Can the Auditor exclude controls from the relevant risk assessment?

Peer Review results indicate that some auditors believe they can default control risk assessments to "maximum" without any consideration of their client's controls. But is this the right approach? Many will be shocked to learn that the answer is "no."

Auditors should not default to any level of control risk. An auditor should have a reasonable basis for his or her assessment of control risk, regardless of the assessment level. Defaulting to a control risk assessment of "maximum" without evaluating the design and implementation of relevant controls could lead an auditor to failing to identify risks that are relevant to the audit. The evaluation of the design of controls and the determination of whether the controls are implemented provide the basis for designing an effective response to the risk of material misstatement. The auditor's strategy may or may not include testing the operating effectiveness of controls. In other words, a substantive audit approach may be implemented as long as your audit procedures are responsive (and linked) to the assessed risks of material misstatement.

Peer Review results also indicate that some auditors believe they can lower their control risk assessment without testing whether the controls are operating as designed, but that's not true. If the auditor's response (i.e., substantive procedures) to the assessed risk of material misstatement is based on an expectation that controls are operating effectively, then the auditor is required to perform tests of the controls upon which reliance is placed.

Evaluating control design and implementation is not the same thing as testing the operating effectiveness of those controls. Many auditors confuse the terms "implementation" and "operating effectiveness," but as paragraph .A77 of AU-C Section 315 states, "obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit."

Misstep No. 5: Failing to link further procedures to control-related risks

Once the auditor has assessed the risks of material misstatement including risk associated with the client's internal control, his or her next step will be to design and perform further audit procedures that are responsive to the client's risks. The auditor should not simply perform the same procedures that were required for another client in the same industry or even those audit procedures performed in the prior year.

To illustrate, consider two clients in the manufacturing industry. For both clients, the auditor has assessed the risks of material misstatement related to the rights and obligations assertion in the accounts payable balance as maximum.

Client A's bookkeeper records all invoices in the accounting system once the invoice is received. Because the invoices are not matched to a purchase order or otherwise reviewed to confirm their validity, the auditor determines that Client A's controls over the recording of accounts payable are ineffectively designed. A specific concern is the risk of recording fictitious invoices. Alternatively, Client B's bookkeeper records all invoices for authorized purchase orders in the accounting system when the invoice is paid. Because recording of invoices is delayed until payment occurs, the auditor determines that Client B's controls are ineffectively designed because a risk of unrecorded liabilities exists. While both clients are in the same industry and both have maximum risks of material misstatement related to the accounts payable rights and obligations assertion, they may require two very different audit responses.

Client A's auditor may determine that the best way to lower detection risk would be to compare invoices received from vendors with a listing of approved vendors and purchase orders. Conversely, Client B's auditor may lower the threshold amount in performing a search for unrecorded liabilities.

Tips to help comply with AU-C sections 315 and 330

When performing future audit engagements, auditors should be sure to:

• Obtain a robust understanding of the client's system of internal control;
• Identify controls relevant to the audit;
• Evaluate the design effectiveness of each relevant control and determine whether the controls have been implemented as designed;
• Identify and assess the client's risks of material misstatement (including control risk) at the assertion level;
• Design and perform audit procedures that are responsive to the assessed risks; and
• Document the linkage between the assessed risk and the audit procedures.

Following these tips will help drive high-quality, efficient audits that conform to the standards. For more help, visit aicpa.org/internalcontrol for free tools and resources on internal controls.

About the authors

Deana Thorps, CPA, is a manager; Hiram Hasty, CPA, CGMA, is a senior technical manager; and Bob Dohrer, CPA, CGMA, is chief auditor, all for the Association of International Certified Professional Accountants.

To comment on this article or to suggest an idea for another article, contact Ken Tysiac, the JofA's editorial director, at [email protected] or 919-402-2112.

AICPA resources

Articles

• "Taking the Risk Out of Risk Assessment," JofA, Aug. 2018
• "EBP Audits: Don't Let Your Guard Down," JofA, July 2018
• "4 Strategies for Efficient, Effective Audit Documentation," JofA, Nov. 2017

Publication

• Assessing and Responding to Audit Risk in a Financial Statement Audit: Audit Guide (#AAGARR16P, paperback; #AAGARR16E, ebook; #WRA-XX, online subscription)

CPE self-study

• Risk Assessment Deep Dive: How to Avoid Common Missteps (#157000, online access)
• Internal Control and Risk Assessment: Key Factors in a Successful Audit (#164222, online access)
• Internal Control: How Does It Impact an Audit? (#165800, online access)

For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.

What is the auditor's responsibility in connecting with control risk?

Can control risk be controlled by the auditor?

Why would an auditor not test controls?

How is control risk assessed by an auditor?