When it comes to “delivering quality audits that result in successful peer review”, there are strategies that firms should consider. We made that statement at the beginning of our “Successful Peer Reviews – Part 1” blog, and it’s worth making again. As mentioned there, this 4-part series is based on a recent Wolters Kluwer panel discussion webinar about successful peer reviews. Industry-expert panelists included:
- Carl Mayes – Senior Technical Manager of Special Projects at the AICPA, and Project Manager for the AICPA’s Enhancing Audit Quality Initiative
- Vincent Gaudiuso – Peer Reviewer and Quality Control Partner at Buchbinder
- Mona Dickerson – National Assurance Director at CohnReznick
In summary, the webinar covered four important issues firms must address regarding peer review. This Part 2 covers “identification of significant risks & responding to significant risks”.
So, let ‘s dive in.
Q: What are the issues most common around assessing significant risk?
Carl: “Significant risk” is the second of the four major areas where we’re seeing problems around:
- AU-C Section 315: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
- AU-C Section 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
Specifically, the problems are identification of significant risks and properly responding to them once they are identified.
Identification of significant risks:
First, “identification of significant risks” is a pervasive common misstep. Let’s take someone I spoke to recently who is unquestionably an expert in the audit space. In her firm, about 50% of their engagements have NO significant risk identified. Notably, that is an indicator of the gravity of the challenges being detected.
Bottom line, every audit should have at least one significant risk!
Furthermore, in terms of identifying significant risks – referencing AU-C 240 paragraph 31 – the AICPA’s stance is that every audit engagement should have a fraud-risk associated with management override. Therefore, you must have at least one significant risk identified on every audit engagement you perform. Otherwise, you have not complied with that requirement.
|AU-C Section 240: Consideration of Fraud in a Financial Statement Audit, paragraph 31
.31 Management is in a unique position to perpetrate fraud because of management’s ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is, nevertheless, present in all entities. Due to the unpredictable way in which such override could occur, it is a risk of material misstatement due to fraud and, thus, a significant risk.
Additionally, AU-C 240 includes a requirement in virtually every engagement for a significant risk around revenue recognition.
So, what is a significant risk?
To continue, it is important to step back and look at what significant risk means to the standard. It means “a risk that requires special audit considerations”. Our former Vice President of Professional Standards at the AICPA, Chuck Landes, uses a good analogy to explain it.
Just imagine. You are buying a house and an inspection is required. So, the inspector comes out and performs a certain set of procedures that inspectors always do. For example, they always check the crawl space, age of the roof, etc. However, if he/she finds a crack in the foundation, then that is a special consideration. At that point, the inspector will perform additional tasks, or do certain tasks in a different way, that are not necessarily done on other inspected houses.
That analogy is the same kind of thing when it comes to significant risks for auditing. We must think about it in THAT same way.
Is it okay to perform similar procedures for similar clients?
Second, regarding “responding to significant risks”, we see folks performing the same procedures that they perform for any other engagement. Again, keeping that “house inspection” analogy in your mind, same-as-any-other is not good enough. This one also requires “special audit consideration”.
Here is the former Vice President of Professional Standard’s perspective. “Responding to significant risks” always requires procedures above and beyond what you would ordinarily perform for a client of that size and industry.
Ultimately, to get peace of mind in this area you need the right technology. Given that point, CCH ProSystem fx Knowledge Coach helps in 3 ways:
- There is always a “significant risk for management override” present that you need to address.
- Knowledge Coach contains an extensive series of diagnostics related to risk assessment. So, when you identify a risk, you are prompted to ensure you respond to it adequately.
- You can add a risk at any point throughout the engagement. Simply do so as you proceed through the audit and further your understanding of the client. Additionally, the methodology prompts you throughout to consider if a risk should be added. The solution adds all risks to a central communication hub, which ensures the entire audit team is aware. That way everyone adjusts as necessary, and in real-time.
In closing, let’s reiterate what Mona states in the Part 1 blog. She says, “It is important to verify you have the proper tools in your audit bag. Additionally, those tools must be sufficient to help you make sure you apply the standards correctly and fully. So, ask yourself two things. First, are your tools designed effectively to address the objectives of the standards? Second, have you implemented these tools consistently and appropriately on your engagements?”.
Keep an eye out next week for Part 3 of this blog series. That will cover “assessing risk at the assertion level”.
Until then, continue your education.