What is the role of audit in risk assessment?

Risk assessment is a recurring, systematic process for identifying and evaluating events (i.e., possible risks and opportunities) that could affect the achievement of strategic objectives, positively or negatively.  An Internal Audit risk assessment is an evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives.  The assessment considers the impact of risks to stakeholder value as a basis to define the audit plan and monitor key risks. This enables the coverage of Internal Audit activities to be driven by issues that directly impact stakeholder value, with clear and explicit linkage to strategic drivers for the organization.  Leading organizations will:

  • Complete an Internal Audit risk assessment annually.  For risk assessment to be recurring and systematic, it must be performed consistently.  This allows Internal Audit to identify, capture and update risks while aligning those risks with the organization’s strategic objectives.
  • Incorporate all organizational processes in risk assessment, including financial, operational, compliance and information technology.  This allows Internal Audit to truly focus on the highest risks without limitation to a specific department, group or category of risks (e.g. limiting to Finance department only).
  • Integrate other risk assessment processes with the Internal Audit risk assessment.  Consolidating the results of all risk identification processes (e.g. Enterprise Risk Management risk assessment) with the Internal Audit risk assessment provides a complete risk profile of the organization and potentially better deployment of Internal Audit resources toward those areas of highest risk.

While many public and private organizations under $400 million in annual revenues do not have an Internal Audit department, it is no longer feasible for these organizations to fly blind.  It is critical to have a systematic process to identify risks and evaluate the severity of these risks to the business.

By John Fiebig, President and Co-Founder of ADIGEO Consulting

There is no activity more critical to the overall success of an audit than risk assessment. The risk assessment process should initially be performed in the planning of the audit, then continually challenged and reevaluated as procedures are performed and more evidence is gained. This is truly what can drive a quality audit. Sadly, it can also doom those who fail to focus appropriate attention and thoughtfulness on risk assessment, leading to a less effective audit that could be subject to significant challenge by regulators. 

PCAOB inspectors continue to identify concerns with firms’ identification and assessment of risks of material misstatement. In fact, just last month the PCAOB reported that one firm had failed to support its opinion because it failed to appropriately assess the risk of material misstatement associated with the allocation of revenue. In the past, deficiencies in identifying and assessing risks were generally only a contributing factor to other audit deficiencies. The idea that a poorly performed risk assessment could in and of itself result in an audit failure should send shockwaves through firms of all sizes.

Assessing Risk at the Appropriate Level

Given the PCAOB’s apparent focus on challenging a firm’s risk assessment procedures, it’s important to understand one of the key risk assessment activities – Performing Walkthroughs. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records. PCAOB standards and guidance tend to focus on the role of the walkthrough in evaluating the design and implementation of key controls. What is often lost on auditors is that one of the key objectives of understanding each component of internal control over financial reporting is to identify the types of potential misstatements that could occur. This is an important understanding for an auditor to have in order to be able to identify the key controls to test.

Too often, we see auditors perform walkthroughs only to identify key controls, and then they assess risks in another section of the work papers. This results in a high-level risk assessment that doesn’t identify how the risks could manifest themselves at each client. An example of a risk assessment that is too high level is one where the auditor simply states that there is a risk of material misstatement of revenue and then identifies the relevant assertions related to revenue. Such a risk assessment does not identify where and how such a risk could occur. This disconnect between the walkthrough and the risk assessment results in a less effective, and oftentimes less efficient audit. It also leaves the auditor at risk for criticisms by the PCAOB like the one identified above.

To rectify this situation, auditors should perform their walkthroughs to first identify all of the risks of material misstatement and then to identify the controls that address those risks. This will likely result in the identification of numerous risks, which some firms call “what could go wrongs”, throughout each transaction process. There may also be multiple risks throughout the process that affect the same assertion, but in different ways. Controls that don’t address an identified risk should not be considered key controls. Conversely, if there is no control to address an identified risk, the auditor should discuss this with the client and determine whether a control exists or whether there is a control deficiency.

Assessing Fraud Risks

Another area where risk assessments are often deficient is in determining fraud risks. PCAOB standards state that auditors should presume that there is a fraud risk involving improper revenue recognition. Too often, auditors stop at the presumption that there is a fraud risk without further evaluating where and how management could fraudulently misstate revenue. Since a fraud risk is also a significant risk, this approach can cause auditors to apply a more extensive testing approach to all aspects of revenue recognition when the fraud risk only applies to one aspect.

As an example, assume the client is a manufacturing company with a straightforward ship-and-bill revenue stream. If the auditor just stops at the presumption that there is a fraud risk in revenue recognition, it would have to increase its sample size for testing revenue transactions throughout the year to address the significant risk. If, however, the auditor determined that the fraud risk existed only in the period-end cutoff of revenue, and the rest of revenue recognition presented only a normal risk of material misstatement, it could focus its efforts on determining that an appropriate cutoff occurred and use a sample size associated with a normal risk for the rest of the revenue transactions tested. The key to this approach is a thoughtful and meaningful assessment of how management could fraudulently misstate revenues.

Concluding Remarks

Firms should be focused on how they can improve the quality and extent of their risk assessments. One way they can improve is to implement focused team discussions into their risk assessment process. Involving senior engagement team leadership in the risk assessment process, including in the performance of walkthroughs, will result in a more rigorous assessment of the types of potential misstatements that could occur. A more rigorous risk assessment, along with appropriately designed and executed audit procedures to address the assessed risks, will result in improved audit quality.


We at ADIGEO Consulting hope you found this thought piece helpful in preparing your 2019 audits. John Fiebig, our President and Co-Founder authored this piece. As a former Senior Deputy Director at the PCAOB, leading the inspections of the Global Network Firms around the world, he enjoys sharing his insights, experience, and perspectives with our clients and friends.

If you would like to discuss risk assessment – or any other audit related topics – please contact John at

Disclaimer  

This post is published to spread the love of GAAP and provided for informational purposes only. Although we are CPAs and have made every effort to ensure the factual accuracy of the post as of the date it was published, we are not responsible for your ultimate compliance with accounting or auditing standards and you agree not to hold us responsible for such. In addition, we take no responsibility for updating old posts, but may do so from time to time.

What is an auditors role with risk?

In general, an auditor's role is to identify risks and evaluate management's controls and procedures to manage those risks.

Why is auditing important in risk management?

It allows an auditor to review the business and its processes to determine where risk is likely to exist. An audit risk assessment should involve questions about management and the team involved in preparing the financial statements, along with the likelihood of material misstatement or fraud.

What is the role of the audit?

The role of the auditor or reviewer is to give a professional and independent opinion on these financial statements. The review or audit of an association's financial report can ensure greater accountability to the members and provide assurance that all funds received by the organisation have been correctly accounted for.

How do you perform risk assessment in audit?

  • Determine the risks of material misstatement (plan our work)
  • Develop a plan to address those risks (plan our work)
  • Perform substantive procedures and, if planned, test controls for operating effectiveness (work our plan)
  • Issue an opinion (the result of planning and working)