SAS 145 Audit Risk Assessment
All Together Now
Now that our firm has been through a few months of audit risk assessment under SAS 145, we felt it beneficial to identify key takeaways to keep in mind as we go forward. To give a frame of reference for our outline below, our clientele is concentrated in the construction industry, and we use Checkpoint Engage for our risk analysis. Hopefully, this outline will help bring the various pieces of the risk assessment process together.
1. Risk of material misstatement (RMM). Remember that we, as auditors, are searching for areas of the financial statements that may be materially misstated.
   a. We tailor the audit program to address the identified risks, especially those we identified as significant risks.
   b. Checkpoint Engage is the tool we use to tailor the audit program.
   c. Not all risks are created equal. To be a RMM, there must be:
      - A reasonable possibility of a misstatement occurring, and
      - If a misstatement were to occur, a reasonable possibility that it would be material.
      - Reasonable possibility means there is more than a remote chance (a very low threshold).
      - Remember the formula: RMM = Occurrence + Magnitude
   d. The two types of risk are:
      - At the financial statement level, and
      - At the assertion level.
2. Risks at the financial statement level. Risks of a material misstatement at the financial statement level are pervasive to the financial statements as a whole.
   a. All audit engagements have the overall financial statement risk of management overriding controls. This risk and the audit response are automatically populated in Part I of the Risk Assessment Summary Form.
   b. Some companies may have additional overall risks at the financial statement level, such as:
      - Going concern issues,
      - Pressure to meet or exceed debt covenants, and
      - Lack of qualified accounting personnel.
   c. These risks and the audit responses should also be included in Part I of the Risk Assessment Summary Form.
3. Risks at the assertion level. A risk of material misstatement at the assertion level is a risk that is not pervasive at the financial statement level. It is a risk at the assertion level for a particular class of transactions (such as revenue), account balance (such as accounts payable), or disclosure (such as those provided for financial loan covenants).
   a. Every engagement is presumed to identify improper revenue recognition as a fraud and significant risk at the assertion level in Part II of the Risk Assessment Summary Form.
   b. The peer review expectation is that almost all engagements will have one or more additional risks (in addition to improper revenue recognition) that are identified as significant risks (those on the upper end of the spectrum of inherent risk), which should be added to Part II of the Risk Assessment Summary Form.
4. Inherent risk (IR). Inherent risk is assessed as LOW, MODERATE, HIGH, or NOT RELEVANT.
   a. IR is the susceptibility of an assertion to a material misstatement, ignoring any controls the company has in place.
   b. An assertion is NOT RELEVANT if the risk of a material misstatement is remote, or if there is no risk because, due to the nature of the assertion, it does not apply to the class of transactions, account balance, or disclosure. For example, due to the nature of cash, the valuation assertion is NOT RELEVANT.
   c. Inherent risk factors include: size, volume, and composition of items; susceptibility to theft or fraud, management bias, and obsolescence; complexity; subjectivity; uncertainty; and changes in business environment, operations, and personnel.
   d. CON-CX-7.2 Inherent Risk Assessment Form is an excellent way to document your reasoning for the IR assessment.
5. Relevant assertion. A relevant assertion (for IR) has one or more identified risks of material misstatement (an identified RMM).
   a. Rarely are all assertions relevant to an account balance, class of transactions, or disclosure. Usually, one or more assertions are relevant (i.e., have an identified RMM), but not all.
   b. The IR for assertions that do not have an identified RMM is assessed as NOT RELEVANT when:
      - The risk of misstatement is remote, or
      - The assertion is not applicable due to the nature of the audit area.
      NOTE: See #12 below for a further description of LOW inherent risk as it relates to the spectrum of IR.
   c. The assertions used by PPC are:
      - Existence or occurrence
      - Completeness
      - Rights or obligations
      - Accuracy, classification, or presentation
      - Valuation or allocation
      - Cutoff
6. Identified risk (a.k.a. identified RMM). If the inherent risk for an assertion is assessed as either MODERATE or HIGH, you must specifically identify the risk ("identified risk") on Part II of the Risk Assessment Summary Form (or elsewhere in the risk assessment workpapers). If done elsewhere in the workpapers, you must link it to the Risk Assessment Summary Form. This specific identification of the risk is required under the new standard.
   a. Scalability. SAS 145 requires auditors to document the identified risk for all relevant assertions. Under PPC methodology, an identified risk can be a LOW, MODERATE, or HIGH RMM. However, relying on the standard's concept of scalability, we only need to clearly document the identified risks for MODERATE and HIGH risks of material misstatement.
7. Significant risk. A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. It's a RMM on steroids.
   a. What you are looking to dig out are the significant risks.
   b. Significant risks are high-end risks (the upper end of the spectrum of inherent risk) whose related controls must be tested for design and implementation.
8. Control risk (CR). Remember that we assess all control risks at the assertion level as HIGH unless the IR for the assertion is NOT RELEVANT. In that case, the CR will also automatically be assessed as NOT RELEVANT.
9. Combined risk. Since we assess all control risks as HIGH, then, per SAS 145, the combined risk MUST be assessed the same as the inherent risk. For example, if IR is LOW and CR is HIGH, the assessment for the combined risk must be LOW. In that case, by definition, it cannot be MODERATE.
