Modern audits are risk-based, auditors do more testing where the risks are higher and less where they are lower. Understanding the methodology helps you predict what will be tested heavily and prepare accordingly.
What you'll learn
→ How auditors assess risk → What drives high inherent risk → What drives high control risk → What you can doHow auditors assess risk
Audit risk = inherent risk × control risk × detection risk. Inherent risk is the susceptibility of an account to misstatement before considering controls (revenue is high inherent risk because management has incentives to overstate). Control risk is the risk that controls fail to prevent or detect misstatement.
Detection risk is what the audit procedures are designed to manage. If inherent risk and control risk are high, detection risk must be low, meaning more testing. If both are low, less testing is acceptable.
What drives high inherent risk
Revenue (cut-off risk, recognition timing), inventory (existence and valuation), fixed assets (capitalisation vs expense), tax (calculation complexity), and related-party transactions (pricing and disclosure). These are the perennial high-risk areas.
Industry factors: e-commerce has high return-and-refund complexity, construction has long-term contract recognition risk, financial services have valuation and impairment risk. Auditors tailor procedures to your specific industry risks.
What drives high control risk
Lack of segregation of duties, no documented approval matrix, no monthly close, no bank reconciliation. Each of these elevates control risk. Auditors increase substantive testing to compensate, translating to higher fees and more management time during fieldwork.
Conversely, well-documented controls with evidence of operation reduce control risk. The auditor can rely on controls (with limited testing) rather than testing every transaction. The fee differential between weak and strong control environments can be 30-50%.
What you can do
At planning, ask the auditor for the risk assessment summary. They should share the high-risk areas and the planned procedures. Knowing this in advance lets you prepare the documentation and explanations they will need.
Mid-year, test your own controls. Run a sample bank reconciliation back through procurement: was the right approval obtained? Was the three-way match performed? Self-tested controls reveal weaknesses before the auditor does.
This guide is general information, not professional advice. For situations that involve specific facts, talk to your accountant, or hire one of ours from the marketplace.