Risk of Material Misstatement at the Assertion Level

By Charles Hall | Accounting and Auditing

In this post, I address whether auditors should assess the risk of material misstatement at the assertion level. 

Assertion Level or Transaction Level Assessments

Should auditors assess the risk of material misstatement at the assertion level? Or is it better assess risk at the transaction level (for example, all cash assertions are assigned a moderate level of risk)? Those who assess risk at the transaction level think they are saving time. But are they? It might be more effective and economical to assess risk for each individual assertion. 

Assess the Risk of Material Misstatement at the Assertion Level

Why should you assess the risk of material misstatement at the assertion level? In two words: effectiveness and efficiency. 

We know the purpose of risk assessment is to design responsive audit procedures. When the auditor identifies risk at the assertion level, that person is better able to build effective responses. Therefore, it is wise to avoid assessing risk at the transaction level.

Why? 

• Assessing risk at the transaction level may lead to unnecessary work
• Assessing risk at the transaction level results in assessing irrelevant assertions

Risk Assessment for Accounts Payable — An Example

Suppose, for example, the auditor assesses risk at the transaction level, assessing all accounts payable assertions with a high risk of material misstatement. What does this mean? It means the auditor should perform further audit procedures to respond to the high risk assessments for all assertions. Why? The risk assessment for valuation, existence, rights and obligations, completeness, and all other assertions is high. Logically, substantive procedures must now address all of those risks. And, obviously, this is not efficient. Moreover, some of the assertions might not be relevant such as valuation. So why create audit steps for irrelevant assertions?

Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor will create substantive procedures that respond to the risk that payables are not complete such as conducting a search for unrecorded liabilities. (This is normally appropriate since the directional risk for liabilities is an understatement.) Additionally, the auditor may not perform some existence procedures such as sending vendor confirmations. Why? The existence assertion deals with potential overstatement issues, not understatement. 

Do you see the advantage? Rather than using a scattered approach—let’s audit everything—the auditor pinpoints his audit procedures. Assertion level risk leads you to assertion level procedures. This is more effective and efficient. 

Assertion Level Risk

Before we delve deeper, let’s answer two questions: What is the definition of assertion level risk? And what is a relevant assertion?

Assertion level risk is the probability that a risk of material misstatement is present for a particular assertion. The risks are the result of the nature of the account balance, transaction balance, and disclosure (inherent risk) and the related controls (control risk). Complex transaction areas without appropriate controls, for example, are more likely to be misstated. 

A relevant assertion is one that has a meaningful bearing upon whether the account balance, transaction balance, and disclosure is appropriately stated or communicated. The existence assertion for cash has a meaningful bearing upon whether the balance is properly stated. It is therefore, relevant. The valuation assertion, by contrast, is normally not relevant when a company has no foreign currencies.  

Now, let’s examine assertion level risk in light of a receivables example. 

Assessing Risk at Assertion Level for Receivables — An Example

Each financial statement account balance, transaction cycle, and disclosure has relevant assertions. For example, a company asserts that its accounts receivable balance is correctly stated at $2,105,012. This means the company asserts at least two things: the existence of the balance is real and the valuation of the balance is correct. Thus, we have at least two assertions in play: existence and valuation. Since these two assertions are relevant, we need to define the assertion level risk for each. 

The assertion level risk for existence is that not all of the receivable balance is real. Maybe $300,000 of the total is an intentional overstatement by management. This is a fraud risk, and it affects the assertion level risk assessment for existence. 

The assertion level risk for valuation is that the allowance for uncollectible is improperly stated. Maybe the valuation is intentionally understated at $100,000 but the true amount is $350,000. This is a fraud risk, and it affects the assertion level risk assessment for valuation. 

The risk of material misstatement for each assertion is made up of two risks: inherent risk and control risk. Let’s pretend, in this receivables example, that control risk is assessed at high. Based on the fraud risks mentioned in the previous two paragraphs, the auditor would assess inherent risk at high. So control risk and inherent risk are assessed at high, resulting in a high risk of material misstatement for the existence and valuation assertions. This is an example of assessing risk at the assertion level.

But, as we are about to see, some auditors bypass risk assessment, thinking it a waste of time.

