The development and evaluation of risk-based audit approaches
MetadataShow full item record
English: The purpose of the study is to trace the development of risk-based audit approaches, in order to understand the complexities and difficulties of these approaches, as well as to evaluate these risk-based audit approaches, with the objective of assisting in the process of improving the risk-based audit approach followed by the audit profession. The only defence auditors have against the anger (or frustration) of stakeholders in instances of corporate failures is sufficient, appropriate audit evidence that proves their innocence. This audit evidence will be the result of a well-planned and performed audit. An audit approach, currently a risk-based audit approach, is therefore a crucial component in the performance of an audit. Changing the risk-based audit approach is a normal consequence of the striving for the improvement and development of the services that the auditing profession provides. In developing the risk-based audit approach, there are certain complexities surrounding an audit that should be considered. The major complexities in the performance of an audit are: first, the expectation gap; second, the uncertainties surrounding the responsibilities of the auditor; third, the provision of reasonable assurance, and fourth, the practical implementation of audit standards. The auditing profession should, during this continuous process of changing the auditing standards and guidance, consider and evaluate changes against the theoretical foundations of auditing to support the credibility of the audit process. The theoretical framework that formed the background of this study is discussed in the second chapter, including the meaning of “risk-based audit approaches”. Audit approaches are discussed that developed before the acceptance of the risk-based audit approach, together with audit approaches that were never followed or accepted by practitioners, and which influenced the development of risk-based audit approaches. The development of the first risk-based audit approach, the statistical audit risk approach (audit risk model) that originated from the Elliott and Rogers model is discussed in the third chapter. The critique on the statistical audit risk approach is summarised and consists mainly of the following: that the audit risk model’s event structure is ill-defined and that the risk components lack independence, which is a basic assumption for the use of the multiplicative formula. The risk components are complex and interdependent and are difficult to assess therefore, practitioners prefer to assess these risk components in linguistic terms e.g. low, medium and high. The multiplicative rule does not provide protection against an understatement of audit risk if the audit outcome space is not completely specified and when a revision of the audit plan is needed. The aggregation of the individual risks is problematic and therefore the audit risk model should be used only for planning purposes. The development of the inherent risk audit approach (audit risk model from a conceptual perspective) is discussed in the fourth chapter. The critique against the inherent risk audit approach includes the unsuccessful decomposition structure of audit risk, due to the interdependency of inherent risk and control risk. The concept of “inherent risk” is also too broad and vague. The business risk audit approach is also discussed in the fourth chapter. This approach was developed by audit firms as an intended improvement on the inherent risk audit approach and is still widely used. The main critique against the business risk audit approach is the lack of a clear link between business risks and possible risks of material misstatement. The “risk-process audit approach” is addressed in the fifth chapter. For the purposes of this study, the name of the current risk-based audit approach is the risk-process audit approach. The reason for this formulation is the emphasis in the audit risk standards on the risk management tasks. The concept of “risk” in the performance of the task of identification of risks is, in essence, a choice in which the auditor has the freedom to choose an approach, and is referred to as “risk of material misstatement”. The concept of “risk of material misstatement” is much broader and different from the suggested definition in the auditing standards, and includes the consideration of potential misstatements according to the assertions on the assertion level (assertion-focus), and lacks conceptual clarity. The criteria for the task of “assessment of identified risks” are as follows: the different types of assertions are used as the criteria for assessing risks of material misstatements through the identification of possible misstatements. The concept of “misstatements” is the criterion used to consider the likelihood of misstatement(s), and the concept of “planning materiality” is used to consider the magnitude of misstatement(s). In the sixth and final chapter of this study, the development of risk-based audit approaches is summarised through a comparison of the risk-based audit approaches. In the future development of the current risk-process audit approach it is suggested that a fourth aspect, the significance of audit procedures, additional to the current nature, timing and extent of audit procedures maybe considered in respect of aspects that influence the response to risks of material misstatement included in the audit plan. Furthermore, the definition of the concept of “risk of material misstatement” could include the assertionfocus. The importance and possibilities of the division of audit planning in the financial statement level and the assertion level is also not yet fully considered. In conclusion, the author believes that the history of risk-based audit approaches has repeated itself and that the development of the risk-based audit approach and changes thereto were not considered against, and based on a sound foundation of auditing theory.