Risk assessment matters demystified

Understanding the value

Let’s presume the core steps in a risk assessment are functions the experienced auditor has likely always performed (but might not have demonstrated in the workpapers). How can we bridge documentation requirements to a value-added process rather than a compliance burden? Gaining an understanding of the client’s business, its internal control systems, and threats to accurate accounting and reporting are essential quality audit practices, but might not be adequately linked to a volume of checklists that staff prepare.

In fact, over-reliance on staff (who often have only a rudimentary knowledge of the COSO framework), almost guarantees that they will improperly handle the risk assessment and poorly document it. Without good leadership and involvement of engagement managers and partners during this process, the assessment is almost certain to be inadequate. Involvement of experienced personnel cannot consist only of pre-issuance reviews; it must extend into the planning process.

Increasing the risk assessment’s effectiveness requires connecting the work to the basic objectives of the standards:

Identifying risks of material misstatement

This section includes:

• Performing risk assessment procedures, including inquiries of management
• Considering the risk of material misstatement from fraud
• Having a discussion with the engagement team about the potential for material misstatement of the entity's financial statements.

If the workpapers do not capture that a conversation with management or the audit team engaged in brainstorming or spoke with management regarding the potential for fraud or the significant risks they identified during the engagement, it's presumed that the team never had those conversations. Not documented? Not done.

Understanding the entity and its environment, including the entity’s system of internal control

• Obtaining an understanding of the entity, including its industry, regulatory environment, ownership and governance structure, investments, accounting policies, strategies and business risks
• Obtaining an understanding of the entity’s system of internal control

Forty percent of risk assessment issues that peer reviewers identified relate to the engagement team's failure to gain an understanding of the client's internal controls.

Auditors can no longer default to a maximum level of control risk and skip assessment of risk. Auditors may still decide to assess control risk at maximum for efficiency, but even then they are required to assess the strength of the client’s design of internal control, including the likelihood of whether the controls can mitigate financial reporting risks the audit identified. Auditors should document evidence of a "walkthrough" of the client's controls.

The COSO Internal Control Framework is the basis for understanding effective internal control design. Firms may wish to take a deeper look at staff CPE when conducting the annual firm inspection. Chances are most staff don’t have recent training in the current COSO framework, even though they may have audit risk assessment training.

The auditor may not assess that the client has no internal controls. All entities have some controls, even if the client has not documented them. Examples of internal controls for smaller entities include account reconciliations, monitoring of financial results by management, IT security procedures and tone at the top.

An AICPA practice aid, Examples of Controls in Small Entities, provides some examples of controls by material class of transaction, account balance or disclosure that might be present in smaller entities.

Assessing the risks of material misstatement

The audit team should assess the risks of material misstatement

• At the financial statement level, and
• At the relevant assertion level for classes of transactions, account balances and disclosures.

Fourteen percent of peer review risk assessment issues relate to insufficient risk assessment, particularly in assessing risks at the account, rather than the assertion level, or the audit team's failure to identify one or more significant risks.

At the AICPA Peer Review Conference in August 2018, experienced peer reviewers expressed concern that practice aids allow staff to short-cut proper risk assessment by allowing risk assessment at the account level. Practice aid providers indicated they would investigate this concern further and consider removing this option from the practice aids.

Examples of common significant risks at the smaller entity level would include revenue recognition or management override of controls.

Linking risks identified to audit procedures

The auditor should select or identify audit procedures in response to the risks identified.

Twenty-four percent of peer review risk assessment issues relate to not linking audit procedures to identified risks.

Workpapers should document how the audit has been tailored to the risks identified. This will require practice aid providers to modify procedures in response to the risk assessment. For significant risks, auditors should perform extended procedures. Where control risks are assessed at low, the workpapers should include evidence of testing that control.

Thirteen percent of peer review risk assessment issues relate to auditors assessing control risk as less than high without appropriately testing controls.

Control documentation does not equate to control testing. Also, a walkthrough is not sufficient to support an assessment of control risk below maximum. The engagement team should conduct and evaluate a full test of the control, using appropriate samples.

Another risk related to supervisory involvement is that staff will inappropriately conclude that procedures are “N/A” and fail to perform the tests that address one or more risks. This is often not detected until the final preissuance review of the workpapers, or fails to be detected.

If no one documented it, it didn't happen

AU-C 230, Audit Documentation, addresses the requirements for audit workpaper documentation. The base requirement is that if an experienced auditor reviewed the workpapers without being able to ask the team questions, would he or she be able to understand or replicate the work? How would an experienced auditor know that the engagement team performed a risk assessment if there is no documentation of it?

Failure to comply with AU-C 315 or 330 indicates that audit risk has not been reduced to an acceptably low level. Failure to comply with AU-C 230 must be evaluated as an indication that the firm did not comply with AU-C 315 or 330. Either way, the peer reviewer will be required to find that the auditor did not obtain sufficient appropriate audit evidence to support the audit opinion, resulting in a non-conforming engagement.

Circling back to value

Effective risk assessments help auditors work smarter, preventing over- as well as under-auditing, and reducing audit risk. Reasonable assurance for the auditor’s opinion requires the engagement team to obtain—and document—sufficient, appropriate audit evidence to reduce the risks of a material misstatement to an appropriately low level. Linking the theory to our practice drives the profession’s goal of the highest quality audits.

Laura Hay, CPA, CAE, is executive vice president of The Ohio Society of CPAs and staff liaison to the Accounting & Auditing Committee. She can be reached at Lhay@ohiocpa.com or 614.321.2241.