Risk assessment is foremost a planning device whereby the focus of the audit work is brought to bear on the highest risk areas.
Items identified as risk in any part of the file such as governance checklist, internal controls questionnaire, etc. Risks may also be assigned to specific accounts or categories.
Items in the trial balance identified as potential risk areas are be flagged as risks by clicking on the yellow star icon to the right of each line. Risk flags may also be added from Analytical Review pages if preferred:
- Flagged items may either be analysed when flagging the item or left to complete later in the job
- If "Complete later" is selected, it will appear on the page in the E section: risk analysis, strategy and plan
-
The star icon opens a dialogue that includes the following:
- A description of the risk identified is entered - this includes the observation (which may also be used for a management point)
- Specific assertions are identified and rated (none, low, medium, high or significant)
- Whether the risk is at the financial statement level (pervasive) or assertion level (non-pervasive)
- Whether the risk is inherent or control (if elements of both indicate in the text and mark the risk type as "audit" in the dropdown)
- The likelihood of occurrence and potential financial impact are rated
- Based on the above the total risk level is then identified: low, medium, high or significant - a medium, high or significant risk opens a further level of analysis
- Possible tests to reduce or eliminate the risk are proposed, based on controls if applicable, but may also involve analytical review and substantive tests of details and sampling
- If the risk is generated from a page other than the TB the risk data may be sent to any other work paper (shown at the top of the target page) using "select target work paper."
- Individual accounts and/or subtotals may be flagged as risk items
- A completed risk in the TB looks like this (in this case added to a total):
- Items tagged in this way are sent to the risk analysis, strategy and plan page with other risks identified
Risks may also be flagged from a comment made on any work item (for instance a systems note or an internal controls checklist where a risk issue is identified) – for example from the Governance Checklist as below:
- Sometimes new risks may be identified after planning is completed - this will mean that planning must be revisited and perhaps revised, and the risk analysis, strategy and plan page may need to be unconcluded and updated
- This information will be visible wherever the data is displayed along with any other work done on the item (say in the analytical review section) – on lead schedules or other pages where the data is referenced:
- Data on lead schedules may be reduced to show just flagged items by clicking the star flag at the top of the table.
Filtering risk items on lead schedules
Once risks have been added and lead scedules are created, lead scedules can be filtered to just show risk items only. To do this click the star at the top right of the table:
This will hide all items not flagged as risks:
This may be toggled on and off as required. This is applied on a page by page basis.
Audit Summary page
All risks identified as more than low are also carried onto the audit summary information page in the reporting section of the audit file:
- Here the auditor must summarise the outcome of the response made to the risk, so that the partner may assess this as part of their overall review:
NOTE: If a risk needs to be edited, this can only be done from the Risk Analysis page in the E section.