Risk-based Audit: From Risks to Assertions to Audit Procedures

Iris ORHAND

In this article, Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026) shares a technical article about risk-based audit.

Introduction

Financial statements are not audited by “checking everything”. In practice, auditors use a risk-based approach: they identify what could materially go wrong, link those risks to specific financial statement assertions, and then design the right audit procedures to obtain sufficient and appropriate evidence. “Materially” means that an error or omission is significant enough to influence the decisions of users of the financial statements, meaning it has a real impact on how the financial information is interpreted.

This article explains a simple but powerful framework widely used in audit: Risks → Assertions → Procedures. It’s the logic I applied during my experience in financial audit at EY, where this methodology helps teams prioritize work, structure fieldwork, and produce clear conclusions.

The audit risk model: why “risk-based” makes sense

At a high level, auditors aim to reduce the risk of issuing an inappropriate opinion. A classic way to express this is:

Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

  • Inherent risk (IR): the risk that a material misstatement exists before considering controls (complexity, estimates, judgment, volatile business, etc.).
  • Control risk (CR): the risk that internal controls fail to prevent or detect a misstatement.
  • Detection risk (DR): the risk that audit procedures fail to detect a misstatement that exists.

In practice, when IR and/or CR are high, auditors respond by lowering DR through stronger procedures: more evidence, better targeting, larger samples, more reliable sources, and more experienced review.

Materiality: focusing on what matters

Because financial statement users care about decisions, audit planning relies on materiality (and performance materiality) to size the work. Materiality helps answer:

  • What could influence users’ decisions?
  • Which line items/disclosures require deeper work?
  • What magnitude of error becomes unacceptable?

This is also why “risk-based” is essential: the audit effort is scaled to what is material and risky, not what is merely easy to test.

Assertions: translating accounting lines into “what could be wrong”

Assertions are management’s implicit claims behind each number. Auditors use them to define the nature of possible misstatements. The most common are:

  • Existence / Occurrence: the asset/revenue is real and actually happened
  • Completeness: nothing important is missing
  • Rights & obligations: the entity truly owns/owes it
  • Valuation / Accuracy: amounts are measured correctly (estimates, provisions…)
  • Cut-off: recorded in the correct period
  • Presentation & disclosure: correctly described and disclosed

This is a key step: a “risk” becomes actionable only when you connect it to one (or several) assertions.

From risk to procedures: the core workflow

A practical “risk-based audit” workflow looks like this:

  • Firstly: Identify significant risks (business model, incentives, complexity, unusual transactions, estimates, prior year issues).
  • Secondly: Map each risk to assertions (e.g., revenue fraud risk → occurrence, cut-off).
  • Thirdly: Choose the response: 1) Tests of controls (TOC) if relying on internal controls; 2) Substantive tests (analytical procedures + tests of details).
  • Finally: Execute, document, conclude: evidence must be sufficient, appropriate, and consistent.

Concrete examples: what we do in practice

Example 1: Revenue recognition

Typical risks: overstated revenue, early recognition, fictitious sales, side agreements.

Key assertions: occurrence, cut-off, accuracy, presentation.

Common procedures:

  • Analytical review (trends, margins, monthly patterns) to spot anomalies
  • Cut-off testing around year-end (invoices, delivery notes, contracts)
  • Tests of details on samples (supporting documents, customer confirmations when relevant)
  • Review of revenue recognition policy and contract terms (IFRS 15 logic, performance obligations)

Example 2: Inventory (valuation and existence)

Typical risks: obsolete stock, wrong costing, missing inventory, poor count controls.

Key assertions: existence, valuation, completeness, rights.

Common procedures:

  • Attendance/observation of physical inventory count
  • Reconciliation count-to-ERP, and ERP-to-FS
  • Price testing, cost build-up testing, NRV/obsolescence analysis
  • Movement testing and cut-off around receiving/shipping

Example 3: Provisions & estimates (judgment-heavy)

Provisions and estimates refer to amounts recorded in the accounts for obligations or future events that are uncertain but likely enough to require recognition, which means management must use judgment to estimate their value based on the best information available.

Typical risks: management bias, under/over provisioning, inconsistent assumptions.

Key assertions: valuation, completeness, presentation.

Common procedures:

  • Understanding process + key assumptions and governance
  • Back-testing prior-year estimates vs actual outcomes
  • Sensitivity analysis on assumptions (rates, volumes, timelines)
  • Lawyer letters / review of claims, contracts, contingencies

Conclusion

Risk-based audit is more than a buzzword: it’s the method that turns financial statement complexity into a structured plan. By linking risks to specific assertions, auditors can design procedures that are both efficient and defensible, especially under time pressure and tight deadlines.

