Uploaded by saqib.mahmud


Risk Based Auditing
Risk based internal auditing in PRIMACO
Audit Inspection of organizational operations and internal controls with respect to
predefined criteria and give opinion to concerns based upon auditor observations.
Risk is the potential for uncontrolled loss of something of value (such as physical health or
financial wealth)
Audit Risk The risk of issuing an unqualified opinion due to the auditors failure to detect
material misstatement(an error or omission in a financial statement due to factor other then
internal control failure)
The risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated. Audit risk is a function of material misstatement and
detection risk
Audit Risk
Control Risk * Detection Risk * Inherent Risk
Components of audit risk are
Control Risk
The risk that potential material
misstatements would not be
detected or prevented by a
client's control systems.
Example: Mostly in smaller
firms financial statements
are prepared by the unskilled
workforce, it is possible that
prevented or not corrected, if
detected, due to lack of internal
Detection risk
The risk that
procedure used is not
capable of detecting a
material Misstatement.
Example: An example of
detection risk during a
common audit procedure
might involve investigating
whether invoices listed in the
accounts payable actually
haven't yet been paid. You
implement the procedure
and accurately determine
that the accounts payable
Inherent Risk
This is the risk that cannot
be identified by internal
financial officer of the
Example: To reduce the
risk of fraud, errors
duties in between multiple
stakeholders. This is a
kind of internal control. If
employees collude with
chances of control lapse
increases and leads to
fraud, error, misstatement
in the financial statement.
Risk Based Auditing (RBA) Is a style of auditing which focus upon analysis and
management of risk.
Risk Analysis
Identification of threat
e.g Procedural
* Cost of Event
Failures of accountability,
Internal systems, or controls,
or from fraud
Risk Value = Probability of Event
Risk Management
Avoid the risk no advantage to your organization, or when the cost of addressing the
effects is not worthwhile.
Share the Risk You could also opt to share the risk – and the potential gain – with other
people, teams, organizations, or third parties. For instance, you share risk when you insure
your office building and your inventory with a third-party insurance company, or when you
partner with another organization in a joint product development initiative.
Accept the Risk This option is usually best when there's nothing you can do to prevent or
mitigate a risk, when the potential loss is less than the cost of insuring against the risk, or
when the potential gain is worth accepting the risk. For example, you might accept the risk of
a project launching late if the potential sales will still cover your costs. Before you decide to
accept a risk, conduct an Impact Analysis to see the full consequences of the risk.
Control Risk If you choose to accept the risk, there are a number of ways in which you can
reduce its impact.
Business Experiments are an effective way to reduce risk. You can use experiments to
observe where problems occur, and to find ways to introduce preventative and detective
actions before you introduce the activity on a larger scale.
Preventative action involves aiming to prevent a high-risk situation from happening. It
includes health and safety training, firewall protection on corporate servers, and crosstraining your team.
Detective action involves identifying the points in a process where something could go
wrong, and then putting steps in place to fix the problems promptly if they occur.
Risk Based Auditing
Risk analysis and management
Identification of audit universe
Breaking up into processes
Risk Identification
Risk Scoring and heat map
Execution of RBIA
Conventional Auditing
Prime Objective
Assurance Provider
Examinations /Inspection
Computer assisted audit Technique
 Accountability is answerability of any responsibility, task or duty assigned.
As we know in RBIA approach the auditor observes the effectiveness and efficiency of
internal controls and addresses the weakness or any other deficiency in the system he
Chances of malafied intentions and activities can be minimized by making internal control
system more effective and efficient When all employees of the organization knows their
activities and decision are under observation they will try to give their best and will stay away
from offenseable activities.
Main purpose of any audit is to get reasonable assurance overall reasonable assurance for
organization means governance of the organization is in right hands, risk is properly
managed and sufficient internal controls are in operations.
Assurance =
Governance + Risk Management + Internal Control