How to Perform a Risk-Based Audit


A risk-based audit has three key steps, as illustrated below.

Risk Assessment

Description: Performing risk assessment procedures to identify and assess the risks of material misstatement in the financial statements.

This includes the assessment of significant risks, control deficiencies, and identified or suspected non-compliance with laws and regulations that will be addressed in the audit and communicated to those charged with governance (TCWG).

The auditor would also select Key Audit Matters (KAM) for inclusion in the auditor’s report for listed entities and for all audits where ISA 701, related to key audit matters, is to be applied as required by local law, regulation or voluntarily.

Risk Response

Description: Designing and performing further audit procedures that respond to identified and assessed risks of material misstatement, at both the financial statement and assertion levels.

Reporting

Description: This involves:

  • Forming an opinion based on the audit evidence obtained and the evaluation of the financial statement presentation and disclosures; and
  • Preparing and issuing a report that is appropriate to the conclusions reached.

A simple way of describing the three elements is illustrated below.


* an “event” is simply a business or fraud risk factor. This would also include risks resulting from the absence of internal control to mitigate the potential for material misstatements in the financial statements.

The various tasks involved in each of these three phases are outlined below.


Risk Assessment

  1. Refer to ISA 230 for a more complete list of documentation required.
  2. Planning (ISA 300) is a continual and iterative process throughout the audit.
  3. RMM = Risks of material misstatement.

An effective risk assessment phase would include the following.

Up-Front Involvement of Senior Team Members

The engagement partner and other key members of the engagement team need to be actively involved in planning the audit, and in planning and participating in the discussion among engagement team members.

This will ensure the audit plan takes advantage of their experience and insight.

Note that the ISAs generally use the term “auditor” to refer to the person(s) performing the engagement.

Where an ISA intends a requirement or responsibility be fulfilled by the engagement partner, the term “engagement partner” rather than “auditor” is used.

An Emphasis on “Professional Skepticism”

The auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance.

Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional skepticism, or allow the auditor to be satisfied with less-than-persuasive audit evidence when obtaining reasonable assurance.


The time spent in audit planning (developing the overall audit strategy and audit plan) will ensure that audit objectives are properly met, and that the work of audit staff is always focused on gathering evidence on the most critical areas of potential misstatement.

Team Discussions and Ongoing Communication

A team planning discussion/meeting with the engagement partner present provides an excellent forum for:

  • Informing staff about the client in general and discussing potential risk areas;
  • Discussing the effectiveness of the overall audit strategy and the audit plan and then making changes as necessary;
  • Brainstorming how fraud could occur and then designing an appropriate response;
  • Discussing disclosures where there are higher risks of material misstatement; and
  • Allocating audit responsibilities and setting time frames.

Ongoing communication among the audit team throughout the engagement is also important, for example discussing and addressing audit issues, unusual activities or possible indicators of fraud.

This will enable timely communications to management and, where necessary, changes to the audit strategy and audit procedures.

Focus on Risk Identification

The most important step in a risk assessment process is to identify all the relevant risks.

If business and fraud risk factors are not identified by the auditor, they will not be assessed or documented, and an appropriate audit response will not be designed.

This is why well-designed risk assessment procedures are so important to the effectiveness of the audit.

These risk assessment procedures also need to be performed by the appropriate level of staff.

Financial Statement Disclosures

In assessing risks, disclosures in the financial statements are also taken into account.

Disclosures in the financial statements of SMEs may be less detailed or less complex (for example, some financial reporting frameworks allow smaller entities to provide fewer disclosures in their financial statements).

However, this does not relieve the auditor of the responsibility to obtain an understanding of the disclosures and to assess the risks of material misstatement in those disclosures that are required.

Ability to Evaluate Management’s Response(s) to Risk

A key step in the risk assessment process is to evaluate the effectiveness of management’s responses (that is, management’s control design/implementation), if any, to mitigate the identified risks of material misstatement in the financial statements.

