By John Fiebig, President and Co-Founder of ADIGEO Consulting
There is no activity more critical to the overall success of an audit than risk assessment. The risk assessment process should initially be performed in the planning of the audit, then continually challenged and reevaluated as procedures are performed and more evidence is gained. This is truly what can drive a quality audit. Sadly, it can also doom those who fail to focus appropriate attention and thoughtfulness on risk assessment, leading to a less effective audit that could be subject to significant challenge by regulators.
PCAOB inspectors continue to identify concerns with firms’ identification and assessment of risks of material misstatement. In fact, just last month the PCAOB reported that one firm had failed to support its opinion because it failed to appropriately assess the risk of material misstatement associated with the allocation of revenue. In the past, deficiencies in identifying and assessing risks were generally only a contributing factor to other audit deficiencies. The idea that a poorly performed risk assessment could in and of itself result in an audit failure should send shockwaves through firms of all sizes.
Assessing Risk at the Appropriate Level
Given the PCAOB’s apparent focus on challenging a firm’s risk assessment procedures, it’s important to understand one of the key risk assessment activities – Performing Walkthroughs. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records. PCAOB standards and guidance tend to focus on the role of the walkthrough in evaluating the design and implementation of key controls. What is often lost on auditors is that one of the key objectives of understanding each component of internal control over financial reporting is to identify the types of potential misstatements that could occur. This is an important understanding for an auditor to have in order to be able to identify the key controls to test.
Too often, we see auditors perform walkthroughs only to identify key controls, and then they assess risks in another section of the work papers. This results in a high-level risk assessment that doesn’t identify how the risks could manifest themselves at each client. An example of a risk assessment that is too high level is one where the auditor simply states that there is a risk of material misstatement of revenue and then identifies the relevant assertions related to revenue. Such a risk assessment does not identify where and how such a risk could occur. This disconnect between the walkthrough and the risk assessment results in a less effective, and oftentimes less efficient, audit. It also leaves the auditor at risk for criticisms by the PCAOB like the one identified above.
To rectify this situation, auditors should perform their walkthroughs to first identify all of the risks of material misstatements and then to identify the controls that address those risks. This will likely result in the identification of numerous risks, which some firms call “what could go wrongs”, throughout each transaction process. There also might be multiple risks throughout the process that affect the same assertion, but in different ways. Controls that don’t address an identified risk should not be considered key controls. Alternatively, if there is not a control to address an identified risk, the auditor should discuss this with its client and determine if a control exists or if there is a control deficiency.
Assessing Fraud Risks
Another area where risk assessments are often deficient is in determining fraud risks. PCAOB standards state that auditors should presume that there is a fraud risk involving improper revenue recognition. Too often, auditors stop at the presumption that there is a fraud risk without further evaluating where and how management could fraudulently misstate revenue. Since a fraud risk is also a significant risk, this approach can cause auditors to apply a more extensive testing approach to all aspects of revenue recognition when the fraud risk only applies to one aspect.
As an example, assume the client is a manufacturing company with a straightforward ship-and-bill revenue stream. If the auditor just stops at the presumption that there is a fraud risk in revenue recognition, it would have to increase its sample size for testing revenue transactions throughout the year to address the significant risk. If, however, the auditor determined that the fraud risk existed only in the period-end cutoff of revenue, and the rest of revenue recognition only presented a normal risk of material misstatement, it could focus its efforts on determining that an appropriate cutoff occurred and use a sample size associated with a normal risk for the rest of the revenue transactions tested. The key to this approach is a thoughtful and meaningful assessment of how management could fraudulently misstate revenues.
Firms should be focused on how they can improve the quality and extent of their risk assessments. One way they can improve is to implement focused team discussions into their risk assessment process. Involving senior engagement team leadership in the risk assessment process, including in the performance of walkthroughs, will result in a more rigorous assessment of the types of potential misstatements that could occur. A more rigorous risk assessment, along with appropriately designed and executed audit procedures to address the assessed risks, will result in improved audit quality.
We at ADIGEO Consulting hope you found this thought piece helpful in preparing your 2019 audits. John Fiebig, our President and Co-Founder, authored this piece. As a former Senior Deputy Director at the PCAOB, leading the inspections of the Global Network Firms around the world, he enjoys sharing his insights, experience, and perspectives with our clients and friends.
If you would like to discuss risk assessment – or any other audit-related topics – please contact John at firstname.lastname@example.org
This post is published to spread the love of GAAP and provided for informational purposes only. Although we are CPAs and have made every effort to ensure the factual accuracy of the post as of the date it was published, we are not responsible for your ultimate compliance with accounting or auditing standards and you agree not to hold us responsible for such. In addition, we take no responsibility for updating old posts, but may do so from time to time.