Risk-Based Audit Approach – How Does It Work?


The risk-based audit approach is one of the well-known audit approaches. Auditors use it to audit financial statements, and internal auditors use it for their internal audit work. Its principle requires auditors to put their effort into high-risk areas rather than spending a lot of time on low-risk areas.

The risk-based audit approach comes from the International Standard on Auditing ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment.

This standard requires an auditor to obtain an understanding of the entity's key internal controls, its internal environment, and the effects of the external environment that could potentially affect the entity's business as well as its financial reporting. Once the risks are assessed and identified, audit procedures are tailored.

For example, a high turnover of key staff in the finance department can be a factor that keeps the financial reporting system from running appropriately, so the risks of material misstatement in the financial statements are likely to increase.

Audit procedures should be established to detect the likelihood of incorrect accounting treatments as well as overrides of the level of authorization.


If you are familiar with ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, you may already understand the principle of the audit approach to auditing financial statements.

This standard requires the risk assessment to be performed at the planning stage, looking at the internal and external factors that influence the client's internal control.

This approach starts at the planning stage of an audit. Normally, the auditor obtains an understanding of the client's key internal controls and its environment before performing the risk assessment.

Once the risks related to the financial statements are assessed and identified, the audit procedures are tailored to detect those risks.

Many kinds of risks might lead to misstatement of the financial statements, such as financial risks, compliance risks, and operational risks. If auditors can identify these risks and then execute the right audit procedures to detect all of them, audit risks will be minimized.

It is worth noting that risk comprises three important types: inherent risks, control risks, and detection risks. Inherent risks involve risks outside the scope of management and auditors.

Control risks, in addition, refer to the risks that management's internal control over financial reporting could not detect material misstatements due to both error and fraud.

Detection risk is the risk that auditors could not design the right audit procedures to detect the material misstatements contained in the financial statements.

Risk-based internal audit approach:

The risk-based audit approach is also used by internal auditors to perform internal audit activities. This approach requires the internal auditor to understand and assess the entity's risks.

For example, let us classify those risks into three simple areas: operational risks, compliance risks, and financial risks.

Why is the risk-based audit approach important?

The risk-based approach helps auditors achieve their objective by focusing on the areas they define as high risk. That means auditors do not work on areas that are considered low risk. It not only helps auditors use their resources effectively, but also helps the auditee (those being audited) avoid spending a lot of time dealing with the auditor. Therefore, this approach helps the company save costs as well.