Audit risk management, important considerations

InsuranceHubPortal
6 Min Read

The international standards of the Institute of Internal Auditors define audit risk as: “the possibility that an event will occur that hinders the achievement of objectives”; and they can be present at any time and circumstance, as well as constitute both internal and external threats. 

This is any situation that generates the possibility of an auditor issuing erroneous information, generally due to not having detected some significant failure that could completely modify the result given in a report. 

The possibility of issuing erroneous information can occur at different levels, so the implication of each one must be observed and analyzed in a manner appropriate to the corresponding audit. 

Three types of audit risks can be determined, which we will delve into below: 

  • Inherent risk.
  • Control risk. 
  • Detection risk.

Inherent audit risk

It is the risk that any statement about a transaction, accounting balance, or other type of reported information contains significant errors, before even taking into account the possible corresponding controls.

In other words, inherent risk is a risk that always exists, even if internal controls are effective. Inherent risk can be classified into two types:

  • Business risk: The risk that arises from an entity’s operations, policies, and procedures.
  • Fraud Risk: As such, it is the risk that fraud will occur, that is, an intentional act of deception or omission to obtain an improper benefit.

Some techniques that can be used to evaluate this type of risk are:

  • Industry analysis: Inherent risk can be assessed by comparing the entity with other entities in the same sector.
  • Analysis of the entity: Consider the organizational structure, the culture of the entity, and its policies and procedures.
  • Analysis of transactions: Also considering the nature of the entity’s transactions, the inherent risk can be evaluated.

Inherent risk is an important factor that the auditor must consider when planning and performing an audit. Assessing inherent risk helps the auditor determine the nature, scope, and timing of the audit procedures needed to obtain reasonable assurance about the financial statements.

Control audit risk

It is the risk that an entity’s internal controls will not detect or correct significant errors or irregularities in the financial statements in a timely manner.

In other words, control audit risk is the risk that internal controls will not function as expected.

Control audit risk can be calculated using the following formula:

Control audit risk = inherent risk X effectiveness of controls.

Control audit risk must be assessed for each area of ​​the financial statements to be audited. To do this, knowledge of the entity’s internal controls must be obtained. Techniques for assessing control audit risk include:

  • Document analysis: analyze the documents that describe internal controls.
  • Observation: observe how the entity implements its internal controls.
  • Inspection: Inspect records documenting transactions.

This type of risk is significantly influenced by internal control systems, since, in certain circumstances, they may become insufficient or inadequate for the timely detection of irregularities or threats that may represent a risk. 

The main factors that can determine the existence of this type of risk are the information, accounting, and control systems.

This aspect is precisely where the importance of implementing and maintaining internal control systems under constant evaluation lies, in order to remedy errors in a timely and precise manner, and thus avoid the materialization of the risk.

Detection Audit Risk

It occurs when the audit does not detect the existence of errors in the process carried out, generally resulting from inadequate procedures on the part of the audit group.

Appropriate procedures to reduce this type of risk can help minimize control audit risk and the organization’s inherent audit risk.

One of the main functions of internal audit is to ensure that risks have been appropriately managed, to do this a risk-based internal audit must be carried out. 

The Institute of Internal Auditors defines this type of risk-based audit as “a methodology that links the audit function to an organization’s overall risk management framework.”

That is, the audit must be carried out in association with the managers of each area of ​​your company to ensure that all risks are identified and are relevant to the organization. 

5 benefits of audit risk management

Following international standards, we identify some benefits of a correct application of audit risk management processes, among them we can find that:

  1. It ensures that the company’s senior management is able to evaluate and respond to risks that are above and below the organization’s risk appetite.
  2. In addition, it ensures that the risk response is effective
  3. An additional benefit is the company’s ability to take additional control measures when residual risk is not aligned with risk appetite.
  4. Risks, responses, and actions are identified, classified, and communicated appropriately.
  5. Continuous improvement of the system is promoted.

Although the need and benefits of audit risk management are evident, it is also good to note that within most organizations there is a clear conflict of interest between both areas.

While internal audit and risk management need to work together, it is essential to ensure that neither role is compromised. Therefore, it is advisable to report separately and maintain the independence of functions.

If you want to know more about risk controls, click on the image below and learn about our strategic audit automation solution.

Share This Article
Leave a comment