risk assessment procedures audit

Audit risk and risk assessment procedures

Audit risk and risk assessment procedures, definitions, audit risk and assurance, components of audit risk.

  • inherent risk, relating to the nature of the entity;
  • control risk, concerning the entity's controls; and
  • detection risk, the risk that the auditor does not detect deviations.

Audit risk model

When to consider audit risk.

  • planning the audit, including the design of audit procedures;
  • carrying out audit procedures; and
  • evaluating the results of the audit tests carried out.


Procedures to identify and assess risk.

  • the entity and its environment, thereby identifying the inherent risks in the area under consideration, including risks as regards related parties and fraud;
  • the internal control arrangements at each relevant level (Commission, member state, intermediary, beneficiary), to help identify the control risks.

The entity’s own risk-assessment

  • the Directorate-General’s annual management plan (https://ec.europa.eu/info/publications/management-plans_en) (MP) contains objectives, indicators and the critical risks identified for the Directorate-General (DG) concerned;
  • the information in the Commission's annual management reports (https://ec.europa.eu/info/publications/annual-management-and-performance-reports_en) (AMPR) and the annual activity reports (https://ec.europa.eu/info/publications/annual-activity-reports_en) (AAR) including declarations by the Directors-General for the preceding financial year(s) (the AAR provides an overview of critical risks encountered and their impact on the achievement of the DG's objectives);
  • relevant reports by the various control bodies of the Commission (including the internal audit service) and member states, or other auditors;


The auditor’s risk assessment and response: understanding and applying the requirements

International Standard on Auditing (ISA) 315 (Revised) Identifying and assessing the risks of material misstatement through understanding the entity and its environment explains auditors’ responsibilities in relation to risk assessment and internal control.

The identification and assessment of the risks of material misstatement by the auditor provide the basis for designing and implementing responses to them, which is addressed by ISA 330 The Auditor’s responses to assessed risks. ISA 315 is the ISA from which all other ISAs flow, and all ISAs are risk-based. Many auditors struggle to apply ISAs to small, less complex audits. This may be due to a lack of understanding or because of the requirements in the ISAs themselves.

Risk assessment challenges for auditors

Risk assessment is critical to the performance of all financial statement audits. The idea of a “risk-based” approach to auditing has been around for many years, and it is not a difficult concept: the approach focuses audit effort on those areas that are most at risk of material misstatement. When planning an audit, the audit team would therefore be asking themselves:

  • What are the areas of risk? 
  • How big is the threat of material misstatement associated with these risks? 
  • What audit procedures need to be performed to respond to the levels of risk assessed?

But both auditors and regulators report problems in applying the relevant auditing standards consistently. Key risk assessment issues include:

  • The quality of linkages between risk assessment and response;
  • The need to demonstrate and document how professional judgement was applied; and
  • The definition, determination and understanding of ‘significant risk’ under the ISAs.

Understanding, documenting and testing internal control

Internal control is an area in which auditors often need to improve their risk assessment processes. In particular, auditors need to remember that internal controls are still relevant where a fully substantive audit approach is adopted. Understanding internal control and documenting that understanding is a challenge for all audits, irrespective of the client’s size or complexity. In smaller, less complex entities controls are typically informal and undocumented, and potentially compromised by a lack of segregation of duties. The involvement of the owner-manager in the day-to-day running of the business can have a positive and a negative effect on the evaluation of risk.

Even where auditors adopt a fully substantive approach, they should ask themselves whether they have:

  • identified those controls that are relevant to the audit, such as those relating to the key transaction streams;
  • checked whether those controls are designed appropriately to achieve their objectives; and
  • obtained evidence that these controls have been implemented, eg, by walkthrough tests.

The new ISA 315 (Revised): changes for 2022 

The International Audit and Assurance Standards Board (IAASB) approved major changes to ISA 315 in September 2019. The changes will be effective for audits of financial statements for periods beginning on or after 15 December 2021. The effects of the revisions will be far-reaching and will require firms of all sizes to revise their approach to risk assessments.

