Taking the risk out of risk assessment

Risk assessment is at the core of every audit. The goals of identifying, assessing, and responding to risks of material misstatement (“risks”) drive every audit procedure, from gaining an understanding of the entity and its internal control to vouching transactions back to vendor invoices.

However, more than a decade after the 2006 Risk Assessment Standards (Statements on Auditing Standards Nos. 104—111) provided a new road map for executing the audit, some auditors continue to struggle with implementing these standards.

Data collected by the AICPA Peer Review Program in 2016 show that more than 1 in 10 firms failed to comply with AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, or AU-C Section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained.

By analyzing the data, the Peer Review team uncovered a misconception in practice that is having a major impact on audit quality: Many auditors, especially those auditing small- to medium-size entities, believe they can perform a quality audit without properly considering their client’s risks.

This thinking is fundamentally inaccurate and is leading to violations of professional standards. This article walks through a few examples of what the Peer Review team has found, along with some tips to help promote compliance.

RISK ASSESSMENT IS VERY LIMITED OR NONEXISTENT

The risk of material misstatement is the risk that the financial statements are materially misstated prior to the audit. This consists of two components, inherent risk and control risk, which are defined in AU-C Section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards.

Paragraph .03 of AU-C Section 315 indicates that risk assessment provides “a basis for designing and implementing responses to the assessed risks of material misstatement.”

If auditors do not assess their clients’ risks, they will have no basis for designing audit plans that respond to those risks. Regardless of the amount and type of substantive testing they perform, the auditors will have no way of knowing whether their procedures reduced audit risk to an appropriately low level.

As such, a failure to comply with AU-C Section 315 represents a failure to obtain sufficient appropriate audit evidence to support the opinion.

NO LINKAGE BETWEEN ASSESSED RISKS AND PLANNED RESPONSES

Performing substantive procedures without linking them to a risk assessment is like throwing darts while blindfolded. You might occasionally hit the bull’s-eye and properly respond to a client’s specific risks, but more often, you’ll miss the board entirely.

The Peer Review team has noted numerous instances where auditors appear to be “going through the motions,” assessing risks because the standards require it but ignoring the risk assessment when selecting or designing their substantive procedures.

This approach can lead to over-auditing and can have a significant impact on an auditor’s efficiency. By completing standardized audit programs without considering the client’s specific risks, the auditor may be performing more work than is necessary in areas of low risk.

The more important concern with this approach is that it can lead to under-auditing, such that the auditor fails to perform procedures that are responsive to a client’s specific risks. When this occurs, the auditor fails to obtain sufficient appropriate audit evidence to support the opinion.

IMPROPER USE OF THIRD-PARTY PRACTICE AIDS

Standardized, third-party practice aids can be valuable tools that provide auditors with useful insights when planning and conducting an audit. However, to be effective, these tools must be used as intended.

Even if auditors use standardized practice aids, they are still required to perform a risk assessment and show the linkage between that assessment and their procedures. Auditors should not assume that the recommended procedures in their standardized practice aids will always address a particular client’s risks.

Auditors should thoughtfully consider whether the procedures recommended in their practice aid are responsive to a client’s account- and assertion-level risks. Modification of those procedures or the addition of new procedures may be required, especially if an auditor is responding to a significant risk, according to AU-C Section 315, paragraphs .28—.30

FAILURE TO PROPERLY RESPOND TO SIGNIFICANT RISKS

The Peer Review team has noted varying interpretations of the term “significant risk.” Some practitioners believe significant risks are limited to fraud risks, while others believe any assertion with a high risk of material misstatement should be considered a significant risk.

Neither is accurate. A significant risk is any risk that, in the auditor’s professional judgment, requires special audit consideration. These risks often relate to nonroutine transactions that require significant judgment on the part of the client.

For example, if a small manufacturing company purchases a business and records goodwill, assessing goodwill for impairment may occur infrequently and require professional judgment. Depending on the materiality of the account balance, goodwill valuation may represent a significant risk.

“Special audit consideration” means the auditors go above and beyond what they would ordinarily do in auditing that account or assertion for a similar client. When a significant risk has been identified, the auditor should obtain an understanding of the client’s controls relevant to the significant risk, evaluate the design of the controls, and determine whether they have been implemented.

Additionally, the auditor should perform substantive procedures that are specifically responsive to the risk. In most cases, this would require the auditor to modify or add procedures to standardized audit programs.

Virtually every audit, including audits of small- and medium-size entities, involves at least one significant risk. Accordingly, if you are not modifying your standardized audit programs to address significant risks on your audit engagements, it is likely that you are not complying with AU-C Section 330.

REPEATING THE SAME APPROACH FOR CLIENTS IN THE SAME INDUSTRY

Auditors should thoughtfully consider the procedures that would best respond to their client’s risks and should not simply perform the same procedures that were required for another client in the same industry.

To illustrate, consider two clients in the manufacturing industry, both of which have a high risk of material misstatement associated with inventory existence.

• Client A’s risk relates to concerns about theft, which spiked during the year under audit.
• Client B’s risk relates to receiving processes, which have affected the accuracy of inventory counts in the past.

While these clients operate in the same industry, and both have a high risk of material misstatement for inventory existence, they may require two very different audit responses. During a physical inventory count, Client A’s auditor may determine that the best way to lower detection risk would be to make a targeted selection of high-dollar items that would be easy to liquidate. Conversely, Client B’s auditor may consider a random sample to be more appropriate, with more time dedicated to observing the receiving process at fiscal year end.

In this example, if the auditors of Client A took a random sample, they could spend hours counting inventory that is not at risk of theft, ultimately devoting time and effort to procedures that do not reduce the detection risk associated with inventory existence to an appropriate level.

TIPS TO HELP YOUR FIRM COMPLY WITH AU-C SECTIONS 315 AND 330

When performing your next audit engagement, be sure to:

• Obtain a strong understanding of your client and its environment, including the system of internal control.
• Identify the client’s risks, including any significant risks.
• Document the linkage between your risk assessment and the procedures on your audit programs.
• Design and perform procedures that specifically address any significant risks.
• Revisit your risk assessment and audit plan throughout the engagement.

Following these tips and avoiding common pitfalls can help practitioners deliver high-quality audits and provide an important service to clients and the public. Free tools available at aicpa.org/riskassessment can be used to document your risk assessment, train your staff, help you perform an effective internal inspection, and start improving the quality of your audits.

---

About the authors

Carl R. Mayes Jr., CPA, is an AICPA senior manager; Charles E. Landes, CPA, is vice president—Professional Standards & Services at the AICPA; Hiram Hasty, CPA, CGMA, is an AICPA senior technical manager.

To comment on this article or to suggest an idea for another article, contact Ken Tysiac, a JofA editorial director, at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.

---

AICPA resources

Articles

• “Quiz: Is Your Audit Addressing Your Client’s Risks?” JofA, May 9, 2018
• “Audit Documentation: Tips for Getting It Right,” JofA, June 2017
• “4 Strategies for Efficient, Effective Audit Documentation,” JofA, Nov. 2017

Publication

• Assessing and Responding to Audit Risk in a Financial Statement Audit (#AAGARR16P, paperback; #AAGARR16E, ebook; #WRA-XX, online access)

CPE self-study

• Applying the Risk Assessment Standards to Ensure a Quality Audit (#164780, online access; #GT-CL4ICRA, group pricing)
• Internal Control and Risk Assessment: Key Factors in a Successful Audit (#164222, online access; #GT-ICRA, group pricing)

For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.

Web resources

• AICPA Risk Assessment Resources, aicpa.org/riskassessment