The business risk audit: Origins, obstacles and opportunities

Is the business risk audit a better way to assess risks leading to focused audit testing, or is it simply a tool for generating opportunities to sell nonaudit services? Many feel strongly that the latter is more representative of the manner in which business risk audits were implemented. In this paper, I argue that the development of the business risk audit methodology in the 1990s was a complex process that arose naturally from the need to compensate for the commoditization of audits that occurred in the 1980s. The contemporaneous growth of risk management theories and processes provided a powerful perspective on which to base the re-engineering of the audit. However, the process of developing and implementing business risk audits was extremely difficult and may have run up against a number of unforeseen and unmanaged obstacles, particularly in regards to the existing rituals of the traditional audit. Given that the sales culture of consulting was taking hold among auditors at about the same time, it is possible that the well-intentioned efforts to revitalize the audit process were derailed by these difficulties and then diverted to support revenue growth via nonaudit services. When Enron and ensuing scandals occurred, questions arose as to whether the business risk audit was effective, or even appropriate. Regulatory initiatives that followed from the aftermath of Enron, such as an increased focus on management incentives for fraudulent reporting and greater in-depth analysis of internal controls, may provide a viable foundation for reconsidering business risk methods and melding the best of traditional substantive audits with the best of business risk auditing.