Planners or Doers

Some auditors are planners. Some are doers. 

The planners like to perform risk assessment procedures—such as reviewing internal controls and preliminary analytics. They want to know where the risks are before they plan and perform substantive procedures. 

But the doers say, “Let’s get on with it.” These folks like a balance sheet audit approach. They see value in procedures such as sending debt confirmations, searching for unrecorded liabilities, and vouching additions to fixed assets. 

If I, on the first day of the audit, perform substantive procedures such as reviewing year-end bank reconciliations or sending receivable confirmations, then I am a doer. The audit standards do not smile upon this disposition. Why? Because those standards call for the following (and in this order):

1. Perform risk assessment procedures
2. Assess risks of material misstatement
3. Create an audit plan
4. Perform the audit plan
5. Consider whether the initial risk assessment and audit plan is appropriate (if not, amend it)

Many auditors start with step 4. Why? Because we think we already know what the risks are. Or worse yet, we are just doing the same as last year without considering current-year risk.

And some of the hurry to perform substantive procedures leads to a lack of regard for risk assessment. 

Linkage with Further Audit Procedures

So why do auditors assess risk at the transaction level and not the assertion level? Sometimes, it’s because we plan to do the same as last year without considering risks. And we think it’s a waste of time to document risk assessments. Such thinking is dangerous and not in the spirit of the audit standards.

Some firms say to me, “I know I over-audit, but I’m not sure how to lessen what I do.” And then they say, “How can I reduce my time and still perform a quality audit?” 

My answer: “Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailor—yes, change the audit program—to address the risks. And slap yourself every time you even think about same as last year.”

After your risk assessment is complete, link it to your further audit procedures.

A good auditor does the following: identify, assess, plan, perform. First, we identify risk with risk assessment procedures. Second, we assess the risks, whether they are high or low, so we can see what needs attention. Third, we plan our response by preparing our audit program and linking it to our risk assessment. And fourth, we perform the planned procedures. That’s auditing in a nutshell.

Part of risk assessment is assessing risks at the assertion level (the focus of this article) so we can properly plan the audit.

And what are the benefits of assessing risk at the assertion level? 

• We think more and work less
• We make higher profits in our engagements
• We audit in conformity with professional standards

In addition to assertion level risks, consider financial statement level risks. 

Risks at the Financial Statement Level

Financial statements have financial statement level risks such as management override or the intentional overstatement of revenues. These sometimes affect assertion level risk. For example, the intentional overstatement of revenues has a direct effect upon the existence assertion for receivables and the occurrence assertion for revenues. Therefore, even when you identify financial statement level risks, consider whether they might affect assertion level risks as well. 

Your Files

Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting risks at the assertion level. The payoff: potentially less time performing substantive procedures, but, at a minimum, you are auditing in conformity with professional standards. 

Five Books for CPAs to Read in 2021

By Charles Hall | Accounting and Auditing

Are you looking for books to read in 2021? Here are five suggestions. Each will make you a better CPA—and person.

Digital Minimalism – Want to stop wasting time on Facebook, Twitter, LinkedIn and other social media platforms? Read this book. Full of helpful tips to help you regain your life.

Ultralearning – This book provides practical steps to increase your ability to learn new skills and rapidly gain knowledge. Lifetime learning is a necessary skill for CPAs.

The Bullet Journal Method – Bullet journaling is a blend of planning, journaling and project management. I have read dozens of time management books, and this is the best. All you need is a blank notebook, and you can plan your days, weeks, months and years. Of my five suggested books, this is the one that has helped me most. 

The Coaching Habit – Do you want to make your employees better? Do so with questions, not answers. This short read is chock full of simple but effective questions to ask those you work with. It will make you wise (or at least, wiser). 

Essentialism – Are you trying to master too many things? So many that you aren’t effective in any. Greg McKeown’s book will help you focus on the important and forget the rest. This is a classic.

Enterprise Risk Management: Empowering Your Clients

By Harry Hall | Accounting and Auditing

Today’s article comes from my twin brother, Harry Hall. He is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).

