Risk Assessment
Risk assessment
Many audit failures are caused by bad planning and incorrect risk assessment. Unidentified significant risks could lead to material misstatements. This article addresses common pitfalls and how to address them.
Common findings: Revenue
The IRBA Public Inspections Report, 2018 identified the following common risk assessment issues relating to revenue:
• Findings related to incorrect justification for risk assessment, i.e. insufficient justification documented on the audit file regarding the assertions identified as significant risks
• Work performed did not always agree with risk assessment performed, e.g. sample size was not justified, in terms of the risk assessment performed
• Rebuttal of presumed fraud risk in revenue has become the default practice, which is an indication of a lack of professional skepticism in ensuring that sufficient appropriate audit evidence is obtained for a significant risk
• No evidence documented of assessment of internal control environment and walk-throughs performed, despite relying on controls.
Revenue is one of the most significant areas in the financial statements and auditors need to make a concerted effort to audit revenue thoroughly to avoid these common pitfalls.
Common findings: Planning
Further findings on risk assessment are included in the IRBA Public Inspections Report, 2018 relating to planning:
• Reasoning not sufficiently documented for concluding a risk rating of significant or normal
• Risk not assessed for account balances, classes of transactions and disclosures at assertion level
• No/insufficient documentation on considerations in concluding risk assessment at assertion level
• Audit work did not adequately respond to risk identified
• Risk relating to fraud in related parties, management override of controls and revenue were not appropriately addressed as significant, with no considerations on file on how this was reduced/rebutted.
Incorrect or unjustified risk assessment leads to inappropriate audit work and conclusions, and points to a lack of professional scepticism applied during the audit.
Solutions to common pitfalls
The following recommendations can help to address these common problem areas:
• Document the following:
o Reasoning for risk assessment at financial statement- and assertion level
o Rebuttal of presumed significant risks – rebuttal of the presumed fraud risk in revenue recognition should be justified at both the revenue stream and assertion level
o Professional judgment applied during risk assessment
o How professional skepticism was applied
o Assessment of control environment and design & implementation of controls
o Specific responses to significant risks
o Impact of risk assessment on sample sizes
o Clear link between risk assessment and procedures performed.
• Throughout the audit evaluate whether:
o Work performed responds to risks identified
o Testing agrees to risk assessment performed.
The risk assessment process, planned risk responses and actual work performed should be evaluated, and revised as necessary, throughout the audit. Thorough planning, supervision and review can make all the difference.
Conclusion
Risk assessment may seem very complex and daunting. Get it right by sticking to the basics and applying your common sense. If you have any questions, or need a helping hand, you are welcome to contact LEAF for expert audit and technical advice, and practical guidance.
References
1. IRBA: Public Inspections Report, 2018
2. IAASB: ISA 315 (Revised) Identifying and assessing the risks of material misstatement through understanding the entity and its environment. Effective for audits of financial statements for periods ending on or after 15 December 2013.
Need help?
If you need advice, guidance, assistance or training, our experienced specialists at LEAF are ready to help your firm to push above and beyond the norm.