Determining and applying materiality

The concept of materiality is fundamental to the audit. As the basis for the auditor’s opinion, ISAs require auditors to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement. Materiality is applied by auditors at the planning stage, and when performing the audit and evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements.

ISA 320 Materiality in planning and performing an audit does not include a definition for materiality. This is because the principle of materiality is first and foremost a financial reporting, rather than an auditing, concept. Also, the interpretation may differ in different parts of the world.

Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of financial statements. It is important therefore that auditors refer to any discussion of materiality in the financial reporting framework when determining materiality for the audit. Such a discussion, if present, provides auditors with a frame of reference.

Using data analytics in external audit

Auditor data analytics is about enhancing audit quality. Data analytics consists of tools that extract, validate and analyse large volumes of data, quickly. The tools are applied to complete populations (100% of the transactions, ie, “full data sets”), and they can be used to support judgements, draw conclusions or provide direction for further investigation. Auditing standards do not specifically address the use of data analytics in external audit.

Data analytics may be more commonly used in larger firms and the mid-tier, but smaller firms need to be aware of the potential for data analytics to transform smaller audits. 

Addressing the risk of management override

Management override refers to the ability of management and/or those charged with governance to manipulate accounting records and prepare fraudulent financial statements by overriding controls, even where the controls might otherwise appear to be operating effectively.

Under ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements auditors are required to assess the risk of material misstatement from management override of controls as significant, which requires specific documentation and affects the response of the auditor to risk.

Although the level of risk of management override of controls will vary from entity to entity it is, nevertheless, present in all entities.

Communications with those charged with governance

Identifying who is charged with governance, ensuring appropriate communication takes place and demonstrating this on the audit file are vital to the success of the audit of financial statements. ISA 260 (Revised) Communication with those charged with governance provides an overarching framework for the auditor’s communication with those charged with governance and includes specific matters that need to be communicated to them. In addition, a further standard, ISA 265 Communicating deficiencies in internal control to those charged with governance and management includes specific requirements regarding communicating significant deficiencies in internal controls identified by the auditor in the course of the audit.

Communicating effectively throughout the audit can improve its technical quality and cost effectiveness for entities of all shapes and sizes. Communication is not something you just have to do because International Standards on Auditing (ISAs) require it; it is something you should want to do in order to improve the audit.

Many audit files give good evidence of communication with management at the completion stage, but ISA 260 requires the audit team to establish effective two-way communication throughout the audit process. This means that the audit file should demonstrate a consistent level of communication throughout the audit.


Relevant to FAU, AA and AAA

This article outlines and explains the concept of audit risk, making reference to the key auditing standards which give guidance to auditors about risk assessment.

Identifying and assessing audit risk is a key part of the audit process, and ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment, gives extensive guidance to auditors about audit risk assessment. The purpose of this article is to give summary guidance to FAU, AA and AAA students about the concept of audit risk. All subsequent references in this article to the standard will be stated simply as ISA 315, although ISA 315 is a ‘redrafted’ standard, in accordance with the International Auditing and Assurance Standards Board (IAASB) Clarity Project. For further details on the IAASB Clarity Project, read the article 'The IAASB Clarity Project' (see 'Related links').

What is audit risk?

According to the IAASB Glossary of Terms (1), audit risk is defined as follows:

‘The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of material misstatement and detection risk.’

Why is audit risk so important to auditors? 

Audit risk is fundamental to the audit process because auditors cannot and do not attempt to check all transactions. Students should refer to any published accounts of large companies and think about the vast number of transactions in a statement of comprehensive income and a statement of financial position. It would be impossible to check all of these transactions, and no one would be prepared to pay for the auditors to do so, hence the importance of the risk‑based approach toward auditing. Traditionally, auditors have used a risk-based approach in order to minimise the chance of giving an inappropriate audit opinion, and audits conducted in accordance with ISAs must follow the risk‑based approach, which should also help to ensure that audit work is carried out efficiently, using the most effective tests based on the audit risk assessment. Auditors should direct audit work to the key risks (sometimes also described as significant risks), where it is more likely that errors in transactions and balances will lead to a material misstatement in the financial statements. It would be inefficient to address insignificant risks in a high level of detail, and whether a risk is classified as a key risk or not is a matter of judgment for the auditor.

