Risk assessment continues to garner much attention and focus in the audit world. You may have seen the special report and FAQ documents Thomson Reuters recently published on the topic. In the AICPA Peer Review Board’s (PRB) most recent review cycle, approximately 10% of firms had engagements that didn’t comply with the auditing risk assessment requirements.
Those requirements can be found in Checkpoint’s AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained.
In response to the deficiencies in this area, the PRB made risk assessment a major focus for current and upcoming reviews. As a result, they’ve made some significant changes to peer reviewers’ audit engagement checklists. Make sure your firm is prepared for these changes!
Peer Review Checklist Changes
These new changes to the audit engagement checklist are effective for reviews beginning on or after May 1, 2019. The first general question in the checklists on audit engagement risk assessment has been expanded to cover more specific risk assessment requirements, as follows:
- Obtaining an understanding of the entity and its environment.
- Obtaining an understanding of relevant internal controls, including the design and implementation of the controls.
- Identifying and assessing risk of material misstatement at the financial statement and relevant assertion levels.
- Determining whether identified risks are significant risks.
- Evaluating the design and implementation of relevant controls.
- Documenting linkage between the assessed risks of material misstatement and the audit responses at the relevant assertion level.
- Identifying IT risks and linkage to related testing.
The checklists also now ask for identification of the three areas with the highest assessed risk of material misstatement. (It used to ask for “two to three.”)
Risk Assessment Procedures and Related Activities
The “Internal Control and Control Risks” section of the checklists has been renamed “Risk Assessment Procedures and Related Activities.” Existing questions have been changed and new questions have been added. Those new and revised questions focus on the following:
- Performing risk assessment procedures to provide a basis for identification and assessment of risk of material misstatement at the financial statement and relevant assertion levels.
- Documenting details of the auditor’s understanding of the entity and its environment.
- Obtaining an understanding of internal controls relevant to the audit.
- Identifying and assessing risk of material misstatement sufficient to provide a basis for designing and performing further audit procedures.
- Identifying fraud risks.
- Performing substantive procedures specifically responsive to the identified significant risks.
- Designing and performing further audit procedures based on, and responsive to, the assessed risks of material misstatement at the relevant assertion level.
- Updating the audit strategy and plan in response to risks identified over the course of the audit.
A question in the “Inherent Risk” section, at the beginning of Part II the checklists, was changed to clarify that the auditor’s rationale for the level of assessed risk needs to be evident in the working papers. Other wording tweaks have been made throughout the checklists to emphasize the need to assess the risk of material misstatement at the relevant assertion level. Reviewers are reminded when evaluating any “no” responses on the checklist to consider whether the errors or omissions noted are because of noncompliance with risk assessment standards or due to improper testing procedures.
Consider these changes as you prepare your firm for the next peer review cycle.
Documentation is Important
And remember, if procedures or explanations aren’t documented in your workpapers, your peer reviewers will assume that they didn’t happen. Reviewers can’t accept additional oral explanations as evidence for undocumented procedures. So, whatever you do, document, document, document!
Practical Consideration: Like this? Want more? Check out PPC’s Accounting and Auditing Update, a monthly newsletter available on Checkpoint, for our upcoming series on risk assessment issues. Contact your Thomson Reuters representative at (800) 431-9025 today to subscribe!