Risk based audit approach is whereby the auditor identifies risks that could result in material misstatements in the financial statements of the client. It involves the analysis of overall audit risk into inherent risk, control risk and detection risk. The auditor formulates appropriate audit procedures that aim to address the identified risks. The auditor investigates the categories of audit risk so that more time is spent on risky areas and less on less risky areas.
Advantages of the approach
It provides a framework for the conduct of the audit, it focuses auditor‘s attention on risk;
The approach allows the development of effective and efficient audit programs and it develops an enquiring attitude of mind;
The approach links into the concept of materiality, and the techniques of statistical sampling;
The approach is helpful in identifying the areas where most work should be performed. It allows the auditor to spend more time in the areas of highest risk and less time in low risk areas, thus reducing the overall time for the audit or reducing overall audit risk. It
avoids excessive time being spent on low risk areas. For instance, in many businesses petty cash expenditure is small. Although the risk of errors and fraud in petty cash is relatively high, it is most unlikely that they will be material so audit work in this areas can be limited;
By examining each significant item in the profit and loss account and the balance sheet the auditor is able to evaluate the level of inherent and control risk and consequently the amount of substantive testing required. This will ensure that only the required level of testing will be carried out.
The audit is more effective because the auditor concentrates on key areas only;
The approach enables the auditor to provide management with valuable feed back on the overall effectiveness of the design and operation of controls in managing the risks identified.
One major limitation of this approach is that frequently it is impossible to estimate the values of inherent risk, and to a lesser extent, control risk with any degree of certainty. If these elements cannot be determined accurately, then one cannot accurately determine the value of detection risk, which is required to achieve the overall level of audit risk;
A further problem is that the auditor may assume that his assessment of control risk may apply to the whole system e.g. a sales system. However, there may be little or no controls over some parts of accounting system, so the control risk for these aspects of the system could be as high as 100%. For example in the valuation of the year -end stock and determining the doubtful debt provision, which may be carried out by one person. If there is no internal check over such items, it will mean that the control risk is high and so the auditor should perform more checks to reduce the level of detection risk and hence achieve the required level of audit risk;
For the model to be useful the populations (i.e., numbers of items) involved need to be sufficiently large to allow for valid statistical conclusions to be drawn. This rules out the use of the model in many smaller audits;
As is always the case with such models, there is a danger of adapting an overly mechanistic approach and that the auditor will lose his ‗feel‘ for the assignment.
From the discussion above, it can be seen that the audit risk approach is helpful in achieving an efficient and low risk audit. However, it is difficult to quantify accurately each of the risk elements.