Risk Assessment

Auditors are required to perform a risk assessment. That assessment is to determine where the risk of material misstatement is higher. Account balances, transaction classes, and disclosures with a risk of material misstatement should be addressed by the auditor. Auditors create substantive tests and tests of controls (also known as further audit procedures) in response to the identified risk of material misstatement. These procedures are designed to lower the auditor’s detection risk (the risk the auditor will not detect material misstatement).

So risk assessment procedures are performed early in the audit. Those procedures include gaining an understanding of the entity and its environment, including its internal controls. The auditor inquires, inspects, and makes observations to understand the entity and where risks of material misstatements are most likely. Walkthroughs are performed to review the design and implementation of controls. Estimates are also reviewed to see if there is any management bias in those numbers. Additionally, the auditor performs preliminary analytical procedures to see if the numbers are in accord with the auditor’s expectations.

The risk assessment procedures, including walkthroughs, are performed to understand the accounting system and internal controls, not for the purpose of expressing an opinion on the internal control system.

All identified risks are brought together to create a complete picture of where misstatements might occur. This picture is then used to create the audit plan (also known as an audit program) and an audit strategy.

Risk assessment is iterative. So, if the auditor encounters unknown risks as he or she performs the planned audit procedures, the risk assessment should be revisited and reworked, if necessary.