Risk Assessment: A Critical Part of the Audit Process

Audit season is right around the corner for calendar-year entities. Here’s what your auditor is doing behind the scenes during the risk assessment process — and how you can help facilitate the planning process.

What Is Audit Risk?

Every audit starts with assessing “audit risk.” This refers to the likelihood that the auditor will issue an adverse opinion when the financial statements are actually in accordance with U.S. Generally Accepted Accounting Principles (GAAP) or (more likely) an unqualified opinion when the opinion should be either modified or adverse.

Auditors can’t test every transaction, recalculate every estimate, or examine every external document. Instead, they tailor their audit procedures and assign audit personnel to keep audit risk as low as possible.

The Role of an Auditor

The auditor’s role is to attest to your company’s financial statements. Specifically, your audit firm assures that your financial statements are “fairly presented in all material respects, compliant with GAAP, and free from material misstatement.”

Unqualified (or clean) audit opinions require detailed substantive procedures, such as confirming accounts receivable balances with customers and conducting test counts of inventory in the company’s warehouse. Generally, the more rigorous the auditor’s substantive procedures, the lower the likelihood of the audit team failing to detect a material misstatement.

Inherent Risk vs. Control Risk

Auditors evaluate two types of risk:

  1. Inherent risk. This is the risk that material departures could occur in the financial statements. Examples of inherent risk factors include complexity, volume of transactions, competence of the accounting personnel, company size, and use of estimates.
  2. Control risk. This is the risk that the entity’s internal controls won’t prevent or correct material misstatements in the financial statements.

Separate risk assessments are done at the financial statement level and then for each major account — such as cash, receivables, inventory, fixed assets, other assets, payables, accrued expenses, long-term debt, equity, and revenue and expenses. A high-risk account (say, inventory) might warrant more extensive audit procedures and be assigned to more experienced audit team members than one with lower risk (say, equity).

How Auditors Assess Risk

New risk assessments must be done yearly, even if the company has had the same auditor for many years. That’s because internal and external factors may change over time. For example, new government or accounting regulations may be implemented, and company personnel or accounting software may change, causing the company’s risk assessment to change. As a result, audit procedures may vary yearly or from one audit firm to the next.

The risk assessment process starts with an auditing checklist and, for existing audit clients, last year’s work papers. However, auditors must dig deeper to determine current risk levels. In addition to researching public sources of information, including your company’s website, your auditor may call you with a list of open-ended questions (inquiries) and request a walk-through to evaluate whether your internal controls are operating as designed. Timely responses can help auditors plan their procedures to minimize audit risk.

Your Role During the Audit Process

Audit fieldwork is only as effective as the risk assessment. Evidence obtained from further audit procedures may be ineffective if it’s not properly linked to the assessed risks. So, it’s important for you to help the audit team understand the risks your business is currently facing and the challenges you’ve experienced reporting financial performance, especially as companies implement updated accounting rules in the coming years.

Contact us to get help with your risk assessment process.

Identifying and Reporting Critical Audit Matters

In July, the (PCAOB) published two guides to help clarify a new rule that requires auditors of public companies to disclose critical audit matters (CAMs) in their audit reports. The rule represents a major change to the brief pass-fail auditor reports that have been in place for decades. One PCAOB guide is intended for investors, the other for audit committees. Both provide answers to frequently asked questions about CAMs.

What is a critical audit matter?

CAMs are the sole responsibility of the auditor, not the audit committee or the company’s management. The PCAOB defines CAMs as issues that:

  • Have been communicated to the audit committee,
  • Are related to accounts or disclosures that are material to the financial statements, and
  • Involve especially challenging, subjective or complex judgments from the auditor.

Examples might include complex valuations of indefinite-lived intangible assets, uncertain tax positions and goodwill impairment.

Does reporting a CAM indicate a misstatement or deficiency?

Critical audit matters aren’t intended to reflect negatively on the company or indicate that the auditor found a misstatement or deficiencies in internal control over financial reporting. They don’t alter the auditor’s opinion on the financial statements.