In smaller entities, more reliance will likely be placed on the control environment (such as the competence and integrity of management) and less on traditional control activities (such as segregation of duties).

Use of Professional Judgment

The ISAs require the use, and then the documentation, of the significant judgments made by the auditor throughout the audit.

Typical examples of tasks throughout the risk assessment process include:

  • Deciding to accept or continue with the client;
  • Developing the overall audit strategy;
  • Establishing materiality;
  • Assessing risks of material misstatement, including the identification of significant risks and other areas where special audit consideration may be necessary; and
  • Developing expectations for use when performing analytical procedures.

Risk Response

In this phase, the auditor considers the reasons (inherent and control risks) for the risk assessments at the financial statement level and at the assertion level (for each class of transactions, event, account balance, and disclosure), and develops responsive audit procedures.

The auditor’s response to the assessed risks of material misstatement is documented in an audit plan that:

  • Contains an overall response to the risks identified at the financial statement level;
  • Identifies the material financial statement areas and significant disclosures; and
  • Contains the nature, extent, and timing of specific audit procedures tailored to respond to the assessed risks of material misstatement at the assertion level.

The overall responses address assessed risks of material misstatement at the financial statement level.

Such responses would include the assignment and supervision of appropriate personnel, need for professional skepticism, the extent of corroboration required for management’s explanations/representations, consideration of the type of audit procedures to be performed, and what documentation would be examined in support of material transactions.

Further audit procedures generally consist of substantive procedures such as tests of details, analytical procedures, and tests of controls (where there is an expectation that such controls have been operating effectively during the period).



Some of the matters the auditor should consider when planning the appropriate mix of audit procedures to respond to identified risks include the following:


Use of tests of controls

  • Identify relevant internal controls that, if tested, would reduce the need/scope for other substantive procedures.
    • As a general rule, the sample size for testing controls is often significantly less than that of a substantive test of a transaction stream.
    • Assuming that the relevant controls operate consistently and control deviations are unlikely, the use of tests of controls can often result in less work being performed.
    • However, there is no requirement that the operating effectiveness of internal controls (direct or indirect) be tested.
  • Identify any assertions that cannot be addressed by substantive procedures alone. For example, this can often apply to completeness of sales in a small entity, and to situations where there is highly automated processing of transactions (such as Internet sales) with little or no manual intervention.

Substantive Analytical Procedures

These are procedures for which the total amount of a transaction stream can be reliably predicted based on available evidence.

This expectation is compared to the actual amount in the accounting records, and the extent of any misstatement is readily identified.

In some cases, if the assessed risk for a particular assertion is low (without considering related controls), the auditor may determine that substantive analytical procedures alone would provide sufficient appropriate audit evidence.

Unpredictability

The need to incorporate an element of unpredictability into the procedures performed, such as when responding to a risk of material misstatement due to possible fraud.

For example, visits to inventory count locations could be unannounced or certain procedures could be carried out prior to the year-end that are unannounced.

Unpredictability also needs to be considered in how much information is provided to management with regard to planned audit procedures and their timing.





Management override

The need for specific audit procedures to address the potential for management override.

Significant risks

The audit response to “significant risks” that have been identified.

Reporting

The final phase of the audit is to assess the audit evidence obtained and determine whether it is sufficient and appropriate to reduce audit risk to an acceptably low level.

It is important during this phase of the audit to determine:

  • Any change in the assessed level of risk;
  • Whether conclusions drawn from the work performed are appropriate;
  • If any suspicious circumstances have been encountered; and
  • That additional risks (not previously identified) have been appropriately assessed and further audit procedures performed as required.

A team debriefing meeting (towards or at the end of the fieldwork) is not a specific requirement of the ISAs, but can be useful for staff to discuss the audit findings, identify any indications of fraud, and determine the need (if any) to perform any further audit procedures.

When all procedures have been performed and conclusions reached:

  • Audit findings should be reported to management and those charged with governance; and
  • An audit opinion should be formed and a decision made on the appropriate wording for the auditor’s report.