Why assess audit risk? So you don’t get lost in the woods
Picture this: You’ve finally made it through busy season. You’ve booked a family trip to a remote cabin in the mountains to unplug and relax. Your out-of-office message has been turned on and you’ve planned plenty of outdoorsy activities for you and your family. You’ve written out a packing list and checked off every item: Clothes? Check. Hiking boots? Check. Bug spray? Check. Snacks and entertainment to ward off your kids’ boredom- and hunger-related complaints during the long car ride? Check.
The car’s all packed, everyone’s buckled in and your GPS is set up on the dashboard. Now that you’re ready to embark on a journey to the middle of nowhere, you reach for your GPS…
…and throw it out the window.
Probably not the best way to get where you need to go, right?
Even if you’re too proud to ask for directions on a road trip, planning your audit should be a different story.
Why does risk assessment matter?
The goals of identifying, assessing and responding to risk are at the core of every audit. Identifying and assessing a client’s specific risks drives the audit procedures you should perform and helps you avoid inefficient over-auditing. Even more seriously, this process helps you avoid a failure to obtain sufficient appropriate audit evidence to support your opinion. Put plainly: Risk assessment is crucial for a quality audit.
However, data collected by the AICPA Peer Review Program in 2016 show that many firms need to improve compliance with AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, or AU-C Section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained.
Many auditors believe they can perform a quality audit without properly considering their client’s risks of material misstatement, but that’s simply not true – and it’s leading to violations of professional standards.
The audit risk model
To understand why risk assessment is so important, we have to start with the audit risk model, displayed below:
Audit risk is the risk that the firm will issue the wrong audit opinion when the financial statements are materially misstated. Our objective as auditors is to reduce audit risk to an acceptably low level. Audit risk is composed of:
- Inherent risk, which is the risk of material misstatement assuming there are no related controls;
- Control risk, which is the risk that the client’s controls will not prevent or detect a material misstatement; and
- Detection risk, which is the risk that the auditor will not detect a material misstatement.
Inherent and control risk combine to form the risk of material misstatement, or RMM. These risks exist independent of the auditor and cannot be reduced through substantive procedures. So, if RMM is moderate or high, how do we reduce audit risk to an acceptably low level? We do this by manipulating the only risk that we can control: detection risk.
Detection risk is influenced by the nature, timing and extent of your audit procedures. For example, if you wanted to reduce detection risk, you might:
- Change the nature of your procedures by vouching transactions instead of performing analytics;
- Alter the timing of your procedures, performing them after year-end instead of during the interim; or
- Increase the extent of your procedures by selecting a larger sample of items for testing.
Without first properly assessing inherent and control risk, you would have no basis for assessing detection risk and no way to plan the nature, timing and extent of your procedures. You might as well be throwing darts blindfolded – or driving aimlessly through the mountains with no map or GPS.
Regardless of the amount of testing you perform, if you don’t identify and assess your client’s specific risks, you’ll fail to comply with Generally Accepted Auditing Standards (GAAS). The result will be what the Peer Review Program calls a “materially non-conforming engagement.”
Peer reviewers are in the process of being retrained on this concept. That means even if your reviewer took a different stance in the past, going forward, engagements that are not built around identifying, assessing and responding to the client’s risks will be considered non-conforming.
Resources to help
Keep an eye out for future blog posts in which we’ll discuss risk assessment and response in further detail. Additionally, the AICPA has a free toolkit at aicpa.org/riskassessment to help you perform more effective risk assessments, appropriately link your risk assessments to your audit procedures and comply with the standards. The toolkit includes resources such as an audit risk assessment tool with accompanying video guides, a staff training workshop, an internal inspection aid and an aid for identifying controls at smaller entities.
Proper risk assessment drives your audit procedures, so it’s crucial to get it right. And when you’re literally driving on your next road trip, don’t toss your GPS out the window when you leave.
Carl R. Mayes Jr., CPA, AICPA Senior Manager—Special Projects, Association of International Certified Professional Accountants