Relevant ISAs

There are many references throughout the ISAs to audit risk, but perhaps the two most important audit risk-related ISAs are as follows:

ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with ISAs

ISA 200 sets out the overall objectives of the auditor, and the standard explains the nature and scope of an audit designed to enable an auditor to meet those objectives. References to audit risk are frequently made by ISA 200, and the standard also requires that the auditor shall plan and perform an audit with professional scepticism, recognising that circumstances might exist that may cause the financial statements to be materially misstated. Professional scepticism is defined as an attitude that includes a questioning mind and a critical assessment of evidence.

ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment

ISA 315 deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through an understanding of the entity and its environment, including the entity’s internal controls and risk assessment process. The first version of ISA 315 was originally published in 2003 after a joint audit risk project had been carried out between the IAASB and the United States Auditing Standards Board. Changes in the audit risk standards have arguably been the single biggest change in auditing standards in recent years, so the significance of ISA 315, and the topic of audit risk, should not be underestimated by auditing students.

The requirements of ISA 315 are summarised in the following table.

Let us consider each of these four stages in more detail.

1. Risk assessment procedures

ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risks, and these risks must then be considered when designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. ISA 315 goes on to identify the following three risk assessment procedures:

Making inquiries of management and others within the entity

Auditors must have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals.

Analytical procedures

Analytical procedures performed as risk assessment procedures should help the auditor in identifying unusual transactions or positions. They may identify aspects of the entity of which the auditor was unaware, and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks.

Observation and inspection

Observation and inspection may also provide information about the entity and its environment. Examples of such audit procedures can potentially cover a very broad area, including observation or inspection of the entity’s operations, documents, and reports prepared by management, and also of the entity’s premises and plant facilities.

ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion.

2. Understanding an entity

ISA 315 gives detailed guidance about the understanding required of the entity and its environment by auditors, including the entity’s internal control systems. Understanding of the entity and its environment is important for the auditor in order to help identify the risks of material misstatement, to provide a basis for designing and implementing responses to assessed risk (see reference below to ISA 330, The Auditor’s Responses to Assessed Risks), and to ensure that sufficient appropriate audit evidence is collected. Given that the focus of this article is audit risk, however, students should ensure that they also make themselves familiar with the concept of internal control, and the components of internal control systems.

3. Identification and assessment of significant risks and the risks of material misstatement

In exercising judgement as to which risks are significant risks, the auditor is required to consider the following:

  • Whether the risk is a risk of fraud.
  • Whether the risk is related to recent significant economic, accounting or other developments, and therefore requires specific attention.
  • The complexity of transactions.
  • Whether the risk involves significant transactions with related parties.
  • The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty.
  • Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

4. ISA 330 and responses to assessed risks

The requirements of ISA 330, The Auditor’s Responses to Assessed Risks, will be covered in a future article, but essentially ISA 330 gives guidance about the nature and extent of the testing required, based on the risk assessment findings.

Audit risk and business risk

For the purposes of the F8 exam, it is important to make a distinction between audit risk and business risk (which is not examinable in F8), even though ISA 315 itself does not make such a distinction clear. ISA 315(2) defines business risk as follows:

‘A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.’

Hence, business risk is a much broader concept than audit risk. Students are reminded that business risk is excluded from the FAU and F8 syllabus, although it is examinable in P7.

The audit risk model

Finally, it is important to make reference to the so-called traditional audit risk model, which pre-dates ISA 315, but continues to remain important to the audit process. The audit risk model breaks audit risk down into the following three components:

Inherent risk

This is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Control risk

This is the risk that a misstatement could occur in an assertion about a class of transaction, account balance or disclosure, and that the misstatement could be material, either individually or when aggregated with other misstatements, and will not be prevented or detected and corrected, on a timely basis, by the entity’s internal control.

