Risk Based Auditing

7/18/2019 Risk Based Auditing

http://slidepdf.com/reader/full/risk-based-auditing-56919454d8d0f 1/16

Risk-Based

Auditing:

A New

Approach



opponents in a chess match, each seeing the playing field (in this case, the business) from his

or her particular point of view.

In a risk-based audit, the auditor sits on the same side of the desk as the client. Now the clienthas a partner, an ally, since both are viewing the business from the same perspective.

The Limitations of the Traditional Approach

Now, let’s get specific about the business of construction. In a traditional audit, auditors

typically make all of their audit decisions on the basis of materiality, which is a percentage (or

a fraction of a percentage) of a contractor’s volume. The inter nal controls established by the

contractor are not extensively evaluated for audit-efficiency purposes because the focus is on

verifying the numbers presented in the financial statements. In the end, the auditor verifies

what the contractor already knows – the company made money on some jobs and lost some on

others. Then, the contractor gets a bill and the process repeats itself again next year.

In some situations, this is the only approach auditors can take because of the weak control

environment present in the company. Generally, when weak internal controls exist, manage-

ment has made a conscious decision that internal controls are not as important as other aspects

of the business. However, a weak control environment is a glaring risk in and of itself, and is

something which should be brought to the attention of management. While the traditional

audit approach works within a weak control environment, a risk-based audit identifies these

weaknesses so that management can take the proper steps to strengthen internal controls.

September/October 2006

The Advantages of the Risk-Based Approach

While a risk-based audit focuses on the numbers, it also focuses on understanding the business

activity that drives those numbers. It involves “getting into the heads” of key personnel and

understanding how they think and what information they use to make their decisions. Here are

some of the issues typically addressed in a risk-based audit:

. • How is this particular construction business distinguished from its competition – what

is its competitive edge?



. • Strategically, what are the contractor’s short-

and long-term goals?

. • What are the short- and long-term obstacles (such as labor or material shortages) the

company must overcome to reach its goals, and how does it plan to do so?

.

• What are the day-to-day operational problems encountered by key management?

. • How has management addressed any opera

tional weaknesses?

. • What operational controls are in place to

ensure that contracts are being executed, and

that work is being performed in accordance

with internal policies and procedures?

. • What internal controls are in place to ensure

that the financial accounting and reporting

function is without error or fraud?

. • How does management ensure the accuracy of the financial information used to make

important decisions?. • Historically, what personnel within the company are inexperienced or have performed

at a lower level than their peers?

In other words, in a risk-based audit, it is incumbent upon the auditor to understand all the

particulars of the construction business being audited.

The Steps in a Risk-Based Audit

Providing this new level of service requires new ways of preparing for and conducting the audit

itself. When adopting the risk-based audit approach, we auditors find ourselves doing more up-

front planning and preliminary analysis. We spend more time understanding the company’s

operational controls, as well as the internal controls as they relate to the financial reporting

function. From an auditor’s standpoint, this preliminary work is very rewarding; by the time we



actually get into the fieldwork, we often know the answers to many of these questions before we

ask.

Here are the three basic steps of a risk-based audit:

Step 1: Question Al l Key Players

As soon as possible, the auditor sits down with the President/CEO/owner – the person who can

talk about the short- and long-term risks and goals for the company. We want to know:

. • What is the biggest risk facing the company in the next year? The next 5 years?

. • Are there plans to mitigate those risks?

. • What problems has the business encountered this year?

. • Are there any specific concerns which we should be aware of as we conduct this audit?

. • What should we expect to see in the numbers?

In addition, we follow up on issues from the prior year’s audit. Then, we go down the line,

talking to key members of management, starting with the CFO, asking similar questions relating

to their area of responsibility. It can also be helpful at this stage to talk with the bonding agent

and other professional su pport providers. Even the client’s attorney can provide useful

information in the planning stage.

From an auditor’s standpoint, this initial process helps in for mulating the audit procedures. At

this stage, we are developing audit expectations and, hopefully, getting corroborating audit

evidence to use when performing the actual audit. We’re also learning what’s new in the

company and assessing how we can be of the most value to our client.

