of 13
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
220 ISSN (online) VERSLO SISTEMOS ir EKONOMIKA BUSINESS SYSTEMS and ECONOMICS INSIGHTS ON RISK ASSESSMENT IN PERFORMANCE AUDIT Dalia DAUJOTAITĖ Mykolas Romeris University Ateities str. 20, LT Vilnius, Lithuania doi: /vse Abstract. This paper analyses the most significant developments in the audit methodology since 1990 that are related to the transition from the audit methodology based on the risk of financial statements to the methodology based on the performance process risk. Such developments in the audit methodology are presented as a result of a new approach towards risk assessment or an outcome of the new paradigm. On the other hand, the risk factors related to the performance assessment are examined and analysed as an inherent part of a performance audit. The article also deals with the general risk factors of economy, efficiency and effectiveness, introduces the performance audit efficiency model that identifies significant areas to be audited and possible research aspects. Keywords: risk assessment, risk factors, performance audit, economy, efficiency, effectiveness. JEL classification: M400; M420; M480. Introduction In Lithuania and likewise throughout the world, risk assessment issues have become an object of exceptional attention in terms of expanding the scope of the risks being assessed and developing the cognition methodologies. This has been caused by a number of factors. The ever increasing complexity of activities and the environment cause a growing uncertainty that every organisation in one way or another faces in its activities. Such uncertainties arise from limited or inaccurate information, (yet) unknown factors and other sources of uncertainties both inside the organisation and due to external factors. Such uncertainties are a source for both dangers and possibilities. In this study, the author argues that modernizing the framework of the public administration system and seeking to ensure the effectiveness and efficiency of the system, risk assessment and identification of priorities have become an indispensable precondition. The paradigm of the most recent trends in public administration placing a focus upon resultbased management also presupposes a risk-based management: only after having assessed all material risks it is possible to efficiently manage them and achieve the best results. On the other hand, the limited resources of the institutions in charge of performance supervision Dalia DAUJOTAITĖ. INSIGHTS ON RISK ASSESSMENT IN PERFORMANCE AUDIT 221 and evaluation are most efficiently used when they are focused on the areas deemed most important and at the same time risky. The analysis of regulatory documents showed that risk assessment and management is increasingly frequently highlighted in different European Union documents, e.g., Directive 2009/138/EC of the European Parliament indicates that all EU Member States reorganize the insurance supervision carried out thereby from the rules based supervision to the supervision focusing upon the risk of an insurer (reinsurer) and its management (risk based supervision), etc. Risk assessment is also required according to the provisions of Lithuanian regulations, such as Risk evaluation based guidelines on the supervision of activities of economic entities approved in 2012 and designed for business oversight institutions in relation to the implementation of risk assessment systems, and demonstrating that risk assessment is also considered increasingly important in the public sector. Thus, the risk-assessment based approach is becoming increasingly important both in carrying out the supervision of institutional performance and also their valuation and audit. Audit and auditors play an important role in the life of the society. The statutory audit is in essence perceived as performing the functions of a supervisory authority. As stated in the Green paper Audit policy of the European Commission (2010), Audit, alongside supervision and corporate governance, should be a key contributor to financial stability as it provides assurance on the veracity of the financial health of all companies. This assurance should reduce the risks of misstatement, and in doing so, reduce the costs of failure that would otherwise be suffered by the company s stakeholders as well as by the broader society. Researches on interrelation between risk assessment and management have attracted considerable attention of Lithuanian and foreign researchers and practitioners. The audit risk assessment problem has been addressed by a number of foreign (Eilifsen et al., 2001; Curtis and Turley, 2007; Robson et al., 2007; Waring and Morgan, 2007; Bourn, 2007; Knechel et al., 2007; Morgan, 2009) and Lithuanian authors. The value-at-risk methodology has been the subject matter of the research carried out by Kabašinskas and Toliatienė (1994, 1997); Mackevičius (2001, 2005); Puškorius (2004, 2012); Lakis (2007). Risk management issues have been addressed by Tamošiūnienė and Savčuk (2007), Linartas and Staliūnienė (2012), Klimaitienė and Kanapickienė (2009), and others. As it is evident from the analysis of the references, the issues of risk are characterised by a vast diversity of the subjects researched; the issue is significant in a number of aspects, therefore, the results of any research in the area have a wide applicability spectrum; however, risk assessment in relation to performance audit still has been investigated to only a very limited extent. Until now, no integrated research on the subject of the Lithuanian performance audit risk assessment has been carried out. The range of problems as identified above presupposes the objective of the present article, which is to examine the dynamics of the evaluation of audit risk and identify the general performance audit risk evaluation factors. Specific tasks were prescribed for the purpose of attainment of the objective defined: to discuss the general characteristics of risks and performance audit risks; to establish the relevant performance evaluation models reflecting the essence of performance audit and risk evaluation directions; to investigate the general performance audit risk factors. Methods applied included logical analysis of research works of foreign and Lithuanian researchers, comparison, specification and generalisation of information, conceptual modelling and generalisation. 