Relevant Assertions in Financial Statement Audits
In this article, I address audit assertions and why they are critical to the audit process. We’ll look at assertion examples and how to you can leverage these in your audit plan. Do you desire to stop over auditing? Then read on.
All businesses make assertions in their financial statements. For example, when a financial statement has a cash balance of $605,432, the business asserts that the cash exists. When the allowance for uncollectibles is $234,100, the entity asserts that the amount is properly valued. And when payables are shown at $58,980, the company asserts that the liability is complete.
Reporting Frameworks
Of course assertions derive their meaning from the reporting framework. So before you consider assertions, make sure you know what the reporting framework is and the requirements therein. For example, the occurrence of $4 million in revenue means one thing under GAAP and quite another under the cash basis of accounting.
What is a Relevant Assertion?
For an auditor, relevant assertions are those where a risk of material misstatement is reasonably possible. So, magnitude (is the risk related to a material amount?) and likelihood (is it reasonably possible?) are both considered.
For cash, maybe you believe it could be stolen, so you are concerned about existence. Is the cash really there? Or with payables, you know the client has historically not recorded all invoices, so the recorded amount might not be complete. And the pension disclosure is possibly so complicated that you believe it may not be accurate. If you believe the risk of material misstatement is reasonably possible for these areas, then the assertions are relevant.
Some auditors refer to auditing by assertions as an assertions audit. Regardless of the name, we need to know what the typical assertions are.
Audit Assertions
Assertions include:
- Existence or occurrence (E/O)
- Completeness (C)
- Accuracy, valuation, or allocation (A/V)
- Rights and obligations (R/O)
- Presentation, disclosure, and understandability (P/D)
- Cutoff (CU)
Not all auditors use the same assertions. In other words, they might use assertions different from those listed above, or the auditor could list each assertion separately. Regardless, auditors need to make sure they address all possible areas of misstatement.
Assertions as Scoping Tool
Think of assertions as a scoping tool that allows you to focus on the important. Not all assertions are relevant to all account balances or to all disclosures. Usually, one or more assertions are relevant to an account balance, but not all. For example, existence, rights, and cutoff might be relevant to cash, but not valuation (provided there is no foreign currency) or understandability. For the latter two, a reasonable possibility of material misstatement is not present.
As you consider the significant account balances, transaction areas, and disclosures, specify the relevant assertions. Why? So you can determine the risk of material misstatement for each and create responses. Hereโs an example for accounts payable and expenses.
Assertion | Inherent Risk | Control Risk | Risk of Material Misstatement | Response |
E/O | Moderate | High | Moderate | Perform substantive analytics comparing expenses to budget and prior year |
C | High | High | High | Perform search for unrecorded liabilities |
CU | Moderate | High | Moderate | Substantive analytical comparison of the payable balance |
Inherent Risk Support
Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for completeness (client has not fully recorded payables in prior years). Occurrence and cutoff have not been a problem areas in past years.
Inherent Risk as the Driver
Risk of material misstatement is the result of inherent risk and control risk. Auditors often assess control risk at high because they donโt plan to test for control effectiveness. If control risk is assessed at high, then inherent risk becomes the driver of the risk of material misstatement. In the table above, the auditor believes there is a reasonable possibility that a material misstatement might occur for occurrence, completeness, and cutoff. So responses are planned for each.
Fraud risks and subjective estimates can be (and usually are) assessed at the upper end of the spectrum of inherent risk. They are, therefore, significant risks. When a significant risk is present, the auditor should perform procedures beyond his or her normal approach. As we previously said, when the clientโs risk increases, the level of testing increases.
Significant Risk
The payables/expenses assessment below incorporates an additional response due to a significant risk, the risk that fictitious vendors might exist.
Assertion | Inherent Risk | Control Risk | Risk of Material Misstatement | Response |
E/O | High | High | High | Perform substantive analytics comparing expenses to budget and prior year; Perform fictitious vendor test |
C | High | High | High | Perform search for unrecorded liabilities |
CU | Moderate | High | Moderate | Substantive analytical comparison of the payable balance |
Inherent Risk Support
Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. The company suffered a fictitious vendor fraud during the year, so the occurrence assertion has uncertainty. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for occurrence (significant risk) and completeness. Cutoff has not been a problem in past years.
Significant Risk Example
In auditing expenses, the auditor knows that a risk of fictitious vendors exists. In this scheme the payables clerk adds and makes payments to a nonexistent vendor. Additionally, the payments are usually supported with fake invoices. What is the result? Yes, additional expenses. Those fraudulent payments appear as expenses in the income statement. So the occurrence assertion is suspect.
If the auditor believes the risk of fictitious vendors is at the upper end of the inherent risk spectrum, then a significant risk is present in relation to the occurrence assertion. And such a risk deserves a fraud detection procedure. In this example, the auditor responds by adding a substantive test for detection of fictitious vendors. More risk, more work.
Additionally, notice the inherent risk for occurrence is assessed at high. Why? Because itโs at the upper end of the inherent risk spectrum. A significant risk is, by definition, a high inherent risk, never low or moderate.
As you can tell, I am suggesting that risk be assessed at the assertion level. But is it ever acceptable to assess risk at the transaction level?
Assessing Risk at the Transaction Level
Is it okay to assess audit risk in the following manner?
Assertion | Inherent Risk | Control Risk | Risk of Material Misstatement |
E/O; CU; R/O; A/V; P/D | High | High | High |
Yes, but if all assertions are assessed at high, then a response is necessary for each.
