Peer reviews find that many CPA firms don't identify significant risks in audits, and that's a problem. Why? Because they are the seedbed of many material misstatements. And when material misstatements are not identified, audit failure often occurs.
Below, I will tell you how to identify, assess, and respond to significant risks.
I also explain the new requirement to communicate significant risks to those charged with governance.
Defining Significant Risk
The Auditing Standards Board previously defined significant risks as those deserving special audit consideration. They've amended this definition in SAS 145 to focus on the inherent risk characteristics rather than the response.
For example, a highly complex receivable allowance is inherently risky because it's subjective and complicated. Yes, we will give it special audit consideration. But it's a significant risk because of its nature (subjective and complex), not because of our response (re-computing the estimate and comparing it with prior periods, for example).
How Many Significant Risks?
At least one significant risk exists in most audits, and frequently there are more. The number depends on the entity, its environment, the types of services it provides or goods it sells, the complexity of its accounts, the subjectivity of determining balances, the susceptibility of accounts to bias or fraud, and the level of change.
Defined in SAS 145
SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement, defines significant risk in terms of likelihood and magnitude. The threat must be likely, and the result must be material. (See my SAS 145 article.)
The audit standard defines the risk as one close to the upper end of the spectrum of inherent risk without regard for controls. In other words, we consider the inherent risk factors, and we disregard internal controls as we identify these risks.
Align Inherent Risk with Significant Risk
Notice that significant risks are based solely upon inherent risk. So don’t make the mistake of identifying such a risk and then assessing inherent risk below high. After all, the definition says close to the upper end of the spectrum of inherent risk.
Suppose, for example, you identify a significant risk for the allowance for uncollectible receivables, an estimate, due to concerns about the valuation assertion (because it's complex and subjective; see inherent risk factors below). Then the inherent risk for the valuation assertion must be high (or max).
It's useful to think of inherent risk on a scale of 1 to 10, with 10 being high risk. If you believe the inherent risk is a 9 or a 10 (close to the upper end of the spectrum of inherent risk), then a significant risk is present. Though auditors commonly use low, moderate, high to measure inherent risk, the audit standards don't specify how this is to be done. I'm not saying don't use low, moderate, high, only that thinking of inherent risks on a scale of 1 to 10 helps me evaluate risk and determine whether a significant risk is present.
Inherent Risk Factors
And what are the inherent risk factors?
- Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)
Two Questions to Consider
So the auditor reviews an assertion and asks, "In light of these risk factors, what is the probability of misstatement without regard for controls?" The auditor also asks, "Would a material misstatement occur?" So we consider two things:
- Is it highly likely that a misstatement will occur for the assertion (without regard for controls)?
- Will the misstatement be material?
If both answers are yes, it's a significant risk.
Responses to Significant Risks
Peer reviews find that auditors sometimes identify these risks but plan inadequate responses. If the risk is significant, then a strong response is necessary.
For example, if inventory obsolescence is an issue, the auditor should plan procedures to identify the impaired items and test for appropriate valuation. You may need a specialist in such a situation. So, what would be an inadequate response? Performing basic inventory procedures. Additional procedures, sometimes referred to as extended steps, are necessary to address the inventory valuation assertion.
As you plan the additional audit procedures, link them from the identified risk (usually on your summary risk assessment form) to your responses (usually on your audit program). In the inventory example, you would link the risk for the valuation assertion to the inventory audit steps (the extended steps to identify and value the impaired items).
You must also communicate these risks to those charged with governance.
Communicating Significant Risks
Communicate the significant risks to those charged with governance as you implement SAS 134, Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements (required for December 31, 2021 year-end engagements and after).
(See my SAS 134 article to understand the types of audit opinions.)
Present guidance states that significant risks are those that deserve special audit consideration, so you'll use that definition until SAS 145 is implemented. (Even so, SAS 145 will help you understand these risks now.)
How to Communicate
You can communicate significant risks in one of three ways:
- Engagement letter
- Planning letter to those charged with governance
- Verbally to the board with documentation of that communication in the audit file; this could be a separate Word document that says who you talked with, when, and the significant risk areas communicated.
The Communication Change
SAS 134 amended AU-C 260.11 (AU-C 260 The Auditor's Communication with Those Charged with Governance) as follows (amended language is underlined):
The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor.
Sample Significant Risk Language
Here's an example of the language to be used in any of the three options above:
The anticipated significant risk areas in the audit are:
- the allowance for uncollectibles
- the pension liability and disclosure.
Aligning the Communication with Workpapers
The significant risk areas communicated to the board during planning should align with those identified in your workpapers. You could, however, not know all of the risk areas when you create your initial communication. It's even possible you might not identify one of these risks until you are well into the engagement. So the initial significant risk communication and the identified risks in the audit file could be different. You can communicate any additional risks in your final communication to those charged with governance.
Why are we making this communication to the board? Well, the board governs the entity, so they need to be aware of areas with a higher risk of potential misstatements.
The explanatory information that accompanies AU-C 260 (specifically .A21) states you may include in the governance communication how you (as the auditor) are going to address the significant risks, but this is optional.
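The three alignment rules above (a significant risk carries a high inherent risk assessment, links to extended audit-program steps, and appears in the governance communication) are easy to check mechanically across a summary risk assessment form. Here is an added example of such a check; it is not from the article or any audit software, and the data structures, step ids, and sample engagement data are hypothetical. The 9-or-10 threshold is the author's 1-to-10 scale from earlier in the post.

```python
"""Workpaper alignment checks for significant risks (added example, hypothetical data).

Rules implemented, as stated in the article:
  1. A significant risk must have inherent risk assessed at 9 or 10 (close to
     the upper end of the spectrum of inherent risk).
  2. A significant risk must be linked from the summary risk assessment form
     to extended steps on the audit program.
  3. A significant risk must appear in the communication to those charged
     with governance.
"""
from dataclasses import dataclass, field


@dataclass
class AssessedRisk:
    account: str
    assertion: str
    likely: bool            # "Is a misstatement highly likely, without regard for controls?"
    material: bool          # "Would the misstatement be material?"
    inherent_risk: int      # 1 (low) to 10 (high), the author's scale
    linked_steps: list[str] = field(default_factory=list)  # hypothetical audit-program step ids


def is_significant(risk: AssessedRisk) -> bool:
    """Both questions answered yes (likely and material) means a significant risk."""
    return risk.likely and risk.material


def check_alignment(risks: list[AssessedRisk], communicated_areas: set[str]) -> list[str]:
    """Return one finding per alignment rule that a significant risk fails."""
    findings = []
    for r in risks:
        if not is_significant(r):
            continue  # non-significant risks are outside these three rules
        label = f"{r.account} / {r.assertion}"
        if r.inherent_risk < 9:
            findings.append(
                f"{label}: significant risk but inherent risk assessed at "
                f"{r.inherent_risk}; expected 9 or 10"
            )
        if not r.linked_steps:
            findings.append(f"{label}: no extended audit-program steps linked")
        if r.account not in communicated_areas:
            findings.append(f"{label}: not in the communication to those charged with governance")
    return findings


# Constructed sample engagement data (hypothetical, for illustration only).
SAMPLE_RISKS = [
    AssessedRisk("allowance for uncollectibles", "valuation", True, True, 10, ["B-2", "B-3"]),
    AssessedRisk("inventory", "valuation", True, True, 7, ["C-4"]),       # assessed too low, not communicated
    AssessedRisk("pension liability", "completeness", True, True, 9, ["F-1"]),
    AssessedRisk("cash", "existence", False, True, 3),                   # material but not likely
]

# Areas named in the planning letter to those charged with governance (constructed).
COMMUNICATED_AREAS = {"allowance for uncollectibles", "pension liability"}


def run_sample() -> list[str]:
    """Run the checks over the constructed sample; returns the findings list."""
    return check_alignment(SAMPLE_RISKS, COMMUNICATED_AREAS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against the sample, only the inventory valuation risk produces findings: its inherent risk is below the 9-or-10 range even though it was flagged as significant, and inventory is missing from the governance communication. The cash existence risk is material but not likely, so it is not significant and is skipped. In practice you would rerun the check before the final governance communication, since risks identified late in the engagement will not be in the planning letter.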
Audit Risk Assessment Book on Amazon
See my book on Amazon: Audit Risk Assessment Made Easy, Seeing What Others Miss.
Though asking how many significant risks, could we also ask how many relevant assertions should we find in the audit, i.e., RMM? In many audits, I don’t recognize any; I haven’t found any materially wrong numbers during the years.
In that case, [AU-C] 330.18 (Irrespective of the assessed risks…) takes over. Also then I have to find a (potential) assertion to direct my procedures.
What is the best way:
a) “try hard” to find a relevant assertion but assess it at a very low level of RMM – or
b) proceed according to 330.18 (after the stand back moment)?