Detection risk

This is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

The interrelationship of the three components of audit risk is outside the scope of this current article. F8 students, however, will typically be expected to have a good understanding of the concept of audit risk, and to be able to apply this understanding to questions in order to identify and describe appropriate risk assessment procedures.

The UK and Ireland perspective

The UK Auditing Practices Board announced in March 2009 that it would update its auditing standards according to the clarified ISAs, and that these standards would apply for audits of accounting periods ending on or after 15 December 2010. UK and Irish students should note that there are no significant differences on audit risk between ISA 315 and the UK and Ireland version of the standard.


The concept of audit risk is of key importance to the audit process and F8 students are required to have a good understanding of what audit risk is, and why it is so important. For the purposes of the F8 exam, it is important to understand that audit risk is a very practical topic and is therefore examined in a very practical context. Any definition or explanation of the audit risk model itself will usually only be allocated a small number of marks, but many students still include such definitions in answers to case study and scenario questions which require a practical application of audit risk assessment procedures. Students must also be prepared to apply their understanding of audit risk to questions and come up with appropriate risk assessment procedures.

Written by a member of the F8 examining team

  (1) IAASB Handbook 2009, Glossary of Terms.
  (2) ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment, paragraph 4 (b).

Related Links

  • The IAASB Clarity Project
  • Student Accountant hub



Western Illinois University


Internal Auditing

Risk Assessment Process

Risk assessment is the identification and analysis of relevant risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed.

During the risk assessment process, Internal Auditing identifies and assesses both the likelihood and potential impact of various risks to the organization. Internal controls are then identified and evaluated to determine how adequate they are in reducing risk to ensure that residual risk is at manageable levels. Residual risk is the risk that something will occur after controls or procedures are implemented to prevent it. In addition to audits required by state regulations, those activities or functions with higher levels of residual risk are typically selected for audits.

Developing the Audit Plan:

The WIU Office of Internal Auditing develops the annual audit plan using a risk-based approach. The annual risk assessment process occurs in late spring or early summer to facilitate the development of a two-year audit plan. Internal Auditing conducts the risk assessment process through discussions with management; review and analysis of budgets and proposed programs; and a systematic evaluation of risk factors covering the functional and organizational units of the University. Based upon the results of the risk analysis, a proposed audit plan is presented to the Senior Executive Cabinet for their review and approval. Upon consensus by the Cabinet, the audit plan is submitted to the University President for approval. Next, the audit plan is presented to the University Board of Trustees Audit Committee for their review and approval. The two-year plan is updated annually and may be modified as unplanned issues of potential risk are identified throughout the year. The plan is required to be completed before June 30th of each year for the next two fiscal year periods.


Internal Auditing Department Western Illinois University

Sherman Hall 310 1 University Circle Macomb, IL 61455 USA

Phone: (309) 298-1664

© 2015 Western Illinois University. All Rights Reserved.

Audit Risk Assessment: The Why and the How

By Charles Hall | Auditing

Today we look at one of the most misunderstood parts of auditing: audit risk assessment.

Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation. Below you’ll see how to use risk assessment procedures to identify risks of material misstatement. You’ll also learn about the risk of material misstatement formula and how you can use it to plan your engagements.

Audit Risk Assessment as a Friend

Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?

This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.

So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:

  • We don’t understand it
  • We’re creatures of habit

Too often auditors continue doing the same as last year (commonly referred to as SALY)–no matter what. It’s more comfortable than using risk assessment.

But what if SALY is faulty or inefficient?

Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).

Are We Working Backwards?

The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:

  1. Determine the risks of material misstatements (plan our work)
  2. Develop a plan to address those risks (plan our work)
  3. Perform substantive procedures (work our plan) and test controls for effectiveness (if planned)
  4. Issue an opinion (the result of planning and working)

Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.”

