1. Explain the link between risk analysis and audit plan
2. Compare the different stages of an audit
1)
RISK ANALYSIS
Risk analysis is the review of the risks associated with a particular event or action. It is applied to projects, information technology, security issues and any action where risks may be analyzed on a quantitative and qualitative basis. Risk analysis can be used across a broad range of circumstances and can lead to effective management strategies even when the available data are limited. The framework used in Australia and New Zealand is based on the general framework endorsed by the Codex Alimentarius Commission (Codex, 2004). As discussed briefly below, the risk analysis framework is comprised of three distinct but interrelated components, namely risk assessment, risk management and risk communication.
Risk assessment involves a science-based approach that utilizes experimental and other available data to characterize the risk and arrive at a conclusion regarding the potential risk associated with a food or food ingredient.
Risk management assists in defining the risk assessment scope and questions to be addressed. It also considers options for managing identified food risks in the broader context, taking into account the potential benefits of the food as well as relevant policy, consumer behaviors and economic issues associated with use of the food.
Risk communication is the interactive exchange of information and opinions regarding risks, risk-related factors, and risk perceptions among all concerned parties, or stakeholders, throughout the entire risk analysis process. It is an ongoing process that engages stakeholders and the public in decision making to the maximum extent possible. Risk communication is also important in bridging the gap which sometimes exists between the scientific assessment and consumers' perception of the health risk.
Risk analysis is a component of risk management. Risks are part of every IT project and business endeavor. As such, risk analysis should occur on a recurring basis and be updated to accommodate new potential threats. Strategic risk analysis minimizes future risk probability and damage.
The risk management process involves a few key steps. First, potential threats are identified. For example, risks are associated with individuals using a computer either incorrectly or inappropriately, which creates security risks. Risks are also related to projects that are not completed in a timely manner, resulting in significant costs. Next, quantitative and/or qualitative risk analysis is applied to study identified risks. Quantitative risk analysis measures expected risk probability to forecast estimated financial losses from potential risks. Qualitative risk analysis does not use numbers but reviews threats, and determines and establishes risk mitigation methods and solutions. A contingency plan may be used during risk analysis. If a risk is presented, contingency plans help minimize damage.
AUDIT PLAN
An audit plan is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations. The goal of an audit program is to create a framework that is detailed enough for any outside auditor to understand what official examinations have been completed, what conclusions have been reached and what the reasoning is behind each conclusion. The framework should explain the audit's objectives, its scope and its timeline. The audit program should also describe how working papers, the documented evidence of the audit, will be collected, reviewed and reported.
The main objectives of the audit plan or audit program: when developing an audit program, the internal auditor and the associated audit team should start by outlining the audit's objectives, goals and obligations. Audit program objectives help direct planning of the audit report and are based on the policies, procedures and guidelines unique to the company. These objectives may relate to and outline how the auditors will maintain efficiency, professionalism and a specific code of conduct during the audit procedure.
In addition to relevant regulatory compliance mandates, objectives for audit programs should consider aspects such as management priorities, business intentions, system requirements, business structure, legal and contractual mandates, the expectations of customers and other interested parties, potential risk management vulnerabilities, and any corrective action taken based on previous audits.
Audit plan preparation will consider the audit's relevant regulatory deadlines, staff requirements and reporting structure, and overall goals. In particular, these goals will consider how the company will maintain regulatory compliance via risk assessment and management procedures. The audit program should also include a timeline detailing when specific aspects of the audit program should take place and how they should be prioritized.
Audit program planning is usually a continual and iterative process. During audit planning and development, companies can build on lessons learned from previous audits by implementing newly learned best practices that alleviate risk and maintain compliance. Audit development guidelines and best practices vary by industry, but local and regional auditing certifications are available, as are internationally recognized audit certifications. These certifications include Certified Internal Auditor and Certified Information Systems Auditor, and membership in the International Register of Certificated Auditors.
