In this post, I address whether auditors should assess the risk of material misstatement at the assertion level.
Assertion Level or Transaction Level Assessments
Should auditors assess the risk of material misstatement at the assertion level? Or is it better assess risk at the transaction level (for example, all cash assertions are assigned a moderate level of risk)? Those who assess risk at the transaction level think they are saving time. But are they? It might be more effective and economical to assess risk for each individual assertion.
Assess the Risk of Material Misstatement at the Assertion Level
Why should you assess the risk of material misstatement at the assertion level? In two words: effectiveness and efficiency.
We know the purpose of risk assessment is to design responsive audit procedures. When the auditor identifies risk at the assertion level, that person is better able to build effective responses. Therefore, it is wise to avoid assessing risk at the transaction level.
- Assessing risk at the transaction level may lead to unnecessary work
- Assessing risk at the transaction level results in assessing irrelevant assertions
Risk Assessment for Accounts Payable — An Example
Suppose, for example, the auditor assesses risk at the transaction level, assessing all accounts payable assertions with a high risk of material misstatement. What does this mean? It means the auditor should perform further audit procedures to respond to the high risk assessments for all assertions. Why? The risk assessment for valuation, existence, rights and obligations, completeness, and all other assertions is high. Logically, substantive procedures must now address all of those risks. And, obviously, this is not efficient. Moreover, some of the assertions might not be relevant such as valuation. So why create audit steps for irrelevant assertions?
Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor will create substantive procedures that respond to the risk that payables are not complete such as conducting a search for unrecorded liabilities. (This is normally appropriate since the directional risk for liabilities is an understatement.) Additionally, the auditor may not perform some existence procedures such as sending vendor confirmations. Why? The existence assertion deals with potential overstatement issues, not understatement.
Do you see the advantage? Rather than using a scattered approach—let’s audit everything—the auditor pinpoints his audit procedures. Assertion level risk leads you to assertion level procedures. This is more effective and efficient.
Assertion Level Risk
Before we delve deeper, let’s answer two questions: What is the definition of assertion level risk? And what is a relevant assertion?
Assertion level risk is the probability that a risk of material misstatement is present for a particular assertion. The risks are the result of the nature of the account balance, transaction balance, and disclosure (inherent risk) and the related controls (control risk). Complex transaction areas without appropriate controls, for example, are more likely to be misstated.
A relevant assertion is one that has a meaningful bearing upon whether the account balance, transaction balance, and disclosure is appropriately stated or communicated. The existence assertion for cash has a meaningful bearing upon whether the balance is properly stated. It is therefore, relevant. The valuation assertion, by contrast, is normally not relevant when a company has no foreign currencies.
Now, let’s examine assertion level risk in light of a receivables example.
Assessing Risk at Assertion Level for Receivables — An Example
Each financial statement account balance, transaction cycle, and disclosure has relevant assertions. For example, a company asserts that its accounts receivable balance is correctly stated at $2,105,012. This means the company asserts at least two things: the existence of the balance is real and the valuation of the balance is correct. Thus, we have at least two assertions in play: existence and valuation. Since these two assertions are relevant, we need to define the assertion level risk for each.
The assertion level risk for existence is that not all of the receivable balance is real. Maybe $300,000 of the total is an intentional overstatement by management. This is a fraud risk, and it affects the assertion level risk assessment for existence.
The assertion level risk for valuation is that the allowance for uncollectible is improperly stated. Maybe the valuation is intentionally understated at $100,000 but the true amount is $350,000. This is a fraud risk, and it affects the assertion level risk assessment for valuation.
The risk of material misstatement for each assertion is made up of two risks: inherent risk and control risk. Let’s pretend, in this receivables example, that control risk is assessed at high. Based on the fraud risks mentioned in the previous two paragraphs, the auditor would assess inherent risk at high. So control risk and inherent risk are assessed at high, resulting in a high risk of material misstatement for the existence and valuation assertions. This is an example of assessing risk at the assertion level.
But, as we are about to see, some auditors bypass risk assessment, thinking it a waste of time.
Planners or Doers
Some auditors are planners. Some are doers.
The planners like to perform risk assessment procedures—such as reviewing internal controls and preliminary analytics. They want to know where the risks are before they plan and perform substantive procedures.
But the doers say, “Let’s get on with it.” These folks like a balance sheet audit approach. They see value in procedures such as sending debt confirmations, searching for unrecorded liabilities, and vouching additions to fixed assets.
If I, on the first day of the audit, perform substantive procedures such as reviewing year-end bank reconciliations or sending receivable confirmations, then I am a doer. The audit standards do not smile upon this disposition. Why? Because those standards call for the following (and in this order):
- Perform risk assessment procedures
- Assess risks of material misstatement
- Create an audit plan
- Perform the audit plan
- Consider whether the initial risk assessment and audit plan is appropriate (if not, amend it)
Many auditors start with step 4. Why? Because we think we already know what the risks are. Or worse yet, we are just doing the same as last year without considering current-year risk.
And some of the hurry to perform substantive procedures leads to a lack of regard for risk assessment.
Linkage with Further Audit Procedures
So why do auditors assess risk at the transaction level and not the assertion level? Sometimes, it’s because we plan to do the same as last year without considering risks. And we think it’s a waste of time to document risk assessments. Such thinking is dangerous and not in the spirit of the audit standards.
Some firms say to me, “I know I over-audit, but I’m not sure how to lessen what I do.” And then they say, “How can I reduce my time and still perform a quality audit?”
My answer: “Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailor—yes, change the audit program—to address the risks. And slap yourself every time you even think about same as last year.”
After your risk assessment is complete, link it to your further audit procedures.
A good auditor does the following: identify, assess, plan, perform. First, we identify risk with risk assessment procedures. Second, we assess the risks, whether they are high or low, so we can see what needs attention. Third, we plan our response by preparing our audit program and linking it to our risk assessment. And fourth, we perform the planned procedures. That’s auditing in a nutshell.
Part of risk assessment is assessing risks at the assertion level (the focus of this article) so we can properly plan the audit.
And what are the benefits of assessing risk at the assertion level?
- We think more and work less
- We make higher profits in our engagements
- We audit in conformity with professional standards
In addition to assertion level risks, consider financial statement level risks.
Risks at the Financial Statement Level
Financial statements have financial statement level risks such as management override or the intentional overstatement of revenues. These sometimes affect assertion level risk. For example, the intentional overstatement of revenues has a direct effect upon the existence assertion for receivables and the occurrence assertion for revenues. Therefore, even when you identify financial statement level risks, consider whether they might affect assertion level risks as well.
Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting risks at the assertion level. The payoff: potentially less time performing substantive procedures, but, at a minimum, you are auditing in conformity with professional standards.