- Risk-based auditing calls for a deep understanding of the entity to identify key audit risks
- Thorough audit planning is essential to determine where the auditor’s time is best spent
- The revision of ISA 315 is a reminder that good plans are at the heart of a quality audit
The expectation gap between what an audit actually delivers and what people think an audit delivers has never been wider. Darby Healey, who leads the risk and audit quality team at KPMG New Zealand, says this is putting auditors under tremendous pressure.
Identifying and assessing audit risk has always played a fundamental role in the audit process, and while the concept of "risk-based" auditing is not new, the revision of the auditing standard on risk assessment, ISA 315, has thrust the issue back into the spotlight.
Healey describes a risk-based audit as being the sum of three key elements: "First, the auditor needs to develop a thorough understanding of the entity and the risks involved." This is followed by "developing the appropriate audit response." The third element, according to Healey, is to constantly revisit that response based on observations throughout the audit.
Having a well-rounded knowledge of the business as a whole – including the regulatory space in which it operates – is fundamental to a risk-based approach. Armed with an integrated understanding of the business, auditors are better able to determine the most suitable approach to the audit. Healey acknowledges that this level of understanding is a critical characteristic of a strong audit, and says the revision of ISA 315 is designed to encourage auditors to refocus on risk. “It is fundamentally aimed at improving audit quality,” she says.
Does a risk-based approach increase costs?
Concerns have been raised in the profession that a risk-based audit methodology demands more time in audit planning, more time spent on high-risk areas, and inevitably, a higher cost of engagement. However, Healey is not convinced. “The revision of ISA 315 is a reminder of why audit planning is so important," she observes. "And good planning is all about identifying where your time is best spent. A quality audit is not about going through the motions."
Healey argues that time invested in a rigorous planning process has the potential to deliver cost savings. She notes, though, "It's about improving your output as an auditor. If the audit does take more time than anticipated, it is probably because additional time was required in high-risk areas."
The fundamentals haven't changed
Interestingly, the revised ISA 315 provides an early attempt to address how data analytics fit into risk assessment. "Data analytics has a place in audit, and undoubtedly the way auditors do their job is changing," says Healey. "But what ISA 315 is trying to achieve is getting the auditor to gain a deeper understanding of the entity – and that’s something that won't change even as technology evolves."
Will a risk-based approach add value for clients? “First we need to establish who we’re serving – and in a typical audit that is the shareholder,” Healey notes. “The deliverable is the audit report. So if a risk-based approach produces a higher-quality audit report, then yes, it is good for clients.”
Healey believes the revised standard is not about trying to fix something that is broken. “It is the standard-setter’s response to the questions that are being raised around audit quality, and aiming to ensure that auditors are doing the right thing,” she explains. Ultimately, that should benefit the profession as a whole.
Anthony O'Brien is a business journalist based on the NSW Central Coast
Darby Healey is a speaker at Audit Conference 2018 in Auckland.