In other words, we work backwards.

So, is there a better way?

A Better Way to Audit

During the initial planning phase of an audit, an auditor should do the following:

  1. Understand the entity and its environment
  2. Understand entity-level controls
  3. Understand the transaction level controls
  4. Use preliminary analytical procedures to identify risk
  5. Perform fraud risk analysis
  6. Assess risk

While we may not complete these steps in this order, we do need to perform our risk assessment first (1.-4.) and then assess risk.

Okay, so what procedures should we use?

Audit Risk Assessment Procedures

AU-C 315.06 states:

The risk assessment procedures should include the following:

  • Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor’s professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
  • Analytical procedures
  • Observation and inspection

I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.

Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.

First, we need to understand the entity and its environment.

Understand the Entity and Its Environment

The audit standards require that we understand the entity and its environment.

I like to start by asking management this question: “If you had a magic wand that you could wave over the business and fix one problem, what would it be?”

The answer tells me a great deal about the entity’s risk.

I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.

Think of risks as threats to objectives. Your client’s fears tell you what the objectives are–and the threats. 

To understand the entity and its related threats, ask questions such as:

  • How is the industry faring?
  • Are there any new competitive pressures or opportunities?
  • Have key vendor relationships changed?
  • Can the company obtain necessary knowledge or products?
  • Are there pricing pressures?
  • How strong is the company’s cash flow?
  • Has the company met its debt obligations?
  • Is the company increasing in market share?
  • Who are your key personnel and why are they important?
  • What is the company’s strategy?
  • Does the company have any related party transactions?

As with all risks, we respond based on severity. The higher the risk, the greater the response.

Audit standards require that we respond to risks at these levels:

  • Financial statement level
  • Transaction level

Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.

Responses to risk at the transaction level are more specific, such as a search for unrecorded liabilities.

But before we determine responses, we must first understand the entity’s controls.

Understand Transaction Level Controls

We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?).

So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.

AU-C 315.14 requires auditors to evaluate the design of their client’s controls and to determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as any other requirement of AU-C 315 – Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.

Some auditors excuse themselves from this audit requirement saying, “the entity has no controls.”

All entities have some level of controls. For example, signatures on checks are restricted to certain persons. Additionally, someone usually reviews the financial statements. And we could go on.

The AICPA has developed a practice aid that you’ll find handy in identifying internal controls in small entities.

The use of walkthroughs is probably the best way to understand internal controls.

Sample Walkthrough Questions 

As you perform your walkthroughs, ask questions such as:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports and who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.

So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.

This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.

Audit risk assessment

In an AICPA study regarding risk assessment deficiencies, 40% of the identified violations related to a failure to gain an understanding of internal controls.

Need help with risk assessment walkthroughs?

See my article Audit Walkthroughs: The What, Why, How, and When.

Another significant risk identification tool is the use of planning analytics.

Preliminary Analytical Procedures

Use planning analytics to shine the light on risks. How? I like to use:

  • Multiple-year comparisons of key numbers (at least three years, if possible)

In creating preliminary analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)

You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information, see my preliminary analytics post.)

Sometimes, unexplained variations in the numbers are fraud signals.

Identify Fraud Risks

In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?

Also, we should plan procedures related to:

  • Management override of controls, and
  • The intentional overstatement of revenues

My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.

Same Old Errors

Have you ever noticed that some clients make the same mistakes—every year? (Johnny–the controller–has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).

One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.

Now it’s time to pull the above together.

Creating the Risk Picture

Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image.

Synthesis of risks

What are we bringing together? Here are examples:

  • Control weaknesses
  • Unexpected variances in significant numbers
  • Entity risk characteristics (e.g., level of competition)
  • Large related-party transactions
  • Occurrences of theft

Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.

How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.

Assess the Risk of Material Misstatement

Understanding the risk of material misstatement formula is key to identifying high-risk areas.

