From Audit Risk to Tailored Audit Procedures
In SAS No. 107, audit risk at the account balance or transaction class level has three components.
- Inherent risk. It is the susceptibility of a financial statement assertion to a material misstatement assuming there are no related internal controls.
- Control risk. It is the risk that a material misstatement, which could occur in a financial statement assertion, will not be prevented or detected on a timely basis by the entity's internal controls.
- Detection risk. It is the risk that the auditor will not detect a material misstatement that exists in an assertion.
The combination of inherent and control risk comprises the risk of material misstatement. As discussed in previous blogs, risk of material misstatement is assessed and both the financial statement and assertions levels. The risk of misstatement must be assessed for relevant assertions in material financial statement classifications.
In our practices, we ordinarily would not make a complex analysis that would consider inherent and control risk by financial statement assertion. We usually will consider certain relevant assertions as we plan auditing procedures for financial statement classifications. For example, existence and valuation are most important when auditing accounts receivable; completeness is most important for accounts payable.
Various forms provided by major providers of practice aids include guidance to aid in assessing inherent risk and for determining if control risk can be assessed at less than maximum. It is important for auditors to remember, however, that forms created by providers of quality control materials are not the only means for complying with the requirements of the risk assessment standards. A CPA firm may elect in its quality control document to omit certain practice aids from a provider's audit manuals and substitute other more efficient documentation.
Some firms, with the approval of its engagement executives, are creating proprietary risk assessment procedures and documentation that may be more suited to the firm's audit clients, particularly smaller entities. In establishing policies for incorporation in the firm's quality control document, it is very important to make sure firm proprietary documentation meets all the applicable requirements of the risk assessment and other professional standards.
Post a comment and share your approach to modifying procedures and documentation on small audits.