How do you assess the risk of material misstatement? How do you know when to assess inherent risk at high (or low)? Can you assess control risk at high for all assertions? What are significant risks? These are common questions about the risk assessment process.
Today we’ll discuss how auditors assess and document risk. We’ll cover:
- Financial statement level risk
- Transaction level risk
- Risk of material misstatement
- Inherent risk
- Control risk
Understanding these concepts will put money in your pocket and will result in higher quality audits.
Financial Statement Level Risk
Before picking our audit team, we need a general understanding of the entity.
We must understand the business and its control environment to determine risks at the financial statement level (I think of this as the overall risk). The overall risk will dictate our broader responses such as who the audit team will be.
Consider whether the entity has:
- Complex transactions
- Related party transactions
- New accounting pronouncements
- Profit pressures
- Problem vendor relationships
- Going concern issues
- Potential debt covenant violations
- Cash flow problems
We also need to consider the risk of management override. This threat is always a possibility. If management is playing on the edges, consider how you will add muscle and insight to your audit team—or whether you should even perform the engagement.
Keep this thought in mind when considering financial statement level risk assessment: greater overall threats call for a stronger audit team.
Transaction Level Risks
In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries, and planning analytics. The information gained from those steps is the basis for assessing risk at the transaction level.
Should the transaction risk assessment be performed at the assertion level or for the transaction cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be documented.
If we assess our risk of material misstatement at high for payables (as a whole), what are we saying? That further audit procedures are necessary for all assertions. If we assess risk at high for all payable assertions, and we don’t perform audit procedures in response to the (high) risk assessment, we create an incongruity. We are saying that risk is high for all assertions, but our responses don’t agree.
Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically proposed significant journal entries to record additional payables, maybe the risk of material misstatement for the completeness assertion is high. Our audit procedures will include a search for unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit standards refer to as linkage). The remaining accounts payable assertions could possibly be assessed at low.
Risk of Material Misstatement
We can express the risk of material misstatement (RMM) as:
RMM = Inherent Risk X Control Risk
While audit standards don’t require that we assess inherent risk and control risk separately, it’s helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.
So what is inherent risk? My simple definition is the risk that exists when no controls are present. (We are not saying controls don’t exist, just that we are disregarding them as we measure inherent risk.)
Inherent risk can be a function of:
- The complexity of the transaction (e.g., derivatives are harder to understand)
- The nature of the financial statement item (e.g., cash is liquid and subject to theft)
- The experience and knowledge of the client’s accounting personnel
- Past audit issues in the area
- The volume of transactions
As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur assuming there are no related controls?”
Some areas are so risky that the audit standards refer to them as significant risks. These areas require special audit consideration. Significant risks relate to transactions that are complex, nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to complexity—demands extra scrutiny. The inherent risk in such areas will always be high.
Now, let’s marry inherent risk with control risk so we can determine our risk of material misstatement.
For audits of smaller entities, control risk is often assessed at high—across the board. Why? To save time. While control risk can’t be assessed at high before performing our risk assessment procedures, we can do so afterward.
Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures are still required.)
If control risk is assessed at less than high, the auditor is required to test controls to support the lower risk assessment. It may be more economical to perform substantive procedures rather than testing controls. We might, for example, be able to vouch all of the additions to property and equipment in less time than it takes to test the related controls. If this is true, we will opt to use a substantive approach (vouching all significant additions to invoices), and we will assess control risk at high.
Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is low—even if your control risk is high. How? Consider the following equation.
Risk of Material Misstatement Formula
IR (low) X CR (high) = RMM (low or moderate)
What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also, you may not need to perform any substantive procedures–depending on your final RMM for the area.
As an example of how this works, think about a low inherent risk assessment regarding plant, property, and equipment.
- What’s the inherent risk related to the existence of your client’s main office building? Low.
- If your client has no controls related to the existence of the building, would the lack of controls have any bearing on the overall RMM? No.
- Do you need to test any controls? No.
- Do you need to perform any substantive procedures? No.
- Do you need any substantive audit steps (concerning the building) in your audit program? Probably not. The RMM is low, so you don’t need to do anything (other than document your risk assessment).
Call to Action
Consider reviewing your risk assessments, and see if some of the inherent risk assessments will allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.
This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.
If you have suggestions for other posts, please leave a comment with your idea. Thanks.