What is the risk of material misstatement formula?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.

Once you have completed the risk assessment process, control risk can be assessed at high–simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time.

The Input and Output

The inputs in audit planning include all of the above audit risk assessment procedures.

The outputs (sometimes called linkage) of the audit risk assessment process are:

  • Audit strategy
  • Audit plan (audit programs)

Linking risk assessment to audit planning

We tailor the strategy and plan based on the risks.

In a nutshell, we identify risks and respond to them.

Next in the Audit Series

In my next post, we’ll take a look at Auditing for Fraud: The Why and How.

Audit Risk Assessment Made Easy – My New Book

My new book titled Audit Risk Assessment Made Easy is now available on Amazon. I’ve been working on this for over a year and a half. I think you’ll find it to be a valuable resource in understanding, documenting, planning, and performing risk assessment procedures.

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.

Bobby, We still use the summary risk assessment form from PPC. Not sure about the peer review comment. Significant risks are those that require special attention; they are usually complex estimates. Significant risks always result in high inherent risk.

Any control risks assessed at below high must be supported by a test of controls (e.g., test of 40 transactions to see if the control is working).

All significant accounts (those with a high volume of transactions such as cash) or significant balances require some type of substantive procedures, even if the risk of material misstatement is low.

Hope this helps.

I summarize all risks of material misstatements on my summary risk assessment form. This form was no longer available. Any way you can email? I use the PPC form and interested in your design. If the control environment is strong – low risk and control risk is low from strong controls the risk of material misstatement would not be considered Significant. However, if the account balance was material it could still be considered a Sig Risk with expanded audit procedures? Just had a peer review remark a while ago that questioned why we indicated a sig risk for the aforementioned scenario.

Appreciate your input

What is Audit Risk & How to do Risk Assessment?

An audit is the inspection of an organization's accounts, followed by a physical inventory check, to ensure that all departments maintain a documented system for recording transactions.

It is done to make sure the organization's financial accounts are accurate. Let us look in detail at audit risk assessment procedures and the auditor's approach to risk assessment.

What is Audit risk? 

Audit risk is the risk that the auditor fails to detect errors while examining a company's financial statements, and it can be addressed with a good risk assessment. Auditors can manage audit risk through appropriate risk assessment and audit planning. This includes identifying and evaluating inherent and control risks and developing appropriate audit procedures to address those risks. Furthermore, auditing firms should have malpractice insurance to manage the legal liability arising from audit risk.

Audit risk exposes auditors to legal liability and penalties if they provide an unqualified opinion on financial statements that include a substantial misrepresentation that breaches laws or regulations. For example, Amazon was recently penalized $886 million for suspected GDPR violations.

Understanding Material Misstatements

Material misstatements arise in two forms. One is fraud, and the other is internal error. When the company's internal audit team intentionally issues a wrong financial statement to cover a fraudulent act, it is considered fraudulent financial reporting.

When the company fails to follow the accounting standard, primarily due to the carelessness of the management, it leads to errors in maintaining the financial statements. The negligence of the company's internal team causes this error. To reduce audit risk, auditing firms must apply appropriate audit procedures in many ways.

Audit Risk Types

The types of audit risk are inherent risk, control risk and detection risk. Inherent risk and control risk together are called the risk of material misstatement. A balanced audit risk model comprises all three audit risks. By balancing it, an auditor can determine how comprehensive the audit work is.

1. Inherent Risk

Inherent risk is the possibility of material misstatements in the client's financial statements. The incorrect information may be an error or omission in a financial statement, primarily due to a factor other than an error that the internal audit team failed to correct.

Inherent risk occurs when the financial transactions are complex and the company's business model is complicated. This risk becomes a worst-case scenario only when the internal team fails to find the error. Companies must have an internal audit team with high financial qualifications to reduce the occurrence of inherent risk.

2. Control risk

The control risk is when the client's internal audit department fails to detect the potential material misstatement. The client's internal audit team or internal controls use accounting and auditing processes in their financial department to reduce the control risk. 

