Risk assessment is foremost a planning device whereby the focus of the audit work is brought to bear on the highest risk areas. Items in the trial balance identified as potential risk areas are be flagged as risks by clicking on the yellow star icon to the right of each line. Risk flags may also be added from Analytical Review pages if preferred:
- Individual accounts and/or subtotals may be flagged as risk items
- Items tagged in this way are sent to the risk analysis, strategy and plan page for risk analysis
Risks may also be flagged from a comment made on any work item (for instance a systems note or an internal controls checklist where a risk issue is identified) – for example from systems notes as below:
- Sometimes risks may be identified after planning is completed - this will mean that planning must be revisited and perhaps revised, and the risk analysis, strategy and plan page may need to be unconcluded and updated
Flagged items may either be analysed when flagging the item or left to complete later in the job. If "Complete later" is selected, it will appear on the page in the E section: risk analysis, strategy and plan.
Analysing a risk will require either a detailed analysis or a comment, depending on the seriousness and complexity of the risk - here we have a significant risk to analyse identified in the trial balance:
- A description of the risk identified is entered
- Specific assertions are identified and rated (none, low, medium, high or significant)
- The total risk level is then identified: low, medium, high or significant - a medium, high or significant risk opens a further level of analysis
- This total level should be at least as high as the highest assertion risk rating
- Possible tests to reduce or eliminate the risk are proposed
- Relevant internal controls are identified that may be considered for testing to see whether any reliance may be placed on them to reduce the risk level
- The risk data may also be sent to any other work paper (shown at the top of the target page) using select target work paper (optional) – for example, if a risk may impact on the audit report it could be sent to the top of the audit report work paper in the Z section
When saved the risk looks like this:
This information will be visible wherever the data is displayed along with any other work done on the item (say in the analytical review section) – on lead schedules or other pages where the data is referenced:
- Here on the G1 lead schedule, all the risk assessment work is shown to prompt the auditor to carry out the specific testing identified at the risk assessment:
- Data on lead schedules may be reduced to show just flagged items by clicking the star flag at the top of the table
All risks identified as high or significant are also carried onto the audit summary information page in the reporting section of the audit file:
- Here the auditor must summarise the outcome of the response made to the risk, so that the partner may assess this as part of their overall review: