
Appendix - ‘C’

Risk-Based Audit

1.    Audit should be risk-based or focused on areas of greatest risk to the achievement of the audited entity’s objectives. Risk-based audit (RBA) is an approach to audit that analyzes audit risks, sets materiality thresholds based on audit risk analysis and develops audit programmes that allocate a larger portion of audit resources to high-risk areas.

2.    The auditor does not normally need to perform specific audit procedures on all areas of audit. He/She only needs to design audit programmes and procedures on areas earlier identified as major risks that could result in the financial statements being materially misstated. RBA is an essential element of financial audit, both in the attest audit of the financial statements and in the audit of financial systems and transactions, including evaluation of internal controls. It focuses primarily on the identification and assessment of the financial statement misstatement risks and provides a framework to reduce the impact of these identified risks on the financial statements to an acceptable level before rendering an opinion on the financial statements. It also provides indicators of risks as a basis of opportunity for improvement of auditee risk management and control processes. This affords an opportunity to the auditee to improve its operations from recommendations on risks that do not have a current impact on the financial statements but impact the audited entity’s operational strategies and performance over the longer term.

3.    In the context of performance audit, it is the risk to delivery of an activity or scheme or programme of the entity with economy, efficiency and effectiveness. Awareness of areas that put the programme or resources at risk from the point of view of economy, efficiency and effectiveness helps focus audit attention on them. The risk analysis provides a framework for assurance in performance auditing.

Audit risk analysis

4.    The auditor should perform an analysis of the audit risks that impact on the auditee before undertaking specific audit procedures. Risk assessment is a subjective process. It is part of the professional judgment of the auditor and of the particular circumstances. Audit risk is the risk that the auditor may unknowingly fail to appropriately modify his opinion on financial statements that are materially misstated.

5.    Audit risks are brought about by error and fraud:

6.    The auditor has the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud.

7.    An error risk may arise from an error in principle, estimate, critical information processing, financial reporting process or disclosure.

8.    Fraud risk involves manipulation, falsification of accounting records, or misrepresentation in the financial statements of events, transactions or other significant information, or misapplication of accounting principles or misappropriation of funds.

Risk Model

9.    The risk model is an analytical tool for planning and execution. This approach detects high-risk areas where audit effort can be concentrated. Audit can thus focus on areas which are likely to generate better assurance instead of sampling and testing of larger but low risk areas. It structures the audit procedures and re-organizes the audit work in terms of risk perception.

10.    Inherent risk is the susceptibility of an account balance or class of transactions to misstatements that could be material individually or when aggregated with the misstatements in other balances or classes, assuming that there were no related internal controls. Inherent risk is assessed during the preliminary stage of the planning process.

11.    Control risk is the risk that a misstatement that could occur in an account balance or class of transactions, and that could be material individually or when aggregated with misstatements in other balances or classes, will not be prevented or detected and corrected by the accounting and internal control systems. Control risk is assessed during the evaluation of the audited entity’s strategies and control.

12.    Detection risk is the risk that an auditor’s substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material individually or when aggregated with misstatements in other balances or classes. Detection risk is assessed during the execution phase of the audit in the substantive tests of details.

General Steps in the Conduct of RBA

13.    RBA consists of four main phases starting with the identification and prioritization of risks, to the determination of residual risk, reduction of residual risk to acceptable level and the reporting to auditee of audit results. These are achieved through the following:

14.    Understanding auditee operations involves processes for reviewing and understanding the audited organisation’s risk management processes for its strategies, framework of operations, operational performance and information process framework, in order to identify and prioritize the error and fraud risks that impact the audit of financial statements. The environment in which the auditee operates, the information required to monitor changes in the environment, and the process or activities integral to the audited entity’s success in meeting its objectives are the key factors to an understanding of agency risks. Likewise, a performance review of the audited entity’s delivery of service by comparing expectations against actual results may also aid in understanding agency operations.

15.    Assessment of management risk strategies and controls is the determination as to how controls within the auditee are designed. The role of internal audit in promoting a sound accounting system and internal control is recognized, thus the SAI should evaluate the effectiveness of internal audit to determine the extent to which reliance can be placed upon it in the conduct of substantive tests.

16.    Management of residual risk requires the design and execution of a risk reduction approach that is efficient and effective to bring down residual audit risk to an acceptable level. This includes the design and execution of necessary audit procedures and substantive testing to obtain evidence in support of transactions and balances. More resources should be allocated to areas of high audit risk, which were earlier known through the analytical procedures undertaken.

17.    The results of audit shall be communicated by the auditor to the audited entity. The auditor must immediately communicate to the auditee reportable conditions that have been observed even before completion of the audit, such as weaknesses in the internal control system, deficiencies in the design and operation of internal controls that affect the organization’s ability to record, process, summarize and report financial data.

Materiality

18.    Materiality is often considered in terms of value but the inherent nature or characteristics of an item or group of items may also render a matter material, as when the law or regulation requires it to be disclosed separately regardless of the amount involved. In addition to materiality by value and by nature, a matter may be material because of the context in which it occurs. For example, considering an item may be material in relation to:

19.    In designing the audit plan, the auditor shall establish an acceptable materiality level so as to detect quantitatively material misstatements. This is the materiality threshold, which is classified into individual item materiality and aggregate materiality. Individual item materiality concerns the impact of a single misstatement on the financial statements, while aggregate materiality considers the total effect of two or more misstatements, each of which is not material by itself.

20.    The auditor must consider materiality while planning the audit, conducting the audit and reporting the results of the audit, although materiality thresholds may change between the three phases.

21.    The auditor must use his professional judgment in determining materiality since it is always relative. It is not possible to lay down specific rules or absolute numerical measurements that will be valid in every case. If, based on analytical procedures and fraud assessment, there are indications of fraud, individual item materiality thresholds should be decreased and the auditor should place more emphasis on external evidence.