What is entitys risk assessment process?

[toc-this]

Nội dung chính Show

Definitions
Audit risk and assurance
Principles
Components of audit risk
Audit risk model
When to consider audit risk
Instructions
Procedures to identify and assess risk
The entity’s own risk-assessment
What are the steps in the risk assessment process?
What are the 5 steps to undertaking a risk assessment?
What are the 3 process of risk assessment?
What are the four 4 main elements in the risk assessment process?

Definitions

Audit risk and assurance

It is not normally practical or cost-effective for auditors to collect evidence in order to have absolute (100%) assurance or confidence of detecting all material deviations. Instead, auditors try to ensure that their conclusions and opinions are based on reasonable assurance, which is obtained from the audit work. Audit risk is the inverse of audit assurance. It is the risk that the auditor is willing to tolerate coming to a wrong conclusion. In practice, audit risk is unavoidable.

Principles

Components of audit risk

The components of audit risk are:

inherent risk, relating to the nature of the entity;
control risk, concerning the entity's controls; and
detection risk - the risk that the auditor does not detect deviations.

Assessment of risks is a judgement rather than a precise measurement. The level attributed to each component is estimated by the auditor on the basis of his/her professional judgement, informed by the procedures outlined below.

Audit risk model

The audit risk model, as shown below, helps auditors to determine how comprehensive the audit work must be so as to attain the desired assurance for their conclusions.

[label stroke="true"]Audit risk (AR)= Inherent risk (IR) x Control risk (CR) x Detection risk (DR)[/label]

This equation must always be in balance. The higher the auditor assesses the level of inherent and/or control risk to be, the lower the detection risk must be. This requires more substantive audit work (larger sample sizes). Equally, the lower the combined inherent and control risk is assessed to be, the higher the detection risk will be. This in turn means less substantive work and more systems work. More systems and controls need to be tested as the planning assumption must be verified and because the systems work also contributes to the overall assurance. Fraud risk is an element of both inherent and control risk.

When to consider audit risk

Audit risk should be considered when:

planning the audit, including the design of audit procedures;
carrying out audit procedures; and
evaluating the results of the audit tests carried out.

Instructions

Procedures to identify and assess risk

The risk-assessment procedures are employed in order to gain an understanding of the following:

the entity and its environment, thereby identifying the inherent risks in the area under consideration, including risks as regards related parties and fraud;
the internal control arrangements at each relevant level (Commission, member state, intermediary, beneficiary), to help identify the control risks.

The nature and extent of planned audit tests will vary, depending on the auditor's assessment of both inherent and control risk (see Assurance model). The auditor should perform risk assessment procedures as early in the audit as possible, based on various sources of information.

Risk assessment procedures	Sources of information
Analysis of relationships in and between financial and non-financial information, through a study of plausible relationships, including trends and ratios. Examples include comparison of actual information against budget, licence income to number of licences, and import duties to physical import data.	Financial and non-financial information, in order to provide a broad initial indication of unusual or unexpected relationships.
Inspection consists of examining records or documents, whether internal or external, in paper form, electronic form, or other media, or tangible assets.	Visits to the entity's premises and facilities Internal documents - management plans, records, manuals Other information - the auditee's budget; AAR External information- economic journals; regulatory and financial publications Findings from previous audits by the ECA, the Internal Audit Service (IAS), the Supreme Audit Institutions (SAI), the Commission’s anti-fraud office (OLAF), or the European public prosecutor’s office (EPPO)
Observation consists of looking at a process or procedure being performed by others. It provides information about the performance of the process or procedure, but is limited to the point in time at which the observation takes place.	Observation of entity activities and operations being carried out
Inquiry consists of seeking information of knowledgeable persons, inside or outside the audited entity.	Those charged with governance, management and others within the entity

The entity’s own risk-assessment

The entity's own risk-assessment process can be a source of information. The following important information should be considered as part of the risk assessment for compliance audits:

the Directorate-General’s
[link new-window title="annual%20management%20plan" link="https%3A%2F%2Fec.europa.eu%2Finfo%2Fpublications%2Fmanagement-plans_en" icon="external-link" /]
(MP) contains objectives, indicators and the critical risks identified for the Directorate-General (DG) concerned;
the information in the Commission's
[link new-window title="annual%20management%20reports" link="https%3A%2F%2Fec.europa.eu%2Finfo%2Fpublications%2Fannual-management-and-performance-reports_en" icon="external-link" /]
(AMPR) and the
[link new-window title="annual%20activity%20reports" link="https%3A%2F%2Fec.europa.eu%2Finfo%2Fpublications%2Fannual-activity-reports_en" icon="external-link" /]
(AAR) including declarations by the Directors-General for the preceding financial year(s) (the AAR provides an overview of critical risks encountered and their impact on the achievement of the DG's objectives);
relevant reports by the various control bodies of the Commission (including the internal audit service ) and member states, or other auditors;

At the Commission, the DGs establish their own accounting risk analysis per process and per audit assertion. This represents a substantial input to the risk-assessment process for financial audits. However, the auditor should exercise

[a-glossary term="professional%20scepticism"]professional scepticism[/a-glossary]

, as risks identified by the auditee may not address those that are of importance for audit purposes, and such information may be biased. The ECA's previous work, and the knowledge and experience of the audit chambers should always be considered for both, financial and compliance audits. Where the auditor intends to use such information he or she should determine whether changes have occurred since the previous audit that may affect its relevance to the current audit. This is because changes in the control environment, for example, may affect the relevance of information obtained in the prior year. [/toc-this]