Enough for curhatannya, let's move on to Risk-based Audit. I took these explanation from "Guide to Using International Standards on Auditing in the Audits of Small- and Mediumsized Entities"
The auditor’s objective in a risk-based audit is to obtain reasonable assurance that no material misstatements whether caused by fraud or errors exist in the financial statements. This involves three key steps:
• Assessing the risks of material misstatement in the financial statements;
• Designing and performing further audit procedures that respond to assessed risks and reduce the risks of material misstatements in the financial statements to an acceptably low level; and
• Issuing a suitably worded audit report based on the audit findings.
Reasonable Assurance
Reasonable assurance relates to the whole audit process. It is a high level of assurance but it is not absolute. The auditor cannot provide absolute assurance due to the inherent limitations in the work carried out, the human judgments required, and the nature of evidence examined. The following exhibit outlines some of the limitations in an audit.
Audit Risk
Audit risk contains two key elements:
• The risk that the financial statements contain a material misstatement (inherent and control risk); and
• The risk that the auditor will not detect such a misstatement (detection or engagement risk).
To reduce audit risk to an acceptably low level, the auditor has to:
• Assess the risks of material misstatement; and
• Limit detection risk. This may be achieved by performing procedures that respond to the assessed risks at the financial statement, class of transactions, account balance and assertion levels.
The Audit Process
The risk-based audit requires auditors to first understand the entity and then to identify/assess the risks of material misstatement in the financial statements. This enables auditors to identify and respond to:
• Possible account balances, classes of transactions or financial statement disclosures that may be incomplete, inaccurately stated or missing altogether from the financial statements. Examples might include:
– Understated liabilities;
– Unrecorded assets;
– Assets such as cash/inventory that may have been misappropriated; and
– Missing/incomplete disclosures.
• Areas of vulnerability where management override and manipulation of the financial statements could take place. Examples could include:
– Preparation of journal entries;
– Revenue recognition policies; and
– Management estimates.
• Other control weaknesses that if not corrected could lead to material misstatements in the financial statements.
Some of the benefits of this approach are summarized as follows:
• Time flexibility for audit work
Risk assessment procedures can often be performed earlier in the entity’s fiscal period than was possible before. Because risk assessment procedures do not involve the detailed testing of transactions and balances, they can be performed well before the year end, assuming no major operational changes are anticipated. This can help in balancing the workload of staff more evenly throughout the year. It may also provide the client with time to respond to identified (and communicated) weaknesses in internal control and other requests for assistance before the commencement of year-end audit fieldwork.
• Audit team’s effort focused on key areas By understanding where the risks of material misstatement can occur in financial statements, the auditor can direct the audit team’s effort toward high-risk areas and away from lower-risk areas.
This will also help to ensure audit staff resources are used effectively.
• Audit procedures focused on specific risks
Further audit procedures are designed to respond to assessed risks. Consequently, tests of details that only address risks in general terms may be significantly reduced or even eliminated. The required understanding of internal control enables the auditor to make informed decisions on whether to test the operating effectiveness of internal control. Tests of controls (for which some controls may only require testing every three years) will often result in much less work being
required than performing extensive tests of details.
• Communication of matters of interest to management
The improved understanding of internal control may enable the auditor to identify weaknesses in internal control (such as in the control environment and general IT controls) that were not previously recognized. Communicating these weaknesses to management on a timely basis will enable them to take appropriate action, which is to their benefit. Also, this may in turn save time in performing the audit.
• Improved audit file documentation
The ISAs place a lot of emphasis on the need to carefully document each step of the audit process. Although this may add some additional cost at first, careful documentation will ensure that an audit file can stand by itself without the need for any oral explanations of what was done, why it was done, or how the audit conclusions were reached.
