Discuss about the Risk Based Auditing for Business Accounts.
Auditing refers to the inspection of the accounts of the companies (Zu 2013). A business organization has a lot of different accounts to maintain. Thus, it is natural to make some errors while maintaining those business accounts. Here comes the part of the auditors. The main responsibility of the audit process is to officially inspect those various accounts of the organization and makes it sure that there is not any kind of errors in those accounts (Kinney 2016). There is a lot of importance of the audit process. A true annual report of an organization reflects the financial and overall position of the company. Annual reports are one of the most crucial medium to the investors by which they can judge the actual financial position of the company and they can decide whether they will invest in the company or not. Hence, it is the utmost responsibility of the auditors to make the annual reports of the company’s error free. The audit process is done by the independence body of auditors who has no connection with the organization. It is mandatory for the companies to conduct audit so that the various accounts of the business can be verified (Cao, Chychyla and Stewart 2015).
Traditional Auditing vs. Risk-Based Auditing
As per the above discussion, the main aim of the audit process is to inspect the various accounts of a business organization. However, there are different processes to conduct an audit. Traditional audit process is the process that has been adopted by a large number of auditors all over the world. There are certain criteria which have been followed by the auditors while doing an audit. The aim of the traditional audit process is to conduct tests and reviews on the various issues of the financial statements of the companies. The objective behind this process is to verify the truth and fairness of the financial statements (Wan and Li 2016). The conducted tests includes the test on the internal controls used by the companies to procure various figures in the financial statements, the tests on the amounts shown in the various accounts and the tests on the several accounting posting systems of the business. After the verification of these above aspects, the auditors issue his/her certificate stating the truthfulness of the financial statements of that company (Jones and Smith 2014). However, the risk based approach of audit, commonly known as the RBA audit approach, applies totally different measures to verify the financial position of any company (Griffiths 2012). RBA is an audit approach which deals with all the risk factors of the companies related to the financial position. RBA approach uses risks to develop the strategies for the management system of an organization. RBA audit provides the mechanism to assess various risks involve achieving the long term objectives of the organization. RBA also provides the mechanism to monitor and perform the internal audit system of the organization. It has been considered that RBA audit system has been an evolution in the audit process all over the world as RBA audit system has totally changed the way audit system thing and talk about risks (Pitt 2014).
Origin of Risk-Based Audit
RBA audit system is a unique process of auditing that focused on the management and analysis of the risk in an organization (Johnstone, Gramling and Rittenberg 2013). There is an existence of a history about the origin of the risk base audit system. There was an incident in the United Kingdom about an audit issue. In the year 1999, the Turnbull Report on the corporate governance matters demands a risk assessment statement about the shareholders of the company. This process has been considered as the main encouragement about the introduction of the risk based audit system. This incident encouraged to give emphasis on the risk involved rather than just checking the various accounts of the organization (Messier 2014). The risk based audit system includes the guidelines of the Committee of Sponsoring Organization (COSO), the guidelines of AS/NZ3 and others (López Gavira, Pérez López and Romero García 2014). After this incident, the whole audit world felt and understood the need of risk assessment at the time of the auditing process. There are some controversies around the risk assessment procedures of the RBA audit system. Some people consider RBA audit system as an ineffective tool in the audit process. However, this particular risk based audit system has become more popular all over the world.
Steps in Risk-Based Auditing
The risk based audit process is designed to increase the efficiency and effectiveness of the audit process in an organization. Thus, it is the duty of the RBA audit system to focus on the timing, nature and extent of the audit areas where there is a high possibility of occurring the material mistakes. There are certain steps involved in the RBA audit system as this is a systematic process. The auditors need to follow these particular steps to bring efficiency and effectiveness in the audit process of the organizations. The steps of the RBA audit system are discussed below:
The first step in the RBA audit system is to have the understanding about the organizations. In order to get the idea about the risks, the auditor needs to have the proper understanding about the entity organization and the environment in which the organization operates. Understanding the entity requires a lot of things which includes the understanding about the nature of the business, industry, the specific structure of the ownership of the business, environmental regulations, competitors of the company, internal structure of the company, the process of financial reporting and the process of internal control. To know all this above mentioned aspects is not any easy job for the auditors. Confusion often works among the auditors about the selection of the type of information and how much information needs to be obtained for the purpose. However, it is the responsibility of the auditors to recognize the control system that would be relevant for the audit process. In this case, the internal control is divided into five parts to assist the auditor. They are:
- The control environment
- The risk assessment process of the entity
- The information system used for the financial reporting
- The audit related control activities, and
- Monitoring the control activities
These steps should be followed by the auditors at the time of performing the RBA audit system (Ward and Peppard 2016).
The very next step after the understanding about the various aspects of the entity is the identification and the assessment of the risks involved with the organization. The auditor understands about the business environment of the entity helps to identify those relevant risks that can cause damage to the financial reporting of the company. In this area, skills and professional judgments of the auditor are needed to not only identify those risks but also evaluate how they will affect the recognition, measurement, presentation and the disclosure of the financial reports of the company. The risk assessment is done by the auditors at the planning stage of the audit program. The risks are reassessed in the case of identification of the new risks relating to the audit process. There are two type of risk in the risk classification process and they are the normal risks and the greater than normal risks. Normal risks are the kind of risks that has a probability occurring. On the other hand, greater than normal risks are the risks which have less probability of occurring. The determination of the nature, time and extend of the various audit procedures depends on the process of risk assessment. As per the general rule of the RBA audit system, more persuasive evidences are required to reduce the level of the risks in case of the greater than normal risks. Hence, one simply cannot ignore the importance of risk assessment. In this case, it has to be noted that risk assessment of an organization demands a greater level of skill and expertise of the auditors as it is a complicated process (Sawyer and Bright 2014).
