Guide to Using International Standards on Auditing in - IFAC

44
<strong>Guide</strong> <strong>to</strong> <strong>Using</strong> <strong>International</strong> <strong>Standards</strong> on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
4.4 Firm Risk Assessment
Risk management is an ongoing process that helps a firm <strong>to</strong> anticipate negative events, develop a framework
for effective decision-making, and profitably deploy the firm’s resources.
Some form of risk management occurs in most firms, and it is often informal and undocumented. Individual
partners typically identify risks and respond <strong>to</strong> them based on their direct involvement with the firm and
with their clients. Formalizing and documenting the process for the firm as a whole is a proactive and
more effective approach <strong>to</strong> risk assessment. This does not have <strong>to</strong> be time-consuming or cumbersome <strong>to</strong>
implement. Notably, effectively managing the firm’s risk assessment can result in less stress for partners and
staff, savings in time and costs, and improved chances of achieving the firm’s goals.
A simple risk assessment process can be used in any size of firm, even a sole proprie<strong>to</strong>rship. It consists of the
activities set out below.
Exhibit 4.4-1
Activity
Establish the Risk
Tolerances for the
Firm
Identify What Can
Go Wrong
Prioritize Risks
What is the
Response
Needed?
Assign
Responsibility
Moni<strong>to</strong>r Progress
Description
These <strong>to</strong>lerances could be quantitative amounts, such as allowable write-offs of
work in process, or qualitative fac<strong>to</strong>rs, such as characteristics of clients that would
not be acceptable <strong>to</strong> the firm. Once established, these <strong>to</strong>lerances provide partners
and staff with a useful reference point for decision-making (e.g., write-offs and client
acceptance, etc.).
Identify the events (that is, the risk fac<strong>to</strong>rs or exposures) that could prevent the firm
from achieving its stated goals. This step implies that the firm has already established
clear objectives and a commitment <strong>to</strong> performing quality work.
<strong>Using</strong> the risk <strong>to</strong>lerances established above, prioritize the events identified based on
an assessment of likelihood and impact.
Develop an appropriate response <strong>to</strong> the assessed risks <strong>to</strong> reduce the potential impact
<strong>to</strong> within the firm’s acceptable <strong>to</strong>lerances. Potential events (risks) with the highest
priority would be addressed first.
For all risks that require action or moni<strong>to</strong>ring, assign someone with the responsibility
<strong>to</strong> take the appropriate action and <strong>to</strong> manage the risk on a day-<strong>to</strong>-day basis.
Require periodic (simple) reports from each person assigned <strong>to</strong> manage risks on
behalf of the firm (this could address matters such as compliance with the firm’s
quality control procedures, training requirements, staff appraisals, and independence
issues addressed).
A sample of a firm’s risk assessment worksheet could be as shown in the following exhibit.