Step 2: Document the Contr ols

Next, the contractor’s internal and operational controls are documented in detail. For a

construction company, the controls at the jobsite and the flow of information from the job-site to

the office (and vice versa) can be as important as the internal controls within the office. At this

stage in the process, we auditors are constantly asking, “Why?” Why is this policy in place?

Why is that superintendent not held to the same deadlines as the others? What risk has

management unknowingly accepted and why?

All of this questioning may seem very painful from manage-ment’s perspective. No one likes to

talk about policies, procedures, and internal controls. However, internal controls aren’t limited



to ensuring that the company has adequately segregated the duties in the accounting department;

there are other controls occurring well outside the accounting area that must also be evaluated.

In order to properly conduct a risk-based audit, we must have a thorough understanding of the

standard operating procedures of the business. By asking the hard questions, significant

weaknesses can be identified. Some of the questions an auditor might ask include:

.

• What kind of monitoring or oversight is in place for the estimating process?

. • Do estimators submit bids without a second

review of their take-offs?

. • How does management ensure that equipment charges are fairly allocated to the jobs

where the equipment is being used?. • Is the company relinquishing profits on a

T&M or cost-plus contract by not providing

for equipment rental charges?

These types of questions, and the answers received, are critical to the success of the risk-based

audit.

CFMA Building Profits • September/October 2006

Step 3: Analyze the I nformati on

In the third phase of a risk-based audit, the financial information undergoes an initial analytical

review, and audit procedures are developed. The goal here is to perform as much of the audit as

possible using an analytical approach, instead of tests of details. If we, as your auditors, believe

that internal controls are operating effectively, we may do a test of controls and limit some other

detail tests. If risks and controls have been adequately identified and evaluated, we can then

develop our analytical procedures based on expectations about what the financial information

should indicate.

Because we have already made inquiries and accumulated information from the key members of



management, we can base our analytical procedures on this information. I f the numbers don’t

meet our expectations, we would then have an obligation to perform further procedures.

As an example, the job schedule for standard contractors is a key piece of information and one

that we need early in the audit for risk analysis. In fact, we may have this information in front of

us before we do Steps 1 and 2 above. No matter what our analysis of risk in the preliminary

stages of the audit reveals, estimates of management (which are in the job schedule) always become the focal point when we talk about risk. So, the job schedule is analyzed separately to

determine which jobs represent the most risk. The following are some of the factors used in

making these decisions:

. • Percent complete at balance sheet date

. • Size of contract

. • Type of contract (fixed-price, T&M, cost-plus)

.

• Experience of contractor in type of contract

. • Key personnel on contract (superintendent, project manager)

. • Estimated profit margin

. • Amount of labor costs in contract

. • Presence of contract stipulations, such as penalties for late completion

. •

Presence of overruns or other problems noted

from other inquiries

Our analytical procedures usually allow us to reduce the more time-consuming detail tests to a

minimum. Since analytical procedures provide more valuable audit evidence than many other

audit procedures, we are not only being more effective, we are also being more efficient. The

risk-based audit is truly an example of a win-win situation – something you’re not likely to hear

being said about a traditional audit!

Conclusion

A properly performed risk-based audit allows everyone to walk away at the end of the process

feeling good about what was accomplished. The auditors feel they have provided a service of



real value to the client. The clients feel (and rightly so) that they have received valuable

information they can use to strengthen their companies. Ultimately, I believe that risk-based

auditing can transform the entire audit process into a rewarding experience for all parties.

Thomas E. Bayer, CPA, is a Manager for Sikich, Gardner & Co., LLP in Springfield,

Illinois (e-mail: tomb@sikich gardner.com or phone: 217-793-3363). Tom has seven years

of experience in construction accounting.

He holds a BS from Eastern Illinois University and obtained his CPA in2006. Tom has also

been published in the “CICPAC Quarterly Newsletter” and the Journal of Construction

Accounting and Taxation.

Builders Association.

