Introduction


Whilst I am writing these blogs, my mind is constantly drawn back to the start of my accountancy studies, specifically to the concept of the ‘Expectations Gap’ and so much so that it is on this that I have based the name of this series of blogs. I think that it is fair to say that while professional accountants understand the expectations gap, most would agree that more could and should be done to help our clients, Directors of businesses and others who rely on accounts to help them understand exactly what this is as much as feasibly possible.


In this series of blogs, I will aim to provide greater clarity around some key areas where differences in the expectations of auditors and businesses commonly arise, with a hope that this will help address some common issues prior to them arising and hopefully lead to some potentially significant questions which can form a starting point for further conversations.




Part 4 - A Risky Business?


All businesses are subject to a certain degree of risk, which is usually undesired but unavoidable. Risks, whether minor and significant, can arise from the activity of a business directly, the market sectors or geographical locations it operates in, laws & regulations, or any number of other sources.


One of the key responsibilities of Directors is to therefore assess where these risks exist, to determine their significance and likelihood, and to take actions to reduce these to an acceptable level. It is here where the independent, expert opinion provided by a statutory audit can be relied upon by management to help address some of these risks. It is however, important for the Directors to not solely rely on an audit to cover all business risks and there is usually a need for other measures and policies to ensure all risks are being properly controlled.


How risky can a risk be?


In order to effectively control risks, management need to undertake a risk assessment and there are numerous ways of doing this. It should however in essence result in a comprehensive list of all risks the business is exposed to, which can then form the basis for further assessment.


These risks should then be divided into those that would have a significant or minor impact, and those that are likely or unlikely to occur, which will then help management focus their attention and decide on what action if any is needed. Where risks are minor and occur infrequently, it may be decided that the business will simply accept the risk and any associated costs, but where risks are significant yet infrequent then obtaining insurance coverage for these may be a suitable course of action. Where risks are considered likely to occur, a business can establish policies and procedures to reduce their likelihood, but where even a single occurrence could be significant there should be a full and robust response which may include the use of external specialists.


Most established businesses will already have many existing procedures and subsequent actions being taken to mitigate their main risks. A number of these will usually be in the form of internal controls which can broadly be split into; prevention to stop errors arising, such as dual authorisation for bank payments, and detection to identify errors made in a timely manner so they can be rectified - such as a monthly bank reconciliation.


There are a wide variety of different procedures and actions that can be used, and selecting the best approach will be based on the individual business and circumstances. The key consideration however, is that all aspects of the risk are being addressed in some way. As discussed in other blogs within this series, the statutory audit provides a high degree of assurance but is limited to an extent in its scope and detail. It is therefore important that management understand if and to what extent it is addressing certain business risks if they are intending to rely on it as a mitigating factor.


In Summary


The first question to ask when thinking about business risk is ‘Do you know what the businesses risks are?’, Where directors are actively involved in the day to day running of a company, the answer will usually be ‘yes’. However it is far rarer to find that these have actually been recorded and fully assessed. For all businesses undertaking a formal risk assessment is a worthwhile exercise, if only to document how risks are being controlled in order to provide management with some level of peace of mind.


There is also the possibility that a review highlights previously unknown risks, or perhaps risks that are known but which are not as well controlled as first thought. This knowledge can allow management to take action to mitigate these prior to any issues arising.


As mentioned above, there are many ways of conducting a risk assessment and it may be useful to seek professional support in assisting management. Where the company has appointed auditors who have existing knowledge of the business and its systems, it is always worth seeking their external insight into the process.



If you have any questions concerning the above, or anything relating to auditing, please get in touch with your usual Rickard Luckin contact or speak to Shaun Labbett directly at shaun.labbett@rickardluckin.co.uk

Parts in this series

• Part 1: “I thought you were doing that” – A consideration of the responsibilities of both parties and importance of communication.

• Part 2: The Limitations of Statutory Audits – Highlighting the limitations of statutory audits and some areas that may not be covered by them.

• Part 3: One Size Doesn’t Fit All – A look at alternatives to statutory audit and when they may be of use to both businesses subject and not subject to audit.

• Part 4: A Risky Business – A review of the importance of identifying and mitigating business risks and how these can link with audit risks.

Still to come:

• Part 5: Materiality – An explanation of the principal of materiality, how this is calculated and why it may differ from management’s expectation.

• Part 6: Watchdogs or Bloodhounds – A discussion on the role auditors play in identifying criminal activity, fraud and deliberate errors.