Those who assess risk at the transaction level think they are saving time. But is this a more efficient approach? Or might it be more economical to do so at the assertion level?
Assess the Risk of Material Misstatement at the Assertion Level
If the goal of assessing risk is to quickly complete a risk assessment document (and nothing else), then assessing risk at the transaction level makes sense. But the purpose of risk assessment is to provide planning direction. Therefore, we need to know the risk of material misstatement at the assertion level.
Why? Letโs answer that question with an accounts payable example.
Accounts Payable Risk Assessment Example
Suppose the auditor assesses risk at the transaction level, assessing all accounts payable assertions at high. What does this mean? It means the auditor should perform substantive procedures to respond to the high-risk assessments for each assertion. Why? The risk assessment for valuation, existence, rights and obligations, completeness, and all other assertions are high. Logically, the substantive procedures must now address all of these (high) risks.
Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor plans and performs a search for unrecorded liabilities. Additionally, he may not, for example, perform existence-related procedures such as sending vendor confirmations. The lower risk assertions require less work. So knowing the risk of material misstatement at the assertion level is critical.
Do you see the advantage? Rather than using an inefficient approachโletโs audit everythingโthe auditor pinpoints audit procedures.
Once assertions are assessed, itโs time to link them to further audit procedures.
Linkage with Further Audit Procedures
As a peer reviewer, firms say to me, โI know I over-audit, but I donโt know how to lessen my work.โ And then they say, โHow can I reduce my time without reducing quality?โ
Hereโs my answer: Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailorโyes, change the audit programโto address the risks. Perform substantive procedures or a test of controls for effectiveness related to the identified risk areasโand slap yourself every time you even think about same as last year. (Your substantive procedures can be a test of details or substantive analytics.)
And what are the benefits of assessing risk at the assertion level?
- Efficient work
- Higher profits
- Conformity with standards
You may be wondering if financial statement level risk can affect assertion level assessments. Let’s see.
Risks at the Financial Statement Level
Financial statements have financial statement level risks such as management override or the intentional overstatement of revenues. These sometimes affect assertion level risk. For example, the intentional overstatement of revenues has a direct effect upon the existence assertion for receivables and the occurrence assertion for revenues. Therefore, even when you identify financial statement level risks, consider whether they might affect assertion level risks as well.
Now let’s talk about homework based on this article. Let’s make this useful.
Your Audit Assertion Documentation
Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting your risks at the assertion levelโand possibly less time performing further audit procedures.
Learn from my CPA Hall Talk newsletter!
Get my free accounting and auditing digest with the latest content.
Itโs fine to assess control risk below high as long as the controls are tested and found to be effective. Without the test of controls, there is no real support for the lower control risk assessment. Thatโs why many auditors assess control risk at high: they donโt desire to test controls for effectiveness. I think either is fine: (1) test controls and bring control risk below high, or (2) assess control risk at high and use a substantive approach.
Is it so, that the smaller the entity is, the other IC components than control activities, are the drivers in the assessment of the inherent risk. Good tone at the top, good accounting systems and processes, โgood peopleโ etc, as there are no formal controls.
But still, assessing CR as High is confusing because this is what it is in ALL small entities. Possible deficiensies in IC are already taken in account in the assessment of the inherent risk, the risk of RoMM. – โThe CR High is not in the game?โ
๐
Yes, usually the smaller the entity is, the harder it is to create good controls. Good systems have lots of eyes on the processes.
Thanks for the comment. I think that very few controls are ready for testing in a small entity (here in Finland v e r y small).
Lasse, auditors have the option to test controls if they are designed appropriately and they are in use. And the test of controls is required if control risk is assessed at less than high. Sometimes itโs quicker to use substantive procedures (and leave control risk at high) than to test controls for effectiveness. Other times it is not. So itโs a judgment call as to which is more economical. The decision about whether a substantive approach or a test of controls is purely about which takes less time. Overauditing can occur with a substantive approach, a test of controls approach or a mix of the two. Finding the right balance is all about determining where the risk are and responding appropriately, whether substantively or with a test of controls. Thanks for your comment.
Control risk is actually always high in audits of SMPs. Is CR to be regarded as some sort of a โbackground noiseโ?
Is it โfairโ, that in spite of good components of internal controls at the entity level, good design and implementation of control activities at the transaction level – the CR is still high? Just because there is no testing of those control activities – in a small entity? Isnโt the result then over-auditing?
Andy, sorry, but I donโt know if Engage will do that or not. Weโre using another audit product. But your thought process makes sense. Then you could, in your example, just test E/O and nothing elseโthe way it should be.
KT, thanks. Interesting that you are testing controls. You must have good clients! Good controls makes testing them a possibility. I think, in the future, youโll see more and more auditors testing controls because of automation.
Wow. Thanks, Ed. I appreciate the kind words. ๐
The best explanation of the topic that I’ve ever seen!
Thank you Charles
Thank you Charles for this article! Spend quite a bit of time on the risk assessment – especially the inherent risk area – typically most of my clients do have controls and I perform controls testing but assessing the inherent risk is very important and can change the testing even with controls testing.
Do you know if Checkpoint Engage will modify audit procedures in their standard audit program based upon the risk assessment for each assertion for an audit area? For example, if E/O is high, but all of the others are low for an audit area, will the standard audit program focus on the E/O assertion and not the others?