How to Perform Audit Risk Assessments

Part 1: Practical steps to performing audit risk assessments

Do you know someone who suffers from risk assessment averseness? Patients with this illness possess an extreme dislike for thinking before acting. They live in the land of the objective: bank confirmations, vouching, and searching for unrecorded liabilities. They disdain the subjective: inquiring about processes, observing segregation of duties, thinking about inherent risk. To them, auditing is science, not art. It’s concrete. You hear them say “that front-of-file stuff is just to make peer reviewers happy.” After all, “there’s work to do.” And they know what to do. It’s all there in the prior year file.

There is only one cure for this thought-borne disease. It’s understanding the advantages of risk assessment and planning.


Audit Risk Model

Let’s start with the audit risk model. How is it defined?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk × Control Risk

This is the framework for gaining an understanding of:

  • The entity
  • Transaction cycles and account balances

Do I Need to Understand the Entity?

The audit standards require that we understand the entity and its environment. I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk. I want to know what they think and feel. The visceral is a flashing light saying, “Important!” And believe me, every business owner or manager worries about something. Your clients understand their businesses. This is where they live. The wise auditor taps into that knowledge.

Risks can be thought of as threats to objectives. Your client’s fears tell you what the objectives are.

Other questions that can be entertained include:

  • How is the industry faring?
  • Are there any new competitive pressures?
  • Are there any new opportunities?
  • Are there any changes in key vendor relationships? Can the company still obtain necessary products?
  • Are there pricing pressures?

Now let’s delve into accounting controls.

Do I Have to Understand Controls?

In every audit, we must understand the client’s internal controls. “But my client has no controls.” Really? It is doubtful that a client has no controls. They may have few, but almost every entity has some controls. Here are a few questions to consider:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives bank statements? Who opens them? Who has online access? Does anyone review cleared checks for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports? Who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

These are examples of what we need to understand before we plan the audit. Why? Because risk is a function of processes. Understanding informs us. It directs us.

Remember this: Numbers are the narrative.

And this: To change the story, change the figures.

And for auditors: See if the story is true, or if it changed (whether by accident or intentionally).

How do we do this?

We look for indicators of false numbers (false stories). Do the accounting processes allow for false numbers?

As a kid, I once stole five dollars from my father. His internal control of laying his billfold down on his dresser every night did not work well. When he asked who took the money, I changed the story from one of fact to fiction (also known as a white lie). I tried to change the narrative.

My father inquired, but he also observed, and my reaction gave me away.

Auditors are to use the following in performing risk assessments:

1. Inquiry

2. Observation

3. Inspection

Inquiry alone is never sufficient. Combine observation and inspection with inquiries.

And what is the purpose? To know where risks lie.

Your Thoughts?

We’ll pick up here in my next post about risk assessment. Feel free to share this article with those you know who suffer from audit risk assessment averseness. Friends don’t let friends audit without thinking.

What unique risk assessment procedures do you use? Since this is an art, there are myriad ways to gain an understanding of clients and their processes, and I’m always looking to learn more.


6 thoughts on “How to Perform Audit Risk Assessments”

  1. This isn’t unique per se, but we rely heavily on our preliminary analytical review. Especially for more sophisticated clients (clients who actually close their books on a monthly basis), this procedure really helps narrow down possible RMMs, and allows us to tailor our audit procedures in advance, rather than on the fly.

    • John, wise choice. I think many auditors don’t give analytical reviews their due. There is much valuable information that can be mined here. Thanks for your comment.

  2. Fraud risk inherently lies in businesses that lack proper segregation of duties. 90% of your control questions border around the “who” of the various business processes. I believe forensic auditors must seek not only to inquire, observe and inspect but additionally to exercise high levels of professional skepticism in performing their audits. I particularly like your note on “Risks can be thought of as threats to objectives. Your client’s fears tell you what the objectives are”. Subtle…yet an important note to sell during client consultations. 😉

    • Onyinye, thanks for your comment. I met with a potential client today and asked him, “if you could wave a magic wand over your business and change one thing, what would it be?” His answer revealed a great deal about the business and their “objectives.” If we get this audit, I will keep his words in mind. Here I can not only consider the implications for the audit, but I can look for ways to solve his problem.

  3. A nice trio of articles. I think the AICPA is woefully behind the times in terms of addressing fraud, and I think they give only cursory attention to the subject. They do the public a disservice with this attitude. They continue to reference Cressey’s very limited work over half a century ago. I actually read Cressey’s book and wrote a fairly damning critique, much of which I shared with the AICPA. It’s posted on my blog if anyone is interested.

    • Dana, I do think it’s time for the AICPA to review the audit standards in reference to fraud. I don’t think we (auditors) are doing enough in this area. Thanks much for your comment and the sharing of your post.