Many organizations do not have an enterprise risk management (ERM) program. Therefore, these entities lack the policies and procedures to manage enterprise risks (i.e., threats and opportunities) and achieve their objectives. In this article, we’ll look at how CPAs can suggest an ERM program to their clients.

Imagine that you’ve completed an audit of an organization. One way you can help your client is to provide a management letter that provides ideas to make the organization better. And one of the suggestions you can make is for them to implement an ERM program, or you can provide ways to improve the existing program. (Of course, as the auditor, you can’t make management decisions, but you can make suggestions.)

Think about it. Has one of your clients encountered a surprise event or condition in the last few years? Imagine if the client had identified and managed the risk better. That single failure may have caused your client to miss their annual objectives, resulting in weaker financial and operating positions. It’s even possible they no longer exist.

A sound ERM program can improve–and even save–your client.

What is ERM?

First, let’s define ERM. It is a program whereby an organization identifies and manages all of its risks in order to achieve its objectives. 

How does ERM differ from traditional risk management? Well, traditional risk management focuses on pure risks. These are risks where there is the possibility of loss or no loss, but no chance of gain. Hazard or insurable risks are pure risks. 

ERM includes pure risks, but also includes speculative risks. Speculative risks are risks where there is a chance of loss, no loss, or gain. So, speculative risks have the potential for gain. Examples of speculative risks include financial risks, strategic risks, and some operational risks.

So, let’s see how ERM helps businesses.

Four Benefits of ERM

There are several ways that an organization may benefit from ERM. The benefits include, but are not limited to, the following:

First, an ERM Champion can help their organization implement strategic risk management, a component of ERM. Here, we can clarify enterprise objectives and improve strategic planning, analysis, and alignment.

Second, ERM helps organizations identify risks between departments. Many departments live in siloes. And most people think solely about their department’s risk. But the actions taken by one department may impact other parts of the organization.

Third, ERM can boost collaboration. As risk owners from different departments focus on enterprise objectives together, these individuals begin to better understand other departmental processes. And these can be analyzed and improved to realize greater enterprise benefits.

Fourth, organizations with ERM programs are in a better position to meet the demands from external parties such as investors, rating agencies, and regulators.

To make this work, your client needs to leverage an ERM framework.

ERM Framework

ERM programs include risk management processes that are used throughout the enterprise. Some organizations use a framework like COSO or the ISO 31000. Others develop their own framework. In general, here are the ERM processes, regardless of the framework.

1. Plan risk management. Define an ERM policy that guides the behavior of individuals in the organization. The ERM policy includes elements such as the risk governance structure, risk categories, ERM methodology, roles and responsibilities, risk appetite, risk tolerance, risk limits, ERM activities, ERM reports, and a glossary. This policy should be reviewed and updated each year. And the Board should approve the revisions.
2. Identify risks. Determine the risk identification tools and techniques that will be used. For example, these could include brainstorming, interviews, checklists, and cause-and-effect diagrams.
3. Evaluate risks. Once risks are identified, ERM stakeholders should assess the risks. Risk owners may perform qualitative and quantitative risk assessments. The risk assessments result in a prioritized risk list. The benefit: you know which risks matter most.
4. Respond to risks. Next, risk owners develop and implement risk response plans to lessen these risks.
5. Monitor risks. Of course, risks change over time. Threats and opportunities may (and probably will) increase or decrease. Therefore, client’s must monitor risks. Are the risks managed according to the risk appetite and risk tolerance? Are the ERM processes providing value? Are the processes economical and efficient?

As a CPA, have you ever wondered how ERM and Internal Audit differ?

ERM vs. Internal Audit

Organizations may have an ERM department or group led by an ERM Champion or Chief Risk Officer (CRO). This group facilitates the development of an ERM policy, trains employees on ERM processes, and facilitates periodic risk reviews. 

Internal Audit ensures that the risk controls are working as designed within the organization and makes recommendations for improvement where there are internal control deficiencies. (Traditionally, internal auditors have focused on accounting processes. Their role is expanding into other areas such as ERM.)

