The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level. To eliminate the possibility of assessing audit risk too low the auditor should perform the following steps:
1. Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditor’s understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes.
2. Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organization’s business risks (threats to the organization’s ability to achieve its objectives). An organization’s business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth to name a few.
3. Evaluate the Organization’s Response to those Risks: Once the auditor has evaluated the organization’s response to the assessed risks, the auditor should then obtain evidence of management’s actions toward those risks. The organization’s response (or lack thereof) to any business risks will impact the auditor’s assessed level of audit risk.
4. Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the organization’s responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
5. Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or qualified audit report based on their findings.
