Completing a risk assessment that conforms to audit standards is a critical foundation for delivering a quality audit for clients. Standards evolve constantly, and firms are challenged to adjust risk assessment processes to ensure audits conform.
According to the AICPA, problems with risk assessment continue to be a top reason for nonconforming engagements. In fact, 25% of peer review Matters for Further Consideration (MFCs) in the most recent cycle were related to AU-C 315, and another 16% of MFCs were related to AU-C 330.
Recently, Jason Miller, Partner at Anglin Reichman Armstrong, and Carl Mayes, Senior Director of Audit and Accounting Quality at the AICPA, presented a webinar with Wolters Kluwer’s Andrea Hearn. They discussed trends in audit quality revealed in peer reviews and gave advice to firms seeking to improve their risk assessment process.
Here are their tips to avoid common risk assessment errors.
1. Understand the client’s internal controls
Auditors need to understand both the design and implementation of internal controls. Yes, getting a process narrative from the client is good. However, auditors need to focus on the key controls and walk through a transaction to fully understand the implementation of those key controls. Make sure to document the transaction and what was observed.
Even if the client has not made changes to internal controls in the last year, obtaining an understanding of the design and implementation of internal controls must be part of the risk assessment and audit planning process. Auditors must document running a transaction through the existing key controls and confirming that the initial risk assessment is still valid. If the auditor notices differences in the controls, the controls must be reevaluated with updates to the risk assessment and plan.
2. Address significant risks in your audit plan
Firms can improve audit quality and peer review results by having a solid, risk-based methodology embedded into the audit planning process. When firms deploy integrated engagement management, audit planning, and analytics solutions, auditors can continuously update their understanding of clients and their risks.
For example, Wolters Kluwer’s Integrated Audit Approach empowers auditors to exercise their professional judgment throughout the audit by updating, editing, or adding risks throughout the entire engagement and then choosing program steps to address each risk. Audit diagnostics help ensure risks are addressed appropriately.
3. Link risks to further procedures
Use an audit tool that carefully documents good linkages between risks and procedures. Linkage is required at the relevant assertion level, and it needs to start from the planning document. Too often, peer reviewers see an auditor identify areas of significant risk but then fail to test large enough samples—leading to under-auditing. Alternatively, auditors judge the risk as low, but then perform more procedures than necessary—lowering the realization on the audit through over-auditing.
When auditors reach their conclusions, it should be obvious to peer reviewers that auditors focused more testing on, and more deeply examined, areas of significant risk than areas of low risk.
4. Remember the re-performance standard
When completing the risk assessment, audit plan, and documentation, remain mindful of the re-performance standard. Peer reviewers must be capable of re-performing the audit and reaching the same conclusions, using the audit plan and documentation. When speaking with people, note the name and date on the workpaper or commentary. There should be no need to ask the original auditor questions—no relevant information should be missing from the audit.
Firms can implement audit best practices by having senior auditors or partners review audit documentation.
5. Start preparing early for SAS No. 145
Last fall, the AICPA’s Accounting Standards Board (ASB) issued SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. SAS 145 supersedes SAS 122, Clarification and Recodification, section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and amends various AU-C sections in AICPA Professional Standards.
The new standard is designed to increase auditors’ focus on risk-based auditing. The ASB notes, “SAS No. 145 does not fundamentally change the key concepts underpinning audit risk, which is a function of the risks of material misstatement and detection risk. Rather, SAS No. 145 clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.”
SAS 145 changes some terminology around risk assessment and brings additional clarification. For example, there is new guidance around the definition of relevant assertions and reasonable possibility of material misstatement. The standard uses the concept of a spectrum of inherent risk to shape auditors’ mindset during risk assessment. The standard introduces concepts such as inherent risk factors that include complexity, subjectivity, change, and uncertainty.
Many auditors have already approached risk assessment from a low-medium-high risk mentality. Now auditors will shift their mindset toward a risk spectrum, with the risk of material misstatement occurring when the assessment of inherent risk is close to the upper end of the spectrum, a very high risk. These significant risks require more work than risks lower on the spectrum.
SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023; however, early implementation is permitted.
Carl Mayes and Jason Miller both advise firms to begin learning and thinking about the new SAS 145 standard well ahead of the implementation deadline.
6. Use AICPA resources to double-check risk assessment conformity
The AICPA has created a number of excellent tools and aids, available to members, for improving risk assessment.
Jason Miller recommends firms run through the Peer Review Program Manuals’ Peer Review Checklists when new standards come out to ensure all conforming changes are built into the firm’s audit methodology. There are checklists addressing SAS 134 through 139 changes, Topic 606, and Leases.
Carl Mayes noted a new Audit Risk Assessment Guide is under development and will be available later this year. It will provide practical guidance about risk assessment, including how to apply the new SAS 145 standard in different scenarios. Check the AICPA’s Audit Risk Assessment resources for the guide.