Page 62 - Internal Auditing Standards
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Risk Assessment
A risk assessment process provides management with the information needed to determine what business/
fraud risks should be managed, and the actions (if any) to be taken. Management may initiate plans,
programs, or actions to address specific risks, or it may decide to accept a risk because of cost or other
considerations.
If the entity’s risk assessment process is appropriate to the circumstances, it will assist the auditor in identifying
risks of material misstatement. A risk assessment process would normally address such matters as:
• Changes in operating environment;
• New senior personnel;
• New or revamped information systems;
• Rapid growth;
• New technology;
• New business models, products, or activities;
• Corporate restructurings (including divestitures and acquisitions);
• Expanded foreign operations; and
• New accounting pronouncements.
In smaller entities where a formal risk assessment process is unlikely to exist, the auditor would discuss with
management how business risks are identified and how they are addressed.
Matters the auditor should consider are how management:
• Identifies risks relevant to financial reporting;
• Estimates the significance of the risks;
• Assesses the likelihood of their occurrence; and
• Decides upon actions to manage them.
If the auditor identifies risks of material misstatement that management failed to identify, he/she should
consider:
• Why did management’s processes fail?
• Are the processes appropriate to the circumstances?
If a significant deficiency exists in the entity’s risk assessment process (or there is no process at all), it would be
communicated to management and those charged with governance.