Why should I be interested in this post?

If you are interested in audit, accounting, corporate finance, or risk, understanding the risk-based approach is foundational. It explains how auditors prioritize, how they challenge information, and why audit work is ultimately about building confidence in financial reporting through evidence.

About the author

The article was written in December 2025 by Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026).


My apprenticeship experience as a Junior Financial Auditor at EY

Iris ORHAND

In this article, Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026) shares her professional experience as a Junior Financial Auditor at Ernst & Young.

About the company

EY (Ernst & Young) is one of the “Big Four” professional services firms, supporting companies across audit, consulting, strategy, tax, and transactions. In audit, EY’s mission is to provide reasonable assurance on financial statements, bringing together financial analysis, an understanding of risks, internal control review, and clear, structured documentation to back audit opinions and reinforce stakeholder trust. Today, the firm brings together nearly 400,000 professionals across more than 150 countries and generated around USD 51.2 billion in revenue in its 2024 fiscal year.


My internship

In 2024, I joined EY in Paris La Défense as a Junior Financial Auditor on a 12-month apprenticeship. This experience gave me hands-on exposure to the audit cycle, from planning to fieldwork to final deliverables, and helped me understand how auditors balance technical rigor, deadlines, and client interaction.

My missions

Over the year, I worked on the financial analysis of seven companies, ranging from €10 million to €1.5 billion in revenue. I was part of a business unit focused on associations and the public sector, which allowed me to discover organizations with very different missions and financial setups. My largest and longest engagement was with Universal, where I really had the chance to follow a full audit cycle and understand how such a large structure operates. On a daily basis, I reviewed financial statements like the P&L, balance sheet and cash flow, identified unusual trends, dug into variances, and tried to understand the story behind the numbers. I also prepared financial analyses and draft audit conclusions for internal teams as well as for client discussions.

Even though my main focus was on the non-profit and public sector, EY gives motivated juniors the chance to work with other business units from time to time, and I really wanted to take advantage of that. Thanks to this, I was able to join a mission in the defense sector for Thales, which was a completely different environment and pushed me to adapt quickly and broaden my understanding of industry-specific risks.

Throughout the year, I relied a lot on audit tools and automation, using audit software, macros and advanced Excel to structure testing, make our work more traceable, and gain efficiency during busy periods. I was also involved in internal control assessments and risk management topics, which helped me understand how processes and day-to-day workflows can directly impact the reliability of financial reporting. I also participated in reviewing management forecasts, comparing them with historical results, challenging assumptions and pointing out areas where further evidence was needed. Overall, this experience helped me build a strong analytical mindset and gave me a much clearer view of how different types of organizations operate behind their financial statements.

Required skills and knowledge

This role required a combination of both hard and soft skills, and I quickly realized how important it was to balance the two. On the technical side, I relied a lot on advanced Excel, basic automation and macro logic, and a structured approach to financial analysis. A solid understanding of accounting fundamentals was essential, as well as developing strong documentation habits to keep our work clear, traceable, and easy for reviewers to follow. But beyond the technical knowledge, soft skills mattered just as much, if not more. Attention to detail was key, as was maintaining a sense of professional skepticism without falling into mistrust. Clear and calm communication helped a lot, especially when dealing with tight deadlines or last-minute requests during busy periods. I also learned how important it is to be pedagogical and professional with clients. Sometimes, audit questions can make clients feel like they are being challenged or judged, even when that’s not the intention. Taking the time to explain why we need certain information, reassuring them, and keeping the conversation constructive made the whole process smoother and helped build trust. Overall, this mix of technical rigor and human sensitivity was at the core of the role.

What I learned

This apprenticeship strengthened my ability to turn raw financial data into meaningful audit insights. Over time, I became much more comfortable linking business reality to accounting outcomes, understanding why a number moved, what it implied, and what kind of evidence was needed to support it. I also learned to think with a risk-based mindset, focusing my attention on the areas that had the greatest impact on the reliability of the financial statements. Finally, working under tight deadlines taught me how to stay organized and efficient while still maintaining high quality standards and keeping my work clear and ready for review. This combination of technical understanding, prioritization, and discipline is something I really developed throughout the year.

Financial concepts related to my internship

I present below three financial concepts related to my internship: financial statement analysis, internal control and audit risk, and forecasts, assumptions and professional skepticism.