222 BUSINESS SYSTEMS and ECONOMICS Risk assessment: changes in the audit methodology The analysis of economic and legal sources showed that the concept of risk has been presented in a number of different ways. COSO, 2012; Stankevičius, 2005; Robson, Humphrey, Khalifa and Jones, 2007, etc. enabled the author of the present paper to specify the concept of risk and identify its principal elements. Risk is a future event or situation with a realistic likelihood of occurring and an unfavourable consequence or impact on the successful accomplishment of well-defined goals if it occurs (COSO, 2012). According to Charette (1989), the following characteristic features of risk, as a concept, may be distinguished: 1) risk refers to the future (we are not concerned about what was happening in the past, or is happening now since we cannot change it. However, by changing our current behaviour we may expect better results in the future); 2) anticipated changes; 3) risk is inevitably related to a possibility of a choice, and at the same time with an uncertainty that is a reason for that possibility. Certain risk is inherent to any activity, and likewise to audit. For some period of time, audit companies were treating risk assessment as a separate area of activities. Some material developments in the audit methodology started becoming apparent in the eighties of the past century: the examination of financial statements prevailing at the time developed into a risk-based method. Such developments in majority of cases were related to the transition from an audit methodology based on financial statements risk to the methodology based on the performance process risk. The analysis of scientific literature (Eilifsen et al., (2001); Robson et al., (2007)) showed that the previously existing methodology did not require the auditor to acquire any high-level understanding about the strategy of the activities (business) of the auditee; though it is specifically the strategy that causes the appearance of the activity (business) risks. The knowledge about the business of the client was used to alleviate the risk potentially arising from incorrect decisions made by the auditor. A number of audit techniques have been developed for the purpose and used to obtain a required level of assurance to substantiate the auditor s opinion. The new methodology was based on the approach that anything that increases the performance (business) risk at the same increases the audit risk. This approach may be considered to represent a new paradigm that caused the appearance of new audit methodologies in research literature sources referred to in a number of ways, e.g., business risk auditing. Conventionally, most audit companies have been viewing risk assessment as a specialised area of activities. The new approach is specific in the sense that the process of risk management involves managers and employees of all levels. Table 1 summarises the principal aspects of the transformation of the approach towards risk based on the results of the research carried out by Robson et al., 2007, on the analysis of the risk management methods (COSO, 2012; Risk Management Standard ISO 31000; Risk Management guidelines, 2004). Dalia DAUJOTAITĖ. INSIGHTS ON RISK ASSESSMENT IN PERFORMANCE AUDIT 223 Table 1. Comparison of the traditional and the new performance risk assessment paradigms The traditional paradigm The new paradigm Risk assessment is carried out periodically ad Risk assessment is a continuous and permanent hoc (for cause). process. Risk identification and management of controls is Risk identification and management is a responsibility of all employees of the organisation. the responsibility of the accounting, treasury and the internal audit divisions. Fragmentation each function operates autonomously. Control is focused in order to avoid any financial risk. Concentration business/performance risk evaluation and management are concentrated and coordinated by higher level supervision bodies. Control is focused upon avoiding the unacceptable business/performance risks in order to reduce it to an acceptably low level. Business/performance risk management policy is A formal business/performance risk management not sufficiently supported on the part of the senior policy has been approved by the management of management of the company or sufficiently communicated inside the audit company internally. audit the organisation and is communicated inside the firm. Response to the risk source only after the business/ performance risk is identified. Incompetent staff is a primary source of business/ performance risk. Source: adapted from K. Robson et al. (2007) Business/performance risk is anticipated and prevented by regularly overseeing the relevant business/performance risk controls. Inefficient processes are a primary business risk source. The new approach towards risk assessment and management constitutes an integrated, strategic assessment and management of the organisation-wide risk. The concept of risk includes any event or a phenomenon that may adversely affect the ability of a company to attain the objectives of its activities and to successfully implement its strategy. Risk assessment embraces all risks, including internal and external that may prevent the organisation from achieving its objectives. An integrated organisation-wide risk management embraces the strategy, processes, technologies and knowledge with a view to evaluating and managing uncertainties that the organisation faces in its activities. In summary, it may be concluded that by focusing the attention upon the assessment and management of performance risk, the new paradigm enables the auditor not only to expediently understand the audit risk, but also to identify other potential risks or the areas in the organisation s operation cycle that should be improved and also to better understand the client s business risks and their impact upon the financial statements. The concept of performance audit risk Performance audit risk is a multidimensional concept; there is a variety of approaches, also significant differences in the definition of parameters and ratios describing it; there is no single universally recognised performance audit risk model suitable for all organisations, as the nature of operations of organisations is very different, as well as their objectives, structure and their circumstances. However, there are also some commonalities, which should be discussed more comprehensively. Comparisons between the practice of assessing performance audit risk in different countries (Lithuanian State Control, Austrian Court of Audit, National Audit Office of the UK) 224 BUSINESS SYSTEMS and ECONOMICS showed that performance auditing generally follows one of three approaches in examining the performance of the audited entity. The audit may take a result-oriented approach, which assesses whether pre-defined objectives