Risk Assessment involves:
- Understanding the account balance or entity.
- Deciding what could go wrong.
- Designing the controls and substantive procedures to address those risks.
How is Risk Assessment performed?
Before diving deep into this concept, let's focus on understanding the risk assessment definition.
Risk assessment is an iterative process that occurs throughout the audit period. So, this process is dynamic. It’s an ongoing process during the period under audit. Based on audit findings, risk assessment procedures are revised and revisited.
For instance, suppose the auditor believes the risk is lower for accounts payable based on the facts and their analysis. However, the audit team finds long-outstanding balances in this account during the audit. This results in the auditor either moving the risk from lower to higher, or keeping the risk at the same level while altering the extent of the substantive procedures performed.
Therefore, performing a risk assessment is not confined to the planning stage. It's a continuing process throughout the audit. So, the audit team shall revisit the earlier steps performed while assessing the risk.
Risk assessment Checklist/Factors
1) Performing Analytical Procedures:
Each account balance is analyzed by performing analytical procedures.
These procedures are done by comparing:
- Current year’s quarterly balances with the previous year’s quarterly balances.
- Half-yearly balances with the respective previous year’s half-yearly balance.
- Previous year-end balances with the current year interim balances.
This comparison is to understand why there is a change in the account balances on both the balance sheet and income statement.
Note: The comparison periods listed above are not exclusive. Comparatives can be customized and performed for various periods to gain more knowledge and understanding of variances.
How about an example here?
Let’s understand this with an example:
Assume the audit period is from 01/01/20XX to 12/31/20XX, and risk assessment is performed for the debt account balance. The details of the analytical procedures performed are as follows:
- 03/31/20XX vs. 03/31/20XY (Q1 Quarterly balances analysis)
- 06/30/20XX vs. 06/30/20XY (Half-yearly balance analysis)
- 12/31/20XX (Previous year) Year-end balance vs. 06/30/20XY
Based on the above analysis, the audit team will inquire with the management to understand the reasons for the increase or decrease in the account balance.
Suppose the debt balance increased. The responses to the inquiries might cover new borrowings, the nature of those borrowings, and the tenure of the debt.
Alternatively, if the balance decreases, repayments are the reason.
Further, the inquiries are corroborated by obtaining support such as a debt agreement (for new borrowings) and notice of repayment from banks (for repayments done). The auditor shall not believe the response unless accompanied by the relevant support. So, the auditor shall follow professional skepticism throughout the audit.
The auditor needs to support their work through audit documentation that contains the reasons for adopting a particular approach in testing, for choosing a specific risk, and the rationale behind each and every aspect.
2) Understanding the entity and its environment:
The following aspects are to be understood to get a clear picture of the entity and its environment.
- Nature of Entity
- Industry in which the entity operates
- Environment and legal factors
- Entity's accounting policies
- Internal Controls
For example, suppose the entity has an accounting policy that deviates from the generally accepted accounting pronouncements. In that case, the auditor shall consider its implications and determine the risk level.
For example, if the entity is in the business of trading shares, then the auditor shall consider the volatility of the business and decide upon the risk (which might be higher risk in most cases).
3) History of Errors:
Errors are the mistakes found as part of an audit performed. These could be from the previous year's or the current year's audit. For example, if an expenditure relating to the prior year is not recorded in the books of accounts, it constitutes an error irrespective of the amount.
Amount plays a crucial role in considering whether it’s a significant error.
The auditor shall give due weight to any errors identified regarding the account balance as part of the audit findings. If the account balance had no errors in the previous year, the auditor tends to assess the risk as lower.
If any errors are identified, then the auditor shall understand the nature of the error and its quantitative significance, and check if it impacts any other financial transaction or the financial statements as a whole.
Also, we shall see if this error, individually or in aggregate with other errors, affects the user's decision on financial statements. This is because the audit is performed so that the investors and other stakeholders:
- Can rely on the financial statements and
- Make decisions of either investing or divesting in the capital based on the financials
4) How to use Knowledge obtained from the previous year for risk assessment?
Previous year audit experience helps the auditor in the following matters:
- Understanding the significant changes in the operations of the entity from the previous year.
- Seeing whether the misstatements and deficiencies identified are corrected by management on time.
The auditor shall consider the previous year's information and whether it impacts the current year's risk assessment.
The knowledge from the previous year alone isn't sufficient in determining the risk assessment. Because of the entity's complexity and rapidly changing business, the risk assessment shall be performed in detail.
