Assessing and responding to the risk of material misstatement continues to be one of the top audit deficiencies noted by inspectors based on our review of recent PCAOB inspection reports. This post takes a closer look at the risk assessment standards causing the problem, provides examples of where engagement teams are getting it wrong, and provides practice guidance to improve audit quality in this area.

Based on our review of the 2015 PCAOB inspections of the annually inspected firms, one-quarter of the audit deficiencies noted related to engagement teams failing to properly assess and respond to the risk of material misstatement in accordance with the risk assessment standards. Of the 439 total audit deficiencies noted during their 2015 inspection cycle, 110 were attributed to the following PCAOB’s risk assessment standards (number of audit deficiencies noted):

• AS 9, Audit Planning (10)
• AS 13, The Auditor’s Responses to the Risks of Material Misstatement (56)
• AS 14, Evaluating Audit Results (34)
• AS 15, Audit Evidence (10)

Top 5 Specific Audit Areas with Deficiencies Related to Risk Assessment

Based on our review of the 2015 PCAOB inspection reports, the following audit areas had the most deficiencies noted attributed to the risk assessment standards (in order of frequency):

1. Revenue, including accounts receivable, deferred revenue, and allowances
2. Inventory and related reserves
3. Loans, including the allowance for loan losses
4. Investment securities, including derivatives and equity method investments
5. Business combinations, including contingent consideration

Example Finding

Let’s review an actual finding noted in an inspection report related to the most noted deficiency, AS 13, The Auditor’s Responses to the Risk of Material Misstatement.

The Firm designed its substantive procedures to test the reasonableness of the ALL – including sample sizes – based on a level of control reliance that was not supported due the deficiencies in the Firm’s testing of controls over the reasonableness of the loan risk grades and the accuracy and completeness of problem loans that are discussed above. As a result, the sample size the Firm used to test the reasonableness of loan risk grades and the accuracy and completeness of problem loans was too small to provide sufficient evidence.

This finding relates to deficiencies in applying the following paragraphs of PCAOB AS 13:

Controls to be Tested

AS 13, paragraph 16 states:

If the auditor plans to assess control risk at less than the maximum by relying on controls, and the nature, timing, and extent of planned substantive procedures are based on that lower assessment, the auditor must obtain evidence that the controls selected for testing are designed effectively and operated efficiently during the entire period of reliance. However, the auditor is not required to assess control risk at less than the maximum for all relevant assertions and, for a variety of reasons, the auditor may choose not to do so.

Evidence about the Effectiveness of Controls in the Audit of Financial Statements

AS 13, paragraph 18 states:

In designing and performing tests of controls for the audit of financial statements, the evidence necessary to support the auditor’s control risk assessment depends on the degree of reliance the auditor plans to place on the effectiveness of a control. The auditor should obtain more persuasive audit evidence from tests of controls the greater the reliance the auditor places on the effectiveness of a control. The auditor also should obtain more persuasive evidence about the effectiveness of controls for each relevant assertion for which the audit approach consists primarily of tests of controls, including situations in which substantive procedures alone cannot provide sufficient appropriate audit evidence.

Substantive Procedures

AS 13, paragraph 37 states:

As the assessed risk of material misstatement increases, the evidence from substantive procedures that the auditor should obtain also increases. The evidence provided by the auditor’s substantive procedures depends upon the mix of the nature, timing, and extent of those procedures. Further, for an individual assertion, different combinations of the nature, timing, and extent of testing might provide sufficient appropriate evidence to respond to the assessed risk of material misstatement.

Preview of 2016 Inspection Results

According to a speech by Helen Munter, Director, Division of Registration and Inspections, at the 2016 AICPA Conference on SEC and PCAOB Development, preliminary 2016 inspection results indicate some improvement over 2015, especially related to auditors’ procedures to test controls over system-generated data and reports. However, Ms. Munter noted “inspections staff continue to observe deficiencies in the area of responding to the risk of material misstatement.” She warned, “auditors should continue to focus on whether the procedures that have been designed and performed are specifically responsive to significant risks, including fraud risks.”

Improving Audit Quality – Risk Assessment

The images above are slides taken from our Improving Audit Quality: Learning from Inspection Findings course that we’ve developed to help firms improve audit quality. We hope it helps you too! Remember, the risk assessment process is cumulative and iterative, including the development and performance of audit procedures. As you design and begin to implement your audit plan, you may realize that more or different procedures are necessary, depending on the quality and quantity of audit evidence obtained, as well as any additional risks that may arise. Finally, don’t forget to document your rationale and findings in the audit documentation! Without it, you might get dinged during inspection even though you did the work!

Disclaimer
This post is published to spread the love of GAAP and provided for informational purposes only. Although we are CPAs and have made every effort to ensure the factual accuracy of the post as of the date it was published, we are not responsible for your ultimate compliance with accounting or auditing standards and you agree not to hold us responsible for such. In addition, we take no responsibility for updating old posts, but may do so from time to time.