ACCOUNTING, AUDITING & ATTEST
5 Risk Assessment Challenges for Audits BY MICHAEL CARO, JR., CPA, BEDERSON LLP
2. SUFFICIENTLY TEST THE CONTROLS To be able to assess control risk at less than high, an auditor must have performed a test of controls on the audit areas and relevant assertions. Preparing a narrative or memorandum on the internal controls that are in place in the respective audit areas without performing any test of controls on the audit areas is not sufficient to assess control risk at less than high. Testing of the actual controls that are in place must be performed, and the details of those tests must be documented to support the control risk assessment.
Risk assessments establish the audit approach and procedures that need to be performed on an audit. As auditors plan an audit, they assess the risk of material misstatement of a company or organization at the assertion level so that they can determine the level of substantive audit testing that needs to be performed. The assessed risk of material misstatement is determined by assessing the inherent and control risk at the relevant assertion level of a company by its significant audit areas. These risk assessments and conclusions in audits can be challenging, but they are necessary and important to perform an efficient and effective audit. These risk assessments also need to be documented appropriately, and that is where auditors commonly run into some issues with the audits. Common pitfalls in the documenting of risk assessments include the following: 1. Not documenting the inherent risk assessment considerations 2. Assessing control risk at less than high without sufficiently testing controls 3. Not documenting risk at the relevant assertion level 4. Not assessing risk on all significant audit areas
14
FALL 2021 | NEW JERSEY CPA
5. Not properly documenting the linkage between risk assessment and procedures performed 1. DOCUMENT INHERIT RISK Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material without considering any internal controls. Although auditors are always able to explain the reasons for the determination of the inherent risks assessed on a company or organization being audited, those considerations are not always documented appropriately. It is important to document the reasons for the inherent risk assessment determination for each significant audit area and relevant assertion. Some audit areas and assertions might have inherent risk assessment set at high, for example, due to transactions being difficult to audit or containing complex calculations. Others might be set at low or moderate because the calculations are simple and the transactions are not difficult to audit. Documenting these considerations is important to determine an auditor’s reasons for their assessments, their audit approach and to properly design the audit procedures being performed.
3. USE THE RELEVANT ASSERTION LEVEL There are six categories of assertions when an auditor makes their risk assessments: y y y y y y
Existence or occurrence Completeness Rights or obligations Accuracy or classification Valuation or allocation Cutoff
When documenting risk assessments, an auditor needs to make an assessment for each relevant assertion, regardless of whether an auditor has identified any specific risks related to that assertion. Risk assessment can no longer be performed by the audit area and must be performed by the assertion level. 4. ASSESS ALL SIGNIFICANT AUDIT AREAS An audit area is considered significant if it contains significant transaction class, material account balance, fraud risk or other significant risk, or if it requires significant disclosures. It is important to perform a risk assessment on all the audit areas considered significant in order to be able to develop an appropriate audit approach and procedures for that area. If a significant area is missed, the audit can be ineffective. Additionally, assessing risk on
