Conducting a risk-based internal audit is not easy, A risk-based audit approach begins with a risk universe as the foundation for the audit plan. In a risk-based audit, the department aims to address management’s most critical risks.
There have been debates about the applicability and practicability nature, with most audit practitioners and risk professionals clashing on the key risks and the risks descriptions.
Audit professionals blame risk professionals for having generic risks and not having specific risk descriptions.
Risk management is about getting an organization’s key risks in a general manner, and auditors need to test controls in a specific manner; maybe that is the context of blame.
All of the audits on the plan are designed to address those risks and provide insights back to senior management.
This can be done with the right knowledge and preparation, considering the distinction between audit and risk management. It’s about finding the best practices for conducting a risk-based internal audit.
There are many different steps that must be taken to go about doing this properly, which we will explore in more detail below. How do you start?
Organizations should devise a plan of action or what they want to accomplish during the audit, get their work team together, get their equipment ready, and make sure everyone knows their part in the process.
Once you’ve got all these things squared away, it’s time to begin!
Internal Control Evaluation in Risk-Based Audit
The older auditing standards permitted auditors, at their option, to categorize the client’s internal control as a high risk, allowing them to substantially decrease the amount of effort needed to comprehend and document internal controls.
The auditing standards now in place limit the extent to which internal controls can be considered low risk. The definition of internal controls according to US GAAS includes the company’s operating policies and procedures and its accounting system.
Auditors perform sufficient tests on an entity’s internal control over the financial reports to support a reduced level of audit evidence for low-risk conditions.
Auditors can perform less extensive procedures if there are low risks that the financial statements are materially misstated because of a lack of proper internal controls.
The auditor cannot “default to the maximum” control risk in the risk assessment criteria. The internal control design and implementation should be evaluated during all audits to identify and assess risk correctly.
Many businesses have trouble integrating their internal control efforts into the actual activities and other deal elements, finding enough benefit to justify the additional audit expenditures .
It might also result from compliance with this standard and determining how to measure the effectiveness of internal control design in practice.
Follow the COSO guidelines in risk-based approach audit
The key to success is the auditor’s superior knowledge of the COSO integrated control framework. Because internal control is linked to the financial statements in COSO, it addresses the problems that businesses and their employees confront worldwide.
The COSO framework defines internal controls as being three things: A process that provides reasonable assurance that the following objectives are being achieved
- Effectiveness and efficiency of operations.
- Reliability of financial reporting; and
- Compliance with applicable laws and regulations.
The accountant begins with the company’s financial statements. The auditor then moves through a series of more detailed examinations until he or she evaluates those control activities individually.
The evaluation involves a test, such as reviewing supporting documentation, performing analytical procedures, and assessing the control.
A good auditor knows that his or her most important function is proving these controls are effective.
To be successful, the auditor must learn COSO’s systematic process for evaluating internal controls and then apply it to each business and industry. COSO recognizes the need for this discipline and provides tools in its framework to comply with auditing requirements and standards worldwide, such as:
- The internal control questionnaire.
- The flowcharting process.
- Defining internal controls using control families.
- Understanding how individual control activities add up to company-wide controls;
Understanding the COSO methodology
The auditing process begins with the “top” of the chart and works “down.” The first step is to identify the material accounts and significant classes of transactions and the relevant assertions connected to them.
The flip side of the assertion is the risk of material misrepresentation or “what can go wrong?” This includes concerns such as incorrect database and/or system information.
One example of a risk associated with an accuracy assertion is that one or more genuine transactions are not recorded in the system. The auditor may interpret control objectives like.”
The auditor next searches for controls that meet the defined control objective. As a result, there is an unbroken connection between the financial statements and internal controls.
It also allows the auditing expert to perceive how one control action may impact a quantity shown in the financial reports. In this example, the control objective is that transactions are recorded as they occur. If a transaction is not recorded, it cannot impact financial reports.
Controls can be classified as being either general controls or application controls. General controls exist independent of application systems and typically include physical security of assets and personnel policies.
Application controls function within specific software programs to ensure transactions are posted as they occur. The auditor needs general controls to confirm that application controls can operate effectively and efficiently.
The last step of the top-down methodology is determining whether the control environment within which these controls reside is effective and efficient.
Take a top-down approach to define the scope of your internal control efforts.
Because top-down COSO audit methods allow the auditor to scope the internal control test work properly, they are highly efficient. The COSO Internal Control-Integrated Framework has five components that are related to each other.
The first four are the components of internal control that have been defined for many years.
The top-down method instead encourages the auditor to progressively eliminate immaterial accounts and transactions, non-pertinent assertions, and overly redundant controls from consideration.
These steps allow the auditor to complete a preliminary assessment of inherent risk and account for the most material accounts and transactions with the least effort.
The end result is a tightly focused group of controls for the auditor to comprehend, evaluate, and document, allowing the audit to be as productive as possible.
This approach is most effective when the auditor utilizes a systematic inquiry to ask probing questions about each account and transaction.
In addition, the top-down method emphasizes performing analytical procedures as a primary technique for evaluating internal control effectiveness.
Because of this, the auditor needs a strong understanding of how to use analytical procedures properly to understand important relationships.
Concentrating on internal control aims to determine the effectiveness of control design.
Before the risk assessment standards, there was no requirement for auditors to evaluate the design of their client’s internal controls, leaving most auditors with only a grasp of how the control worked rather than assessing whether it was properly designed.
