How auditors assess and respond to risks of material misstatement in the financial statements, including the risk of fraud, is a critical component of audit quality.
New research supported by the AICPA’s Assurance Research Advisory Group provides analysis about auditor risk assessment and response processes based on engagement teams’ real-world experiences with their clients.
The research was performed by:
Susan Albring, Ph.D., an associate professor at the Joseph I. Lubin School of Accounting at Syracuse University; Mark Beasley, CPA, Ph.D., a professor of accounting at North Carolina State University; and Omar Watts, Ph.D., an assistant professor of accounting at St. John Fisher College.
Using anonymous surveys, data was collected from 21 audit firms on their risk assessment process and related audit responses. There were 41 participants from national firms and 42 participants from regional firms. All were experienced audit professionals at various levels within their firms, and the audit engagements covered by their results were for-profit entities that varied in size and industry.
The survey participants were first asked about their process for conducting engagement team discussions about fraud risks and other risks of material misstatements. Process questions covered timing, frequency, whether the risk discussions were held separately or on a combined basis, and the participants.
The results showed that most of those surveyed combined their risk discussions, and most spent about 90 minutes on the combined discussion. Almost all the firms met only once or twice. Most of the discussions were led by engagement team managers or partners and did not include specialists. Ninety percent of fraud risks and 87% of the other risks of material misstatement were identified during the initial planning phase of the audit.
The participants were asked to recall in detail up to two risks identified in a recently completed audit engagement, including a fraud risk or other significant risk. They provided detailed information about each of the risks and the engagement team’s responses to those risks.
The study included an analysis of 81 fraud risks and 76 other risks of material misstatement. The risk areas most reported were revenue recognition (42), management override (30), investment valuation (17), and inventory valuation (16). Almost all the risks identified were previously identified in the prior-year audit.
Just 41% of the respondents changed their overall audit approach in response to risks noted. The survey also addressed linkage of internal controls to identified risks, substantive procedures performed in response to the risks, and the impact of identified risks on the financial statements.
The researchers answered questions about their research and findings in a Q&A session with the JofA. This is an edited version of that conversation.
Why did you decide to focus on the auditor’s risk assessment for your research?
Watts: We were motivated by the opportunity to provide new and relevant real-world insights into the risk assessment process, which is a key component of audit quality. Although risk assessment is a critical component of audit planning, we do not have a lot of deep insights into what actually takes place other than as it relates to fraud risk. Previous research has been largely focused on fraud risk, and significant risks other than fraud have been largely ignored. A lot of the prior research we do have is based on experimental evidence, which may not fully align with what actually happens in the real world. We hope our work will facilitate a more informed understanding of the risk assessment process.
Beasley: This study gave us some real audit engagement data on how auditors respond to risks at a much more granular level. Some of the other research that was done was before the risk assessment standards had the concept of significant risks, so this brings our analysis into the current environment.
How did you define audit quality so you’d know what the goal was?
Beasley: In the context of this study, we looked at it in two ways. First, we looked at what auditors did and benchmarked it against whether they were in compliance with professional standards. Second, we looked at the risk assessment process and whether it ultimately results in detection of material misstatements and significant audit adjustments.
Can you describe the phases of your research?
Albring: There were three phases. Phase I gathered data about the risk assessment process in practice, based on partners and managers from 21 accounting firms (nine national and 12 regional firms) taking part in an anonymous survey, resulting in 83 responses. Phase II analyzed how risks were identified and assessed in the planning phase, looking at the nature of the risks identified. And Phase III analyzed auditors’ responses to particular risks in recent engagements.
Beasley: We were interested to learn about the input to the process. The level of engagement came from senior levels of the engagement team, the majority being partners followed by senior managers. Each of the 83 responses represented an individual engagement, coming from both national and regional firms. The input included a mixture of industries. Most of the auditees were small to medium-size businesses, under $500 million in revenues, which, although not Fortune 100 companies, are good-size, complex engagements.
