Risk-Based Audit Best Practices


The aim of the risk assessment auditing standards was to improve the quality and effectiveness of audits by substantially changing audit practice. Statements on Auditing Standards nos. 104–111 provide increased rigor to the audit process in a number of key areas including the assessments of inherent and control risks and the linking of these risk assessments to further audit procedures.


This year marks the third anniversary of the standards’ effective date. Across the profession much progress has been made toward the ultimate goal of a more reliable audit process, but even more is possible as we continue to learn about the standards’ practical application.


This article captures some of the most important lessons learned and best practices that have emerged during the extended implementation of the risk assessment standards (see sidebar, “Methodology Behind Application Suggestions,” at bottom of page).



Previous auditing standards allowed auditors, at their discretion, to simply designate the client’s internal control as a high risk, which allowed them to greatly reduce the effort required to understand and document internal control.


The risk assessment standards prohibit the auditor from “defaulting to the maximum” control risk. On all audits the auditor should evaluate the design and implementation of internal control to properly identify and assess risk.


Implementing and applying this standard in practice has proven to be a challenge for many firms, which have difficulty in three areas: linking their internal control work to the substantive procedures and other aspects of the engagement; finding sufficient benefit to justify the increased audit costs that result from the stricter standard; and determining how to evaluate the effectiveness of internal control design.



Karen Kerber, a shareholder with Kerber, Rose & Associates, sums up the fundamental dilemma her firm’s auditors face. “Our staff struggles with understanding how internal control is relevant,” she says. “They need to relate it to something.”


The secret is for the auditor to gain a deeper understanding of the COSO integrated framework of internal control, according to Charles Landes, AICPA vice president–Professional Standards and Services. “COSO addresses the issues faced by Karen and the staff at many other firms because it relates internal control to the financial statements,” he says.


To apply what Landes refers to as “the COSO process,” the auditor starts at the highest level of aggregation, the financial statements. The auditor then proceeds through a sequence of analyses that become increasingly granular until he or she ultimately assesses individual control activities (see Exhibit 1).



The auditor starts with the financial statements at the “top” of the diagram and works “down” to the individual controls. The first step is to identify the material accounts and significant classes of transactions and the relevant assertions related to those accounts.


Risk of material misstatement—“what can go wrong?”—is the flip side of the assertion. For example, the “what can go wrong?” related to the completeness assertion is that one or more valid transactions are not recorded in the system. Identifying what can go wrong allows the auditor to understand control objectives, for example, “to ensure that all valid transactions are recorded.”


The auditor then identifies those controls that meet the stated control objective. In this way, there is an unbroken link between the financial statements and internal control, and the auditor can easily understand the effect that a particular control activity can have on an amount reported in the financial statements.



Audit methodologies built around the top-down COSO process have proven highly efficient because they allow the auditor to properly scope the internal control test work to include only the controls relevant to the audit.


Rather than gaining an understanding of all controls used by the client, the top-down approach drives the auditor to progressively eliminate from consideration controls related to immaterial accounts and transactions, controls related to nonrelevant assertions, and controls that are overly redundant.


The result is a tightly focused population of controls for the auditor to understand, assess and document, which allows the audit to be as efficient as possible.



Prior to the risk assessment standards, there was no explicit requirement for auditors to evaluate the design of their client’s internal control, and consequently, most auditors merely documented their understanding of how the control operated without judging whether the control was properly designed. The requirement in the risk assessment standards to evaluate control design has been difficult for some auditors.


Firms that have rigorously applied the COSO process in their audit methodology have been able to perform a meaningful evaluation of internal control design, which ultimately improves audit quality.


As shown in Exhibit 1, the COSO process requires the auditor to define relevant control objectives and then determine the control activities or combination of control activities that meet the objective. A control system that meets the stated control objectives is designed effectively. A system that leaves important control objectives unmet is ineffective. Identifying these control weaknesses allows the auditor to better assess risks and respond by designing the right mix of further audit procedures.



Most auditors understood that the risk assessment standards would require them to perform more audit procedures than in the past, and they were prepared to incur significantly higher costs during the first year of implementation. The expectation was that in subsequent years, costs would decline because auditors would leverage their knowledge of the client obtained in prior audits. In practice, realizing these savings has been difficult as auditors have struggled to determine the nature and extent of the procedures they should perform on an ongoing basis.



For years, auditors have fought a SALY mentality, the tendency to implicitly assume that everything on the audit is “Same As Last Year,” an assumption that invariably leads to diminished audit quality. The risk assessment standards give audit firms an opportunity to eliminate the SALY mindset by reframing the issue. Instead of considering how to “update” last year’s audit, start with the premise that something has changed, and the first priority of the current year’s audit is to identify those changes and determine their effect on risk by asking questions such as:


  • What has changed at the entity and in its operating environment since our last audit?
  • As a result of these changes, how have inherent risks at the client changed since our last audit?
  • Were changes to internal control necessary to address these changes to inherent risk?


