I am home from a trip that included visiting two CPA firms in the southeast. At both, we talked about risk assessment and how to plan an audit - yellow book style. We looked at the tools they were using to comply with the risk assessment SASs. I presented a technique that would help them stop using the shot-gun approach to auditing (you know - throw as many methodologies on a subject as possible) and they liked it.
Problem is - their tools aren't flexible enough to pull it off. The PPC e-tool went way overboard - throwing 30 methodologies at simple questions! I was amazed at how much work it recommended. Of course, the auditor was supposed to cut back on these suggested methodologies using their judgment - but unseasoned auditors (sounds like I"m talking about a frying pan!) were scared to cut anything out. Even seasoned auditors were reluctant.
The McGladry tool was a little more flexible - but required - as the PPC tool did - way too much work on the front end. I must say - I appreciated how the McGladry tool didn't just throw 30 methodologies at you - but asked you to build a relant program from a list of possibilities. That at least discouraged the auditors from throwing every possible methodology at the problem.
But both are throwing you a buffet when all you want is a sandwich. Most auditors I encounter love a good checklist and don't want to be left to their own devices and brain. I can appreciate the comfort that comes from using a checklist. But, the creators of the checklists and tools overdo. Way overdo.
One of the key pieces missing from the approach is a clear audit objective. The yellowbook encourages objectives - the AICPA doesn't. And given a clear, finite objective - you will end up with a minimum of targeted - dart like methodologies. Not a dozen methodologies - where maybe ONE hits the target.
If you have a tool you like for risk assessment, please share it with me. I'd love to see a lazy - get that potato salad off my plate! - approach to risk assessment.