خطر

مبن ي

ح رس ر

خذذ

سيؽ

.ػا

ذؿ

سيآشگ

ثبش

بع

ػ

وبف وش و صا سبود سبو سو ا س ( صبث ص ؼ ش شبن س ثبص ؿشح

.ثىذ

ؽ



و

وض

ب

آن

اؼذ

شـ

ض

ش

بن

س

ؼبثشػبن

ش

بىج

ثش

ػشثبؼ

س

. اىن ـش ش سا ثب ث بس دبس ؼبن اػ.اؼىذ ب اس ن ذ آن

:ذ

سيؽ

ب

يذ

ثب

ؼبثشػواىن

س

.وسيآ

وػذث

سا

سبود

وبس

بس

ػوب

ث

ثش

لف

سا

ثب

و ب ابر شذ جىخ بىج شث اس نبؿ ػشثبؼ بل مب اي ؼبثشػبن ذ

ػو پبوبسآن س كذ و وه ا بو شوى . بس پببس و ثبؿوذ )ب ؼش اص سكذ

وشاس

ثبصسا

س

شؼگ

س

ث

ثذ

ػىذ

ثبس

ػشثبؼ

اذ

ا

اشث

شگ

سك

بو بو و س كوس ؼوبة وث اذوا ي مبسا ش يس شث خ ن گشىذ

و آنگضاسؽ ؿذ ا و شو وؼا سببپ ج . ي س پببن ؼبثشػ ض سا ذ

. سب ىوذ ب سا ؿ صا ث ى ػشب گزاس ىذ ي ؿ ث يس شث شؿ ث ا

ثوذ

بوػ

سبوثي

سا

وؽ

و

سيآ

و

ػذث

سب

خشبن

ي

ؼبة

سك

پببس

پغ

. ش ساش

شوى شبو وث ثشوذ ذ ؼبثشػبن اىذ ثش ػا ؿيس بى ا ب ث س

وخي وه ا و بو شى و بص ه س ث ؿ ئاسا شؿ س

صاذوا

وث

ه

ا

ب

ىش

ش

ابر

ا

اسبؿ

ل

شذ

ػا

بش

ا

ث

.سا

وش

و

و

و

وث

و

و

شوى

ب

ش

ث

.ؼىذ

سبد

بس

ش

ا

شذو بو وث او آن سا ( ا ساشو شذو خ س ذبث ػا ض ي ػ سبؿآ



ػشثبؼ

ذ

سيؽ

ب

س

سيآسبو

و

شوى

ثوب

ب

س

شو

و

شث ػشثبؼوؼبؿ بو ذش ثاذ گبم ا ب ا قـ اس ب ا ش بىج

.ثجـذ

سا

ه

ا

ب

شى

ب

ساشث

ا

ش

بىج

ثش

سيؽ

ب

ذب

وى وش وب آن ث اب ؿ خ اذا ي اسبم ث ش بىج شث ػشثبؼ س ب س

ب د ب سنآ . اوذ ذوؿ وشگ وب و ب وا صا مبسا ي اذا ن سا خ بس ض

اص

لبـوبن

س

ي

ىىذ

ش

ب

آن

ث

ي

ؿ

هكا

ىػشپ

يس

ثش

هؼ

بؿ

وش بوىج شوث وػشثبؼ س وػبػا و ذؿ . س اىدب اس رش ىىذ بػا با

خ س. شگ ساش

وش اػو ي و ؼوبع اي سا س سبث دوضا ػا ا ػب بس دبس لف

ؼ

اؽ

ثبس

ؼىذ ب ذ پببس اذا ثهىذ ذ ي ظاشػا ب اص

ؿش ثوش ؼىذ جب ا ي بس ذ(بىذ ب ثوا ثهىذ ذ ي سػوذن

ؿش ا بس سا شا ىذ هج ىذ ي ب ذاؾ ثبذ ثش آن

ا

ؼىذ

ؿ

خا

ب

آن

ثب

اسؿذ

شذ

بس

ث

ثش

شصيس

ـ

.ذ

شاس

خ

س

سا

بس

ث

ثش