Only after the auditor has adequately answered these questions will he or she be able to determine the nature and extent of additional risk assessment procedures.


Exhibit 2 describes a structured process for applying this approach.



In Exhibit 2:


  • The blue diamonds describe the key audit judgments that should be made in the current year.
  • The blue rectangles summarize the risk assessment procedures that should be performed in the current year.
  • The green ovals summarize the knowledge that is carried forward from prior-year audits and how it factors into current-year audit judgments.


Read this decision tree from top to bottom:


  • Begin by considering the nature of the changes to the entity and its environment since the previous audit. It is key to ask whether those changes have resulted in changes to inherent risks. For example, the current recession may create inherent risks for your client that were not present before the economic downturn.
  • If inherent risks are unchanged (and assuming that the prior year’s controls were effectively designed and implemented), the auditor will need to verify the implementation of controls to determine whether there have been any changes in their design or implementation.
  • If changes in the entity or its environment create new or modified inherent risks, then the auditor will need to determine whether changes in internal control were necessary to address those new risks. For example, the recession may create risks related to asset valuation that were not material in the past. In prior years, the client did very little to evaluate asset impairment. But in the current environment, the auditor should determine whether the client has changed its control procedures in response to the heightened level of risk.


The bottom of the diagram describes three possible scenarios:


  • If the controls in place during the prior year would have been effective in addressing the current year’s risks and the auditor has determined that there have been no changes to those controls, then the auditor is prepared to assess the risk of material misstatement.
  • If the prior year’s controls would have been effective in addressing the current year’s risks but the auditor discovers that the design or implementation of those controls has changed, then the auditor will need to assess the design of those new controls before assessing the risk of material misstatement.
  • For all new or significantly changed inherent risks that could not be effectively addressed by the prior year’s controls, the process will be similar to that undertaken in the initial implementation. The auditor will have to perform risk assessment procedures to gain an understanding of the design and implementation of controls to serve as a basis for assessing risk of material misstatement.



The sweeping scope of the risk assessment standards made it difficult for even the most resource-rich audit firms to optimize implementation of the standards. Most firms continue to refine their audit approaches and set firm policy to deal with issues that arise as a result of applying the standards.


The ongoing implementation issues for audits of smaller businesses will require even more attention. Audits of smaller, less complex businesses pose many challenges that may not exist in audits of larger clients. For example, auditors of smaller, less complex businesses frequently encounter:


  • Accounting records that require significant adjustments prior to the start of significant auditing procedures.
  • Significant transactions with unaudited related parties.
  • Less sophisticated or formal internal controls characterized by minimal documentation, lack of segregation of duties, and an overall lack of in-house accounting expertise.
  • The need to adapt standardized audit practice aids developed for audits of larger entities to the conditions that exist on an audit of a smaller, less complex business.



Most firms build their audit methodologies around a set of standardized practice aids. These forms and checklists help auditors comply with the requirements of the standards, but they should not be confused with the standards themselves. An auditor can comply with the standards and prepare audit documentation in many ways.


“Forms and guidance only cover a percentage (hopefully high) of the requirements,” says Lyn Graham, chair of the AICPA task force that drafted the risk assessment audit guide. “They should not be a substitute for training or understanding or consulting the literature for unusual situations. From what I have seen, one needs to deviate (probably more often than auditors would like to) from the forms to comply with GAAS.”


Customized practice aids were once thought to be the purview of only the largest firms, but growing numbers of audit firms are now developing a more customized, firm-specific set of audit practice aids by creating their own forms or checklists for highly judgmental areas such as the documentation of internal controls.


“We wanted a workpaper set that we could continue to build on and customize,” says Andrew Prather, shareholder at Clark Nuber. “For example, we work with a lot of not-for-profit organizations, so we wanted a format that would allow us to build a library of templates specific to our clients.”


Like many firms, Averett, Warmus, Durkee (AWD) formed a committee of five to six experienced auditors to evaluate the requirements of the standards and develop a firm-specific set of practice aids. “We did the project during our slower time in the summer and fall and did some practice runs with clients in different industries to work out some of the kinks,” said AWD audit partner Lena Combs. “We made some templates from these trials and made some samples, too, including a sample audit binder, and then we held in-house CPE to train everyone on how we were going to implement the standards. It saved us time when busy season hit.”


When asked whether she was concerned that the firm’s peer reviewers would take exception to some of their practice aids, Combs was confident that the AWD methodology would not be found lacking. “I have no doubts that peer review will pass with little disruption.”


