Risk Assessment in Auditing

Existing approach to risk assessment in audits of financial statements

Auditing standards require accountants to obtain an understanding of the client’s business and assess the risks of material misstatements to properly design and execute substantive procedures and tests of the operating effectiveness of controls. The process of risk assessment continues throughout the audit. Generally, when changes in facts and circumstances are identified, risks should be reassessed, and the accumulated body of audit evidence should be re-evaluated in the context of the revised risk assessment.

Photo by Aron Visuals on Unsplash

The totality of all work performed by auditors must provide sufficient evidence for another qualified person to conclude that the remaining risks of material misstatements have been reduced to an acceptable level. Typically, auditors do not test the full population of journal entries, accounting objects, or instances of control execution; rather, they test selected samples. Sampling allows auditors to reduce the assessed risk of misstatements in the population by using statistical methods.

Substantive procedures, tests of operating effectiveness, and risk assessment procedures are all part of a process through which auditors enhance their understanding of the business. This knowledge is essential for disaggregating available information, articulating risks associated with each disaggregated component, and determining the work required to bring the overall risk level down to an acceptable threshold. Auditors iteratively analyze accounting data and continuously reassess risks until those risks become negligible.

The problem is that this approach treats the assessment of risks of material misstatement and the design of responses to those risks as two sequential phases. This approach does not recognize:

• The holistic nature of risk assessment,

• The non-pervasive nature of substantive testing, and

• The interaction between the two.

Until the 1980s, risk assessment procedures were not explicitly required by audit standards. When these requirements were first introduced in U.S. auditing standards, risk assessment procedures were expected to precede substantive tests rather than be integrated into them. The assessed risks were—and continue to be—viewed as factors influencing the nature, extent, and timing of audit tests. This approach has overemphasized the role of due effort in determining audit quality.

What is missing is:

• The impact introduced by the risk assessment activities themselves is ignored.

• The risk assessment work lacks continuity, leading to incomplete risk identification.

• Procedures performed by teams add very little value because they are not designed to integrate the reassessment of risks.

The thing is…

• Substantive procedures are part of the risk assessment phase of an audit.

• Substantive audit procedures as a separate phase of an audit engagement are an unnecessary, rudimentary requirement that does not enhance audit value but does reduce efficiency.

I would argue that the mere use of statistical methodologies and sampling techniques suggests that substantive audit tests, in essence, are the same as the risk assessment procedures executed during the audit planning stage.

Users of financial statements and auditors must understand that the purpose of audits is to ensure that the upper bound of potential misstatements—after all procedures have been performed—is not material. Much like risk assessment procedures, substantive tests are performed to gather evidence that, when evaluated in the context of other known information, may lead to a reduction in the assessed risks of material misstatements to an acceptable level. Auditors can never ensure that accounting is 100% accurate. Our goal is not to provide absolute assurance but rather reasonable assurance that financial statements contain only misstatements that are not material, whether individually or in aggregate.

We may be able to integrate substantive tests with risk assessment to ensure the continuity of risk assessment while simultaneously improving the efficiency of substantive testing procedures and enhancing audit quality. This is why I believe that reintroducing substantive tests as part of risk assessment can both increase the quality of risk assessment and reduce the scope of the remaining audit work.