The document summarizes key concepts around risk assessment for internal audits. It defines risk and risk assessment according to COSO, and explains why risk assessment is important for internal audits to focus resources effectively and complete audits in a timely manner. It also defines engagement risk and outlines the audit risk model that is used to manage overall risk for an audit engagement. Finally, it lists some common risk assessment tools like understanding the client and internal controls, inquiries, analytical reviews, and brainstorming.
Internal Audit Training Risk Assessment
1. A paper presented at the internal audit training session of Audit
Division of the Controller’s Office, City of Houston.
Olaniyi Oyedele, CPA
Audit Manager
January 4, 2017
2. What is Risk and Risk Assessment
Why do we engage in Risk Assessment
What is Engagement Risk
Understand the Audit Risk Model
Understand the Risk Assessment Tools
3. COSO defines:
Risk – the possibility that an event will occur
and adversely affect the achievement of
objectives.
Risk Assessment – involves a dynamic and
iterative process for identifying and assessing
risks to the achievement of objectives.
4. To allow for efficiency and effectiveness of
audit by focusing on critical aspects of the
audit.
Assist in efficient allocation of resources
Enable audits to be completed timely
Drives and enhances meaningful audits
Reduces audit costs and possible litigations
costs arising from audits.
5. Represents the overall risk associated with an
audit engagement.
Consists of three components:
- Entity Risk
- Audit risk
- Auditor’s risk
6. The risk that an auditor may issue an incorrect
opinion arising from:
- Issuing an unqualified report where a
qualification is reasonably justified
- Issuing a qualified opinion where no
qualification is necessary
- Failure to emphasize a significant matter in
the audit report
Audit Risk Model = Inherent risk (IR) x Control
Risk (CR) x Detection Risk (DR)
Used to manage the overall risk of an audit
engagement.
7. Obtain an understanding of the client and its
environment
Obtain an understanding of Internal Control
Perform additional inquiries of key
management personnel, staff, oversight
agencies, reports and relevant third parties,
where applicable.
Analytical review
Brainstorming session
Summarization of the audit risk assessed.
Editor's notes
Entity Risk: Risk associated with the entity’s survival, operations and profitability. It includes: recent changes in management, questions relating to management integrity, recent fraud involving management personnel, changes in IT Operations.
Audit Risk: Risk associated with the manner in which the audit process was performed, which may result in the auditor arriving at an incorrect opinion. For instance, the risk that the auditor may issue an unqualified opinion on materially misstated financial statements or reach a conclusion based on an incomplete or wrong population or sample.
Auditor’s Risk: Risk arising as a result of the services provided by the auditor to his clients. Such risks include: litigation costs, loss of reputation, inability to recover audit fees. Auditor’s risk is controllable; therefore, if analyzed correctly, auditors can mitigate their own risk.
Inherent Risk: Risk associated with the nature of the matter and/or unit under audit. For example, the risk involved in the audit of a Police Department would be different from that of the Department of Library or PWE.
Control Risk: Risk arising from the absence of, or failure in the operation of, relevant internal controls. Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error. Control risk is considered to be high where the audit entity does not have adequate internal control to prevent and detect instances of fraud or error.
Detection Risk: (Also known as residual risk) Risk that the auditors fail to detect errors and material misstatements in the financial statements. Detection risk forms the residual risk after taking into consideration the inherent and control risks pertaining to the engagement and the overall audit risk that the auditor is willing to accept.
Where the auditor’s assessment of inherent and control risk is high, the detection risk is set at a lower level to keep the audit risk at an acceptable level. Lower detection risk may be achieved by increasing the sample size for audit testing. Conversely, where the auditor believes the inherent and control risk is low, detection risk is allowed to be set at a relatively higher level.