
AUDIT RISKS

Abdus Samad

Audit Risks
Audit risk can be defined as the risk that the information/financial report (or the area under review) may contain material error or that the auditor may not detect an error that has occurred

Types of Risk

- Inherent risk
- Control risk
- Detection risk

Inherent Risk
A risk that an error exists which could be material or significant when combined with other errors, assuming that there are no related compensating controls

For example, cash is more likely to be stolen than an inventory of coal

Control Risk

The risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls

Detection Risk

The risk that an auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do

Business knowledge
Why business knowledge?
- Start point of any understanding phase
- Phase out most assumptions
- Even in business knowledge, you should almost always try to see the bird's-eye view and not just the niche
- This is especially helpful where business processes are changing
- Can you think of a most common example where business processes change?

Risk Assessment and Analysis

Risk Analysis

The basic risk analysis steps include:

- Identify Assets/Underlying Business Processes
- Identify Threats
- Conduct Threat Analysis
- Estimation of frequency of threat
- Determination of the Loss

Identify Assets
- Information or data
- High Value Assets, e.g. Cash etc.
- Documents
- Services
- Personnel
- Reputation
- And above all the business processes that they are safeguarded by

Identify Threats
- Errors
- Malicious damages / actions
- Fraud
- Theft
- Service outage

The list may be unique for each asset or process

Controls
- It is beneficial to understand the concepts of controls before we drill further into Risk assessment and Risk Management
- So what are control(s)? An action that circumvents a risk and/or its impacts
- Are they always counterpart of Risks in same area?
- Let's look at the possible counterpart of risks before we proceed further

CONTROLS

- Preventive
- Detective
- Corrective
- Compensating

Preventive Controls
Any control that keeps a risk from occurring is a preventive control

These are the best kinds of controls to put in place

Locking the door is a preventive control because it keeps the door from being opened


Detective Controls
Detective controls are controls put in place to detect or indicate that an error or an unwanted event has occurred

An alarm on the door is a detective control because it tells you when the door has been opened but does not prevent someone from coming through the door

Reports and audit logs of activities are common examples of detective controls


Corrective Controls
Corrective controls are those controls that enable a risk impact or deficiency to be corrected

A corrective control may be dependent upon a detective control to initially identify the error

Contingency procedures are the best examples

Compensating Controls

One weak control may be compensated by presence of another control on the process. Thus the additional control is said to be acting as a compensating control


Risk management and assessment


- What we observed before the controls slides was risk assessment
- Is risk management any different?
- Who is risk assessment for?
- Who is risk management for?

Risk management
The core of what you did in the last slide was risk management


Risk assessment vs. management


- An auditor may perform the risk assessment related to his/her audit work
- Managing the risk is the responsibility of the management, not the auditor
- Auditor may audit the risk management process to see if it is effective

Elimination of risks
- To what extent should we curtail the risks?
- Shouldn't we try to eliminate them?
- This will make life simple
- In fact, too simple
- 0 risk means 0 what?

Audit risk (Recall)


Audit risk can be defined as the risk that the information/financial report (or the area under review) may contain material error or that the auditor may not detect an error that has occurred


Factors contributing to audit risks


- Skill set of auditor
- Inadequate test procedure
- Wrong risk assessment
- Wrong understanding of controls
- We have still not discussed the most important one
- No or less understanding of business area
- Need more factors?
- Relate this to the changing role of IA that we discussed in the morning
- Will audit risks increase or decrease in future?

Internal Auditor Profile


- This is where we discuss the gear needed to meet the challenging role
- Accounting is and has been the most widely accepted discipline for audit jobs, but today it is not just accounts that are to be audited
- We need more:
  - Management
  - Business analyst skills
  - Special area education like environmental sciences
  - Special certification helps, e.g. CIA, CISA
- Equip the auditor with modern tools, e.g. CAATs

Risk management Cycle

[Diagram: a cycle of three phases]
- Risk Mitigation and Monitoring
- Risk Analysis & Assessment
- Planning and Implementation related to risk

Auditing Risk Management


- Internal Auditors who adopt the risk based approach are ideal persons to perform this audit
- Why? They are already involved in first and second phase of the cycle
- Let's look at the cycle again

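Conventional Risk management Cycle

[Diagram: the same cycle, annotated with who acts in each phase; labels as extracted]
- Risk Mitigation and Monitoring
- Risk Analysis & Assessment
- Planning and Implementation related to risk: IA-Recommends, M-Performs
- Other labels in the diagram: IA-Performs, M-Performs; M-Performs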

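Auditing Risk management Cycle

[Diagram: the same cycle, annotated for the audit of risk management; labels as extracted]
- Risk Mitigation and Monitoring
- Risk Analysis & Assessment
- Planning and Implementation related to risk: IA-Recommends, M-Performs
- Other labels in the diagram: IA-Performs+Assess, M-Performs; M-Performs; IA-Assess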

Controls test vs. substantive test


- Now that we understood the concepts of risks and controls, we should be able to answer a simple question
- Suppose, during audit, we discover an area where controls are weak
- Do we need to perform substantive test (in-depth analysis of data/transactions etc.) of this area?
- Let's discuss this