ب

شذ

آب



سك

بس

س

ه

ب

شى

ي

اوذ

ذؿ

اخشا

ب

اساش

ؿ

ب

شگ

ػا شگ سك ؽا ه ا ب ـ سيؿب ي بس بث ثب

ي

بوؿساضگ

ث

ثش

بس

ؿ

ب

شگ

سك

بس

س

ه

ا

ب

شى

شگ

سك

سبجش

ي

بجؿا

ثذين

ب

ب

ؼبة

بآ و بوػا ب ؾ اص آن

بل ربا س ب با ػس صا ذبث شذ

ؿ ذى

اشوا

وث

جوؼ

سا

بس

اص

ش

ػ

ب

ي

ؼىذ

ثشد

ث

شؿ

س

اشا

سب

ب

اص

ا اذ ج ادبم

ثوش ؼوبثشع ياخ جبس ش س ؼبثشػ ثش جىب ش ثنآ بو وگظي مبو و وػا ت

. ثذ ذ شاس اػ س ؼبثشػ شاس سبد سب بػ فب

:ؿ

ش

بىج

ثش

ػشثبؼ

س

ثبذ

هاش

وػشثبؼ و اذو ث سيؽ خذذ اص آبگ ي ػشثبؼ بذ س س ا ػ خذذ

.ػا صب

شث ػشثبؼ ؽيس بصوػسشث اشوث اس نبو پزشو و ؿو وب وض ثـوش وش بوىج

سا

شوؿ

وه

بو

ىش

وب

وى

شك

سا

ثـش

صبن

ب

.ى

بآ

اش

ي

بذ

وا

ؼبثشع

ش

اص

ؼىذ

ب

بؿساضگسب

ث

ثش

ب

آن

ن

ه

ا

ب

ىش

ث



اس

ثب

ثؼبس

بذ

خواةبس

ي

وؿ

و

وبس

خشوبن

ساي

صوبن

ا

س

اي

ب

ن

.ػا

صؽ

. ا اس ا ذػشپ ج اػ تها

.ػا

ذؿ

رش

ش

بىج

ثش

ػشثبؼ

هكا

هش

ػ

اىدب

س

هكا

بسىبن

بم

اص

اػ

:يا

هش

و /ب بLEO س كس ابن ؼبثشػ ثب سئغ/ وػا شو نآ ذى جك ش

و . پوغ وب ب وذ ؿوش كوج ىوذ اذا ثهىذ ذ ي شا ي سبثس اذ

ؼبثشع

(اذث

ا

ش س س ي ؼ ؿ خا ؿش ػب ثذ ثب آن ش شگسضث5و ػب ثوذ

ض

نشث ث صا اشث بش شا يخ اس آب ب س آن

ػا

ذؿ

خا

بؼا

سبد

بس

ـ

ثب

وبس و بوص فولث وؿ وه بو ب ثبوذ اص آن سا خي كل ب اش بآ

مبدا ػشثبؼ

ىجث مبسا ي اذا س سا سبا ب ض ي

س

سا

سا

ب

يث

وػ

وػ

وث

وب

پغ

.ى

بج

ض

ذؿ

ثبن

ج

بػ

ػشثبؼ

ثوب

سا

بسوبن

ي

وى

و

جوك

وض

وش

بپ

ػ

ب

شذ

ثب

ي

يس

شذ

ش

بپ

CFOصو وث و وػشپ و ذوؿسا شذو اوػ ثبوـ اوػ يا صا ي . وى يشؿ



ى

.ػا

ثش

اي

ؼصا

و

بوؼ

ي

اجوبس

گذىب

ثب

هش

ا

س

ػا

ػىذ

. ي ـش ض و اوذ اوب ػوىذ سا س ى جك ض ذىى ب سب

.سازث

ب

بس

ا

س

اش

هش

وب

سيؽ

وشن

وك

ي

وشن

ب

س

اي

بس

شاىذ

ا

ؼبثشع

ش

ؼبثشػواص

سوك وث و ي و وػ ب ابسا ؼبثشػ سا هش ا س . ش ذا بص

