Audit risk is the ‘risk that the auditor expresses an inappropriate audit opinion when the procurement records are materially misstated’. Risks affecting the procurement system should be taken into account at the time of planning of the audit and may be considered as elements of inherited risk, risk of controls and detection risk. Each of these elements directly influences the scope of general audit risk, which may be defined as the risk that information on procurement might contain material errors that might remain unnoticed during the audit.
Audit risk = Inherent risk * Control risk * Detection risk
Types of Procurement Audit Risks
The following are the types of procurement audit risks
a) Inherent risk is the risk that resources controlled by the procurement system are compromised as a result of misappropriation of material values, destruction, disclosure, unauthorized changes, etc., subject to the availability of appropriate internal controls. Inherent risk could increase as a result of:
• An adverse attitude of managers to internal control matters;
• The type of business carried out;
• The environment within which the entity carries out its business;
• Where there is a high degree of estimation or judgement associated with the transaction;
• The entity is involved in very complex transactions;
• The assets involved are especially susceptible to loss or theft.
• An assessment of inherent risk can be made by the auditor carrying out a review of these factors
b) Control risk is the risk that an error which might occur in the audit and which might be material alone or in combination with other errors will not be timely prevented or detected and corrected by the internal control system. To assess control risk auditors should:
• Investigate and document internal control systems;
• Confirm their understanding of the systems by performing walk through tests. These are performed to ensure that the auditor’s understanding of the client’s accounting system is correct;
• Make an initial assessment of control risk based upon their understanding;
• Perform tests of controls to confirm their assessment;
• Reassess the level of control risk if controls are found to be ineffective.
c) Detection risk is the risk that the auditor’s procedures will not detect a misstatement that exists in an assertion that could be material either individually or when aggregated with other misstatements. Detection risk is a function of the effectiveness of an audit procedure and of its application by the auditor. It is primarily the consequence of the fact that the auditor does not, and cannot, examine all available evidence (sampling risk).
d) Non sampling risk is audit risk not due to sampling. An auditor may apply a procedure to all transactions or balances and fail to detect a material misstatement. Non sampling risk includes he possibility of selecting audit procedures that are not appropriate to achieve a specific objective.
Factors affecting non-sampling risk are
• Auditor’s experience
• Time pressure
• Financial constraints
• Poor planning
• New client
• Industry knowledge
In order to mitigate the overall risk, key policies, procedures, practices and organizational structures in the area of public procurement should be clearly determined in the entity. The level of internal control determines the overall risk level in the entity, since only the availability of an adequate internal control system would minimize the risk of errors and abuse. If the internal control system is weak and operates ineffectively, the number and scale of audit procedures virtually increase and testing is implemented in more detail.
Risk Based Audit Approach
Risk based audit approach is whereby the auditor identifies risks that could result in material misstatements in the procurement records of the client. It involves the analysis of overall audit risk into inherent risk, control risk and detection risk. The auditor formulates appropriate audit procedures that aim to address the identified risks. The auditor investigates the categories of audit risk so that more time is spent on risky areas and less on less risky areas.
Advantages of the Risk based audit approach
• It provides a framework for the conduct of the audit, it focuses auditor’s
attention on risk;
• The approach allows the development of effective and efficient audit programs and it develops an enquiring attitude of mind;
• The approach links into the concept of materiality, and the techniques of statistical sampling;
• The approach is helpful in identifying the areas where most work should be performed. It allows the auditor to spend more time in the areas of highest risk and less time in low risk areas, thus reducing the overall time for the audit or reducing overall audit risk. It avoids excessive time being spent on low risk areas. For instance, in many businesses petty cash expenditure is small. Although the risk of errors and fraud in petty cash is relatively high, it is most unlikely that they will be material so audit work in this areas can be limited;
• By examining each significant item in the profit and loss account and the balance sheet the auditor is able to evaluate the level of inherent and control risk and consequently the amount of substantive testing required. This will ensure that only the required level of testing will be carried out.
• The audit is more effective because the auditor concentrates on key areas only;
• The approach enables the auditor to provide management with valuable feed back on the overall effectiveness of the design and operation of controls in managing the risks identified.
Disadvantages of Risk based approach
• One major limitation of this approach is that frequently it is impossible to estimate the values of inherent risk, and to a lesser extent, control risk with any degree of certainty. If these elements cannot be determined accurately, then one cannot accurately determine the value of detection risk, which is required to achieve the overall level of audit risk;
• A further problem is that the auditor may assume that his assessment of control risk may apply to the whole system e.g. a sales system. However,there may be little or no controls over some parts of accounting system, so the control risk for these aspects of the system could be as high as 100%. For example in the valuation of the year -end stock and determining the doubtful debt provision, which may be carried out by one person. If there is no internal check over such items, it will mean that the control risk is high and so the auditor should perform more checks to reduce the level of detection risk and hence achieve the required level of audit risk;
• For the model to be useful the populations (i.e., numbers of items) involved need to be sufficiently large to allow for valid statistical conclusions to be drawn. This rules out the use of the model in many smaller audits;
• As is always the case with such models, there is a danger of adapting an overly mechanistic approach and that the auditor will lose his ‘feel’ for the assignment.
It can be seen that the audit risk approach is helpful in achieving an efficient and low risk audit. However, it is difficult to quantify accurately each of the risk elements.