Define the Concept of Project Risk Audit
An audit can be defined as an evaluation of a person, organisation, system, process, enterprise, project or product. A quality risk audit is a systematic, independent and documented process of examining an activity of an organisation, based on objective evidence. Internal risk auditing helps an organisation achieve its targets by developing an orderly, closely controlled approach to calculate and improve the effectiveness of risk management, administration, and authorised processes. Now let us analyse why we need to perform a project risk audit.
Project risk audits are performed to monitor whether the project is on track and defect free. They ensure the correct functioning of the processes. These audits should be objective because the project's wellbeing is at stake. A risk audit examines and documents the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process. The task of the project manager is to certify that the risk audits are performed at the correct frequency, as defined in the risk management plan. The layout for the audit and its objectives should be clearly defined before the audit is conducted. To conduct a project risk audit, risk auditors are required. Let us study the role of risk auditors.
Deciding the risk auditor
The initial step in project risk audits is to allocate someone to take on the role of project auditor. Ideally, the project manager would be in charge of this. If this person is not objective, or if the stakeholders are relying on this project, an external auditor is hired or an audit organisation is approached.
Components of audit risk
Audit risk: It refers to the auditor's readiness to accept that the financial statements may be materially misstated after the audit is completed and a clear opinion is given. If the auditor decides to lower audit risk, he has to ensure that the financial statements are not materially misstated.
AR = IR x CR x DR
where AR is audit risk, IR is inherent risk, CR is control risk, and DR is detection risk, the conditional possibility that the auditor does not detect a material misstatement in the project.
Inherent risk: It refers to the auditor's assessment that there may be a material misstatement related to the assertion in the financial statements under audit. The evaluation of inherent risk (and also control risk) is an exercise that requires professional judgement on the part of the auditor. Hence, two auditors evaluating the same organisation may assess the inherent and control risks differently, but it is to be expected that their assessments should be in the same area.
Control risk: It refers to the risk that the client's internal control policies and actions fail to distinguish or prevent a material misstatement from occurring. Control risk is out of the hands of the auditor; however, its extent can be assessed.
Detection risk: If the detection risk is high, the auditor is willing to accept a high detection risk and will do less substantive testing than in a situation where the detection risk is lower. It is important to note that while detection risk can be modified at the auditor's discretion, inherent risk and control risk exist independently in the audit.