Some auditors have found evaluating control design difficult under the new risk assessment standards’ call for assessing control design.
A COSO review of internal control design may be beneficial in several ways. Firms that have strictly implemented the COSO procedure have been able to conduct a comprehensive evaluation of internal control design, resulting in improved audit quality.
The COSO framework mandates that the auditor define control objectives, followed by the execution of control activities to verify these goals.
A properly designed control system satisfies the stated control objectives. An ineffective system fails to satisfy any of the required controls.
Identifying these flaws enables the auditor to effectively assess risks and develop the appropriate sequence of further audit procedures.
Determine the Type and Extent of tests
Most auditors recognized that the risk assessment criteria would necessitate more audit procedures than in the past, and they were prepared to invest significantly higher costs during the first year of implementation.
The expectation was that expenses would go down over time as a result of auditors leveraging their experience with clients acquired in prior audits. In reality, realizing these savings.
Recognize and assess changes
For years, auditors have struggled against a SALY mentality, the inclination to subconsciously believe that everything on the audit is “Same As Last Year,” which almost always results in lower audit quality.
The risk assessment standards allow audit firms to eliminate a SALY mindset by refocusing the problem. Instead of considering how to “update” last:
- Since our last audit, has anything significant occurred at the entity or its operating environment?
- As a result of these modifications, what has happened to the client’s inherent risks since our previous audit?
- Were any modifications to internal control required to address these changes in inherent risk?
After the auditor has addressed these concerns, he or she will be able to assess the nature and amount of any further risk assessment procedures. A full set of tests is necessary when the following conditions are met.
The auditor concludes that there have been significant changes since the period covered by his or her last audit, which will likely have a material effect on at least one balance sheet account.
The nature of these changes is not adequately addressed in an existing audit program.
Understanding and evaluating change
Begin by considering the nature of the changes to the entity and its environment since the previous audit. It is key to ask whether those changes have resulted in changes to inherent risks. For example, the COVID-19 pandemic recession may create inherent risks for organizations not present before the pandemic.
If the overall risks have not changed, the auditor must confirm that controls have been implemented properly to ensure they are still effective.
If the entity’s or its environment’s inherent risks change, the auditor must inquire whether modifications to internal controls were required to address these new perils.
For example, a recession may generate hazards relating to asset value that was not previously significant. The client did not conduct any substantial analysis of asset impairment in the past.
However, in the current, more austere times, management may have enhanced its asset impairment testing. Consequently, the auditor needs to be aware of relevant changes that could have been introduced into internal controls and evaluate whether they are appropriate and effective in mitigating potential risks.
If the overall risks or their severity change (e.g., as a result of new technology), the auditor needs to understand the controls and how they function in order to assess whether or not they will address these new risks.
Continuous Implementation of Internal Audit
It was tough for even the most well-resourced audit businesses to implement the standards fully, according to one source.
Most firms continue to develop their auditing methods and establish firm rules in response to issues that result from implementing the standards.
The continuing audit problems for smaller firms will demand even more focus. Smaller, less complex businesses present a variety of difficulties that larger clients do not.
Auditing small, less complicated enterprises are frequently difficult because:
- Adjustments to the accounting records need to be made before beginning major auditing procedures.
- Unaudited transactions with unknown related parties.
- Internal controls that are simple or traditional, with little documentation, no separation of duties, and a lack of in-house accounting knowledge.
- The need for standardized audit practice is aided by tools developed for audits of bigger businesses to the problems that arise in auditing a smaller, less complex company.
- The idea that it is impractical to audit smaller companies is being questioned by many, however. The Big Four have begun demonstrating the validity of audits of businesses with smaller turnovers.
- The result has been a greater focus on client service and better training programs for auditors who are expected to spend more time studying small company clients.
Create your own methodology.
Many organizations use a predetermined set of standardized practice tools to develop their audit methods.
These forms and checklists assist auditors in fulfilling the standards’ criteria, but they should not be confused with the standards themselves. An auditor may follow the guidelines and create audit evidence in various ways.
Until recently, bespoke audit practice aids for highly judgmental areas, such as documentation of internal controls, had been considered the domain of only the largest businesses.
Developing their own forms or checklists for highly subjective topics such as internal control documentation, growing numbers of audit firms are producing a more personalized, firm-specific set of audit practices.
Participation in audits of smaller, less complicated business units
During the audit planning process, the unique needs of evaluating a smaller, less complicated firm typically necessitate the involvement of the most seasoned auditors.
More experienced auditors will be able to make significant judgments about audit strategy, such as:
- The parameters, procedures, and techniques used to gather information about the client and its surroundings.
- The analysis of risks of material misrepresentation.
- The auditor’s documentation of assessed risks, both general and specific.
- The client’s internal control documentation will be expected and/or determined.
- The selection of additional audit processes that are directly linked to evaluated threats.
- Define audit priorities. Audit resources are assigned to those aspects of the audit that pose the greatest risk based on your defined objectives.
The most important risks to your organization depend on what you do, who you serve, and how much risk is tolerable. To determine this for yourself, ask yourself, “What am I trying to protect?”.
And “How much risk can my company tolerate?” If you have a clear answer to both of those questions, then it will be easier for you or your team to take steps to mitigate threats.
What do you think of risk-based audits? Are they effective or not? Why or why not, and what tips would you give for conducting your own audit with a risk-focused approach? Share your thoughts in the comments below.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.