Page 46 - Internal Auditing Standards

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts




        4.4    Firm Risk Assessment

        Risk management is an ongoing process that helps a firm to anticipate negative events, develop a framework
        for effective decision-making, and profitably deploy the firm’s resources.

        Some form of risk management occurs in most firms, and it is often informal and undocumented. Individual
        partners typically identify risks and respond to them based on their direct involvement with the firm and
        with their clients. Formalizing and documenting the process for the firm as a whole is a proactive and
        more effective approach to risk assessment. This does not have to be time-consuming or cumbersome to
        implement. Notably, effectively managing the firm’s risk assessment can result in less stress for partners and
        staff, savings in time and costs, and improved chances of achieving the firm’s goals.


        A simple risk assessment process can be used in any size of firm, even a sole proprietorship. It consists of the
        activities set out below.
        Exhibit 4.4-1

         Activity              Description
         Establish the Risk    These tolerances could be quantitative amounts, such as allowable write-offs of
         Tolerances for the    work in process, or qualitative factors, such as characteristics of clients that would
         Firm                  not be acceptable to the firm. Once established, these tolerances provide partners
                               and staff with a useful reference point for decision-making (e.g., write-offs and client
                               acceptance, etc.).
         Identify What Can     Identify the events (that is, the risk factors or exposures) that could prevent the firm
         Go Wrong              from achieving its stated goals. This step implies that the firm has already established
                               clear objectives and a commitment to performing quality work.
         Prioritize Risks      Using the risk tolerances established above, prioritize the events identified based on
                               an assessment of likelihood and impact.
         What is the           Develop an appropriate response to the assessed risks to reduce the potential impact
         Response              to within the firm’s acceptable tolerances. Potential events (risks) with the highest
         Needed?               priority would be addressed first.
         Assign                For all risks that require action or monitoring, assign someone with the responsibility
         Responsibility        to take the appropriate action and to manage the risk on a day-to-day basis.
         Monitor Progress      Require periodic (simple) reports from each person assigned to manage risks on
                               behalf of the firm (this could address matters such as compliance with the firm’s
                               quality control procedures, training requirements, staff appraisals, and independence
                               issues addressed).

        A sample of a firm’s risk assessment worksheet could be as shown in the following exhibit.
















