Audit risk assessment is often the third stage of an audit plan. At this point, auditors review and analyze the potential risks that may be in a client’s financial statements. The two common risk types are inherent and business risk, although other types may certainly arise upon review of the business. Inherent risks relate to the material misstatement found in financial information or statements; these risks can also be part of the company’s internal controls. Business risk includes issues relating to management, including the possibility of fraud.
Auditors must answer three questions during audit risk assessment in an audit plan. These include what could go wrong, how likely it is that it can go wrong, and what the likely amounts affected in financial data are. It is difficult for auditors to pinpoint specific areas that are always an increased risk during an audit. Auditors must conduct initial interviews and review statements to determine the possibility of misstatement or fraud. After basic interviews, the auditors may have an idea of specific information needing further review.
A company’s internal controls are commonly a review area during audit risk assessment. Controls that are too lax or nonexistent are often red flags for increased audit risk. For example, a company that allows one person to complete multiple accounting tasks is a problem. Companies may have higher incidences of inappropriate behavior, embezzlement, or fraud due to the lack of segregating duties. Few or no internal controls are both an inherent and business risk that auditors must consider.
Another issue related to the review of internal controls is control risk. This risk is an indicator that weak internal controls lead to the higher probability of material financial misstatements. Analyzing internal controls include interviewing employees, walking through the company’s facilities, and reviewing paperwork prepared by the client. Each part of this audit risk assessment process allows auditors to determine the increasing risk of an audit’s potential risk. From this information, auditors can design further tests to analyze risk.
Business risk may be a bit easier to review. Auditors can simply look at the background of each executive and his or her ability to work in the company. Comparing the client to other businesses in the current market is another part of audit risk assessment. Clients with weak financial positions may need assessment in terms of strength to remain a going concern. Limitations that arise from excessive business risk may lead the auditors to reconsider taking on the business as a client.