In this article, Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026) shares a technical article about risk-based audit.
Introduction
Financial statements are not audited by “checking everything”. In practice, auditors use a risk-based approach: they identify what could materially go wrong, link those risks to specific financial statement assertions, and then design the right audit procedures to obtain sufficient and appropriate evidence. “Materially” means that an error or omission is significant enough to influence the decisions of users of the financial statements, meaning it has a real impact on how the financial information is interpreted.
This article explains a simple but powerful framework widely used in audit: Risks → Assertions → Procedures. It’s the logic I applied during my experience in financial audit at EY, where this methodology helps teams prioritize work, structure fieldwork, and produce clear conclusions.
The audit risk model: why “risk-based” makes sense
At a high level, auditors aim to reduce the risk of issuing an inappropriate opinion. A classic way to express this is:
Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)
- Inherent risk (IR): the risk that a material misstatement exists before considering controls (complexity, estimates, judgment, volatile business, etc.).
- Control risk (CR): the risk that internal controls fail to prevent or detect a misstatement.
- Detection risk (DR): the risk that audit procedures fail to detect a misstatement that exists.
In practice, when IR and/or CR are high, auditors respond by lowering DR through stronger procedures: more evidence, better targeting, larger samples, more reliable sources, and more experienced review.
Materiality: focusing on what matters
Because financial statement users care about decisions, audit planning relies on materiality (and performance materiality) to size the work. Materiality helps answer:
- What could influence users’ decisions?
- Which line items/disclosures require deeper work?
- What magnitude of error becomes unacceptable?
This is also why “risk-based” is essential: the audit effort is scaled to what is material and risky, not what is merely easy to test.
Assertions: translating accounting lines into “what could be wrong”
Assertions are management’s implicit claims behind each number. Auditors use them to define the nature of possible misstatements. The most common are:
- Existence / Occurrence: the asset/revenue is real and actually happened
- Completeness: nothing important is missing
- Rights & obligations: the entity truly owns/owes it
- Valuation / Accuracy: amounts are measured correctly (estimates, provisions…)
- Cut-off: recorded in the correct period
- Presentation & disclosure: correctly described and disclosed
This is a key step: a “risk” becomes actionable only when you connect it to one (or several) assertions.
From risk to procedures: the core workflow
A practical “risk-based audit” workflow looks like this:
- Firstly: Identify significant risks (business model, incentives, complexity, unusual transactions, estimates, prior year issues).
- Secondly: Map each risk to assertions (e.g., revenue fraud risk → occurrence, cut-off).
- Thirdly: Choose the response: 1) Tests of controls (TOC) if relying on internal controls; 2) Substantive tests (analytical procedures + tests of details).
- Finally: Execute, document, conclude: evidence must be sufficient, appropriate, and consistent.
Concrete examples: what we do in practice
Example 1: Revenue recognition
Typical risks: overstated revenue, early recognition, fictitious sales, side agreements. Key assertions: occurrence, cut-off, accuracy, presentation.
Common procedures:
- Analytical review (trends, margins, monthly patterns) to spot anomalies
- Cut-off testing around year-end (invoices, delivery notes, contracts)
- Tests of details on samples (supporting documents, customer confirmations when relevant)
- Review of revenue recognition policy and contract terms (IFRS 15 logic, performance obligations)
Example 2: Inventory (valuation and existence)
Typical risks: obsolete stock, wrong costing, missing inventory, poor count controls. Key assertions: existence, valuation, completeness, rights.
Common procedures:
- Attendance/observation of physical inventory count
- Reconciliation count-to-ERP, and ERP-to-FS
- Price testing, cost build-up testing, NRV/obsolescence analysis
- Movement testing and cut-off around receiving/shipping
Example 3: Provisions & estimates (judgment-heavy)
Provisions and estimates refer to amounts recorded in the accounts for obligations or future events that are uncertain but likely enough to require recognition, which means management must use judgment to estimate their value based on the best information available.
Typical risks: management bias, under/over provisioning, inconsistent assumptions. Key assertions: valuation, completeness, presentation.
Common procedures:
- Understanding process + key assumptions and governance
- Back-testing prior-year estimates vs actual outcomes
- Sensitivity analysis on assumptions (rates, volumes, timelines)
- Lawyer letters / review of claims, contracts, contingencies
Conclusion
Risk-based audit is more than a buzzword: it’s the method that turns financial statement complexity into a structured plan. By linking risks to specific assertions, auditors can design procedures that are both efficient and defensible, especially under time pressure and tight deadlines.
Why should I be interested in this post?
If you are interested in audit, accounting, corporate finance, or risk, understanding the risk-based approach is foundational. It explains how auditors prioritize, how they challenge information, and why audit work is ultimately about building confidence in financial reporting through evidence.
About the author
The article was written in December 2025 by Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026).