What We’ve Uncovered… About the Risk Assessment Standards

When performing peer reviews, reviewers document the areas in which firms struggle to comply with professional standards. The AICPA Peer Review Team compiles and periodically communicates these common areas of noncompliance so that other firms won’t make the same mistakes. This is just one of the many ways in which peer review benefits the profession.

Over the past few months, peer reviewers have reported that firms failed to properly assess risk and properly document IT risk assessments. Some of the most common areas of noncompliance with the risk assessment standards are listed below, along with some advice to help your firm prevent the same mistakes.

Risk Assessment Standards

The purpose of the risk assessment standards is to identify and assess the risks of material misstatement—due to fraud or error—at the financial statement and relevant assertion levels. The risk assessment should provide an understanding of the entity and its environment, including the entity’s internal controls. It should also act as a basis for designing and implementing substantive audit procedures.

Common Areas of Noncompliance

Peer reviewers have identified the following as the most common areas of noncompliance with the risk assessment standards:

  • Failure to assess risk at the assertion level. A relevant assertion is a financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated.
  • Failure to obtain an understanding of the internal control environment. Peer reviewers have noted instances where reviewed firms are assessing control risk, and thereby the risk of material misstatement, at the maximum level in order to avoid documenting the auditee’s internal controls.
  • Failure to complete or document an IT risk assessment. Peer reviewers continue to find either incomplete IT risk assessment documentation or an entire lack of documentation. This finding usually coincides with failure to document the auditee’s control environment and internal controls.

While these areas of noncompliance are the most common, others include failure to update language in engagement letters, failure to identify revenue recognition as a fraud risk and failure to document client acceptance and continuance procedures.

Ways to Help Prevent the Same Mistakes

Peer reviewers say your firm should:

  • focus on recently issued standards;
  • assign experienced staff to educate newer staff about the risk assessment standards; and
  • adopt a memorandum template to more effectively document risk assessment procedures.

For an in-depth explanation of the most common areas of noncompliance and how your firm can avoid the same mistakes, check out this video that features LaShaun King, CPA, Technical Manager with the AICPA Peer Review Team.

In addition, you may find the AICPA’s award-winning Audit Risk Assessment Tool to be a helpful resource when performing risk assessments. It is designed to walk an experienced auditor through the risk assessment procedures and to document the decisions necessary to prepare an effective and efficient audit program.

What methods does your firm use to assess risks?

James Brackens, CPA, CGMA, Vice President – Ethics and Practice Quality, American Institute of CPAs.