What is risk assessment in audit planning?

 – September 16, 2021

Risk assessments establish the audit approach and procedures that need to be performed on an audit. As auditors plan an audit, they assess the risk of material misstatement of a company or organization at the assertion level so that they can determine the level of substantive audit testing that needs to be performed. The assessed risk of material misstatement is determined by assessing the inherent and control risk at the relevant assertion level of a company by its significant audit areas. These risk assessments and conclusions in audits can be challenging, but they are necessary and important to perform an efficient and effective audit. These risk assessments also need to be documented appropriately, and that is where auditors commonly run into some issues with the audits.

Common pitfalls in the documenting of risk assessments include the following:

1. Not documenting the inherent risk assessment considerations
2. Assessing control risk at less than high without sufficiently testing controls
3. Not documenting risk at the relevant assertion level
4. Not assessing risk on all significant audit areas
5. Not properly documenting the linkage between risk assessment and procedures performed

1. Document Inherent Risk

Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstate­ment that could be material without considering any internal controls. Although auditors are always able to explain the reasons for the determination of the inherent risks assessed on a company or organization being audited, those considerations are not always documented appropriately.

It is important to document the reasons for the inherent risk assessment determination for each significant audit area and relevant assertion. Some audit areas and assertions might have inherent risk assessment set at high, for example, due to transactions being difficult to audit or containing complex calculations. Others might be set at low or moderate because the calculations are simple and the transactions are not difficult to audit. Documenting these considerations is important to determine an auditor’s reasons for their assessments, their audit approach and to properly design the audit procedures being performed.

2. Sufficiently Test the Controls

To be able to assess control risk at less than high, an auditor must have performed a test of controls on the audit areas and relevant assertions. Preparing a narrative or memorandum on the internal controls that are in place in the respective audit areas without performing any test of controls on the audit areas is not sufficient to assess control risk at less than high. Testing of the actual controls that are in place must be performed, and the details of those tests must be documented to support the control risk assessment.

3. Use the Relevant Assertion Level

There are six categories of assertions when an auditor makes their risk assessments:

• Existence or occurrence
• Completeness
• Rights or obligations
• Accuracy or classification
• Valuation or allocation
• Cutoff

When documenting risk assessments, an auditor needs to make an assessment for each relevant assertion, regardless of whether an auditor has identified any specific risks related to that assertion. Risk assessment can no longer be performed by the audit area and must be performed by the assertion level.

4. Assess All Significant Audit Areas

An audit area is considered significant if it contains significant transaction class, material account balance, fraud risk or other significant risk, or if it requires significant disclosures. It is important to perform a risk assessment on all the audit areas considered significant in order to be able to develop an appropriate audit approach and procedures for that area. If a significant area is missed, the audit can be ineffective. Additionally, assessing risk on a nonsignificant audit area can cause the audit to be inefficient.

5. Provide Proper Documentation

The risk assessed should link to the nature, timing and extent of audit procedures performed. The risk assessment documen­tation should reference — or comments should be made — linking the assessments to the audit work performed. Audit procedures might need to be tailored to do the risk assessments, or the risk assessments might need to be revised due to changes needed in the audit procedures being performed. The risk assessments are developed at planning but can change throughout the audit process. These changes should be documented, and the risk assessments should be updated during the audit.

Explaining the reasons why a certain audit approach and certain audit procedures were taken on an audit is not enough without any documentation for those decisions. Documentation of the risk assessments that lead to those audit approaches and audit procedures are necessary for an audit to be in compliance with the risk assessment standards.

Michael Caro

Michael Caro, Jr., CPA, CFE, PSA, is a partner at Bederson LLP. He is a member of the NJCPA.

This article appeared in the Fall 2021 issue of New Jersey CPA magazine. Read the full issue.

What is risk assessment planning?

What is the risk assessment?

What is risk assessment in internal audit?

How do you perform a risk assessment procedure in auditing?