Nakenov B.
Kazakh
Economic University named after T.Ryskulov, Kazakhstan
Risk-based Internal
Audit
Risk-oriented approach to audit has been formed within the frames of
International Auditing Standards (IAS). Auditor working in accordance with the
IAS should be reasonably assured in the fact that the financial statement being
analyzed as a whole does not contain significant misstatements. Reasonable
assurance of the auditor is based on the accumulation of audit evidence which
is necessary for the auditor in order to make conclusion that the financial
statement was prepared in compliance with the applied principles.
In this respect, there are certain limitations influencing the
opportunity of identifying significant misstatements, which in turn might hinder
the auditor to get absolute assurance. The given limitations are connected with
the following factors:
1.
application of sample test;
2.
limitations inherent in the systems of accounting and internal control (for
example, conspiracy, abuse, fraud);
3.
convincing (but not exhaustive) character of audit evidence.
In addition, audit conclusion considers professional judgment with
regards to collection of audit evidence (such as duration, nature, and scope of
the audit procedures).
Accordingly, auditor can not ensure that the financial statement does
not contain significant misstatements since it is impossible to get absolute assurance.
Auditor’s opinion can not ensure neither future survivability of the
organization nor management effectiveness in the organization.
When performing risk-based audit the auditor’s concern is to get
reasonable assurance in the fact that the financial statement does not contain
significant misstatements caused by unfair practice or inaccuracy. The given
challenge is performed in three stages:
1.
to assess the risk of significant misstatements in the financial
statements;
2.
to develop and perform the audit procedures directed to minimizing the
assessed risks of misstatements;
3.
prepare auditor’s conclusion based on the audit results.
The concept of reasonable assurance assumes existence of risk which is
associated with the unqualified audit opinion. In case the financial statement
is significantly misstated the risk of performing unqualified audit opinion is
considered as the audit risk.
IAS considers the risk of significant misstatement (RSM) as the
component part of audit risk (AR). In its turn, the risk of significant
misstatement consists of the two components:
1.
inherent risk (IR) – the risk which is natural for any type of activity
(or business process);
2.
control risk (CR) – risk of ineffective internal control system.
So the risk of significant misstatements can be described by the
following formula:
(1) RSM = IR*CR
Inherent risk and control risk are deemed to be the risks of audit subject;
i.e. they exist regardless of financial statement’s audit. Auditor should
assess the risk of significant misstatements at the assertion level as the
basis for the further audit procedures.
Another component part of the audit risk is the detection risk (DR),
which refers to the risk that the auditor would not detect misstatements on the
basis of the audit procedures. Detection risk depends on the effectiveness of
audit procedures and auditor’s professionalism. Detection risk cannot be
reduced to zero since the auditor usually does not perform detailed test.
However selection of inappropriate audit procedure or improper interpretation
of audit results increases the detection risk.
Thus, it follows that audit risk can be expressed by the below formulas:
(2) AR = IR*CR*DR
or (3) AR = RSM*DR
Audit risk components are demonstrated in the following scheme:
According to the
risk-based audit concept auditor should assess the risks of significant
misstatements and limit the detection risk in order to cut down the audit risk
exposure to acceptable level. For this purpose auditor needs to understand the
organization’s business activity, assess the risks and perform the audit
procedures with regards to the following:
1. potential misstatements,
discrepancies, lack of information in the financial statements of the company;
2. probable failure of
the management to comply with the control means and manipulations with the
financial statement;
3. effectiveness of
control means.
Detection risk exposure
can be reduced by improving the audit procedures, constantly controlling and
monitoring the quality of audit engagements’ fulfillment, developing the
auditor’s professional skills.
References:
1.
International Auditing Standards 200 / International Auditing and
Assurance Standards Board;
2.
International Standards for the Professional Practice of Internal
Auditing / Institute of Internal Audit (IIA);
3.
Regarding the last changes in auditing standards / “Audit”, No 3, 2009.