Financial statement analysis

Audit work involves understanding not only the numbers, but also the story behind them and the operational reality that drives financial performance. Financial statement analysis played a central role throughout my apprenticeship. Trend analysis, ratio analysis, and variance explanations were essential tools to detect anomalies, identify risks, and guide the direction of our testing. By comparing periods, analyzing shifts in key indicators, and questioning unusual movements, I learned to form a more accurate picture of how an organisation truly operates.

This analytical process goes far beyond reading figures. It requires understanding the client’s business model, the context behind certain decisions, and the internal processes that ultimately shape the financial statements. Through this approach, I learned to prioritize the most sensitive areas, challenge assumptions that did not align with expectations, and connect accounting outcomes to the real functioning of the organisation. This ability to translate raw numbers into meaningful insights became one of the most valuable skills I developed during the apprenticeship.

Internal control and audit risk

Internal control quality plays a key role in shaping audit strategy. Throughout my apprenticeship, I saw how understanding a client’s processes, identifying where the risks lie, and evaluating the controls in place helps determine the likelihood of misstatements. When controls are strong and consistently applied, the risk is lower, which allows auditors to adjust their testing. When controls are weak or not operating as intended, the audit must be more detailed and rely on additional evidence.

In practice, this involved mapping processes, speaking with client teams, and observing how transactions were handled on a daily basis. It also required professional judgment to identify the areas where real vulnerabilities might exist. This experience helped me understand how internal control and audit risk are linked, and how this relationship influences the entire audit approach.

Forecasts, assumptions and professional skepticism

Comparing forecasts with historical figures is a practical way to assess the reasonableness of management’s assumptions, whether they relate to growth, margins, or cash generation. This exercise helps identify when projections are aligned with past performance and market dynamics, and when they seem overly optimistic or require stronger supporting evidence. It is also a direct application of professional skepticism, since the auditor must question the logic behind the assumptions without falling into mistrust. Over time, this analysis strengthens judgment and helps determine what is reasonable, what needs to be challenged, and where additional documentation or explanations are necessary.

Why should I be interested in this post?

This experience is especially valuable for anyone interested in audit, accounting, corporate finance, risk, or advisory. It gave me a strong understanding of financial statements, but also taught me discipline, structure, and a more analytical way of thinking. Throughout the year, I learned how to interpret numbers in a real-life context, how to stay organised under pressure, and how to communicate clearly with both clients and team members. What I liked is that these skills are not limited to audit. They can be applied in many areas such as transaction services, FP&A, or even banking. Being able to analyze financial data, understand risks, and form a well-reasoned judgment is useful in almost any finance role, which makes this apprenticeship a great foundation for whatever comes next in a finance-related career.

About the author

The article was written in December 2025 by Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026).


My apprenticeship experience as an Executive Assistant in Internal Audit (Inspection Générale) at Bpifrance

Iris ORHAND

In this article, Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026) shares her professional experience as an Executive Assistant in Internal Audit (Inspection Générale) at Bpifrance (January – December 2025).

About the company

Bpifrance is France’s public investment bank, created in 2012 through the merger of several state-backed institutions, and today it plays a central role in financing and supporting French companies at every stage of their development. With around €60 billion deployed in 2024 and a workforce of roughly 2,300 employees, Bpifrance combines public policy objectives with financial expertise to help businesses innovate, grow, and expand internationally. Its mission goes far beyond lending, as it also provides guarantees, equity investments, innovation funding, export support, and advisory services, making it a one-stop partner for entrepreneurs. Because it operates at the intersection of public funds and financial markets, strong governance and a solid control environment are essential, which is why functions such as Risk, Compliance, Internal Control and Internal Audit play a crucial role in ensuring responsible decision-making, transparency and the long-term protection of public interests.


My internship

In 2025, I completed a 12-month apprenticeship as an Executive Assistant in the Internal Audit Department, known at Bpifrance as “Inspection Générale”. This department is responsible for independently assessing the quality of the bank’s processes, controls and risk management, and for providing recommendations to strengthen the organization’s overall governance. My role combined operational coordination, process improvement and analytical support, which gave me practical exposure to how an internal audit function prepares and delivers missions, follows strict methodologies and ensures the consistency and quality of its work. Through this experience, I had the opportunity to see how internal auditors challenge processes, analyze risks, and help the organization operate more securely and efficiently.

