Today we look at one of the most misunderstood parts of auditing: audit risk assessment.
Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation.
Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?
This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.
So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:
Too often auditors continue doing the same as last year (commonly referred to as SALY), no matter what. It’s more comfortable than using risk assessment.
But what if SALY is faulty or inefficient?
Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).
The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:
Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.”
In other words, we work backwards.
So, is there a better way?
Audit standards—in the risk assessment process—call us to do the following:
While we may not complete these steps in this order, we do need to perform our risk assessment procedures first (1.-4.) and then assess risk.
Okay, so what procedures should we use?
AU-C 315.06 states:
The risk assessment procedures should include the following:
I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.
Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.
First, we need to understand the entity and its environment.
The audit standards require that we understand the entity and its environment.
I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"
The answer tells me a great deal about the entity's risk.
I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.
Think of risks as threats to objectives. Your client's fears tell you what the objectives are, and what the threats are.
To understand the entity and its related threats, ask questions such as:
As with all risks, we respond based on severity. The higher the risk, the greater the response.
Audit standards require that we respond to risks at these levels:
Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.
Responses to risk at the transaction level are more specific, such as a search for unrecorded liabilities.
But before we determine responses, we must first understand the entity's controls.
We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?).
So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.
AU-C 315.14 requires that auditors evaluate the design of their client's controls and determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as for any other requirement of AU-C 315, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.
Some auditors excuse themselves from this audit requirement saying, "the entity has no controls."
All entities have some level of controls. For example, signing authority for checks is restricted to certain persons. Additionally, someone usually reviews the financial statements. And we could go on.
The AICPA has developed a practice aid that you'll find handy in identifying internal controls in small entities.
The use of walkthroughs is probably the best way to understand internal controls.
As you perform your walkthroughs, ask questions such as:
Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.
So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.
This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.
In a recent AICPA study regarding risk assessment deficiencies, 40% of the identified violations related to a failure to gain an understanding of internal controls.
Use planning analytics to shine the light on risks. How? I like to use:
In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)
You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information about first-year planning analytics, see my planning analytics post.)
Sometimes, unexplained variations in the numbers are fraud signals.
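As an added illustration of the planning analytics described above (this is example code, not from the original post), the script below compares two years of balances and management-style ratios such as gross profit margin and flags variations that exceed a threshold, so that each flagged item can be corroborated or treated as a risk indicator. The account balances, ratios and thresholds are constructed assumptions, not figures from any client.

```python
"""Planning analytics: compare current-year balances and ratios with the prior
year and flag unexplained variations for follow-up.
Added example; balances, ratio list and thresholds are constructed assumptions."""
from dataclasses import dataclass

# Constructed sample trial-balance totals (in dollars) for two years.
BALANCES = {
    "prior":   {"revenue": 1_000_000, "cost_of_sales": 650_000,
                "receivables": 120_000, "payables": 80_000},
    "current": {"revenue": 1_050_000, "cost_of_sales": 600_000,
                "receivables": 190_000, "payables": 82_000},
}


def gross_profit_margin(b):
    """(revenue - cost of sales) / revenue, one of the ratios the post mentions."""
    return (b["revenue"] - b["cost_of_sales"]) / b["revenue"]


def receivable_days(b):
    """Days of revenue tied up in receivables (constructed management metric)."""
    return b["receivables"] / b["revenue"] * 365


RATIOS = {"gross_profit_margin": gross_profit_margin,
          "receivable_days": receivable_days}


@dataclass
class Variation:
    item: str
    prior: float
    current: float
    change_pct: float
    flagged: bool


def compare(balances=BALANCES, threshold_pct=10.0, min_amount=25_000):
    """Return a Variation for every balance and ratio.  A balance is flagged
    when both its percentage change and its dollar change exceed the
    thresholds; a ratio is flagged on percentage change alone."""
    out = []
    prior, current = balances["prior"], balances["current"]
    for name in prior:
        p, c = prior[name], current[name]
        pct = (c - p) / p * 100
        flagged = abs(pct) >= threshold_pct and abs(c - p) >= min_amount
        out.append(Variation(name, p, c, pct, flagged))
    for name, fn in RATIOS.items():
        p, c = fn(prior), fn(current)
        pct = (c - p) / p * 100
        out.append(Variation(name, p, c, pct, abs(pct) >= threshold_pct))
    return out


def flagged_items(balances=BALANCES, **kw):
    """Names of the balances and ratios that need an explanation from management."""
    return [v.item for v in compare(balances, **kw) if v.flagged]


if __name__ == "__main__":
    for v in compare():
        mark = "FLAG" if v.flagged else "    "
        print(f"{mark} {v.item:<20} {v.prior:>12,.2f} {v.current:>12,.2f} {v.change_pct:>7.1f}%")
```

On the constructed data, receivables, gross profit margin and receivable days are flagged while revenue alone moves only 5%; the point is that ratios built from management's own metrics surface a variation the raw balances hide. A flagged item is a question for management, and an answer that cannot be corroborated is the fraud signal the text refers to.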
In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?
Also, we should plan procedures related to:
My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.
Have you ever noticed that some clients make the same mistakes every year? (Johnny, the controller, has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).
One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.
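The three-year summary of larger audit entries suggested above can be kept as a small dataset and queried each year. The script below is an added example, not part of the original post: it groups constructed adjusting entries by account, keeps only those at or above a size threshold, and lists the accounts that needed an entry in at least two of the last three years. The entries, accounts and threshold are constructed assumptions.

```python
"""Summary of larger audit adjustments over the last three years, used to spot
accounts the client misstates repeatedly.
Added example; the journal entries below are constructed, not from any engagement."""
from collections import defaultdict

# Constructed audit adjustments: (year, account, amount, description)
ADJUSTMENTS = [
    (2021, "Accrued liabilities", 42_000, "Unrecorded invoices found in liabilities search"),
    (2021, "Fixed assets", 15_000, "Repairs expensed that should be capitalized"),
    (2022, "Accrued liabilities", 38_500, "Unrecorded invoices found in liabilities search"),
    (2022, "Inventory", 60_000, "Count differences not booked"),
    (2023, "Accrued liabilities", 51_200, "Unrecorded invoices found in liabilities search"),
    (2023, "Fixed assets", 9_000, "Repairs expensed that should be capitalized"),
    (2023, "Revenue", 4_000, "Cutoff error at year end"),
]


def summarize(adjustments=ADJUSTMENTS, years=(2021, 2022, 2023), threshold=10_000):
    """Group adjustments at or above `threshold` by account and record which
    of the given years each account needed an entry, plus the total adjusted."""
    by_account = defaultdict(lambda: {"years": set(), "total": 0})
    for year, account, amount, _ in adjustments:
        if year in years and abs(amount) >= threshold:
            by_account[account]["years"].add(year)
            by_account[account]["total"] += abs(amount)
    return {acct: {"years": sorted(v["years"]), "total": v["total"]}
            for acct, v in by_account.items()}


def recurring_accounts(adjustments=ADJUSTMENTS, min_years=2, **kw):
    """Accounts adjusted in at least `min_years` of the years summarized:
    these are where the client tends to make the same mistake."""
    summary = summarize(adjustments, **kw)
    return sorted(a for a, v in summary.items() if len(v["years"]) >= min_years)


if __name__ == "__main__":
    for acct, info in summarize().items():
        print(f"{acct:<22} years={info['years']} total={info['total']:,}")
    print("Recurring:", recurring_accounts())
```

Lowering the threshold changes the answer: at 10,000 only accrued liabilities recur, while at 5,000 the fixed-asset capitalization error also shows up in two of three years. Choosing the threshold is a judgment about what counts as a larger entry, and the recurring list feeds directly into where to concentrate substantive procedures.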
Now it’s time to pull the above together.
Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image.
What are we bringing together? Here are examples:
Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.
How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.
Understanding the RMM formula is key to identifying high-risk areas.
What is the RMM formula?
Put simply, it is:
Risk of Material Misstatement = Inherent Risk X Control Risk
Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.
Once you have completed the risk assessment process, control risk can be assessed at high, simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time.
The inputs in audit planning include all of the above audit risk assessment procedures.
The outputs (sometimes called linkage) of the audit risk assessment process are:
We tailor the strategy and plan based on the risks.
In a nutshell, we identify risks and respond to them.
(In a future post in this series, I will provide a full article concerning the creation of audit strategy and plans.)
In my next post, we’ll take a look at the Why and How of Fraud Auditing. So, stay tuned.
If you haven’t subscribed to my blog, do so now. See below.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.