Audit smarter by reassessing audit risk

Editor’s note: The author is technical director of the AICPA Center for Plain English Accounting.

Addressing audit risk in financial statements with high levels of substantive procedures toward the balance sheet has been informally passed down from generation to generation of private company auditors like a family heirloom.

Known as the “beat up the balance sheet” (BUBS) or “brute force” audit approach, it addresses audit risk by overauditing, even though there’s a better way to address audit risk. (See the sidebar, “Reasons to Not Beat Up the Balance Sheet.”)

About half (50.3%) of the firms that participated in a December 2023 webcast poll by the AICPA Center for Plain English Accounting (CPEA) said they apply the BUBS approach.

Poll results also suggest that these firms often see risk assessment procedures required by AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, as a back-end, form-driven compliance exercise. In these settings, risk assessment can be perceived as inefficient and not adding value. A 2022 survey of CPEA members conducted by the AICPA Auditing Standards Board (ASB) found that 75% of respondents believed the costs of an audit exceed the benefits for less complex entities (LCEs). Further, 73% of respondents reported that they are reluctant to scale or modify requirements in GAAS when auditing an LCE, primarily because of concerns related to peer review.

Concurrently, risk assessment compliance and audit quality concerns exist, including those noted by practitioners performing peer reviews and by the AICPA Enhancing Audit Quality initiative.

Standards are becoming increasingly complicated, in part reflecting the complexity of the business environment. Finally, the profession faces a workforce shortage that some have suggested is at a crisis level.

HOW TO REIMAGINE AUDIT RISK ASSESSMENT

To provide solutions, the CPEA developed Reimagining Risk Assessment (RRA) after multiple years of development, thought, and reflection. RRA provides concrete fundamental steps within a firm’s audit methodology to reimagine risk assessment in a more focused and efficient way while also reframing it as a strategic opportunity and potential competitive advantage.

RRA starts with reorienting a firm to the core audit objective to lower audit risk to an acceptably low level by identifying risks of material misstatement.

Risks of material misstatement exist under AU-C Section 315, “when (a) there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and (b) if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude).” (See the graphic, “Risks of Material Misstatement.”)

The firm starts its planning, before a client’s year end, by identifying risks of material misstatement (ROMMs) and then mapping those ROMMs to applicable assertions, which then become relevant assertions. From there, the auditor formally assesses the risk of material misstatement for all relevant assertions and then designs and performs further audit procedures based on the risks assessed. This process, also known as a “top-down approach,” has a ROMM-based focus with numerous benefits. These benefits include:

• Elimination of work related to assertions and/or areas that are not relevant.
• Tailoring audit procedures to specific ROMMs
• Alignment of engagement team members on audit procedures and processes.
• More purposeful and meaningful audit procedures related to internal control to impact the design of substantive procedures.
• Shifting of work hours outside of peak periods (for example, “busy season”).
• Reduced audit risk with increases in purposeful, intentional, and meaningful audit procedures.

The most important part of RRA, however, is not with the fundamental concepts outlined above, but rather the intangible change management process to gain trust and support for a new way of approaching risk assessment. Private company auditors may find the process outlined above inefficient and possibly intimidating. For example, highvolume, lower-fee engagements put a premium on efficiency, and the aforementioned process may seem non–value adding in these contexts. RRA works to ease these anxieties by showing that the cost-effective benefits to the process are achievable within the firm’s existing audit methodology.

Firms can streamline the process, bringing risk assessment ROMM identification into the firm’s philosophy, in a number of ways. Firms can segment their audit practice to identify areas where templates with appropriate tailoring memoranda can be used. Industry niches can be used to identify industry-level ROMMs for engagement teams to consider. Risk libraries for engagement teams to consider as potential ROMMs also serve as a convenient reference point.

Some private company auditors are tempted to downplay planning and risk assessment and just “start auditing” with BUBS. They tend to shift their focus away from ROMMS and toward filling out third-party practice aid forms “correctly.” One critique of this approach is that it frequently yields overauditing.

RRA provides examples, within a firm’s current audit methodology, to identify risks of material misstatement (based on a proper risk assessment) and relate those to assertions within audit areas (which then become “relevant”). This process also identifies areas and assertions that are “not relevant” — an important benefit. Properly supporting an audit area or assertion as “not relevant” justifies limited audit responses in an assertion/area. Showing a proper path to a more limited audit response can help break down cultural resistance and reframe thinking about the importance of risk assessment.