My missions

During my apprenticeship, I contributed to the strategic optimization of internal audit processes, participated in internal audit missions, developed indicators and reporting tools, and implemented and executed a new internal audit quality review process, which is now used to assess the work of more than 30 internal auditors at each end-of-mission review period.

Required skills and knowledge

This role required a combination of both hard and soft skills, and I quickly realized how important it was to balance the two. On the technical side, I relied a lot on advanced Excel, basic automation and macro logic, and a structured approach to financial analysis. A solid understanding of accounting fundamentals was essential, as well as developing strong documentation habits to keep our work clear, traceable, and easy for reviewers to follow. But beyond the technical knowledge, soft skills mattered just as much, if not more. Attention to detail was key, as was maintaining a sense of professional skepticism without falling into mistrust. Clear and calm communication helped a lot, especially when dealing with tight deadlines or last-minute requests during busy periods. I also learned how important it is to be pedagogical and professional with clients. Sometimes, audit questions can make clients feel like they are being challenged or judged, even when that’s not the intention. Taking the time to explain why we need certain information, reassuring them, and keeping the conversation constructive made the whole process smoother and helped build trust. Overall, this mix of technical rigor and human sensitivity was at the core of the role.

What I learned

During the year, I contributed to several projects aimed at improving both efficiency and audit quality within the Internal Audit Department. I worked on initiatives that strengthened the organization and standardization of internal audit processes, which helped teams work more consistently across missions. I also took part in internal audit assignments, supporting the different steps of the mission lifecycle and helping prepare and structure the deliverables. Another part of my work involved developing indicators and reporting tools to give management better visibility over activity levels, deadlines and key metrics. Finally, I helped implement and run a new internal audit quality review process, now used by more than thirty internal auditors, which significantly improved consistency, clarity and review readiness across the department.

Financial concepts related to my internship

I present below three financial concepts related to my internship: credit risk and portfolio quality, liquidity risk, and market risk.

Credit risk and portfolio quality

Credit risk refers to the possibility that a borrower may be unable to meet its obligations, which makes it one of the core risks for any bank. In internal audit, the objective is not to take or challenge credit decisions, but to assess whether the credit process itself is robust and well controlled. This involves reviewing how credit approvals are granted, whether delegation levels are respected, and whether all required documentation is complete, coherent and properly justified. Internal Audit also examines how exposures are monitored over time, looking at the quality of follow-up procedures, the detection of early warning indicators and the responsiveness of teams when a situation starts to deteriorate. Together, these elements help determine whether the bank’s credit processes provide a reliable framework for managing risk and maintaining a healthy loan portfolio.

Liquidity risk

Liquidity risk refers to the possibility that a financial institution may not be able to meet its short-term obligations when they fall due. In traditional banks, this risk is often linked to customer deposits, which can fluctuate and create sudden funding pressures. At Bpifrance, liquidity risk exists as well, but in a different form. The organisation does not rely on retail deposits and instead operates with stable funding sources such as the State, the Caisse des Dépôts or long-term market issuances. This structure makes liquidity risk generally less acute than in commercial banks. However, it remains a critical area because Bpifrance must still manage significant cash outflows related to loans, guarantees and investment operations, and must ensure that its funding plans and liquidity buffers remain robust and aligned with its long-term missions.

Market risk

Market risk is the risk of losses arising from changes in market variables such as interest rates, exchange rates or the value of financial assets. In many banks, it is closely linked to trading activities and exposure to volatile financial markets. At Bpifrance, market risk is present but within a much narrower scope. The institution does not operate trading desks and does not take speculative positions. Instead, its exposure comes from treasury management, the valuation of certain financial instruments and, more importantly, the evolution of the value of its equity investments. For this reason, market risk at Bpifrance is less about short-term volatility and more about the prudent management of long-term financial assets and the stability of the institution’s balance sheet over time.

Why should I be interested in this post?

This role is highly relevant for students interested in risk, governance, internal control, compliance, audit or operational excellence. It provides a concrete view of how financial institutions identify vulnerabilities, strengthen their control environment and improve resilience over time. Working at Bpifrance also adds a meaningful dimension to the experience, because the organisation supports the French economy and operates with a clear public mission. It is also known as a responsible employer with strong working conditions and a culture that values collaboration, learning and employee wellbeing. Altogether, this makes the experience both professionally valuable and personally rewarding.

About the author

The article was written in December 2025 by Iris ORHAND (ESSEC Business School, Global Bachelor in Business Administration (GBBA), 2021-2026).
