type of activity (or business process);

2.     control risk (CR) – risk of ineffective internal control system.

So the risk of significant misstatements can be described by the following formula:

(1) RSM = IR*CR

Inherent risk and control risk are deemed to be the risks of audit subject; i.e. they exist regardless of financial statement’s audit. Auditor should assess the risk of significant misstatements at the assertion level as the basis for the further audit procedures.

Another component part of the audit risk is the detection risk (DR), which refers to the risk that the auditor would not detect misstatements on the basis of the audit procedures. Detection risk depends on the effectiveness of audit procedures and auditor’s professionalism. Detection risk cannot be reduced to zero since the auditor usually does not perform detailed test. However selection of inappropriate audit procedure or improper interpretation of audit results increases the detection risk.  

Thus, it follows that audit risk can be expressed by the below formulas:

(2) AR = IR*CR*DR

or (3) AR = RSM*DR

Audit risk components are demonstrated in the following scheme:

 

According to the risk-based audit concept auditor should assess the risks of significant misstatements and limit the detection risk in order to cut down the audit risk exposure to acceptable level. For this purpose auditor needs to understand the organization’s business activity, assess the risks and perform the audit procedures with regards to the following:

1.     potential misstatements, discrepancies, lack of information in the financial statements of the company;

2.     probable failure of the management to comply with the control means and manipulations with the financial statement;

3.     effectiveness of control means.

Detection risk exposure can be reduced by improving the audit procedures, constantly controlling and monitoring the quality of audit engagements’ fulfillment, developing the auditor’s professional skills.

References:

 

1.           International Auditing Standards 200 / International Auditing and Assurance Standards Board;

2.           International Standards for the Professional Practice of Internal Auditing / Institute of Internal Audit (IIA);

3.           Regarding the last changes in auditing standards / “Audit”, No 3, 2009.