have been achieved as intended; a problem oriented approach, which verifies and analyses the causes of a particular problem(s); or a system-oriented approach, which examines the proper functioning of management systems. Also, the audit may take a combination of the three approaches. But whichever approach is adopted, performance audit risk assessment aims are examining the economy, efficiency and effectiveness criteria of the audited entity in the performance of its functions, programmes, activities, etc. Performance audit risk is understood as an uncertainty related to the probability for the manifestation of unforeseen situations and the consequences associated thereto (Guidelines on Performance Audit Risk Analyses, 2007). Risk is a probability that under some circumstances an adverse event may actually occur and may occur at any stage of a performance audit (planning, examination phase or the follow-up monitoring, see Figure 1). Figure 1. Stages of a performance audit and the documents drawn up Source: Valstybės kontrolė (2010). Veiklos audito vadovas Risk assessment is one of actions and procedures of a performance audit process to be undertaken in a priority order. Risk assessment is undertaken in the planning stage that includes: 1) collection of information; 2) risk assessment; 3) assessment of the significant risk impacts upon the programme; 4) defining and (or) improvement of audit objectives; and 5) improvement of the audit scope, methodology, audit examination programme, audit budget and/or resources (Performance Audit Manual of the ECA, 2007; Waring and Morgan, 2007). Essentially, performance audit involves an identification of weaknesses of an entity s business that are inherent to its processes, inadequate management and weak internal controls. Also, other functions include a disclosure of possibilities for further improvement and submission of recommendations. In the business sector, services of the type are undoubtedly beneficial for each company seeking optimisation of its business processes, strengthening its controls, minimising costs and increasing its profit margins. The risk identification stage includes an evaluation of the financial significance of an item, as well as of risk factors inherent to financially relevant areas. In assessing the financial significance and the risk, an expedient approach is to assess the impact of the factors in a longer term. A financial significance of an item means its impact upon the organization: revenues, expenditures, assets and liabilities. It is an item that may produce a direct or indirect impact upon the organization. Overall, risk depends on: 1) probability of factors that may produce a negative impact upon the performance outcome; 2) impact upon the performance results. Thus, it is of utmost importance that the assessment of risk and its significance are perceived as the basis for the assessment of the each sector. Dalia DAUJOTAITĖ. INSIGHTS ON RISK ASSESSMENT IN PERFORMANCE AUDIT 225 In performing an audit and following the COSO ERM methodology (2012), a task of priority importance is to identify the risk factors related to the business of the entity. This enables the auditor to formulate his opinion of the audited entity, the areas to be audited and come up with a preliminary audit risk assessment. Risk factors include the nature and the complexity of the policy, programme and operations; diversity of the entity s objectives and tasks, consistency, clarity; appropriate operating means and their use; availability of resources; complexity of organisational structure and clear accountability structure; control systems and their quality; complexity and quality of management information, etc. (Waring and Morgan, 2007). Risk assessment is important to all functions of the performance, where it involves the use of public funds for the attainment of certain objectives. Lost opportunities to attain certain objectives may also be considered to constitute a risk factor, e.g., opportunities to improve the performance or policy efficiency. Risk factors in performance audit Performance audit always starts with an analysis of the activity risk factors according to each audit assessment criterion (economy, efficiency and/or effectiveness). While gathering and analysing the information, different questions are raised and the answers to such questions make it possible to identify the general risk factors in relation to the audit subject and the object (see Tables 2, 3 and 4). The checklist questionnaires as instruments of audit activity may be general and/or specific depending on the nature of risk or the activities carried out. An analysis of the resource risk factors from the point of view of economy requires the focus to be placed upon financial and physical resources. An indication of the economy risk is a conclusion that the costs of the resources (financial, human, material and others) used to achieve the volumes of products (services) and the level of their quality and of the overall results could have been much less than actually incurred; see Table 2. Table 2. Risk factors related to economy Objectives of economy General risk factors Minimising the cost of resources used for an activity Achieving more output (in terms of quantity) for the input 1) waste usage of resources that are not necessary for the attainment of the expected outcomes or results; 2) overpayments resources are acquired disregarding the principle of economy; 3) luxury expenses the acquired resources are of much better quality than required for the attainment of expected outcomes or results. Issues to be addressed in audit 1) does the institution acquire the required volume of resources of the required quality at a lowest price (e.g., the examination shall include the procedure for publishing public procurement calls, selection of proposals, and the assessment of the entity s possibilities to acquire the resources); 2) are the financial and physical resources used efficiently; 3) does the management activity meet the sound administration principles and advanced management practice; 4) does the institution manage its resources seeking to minimise the general costs; 5) was it possible to prepare and implement the intervention in a different way by reducing its costs; 6) are the resources procured used rather than stored; 7) is the staff used in all cases to a full extent; 8) does the organisation apply optimisation methods. Source: prepared according to Performance Audit Manual, 2007; Guidelines on Performing Performance Audit, 2004; Waring and Morgan, 2007; Daujotaitė and Mačerinskienė, 2008 22
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks