Generally accepted auditing standards (GAAS) require the auditor to identify and assess risks of material misstatement (AU-C §315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement) and to perform audit procedures designed to respond to those identified risks (AU-C §330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained). Following these risk assessment standards is not only necessary to comply with GAAS but also likely to result in more effective and efficient audits.
Even so, the findings of the 2016 AICPA Peer Review Program suggest that more than 10% of auditors are falling short of meeting the risk assessment standards (AICPA Peer Review Board, Supplemental Guidance of the AICPA Standards for Performing and Reporting on Peer Reviews, April 2019; "Taking the Risk Out of Risk Assessment," JofA, Aug. 2018).
Moreover, this is a topic of focus for peer reviewers, so auditors will need to improve their performance in this area. It is therefore likely that, going forward, peer reviewers will identify when auditors fall short of compliance with the risk assessment standards. In sum, it is more critical than ever for auditors to understand the risk assessment standards and, specifically, how to identify and respond to risks.
This article serves two objectives. The first is to alert auditors to the increased emphasis of the AICPA Peer Review Program on compliance with the risk assessment standards and to alert them to some of the examples of noncompliance that, according to the AICPA Peer Review Board, result in nonconforming engagements. The second is to show auditors, through an example, how conducting audits in accordance with the risk assessment standards results in more effective and more efficient audits.
RISK ASSESSMENT STANDARDS AND THE AUDIT OPINION
AU-C Section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards, paragraph .06, states:
As the basis for the auditor's opinion, GAAS require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high, but not absolute, level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk ... to an acceptably low level.
At this point, it is helpful to remember the audit risk model:
Audit risk = Risk of material misstatement x Detection risk
Recall that the auditor reduces audit risk, that is, "[t]he risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated" (AU-C §200, ¶.14) by reducing detection risk, that is, "[t]he risk that the procedures performed by the auditor ... will not detect a misstatement that exists and that could be material" (AU-C §200, ¶.14). The auditor reduces detection risk by performing audit procedures in response to the identified and assessed risks of material misstatement. As a result, audit procedures, no matter how extensive, that do not respond to risks of material misstatement, no matter how perfectly identified and assessed, fail to reduce detection risk and thus audit risk to an acceptably low level. In other words, if the auditor fails to comply with the risk assessment standards, the auditor fails to obtain sufficient appropriate evidence to support his or her opinion.
NONCOMPLIANCE AND NONCONFORMING ENGAGEMENTS
The AICPA Peer Review Board (April 2019, pages 36—37) provides several examples of noncompliance with the risk assessment standards that result in nonconforming engagements. Below are some of the more general examples:
- Failure to evaluate the design and implementation of controls relevant to the audit.
- Failure to identify or document the identified risks of material misstatement, including any significant risks.
- Failure to assess or document the assessment of risk at both the relevant assertion level and financial statement level.
- Failure to properly document the firm's identification and assessment of the risks of material misstatement and response thereto.
It is incumbent upon auditors to be aware of and take steps to prevent instances of noncompliance, such as those failures noted above.
AUDIT EFFECTIVENESS AND EFFICIENCY
That compliance with the risk assessment standards is necessary to support an audit opinion should provide, in and of itself, sufficient reason for auditors to follow the standards. It is, however, important to note that compliance also allows auditors to conduct more effective and more efficient audits. To illustrate this concept, consider the following example:
An auditor has two clients: Client A and Client B. For both clients, the risk of material misstatement for the valuation of allowance for bad debts is assessed as high. For Client A, the risk is high due to poor controls over the credit-granting function. For Client B, the risk is high due to economic turmoil in an industry that includes several of the client's customers.
Though the risks of material misstatement are assessed at the same level for both clients, the audit procedures in response to those risks should differ between clients. For Client A, the auditor might determine that it is best to use a simple sampling approach, examining the collectibility of a broad, random sample of accounts. Alternatively, for Client B, the auditor might determine that it is best to use a stratified sampling approach, examining the collectibility of a specific, targeted sample of accounts in the struggling industry as well as a disproportionately smaller random sample of all other accounts.
Of course, some audit procedures (such as examining the collectibility of accounts that have been outstanding for a long period of time) will be similar between clients. Note, however, that by performing some procedures that specifically respond to the identified and assessed risks of each client, the auditor is increasing both the effectiveness and efficiency of the audit. For example, consider the approach for Client B. If the auditor takes a simple sampling approach, the auditor is taking an approach that is not only less effective but also less efficient. The simple sampling approach, as opposed to the stratified sampling approach, is less effective in that the auditor is likely to overlook a greater number of accounts that are of concern (that is, accounts in the struggling industry) and less efficient in that the auditor is likely to examine a greater number of accounts that are not of concern.
The AICPA, through its Peer Review Program, is seeking to identify where firms misunderstand the risk assessment standards and provide remediation. This almost always includes education, but often additional actions are taken to see whether lessons are learned and applied. Accordingly, now, more than ever, it is essential that auditors properly assess the risk of material misstatement and respond with appropriate audit procedures. Auditors should not be anchored to their initial risk assessment, as the risk may change as more audit evidence is obtained. Auditors should be diligent in identifying significant risks such as the risk from fraud, deteriorating economic conditions, complex transactions, material related-party transactions, accounting estimates with a high degree of measurement uncertainty, and transactions outside the normal course of business for the entity being audited. By properly assessing the risk of material misstatement and documenting their assessment of risk and how it links to the audit procedures performed, the auditor will not only comply with GAAS and be able to withstand the scrutiny of a peer review but also save time and money in the process by conducting more effective and more efficient audits.
About the authors
Tristan B. Johnson, Ph.D., and James Rich, CPA, DBA, are assistant professors in the Department of Accounting at the Mitchell College of Business at the University of South Alabama in Mobile, Ala. Thomas G. Noland, CPA, Ph.D., is a professor and chair of the Department of Accounting and Finance at the University of Southern Indiana in Evansville, Ind.
To comment on this article or to suggest an idea for another article, contact Ken Tysiac, the JofA's editorial director, at Kenneth.Tysiac@aicpa-cima.com.
- "Professional Liability Spotlight: The Risk Suite: This Teenager Can Mitigate Liability Angst," JofA, Aug. 2019
- "5 Missteps to Avoid When Evaluating Internal Controls," JofA, July 2019
- "Taking the Risk Out of Risk Assessment," JofA, Aug. 2018
- AICPA Internal Inspection Practice Aid: Addressing Non-Compliance With AU-C 315 and 330
- AICPA Peer Review Program Section 3100, Supplemental Guidance
- Experienced Staff/New In-Charge — Risk Assessment (#161212, online access)
- Risk Assessment and Internal Controls: Not-for-Profit Governance and Assurance (#165152, online access)
- Risk Assessment Deep Dive: How to Avoid Common Missteps (#157000, online access)
- Risk Assessment: Not-for-Profit Governance and Assurance (#165436, online access)
For more information or to make a purchase, go to future.aicpa.org/cpe-learning or call the Institute at 888-777-7077.