It’s not just about the forms—there is tremendous value in the process itself. To create practice aids, firm personnel must obtain an in-depth understanding of the requirements of the standards and how they should be applied. This technical expertise becomes invaluable not only for performing audits but also for other critical activities such as training. Firms that make the commitment to “own” their audit methodology do so with the expectation that ultimately it will lead to more effective and efficient audits.



The unique demands of an audit of a smaller, less complex business typically require significant involvement of the most experienced auditors during the audit planning process. More experienced auditors will be able to make important judgments about audit strategy, including:


  • The nature, timing and extent of risk assessment procedures designed to gather information about the client and its environment.
  • The assessment of risks of material misstatement.
  • The nature and extent of the auditor’s documentation of assessed risks.
  • The nature and extent of the documentation of the client’s internal control.
  • The choice of further audit procedures that are clearly linked to assessed risks.
  • The allocation of audit resources to those areas of the audit that present the most risk.


The significant involvement of the most experienced auditors early in the audit process should improve both audit quality and efficiency.



Methodology Behind Application Suggestions

During the summer of 2009, the AICPA significantly revised the audit guide that was originally published concurrently with the risk assessment standards. To make these revisions, the Audit and Accounting Publications team formed an online, collaborative work group of more than 50 auditors who worked to identify and discuss technical issues, provide suggestions and vet new content.


The issues and suggestions described in this article were generated from the input received from this online working group. The revised audit guide, Assessing and Responding to Audit Risk in a Financial Statement Audit—AICPA Audit Guide, Revised Edition as of Oct. 1, 2009 (#012459), will be available January 2010 at cpa2biz.com.





  • On all audits the auditor must evaluate the design and implementation of internal control to properly identify and assess risk. Implementing and applying this standard in practice has proven to be a challenge for many firms.
  • The key to implementing the internal control evaluation requirement is “the COSO process.” The auditor starts at the highest level of aggregation, the financial statements, then proceeds through a sequence of analyses that grow increasingly granular until the auditor ultimately assesses individual control activities.
  • Auditors have struggled to determine the nature and extent of the procedures they should perform on an ongoing basis. Instead of considering how to update the prior year’s audit, make identifying changes in the organization your first priority.
  • The broad scope of the risk assessment standards made it difficult for audit firms to optimize implementation of the standards by developing firm policies and practice aids. The temptation is to use policies and practice aids developed by others, but by developing and owning their own approach, firms gain more in-depth knowledge of the standards and of their clients’ businesses that will help them truly optimize processes and maintain quality.


Michael Ramos (michaeljramos@mac.com) is a consultant and writer who specializes in auditor training.


To comment on this article or to suggest an idea for another article, contact Matthew G. Lamoreaux, senior editor, at mlamoreaux@aicpa.org or 919-402-4435.






JofA articles


Use journalofaccountancy.com to find past articles. In the search box, click “Open Advanced Search” and then search by title.



Risk Assessment Standards—Understanding the Entity and Assessing Risk, a CPE self-study course (#738801)



  • Risk Assessment Suite of Standards (#060704)
  • Understanding the New Auditing Standards Related to Risk Assessment—Audit Risk Alert (#022526)
  • Assessing and Responding to Audit Risk in a Financial Statement Audit—AICPA Audit Guide, Revised Edition as of Oct. 1, 2009 (#012459) (Available January 2010)
  • The above three publications can be purchased as a bundle (#990104HI).
  • The AICPA Audit and Accounting Manual has been updated to include the risk assessment standards (#0051309).


For more information or to make a purchase, go to cpa2biz.com or call the Institute at 888-777-7077.


On-Site Training

  • Applying the Risk Assessment Standards Using a Case Study Approach (#RCSA)
  • Auditor’s Risk Assessment Process: Tackling the Risk Assessment SASs (#ARAP)
  • Detecting Misstatements: Integrating SAS 99 and the Risk Assessment Standards (#DEMI)


To access courses, go to aicpalearning.org and click on “On-Site Training” then search by “Acronym Index.” If you need assistance, please contact a training representative at 800-634-6780 (option 1).


IT Center and CITP credential

The Information Technology (IT) Center provides a venue for CPAs, their clients, employers and customers to research, monitor, assess, educate and communicate the impact of technology developments on business solutions. Visit the IT Center at aicpa.org/INFOTECH. Members who want to maximize information technology to increase efficiency and boost profits may be interested in joining the IT Member Section or pursuing the Certified Information Technology Professional (CITP) credential. For more information about the IT Member Section or the CITP credential, visit aicpa.org/IToffers.


This comprehensive report looks at the changes to the child tax credit, earned income tax credit, and child and dependent care credit caused by the expiration of provisions in the American Rescue Plan Act; the ability e-file more returns in the Form 1040 series; automobile mileage deductions; the alternative minimum tax; gift tax exemptions; strategies for accelerating or postponing income and deductions; and retirement and estate planning.