Do you know someone who suffers from risk assessment averseness? Patients with this illness possess an extreme dislike for thinking before acting. They live in the land of the objective: bank confirmations, vouching, and searching for unrecorded liabilities. They disdain the subjective: inquiring about processes, observing segregation of duties, thinking about inherent risk. To them, auditing is science, not art. It’s concrete. You hear them say “that front-of-file stuff is just to make peer reviewers happy.” After all, “there’s work to do.” And they know what to do. It’s all there in the prior year file.
There is only one cure for this thought-borne disease. It’s understanding the advantages of risk assessment and planning.
Audit Risk Model
Let’s start with the audit risk model. How is it defined?
Put simply, it is:
Risk of Material Misstatement = Inherent Risk × Control Risk
This is the framework for gaining an understanding of:
- The entity
- Transaction cycles and account balances
Do I Need to Understand the Entity?
The audit standards require that we understand the entity and its environment. I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk. I want to know what they think and feel. The visceral is a flashing light saying, “Important!” And believe me, every business owner or manager worries about something. Your clients understand their businesses. This is where they live. The wise auditor taps into that knowledge.
Risks can be thought of as threats to objectives. Your client’s fears tell you what the objectives are.
Other questions that can be entertained include:
- How is the industry faring?
- Are there any new competitive pressures?
- Are there any new opportunities?
- Are there any changes in key vendor relationships? Can the company still obtain necessary products?
- Are there pricing pressures?
Now let’s delve into accounting controls.
Do I Have to Understand Controls?
In every audit, we must understand the client’s internal controls. “But my client has no controls.” Really? It is doubtful that a client has no controls. They may have few, but almost every entity has some controls. Here are a few questions to consider:
- Who signs checks?
- Who has access to checks (or electronic payment ability)?
- Who approves payments?
- Who initiates purchases?
- Who can open and close bank accounts?
- Who posts payments?
- What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
- Who receives bank statements? Who opens them? Who has online access? Does anyone review cleared checks for appropriateness?
- Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
- Who creates expense reports? Who reviews them?
- Who bills clients? In what form (paper or electronic)?
- Who opens the mail?
- Who receipts monies?
- Are there electronic payments?
- Who receives cash onsite and where?
- Who has credit cards? What are the spending limits?
- Who makes deposits (and how)?
- Who keys the receipts into the software?
- What revenue reports are created and reviewed? Who reviews them?
- Who creates the monthly financial statements? Who receives them?
- Are there any outside parties that receive financial statements? Who are they?
These are examples of what we need to understand before we plan the audit. Why? Because risk is a function of processes. Understanding informs us. It directs us.
Remember this: Numbers are the narrative.
And this: To change the story, change the figures.
And for auditors: See if the story is true, or if it changed (whether by accident or intentionally).
How do we do this?
We look for indicators of false numbers (false stories). Do the accounting processes allow for false numbers?
As a kid, I once stole five dollars from my father. His internal control of laying his billfold down on his dresser every night did not work well. When he asked who took the money, I changed the story from one of fact to fiction (also known as a white lie). I tried to change the narrative.
My father inquired, but he also observed, and my reaction gave me away.
Auditors are to use the following in performing risk assessments:
Inquiry alone is never sufficient. Combine observation and inspection with inquiries.
And what is the purpose? To know where risks lie.
We’ll pick up here in my next post about risk assessment. Feel free to share this article with those you know who suffer from audit risk assessment averseness. Friends don’t let friends audit without thinking.
What unique risk assessment procedures do you use? Since this is an art, there are myriad ways to gain an understanding of clients and their processes, and I’m always looking to learn more.