A refreshed focus on risk assessment Audit firms may have to change some processes in response to a new standard and pandemic-fueled changes to the environment. By Ken Tysiac January 1, 2022

aden     2022-01-09 10:30     199

Tracy Harding, CPA, was on his way to work and looking forward to completing an audit he was working on. But on the way in, he heard a news report that changed the objective of his day. A local business was unexpectedly closing its doors and happened to be a significant customer of Harding's audit client. The plans for Harding's day had changed — he would be revisiting risks associated with receivables and reassessing the allowance for bad debts. "I recognized we'd have to assess the impact on the audit," recalled Harding, a principal with BerryDunn in Bangor, Maine, who is chair of the AICPA Auditing Standards Board (ASB). The last-minute change in plans illustrates that from the beginning of the audit until the very end, auditors need to be evaluating the risks in an engagement. A robust risk assessment is the key to creating an audit plan that guides the direction and procedures performed during the audit, prompting practitioners to spend their time in the right areas in the engagement. It also provides the impetus to pivot when necessary, even when confronted with new information on the day that an auditor's report is to be issued. In recognition of the foundational role of risk assessments in the pursuit of quality in engagements, the ASB in October issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (see the sidebar "New Risk Assessment Standard Has Focus on Clarity"). The new standard is designed to address an area that the peer review program has identified as challenging for auditors and has been a focus of the AICPA's Enhancing Audit Quality initiative. SAS 145 does not fundamentally change the key concepts underpinning audit risk. Rather it clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessment and, therefore, enhance audit quality. "I like to call it spending your time where you need to spend it, looking at and taking time to make sure that you put more audit effort in the areas that have greater risk, and reducing the time spent in areas that you don't have a lot of risk in," said Maria Manasses, CPA, deputy chief auditor at Grant Thornton LLP in Downers Grove, Ill., and chair of the ASB Risk Assessment Task Force. "And it's important to do that because an audit is performed within a reasonable period of time and at a reasonable cost for the benefit of timely financial reporting to users." The following considerations can help audit firms succeed in their risk assessment processes as a new standard comes into force and a pandemic-fueled shift in risks takes hold. INTERNAL CONTROL PROVIDES INSIGHT SAS 145 clarifies that the overall understanding of the entity's system of internal control is achieved through understanding, and evaluating certain aspects of, each of the following components of the system of internal control (and performing the related requirements to obtain such an understanding): The control environment. The entity's risk assessment process. The entity's process to monitor the system of internal control. The information system and communication. Control activities. SAS 145 requires a deeper understanding and clearer articulation of the auditor's evaluation of the design of controls. An understanding of controls — and the system of internal control — can provide a window into potential fraud risks and gaps in internal control that could lead to the risk of a material misstatement. Therefore, this understanding can inform the audit response. "One of the legs of the fraud risk triangle is opportunity," Harding said, "and one of the ways you can learn about opportunities is to understand where there may be inappropriate segregation of duties, for example, and you can only do that if you get in there and get an understanding of controls." NEW SIGNIFICANT RISK DEFINITION Auditors will hopefully better understand which risks should be flagged as significant risks thanks to a new definition that's included in SAS 145. Under previous standards, the definition of significant risk focused on risks that require special audit considerations (see the sidebar "6 High-Risk Areas That May Merit Extra Auditor Attention"). Under SAS 145, significant risk is defined to encompass identified risks that lie on the upper end of the spectrum of inherent risks. Although the new definition provides more clarity for practitioners to help them identify significant risks, one thing does not change: Significant risks still require special audit considerations. "I'm not sure if the standard will result in new significant risks being identified or fewer significant risks being identified by some firms," Manasses said. "I believe that it's just clarifying the definition in the context of what it's intended to be, linking it to some of the new terminology like inherent risk factors, and then giving a bit more comfort to audit teams so they know if they are identifying them as intended." PANDEMIC CONSIDERATIONS There's a lot to consider in risk assessment related to the pandemic. Client-focused concerns include going concern evaluations; changes to processes and controls related to the pandemic due to personnel working from home; availability of skilled labor; and an altered business environment and new customer demands that may create hazards but also can provide opportunities. Auditors also need to be conscious of the changes to their own processes that have occurred as a result of the pandemic, especially with regard to remote auditing. Interviews by videoconference, video inventory checks, and remote document verification processes may all work to provide sufficient appropriate audit evidence. But these methods need to be considered carefully for potential risks. Harding said SAS 145 emphasizes the link between risk assessment and the design and performance of audit procedures. This link means that auditors might need to modify audit procedures to consider additional risks in the pandemic-related environment. For example, junior audit staff who traditionally perform inventory counts may need to be supervised more closely by a more senior manager if inventory is being counted remotely rather than in person, particularly if clients are operating the cameras. AUTOMATION DRIVES INNOVATION Risk assessment is an area that's well suited for improvements in processes, completeness, and quality offered by the use of audit data analytics. "Being able to gather all the underlying data and run it through various analytical routines really provides a lot of insight into where you want to focus your attention in the audit and where there may be likely sources of misstatement," Manasses said. "You can even bifurcate your population in response to a risk by directing your attention to notable items." Visualization tools can play an important role in improving risk assessment. They can help transform a series of otherwise unnoticed numbers into a vibrant picture that tells a story about risks that merit further analysis and audit procedures. FINANCIAL REPORTING FRAMEWORK IS A KEY SAS 145 requires the auditor to understand how the financial reporting framework relates to a particular client and its internal control. FASB's new revenue recognition standard, for example, is leading auditors to pay close attention to controls that exist around contracts. "We're learning a lot more about our clients, and I knew we would, as we really get into that revenue standard," Harding said. "Better understanding of a particular client and what its controls are, how it handles contracts, and how the contracts work could affect our assessment of whether revenue is being properly recognized under the new accounting rules." This gives auditors a better understanding of a client's customers and how they provide services or products to those customers, which provides additional information on risks that can be considered in the risk assessment process. USE PRACTICE AIDS PROPERLY Third-party audit practice aids typically include language stating that they are tools to be used within the context of a broad understanding of an audit engagement. Auditors can't just sign the engagement letter, check off all the boxes on a checklist, and then issue their report. "Service providers develop material for a broad set of users, and those materials are being developed so auditors can comply with the professional standards," Manasses said. "You need to be able to take those materials and understand the methodology that's embedded within them to be able to appropriately apply them in your particular circumstances." IMPACT DEPENDS ON EXISTING METHODOLOGY SAS 145 is principles-based and agnostic with respect to methodology because there are different, perfectly valid ways to assess risks and respond to them. Nonetheless, the number of changes that SAS 145 will require a given firm to make may vary depending on the audit methodology the firm already is using. "Audit methodologies may already encompass some of the aspects within the standard," Manasses said. "And there are definitions and requirements that have been clarified through SAS 145 that may result in some differences in methodologies. But it may have a greater impact on some audit firms and a lesser impact on some others."