More than ever before, financial statement users are relying on the judgement and opinion of auditors to make calculated decisions.
Audit, which has gone beyond mere substantive tests and risk assessment, requires auditors not only to assess the risk of material misstatement in the financial statement but also to evaluate the risk that the controls giving rise to the financial statements are weak and unreliable.
What is Audit Risk?
Audit risk is the risk that auditors give an incorrect opinion stating that material misstatements are non-existent meanwhile the financial statements are materially flawed. Auditors are responsible for developing the audit risk model, which should identify and assess the risk of material misstatement and address the risks by putting in place appropriate audit procedures to reduce the audit risk.
International Standards on Auditing (ISA), specifically ISA 315 elaborates on Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment. The essence of gaining an understanding of the entity and its environment cannot be overemphasized as it is instrumental to ensuring a quality audit work. How can one audit what one has no knowledge about? Quite absurd! As part of the requirements of the standard, auditors need to identify and assess the risk of material misstatements - inherent or control risks. Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement due to the nature of the entity and its operations before considering controls, while control risk is the risk that the entity's internal control procedures do not prevent or correct the risk of misstatement of an assertion about a class of transaction, account balance or disclosure on a timely basis.
In the performance of audit work, auditors should pay attention to certain financial statement risks areas including fraud in revenue recognition, management override of controls, accounting estimates, and related party transactions. ISA 240.27 requires auditors to recognize fraud in revenue recognition as a significant risk when planning an audit. This risk is a rebuttable presumption, and it does not automatically allude to the notion that revenue as a financial statement area is a fraud risk. ISA 240.32 emphasizes the risk of management override of controls as a non-rebuttable presumption because management is in a unique position to commit fraud due to their ability to manipulate accounting records and override controls. Also, ISA 540.16 and ISA 540.17 require auditors to determine whether the risks associated with accounting estimates are significant. Finally, it is the requirement of ISA 550.18 to record identified significant related party transactions outside the entity's normal course of business as significant risk and design procedures to respond to this risk.
Key Success Factors for Effective Risk Assessment
Auditors' responses to these risks should be hinged on obtaining audit evidence to reduce the identified risks to an acceptable (standard/low) level. Failure to effectively assess and address risks during the planning phase of the audit leads to inappropriate audit opinion which endangers the auditor's goodwill, attracts fines, and in worse cases, loss of license.
Certain factors could ensure effective risk assessment during audit and they include but not limited to:
Apply Professional Scepticism
While it is important to take into consideration the experience with honesty and integrity of the entity's Management and those charged with governance (TCWG), it remains pivotal for auditors not to relieve themselves of their professional scepticism. Asking questions, seeking clarifications, and 'challenging' policies to attain reasonable conclusion are key activities.
Understand the Entity's Environment
One cannot underestimate the essence of getting a grasp of the entity's environment (internal and external), as this guides one in assessing the effectiveness of managements' control, design and implementation. Reliance (or non-reliance) on an entity's internal control is hinged on the results of the auditor's walkthrough test and test of effectiveness of internal control, and this sums up to achieve the reduction of the risk of material misstatement to a reasonably low (acceptable) level.
Use Professional Judgement
Professional judgment comes into play when deciding whether (or not) to accept or continue with an engagement, determining overall audit strategy, setting materiality, determining significant areas where additional audit procedures may be required, and so on. The auditor should remain objective and use his professional judgment in ensuring effective risk assessment.
Upfront Involvement of Senior Team Members
Drawing on the relevance of the wealth of experience of the engagement partners and managers in the planning phase of audit engagements is key. These senior members are usually efficient in identifying risks and guiding other team members in performing audit procedures to respond to the risks identified.
Plan, Plan, and Plan
There is no doubt that time is of the essence when performing audit engagements, most especially when faced with stringent deadlines from Management, those charged with governance, and Shareholders alike. However, would you rather face the consequences of a poor-quality audit than use appropriate time to thoroughly plan and assess risks and controls before putting your name to an audit work-paper or opinion?
Team Discussion and Ongoing Communication
In identifying and assessing these risks, ISA 240 recommends that even after initial planning, engagement team members should continue to discuss and share information obtained that may affect the assessment of risks of material misstatement due to fraud or the audit procedures performed to address these risks. Risk assessment should be performed at the initial stage and continuously monitored until engagement completion.
Conclusively, planning, professional skepticism and teamwork are deal-breakers in achieving the appropriate audit risk model and an effective risk assessment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.