How do you assess the risk of material misstatement? How do you know when to assess inherent risk at high (or low)? Can you assess control risk at high for all assertions? What are significant risks? These are common questions about the risk assessment process.
Today we’ll discuss how auditors assess and document risk. We’ll cover:
Understanding these concepts will put money in your pocket and will result in higher quality audits.
Before picking our audit team, we need a general understanding of the entity.
We must understand the business and its control environment to determine risks at the financial statement level (I think of this as the overall risk). The overall risk will dictate our broader responses such as who the audit team will be.
Consider whether the entity has:
We also need to consider the risk of management override. This threat is always a possibility. If management is playing on the edges, consider how you will add muscle and insight to your audit team—or whether you should even perform the engagement.
Keep this thought in mind when considering financial statement level risk assessment: greater overall threats call for a stronger audit team.
In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries, and planning analytics. The information gained from those steps is the basis for assessing risk at the transaction level.
Should the transaction risk assessment be performed at the assertion level or for the transaction cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be documented.
If we assess our risk of material misstatement at high for payables (as a whole), what are we saying? That further audit procedures are necessary for all assertions. If we assess risk at high for all payable assertions, and we don’t perform audit procedures in response to the (high) risk assessment, we create an incongruity. We are saying that risk is high for all assertions, but our responses don’t agree.
Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically proposed significant journal entries to record additional payables, maybe the risk of material misstatement for the completeness assertion is high. Our audit procedures will include a search for unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit standards refer to as linkage). The remaining accounts payable assertions could possibly be assessed at low.
We can express the risk of material misstatement (RMM) as:
RMM = Inherent Risk X Control Risk
While audit standards don’t require that we assess inherent risk and control risk separately, it’s helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.
So what is inherent risk? My simple definition is the risk that exists when no controls are present. (We are not saying controls don’t exist, just that we are disregarding them as we measure inherent risk.)
Inherent risk can be a function of:
As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur assuming there are no related controls?”
Some areas are so risky that the audit standards refer to them as significant risks. These areas require special audit consideration. Significant risks relate to transactions that are complex, nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to complexity—demands extra scrutiny. The inherent risk in such areas will always be high.
Now, let’s marry inherent risk with control risk so we can determine our risk of material misstatement.
For audits of smaller entities, control risk is often assessed at high—across the board. Why? To save time. While control risk can’t be assessed at high before performing our risk assessment procedures, we can do so afterward.
Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures are still required.)
If control risk is assessed at less than high, the auditor is required to test controls to support the lower risk assessment. It may be more economical to perform substantive procedures rather than testing controls. We might, for example, be able to vouch all of the additions to property and equipment in less time than it takes to test the related controls. If this is true, we will opt to use a substantive approach (vouching all significant additions to invoices), and we will assess control risk at high.
Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is low—even if your control risk is high. How? Consider the following equation.
IR (low) X CR (high) = RMM (low or moderate)
What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also, you may not need to perform much in the way of substantive procedures–depending on your final RMM for the area.
As an example of how this works, think about a low inherent risk assessment regarding plant, property, and equipment.
Consider reviewing your risk assessments, and see if some of the inherent risk assessments will allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.
This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.
If you have suggestions for other posts, please leave a comment with your idea. Thanks.
Get my free weekly accounting and auditing digest with the latest content.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses.He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events.Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.