A Small Comparison of Old and New Risk-Based Audit Models

Traditional Risk-Based Audit and Modern Risk-Based Audit Meaning (a) Traditional Risk-Based Audit

Traditional Risk-Based Audit refers to the auditor's integration of risk analysis, evaluation, and control into traditional auditing methodology (account-oriented audit and system-oriented audit) in the auditing process, and then obtaining audit evidence to form the conclusion of the audit of an audit evidence model. The basic procedures of traditional risk-based audit are not separated from the system-oriented audit model, but it pays more attention to risk assessment and risk management on the basis of the system-oriented audit model. (B) Modern Risk-Based Auditing

Modern risk-based auditing is a major innovation in auditing techniques based on system theory and strategic management theory, which is oriented to the strategic business risks of the audited entity, through "strategic analysis - process analysis - business performance evaluation - financial statement residual risk analysis". It is oriented to the strategic business risk of the audited entity, through the basic idea of "strategy analysis - process analysis - business performance evaluation - financial statement residual risk analysis", which links the risk of material misstatement of accounting statements and business risk, and thus puts forward the concept of the auditor to analyze and discover the misstatement of accounting statements from the source. Second, the comparison of theoretical assumptions (a) the theoretical assumptions of traditional risk-based auditing

The traditional risk-based auditing model is based on two assumptions: "reflect" and "confirm". The so-called "reflecting" assumption is "assuming that significant information obtained after compliance and substantive testing will be appropriately reflected in the audit opinion", that is to say, based on the audit evidence obtained, the auditor is able to accurately and appropriately express an audit opinion. In other words, based on the audit evidence obtained, the auditor can accurately and correctly express an appropriate audit opinion. There are three prerequisites for this: first, the quality management system of the accounting firm is such that the information obtained is symmetrical among the project teams and each auditor, i.e., there is no asymmetry of information, and the audit information is fully available; second, the auditor has the competence in practice that enables the auditor to arrive at the correct audit conclusions based on the information available; and third, the auditor who conducts the audit and expresses the opinion complies with the Code of Ethics. Third, the auditor conducts the audit and expresses the audit opinion in compliance with the professional code of ethics. On the premise that the above three points are satisfied, the "reflection" assumption can be established, and the audit information obtained or should have been obtained during the inspection process can be appropriately reflected in the final audit report. However, the reality is that in many cases the above three requirements are not met and the "reflection" assumption is difficult to establish. The "confirm" assumption is "the assumption that an inappropriate audit opinion will be recognized with 100 percent probability and in some form in the foreseeable future". However, not all inappropriate audit opinions will be recognized in the audit practice, and when the information provided by various sources can corroborate each other or there is no conflict, the information users will not be able to judge false financial reports, and of course, they will not be able to judge the appropriateness of the audit report or not. On the other hand, precisely because the "confirmation" assumption does not hold in practice, the application of risk-based auditing can go to an extreme - inducing moral hazard for the auditor: as long as the auditor believes that the risk is acceptable, and because inappropriate audit opinions are not necessarily disclosed, the auditor may not be able to make a judgment even if he or she knows that the audit report is inappropriate, but the auditor may be able to make a judgment even if the audit report is inappropriate. As long as the auditor believes that the risk is acceptable, and because inappropriate audit opinions are not necessarily revealed, the auditor can issue an unqualified audit report even if he or she knows that the audited entity's financial statements contain false information. （The theoretical assumption of modern risk-based auditing is that a decline in the operating performance of the audited entity in a complex and competitive market environment will affect the realization of its strategic objectives. In the face of strict market regulation and social pressure, the management of the audited entity is likely to have the motivation to use financial reporting fraud to cover up the unfavorable operation. Based on this assumption, the audit risk is closely related to the auditee's business risk and corporate strategy, and the business risk always affects the audit risk directly or indirectly. Therefore, an effective audit requires the auditor to stand high and look far, to find out the possible root causes of fraud from the source, so as to evaluate the risk of material misstatement of financial reports more effectively.

