Speaking plainly about risk assessment

To successfully perform a risk-based audit practitioner need to first ensure that they understand the risk assessment standards and the audit risk model. While many auditors think they understand this model our experience shows that most staff (and some partners) struggle to explain each element of the model and how they relate to selecting the nature, timing and extent of audit procedures. Since risk assessment is such a significant topic, we’ve broken it down into three separate reports.

In Part I of the series, we discuss the audit risk model itself. This foundational report aims to ensure that auditors can accurately describe the model in plain English as well as understand how it relates to being able to achieve reasonable assurance on an engagement.

In Part II of the series, we go deeper into assessing the risks of material misstatement through discussing the assessment of control risk and inherent risk. This report focuses on debunking some misconceptions and misunderstandings around these risks including if it is acceptable for auditors to default to a high control/inherent risk and if it is true that you can assume that smaller clients do not have adequate controls.

In Part III of the series, we conclude by discussing the auditor’s responsibilities and requirements as to the auditee’s system of internal control and controls relevant to the audit through the three layers of responsibility included within professional standards:

1. Obtain an understanding of internal control relevant to the audit

2. For controls relevant to the audit, the auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity’s personnel, and

3. Design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of the relevant control if certain circumstances exist