Relevant Assertions in Financial Statement Audits

By Charles Hall | Auditing

Mar 07

In this article, I address audit assertions and why they are critical to the audit process. We'll look at assertion examples and how to you can leverage these in your audit plan. Do you desire to stop over auditing? Then read on. 

All businesses make assertions in their financial statements. For example, when a financial statement has a cash balance of $605,432, the business asserts that the cash exists. When the allowance for uncollectibles is $234,100, the entity asserts that the amount is properly valued. And when payables are shown at $58,980, the company asserts that the liability is complete

audit assertions

Reporting Frameworks

Of course assertions derive their meaning from the reporting framework. So before you consider assertions, make sure you know what the reporting framework is and the requirements therein. For example, the occurrence of $4 million in revenue means one thing under GAAP and quite another under the cash basis of accounting

What is a Relevant Assertion?

For an auditor, relevant assertions are those where a risk of material misstatement is reasonably possible. So, magnitude (is the risk related to a material amount?) and likelihood (is it reasonably possible?) are both considered. 

For cash, maybe you believe it could be stolen, so you are concerned about existence. Is the cash really there? Or with payables, you know the client has historically not recorded all invoices, so the recorded amount might not be complete. And the pension disclosure is possibly so complicated that you believe it may not be accurate. If you believe the risk of material misstatement is reasonably possible for these areas, then the assertions are relevant. 

Some auditors refer to auditing by assertions as an assertions audit. Regardless of the name, we need to know what the typical assertions are. 

Audit Assertions

Assertions include:

  • Existence or occurrence (E/O)
  • Completeness (C)
  • Accuracy, valuation, or allocation (A/V)
  • Rights and obligations (R/O)
  • Presentation, disclosure, and understandability (P/D)
  • Cutoff (CU)

Not all auditors use the same assertions. In other words, they might use assertions different from those listed above, or the auditor could list each assertion separately. Regardless, auditors need to make sure they address all possible areas of misstatement. 

Assertions as Scoping Tool

Think of assertions as a scoping tool that allows you to focus on the important. Not all assertions are relevant to all account balances or to all disclosures. Usually, one or more assertions are relevant to an account balance, but not all. For example, existence, rights, and cutoff might be relevant to cash, but not valuation (provided there is no foreign currency) or understandability. For the latter two, a reasonable possibility of material misstatement is not present.

As you consider the significant account balances, transaction areas, and disclosures, specify the relevant assertions. Why? So you can determine the risk of material misstatement for each and create responses. Here’s an example for accounts payable and expenses. 

AssertionInherent RiskControl RiskRisk of Material MisstatementResponse
E/OModerateHighModeratePerform substantive analytics comparing expenses to budget and prior year
CHighHighHighPerform search for unrecorded liabilities
CUModerate HighModerateSubstantive analytical comparison of the payable balance

Inherent Risk Support

Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for completeness (client has not fully recorded payables in prior years). Occurrence and cutoff have not been a problem areas in past years.

Inherent Risk as the Driver

Risk of material misstatement is the result of inherent risk and control risk. Auditors often assess control risk at high because they don’t plan to test for control effectiveness. If control risk is assessed at high, then inherent risk becomes the driver of the risk of material misstatement. In the table above, the auditor believes there is a reasonable possibility that a material misstatement might occur for occurrence, completeness, and cutoff. So responses are planned for each. 

Fraud risks and subjective estimates can be (and usually are) assessed at the upper end of the spectrum of inherent risk. They are, therefore, significant risks. When a significant risk is present, the auditor should perform procedures beyond his or her normal approach. As we previously said, when the client’s risk increases, the level of testing increases. 

Significant Risk 

The payables/expenses assessment below incorporates an additional response due to a significant risk, the risk that fictitious vendors might exist.

AssertionInherent RiskControl RiskRisk of Material MisstatementResponse
E/OHighHighHighPerform substantive analytics comparing expenses to budget and prior year; Perform fictitious vendor test
CHighHighHighPerform search for unrecorded liabilities
CUModerate HighModerateSubstantive analytical comparison of the payable balance

Inherent Risk Support

Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. The company suffered a fictitious vendor fraud during the year, so the occurrence assertion has uncertainty. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for occurrence (significant risk) and completeness. Cutoff has not been a problem in past years. 

Significant Risk Example

In auditing expenses, the auditor knows that a risk of fictitious vendors exists. In this scheme the payables clerk adds and makes payments to a nonexistent vendor. Additionally, the payments are usually supported with fake invoices. What is the result? Yes, additional expenses. Those fraudulent payments appear as expenses in the income statement. So the occurrence assertion is suspect. 

If the auditor believes the risk of fictitious vendors is at the upper end of the inherent risk spectrum, then a significant risk is present in relation to the occurrence assertion. And such a risk deserves a fraud detection procedure. In this example, the auditor responds by adding a substantive test for detection of fictitious vendors. More risk, more work.  

Additionally, notice the inherent risk for occurrence is assessed at high. Why? Because it’s at the upper end of the inherent risk spectrum. A significant risk is, by definition, a high inherent risk, never low or moderate.

As you can tell, I am suggesting that risk be assessed at the assertion level. But is it ever acceptable to assess risk at the transaction level

Assessing Risk at the Transaction Level

Is it okay to assess audit risk in the following manner?

AssertionInherent RiskControl RiskRisk of Material Misstatement
E/O; CU; R/O; A/V; P/DHighHighHigh

Yes, but if all assertions are assessed at high, then a response is necessary for each. 

Those who assess risk at the transaction level think they are saving time. But is this a more efficient approach? Or might it be more economical to do so at the assertion level?