وػشثبؼ سبو نبوص س سيآ ػذث اس ػشثبؼ ذب س ذاؿ ذاس ي اسايذا

ي

وػا

خذوذ

شوؿ

س

ض

ى

ب

.ى

بػا

ب

آن

اص

ايو

ثبوصس

. ؿبث ش ؽصسا بث نب شـ اشث ا ب ى

ب شى نش ذىػ( ب شى نش ذىؼ : شه يم

ث كس خضئ يخؿوبن اجوب ؿوذ ه ا ب شى ي شه ث ثش ب شى ىا ثذ اص

ا

گشؽ

ي

ؿ

بػ

س

ب

شى

شؿ

بس

ػب

اشثغو

ثش

ي

ساا

ث

ؿ

بػ

اص

ب

وث وب ؼبثشػوبن س خشبن بس هش ا س . ثبؿذ ساا ب ا ه س شى ث اذ

. ؿ با بدىا س ػبػ ا اش ب ناى ث گ ا ىا سػذم شا

ب ـق بن صبن ػشپشػ ي سب بآ اششو ساو ذوىب شث سك ذبث سب

شا

ي

شزپ

ؼاذ

ذش

آب

سا

ش

ىذ

سبوثس

ساذو

ػي

غ

چ

ن

.ثبؿىذ

بس

ثؼبس

شذ

ش

اص

ى

اػ

ا

بم

. ب ا ه اؽ كج ىذ شى ي ب بؾ سيؽ

ػبػ



ىش

ب

ش

ثصاذوا

وث

شوؿ

ؿ

ؿ

يذ

هت

ا

ث

ه

ا

ب

و سا وخي ضو ش ب شى .ػا ش ساذثبؼ ؾث س اس ؾبي ب

ا

وگ

وث

وىا

اشوث

.ؿ

ثبصسا

ثبذ

ى

شگ

سك

ساذثبؼ

ص

اص

سب

ثش

ػشثبؼ

ؼبؿ

ث

سا

سبد

بس

ساذبػا

آن

سيؽ

ثبذ

ب

ى

اذ

سا

ش

بىج

. ث اص ػا سا ض ـق ؿذ ب آن ػ اػ نذػشپ بث

: ى ثشػذ جبسىذ اص ؼبثشع

اب

ب

سياشث

(بى

شاىذ

اشث

شؿ

س

ب

خ

ب

ب

شى

.ؿ

اساش يس شث بػ T,Mآب ؿش اص ش شك اضد ا سبخا بج ب نش بآ ثب

ىذ

وخ بو وؿ اشث ؿيس بجؼ اضد ث ثش بج ب ؿ شذ بآ

اذ

ذؿ

بػا

اض

د

بخ

اذ

ذؿ

سيآ

ذىى سيآشث بآوىا اص شصبث نيذث اس ب ذش اشث بىـپ ) صىذگبن ب

ذ

ئاسا ىذ ؾ

ب ب ذي سا

و وش بوىج شوث وػشثبؼ و اشث ذؿ بس ب ا ػا ي خاة

.ؼىذ

ػب

ب

ػ

CFMAاجش

/ػبجش

2002

هش:با ػسشث ي ه : ػم



ي

ىىوذ

و

و

سا

و

اي

وهه

شصبوث

وب

بوا

ش

بىج

ثش

ػشثبؼ

ػم

ؿ

س

ؼبثشػ صب سا بذ ابن ػا ا بدىا س ذ . بثىذ ػ ػشثبؼ بؿيس

ىا

بخ

ث

.ذ

ادبم

بػا

هه

سيؽ

وشاساص

آصوبؾ

ي

ؼ

س

سا

بئضخ

ىىذ

ذ

ا

گ

ث

ه

ا

ب

ىش

ؿبث

ذ

ؿب

ؼبثشػبن

بىذ

ب

اگش

.ذ

وشا ي . اگوش وى و اس شو شو وئضخ بو وؼ ي ىش سا س ؼ شاس ى

ؿ ثبصسا ي ذؿ قـ ب صاذا ث ب شىشوث اس نبو وه بوؿيس ب ا پوغ ذ

.