What did you learn in terms of the results?
Watts: Most of the respondents (86%) discussed fraud risks in a combined way with other risks of material misstatements. When they held separate discussions, they spent more time discussing other risks of material misstatements. The engagement partner led the brainstorming meeting about 40% of the time, and these were usually larger clients. What was interesting is that when the partner led the discussion, the identified risks were slightly lower. This result might reflect partners being more grounded in what truly is a risk, along with engagement teams having potentially less willingness to brainstorm about risks when a partner is there.
Albring: The survey showed 41% of auditors changed their audit approach in response to identified risks, including increased supervision, adding more experienced staff, expanding substantive procedures, and increasing elements of unpredictability. When looking at the type of risks separately, we found that in response to fraud risks, engagement teams were more likely to add elements of unpredictability, and in response to other risks of material misstatement, they were more likely to add experienced personnel.
Beasley: The overwhelming primary response to risk was on the personnel side, more than changing procedures. Most of the risks were identified during the planning phase. A high percentage was identified in prior years, and the nature of the audit strategy did not change much.
It causes you to pause a little bit. You wonder if auditors are lulled into their routine approach and thinking, “It may be a risk, but since it’s never been a problem, keep moving,” versus keeping it fresh all the time. I encourage the practice to be creative in thinking about risks, implement technology, and consider new risks every year, particularly in the current COVID-19 environment.
Watts: There is a constant debate about risk response and increasing sample sizes to deal with extent, rather than nature and timing. The findings were that overall, most auditors added more personnel and expanded their substantive procedures in response to risks. But there was a difference in where they placed their emphasis based on the type of risk, with more substantive procedures added for fraud risks.
Beasley: In the area of internal controls and risks, almost all (90%) controls identified as relevant to the noted risks were manual controls. For each of the identified risks, we asked whether their concern was a specific assertion or at the overall financial statement level. Fifty-seven percent of the risks identified were assessed to have impact at the overall financial statement level. There were two primary reasons: revenue recognition affecting multiple accounts and management override.
I can see why manual controls are relevant to management override, but it also raises concerns because manual controls can be overridden. They are worried about management override but are planning to rely on manual controls. This creates a dilemma for the auditor when determining whether or not they should rely on the manual control as part of their audit strategy. For example, management review of budget versus actual results is a good detective manual control, but management can perpetrate fraud and manipulate the internal control.
Watts: While they identified controls for about 70% of the risks they identified, they only planned to rely on the controls for 30% of them. They are doing the process of linking controls to risks identified as called for by the standards, but once that linkage is made, they are not choosing to place reliance on those controls. Maybe it’s because of their concern about management override of controls.
For those controls relied on, it was usually for a repeat engagement or a risk that existed in the prior year, not for a new engagement or a new risk. They performed walk-throughs but only tested 18 out of 27 controls they planned to rely on. The information from the walk-through suggested to them they shouldn’t go any further. It’s something about the quality of the controls.
Beasley: And linking it back to the overarching concern about management override seems to be part of the filtering and explanation of their substantive approach.
Watts: Another thing I found interesting is that out of the 18 controls tested, 15 controls were concluded to be effective and for the other three the auditors failed to reach a conclusion, rather than that the controls failed. We don’t want to infer too much because we don’t have more information to suggest why those were their conclusions and didn’t ask them to justify their positions.
Beasley: There were a high number of risk findings relating to revenue and receivables. I link that to the fact that over time, the standards emphasize revenue recognition as a high fraud risk and auditors affirm they need to look at this area. I would have been surprised if this hadn’t been mentioned. The new revenue recognition standard could accelerate this.
Watts: It does show that standards can drive auditor focus. I also want to mention that analytics only as a test were performed for 11% of identified risks tested substantively. I know there is a focus on improving reliance on analytics in audits, so I wanted to mention this datapoint.