Assess the Risk of Material Misstatement at the Assertion Level

If the goal of assessing risk is to quickly complete a risk assessment document (and nothing else), then assessing risk at the transaction level makes sense. But the purpose of risk assessment is to provide planning direction. Therefore, we need to know the risk of material misstatement at the assertion level. 

Why? Let’s answer that question with an accounts payable example. 

Accounts Payable Risk Assessment Example

Suppose the auditor assesses risk at the transaction level, assessing all accounts payable assertions at high. What does this mean? It means the auditor should perform substantive procedures to respond to the high-risk assessments for each assertion. Why? The risk assessment for valuation, existence, rights and obligations, completeness, and all other assertions are high. Logically, the substantive procedures must now address all of these (high) risks.

Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor plans and performs a search for unrecorded liabilities. Additionally, he may not, for example, perform existence-related procedures such as sending vendor confirmations. The lower risk assertions require less work. So knowing the risk of material misstatement at the assertion level is critical. 

Do you see the advantage? Rather than using an inefficient approach—let’s audit everything—the auditor pinpoints audit procedures. 

Once assertions are assessed, it’s time to link them to further audit procedures.

Linkage with Further Audit Procedures

As a peer reviewer, firms say to me, “I know I over-audit, but I don’t know how to lessen my work.” And then they say, “How can I reduce my time without reducing quality?” 

Here’s my answer: Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailor—yes, change the audit program—to address the risks. Perform substantive procedures or a test of controls for effectiveness related to the identified risk areas—and slap yourself every time you even think about same as last year. (Your substantive procedures can be a test of details or substantive analytics.)

And what are the benefits of assessing risk at the assertion level?

  • Efficient work
  • Higher profits 
  • Conformity with standards

You may be wondering if financial statement level risk can affect assertion level assessments. Let's see. 

Risks at the Financial Statement Level

Financial statements have financial statement level risks such as management override or the intentional overstatement of revenues. These sometimes affect assertion level risk. For example, the intentional overstatement of revenues has a direct effect upon the existence assertion for receivables and the occurrence assertion for revenues. Therefore, even when you identify financial statement level risks, consider whether they might affect assertion level risks as well. 

Now let's talk about homework based on this article. Let's make this useful. 

Your Audit Assertion Documentation

Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting your risks at the assertion level—and possibly less time performing further audit procedures.

Follow

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.

  • Charles Hall says:

    It’s fine to assess control risk below high as long as the controls are tested and found to be effective. Without the test of controls, there is no real support for the lower control risk assessment. That’s why many auditors assess control risk at high: they don’t desire to test controls for effectiveness. I think either is fine: (1) test controls and bring control risk below high, or (2) assess control risk at high and use a substantive approach.

  • Lasse Akerblad says:

    Is it so, that the smaller the entity is, the other IC components than control activities, are the drivers in the assessment of the inherent risk. Good tone at the top, good accounting systems and processes, ”good people” etc, as there are no formal controls.

    But still, assessing CR as High is confusing because this is what it is in ALL small entities. Possible deficiensies in IC are already taken in account in the assessment of the inherent risk, the risk of RoMM. – ”The CR High is not in the game?”

  • Lasse Akerblad says:

    👍

  • Charles Hall says:

    Yes, usually the smaller the entity is, the harder it is to create good controls. Good systems have lots of eyes on the processes.

  • Lasse Akerblad says:

    Thanks for the comment. I think that very few controls are ready for testing in a small entity (here in Finland v e r y small).

  • Charles Hall says:

    Lasse, auditors have the option to test controls if they are designed appropriately and they are in use. And the test of controls is required if control risk is assessed at less than high. Sometimes it’s quicker to use substantive procedures (and leave control risk at high) than to test controls for effectiveness. Other times it is not. So it’s a judgment call as to which is more economical. The decision about whether a substantive approach or a test of controls is purely about which takes less time. Overauditing can occur with a substantive approach, a test of controls approach or a mix of the two. Finding the right balance is all about determining where the risk are and responding appropriately, whether substantively or with a test of controls. Thanks for your comment.

  • Lasse Akerblad says:

    Control risk is actually always high in audits of SMPs. Is CR to be regarded as some sort of a ”background noise”?

    Is it ”fair”, that in spite of good components of internal controls at the entity level, good design and implementation of control activities at the transaction level – the CR is still high? Just because there is no testing of those control activities – in a small entity? Isn’t the result then over-auditing?

  • Charles Hall says:

    Andy, sorry, but I don’t know if Engage will do that or not. We’re using another audit product. But your thought process makes sense. Then you could, in your example, just test E/O and nothing else—the way it should be.

  • Charles Hall says:

    KT, thanks. Interesting that you are testing controls. You must have good clients! Good controls makes testing them a possibility. I think, in the future, you’ll see more and more auditors testing controls because of automation.

  • Charles Hall says:

    Wow. Thanks, Ed. I appreciate the kind words. 🙂

  • Ed says:

    The best explanation of the topic that I’ve ever seen!
    Thank you Charles

  • KT says:

    Thank you Charles for this article! Spend quite a bit of time on the risk assessment – especially the inherent risk area – typically most of my clients do have controls and I perform controls testing but assessing the inherent risk is very important and can change the testing even with controls testing.

  • Andy says:

    Do you know if Checkpoint Engage will modify audit procedures in their standard audit program based upon the risk assessment for each assertion for an audit area? For example, if E/O is high, but all of the others are low for an audit area, will the standard audit program focus on the E/O assertion and not the others?

  • >
    Tweet
    Share
    Share
    Flip
    Email