The risk assessment standards opened a door that was unexpected. Auditors were given permission, almost encouraged, to consider the affects of the prior period’s control risk assessment on the current period’s control risk assessment. Focusing on the performance of tests of controls, the standards indicated that if there was no significant change in policies, procedures or personnel, the prior year’s control risk assessment could be used in the current period.
To reach such a conclusion, the auditor must at least make inquiries of client management personnel. In fact, common sense would tell us that the best way to do this is by reviewing the prior year’s internal control documentation with client personnel. Often the reason for using flowcharts, this review should include a systems walk-though procedure with a handful of each type of transaction, probably at least 5. Once the flowchart (or an ICQ or memo) has been updated and the walk-through procedure documented with no significant change, the prior year’s control risk assessment can be use to develop cost-beneficial audit strategies and audit plans.
If there are significant risks of material misstatement found in updating internal control documentation, the prior year’s assessment can not be used to mitigate such misstatements. In this case, further substantive tests would be necessary to mitigate such risks and the control risk assessment may be higher than the prior year.
Being able to use the prior period's control risk assessment in the current period is an opportunity for HUGE time savings! This is another example of ways an auditor can comply with existing professional standards and, at the same time, increase small audits'