In recent years, a constant mantra of the AICPA’s peer review and technical staff has been that auditors are struggling with the risk assessment standards (primarily AU-C sections 315 and 330). Common deficiencies cited by the AICPA include: [1] auditors failing to gain an understanding of internal control when identifying the client’s risks; [2] incomplete or nonexistent risk assessment; [3] auditors not linking their risk assessment to their responses; [4] auditors assessing control risk as less than high/maximum without appropriate tests of controls; and [5] auditors failing to address significant risks (i.e., those risks requiring special consideration like the risk of management override of controls).
Part of the difficulty in applying the risk assessment standards is that they are more concept-driven than checklist-driven and therefore require a great deal of professional judgment. A critical concept in applying the risk assessment standards is not losing sight of the big picture of what the auditor is trying to achieve with this process. Essentially, the auditor is trying to keep audit risk at an acceptable level by: [1] sizing up the risk factors at the client that are outside of the auditor’s control (i.e., the risk of material misstatement); and [2] responding with audit procedures that are within the auditor’s control (i.e., adjusting detection risk for the risk of material misstatement observed at the client).
Charlie Blanton, CPA, is the Senior Director of Governmental and Nonprofit Content for Surgent CPE, where he authors Surgent’s government and not-for-profit CPE courses and is a frequent webinar instructor.