For example, suppose the audit team notes that, historically, management has never corrected the misstatements identified. Further, no valid reasons are explained. This might result in the auditor considering that balance as not a lower risk area. The audit team might perform extensive substantive procedures to mitigate the risks.
Increasing the extent of testing results in the auditor verifying a greater number of transactions (or samples). It gives the auditor more persuasive audit evidence.
5) Audit team
The audit team with appropriate knowledge, qualifications, and experience will be involved in this process. To obtain the required outputs, appropriate inputs shall be used. So, experienced personnel shall be engaged in this process. Experienced personnel can guide and train the new audit personnel. This is because new team members might not know how to perform all these procedures.
6) Professional Judgement
The auditor shall apply their knowledge and experience to the current audit engagement and implement the appropriate audit procedures.
Another noteworthy point from the above risk assessment definition is that risk assessment is not a one-time job. It's done throughout the audit period.
7) Inherent Risk associated with each account balance
The word inherent means existing in something as one of its characteristics. It's the risk that is inherent within the account balance. The classic example here is a Cash account. Cash is always susceptible to theft and misappropriation.
For instance, the inherent risk in respect of accounts payable is that fake vendors can be created by employees and funds are routed to them.
8) Consider if the balances comprise foreign currency amounts
If the balances consist of foreign currency, then it’s likely to have risks relating to translation.
Translation risk means:
- Risk of employing an incorrect exchange rate.
- Risk of using an exchange rate that is not from standard/authorized sources.
The higher the value of transactions in foreign currency, the greater will be the translation risk.
9) Existence of transactions where related parties are involved
A transaction involving related parties has a higher chance of not occurring at an arm’s length price. Here, arm’s length price is the amount at which a transaction occurs in the normal course of business between unrelated parties.
For example, assume a company purchases land to construct an office building. The price of buying the land from unrelated parties, or the market price, is Rs. 2 Crores. If the land is instead purchased from the company's CEO, then the transaction price might not be at market price. There is always the risk of transactions not happening at an arm's length price.
Generally, related parties consist of directors, employees at top management (CEO or CFO), holding companies, subsidiary companies, sister companies or affiliate companies.
The auditor shall obtain the related party listing from the entity. Additionally, the following are the best sources to find out the related parties:
- Previous year annual reports.
- Board Minutes or any other committee meeting minutes.
- Organization structure. This details the subsidiary, holding and affiliate entities.
- Employee listing. The audit team shall also obtain the listing periodically (in the Planning stage, Interim and Final).
The auditor shall specifically design audit procedures to address the risk relating to these related parties. These would include comparing the contract price of related party transactions with other company creditors and understanding why the transaction occurred with a related party instead of outside parties.
10) Understanding context of Materiality for performing risk assessment procedures
Materiality is a number determined by an auditor based on benchmarks. This is the only factor considered for assessing the quantitative significance of an account balance. In other words, the auditor compares an account balance with materiality to determine if it's significant enough to perform a risk assessment.
For example, suppose the Wages General Ledger year-end balance is $1 Million and materiality is $10 Million. In that case, the auditor might not perform any risk assessment for the wages account balance. That’s because it’s an immaterial balance. In other words, even if there are any misstatements or errors in that balance, that will not concern the auditor or his opinion on the financial statements.
The above factors give a sense of the considerations that need to be evaluated when assessing risk. These factors are not exclusive. They are very general and need customization for each account balance or disclosure. For example, consider the risk assessment of first-year leases. As an auditor, we need to check if the discount rate used for calculating the present value of the lease liability is appropriate by performing sensitivity analysis. This sensitivity analysis might not be applicable to other GL accounts. Thus, the above factors serve as a good starting point for performing risk assessment.
The Audit Risk Assessment process is a critical step in ensuring the effectiveness of audit engagements. We need to focus on the risk assessment definition. That’s basically assessing the risk of something going wrong when performing an audit.
This process involves identifying and evaluating the risks that could impact an organization’s financial statements, and then determining the appropriate audit procedures. To assess the risks, auditors must gather information about the client’s business operations, accounting policies, and internal control systems. The information gathered enables auditors to determine the extent and nature of the audit procedures required to minimize the risk of material misstatement in the financial statements.
The Audit Risk Assessment process is essential in ensuring that the audit engagement is conducted with the necessary level of rigor to provide assurance to stakeholders on the accuracy and reliability of financial statements.