
The risk suite: This teenager can mitigate liability angst.

Issued in 2006, AICPA Statements on Auditing Standards Nos. 104-111 introduced a new approach to audit planning. This set of standards, collectively referred to as the "risk assessment standards" or "risk suite," requires auditors to identify, assess, and document the risks of material misstatement in the client's financial statements through gaining an understanding of the client, its environment, and its internal controls. The risk assessment standards also require auditors to design the nature, timing, and extent of audit procedures in response to these risks.

Now 13 years old, like most teenagers, the risk assessment standards struggle to be understood. Failure to appropriately apply the risk assessment standards can lead to insufficient or inappropriate audit procedures, which may result in undetected, material financial statement errors. Investors, shareholders, lenders, or others relying upon the misstated financial statements could bring a professional liability claim against the auditors. Further, lack of compliance with professional standards may weaken the CPA's credibility in the defense of a claim. Consider the following:
   A governmental agency that had been audited by the same CPA firm for many years uncovered an employee embezzlement of more than $1 million during a five-year period. The agency brought a claim against the firm asserting it should have detected the theft and alerted the agency. Upon review of the firm's workpapers, it became apparent the CPA knew the embezzler had full access to bank accounts, blank checks, check-writing software, a check printer, and the requisite signature stamps. The embezzler also controlled the general ledger and had bank statements delivered directly to his desk. While the firm's planning documentation identified a lack of segregation of duties as an internal control deficiency, it did not correlate the deficiency to the increased risk of material misstatement and related audit procedures performed. It also appeared the firm's audit programs, from a third-party practice aid provider, were not tailored to the client engagement. This fact was highlighted by the plaintiff's attorney to demonstrate a lack of critical thinking. Ultimately, the firm settled the claim, learning an expensive lesson in how not to apply the risk assessment standards.


The introduction of the risk assessment standards represented a significant shift for many auditors. While many may wish that this opinionated, independent teenager would just go away, the risk assessment standards are here to stay. So what can CPAs do to prevent sleepless nights and gray hair caused by unwanted risk assessment standards stress? The most common issues in professional liability claims relate to a misunderstanding of the risk assessment standards, lack of follow-through in their application, and poor documentation.

UNDERSTANDING THE RISK ASSESSMENT STANDARDS: ASSESSING THE RISK OF MATERIAL MISSTATEMENT

The fundamental purpose of an audit of financial statements is to provide an opinion as to whether the financial statements as a whole are free of material misstatement. Audit procedures are performed to reduce audit risk--the risk that the financial statements contain a material misstatement, or the risk of material misstatement (RMM)--to an acceptable level. Recall that:

Audit risk = RMM x Detection risk, where RMM = Inherent risk x Control risk

Detection risk, the risk that an auditor fails to detect a material misstatement, is the only part of the equation affected by the auditor and is a direct function of the assessed control risk. If control risk is improperly assessed, the auditor's detection risk also may be improper, thus affecting the auditor's ability to detect an error or omission. The result of the failure to evaluate vulnerabilities is increased professional liability risk.

Just like a teenager, an entity needs boundaries. Those boundaries take the form of internal controls. All entities have them, irrespective of their size or complexity. For example, a business owner monitors company results, a controller may reconcile cash, or login credentials may be required to access the organization's system. Understanding relevant controls and evaluating their design and implementation is required by generally accepted auditing standards (AU-C §315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, ¶.14). At a high level, this understanding begins with an assessment of inherent risk, or what could go wrong in the entity's financial statements. Next, auditors identify existing controls and their potential effectiveness in mitigating those risks. Finally, auditors evaluate whether the identified controls are capable of effectively preventing or detecting and correcting material misstatements. If control risk is not assessed properly, neither is RMM. In addition, a deficiency in or lack of internal controls, especially those related to cash handling and payment processing, should be communicated to the client, annually if necessary. Professional liability claim experience has demonstrated that clients tend to direct blame toward auditors who failed to point out an internal control weakness that may have enabled an employee theft to occur.

APPLICATION OF RISK ASSESSMENT STANDARDS: EVALUATING AND TESTING CONTROLS

Anton Chekhov said, "Knowledge is of no value unless you put it into practice." Knowledge about a client's significant risks, internal control operation, and areas of higher RMM is important. If it is not used by auditors to tailor their audit programs, the knowledge loses its value. Many firms conduct risk assessment and internal control evaluation procedures but do not appropriately respond to their findings. Audit programs should be tailored to respond to the assessed level of risk. This involves more than the selection of a set of programs from a practice aid; a sound protocol also includes an evaluation of whether the selected procedures actually address the level of risk identified in the risk assessment process.

In addition to information gleaned during the audit planning and risk assessment process, auditors are required to react to and evaluate other information that comes to their attention, regardless of timing during the audit. If information arises that may change the level of risk, the nature, timing, or extent of audit procedures should be revisited. This helps maintain detection risk at an acceptable level. Examples of such additional information include a failed compliance test, significant unexpected adjusting journal entries, or sudden economic changes. Consequently, constant vigilance throughout the engagement is necessary. You may give your teens some freedom, but you still need to monitor them closely.

DOCUMENTATION

Peer reviewers and defense experts who opine on the standard of care cite numerous examples wherein a lack of documentation led to a failed peer review or a professional liability claim that proved difficult to defend. Indeed, "documentation deficiency" is a concept older than the risk assessment standards. In the absence of documentation, it is easy to argue that a required auditing standard was not followed. Audit documentation of risk assessment procedures should follow a trail that runs from initially assessing risks, to identifying and assessing controls that could mitigate those risks, and finally to designing and performing audit procedures based upon the identified risks. The AICPA Risk Assessment Resources page (available at tinyurl.com/y23rbdnq) is a good place to begin your journey toward tightening your procedures and documentation.

FINAL NOTES

To quote Warren Buffett: "Risk comes from not knowing what you are doing." Auditors should use the skills, knowledge, and experience they have accumulated over years of practice to reduce professional liability exposure. For example:

* Study the relevant auditing standards to know what is required.

* Know how to use the information you accumulate.

* Execute your plan.

Take a big-picture look at the firm's methodology. Are there opportunities to tighten up audit planning and performance to enable a prudent third party to conclude that the procedures performed produced adequate evidence to reduce audit risk to an acceptably low level? This process leads to a more compliant audit that often has the added benefit of being more efficient. Notably, you also will have a much better idea of what you are doing in your audits.

Matt Mitzen, CPA, CFE, is a risk control consulting director at CNA. For more information about this article, please contact specialtyriskcontrol@cna.com.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.

This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

Risky business

1 in 10

The proportion of firms that failed to comply with AU-C Section 315 or AU-C Section 330, according to data collected by the AICPA Peer Review Program in 2016.

Source: "Taking the Risk Out of Risk Assessment," JofA, Aug. 2018, tinyurl.com/yaydfey5.
COPYRIGHT 2019 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2019 Gale, Cengage Learning. All rights reserved.

Article Details
Author:Mitzen, Matt
Publication:Journal of Accountancy
Date:Aug 1, 2019