گؼشؽ

سا

ذ

ـبن

ب

با

ثبذ

ب

ض

ىا

سبثس

اسبا

بىج

شو سيآ وخ شذ ه ػ صا اس با ي ا ش ش اس اػ ج ب ن

ب هه بن س پغ ب ا سيؽ امبوسا ي اذوا شوگا . ا ثش سي ا اب شاس

بو ناوى وث . سيؿب ثـش سا ادبم ذ پغ ب ىىذ سيآشث ابسا ب سا

س

جو

وب

ػا

ؼ

ي

ػا

ذه

با

شػ

ساذبػا

پببسان

اشث

هؿ

بشث

ش ه اشث ػشثبؼ. ؿا صب

اش مبدا صا ج اس با ا ى . و12س ب ؿبث ؿا ثب س بث بن

شذو بوسيآشث ذ نبـ ػشثبؼ بذ اش س ش ه ب اص ؼ ا

ب

ى

بص

ؼىذ

ضش

ـ

ؼىذ

هؿ

بشثس

(.وى

و

جك

ش

سبثس

وؿ

ذام

ىذ

ـق

ب

شگ

شاس

ػسشث

ي

ه

س

دضا

ا

گ

ث

هؿ

بشث

اشثبىث



بول

اوبر

س

و

اوذ

ذوؿ

روش

ا

اص

اذ

صش

س

.ىذ

ئاسا

سا

ش ـث

ش

ب

. اػب ؿذ

ب

شاص

س

ذؿ

با

سكذ

اساش

صاذا

ا ساش

ا ساش س سببپ ثشد

طيشپ

ذش

ػشپشػ

(ا

شاس

س

هكا

بسىذان

ذؿ سيآشث ػ ل ب ب

ا ساش س سب ب ىض ضان

ب ثشا ب ش بس اصبد ذىب ا ساش س يشؿ خي

صبن

بص

شل

خينآ

پشػؾ

ث

خ

ثب

ش

ـ

ب

ؿا

ابس

ضان

اص

ثؾ

ىض

ب

. ش رش ؿذ

وث سثبس خضئب سا ب ؼ ث ب صبن ا لبف ىذ صبخا ب ث بهه بؿيس

ثو سيؿ جوؼ شو ؽصسا بوث ػشثبؼ سذ هه نآ بؿيس بص . بػشث اذب

وض

وش

آذ

بس

ى

ب

هث

ؼ

شش

ب

پغ

گزاسذ

ب

بس

ا

س

ش

ػشثبؼ

بوا

و

وػا

ضو

آوض

اص

ب

ػس

ث

ش

بىج

ثش

ػشثبؼ

.ؼ

. ـىذ اذ ذ ػشثبؼ سبثس ى هج سا ؿب



:بح

اوب شآىوذ وبساگش ؼبثشػ ث ب ذ صبخا ؼ ش ث ؿ مبدا ػسذث ش بىج ش

ىىذ

اؼبع

ؼبثشػبن

.ثبؿذ

ؿا

ث

اؼبع

ض

ذؿ

ادبم

ض

سبثس

ي

يشث

هخ

وب

آن

و

ىىوذ

و

اؼوبع

وض

ـوشبن

اوذ

شو

اشو

شوـ

اشث

اي

اسصؽ

ثب

بذ

باذوىسذ اس نبوـب شوؿ بو ذوىى بػا ب اىذ آن اذ ش بس ؽصسا بث

ش اذ شآىوذ ؼبثشػو سا وش بىج شث ػشثبؼ ا ب اسم ش بث ػبصذ

.ىذ

ذج

ب

ؼ

بم

اشث

ؿابپ

ثشد

ث

ي

ا

: ذىؼ سبثس ج ب

. سا ثشد ب بػ ساذثبؼ سب بػ ىص بع ثبش ذش اػچ اػ ي س

Risk Based Auditing

Documents