The internal audit department uses the internal auditing processes that the company's finance department insists on. These processes ensure correct financial reporting, reducing miscalculations and errors. The internal team assists clients in adhering to rules and regulations and guards against employee fraud and asset theft. It helps to maintain efficiency by identifying problems and correcting errors before they are detected by an external audit firm.

3. Detection risk

The detection risk is that the Auditor fails to detect the existing material misstatement in the client's financial statements. These material misstatements may be due to either fraud or error. Auditors use audit processes to find these inaccuracies. The detection risk can be avoided with correct audit procedures.

The presence of detection risk is unavoidable, and the auditor's goal must be to reduce the risk as far as possible. Auditors should perform the various procedures needed to limit detection risk and keep it at an acceptable level in overall performance.

Risk Assessments Procedure

A risk assessment identifies and evaluates risks and uses that information to guide the audit procedures required to justify the amounts stated in the financial statements.

In a risk assessment audit approach, risk serves as the foundation for the audit plan. However, the audit plan is typically constructed from an audit universe consisting of departments or procedures, despite many audit departments believing they are risk-based.

An accurate risk-based audit approach begins with evaluating the most significant risks to management. All planned audits are created to address such risks and give senior management information.

Let us see the approaches to Risk Assessment by Auditors.

1. Quick Assurance

Rapid Assurance entails conducting all elements of a typical assurance engagement in a condensed period with a commitment to just one week of fieldwork to reduce audit exhaustion in processes where documentation is vital. Typically, Rapid Assurance is broken down into three steps, each lasting 3-5 weeks:

  • Planning and research for the auditor (1-2 Weeks)
  • Fieldwork on-site (1 week)
  • Finish testing and writing reports (1-2 weeks) 

The auditor should possess good project management discipline and an in-depth understanding of the processes being audited due to the compressed period.

2. Real-Time Feedback

In Project Assurance, the auditor assesses the project team's governance, risk management, and control ability to immediately recognize and address project-related hazards. They also assume the facilitator position by encouraging the discussion of risk and control throughout a project.

A subject matter expert or guest auditor who can help spot hazards would be an excellent choice to execute a Project Assurance method, as would an auditor with past expertise in project or program execution.

3. Facilitated Self-Assessment

Using this workshop-style method, a department can review and commit to enhancing governance, risk management, and internal controls for a process or function. After all, someone is more motivated to solve a problem if they are part of its identification.

An auditor must be adept at facilitating small groups and flexible to change course midstream. A department assists in identifying and committing to improving its response to the particular issues encountered with the support of an external mentality and the capacity to encourage effective risk management and control behaviors.

4. Framing Assurance

A method based on maturity models enables auditors and audit clients to evaluate a process's efficacy while identifying the skills required to enhance the process to achieve goals. The two options are using Capability Maturity Model Integration (CMMI) or creating customized models.

The auditor must feel at ease describing standard maturity models, like CMMI, and their technique for developing a unique model.

5. Data Analytics

Audit engagements can include data analysis tools to deliver deeper insights, improved risk management, and operational efficiency.

Data analytics will be more accessible if database administrators and reporting teams work together. The ideal auditor will be able to create scripts and be analytical, technical, and logical in their thinking. It would be best not to let a lack of technical expertise keep you from using data analytics.

Risk Audit and Assessment Services

With the proper risk audit and risk assessment procedures, auditors can improve their performance and provide good results to their clients. The auditor's correct mindset for tackling risks, together with a collection of risk-based approaches, makes it possible to have accurate results and a positive impact on the organization.

In case you are concerned about risks in your audit statement, you can always reach out to us! BMS Auditing is a global audit firm that provides risk audit and assessment services to businesses around the world. We conduct a comprehensive review of the business's operations, financial statements, and internal controls. Based on the findings of the review, BMS Auditing creates a risk assessment report that outlines the identified risks and how to improve its internal controls and risk management processes.
