This blog post is the second in a series on risk assessment, a significant audit quality issue. View the first blog post here.
Anyone who owns a home has had some experience with lawn care. Maintaining a healthy lawn is easy when you have a lush field of bluegrass, but when things start to get patchy, that’s where the real work comes in. That’s when you have to get a good understanding of what is going on with your lawn and what might be causing the patches. Only then can you pick the right treatment.
Auditing a set of financial statements is no different. To perform an effective audit, you must first gain an understanding of your client and identify their specific financial reporting risks. Until these steps are complete, you have no basis for planning the rest of your audit procedures.
However, the AICPA Peer Review Program found that many auditors are performing their engagements without properly considering their client’s risks. In fact, the AICPA found that the most common audit deficiency in practice today is non-compliance with AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.
Here are some tips to help you comply with the standard and plan a successful audit.
Don’t be afraid to ask questions. To plan your audit, you need to identify your client’s specific risks. To identify the risks, you’ll need to gain an understanding of the entity, and that means asking lots of questions. It also means keeping your eyes and ears open, observing the client and getting a good feel for their environment. The last thing you want is for a risk to go undetected. So, if you are unsure of something or need clarification, don’t be shy — ask questions.
Know your client’s industry and their transaction cycles. In gaining an understanding of the entity, it’s important that you know their industry. It’s also important that you obtain a strong understanding of your client’s significant accounts and transaction cycles. The goal here is simple: the better you understand your client, the better you can identify their risks.
For example, consider a client in the software industry. If you have experience in that industry, you might come into the audit anticipating that the client has entered into multiple element sales contracts. By inquiring about the client’s revenue cycle, you confirm that your client enters into such agreements. Because there’s a risk that the sales price may not have been allocated to the contract elements appropriately, you might conclude that the risk of material misstatement (RMM) associated with revenue recognition should increase.
Identify your client’s controls. All entities have controls. Before you think, “He hasn’t seen some of my clients!”, consider the following definition: a control is any policy or procedure used by an entity to prevent, or detect and correct, a misstatement. Based on that definition, if you have a client where the owner reviews financial results, communicates the importance of quality or sets a strong “tone at the top” by demonstrating integrity, your client has controls.
When seeking to identify your client’s controls, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) elements and principles can help you detect possible gaps. For example, when considering the principle “demonstrates commitment to competence,” you may note that your client’s majority owner hired their brother-in-law to serve in a key accounting position and that the brother-in-law lacks the competence to fill that role. This is a financial statement level risk. Depending on the brother-in-law’s responsibilities, your assessment of RMM could be impacted for multiple relevant assertions.
Evaluate the design and implementation of your client’s controls. On every audit, you are required to (a) evaluate the design of controls relevant to the audit, and (b) determine whether these controls have been implemented. This isn’t the same thing as testing the operating effectiveness of controls.
To illustrate, you may find that a spreadsheet a client uses to track the quantity and value of inventory in their warehouse is unencrypted. It’s stored on a shared drive where any of the client’s employees could access and edit it. If that spreadsheet is used to compute the client’s inventory balance, their lack of access controls could lead to increased RMM for inventory existence and valuation, which could influence the nature, timing and extent of the substantive procedures you perform in that audit area.
Before diving into your next audit, be sure to gain an understanding of your client and their controls so you can identify their risks. Then, and only then, will you be able to plan your further audit procedures. Visit the AICPA’s risk assessment toolkit for valuable free resources including FAQs, a staff training PowerPoint presentation and an internal inspection aid.