It is important to acknowledge that senior engagement team members will need to be involved more heavily earlier in the engagement — ideally well before a client’s year end. This may be an area of cultural change for firms. CPEA surveys of members have noted that risk assessment forms are frequently approved by engagement partners well after a client’s year end.

An enemy of reimagining risk assessment is the option inside many firm technologies to blanket roll forward all risk assessment and planning checklists and workpapers with an intention to make updates for changes. Despite good intentions, firms usually find these technological defaults difficult to overcome. This often leads to a “same as last year” result instead of reimagining the risk assessment audit process. RRA encourages firms to look at more limited roll-forward options (such as carrying forward only identified ROMMs from a prior audit as a starting point) to strike the right balance between efficiency and proper identification of ROMMs.

Globalization, technology, regulation, and a shallow talent pool are among the factors dramatically increasing the pace of change in business. Audit approaches need to evolve as well. The CPEA sees firms that embrace risk assessment as being well positioned to thrive in the dynamic business environment by focusing on ROMMs, while avoiding overauditing caused by BUBS. Further, audit firms that apply RRA will be well positioned to develop and attract talent, as those firms will be able to clearly align audit procedures and processes with ROMMs, providing staff with meaningful and purposeful work. Conversely, by continuing to cling to BUBS, in addition to standards compliance challenges, audit firms will likely perform procedures out of fear. This will drive staff frustration, monotony, and turnover.

Thriving in the future will require reframing risk assessment as a core strategic opportunity. Firms have abilities and options to reimagine risk assessment, using existing audit methodologies, where the will is present.

Reasons to not beat up the balance sheet

In many cases, a prerequisite to reimagining risk assessment is to shed engrained mindsets. The “beat up the balance sheet” (BUBS) audit approach is outdated for the following reasons:

• BUBS lacks definition, which causes inconsistency (and resulting staff frustration) in application.
• “We audit everything” is not sustainable in the long term, given increased business and accounting standards complexity.
• BUBS tends to promote a same-as-last-year (SALY) mentality, which can lead to overauditing for areas/assertions that are no longer relevant and also underauditing for new risks of material misstatement.
• GAAP has become too lengthy and complicated to audit with “brute force.”
• Risk assessment-based approaches better align engagement teams and drive more meaningful and purposeful audit work.
• The CPA talent shortage puts a premium on efficiency and avoiding overauditing.
• Business models have become too complex for BUBS.
• It is not clear how to “beat up” a liability that is not recognized (e.g., contract liability, embedded lease liability, contingency, derivative liability, etc.).
• Scalability options exist with common audit methodologies for risk assessment-based focuses.
• Audit standards presume a proper risk assessment.
• Back-end, form-driven contortions attempt to show compliance, but the trained eye is able to see inconsistencies between the forms and the way the audit is actually conducted (BUBS). For example, items such as significant risks are frequently not applied correctly.

About the author 

Thomas J. Groskopf, CPA, CVA, MBA, is service line leader of Barnes Dennig’s accounting and audit practice and is also technical director for the AICPA Center for Plain English Accounting. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.

LEARNING RESOURCES

Risk Assessment Today

Review the risk assessment standard requirements and discuss the importance of risk assessment in the current environment. It will help you to improve audit quality by avoiding common challenges.

CPE SELF-STUDY

Risk Assessment Under SAS No. 145

Overcome the challenges commonly faced when conducting risk assessment in conjunction with SAS No. 145.

July 18 and Aug. 15

WEBCAST

Assessing and Responding to Audit Risk in a Financial Statement Audit: Audit Guide

This guide is the definitive source for guidance on applying the core principles of the risk-based audit methodology required for all financial statement audits.

EBOOK

For more information or to make a purchase, go to aicpa-cima.com/cpe-learning or call 888-777-7077.

AICPA & CIMA RESOURCES

Articles

“AI and Fraud: What CPAs Should Know,” JofA, May 1, 2024

“Using Technology to Boost Audit Quality,” JofA, Jan. 1, 2024

“Considering IT Risk During Audit Risk Assessment Procedures,” JofA, Nov. 1, 2023

“How to Implement the Risk-Based Quality Management Standards,” JofA, Oct. 1, 2023 

Website

Reimagining Risk Assessment (AICPA member exclusive)