Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
44<br />
<str<strong>on</strong>g>Guide</str<strong>on</strong>g> <str<strong>on</strong>g>to</str<strong>on</strong>g> <str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> <str<strong>on</strong>g>Internati<strong>on</strong>al</str<strong>on</strong>g> <str<strong>on</strong>g>Standards</str<strong>on</strong>g> <strong>on</strong> <strong>Audit<strong>in</strong>g</strong> <strong>in</strong> the Audits of Small- and Medium-Sized Entities Volume 1—Core C<strong>on</strong>cepts<br />
4.4 Firm Risk Assessment<br />
Risk management is an <strong>on</strong>go<strong>in</strong>g process that helps a firm <str<strong>on</strong>g>to</str<strong>on</strong>g> anticipate negative events, develop a framework<br />
for effective decisi<strong>on</strong>-mak<strong>in</strong>g, and profitably deploy the firm’s resources.<br />
Some form of risk management occurs <strong>in</strong> most firms, and it is often <strong>in</strong>formal and undocumented. Individual<br />
partners typically identify risks and resp<strong>on</strong>d <str<strong>on</strong>g>to</str<strong>on</strong>g> them based <strong>on</strong> their direct <strong>in</strong>volvement with the firm and<br />
with their clients. Formaliz<strong>in</strong>g and document<strong>in</strong>g the process for the firm as a whole is a proactive and<br />
more effective approach <str<strong>on</strong>g>to</str<strong>on</strong>g> risk assessment. This does not have <str<strong>on</strong>g>to</str<strong>on</strong>g> be time-c<strong>on</strong>sum<strong>in</strong>g or cumbersome <str<strong>on</strong>g>to</str<strong>on</strong>g><br />
implement. Notably, effectively manag<strong>in</strong>g the firm’s risk assessment can result <strong>in</strong> less stress for partners and<br />
staff, sav<strong>in</strong>gs <strong>in</strong> time and costs, and improved chances of achiev<strong>in</strong>g the firm’s goals.<br />
A simple risk assessment process can be used <strong>in</strong> any size of firm, even a sole proprie<str<strong>on</strong>g>to</str<strong>on</strong>g>rship. It c<strong>on</strong>sists of the<br />
activities set out below.<br />
Exhibit 4.4-1<br />
Activity<br />
Establish the Risk<br />
Tolerances for the<br />
Firm<br />
Identify What Can<br />
Go Wr<strong>on</strong>g<br />
Prioritize Risks<br />
What is the<br />
Resp<strong>on</strong>se<br />
Needed?<br />
Assign<br />
Resp<strong>on</strong>sibility<br />
M<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r Progress<br />
Descripti<strong>on</strong><br />
These <str<strong>on</strong>g>to</str<strong>on</strong>g>lerances could be quantitative amounts, such as allowable write-offs of<br />
work <strong>in</strong> process, or qualitative fac<str<strong>on</strong>g>to</str<strong>on</strong>g>rs, such as characteristics of clients that would<br />
not be acceptable <str<strong>on</strong>g>to</str<strong>on</strong>g> the firm. Once established, these <str<strong>on</strong>g>to</str<strong>on</strong>g>lerances provide partners<br />
and staff with a useful reference po<strong>in</strong>t for decisi<strong>on</strong>-mak<strong>in</strong>g (e.g., write-offs and client<br />
acceptance, etc.).<br />
Identify the events (that is, the risk fac<str<strong>on</strong>g>to</str<strong>on</strong>g>rs or exposures) that could prevent the firm<br />
from achiev<strong>in</strong>g its stated goals. This step implies that the firm has already established<br />
clear objectives and a commitment <str<strong>on</strong>g>to</str<strong>on</strong>g> perform<strong>in</strong>g quality work.<br />
<str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> the risk <str<strong>on</strong>g>to</str<strong>on</strong>g>lerances established above, prioritize the events identified based <strong>on</strong><br />
an assessment of likelihood and impact.<br />
Develop an appropriate resp<strong>on</strong>se <str<strong>on</strong>g>to</str<strong>on</strong>g> the assessed risks <str<strong>on</strong>g>to</str<strong>on</strong>g> reduce the potential impact<br />
<str<strong>on</strong>g>to</str<strong>on</strong>g> with<strong>in</strong> the firm’s acceptable <str<strong>on</strong>g>to</str<strong>on</strong>g>lerances. Potential events (risks) with the highest<br />
priority would be addressed first.<br />
For all risks that require acti<strong>on</strong> or m<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r<strong>in</strong>g, assign some<strong>on</strong>e with the resp<strong>on</strong>sibility<br />
<str<strong>on</strong>g>to</str<strong>on</strong>g> take the appropriate acti<strong>on</strong> and <str<strong>on</strong>g>to</str<strong>on</strong>g> manage the risk <strong>on</strong> a day-<str<strong>on</strong>g>to</str<strong>on</strong>g>-day basis.<br />
Require periodic (simple) reports from each pers<strong>on</strong> assigned <str<strong>on</strong>g>to</str<strong>on</strong>g> manage risks <strong>on</strong><br />
behalf of the firm (this could address matters such as compliance with the firm’s<br />
quality c<strong>on</strong>trol procedures, tra<strong>in</strong><strong>in</strong>g requirements, staff appraisals, and <strong>in</strong>dependence<br />
issues addressed).<br />
A sample of a firm’s risk assessment worksheet could be as shown <strong>in</strong> the follow<strong>in</strong>g exhibit.