Audit risk assessment continues to be misunderstood for several firms
April 2, 2019 | Faye Hayhurst, CPA
Effective Oct. 1, 2018, peer reviewers began applying new guidance approved in August by the AICPA Peer Review Board. This new guidance took aim at an area that has apparently been misunderstood by many CPAs for a very long time.
What is this area? Audit risk assessment.
In the past, peer reviewers may have noted some gaps in risk assessment documentation, but they often gave a firm credit if they could infer the firm’s assessment of risk by the audit procedures performed. However, audit standards require documentation of the consideration and assessment of risk, and peer reviewers are now holding firms to that standard. This means that missing required documentation will be identified as a matter, and possibly a finding or a deficiency, depending on whether the omission is isolated, systemic, or accompanied by other deficiencies.
Examples of common matters identified related to risk assessment are:
- Failure to identify or document the identified risks of material misstatement (RMM), including any significant risks.
- Failure to assess or document the assessment of risk at both the relevant assertion level and the financial statement level.
- Failure to perform or document the performance of procedures that address identified significant risks, or failure to perform anything beyond “basic” procedures when the basic procedures don’t address the RMM.
- Failure to properly document the firm’s identification and assessment of the RMMs and response thereto.
- Failure to evaluate the design and implementation of controls relevant to the audit.
So how have Minnesota and North Dakota firms been faring on risk assessment? Approximately 34 peer reviews subject to the new guidance have been presented to MNCPA Report Acceptance Bodies (RABs) through Feb. 15. Of those 34, ten were found to have findings or deficiencies related to risk assessment. That’s nearly 30 percent of reviews presented, which is worthy of a Scandinavian “Uff da!”
Of the ten:
- Two firms received a fail report.
- Three firms received a pass with deficiency report.
- Five firms received a pass report.
To help firms better understand the audit risk assessment requirements of AU-C 315 and 330, the AICPA has created a 3.5 credit online, on-demand course tailored to address the common misconceptions. This course is being assigned by RABs for firms where risk assessment gaps have been detected by the peer reviewer.
Any CPA who isn’t sure their firm’s audit risk assessment meets the standards should check out this course, Risk Assessment Deep Dive: How to Avoid Common Missteps,
before the next visit by a peer reviewer.
Topics: Peer Review, Regulation
Faye Hayhurst, CPA
Faye Hayhurst is the MNCPA director of finance and administration. She is committed to using numbers to tell relevant stories, although she also employs words, charts and occasionally clothing to communicate a message. While some have questioned her about the pressures of being the CPA for the MNCPA, Faye considers presenting financial information to fellow CPAs a dream job. Outside of storytelling with numbers, Faye enjoys directing her church's handbell choir, visiting national parks and other scenic places, and checking out the chocolate products at Trader Joe's. Faye can be reached at 952-885-5540 or email@example.com.
Posts by this author