In recent years the broader concept of business risk have been developed by the larger firms. It was the subject of the ICAEW auditing road show ‘Tomorrow’s audit today’ in the late 1990s in the UK. The concept has not been fully refined but its main principles are now well established.
Business risk is the threat that an event or action will adversely affect a business’s ability to achieve its ongoing objective. It can be split between external and internal factors.
The business risk approach to auditing involves examining the business in it’s entirely and evaluating the various risks to which it is exposed. The business risks are factors which affect the company’s ability to meet its goals. The risks may be controllable (to some extent) or uncontrollable (for example, external factors). It may be possible to trade-off some risks (e.g. insurance). The auditor is concerned about those risks which may impact upon the financial statements and therefore needs a full understanding of the business and its risks in order to do this. The auditor will then plan the audit strategy with these business risks clearly focused in mind.
The Effects of the Business Risk Approach
There are some general points which can be made about the business risk approach and the effect it has had on the auditing process.
- This ‘top down’ approach to the audit, beginning with business risk and ending with the financial statements
- There is still a lack of clarity in the relationship between business risk and audit risk
- The ideas of inherent risk and control risk have tended to merge into the larger concept of business risk.
- The ideas of inherent risk and control risk can be called residual risk which has to be minimized by audit action. An audit action carries with it detection risk.
- The approach is very much a high level approach and should include consideration of all matters which are critical to the business. For example, ‘could the client lose the XYZ franchise and what would be the possible consequences for the company and its financial statements?’
- Because of the high level of understanding required of a client’s business it is possible to use analytical procedures more frequently as a procedure for verification of financial statement assertions
- It is an aid to the firm’s acceptance and continuation procedures for clients (do we want this client?)
- Business failure risk is an important aspect of overall business risk. The assessment of business failure risk will assist the auditor when considering the going concern status of the clients business.
- The audit needs to be tailor made and a generalized approach to audits is neither productive nor economical
- Auditors need more understanding of business and to that end the larger firms set up larger databases of information about the economy and the business world
- The concept implies a continuing relationship with the client rather than a oine off view with each year being separate.
As should be evident from this summary the business risk approach is a more holistic approach to the audit. The business risk approach starts at a stage back from the traditional audit risk model and offers more benefit to auditors and clients alike.
Business activity information financial statements
Whereas the audit risk model encompasses the last two aspects the business risk approach starts with examining the business activity and identifies the risk relating to it, before examining the risks of the information and subsequently the financial statements being misstated.
The consequences of the business risk approach should be a more efficient and focused performed by a more knowledgeable auditor resulting in a better auditor – client relationship. For example, the audit will have less emphasis on transactions. The auditor may well provide other benefit to the client given this greater understanding of the business and its risk profile.