Beasley: When you look at the audit standards, auditors must do substantive procedures for every significant risk at the assertion level, but the literature is somewhat silent if there is an overarching financial statement risk. At the assertion level, AU-C 330 [Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained] states you must at least do tests of details and not just analytics. For the 11% that only did substantive analytics and not tests of details, it is possible that some of the risks were at the financial statement level where tests of details were not required.
If I were trying to coach practitioners, I’d say when you think about the response to a significant risk, ideally you’d find if there is a control to address it. We didn’t see them relying on those kinds of controls much. If you need to do a substantive procedure and if it’s at the assertion level, it should be designed as a test of detail and not just analytics. There is an emphasis now on data analytics and that world is changing, but I’m not so sure that is happening here.
Do you envision that the results of your research will have an impact on standards? Is it something that standard setters should be looking at?
Beasley: The overarching results of the data is that those surveyed are following the standards, which is a good story. Compliance is there and having an impact. My take is that I’m not seeing the need for a drastic change in requirements of standards, but instead adding more in the way of application guidance and reminders of things to be thinking about. The survey results’ theme was the vast majority of risks were being identified in prior years and there was not much change in strategy or audit approach from prior-year engagements. This makes some sense, and it’s not wrong. But there should be more reminders and encouragement from standard setters to think critically about risks, keep thinking fresh, and not quickly default to what you feel comfortable with.
Watts: I would agree. In those surveyed, most of the risks were identified in the planning phase. It’s possible they planned really well and figured it out early. But the standards do require auditors to be vigilant throughout the audit. So is this what we should see? Perhaps, but if I’m a standard setter, these results would serve as a basis to remind engagement teams to remain vigilant.
We also saw auditors identify controls because they were supposed to but not plan to rely on them. We did not see noncompliance, but there is an opportunity to place emphasis on some key areas.
Beasley: In 2020, technology impacts everything, including the financial reporting process. It is a little surprising we are not seeing more strategies linked to the reliance and testing of controls. There could be a missed opportunity for audit effectiveness and efficiency. They are getting an understanding of controls for most of the risks, but then the number they plan to rely on drops way down. Are they really not relying on those controls? There is a little fuzziness in the standards on linking risks to controls that we can spotlight to enhance the process. On the positive side, for 154 out of 156 risks, they performed substantive procedures in response to risks identified.
Watts: If you think about it from the perspective of the standards, if you identify a control and test it alone but don’t perform substantive tests, you wouldn’t be done. So are we surprised to see what we see? An observation could be that auditors could be bypassing the test of controls and going right to substantive procedures.
What would your advice be to firm leaders after going through your research and finding what you found?
Beasley: I’ve always been an advocate of brainstorming conversations at the engagement team level. The majority of those surveyed combined fraud risk and other risk discussions into one session, but they are covered by different standards. This may be more efficient, but there is real value in explicitly drawing attention to fraud risks separately and setting a mindset of skepticism.
Brainstorming meetings are really important for 2020 audits because there is so much risk potential. If we conducted this survey in March next year, I would like to believe a whole new set of risks would be identified.
Watts: If the majority of a client’s controls are manual and subject to override, shouldn’t auditors be discussing with clients the maturity of their internal controls? Even if they are not relying on them, controls can manage the risk of material misstatements if working effectively. It is surprising to see so many manual controls because getting technology into controls and more automated controls or IT-dependent manual controls was started a long time ago. Auditors can push this, and standard setters can help move this forward in their communications.
How can your findings affect audit quality going forward?
Beasley: The profession has an opportunity to rethink the risk assessment process, which is so critical and should not be taken lightly. The message is that the profession seems to be doing what it should be based on the existing audit standards, but there is value in going beyond what the standards require. We encourage firms to invest in a more thorough and robust risk assessment process to improve audit quality.
— Maria L. Murphy, CPA, is a freelance writer based in North Carolina. To comment on this article or to submit an idea for another article, contact Kenneth Tysiac, the JofA’s editorial director, at Kenneth.Tysiac@aicpa-cima.com.