Risk Based Auditing

Risk based internal auditing in PRIMACO

Audit
Inspection of organizational operations and internal controls with respect to predefined criteria, giving an opinion on concerns based upon the auditor's observations.

Risk
Risk is the potential for uncontrolled loss of something of value (such as physical health or financial wealth).

Audit Risk
The risk of issuing an unqualified opinion due to the auditor's failure to detect a material misstatement (an error or omission in a financial statement due to factors other than internal control failure).
The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.
Audit risk is a function of material misstatement and detection risk:
Audit Risk = Control Risk * Detection Risk * Inherent Risk

Components of audit risk are:

Control Risk
The risk that potential material misstatements would not be detected or prevented by a client's control systems.
Example: Mostly in smaller firms, financial statements are prepared by an unskilled workforce, so misstatements may not be prevented, or not corrected if detected, due to lack of internal control.

Detection Risk
The risk that the audit procedure used is not capable of detecting a material misstatement.
Example: An example of detection risk during a common audit procedure might involve investigating whether invoices listed in the accounts payable actually haven't yet been paid. You implement the procedure and accurately determine that the accounts payable balance contains no misstatements.

Inherent Risk
This is the risk that cannot be identified by internal auditors and other financial officers of the organization.
Example: To reduce the risk of fraud and errors, an organization segregates duties among multiple employees or other stakeholders. This is a kind of internal control.
If employees collude with mala fide intentions, the chance of a control lapse increases, leading to fraud, error, or misstatement in the financial statements.

Risk Based Auditing (RBA)
A style of auditing which focuses upon the analysis and management of risk.

Risk Analysis
Identification of threat, e.g. Procedural: failures of accountability, internal systems, or controls, or from fraud.
Risk Estimation: Risk Value = Probability of Event * Cost of Event

Risk Management

Avoid the Risk
When the risk brings no advantage to your organization, or when the cost of addressing the effects is not worthwhile.

Share the Risk
You could also opt to share the risk, and the potential gain, with other people, teams, organizations, or third parties. For instance, you share risk when you insure your office building and your inventory with a third-party insurance company, or when you partner with another organization in a joint product development initiative.

Accept the Risk
This option is usually best when there's nothing you can do to prevent or mitigate a risk, when the potential loss is less than the cost of insuring against the risk, or when the potential gain is worth accepting the risk. For example, you might accept the risk of a project launching late if the potential sales will still cover your costs. Before you decide to accept a risk, conduct an Impact Analysis to see the full consequences of the risk.

Control Risk
If you choose to accept the risk, there are a number of ways in which you can reduce its impact. Business Experiments are an effective way to reduce risk. You can use experiments to observe where problems occur, and to find ways to introduce preventative and detective actions before you introduce the activity on a larger scale.
Preventative action involves aiming to prevent a high-risk situation from happening. It includes health and safety training, firewall protection on corporate servers, and cross-training your team.
Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur.

Risk Based Auditing
- Prospective
- Risk analysis and management
- Identification of audit universe
- Breaking up into processes
- Risk identification
- Risk scoring and heat map
- RBIA plan
- Execution of RBIA

Conventional Auditing Approach
- Retroactive
- Prime objective: assurance provider
- Methodology: inquiry, observations, examinations/inspection, re-performance, computer-assisted audit technique

Accountability
Accountability is answerability for any responsibility, task or duty assigned. In the RBIA approach, the auditor observes the effectiveness and efficiency of internal controls and addresses the weaknesses or any other deficiencies he finds in the system. The chances of mala fide intentions and activities can be minimized by making the internal control system more effective and efficient. When all employees of the organization know that their activities and decisions are under observation, they will try to give their best and will stay away from improper activities.

The main purpose of any audit is to obtain reasonable assurance. Overall, reasonable assurance for an organization means that governance of the organization is in the right hands, risk is properly managed, and sufficient internal controls are in operation.

Assurance = Governance + Risk Management + Internal Control