Risk-based auditing

Risk-based auditing is a style of auditing which focuses upon the analysis and management of risk.

In the UK, the 1999 Turnbull Report on corporate governance required directors to provide a statement to shareholders of the significant risks to the business. This then encouraged the audit activity of studying these risks rather than just checking compliance with existing controls.

Standards for risk management have included the COSO guidelines and the first international standard, AS/NZS 4360. The latter is now the basis for a family of international standards for risk management — ISO 31000.

A traditional audit would focus upon the transactions which would make up financial statements such as the balance sheet. A risk-based approach will seek to identify risks with the greatest potential impact. Strategic risk analysis will then include political and social risks such as the potential effect of legislation and demographic change.

An experiment suggested that managers might respond to risk-based auditing by transferring activity to accounts which are ostensibly low risk. Auditors would need to anticipate such attempts to game the process.