Are auditors who see audit risk assessment as a waste of time leaving money on the table? Could this be a cause of lower profit realizations?
Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t? This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment is the doorway to maximum impact with minimal effort.
So, why do some auditors avoid audit risk assessment? Here are two reasons:
Too often auditors keep doing the same as last year (commonly referred to as SALY), no matter what. It’s more comfortable than using risk assessment. But what if SALY is faulty or inefficient? Or what if the “tried and true” has blind spots. Maybe it’s better to assess risk annually and to plan our work based on present conditions.
The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:
Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.” In other words, we work backward. So, how can we work appropriately?
Audit standards—in the risk assessment process—call us to do the following:
While we may not complete these steps in order, we do need to perform our risk assessment first (1.-4.) and then assess risk as a result. Okay, so what procedures should we use to carry out the risk assessment process?
AU-C 315.06 states:
The risk assessment procedures should include the following:
a. Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor’s professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
b. Analytical procedures
c. Observation and inspection
I like to think of risk assessment procedures as tools, all used to sift through information and aid in the identification of risk.
Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same. First, we need to understand the entity and its environment.
The audit standards require that we understand the entity and its environment.
I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk.
I want to know what the owners and management think and feel. The visceral is a flashing light saying, “Important!” Every business leader worries about something. And understanding the source of those worries illuminates risk.
Think of risks as threats to objectives. Your client’s fears tell you what the objectives and threats are. Worries shine the light on threats to objectives.
To understand the entity and its related threats, ask questions such as:
As with all risks, we respond based on their severity. The higher the risk, the greater the response. We’ll respond to risks at these levels:
Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements. Specific responses to risk occur at the transaction level, such as a search for unrecorded liabilities.
We must do more than just understand transaction flows; we need to understand the related controls. So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.
The use of walkthroughs is probably the best way to understand internal controls. As you perform your walkthroughs, you are asking questions such as:
Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. A lack of controls threatens this objective.
So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions; and—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders. This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.
Another significant risk identification tool is the use of planning analytics.
Use planning analytics to shine the light on risks. How? I like to use:
In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason they are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)
You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks.
Sometimes, unexplained variations in the numbers are fraud signals.
In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?
Also, we should plan procedures related to:
My next blog post—in this series—addresses fraud risk, so this is all I will say about theft for now. Sometimes the greater risk is not fraud but errors.
Have you ever noticed that some clients make the same mistakes—every year? They are usually smaller clients. In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).
One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look for potential errors.
Now it’s time to pull all of the above information together.
Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image. We are—at this point—bringing the information into one distilled risk snapshot. What are we bringing together? Here are examples:
Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). We are focusing these plans on the areas where the risk of material misstatement is highest.
How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.
Understanding the RMM formula is key to identifying high-risk areas.
What is the RMM formula?
Put simply, it is:
Risk of Material Misstatement = Inherent Risk X Control Risk
Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.
Once we have completed our risk assessment process, control risk can be assessed at high–simply as an efficiency decision.
The inputs in audit planning include all of the above audit risk assessment procedures.
The outputs (sometimes called linkage) of the audit risk assessment process are:
We tailor the strategy and plan according to the risk assessment.
In a nutshell, we identify risks and then respond to them.
In my next post in this series, we’ll take a look at the why and how of fraud auditing. So, stay tuned. If you haven’t subscribed to my blog, consider doing so.
Get my free weekly accounting and auditing digest with the latest content.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses.He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events.Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
Please log in again. The login page will open in a new window. After logging in you can close it and return to this page.
CPA Hall Talk
Sign up for my