Instead, CAMs provide information to stakeholders about issues that came up during the audit that required especially challenging, subjective or complex auditor judgment. Auditors also must describe how the CAMs were addressed in the audit and identify relevant financial statement accounts or disclosures that relate to the CAM.

CAMs vary depending on the nature and complexity of the audit. Auditors for companies within the same industry may report different CAMs. And auditors may encounter different CAMs for the same company from year to year.

For example, as a company is implementing a new accounting standard, the issue may be reported as a CAM, because it requires complex auditor judgment. This issue may not require the same level of auditor judgment the next year, or it might be a CAM for different reasons than in the year of implementation.

When does the rule go into effect?

Disclosure of CAMs in audit reports will be required for audits of fiscal years ending on or after June 30, 2019, for large accelerated filers, and for fiscal years ending on or after December 15, 2020, for all other companies to which the requirement applies.

The new rule doesn’t apply to audits of emerging growth companies (EGCs), which are companies that have less than $1 billion in revenue and meet certain other requirements. This class of companies gets a host of regulatory breaks for five years after becoming public, under the Jumpstart Our Business Startups (JOBS) Act.

Moving target

Critical audit matters may change from year to year, based on audit complexity, changing risk environments and new accounting standards. Each year, auditors determine and communicate CAMs in connection with the audit of the company’s financial statements for the current period.

A significant event — such as a cybersecurity breach, a hurricane or the COVID-19 pandemic — may cause the auditor to report new CAMs. Though such an event itself may not be a CAM, it may be a principal consideration in the auditor’s determination of whether a CAM exists. And such events may affect how CAMs were addressed in the audit.

More information on critical audit matters

For more information on critical audit matter reporting contact us.

Internal Control Testing

Auditors must test the effectiveness of internal controls before signing off on your financial statements. But it’s impossible to analyze every transaction that’s posted to the general ledger, due to time and budget constraints. Instead, auditors select and analyze a representative sample of transactions to make assertions about the entire population. Here’s more on how sampling works — along with the pros and cons of using it during internal control testing.

Picking a sample

Auditors may use statistical techniques to develop a sample of transactions to test. For example, an auditor might select enough transactions to represent a specific percentage of 1) the total transactions in an account, or 2) the company’s total assets or revenue. Alternatively, a sample of transactions may be pulled randomly using statistical sampling software.

Auditors also can use nonstatistical sampling techniques based on a dollar threshold or professional judgment. These techniques tend to be more effective when the CPA has many years of audit experience to ensure that the sample chosen is representative of the population of transactions.

Unexpected outcomes

Before analyzing a sample, your auditor has expectations about the number of “exceptions” (such as errors and omissions) that will appear in the sample. If the actual exceptions exceed the auditor’s expectation, he or she may need to perform additional procedures. For instance, your auditor might expand the sample and conduct more testing to assess the degree of noncompliance.

Ultimately, your auditor might conclude that your internal controls are ineffective. If so, he or she will perform more work to estimate the magnitude of the control failure.

Pros vs. cons

Sampling helps keep audit costs down by streamlining the internal control testing process. It also reduces disruptions to business operations during audit fieldwork. When applied correctly, the results of sampling are theoretically as accurate as if the audit team had analyzed every transaction posted to the general ledger. But, in practice, sampling can sometimes cause problems during internal controls testing.

For example, sampling presumes that controls function consistently across the whole population of transactions. If an exception doesn’t appear in the sample — because the sample was too small or otherwise unrepresentative of the entire population — your audit team could reach the wrong conclusion about the effectiveness of your internal controls.

There’s also a risk that your internal audit team could rely too heavily on nonstatistical sampling. Relying more on judgment than statistical methods could result in errors, especially if an auditor lacks professional experience.

A collaborative process

You can help maximize the benefits of sampling by providing the audit team with document requests in a timely manner and following up on your auditor’s management points at the end of each year’s audit. It’s frustrating to both auditors and business owners when internal control weaknesses recur year after year. Our auditors have extensive experience testing internal controls, and we’d be happy to answer any questions you have on testing and sampling techniques. Contact us to get started.