Modern risk-based auditing is guided by strategic and systemic thinking in assessing the risk of material misstatement and the entire audit process, and is therefore also known as risk-based strategic-systems audit ap- proach www.bfblw.com. Its core idea can be summarized as follows: audit risk mainly comes from the risk of misstatement of enterprise's financial report, and the risk of misstatement mainly comes from the operational risk of the whole enterprise, therefore, effective audit should be based on the analysis of the macro environment, strategic objectives and key operational aspects of the enterprise's society and industry, and determine the scope, time and procedures of substantive testing by comprehensively evaluating the operational risk. Comparison of the audit purpose (a) the purpose of the traditional risk-oriented audit

The traditional audit model focuses on the review of the internal control system in all aspects of the audit, the purpose is to find out the weakness of the internal control system, to find out the root causes of the problem, and then expand the scope of the inspection of these links; on the effectiveness of the internal control system, the scope of the inspection can be narrowed or simplified its audit procedures. This model focuses on understanding and analyzing the internal control system as a whole and identifying systematic errors in accounting information related to certain internal controls, thus improving audit efficiency. Audit risk = inherent risk x control risk x inspection risk. In this model, under a certain estimation of audit risk, the inspection risk is controlled by assessing the combined level of inherent risk and control risk. However, since the inherent risk is difficult to assess, the CPA often recognizes it as a high level, and the starting point of the audit is the control test; if the internal control is not ready to be relied upon, the starting point of the audit is the substantive test. By ignoring the assessment of inherent risk, CPAs often do not focus on understanding the enterprise and its environment at the macro level, and do not analyze management's incentives to provide false accounting statements. If the management of the enterprise colludes with fraud or overrides the internal control and leads to the failure of internal control, if the CPA does not expand the perspective beyond the internal control, he or she will be easily deceived and deceived, and will not be able to detect the material misstatement caused by the failure of internal control. (II) Purpose of Modern Risk-Based Audit

Modern risk-based audit model bases its guiding ideology on "reasonable professional skepticism", and is based on systematic analysis and evaluation of audit risks, which is the starting point for the development of audit strategies and diversified audit plans that are appropriate to the situation of the enterprise, and integrates risk considerations throughout the audit. The audit risk model is based on a systematic analysis and evaluation of audit risks as a starting point for developing an audit strategy and a diversified audit program adapted to the company's situation, with risk considerations being applied throughout the audit process, and with a view to comprehensive control testing, rather than testing the effectiveness of the implementation of the internal control system (i.e., compliance testing). At this point, the audit risk model is revised to: audit risk = risk of material misstatement × inspection risk.

In this model, the main line of the CPA's audit is to identify, assess and respond to the risk of material misstatement, maintain professional skepticism, and give full consideration to the circumstances that may lead to material misstatement of the accounting statements, which requires the CPA must understand the audited entity and its environment (including internal control), in order to assess the risk of material misstatement, and at this time the starting point of the audit is the risk assessment process, followed by the risk assessment of material misstatement, and then the risk assessment process. The starting point of the audit is the risk assessment process, followed by further audit procedures (including control testing and substantive testing) to address the risk of material misstatement. In short, the CPA does not only rely on the inspection and evaluation of the internal control system designed and implemented by the management of the audited entity, but also maintains a reasonable professional vigilance on whether the management of the company is honest and whether there is a drive for fraud or falsification, and expands the auditing field of view to include the operating environment of the audited entity, captures potential risk points, and carries out risk assessment throughout the entire process of auditing work. In this way, the center of gravity of auditing has been shifted from simple evaluation of auditing risks and focusing on audit testing to risk assessment as the center and implementation of auditing procedures on the basis of maintaining reasonable doubt, which means that the modern risk-oriented auditing model puts more emphasis on the understanding of the audited entity and its environment, including internal control, from a macro point of view in order to adequately identify and assess the risk of material misstatement of accounting statements, and to assess the risk of material misstatement against the assessed risk of material misstatement.

Control testing and substantive procedures are designed and performed in response to the assessed risks of material misstatement.