10. Significant audit area. A significant audit area has nothing to do with materiality, as it did under the prior standard. Under SAS 145, a significant audit area has one or more assertions with an identified risk of a material misstatement (a.k.a. "relevant assertion"; see #5 above).
   a. Most audit areas will be marked as significant audit areas since the risk threshold is so low under the new standard. All it takes is one assertion with a low risk that is reasonably possible of materially misstating the financial statements. (See #11 below.)
   b. You must apply substantive procedures for each relevant assertion of significant audit areas.
   c. If the audit area is a significant audit area, you cannot apply only limited procedures. (Limited procedures are preliminary and final analytics, as well as other risk assessment procedures.)
   d. Stand-back requirement. Auditors are required, at some point during the audit, to "stand back" and consider whether their original assessment of what is regarded as a significant audit area is still appropriate, or whether additional areas should also be deemed significant. You indicate that you did this by signing off on the appropriate step (generally step 13b) of Checkpoint Engage program AP-10: General Planning Procedures.
11. Risk of material misstatement. A risk of a material misstatement is a risk that has more than a remote chance (i.e., a "reasonably possible" chance) of occurring and, if it does happen, has more than a remote chance of being material.
12. Low inherent risk vs. not relevant. An assertion with a LOW inherent RMM is deemed a relevant assertion because, under PPC's methodology, the LOW-risk designation is one in which the risk of a material misstatement of the financial statements is reasonably possible (more than remote) but does not rise to the level of MODERATE or HIGH on the spectrum of inherent risk.
   On the other hand, under PPC's methodology, if the risk is remote or less, then inherent risk should be marked as NOT RELEVANT instead of LOW.
   a. Marking an assertion with a remote risk as NOT RELEVANT is important because PPC will only permit you to perform limited procedures when all assertions are marked as NOT RELEVANT. You cannot perform limited procedures if one or more assertions are marked as LOW, MODERATE, or HIGH inherent risk of material misstatement.
13. High inherent risk. An assertion assessed as a HIGH inherent risk of material misstatement may or may not be a significant risk of material misstatement.
   a. If the risk is on the upper end of the spectrum of inherent risk, it is considered a significant risk of material misstatement, subject to design and implementation testing.
   b. PPC only provides three risk categories: LOW, MODERATE, and HIGH. So, an inherent risk can be assessed as HIGH but not be on the upper end of the spectrum of IR and, therefore, not be considered a significant risk under the standard.
   c. If you have inherent risks assessed as HIGH but not identified as significant risks, it would be prudent to note in the comment section of the Risk Assessment Summary Form that IR is on the lower end of the high section of the spectrum of IR and, therefore, the risk is HIGH but is not considered high enough on the spectrum of IR to be a significant risk.
14. IMPORTANT! Identified controls (previously key controls). Identified controls must be tested for design and implementation. Identified controls are controls that address the following three high-end risk categories:
   a. Significant risks. As stated in 3b, 7b, and 13a above, significant risks are inherent risks on the upper end of the spectrum of inherent risk. Therefore, controls over significant risks are identified controls subject to design and implementation testing.
   b. Journal entries and adjustments. Controls over journal entries are identified controls and must be tested for design and implementation.
   c. Risks from the use of IT. General IT controls that address a significant risk of material misstatement arising from the use of IT are also a type of identified control subject to design and implementation testing.
      - For all identified controls, AU-C 315.28–.29 requires the auditor to identify related IT applications and other aspects of the IT environment subject to risks related to the use of IT, as well as general IT controls that address such risks.
      - This identification may affect the testing of the design and implementation of the required identified control(s). It may also have broader implications for the audit strategy, including the design of further audit procedures. For instance, if information-processing controls depend on general IT controls, and the auditor determines that the general IT controls are expected to be ineffective, the related risks arising from the use of IT may need to be addressed through the design of substantive procedures.
      - For example, the company's use of Excel to calculate POC revenue presents a risk from the use of IT. General IT controls, such as the following, may be subject to design and implementation testing:
         - Access control: limit who can change formulas, cell protection, etc.
         - Passwords
         - Data backup and recovery
         - Physical security
         - Segregation of duties
         - IT governance
         - Vulnerability management
         - Security awareness training
      - Another example may relate to the significant risk of cost shifting by a project manager. In this example, the risk from the use of IT relates to the job cost module and who uses and has IT rights to the module. The possible general IT controls subject to design and implementation testing are:
         - Access control
         - Passwords
         - User authentication
         - Segregation of duties
         - Security awareness training
   d. Complete Checkpoint Engage form CON-CX-4.2.2: Internal Control Documentation—IT Environment and General IT Controls.
   e. Consider using Part I of Checkpoint Engage form CX-4.2.3: Internal Control Documentation—Evaluation of the Design and Implementation of Identified Controls to document the identified controls subject to design and implementation testing.
      - Parts II and III can also be used to describe the design and implementation, but narratives and walkthroughs are probably the better and more efficient way to do each of those procedures.
15. COSO internal control components. SAS 145 requires us to gain an understanding of the five components of the company's system of internal control.
   a. "Gain an understanding" means becoming knowledgeably aware of the company's policies and procedures for each of the five internal control components.
   b. The five COSO internal control components are:
      - Control environment (tone at the top)
      - Risk assessment (i.e., the assessment performed by the company)
      - Monitoring
      - Information and communication
      - Activity level controls and information processing
   c. However, as described above in #14, certain activity level controls and information processing require more than a mere understanding.
   d. For identified controls, the auditor is required to:
      - Evaluate the design of the control, and
      - Determine whether the control has been implemented.
   e. IMPORTANT. If identified controls are not properly designed, or controls have not been implemented, or both, then the auditor MUST consider the need to expand substantive testing for the assertions affected.