LINK BETWEEN RISK ANALYSIS AND AUDIT PLAN
There are three main benefits from planning audits: it helps the auditor obtain sufficient appropriate evidence for the circumstances, helps keep audit costs at a reasonable level, and helps avoid misunderstandings with the client. ISA 300 Planning an Audit of Financial Statements requires that the planning stage of the audit should be used to establish an overall strategy for the audit, develop an audit plan, and reduce audit risk to an acceptably low level. The standard also requires that “Auditors should plan the audit work so that the engagement is performed in an effective manner.” It is important to clarify what is meant by the terms “overall audit strategy” and “audit plan” as per ISA 300. The overall “audit strategy” describes in general terms how the audit is to be carried out, and the “audit plan” details the specific procedures to be carried out to implement the strategy and complete the audit. It is also important for students to understand the precise meaning of the risk terms “audit risk” and “inherent risk”, as both risks influence how the audit is carried out and the costs involved. The auditor will spend quite a bit of time at the early planning stages obtaining information to assess these risks so that “the engagement is performed in an effective manner”. “Audit risk” is the risk that an auditor may give an inappropriate audit opinion on financial statements that are materially misstated. To reduce the audit risk to an acceptably low level means the auditor needs to be more than certain that the financial statements are not materially misstated.
This is reiterated by ISA 200, which states, “The auditor should plan and perform the audit to reduce audit risk to an acceptably low level that is consistent with the objective of an audit.” “Inherent risk” as per ISA 400 is “the susceptibility of an account balance or class of transactions to misstatements that could be material, individually or when aggregated with misstatements in other balances or classes, assuming that there are no related internal controls”. Assessing audit risk and inherent risk is an essential part of audit planning because it determines the quantity and quality of evidence that will need to be gathered and the staff that need to be assigned to the particular audit. If, for example, there were valuation issues with property, inherent risk would then be assessed as high, meaning more evidence would have to be gathered and more experienced staff assigned to perform testing on this account.
An organization's internal audit activity incorporates management's risk assessments in its risk-based audit plan. Risk-based audit plans utilize a systematic process to evaluate, identify, and prioritize potential audits based on the level of risk. We can normally understand the connection or link between risk analysis and audit planning as follows: when we are preparing the audit plan, we clearly mention in that document which types of risk assessments or analyses we are going to use in the coming year.
2)
THE AUDIT PROCESS
Audit planning is important because auditors should plan the audit so as to reduce audit risk to an acceptably low level that is consistent with the objective of the process. The auditor should plan the nature, timing and extent of direction and supervision of the engagement team members, and review of the work. The four main reasons for audit planning include:
1- To identify areas of risk of material misstatements
2- To design audit procedures to address those risks and to obtain sufficient appropriate evidence
3- To help keep audit costs reasonable
4- To avoid misunderstandings with the client
The whole auditing process can generally be divided into three different phases. The audit planning stage includes procedures such as gaining an understanding of the client and its business, making risk and materiality assessments, determining an audit strategy, and determining the type of evidence to collect, based on the risk levels.
Performing the audit refers to the process of collecting evidence. Finally, the reporting stage deals with making conclusions, reporting any necessary adjustments to management, and issuing the independent auditor’s report.
There are five stages of the audit process: Selection, Planning, Execution, Reporting, and Follow-Up.
Selection
Internal Audit conducts a University-wide risk assessment near the end of each calendar year. We develop the audit plan for the subsequent year based on the results of this assessment and the department’s available resources. The Chancellor and the Fiscal Affairs and Audit Committee of the Kansas Board of Regents review the audit plan before it is executed.
Planning
During the planning phase of each project, the Internal Audit staff gather relevant background information and initiate contact with the client. Auditors meet with University leadership and clients to identify risks and determine the objectives and scope of the audit as well as the timing of fieldwork and the report distribution.
Execution
Once the audit is planned, fieldwork is executed by the Internal Audit staff. Clients are kept informed of the audit process through regular status meetings. We discuss audit observations, potential findings, and recommendations with the client as they are identified.
Reporting
A summary of the audit findings, conclusions, and specific recommendations are officially communicated to the client through a draft report. Clients have the opportunity to respond to the report and submit an action plan and time frame. These responses become part of the final report which is distributed to the appropriate level of administration.
Follow-Up
Internal Audit follows up on all audit findings within one year of when the report was issued.