Risk Management & Audit Risk. Dr. Gholamhossein Davani, Member of High Council of Iranian Association of Certified Public Accountants (IACPA). IICA, IMA, AAA, CFE, IIA, BAA, EAA, CAAA

Risk Assessment and Management Summary

DESCRIPTION

Definition of risk assessment

Page 1: Risk Assessment and Management Summary

Risk Management & Audit Risk

Dr. Gholamhossein Davani
Member of High Council of Iranian Association of Certified Public Accountants (IACPA)
IICA, IMA, AAA, CFE, IIA, BAA, EAA, CAAA

Page 2: Risk Assessment and Management Summary

Generally, risk management is the process of measuring or assessing risk and developing strategies to manage it. Strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Traditional risk management focuses on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death, and lawsuits).

Page 3: Risk Assessment and Management Summary

The Risk Assessment and Management Summary should include:

• A methodology section explaining the risk definition and process used;

• The identification of the parties involved in the process;

• A Risk Matrix to explain the criteria and define the levels of impact and likelihood;

• Identification of sources of risk, assessment of the likelihood and impact of those risks, including the underlying assumptions made and a discussion of risk mitigation actions (including management controls) taken and planned; and

• A summary of the key risks and a discussion of how they will be used to inform decisions on the nature and extent of monitoring (including performance measurement), recipient and internal auditing and evaluation.

Page 4: Risk Assessment and Management Summary

What is an RBAF?

• The Risk-Based Audit Framework (RBAF) is a management document that explains how risk concepts are integrated into the strategies and approaches used for managing programs that are funded through transfer payments.

• The RBAF provides:

– background and profile information on the transfer payment program, including the key inherent risk areas (internal and external) that the program faces;

– an explicit understanding of the specific risks which may influence the achievement of the transfer payment program objectives;

– a description of existing measures and proposed incremental strategies for managing specific risks; and

– an explanation of monitoring, recipient auditing, internal auditing, and reporting practices and procedures.

Page 5: Risk Assessment and Management Summary

Audit Process

• Understanding of the entity & its environment

• Assessing the entity’s business risks

• Evaluate how the entity responds to these risks

• Assess the risk of material misstatement due to error or fraud

Page 6: Risk Assessment and Management Summary

SOX Audit Opinion

[Figure: flowchart starting from Management's Report on Internal Control (IC). Box labels: "IC Weakness: Material Misstatements could occur"; "IC Weakness: Misstatements DID Occur"; "No Identified IC Weakness"; "Restate financial statements"; "Audit". Outputs: Audit Opinion #1 (Auditor's Report on Management's Assessment of IC), Audit Opinion #2 (Auditor's Report on IC Effectiveness), Audit Opinion #3 (Financial Statement Audit Opinion).]

Page 7: Risk Assessment and Management Summary

Potential Audit Opinions

[Figure: chart of the possible outcomes for the three audit opinions.]

• Audit Opinion #1, Auditor's Report on Management's Assessment of IC: Unqualified ("Fairly Stated") or Not Unqualified*

• Audit Opinion #2, Auditor's Report on IC Effectiveness: No Deficiencies ("Maintained Effective Controls") or Deficiencies ("Not Maintained Effective Controls")

• Audit Opinion #3, Financial Statement Audit Opinion: "Fairly Stated", "Not Fairly Stated" or No Opinion

The chart also carries the counts "163 Firms" and "7 Firms".

Page 8: Risk Assessment and Management Summary

Risk Interrelated Factors

• Audit risk (AR) is the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. Audit risk is the product of the following three interrelated factors:

• IR = Inherent risk (the risk that an assertion is susceptible to a material misstatement, assuming there are no related controls)

• CR = Control risk (the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control)

• DR = Detection risk (the risk that the auditor will not detect a material misstatement that exists in an assertion)

Page 9: Risk Assessment and Management Summary

Thus, the "mathematical" depiction of the audit risk model in simple terms is

AR = IR x CR x DR

Despite the precision implied by rendering the model in mathematical terms, in reality it is highly judgmental. The objective in an audit is to limit audit risk (AR) to a low level, as judged by the auditor.

Page 10: Risk Assessment and Management Summary

Audit Risk Model

AR = IR x CR x DR

• Set a planned level of audit risk

• Assess inherent risk and control risk

• Determine appropriate level of detection risk

Page 11: Risk Assessment and Management Summary

Types of Misstatements

– Difference between a reported financial statement (F/S) element and what would have been reported under GAAP

– Omission of a F/S element

– F/S disclosure that is not presented in accordance with GAAP

– Omission of information required to be disclosed in accordance with GAAP