So, how does ERM and Internal Audit work together? First, the ERM Champion engages Internal Audit when developing the ERM policy. Second, Internal Audit uses the ERM risk register as input into the annual audit plan. Think about it – wouldn’t it be great to see the most significant enterprise threats and opportunities as Internal Audit develops the audit plan? Third, Internal Audit inspects the ERM processes, in addition to other organizational processes, to ensure they are efficient and economical.

Audit Management Letter Suggestion: ERM Program

In your next audit, think about the risk management practices in the organization.  

Does your client have a written ERM policy? Are the risk processes being performed consistently throughout the enterprise? How are risks being identified and assessed? Does the enterprise risk register include financial risks, strategic risks, operational risks, and other risks? Has the risk appetite and risk tolerance been defined and communicated to the Board, management, and risk owners?

At the conclusion of your audit, consider including ERM recommendations in your management letter. Doing so might save your client a great deal of pain–and you’ll add value to your audit.

Harry Hall

Guest Author

Harry Hall, the Project Risk Coach, is a speaker, teacher, author, and blogger. He has implemented project management offices (PMOs) and enterprise risk management (ERM) programs in the financial, healthcare, and agricultural industries. Harry is a graduate of the University of Georgia and is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).

A List of Online Resources for CPAs

By Charles Hall | Accounting and Auditing

Are you looking for free online resources for CPAs? You’ve come to the right place.

Here’s a list of online resources that I commonly use:

• AICPA Technical Hotline
• AICPA Plain English Guide to Independence
• AICPA Developing a System of Quality Control
• AICPA Code of Ethics
• AICPA Illustrative Yellow Book Reports
• AICPA Illustrative Single Audit Reports
• AICPA Illustrative Compilation Reports
• AICPA Illustrative Accountant’s Review Reports
• AICPA Journal of Accountancy
• AICPA SASs (audit standards)
• AICPA SSARS (compilation and review standards)
• LinkedIn Governmental Not-For-Profit Group
• LinkedIn Sole Practitioners and CPA Small Firms Group
• Best Accounting Software (List of accounting new sites, associations, organizations)
• Nonprofit Update Blog
• FASB Codification
• GASB Pronouncements
• 2020 Report to the Nations (Fraud Resource)
• COSO Internal Control (Executive Summary)
• 2020 OMB Compliance Supplement
• OMB Uniform Guidance
• 2011 Version of Yellow Book
• 2018 Version of Yellow Book

Your Online References

What other online resources do you use as a CPA? Leave a comment.

Seven Excuses for Unnecessary Audit Work Papers

By Charles Hall | Auditing

Unnecessary audit work papers create clutter and potential legal problems.

I see two problems in most work paper files:

(1) Too much documentation, and
(2) Too little documentation

I have written an article titled: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I’ve already addressed the too little documentation issue, I’ll now speak to the other problem: too much documentation.

Unnecessary Audit Work Papers

Over the last thirty-five years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are a seven answers I’ve received.

1. It was there last year.

But is it relevant this year? Resist the temptation to mindlessly bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

Inexperienced auditors tend to put everything given to them in the file. Some auditors believe “if the client gave it to me, it must be important.” But this is not necessarily true. Every work paper needs a purpose.

3. I may need it next year.

Then save it for next year—somewhere other than in the current file. If the information does not provide current year engagement evidence, then it does not belong in the file.

Consider creating a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: Next year’s work papers. Then move this section to next year’s file as you close the engagement.

4. I might need it this year.

Before going paperless (back in the prehistoric days when we moved work papers with hand trucks ), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled Recycle Bin that sits at the bottom of my file. If I receive information that is not relevant to the current year (but there is a chance I will need it), I move it to the recycle bin, and when I am wrapping up the engagement, I dispose of the folder.

5. It’s an earlier version of a work paper.

Move earlier versions of work papers to your recycle bin—or delete them.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attest work – e.g., deferred taxes).

7. We always do this.

But why is it being done this year? Maybe a fraud was missed ten years ago and the partner said, from now on we will…

Are these procedures still relevant?

The test of details, substantive analytics, and test of controls should be in response to the current year audit risk assessment and planning.

Reducing Legal Exposure

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide ammunition to an opposing attorney: “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

What are your thoughts about removing unnecessary audit work papers?