Increasing Audit Profits Series No. 28—Getting Serious About Risk Assessment
Years ago I was taught that the most efficient way to approach smaller audits was to default to a high risk assessment for all account classifications, carry forward sketchy internal control documentation, and then substantively test the daylights out of account balances! This approach, in fact, was permitted under the auditing standards until new “risk assessment standards” were effective in 2007. “Balance sheet auditors” is what we called ourselves!
Here are a few assumptions about smaller audits that arose decades ago:
• Smaller entities don’t, or can’t, hire qualified personnel.
• Accounting records are always a mess.
• There is no segregation of incompatible duties; therefore there is no internal control system.
• Auditors will always have to propose numerous adjustments.
• Auditors always have to draft financial statements and footnotes.
To be honest, some auditors still approach smaller audits with these assumptions as the foundation for their audit strategies. I’ll admit that in the case of some smaller audits the assumptions are valid and detailed tests of balances may comprise the most effective and efficient audit strategy. The facts are, however, there are significant opportunities to save time on even the smallest audits by performing thorough risk assessment for all material account classifications. Unfortunately, the tests of balances audit strategy will likely remain a “default” audit strategy until we get serious about risk assessment on smaller audits.
Risk assessment procedures include all engagement activities from the planning phase up to the development of the audit plan (detailed audit program). Here is an outline of common risk assessment procedures:
1. Making and documenting client acceptance or continuance decisions.
2. Reviewing prior year working papers, considering findings and conclusions, adjusting journal entries, uncorrected audit differences and assessing their impact on the current year’s risk assessment.
3. Reading the current year’s general ledger activity and preparing a memo documenting parameters and findings.
4. Performing and documenting other preliminary analytical procedures (at least comparing the current year’s unadjusted account balances with prior year adjusted balances).
5. Preparing flowcharts or memos documenting the client’s accounting and internal control stems and the performance of systems walk-through procedures for major transactions cycles.
6. Calculating tolerable misstatement by financial statement classification based on risk.
7. Completing applicable practice aids and other documentation from the firm’s accounting and auditing manuals.
8. Preparing a linking working paper combining risk of misstatements due to error and fraud to determine the level of risk of material misstatement for relevant assertions in material financial statement classifications.
9. Designing a detailed audit plan (program) that links significant risks with appropriate procedures (tests of control, analytical procedures and/or detailed tests of balances).
In the next few blogs, I’ll explore how these risk assessment procedures can provide opportunities to increase audit profits, even on smaller audits. For more information, my live Small Audit Series of 15 webcasts begins October 17. You can download syllabuses and register by clicking the box on the left side of my home page, www.cpafirmsupport.com.