Are auditors who see audit risk assessment as a waste of time leaving money on the table? Could this be a cause of lower profit realizations?
Audit Risk Assessment as a Friend
Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t? This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment is the doorway to maximum impact with minimal effort.
So, why do some auditors avoid audit risk assessment? Here are two reasons:
- We don’t understand it
- We’d rather continue doing what we’ve always done
Too often auditors keep doing the same as last year (commonly referred to as SALY), no matter what. It’s more comfortable than using risk assessment. But what if SALY is faulty or inefficient? Or what if the “tried and true” has blind spots? Maybe it’s better to assess risk annually and to plan our work based on present conditions.
The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:
1. Determine the risks of material misstatements (plan our work)
2. Develop a plan to address those risks (plan our work)
3. Perform substantive procedures (work our plan)
4. Issue an opinion (the result of planning our work and working our plan)
Auditors sometimes go directly to step 3 and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1 is created “because we have to.” In other words, we work backward. So, how can we work appropriately?
A Better Way
Audit standards—in the risk assessment process—call us to do the following:
1. Understand the entity and its environment
2. Understand the transaction level controls
3. Use planning analytics to identify risk
4. Perform fraud risk analysis
5. Assess risk
While we may not complete these steps in order, we do need to perform our risk assessment procedures first (steps 1 through 4) and then assess risk as a result. Okay, so what procedures should we use to carry out the risk assessment process?
Audit Risk Assessment Procedures
AU-C 315.06 states:
The risk assessment procedures should include the following:
a. Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor’s professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
b. Analytical procedures
c. Observation and inspection
I like to think of risk assessment procedures as tools, all used to sift through information and aid in the identification of risk.
Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same. First, we need to understand the entity and its environment.
Understand the Entity and Its Environment
The audit standards require that we understand the entity and its environment.
I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk.
I want to know what the owners and management think and feel. The visceral is a flashing light saying, “Important!” Every business leader worries about something. And understanding the source of those worries illuminates risk.
Think of risks as threats to objectives. Your client’s fears tell you what the objectives and threats are. Worries shine the light on threats to objectives.
To understand the entity and its related threats, ask questions such as:
- How is the industry faring?
- Are there any new competitive pressures or opportunities?
- Have key vendor relationships changed?
- Can the company obtain necessary knowledge or products?
- Are there pricing pressures?
- How strong is the company’s cash flow?
- Has the company met its debt obligations?
- Is the company increasing in market share?
- Who are your key personnel and why are they important?
- What is the company’s strategy?
- Do you have any related party transactions?
As with all risks, we respond based on their severity. The higher the risk, the greater the response. We’ll respond to risks at these levels:
- Financial statement level
- Transaction level
Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements. Specific responses to risk occur at the transaction level, such as a search for unrecorded liabilities.
Understand the Transaction Level Controls
We must do more than just understand transaction flows; we need to understand the related controls. So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.
The use of walkthroughs is probably the best way to understand internal controls. As you perform your walkthroughs, you are asking questions such as:
- Who signs checks?
- Who has access to checks (or electronic payment ability)?
- Who approves payments?
- Who initiates purchases?
- Who can open and close bank accounts?
- Who posts payments?
- What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
- Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
- Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
- Who creates expense reports and who reviews them?
- Who bills clients? In what form (paper or electronic)?
- Who opens the mail?
- Who receipts monies?
- Are there electronic payments?
- Who receives cash onsite and where?
- Who has credit cards? What are the spending limits?
- Who makes deposits (and how)?
- Who keys the receipts into the software?
- What revenue reports are created and reviewed? Who reviews them?
- Who creates the monthly financial statements? Who receives them?
- Are there any outside parties that receive financial statements? Who are they?
Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. A lack of controls threatens this objective.
So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions; and—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders. This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.
Another significant risk identification tool is the use of planning analytics.
Use planning analytics to shine the light on risks. How? I like to use:
- Multiple-year comparisons of key numbers (at least three years, if possible)
- Key ratios
In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason they are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)
Sometimes, unexplained variations in the numbers are evidence of fraud.
In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?
Also, we should plan procedures related to:
- Management override of controls, and
- The intentional overstatement of revenues
My next blog post—in this series—addresses fraud risk, so this is all I will say about theft for now. Sometimes the greater risk is not fraud but errors.
Same Old Errors
Have you ever noticed that some clients make the same mistakes—every year? They are usually smaller clients. In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).
One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look for potential errors.
Now it’s time to pull all of the above information together.
Creating the Risk Picture
Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image. We are—at this point—bringing the information into one distilled risk snapshot. What are we bringing together? Here are examples:
- Control weaknesses
- Unexpected variances in significant numbers
- Entity risk characteristics (e.g., level of competition)
- Large related-party transactions
- Occurrences of theft
Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). We are focusing these plans on the areas where the risk of material misstatement is highest.
How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.
Assess the Risk of Material Misstatement
Understanding the RMM formula is key to identifying high-risk areas.
What is the RMM formula?
Put simply, it is:
Risk of Material Misstatement = Inherent Risk X Control Risk
Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.
Once we have completed our risk assessment process, control risk can be assessed as high, simply as an efficiency decision (we then rely on substantive procedures rather than testing controls).
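As an added illustration (not code from the original post) of the planning analytics described earlier and the RMM formula just above, the following Python builds three-year comparisons and key ratios from constructed figures, flags variances above an assumed 10% threshold, and ranks audit areas by Inherent Risk x Control Risk. The figures, the threshold, the 0-to-1 risk scale, and the area names are all assumptions made for the example.

```python
"""Planning analytics and RMM ranking. Sample figures, the 10% threshold and
the 0-to-1 risk scale are constructed for illustration, not audit standards."""

# Constructed sample: three years of key numbers for a hypothetical client
FIGURES = {
    "revenue":        {2021: 1_000_000, 2022: 1_050_000, 2023: 1_400_000},
    "cost_of_sales":  {2021: 600_000,   2022: 640_000,   2023: 700_000},
    "receivables":    {2021: 120_000,   2022: 125_000,   2023: 260_000},
    "current_assets": {2021: 300_000,   2022: 310_000,   2023: 450_000},
    "current_liabs":  {2021: 150_000,   2022: 155_000,   2023: 160_000},
}

def key_ratios(figures, year):
    """Management-style metrics for one year: gross margin, current ratio,
    and receivables as a share of revenue."""
    f = {name: vals[year] for name, vals in figures.items()}
    return {
        "gross_margin": (f["revenue"] - f["cost_of_sales"]) / f["revenue"],
        "current_ratio": f["current_assets"] / f["current_liabs"],
        "receivables_to_revenue": f["receivables"] / f["revenue"],
    }

def flag_variances(figures, threshold=0.10):
    """Multi-year comparison: compare every figure and ratio with the prior
    year and return (name, year, change) for moves beyond the threshold."""
    years = sorted(next(iter(figures.values())))
    series = {name: dict(vals) for name, vals in figures.items()}
    for year in years:                      # add the ratios as extra series
        for name, value in key_ratios(figures, year).items():
            series.setdefault(name, {})[year] = value
    flags = []
    for name, vals in series.items():
        for prev, cur in zip(years, years[1:]):
            change = (vals[cur] - vals[prev]) / vals[prev]
            if abs(change) > threshold:     # unexpected variance: follow up
                flags.append((name, cur, round(change, 3)))
    return flags

def rmm(inherent_risk, control_risk):
    """Risk of Material Misstatement = Inherent Risk x Control Risk."""
    return inherent_risk * control_risk

def rank_areas(ratings):
    """ratings: {area: (inherent, control)}; highest RMM first."""
    return sorted(ratings, key=lambda area: rmm(*ratings[area]), reverse=True)

# Constructed ratings; control risk of 1.0 is "assessed as high" for efficiency
RATINGS = {"revenue": (0.9, 1.0), "receivables": (0.8, 0.7),
           "payables": (0.5, 1.0), "fixed_assets": (0.3, 0.5)}
```

Running `flag_variances(FIGURES)` points at the 2023 jump in revenue, receivables and the related ratios, which is exactly the kind of unexplained variation the post says to investigate.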
The Input and Output
The inputs in audit planning include all of the above audit risk assessment procedures.
The outputs (sometimes called linkage) of the audit risk assessment process are:
- Audit strategy
- Audit plan (audit programs)
We tailor the strategy and plan according to the risk assessment.
In a nutshell, we identify risks and then respond to them.
Next in the Series
In my next post in this series, we’ll take a look at the why and how of fraud auditing. So, stay tuned. If you haven’t subscribed to my blog, consider doing so.