You’ve performed your risk assessment procedures, and now it’s time to consider the information you’ve obtained. What are your walkthroughs telling you? Are any variances in your planning analytics begging for attention? What about your fraud inquiries? Are they pointing you in a particular direction?
Now that you see the weaknesses in controls, and you know where your client is most likely to make mistakes, you can plan to address those areas where the risk of material misstatement is most likely to occur.
But before we plan, we need to brainstorm.
Section 315 of the audit standards requires a discussion among the key engagement team members, including the engagement partner. This discussion is to include an exchange of ideas, often referred to as brainstorming, about where the financial statements might possess a risk of material misstatement due to fraud.
So when should the brainstorming session occur? Logically the “exchange of ideas” follows your risk assessment procedures.
The overall audit sequence is as follows:
- We gather information using risk assessment procedures
- We discuss the identified risk
- We plan our responses
In military battles, soldiers do this same thing. The army sends reconnaissance troops to check the lay of the land and to see where the enemy might lie. Why? To determine how the infantry can move forward most effectively and with the least risk. So soldiers gather information (risk assessment) prior to discussing how to respond (brainstorming). The discussion leads to a battle plan (in our world, the audit plan).
Can you imagine soldiers going into battle without surveying the land and discussing the plan of attack? Yet this is what auditors do when we default to a standard audit program. Continuing with the battle analogy, does it make sense to use the same battle plan for every encounter? (We have met the enemy, and he is us.)
Once we discuss the entity’s risks, we know what our greatest threats are.
In my last post, I provided an example internal control weakness identified in a walkthrough of accounts payable:
Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have checks sent to that vendor without anyone else’s involvement.
What’s the threat? Judy can create a fictitious vendor and send checks to herself or an accomplice.
And what can we do about the risk?
We can print a list of vendors added during the last year and have another person review the list for appropriateness. That other person might be the owner of a small business, a board member in a nonprofit, or the purchasing director in a government. We want a person in the know to review the list for improprieties. Alternatively, we can data mine the vendor addresses for a match with Judy’s home address. There are many ways to address this threat, but my point here is that we need to link our procedures with our identified risk.
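Here is one way to run both procedures over a vendor master file export, as an added example that is not part of the original post. The field names, the abbreviation list and the sample records are constructed for illustration; only the clerk's name comes from the walkthrough above.

```python
import re
from datetime import date

# Partial abbreviation list (an assumption) so "Street" and "St." compare equal.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "boulevard": "blvd", "lane": "ln", "apartment": "apt", "suite": "ste"}
UNIT_WORDS = {"apt", "ste", "unit"}

def normalize(addr):
    """Lowercase, strip punctuation and abbreviate so formatting does not hide a match."""
    tokens = re.sub(r"[^a-z0-9\s]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def street_key(addr):
    """House number and street only, so adding 'Suite 2' to a home address still matches."""
    kept = []
    for token in normalize(addr).split():
        if token in UNIT_WORDS:
            break
        kept.append(token)
    return " ".join(kept)

def review_vendors(vendors, employees, as_of, lookback_days=365):
    """Return (ids of vendors added in the lookback window, (vendor id, employee) matches)."""
    homes = {(street_key(e["street"]), e["zip"][:5]): e["name"] for e in employees}
    new_vendors, matches = [], []
    for v in vendors:
        if (as_of - v["added"]).days <= lookback_days:
            new_vendors.append(v["id"])  # goes on the list for the independent reviewer
        employee = homes.get((street_key(v["street"]), v["zip"][:5]))
        if employee:
            matches.append((v["id"], employee))
    return new_vendors, matches

# Constructed sample data, not real records.
VENDORS = [
    {"id": "V100", "street": "500 Industrial Blvd", "zip": "30301", "added": date(2019, 3, 1)},
    {"id": "V231", "street": "123 Oak St., Suite 2", "zip": "30305-1234", "added": date(2023, 11, 15)},
    {"id": "V232", "street": "123 Oak Street", "zip": "30310", "added": date(2023, 8, 2)},
]
EMPLOYEES = [{"name": "Judy Jones", "street": "123 Oak Street, Apt. 4", "zip": "30305"}]

if __name__ == "__main__":
    new_ids, hits = review_vendors(VENDORS, EMPLOYEES, as_of=date(2023, 12, 31))
    print("Added in the last year:", new_ids)
    print("Vendor address matches an employee home address:", hits)
```

A match is a lead for inquiry, not a conclusion: V232 shares the street name but not the ZIP code, so it stays off the match list while still appearing on the new-vendor list for review.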
Think of the risk assessment process in the following manner:
- We perform risk assessment procedures
- We assess our risks
- We create responses to the identified risks
If we don’t perform risk assessment procedures such as walkthroughs, we may not be aware of risks. If we don’t assess our risks, we may not know what threats are most important. And if we don’t create responses (alter our standard audit plan), then what’s the point of risk assessment? (Surely not to please our peer reviewer.)
Auditing is a holistic art, not a science. Are there formulas? Yes, but if we audit in a formulaic manner (alone), we will miss critical pieces in developing our audit plan. Practice aids (forms) can’t think for us. So I encourage you to use your audit forms, but at some stage, it is good to push them aside and ask:
- Am I connecting the dots (understanding the client and the risks inherent in their accounting system)?
- Am I determining which risks are most threatening?
- Am I creating responses that sufficiently reduce the risk of material misstatement?
My Next Post
Well, we’ve covered much of the risk assessment process, but I still want to take a deeper dive concerning assessing risk at the assertion level and the financial statement level. I’ll do that in my next post in this series.
What can you take away from the above post? Think about your last three audits. After you performed your risk assessment procedures, consider how you altered your audit plan. Do you feel like there is an appropriate linkage between your risk assessment procedures and your audit plan? Are there ways to improve the process?