The risk suite: This teenager can mitigate liability angst
By Matt Mitzen, CPA
Issued in 2006, AICPA Statements on Auditing Standards Nos. 104–111 introduced a new approach to audit planning. This set of standards, collectively referred to as the "risk assessment standards" or "risk suite," requires auditors to identify, assess, and document the risks of material misstatement in the client's financial statements through gaining an understanding of the client, its environment, and its internal controls. The risk assessment standards also require auditors to design the nature, timing, and extent of audit procedures in response to these risks.
Now 13 years old, like most teenagers, the risk assessment standards struggle to be understood. Failure to appropriately apply the risk assessment standards can lead to insufficient or inappropriate audit procedures, which may result in undetected, material financial statement errors. Investors, shareholders, lenders, or others relying upon the misstated financial statements could bring a professional liability claim against the auditors. Further, lack of compliance with professional standards may weaken the CPA's credibility in the defense of a claim. Consider the following:
A governmental agency that had been audited by the same CPA firm for many years uncovered an employee embezzlement of more than $1 million during a five-year period. The agency brought a claim against the firm asserting it should have detected the theft and alerted the agency. Upon review of the firm's work papers, it became apparent the CPA knew the embezzler had full access to bank accounts, blank checks, check-writing software, a check printer, and the requisite signature stamps. The embezzler also controlled the general ledger and had bank statements delivered directly to his desk. While the firm's planning documentation identified a lack of segregation of duties as an internal control deficiency, it did not correlate the deficiency to the increased risk of material misstatement and related audit procedures performed. It also appeared the firm's audit programs, from a third-party practice aid provider, were not tailored to the client engagement. This fact was highlighted by the plaintiff's attorney to demonstrate a lack of critical thinking. Ultimately, the firm settled the claim, learning an expensive lesson in how not to apply the risk assessment standards.
The introduction of the risk assessment standards represented a significant shift for many auditors. While many may wish that this opinionated, independent teenager would just go away, the risk assessment standards are here to stay. So what can CPAs do to prevent sleepless nights and gray hair caused by unwanted risk assessment standards stress? The most common issues in professional liability claims relate to a misunderstanding of the risk assessment standards, lack of follow-through in their application, and poor documentation.
UNDERSTANDING THE RISK ASSESSMENT STANDARDS: ASSESSING THE RISK OF MATERIAL MISSTATEMENT
The fundamental purpose of an audit of financial statements is to provide an opinion as to whether the financial statements as a whole are free of material misstatement. Audit procedures are performed to reduce audit risk — the risk that the financial statements contain a material misstatement, or the risk of material misstatement (RMM) — to an acceptable level. Recall that:
Audit risk = RMM × Detection risk, where
RMM = Inherent risk × Control risk
Detection risk, the risk that an auditor fails to detect a material misstatement, is the only part of the equation affected by the auditor and is a direct function of the assessed control risk. If control risk is improperly assessed, the auditor's detection risk also may be improper, thus affecting the auditor's ability to detect an error or omission. The result of the failure to evaluate vulnerabilities is increased professional liability risk.
Just like a teenager, an entity needs boundaries. Those boundaries take the form of internal controls. All entities have them, irrespective of their size or complexity. For example, a business owner monitors company results, a controller may reconcile cash, or login credentials may be required to access the organization's system. Understanding relevant controls and evaluating their design and implementation is required by generally accepted auditing standards (AU-C §315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, ¶.14). At a high level, this understanding begins with an assessment of inherent risk, or what could go wrong in the entity's financial statements. Next, auditors identify existing controls and their potential effectiveness in mitigating those risks. Finally, auditors evaluate whether the identified controls are capable of effectively preventing or detecting and correcting material misstatements. If control risk is not assessed properly, neither is RMM. In addition, a deficiency in or lack of internal controls, especially those related to cash handling and payment processing, should be communicated to the client, annually if necessary. Professional liability claim experience has demonstrated that clients tend to direct blame toward auditors who failed to point out an internal control weakness that may have enabled an employee theft to occur.
APPLICATION OF RISK ASSESSMENT STANDARDS: EVALUATING AND TESTING CONTROLS
Anton Chekhov said, "Knowledge is of no value unless you put it into practice." Knowledge about a client's significant risks, internal control operation, and areas of higher RMM is important. If it is not used by auditors to tailor their audit programs, the knowledge loses its value. Many firms conduct risk assessment and internal control evaluation procedures but do not appropriately respond to their findings. Audit programs should be tailored to respond to the assessed level of risk. This involves more than the selection of a set of programs from a practice aid; a sound protocol also includes an evaluation of whether the selected procedures actually address the level of risk identified in the risk assessment process.
In addition to information gleaned during the audit planning and risk assessment process, auditors are required to react to and evaluate other information that comes to their attention, regardless of timing during the audit. If information arises that may change the level of risk, the nature, timing, or extent of audit procedures should be revisited. This helps maintain detection risk at an acceptable level. Examples of such additional information include a failed compliance test, significant unexpected adjusting journal entries, or sudden economic changes. Consequently, constant vigilance throughout the engagement is necessary. You may give your teens some freedom, but you still need to monitor them closely.
Peer reviewers and defense experts who opine on the standard of care cite numerous examples wherein a lack of documentation led to a failed peer review or a professional liability claim that proved difficult to defend. Indeed, "documentation deficiency" is a concept older than the risk assessment standards. In the absence of documentation, it is easy to argue that a required auditing standard was not followed. Audit documentation of risk assessment procedures should follow a trail that runs from initially assessing risks, to identifying and assessing controls that could mitigate those risks, and finally to designing and performing audit procedures based upon the identified risks. The AICPA Risk Assessment Resources page (available at aicpa.org) is a good place to begin your journey toward tightening your procedures and documentation.
To quote Warren Buffett: "Risk comes from not knowing what you are doing." Auditors should use the skills, knowledge, and experience they have accumulated over years of practice to reduce professional liability exposure. For example:
Study the relevant auditing standards to know what is required.
Know how to use the information you accumulate.
Execute your plan.
Take a big-picture look at the firm's methodology. Are there opportunities to tighten up audit planning and performance to enable a prudent third party to conclude that the procedures performed produced adequate evidence to reduce audit risk to an acceptably low level? This process leads to a more compliant audit that often has the added benefit of being more efficient. Notably, you also will have a much better idea of what you are doing in your audits.