The next step in RBA audit system to respond to the risks identified. The auditor needs to have proper evidence about the assessment risk regarding materiality and other financial issues so that he/she can start the audit campaign. There are some factors that are considered by the experienced auditors at the time of the development risk response design. They are as follows:
- The financial report may have the overall effects of the identified risks.
- The effects of the identified risks at the level of assertion.
- The expected result of the tests whether they can meet the objectives of the tests
There are various aspects as well of the audit report. They are:
- The setting up of the test objectives
- It has to be identified whether there is any need for the use of the experts or specialists
- The identification of the time of the assessment of risk
- It needs to be determined that whether there is any need for the use of the precious audit reports
- The controls that need test needs to be identified
- Determination of the testing areas where normal risk will be applicable and the areas where above normal risk will be applicable
- The extent of reliance on the test results needs to be determined
- It needs to be specified that whether there is any need for the further audit process or not
In the case of the normal risk assessment, there is a need for the control testing when the substantive testing fails to provide enough audit evidence to carry on the audit process. On the other hand, in case of above normal risks or high risks, the auditor must include the substantive audit testing to get enough audit evidence to carry on the audit process (Leung 2016).
The last step in the risk based audit process is the drawing of the conclusion about the respective auditors. After the performance of the audit process by the auditors to address the assessed risks, the obtained evidence needs to be evaluated by the auditor to determine whether the initial risk assessment is appropriate or there is any need for a further risk assessment. The auditor needs to be assured that there is no material mistakes are there in the financial statements of the business organization and to prove this, there has to be sufficient evidence. Further audit needs to be performed in case of the absence of concrete audit evidence. The auditor will be able make a conclusion on the overall risk assessment of the financial reports of the company with the help of sufficient and appropriate audit evidences (Epstein and Ramamoorti 2016).
From the above overall discussion, it can be said that the importance of risk based audit approach is more than that of the traditional audit approach. The traditional audit approach sometimes omits the risk factor involved with the financial report of any organization. The foundation of the entire audit program can be provided by the rightly timed and performance of the risk assessment by the experienced auditors. The differences between the traditional audit and risk based audit are given below:
Traditional Audit Approach
Risk-Based Audit Approach
Risk assessment happens periodically
Risk assessment is a continuous process
Internal audit and accounting is responsible for the identification of risk and the management of control
All members of the organization are responsible for the identification of the risks involved
After the inspection and detection of the risks, it takes action against them
Anticipation and prevention of the business risks and continuous monitoring of the risks are the main functions of this audit process.
The primary source of the business risks are the inefficient people
The primary source of the business risks are the inefficient processes and operations
Financial risk avoidance is the function of the control process
To avoid the unacceptable risks is the function of the control process (Buckley et al. 2013)
The above table clearly shows that risk based audit is much more effective than the traditional audit process. The most crucial advantage of risk based audit is that it provides a continuous surveillance on the financial risk factor in an organization which includes in the financial statements. This is the reason most of the companies and auditors are adapting the risk based audit approach as the audit process (Collings 2013).
Buckley, J.P., Furze, G., Doherty, P., Speck, L., Connolly, S., Hinton, S. and Jones, J.L., 2013. BACPR scientific statement: British standards and core components for cardiovascular disease prevention and rehabilitation. Heart, pp.heartjnl-2012.
Cao, M., Chychyla, R. and Stewart, T., 2015. Big Data analytics in financial statement audits. Accounting Horizons, 29(2), pp.423-429.
Collings, S., 2013. Frequently Asked Questions in IFRS. John Wiley & Sons.
Epstein, B.J. and Ramamoorti, S., 2016. Today's Fraud Risk Models Lack Personality. The CPA Journal, 86(3), p.14.
Griffiths, M.P., 2012. Risk-based auditing. Gower Publishing, Ltd..
Johnstone, K., Gramling, A. and Rittenberg, L.E., 2013. Auditing: A Risk-Based Approach to Conducting a Quality Audit. Cengage Learning.
Jones, M. and Smith, M., 2014. Traditional and alternative methods of measuring the understandability of accounting narratives. Accounting, Auditing & Accountability Journal, 27(1), pp.183-208.
Kinney, W.R., 2016. GAAS 1963-2012: The Global Foundations of Independent Audits and Research in Auditing. In OSU Accounting Research Conference.
Leung, D., 2016. Inside Accounting: The Sociology of Financial Reporting and Auditing. Routledge.
López Gavira, R., Pérez López, J.Á. and Romero García, J.E., 2014. Positions on Regulations Affecting Auditing and Nonauditing Activities. Journal of CENTRUM Cathedra: The Business and Economics Research Journal, 7(1), pp.75-90.
Messier, W.F., 2014. An approach to learning risk-based auditing. Journal of Accounting Education, 32(3), pp.276-287.
Pitt, S.A., 2014. International standards for the professional practice of internal auditing.
Sawyer, A. and Bright, K., 2014. The Access Manual: Designing, Auditing and Managing Inclusive Built Environments. John Wiley & Sons.
Wan, J.G. and Li, T.L., 2016, January. An applicable approach for performance auditing in ERP. In MATEC Web of Conferences (Vol. 44). EDP Sciences.
Ward, J. and Peppard, J., 2016. The Strategic Management of Information Systems: Building a Digital Strategy. John Wiley & Sons.
Zu, L., 2013. Social Auditing. In Encyclopedia of Corporate Social Responsibility (pp. 2179-2188). Springer Berlin Heidelberg.