The Definition of Risk-Based Auditing (RBA) and Its Importance
Internal auditing has several important functions, one of them being the ensuring of appropriate governance, control, and risk management. Risk-based auditing (RBA), as one of the types of the internal auditing process, involves the thorough analysis and management of threats that can undermine the organization’s successful work. RBA is becoming more and more popular with auditing companies (Chou, 2015).
Faser defines RBA as “designed to be used throughout the audit to efficiently and effectively focus the nature, timing, and extent of audit procedures to those areas that have the most potential for causing material misstatement(s) in the financial report” (as cited in Chou, 2015, p. 140). RBA eliminates the possibility of threats that may occur in operations performed by the company.
One of the spheres on which RBA has a particularly positive effect is the internal control systems implementation. According to Nyarombe, Musau, Kavai, and Kipyegon (2015), RBA has the potential to enhance the financial statement reporting process and assurance. RBA concentrates both on recorded and unrecorded problematic issues, so it aims to identify business risks and taking control of them. The time needed for RBA depends on the level of the risk area (Nyarombe et al., 2015).
The higher the risk level, the more substantial control is needed. Except for the establishment of the risk level, RBA allows assessing and adding value to the process of financial reporting. To be able to perform these functions, the auditor should have the advanced vision of the customer’s business and activities (Nyarombe et al., 2015). The required knowledge can be obtained through the company’s approaches to managing, operating their business, and arranging the internal and external environments. With the help of the gathered data, the auditor can create a program consisting of the most efficient and productive combinations of responses to critical situations.
Internal auditing is a valuable method of measuring the effectiveness of the internal control of the company. To prepare such a report, the manager needs to assess the control’s design and effectiveness. As Johnstone, Gramling, and Rittenberg (2014) remark, the internal risk-based audit can play an important role in this process. The risk-based method of the internal control evaluation over financial reporting incorporates the following steps:
- the identification of financial reporting risks and measures to eliminate these threats (the establishment of financial reporting risks; the identification of controls reducing the risks; the evaluation of the effectiveness);
- the assessment of the operating effectiveness of internal control (the selection and testing the measures taken to evaluate the operating power);
- the provision of a report on the validity of internal control (the assessment of control shortcomings; the administration of public disclosure of the report) (Johnstone et al., 2014).
RBA is an integral component of the risk-based safety management system. As McKinnon (2017) notes, this system should be coordinated with the risks originating at the workplace. Various types of businesses have different risks, so there is no unified system for all industries. However, implementing RBA in the organization enables the management team to decrease the likelihood of risks happening due to their timely identification and prevention.
Therefore, it is possible to conclude that the significance of RBA cannot be overestimated. Internal control systems benefit from RBA greatly since it enables these systems to improve the reporting process of financial statements. The identification of risks makes it possible to mitigate them (Griffiths, 2016). The role of RBA in key risk mitigation is continuously increasing (Coetzee & Lubbe, 2013). The decision of managers to report to RBA when evaluating threats to their organizations testifies the effectiveness of this approach.
Challenges of the RBA Implementation
External Issues
- The application of the audit control system is too broad. RBA is a good idea, but sometimes, it may involve too many tasks and cover too many areas. If the management of the company does not eliminate the number of these spheres, the process of implementation may be problematic.
- RBA may be time-consuming. Depending on the firm’s size, the number of employees, and the variety of processes, the introduction of RBA may take up much time. Frequently, companies neglect this issue when considering their audits, which results in spending additional resources and extra time.
- Some technical aspects of RBA may be too complicated for the company to understand. Not all firms have specialists that can cope with RBA independently. At the same time, these organizations may not have additional financial means to hire someone to perform this job for them. As a result, the needed solutions are not found, and the employees may feel disorganized and upset.
- The internal control system in the firm may have serious weaknesses. Whether it is a current problem or some deficiency left from the previous financial manager, there may be some obstacles in the internal control system that can hinder the successful RBA implementation. Such faults may include the insufficient amount of data, documentation filled incorrectly, or lacking sources of financial information.
- The cost of the procedure may be considered unjustified. One of the major external challenges in the process of deciding whether to perform RBA is the issue of its cost. For a small company, the whole process may seem too expensive, and the manager may find it irrational to launch RBA.
Internal Issues
- The lack of management support. In some firms, the employees may understand the significance of RBA, but the manager may not see it. Such a paradox may happen if the manager is new to the company or if their sphere of knowledge does not correspond to the organization’s goals. The lack of support from the manager may result in their refusal to implement RBA, which may lead to adverse outcomes.
- The insufficient number of team members. Sometimes, a company may be too small to allocate several employees or even one for RBA processes. In such cases, the responsibilities are shared among several people, and it may be difficult to collect a sufficient database. Additionally, such a division of duties may result in numerous misunderstandings and arguments, which will not do the company any good.
- The lack of willingness to study and develop. Frequently, employees are resistant to change, and they may feel opposed to RBA implementation. This factor is particularly pertinent to old companies with conservative views. Sometimes, even the manager of such an organization may not feel positive about RBA. This issue may result in overlooking serious drawbacks in the firm’s processes.
- Fraudulent schemes or corruption. If there is some illegal activity going on in the firm, it is possible, or even expected, that the person or people engaged in that activity will be opposed to RBA implementation. Such employees will do everything possible to interfere with audit processes.
- The lack of business knowledge. On some occasions, RBA is performed by employees that are willing to assess their company’s weaknesses but, unfortunately, they do not have enough skills and experience to do that. These may be either the individuals that have worked in the company for only a short period of time or the people whose area of expertise does not include the performance of financial assessments.
Recommendations to Solve the Challenges
- It is necessary to explain to the employees that internal controls and RBA are highly significant for the company’s successful functioning;
- To reduce the resistance of workers, it is necessary to inform them in advance that the audit will be performed;
- Every employee should be given enough time to prepare and understand the goals of RBA, as well as be allowed to ask questions in case they do not understand something;
- To avoid a broad audit system, the manager should review the processes taking place in the organization thoroughly and focus on those that have the greatest value;
- Employees should be allowed to participate in the decision-making process: this will empower them and may offer some insights for the manager that he or she could have overlooked;
- If the number of employees is too small, it is necessary to prepare a plan of actions, where every team member will be allocated to specific functions;
- To overcome the lack of knowledge and resistance to obtain it, the management should come up with a step-by-step program of employee education that will gradually prepare people to changes.
References
Chou, C. D. (2015). Cloud computing risk and audit issues. Computer Standards & Interfaces, 42, 137-142.
Coetzee, P., & Lubbe, D. (2013). Improving the efficiency and effectiveness of risk-based internal audit engagements. International Journal of Auditing, 18(2), 115-125.
Griffiths, P. (2016). Risk-based auditing. New York, NY: Routledge.
Johnstone, K. M., Gramling, A. A., & Rittenberg, L. E. (2014). Auditing: A risk-based approach to conducting a quality audit (9th ed.). Mason, OH: South-Western Cengage Learning.
McKinnon, R. (2017). Risk-based, management-led, audit-driven, safety management systems. Boca Raton, FL: CRC Press.
Nyarombe, F., Musau, E. G., Kavai, I., & Kipyegon, K. (2015). The effect of risk based audit approach on the implementation of internal control systems: A case of Uasin Gishu County. International Journal of Business and Management Invention 4(1), 12-32.