Should Auditors Assess the Risk of Material Misstatement at the Assertion Level?

Should auditors assess the risk of material misstatement at the assertion level? Or is it better assess risk at the transaction level (for all assertions at once)? Those who assess at the transaction level think they are saving time. But is it more efficient to assess the risk of material misstatement at the transaction level—or might it be more economical to do so at the assertion level?

Picture from AdobeStock.com

Why Assess the Risk of Material Misstatement at the Assertion Level?

If the goal of assessing risk is to quickly create a risk assessment document (and nothing else), then assessing risk at the transaction level makes sense. But we know the purpose of the risk assessment document is to design responsive audit procedures. Consequently, assessing risk at the assertion level is wiser. 

Why? Let’s answer that question with an accounts payable example. 

Accounts Payable Risk Assessment Example

Suppose the auditor assesses risk at the transaction level, assessing all accounts payable assertions as high risk. What does this mean? It means the auditor should perform rigorous substantive procedures to respond to the high-risk assessments for each assertion. Why? His risk assessment for valuation, existence, rights and obligations, completeness, and all other assertions are high. Logically, his substantive procedures must now address all of those (high) risks.

Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor will create substantive procedures that respond to the risk that payables are not complete such as conducting a search for unrecorded liabilities. Additionally, he may not perform existence-related procedures such as sending vendor confirmations. 

Do you see the advantage? Rather than using a scattered approach—let’s audit everything—the auditor pinpoints his audit procedures.

Planners or Doers

Some auditors are planners. Some are doers. 

The planners like to perform risk assessment procedures—such as reviewing internal controls.

But those focused on doing say, “Let’s get on with it.” Many such auditors focus on a balance sheet audit approach. 

If I, on the first day of the audit, immediately perform basic procedures such as reviewing year-end bank reconciliations or sending receivable confirmations, then I am a doer. The audit standards do not smile upon me. Those standards call for the following:

1. Perform risk assessment procedures
2. Assess risks of material misstatement
3. Create an audit plan
4. Perform the audit plan
5. Consider whether the initial risk assessment and audit plan is appropriate (if not amend them)

Many auditors start with step 4. Why? Because we think we already know what the risks are. Or worse yet, we are just doing the same as last year without considering risks.

Linkage with Further Audit Procedures

So why do auditors assess risk at the transaction level and not the assertion level? Sometimes, it’s because we plan to do the same as last year without considering risks. Such thinking is dangerous and not in the spirit of the audit standards—and it costs you money!

Picture from AdobeStock.com

As I perform peer reviews, firms say to me, “I know I over-audit, but I’m not sure how to lessen what I do.” And then they say, “How can I reduce my time and still perform a quality audit?” 

Here’s my answer: “Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailor—yes, change the audit program—to address the risks. Perform substantive procedures related to the identified risk areas—and slap yourself every time you even think about same as last year. Trust your judgment.”

And what are the benefits of assessing risk at the assertion level?

• Think more and work less
• Make higher profits
• Audit in conformity with standards
• Peer reviewers will like it

Your Files

Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting your risks at the assertion level–and less time performing your back-of-file (substantive) work.