Top 40 Questions to Ask Your Accountant

Whether you’re a business owner or an individual planning for the future, knowing the right questions to ask your accountant gives you a powerful advantage. Having a list of both current and future questions to discuss during your time together will help keep you efficient, prepared, and on track to meet your financial goals. Here is our list of Top 40 Questions to Ask your Accountant.

20 Questions for a Business to Ask Their Accountant

1. How does the legal structure of my business affect my taxes?

2. Am I on track for my growth goals?

3. What are the industry-specific tax regulations that I should know about?

4. What can I cut down for better cash flow?

5. Do you have any recommendations on collection policies for faster sales?

6. Should I consider seeking equity or debt financing?

7. Do I need an employee benefit plan audit?

8. Do you have referrals for lenders and investors?

9. Do I need a financial statement audit?

10. Do I qualify for R&D credits?

11. How can I avoid red flags or mishaps with my returns or audit?

12. What are my best choices for valuing inventory for tax purposes?

13. When do I need to start paying estimated taxes?

14. What accounting software do you recommend?

15. What is my breakeven point?

16. How can I be prepared for the upcoming tax season?

17. How long do I need to keep my business records?

18. What qualifies as a business deduction?

19. How is my business impacted by the 2017 Tax Reform Act?

20. Am I required to collect sales tax?

20 Questions for an Individual to Ask Their Accountant

1. What information and/or records should I keep, what can I toss, and how long should I hold on to the retained documents?

2. How will the 2017 Tax Reform Act affect me?

3. Can I deduct my car for any of my business purposes?

4. What direct business expenses can I deduct and are there any limitations?

5. How much of my household bills and/or equipment is deductible as a business expense?

6. When should I set up my estate and trust?

7. Should I consider charitable donations as a transfer of wealth?

8. How many dependents can I claim?

9. Are there any deductions that I am not currently claiming that I should?

10. How often should I consult with you about my taxes?

11. Can you help me estimate my taxes for the upcoming year?

12. Should I increase my 401(k) contributions?

13. Should I change my tax withholding?

14. Do you have recommendations for a financial advisor?

15. Am I on track for my retirement goals?

16. What is the best way to pass my wealth to my children?

17. What can I do to protect my dependents from tax implications upon my death?

18. What sort of events in my life are important for you to know?

19. I own my business, what steps should I take to separate my business and personal expenses?

20. What can I do to maximize my deductions better?

Have questions for us? Contact us for help.

Internal Audit vs External Audit

What’s the difference between internal and external audit?

Here is a simplified comparison:

External Audit:

  • Greater focus is on financial records
  • Goal is to determine if the financial accounts give a fair reflection of the company’s financial position
  • Selection is done by management or audit committee/board of directors.  Shareholder approval is required
  • Audit report is primarily used by stakeholders such as investors and creditors
  • Performed by outside audit firm
  • Point-in-time audit, usually annually
  • Opinion is based on historical data
  • Usually mandated by a statute

Internal Audit:

  • Greater focus is on business processes
  • Goal is to determine if business processes are helping the company to manage its risks and meet its objectives
  • Selection is done by management or audit committee/board of directors.  Shareholder approval is not required
  • Audit report is primarily used by management
  • Performed by company employees or outsourced
  • Usually conducted year-round or ad hoc
  • Opinion is based on current controls.  Also forward-looking improvement opportunities are usually communicated
  • Usually discretionary

While the list above displays their differences, there are also similarities. The first similarity is that both plan their audit effort around the areas that pose the highest risk to the achievement of company objectives. The second similarity is that both types of audits assess internal controls to determine if they are in place and working to ensure the reliability of financial data. Internal audits, which have a heavier focus on controls, usually add coverage of controls that help ensure effectiveness and efficiency of operations, compliance with laws and regulation, and safeguarding of assets. A third similarity is that both types of audits are performed in accordance to certain professional standards — such as the Statement on Auditing Standards for external audits and the International Standards for the Professional Practice of Internal Auditing for internal audits.

With all their similarities and differences, both types of audit services can play an important role in creating an effective governance structure and can help contribute to the company’s success. If you have questions about the internal or external audit process, please contact us.