This paper not only outlines the basis for risk based approach to auditing but also its implications for carrying out audit work in the context of accounting information systems is discussed here below.
Businesses typically identify the risks which are facing their operations and auditors can base their evidence collection and validation of information process on the assessment of risks by businesses. Internal audit function of a business needs to ascertain the overall audit risk which refers to the likelihood of financial statements being misstated. The audit risk is a combination of three types of risks which are namely inherent risk, control risk and detection risk. Inherent risk implies the threat of material error or omission pertaining to an account or a class of transactions. Control risk covers the inability of the internal controls to detect and prevent material errors. Detection risk is the failure of audit procedures to unveil any material error, misstatement or even fraud in reporting. Both inherent and control risks determine the extent of detection risk. It is suggested that the higher the control risk is the lower is detection risk set by the auditors which may require greater substantive testing by them (Romney & Steinbart, 2005).
The risk based approach allows assessing the weaknesses in the accounting information systems and controls over such systems for determining the nature, extent, scope and timing of audit procedures. This allows auditors to assess the threats and opportunities in order to deliver better opinion on the information processed by their clients. The audit procedures not only restrict to the information manually prepared by different businesses but also extend to the accounting informational systems which are maintained by companies for data recording and reporting (Romney & Steinbart, 2005).