When it comes to “delivering quality audits that result in successful peer reviews”, there are strategies that firms should consider – including around risk assessment. This 4-part blog series is based on a Wolters Kluwer panel discussion webinar about successful peer reviews. Industry-expert on that webinar panel included:
- Carl Mayes – Senior Technical Manager of Special Projects at the AICPA, and Project Manager for the AICPA’s Enhancing Audit Quality Initiative
- Vincent Gaudiuso – Peer Reviewer and Quality Control Partner at Buchbinder
- Mona Dickerson – National Assurance Director at CohnReznick
If you haven’t read the previous blogs in the series yet, hi-level, this webinar covered four important issues firms must address regarding peer review. Today’s Part 3 blog addresses “assessing risk at the assertion level”.
So, with no further ado, here’s what the expert-panelists had to say about this important issue.
Q: Carl, what are the issues most common around assessing risk at the assertion level?
Carl: This is a big one. What we see a lot of times in practice is folks assessing risk at the account level. They’ll say, for example, “Oh, cash has low risk of material misstatement,” and then they simply move on. However, what’s required by the AU-C Section 315: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Standard is that you must assess risk at both the:
- Relevant assertion level -AND-
- Financial statement level
Additionally, it is equally important to understand what “financial statement level” means. It means “any risk that would impact multiple assertions”.
Why assess risk at the relevant assertion level?
To reiterate, assessing risk at the relevant assertion level is necessary because all audit procedures must tie back to assertions. For example, let’s say cash is low risk and you’re going to perform some procedures around it. Well, what is the real risk around cash? If you don’t have any international currencies, then you may have very low risk around cash valuation but there might be other concerns around cash existence. Perhaps RMM is moderate instead of low for that assertion.
Each one of those assertion level risks links to an assertion level response. Therefore, when considering what procedures to perform, in this example, each one must link back to whether cash exists and is properly valued. What I’m saying is they don’t JUST link to cash. Each risk also must link at the assertion level to remain clear, and not confusing.
What if you fail to assess risk at the relevant assertion level?
From a peer review perspective, and from a Standards perspective, if you fail to assess risk at the relevant assertion level, that’s an omitted procedure under AU-C Section 585: Consideration of Omitted Procedures After the Report Release Date . Frankly, doing so will require you to go back and perform more work. From a peer review perspective, that scenario results in a nonconforming engagement.
|AU-C Section 315: Understanding the Entity and Its Environment and Assessing the Risks of Material
.03 The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
.06 If, subsequent to the report release date, the auditor becomes aware of an omitted procedure, the auditor should assess the effect of the omitted procedure on the auditor’s present ability to support the previously expressed opinion on the financial statements. (Ref: par. .A1–.A4)
Q: Mona, from a practical standpoint, what thoughts do you have about assessing risk at the assertion level?
Mona: First, I agree with Carl’s assessment. To add, sometimes there are misconceptions that low risk equals no risk, or low risk in an assertion equals not relevant. That is, unfortunately, a misconception that a lot of folks hold.
Typically, I give my team these points-of-instruction:
- Just because something is a low-risk doesn’t mean that it’s a no-risk and, therefore, doesn’t need auditing. Rather, audit that risk with lesser extent and a different nature.
- Also, in every instance, you must perform some procedures on every identified risk.
Additionally, I always recommend referring back to the definition of risk assessment procedures in the Standards, i.e. AU-C Section 315: Understanding the Entity and Its Environment and Assessing the Risks of Material.
Can you lower the extent of substantive testing when you are not relying on controls?
Interestingly, whether you can lower the extent of substantive testing when not relying on controls is another area of confusion. The Standards state that you cannot lower the extent of your substantive testing unless you ARE relying on the controls. To rely on the controls, though, you must test their operating effectiveness. This is where it gets sticky because some folks incorrectly think, “Oh, well, I don’t need to look at controls unless I’m relying on them and reducing my tests because of them.”
Bottomline, always refer back to the definition of risk assessment procedures, listed in AU-C 315 and required on all audits. The definition says, “audit procedures must be performed to obtain an understanding of the entity in its environment”. However, it doesn’t stop there. The Standard also:
- Specifically calls out the entity’s internal controls
- Tells you that you’re performing those procedures to identify and assess the risk of material misstatements
- Say that you must consider both fraud and error at the financial statement and relevant assertion levels
The Standards’ definition of what risk assessment means encompasses all four focus areas of the Enhancing Audit Quality Initiative. Moreover, it puts it in a single paragraph! Apparently, that can be easily misunderstood.
Ultimately, to get peace of mind in this area, you need the right technology. That’s exactly why you should consider CCH ProSystem fx Knowledge Coach. The solution:
- Prompts you to tailor the audit programs for both the relevant audit areas and the relevant assertions for those areas
- Contains an extensive series of diagnostics related to risk assessment, with prompts if you do not determine relevant assertions
- Further tailors the summary of risk assessment workpaper, and all audit programs, with the relevant assertions to help ensure you design the procedures accordingly
To conclude, in Part 1’s blog, Mona shared this. “It is important to verify you have the proper tools in your audit bag. Additionally, those tools must be sufficient to help you ensure you’ve apply the standards correctly and fully. So, ask yourself two things.
- Are your tools designed effectively to address the objectives of the standards?
- Have you implemented these tools consistently and appropriately on your engagements?”
Keep an eye out next week for Part 4, the final edition of this blog series. That will cover “linking procedures performed and assertion level risk”.
Until then, continue your education.
- Learn more about Knowledge Coach
- Listen to Garrett Stenhouse, from DiSanto Priest & Co, podcast on Audit Talks
- Gather strategies for delivering quality audits that result in successful peer reviews by reading/rereading the blog series. In full, this series addresses the four most problematic areas of risk assessment identified by the AICPA:
- “Understanding internal controls”, focus of Part 1
- “Identification of significant risk & responding to significant risk”, focus of Part 2
- This blog – “assessing risk at the assertion level”, focus of Part 3
- Coming next – “linking procedures performed and assertion level risk”, focus of Part 4