Risk assessment is critical to the performance of all financial statement audits. This Audit and Assurance Faculty guide explores some of the aspects of risk assessment and the auditor’s response that continue to present challenges to auditors.

Does everyone agree on what “risk assessment” means?

The idea of a “risk-based” approach to auditing is not a difficult concept: it refers to the focus of the audit process on those areas that are most at risk of material misstatement. Nevertheless, both auditors and regulators report problems in determining what constitutes a “significant” risk, a “material” risk and a “high-risk area”.

The last major revision to the risk ISAs was in 2003 and triggered significant adjustments to many firms’ methodologies. Firms of all sizes initially struggled to apply the new requirements, and there was general agreement that while there was nothing inherently difficult about the new ISAs, they were unwieldy, not an easy read, and were particularly hard to apply to smaller, less complex audits.

While the changes made as a result of clarification in 2010 helped, and firms have become used to the language of the risk ISAs, problems applying them persist, and some problems pre-date all of these changes. The standards must accommodate very large audits in all their complexity, as well as the smallest of audits. For firms auditing smaller, less complex entities, one problem is the work required on internal controls as part of understanding the business, even when a wholly substantive approach is taken.

Why are those responsible for audit quality within firms concerned with risk assessment?

Those responsible for audit quality within firms are concerned with risk assessment for the following reasons:

  • it is fundamental to all audits;
  • there are many high-level qualitative terms (such as “significant”) used in ISAs to describe categories of risk and how they are to be dealt with, but it is down to audit firm methodologies to determine how these terms are to be applied;
  • there are natural variations within firms in terms of how audit teams interpret the requirements of ISAs and methodologies when identifying risks and determining the response required; and
  • even where the risk and response are clearly identified at the planning stage, there is sometimes an unwillingness to face up to difficult issues. This may result in auditors auditing “around” the issues, because they are too complex, difficult or time consuming to address head on.

Which aspects of risk assessment are considered most problematic?

Appropriate risk assessments should be efficient in terms of cost and effort. Auditors need to use their judgement, assess risk appropriately and make clear links between risk assessments and the procedures they perform.

Linkages

Regulators note that the links between risk assessment, response and audit opinion could be stronger. ICAEW’s Quality Assurance Department (QAD) have reported that they cannot always see how well the auditor understands the client’s business and activities and that they sometimes identify apparently significant risks not identified as such by the firm. It is not that auditors routinely fail to identify risks altogether, but rather that despite the fact that the risks are there for all to see on the file, their significance may not be understood, or they are not followed up.

Judgement

The extensive need for the exercise and documentation of judgement challenges both audit regulators and those with responsibility for quality control within audit firms. Firms rightly defend the need for professional judgement, while emphasising the importance of consistency in the risk assessment, and the need to link risk to responses. But regulators seem to struggle with the fact that, given the same set of criteria, different outcomes are often possible. Provided the different outcomes are within reasonable parameters, this should be acceptable. However, demarcating the parameters is a judgement in its own right, requiring documentation in audit methodologies and on individual audits. Audit regulators, given their mandate, are likely to lean towards narrower parameters than auditors.

What is a “significant” risk?

Some difficulties in applying ISA requirements lie in the language used within the ISAs. For example, ISA 330 refers to assessments of risk as “significant”, and also uses terms such as “high” and “higher”. It is not clear whether a risk at an account or assertion level can be “significant” without also being “high”, or vice versa, and variations in approach are, therefore, likely.

Regulators are concerned about inconsistencies in auditor determination of what constitutes a significant risk. This lack of consistency may reflect misunderstandings among auditors or poor quality application of the ISAs, but it is also possible that ISA 315 is just not clear. ISA 315 defines a significant risk as one that, “...in the auditor’s judgment, requires special audit consideration”, and that in exercising that judgement, auditors take account of:

  • whether the risk is of fraud;
  • whether the risk relates to recent significant economic, accounting or other developments and therefore requires specific attention;
  • the complexity of transactions;
  • whether the risk involves significant transactions with related parties;
  • unusual transactions including those outside the normal course of business; and
  • subjectivity and the degree of measurement uncertainty.

While the factors to take into account may be helpful, the definition is circular (a significant risk is one that needs to be treated as significant), and it focuses on how the risk is dealt with by auditors rather than on the substantive nature of the risk itself.

How should auditors balance the judgemental and quantitative aspects of risk assessment? 

Auditors need to exercise judgement when assessing risk, but the use of judgement means that the outcome will vary. Audit regulators encourage standard-setters to develop guidance for auditors where they perceive that the exercise of judgement has led to inconsistencies. However, they sometimes treat guidance as if it is mandatory by questioning approaches that deviate from that guidance, while at the same time complaining that guidance intended to help contain the level of variation sometimes becomes a substitute for the exercise of judgement itself. It can be hard to strike a balance here. 

In practice, risk assessment always involves more than quantitative assessments. Where quantitative elements are included in firm methodologies, such as the percentages applied in assessing risk as “high”, “medium” and “low” for the purposes of sample size calculation, they are often intended as high-level boundaries designed to aid decision-making in borderline cases. They are not meant to be used rigidly or without thought. Unfortunately, they are sometimes applied as if they were “bright lines” and audit teams may, for a variety of reasons, be distracted by the mechanics of the firm’s quantitative guidelines and focus on and document those, rather than the substance of the specific risk in hand.

For example, it is easy for auditors to get bogged down in the mechanical detail of a discounted cash flow exercise. They might not take the time to stand back and question the underlying assumptions and assess the cash flow in the context of the auditor’s knowledge about the past performance of the business and in terms of the quantum and timing of returns expected. The mechanics may work, but the growth assumptions may be unreasonably optimistic, or inconsistent with past performance. 

Similarly, a firm’s risk assessment may have led a team to a small sample of items to be tested in a population of expenses, but the team may mechanically test that sample without recognising that there are significant or unusual items in the population which merit attention.

If auditors do not both address and document the substantive and judgemental aspects of the specific risks, as well as the quantitative elements of the firm’s methodology, it is very hard to show how the audit procedures chosen address the risks. More seriously, the nature of a risk may not be properly understood or assessed.

Reviewers considering the effectiveness of planning and team meetings sometimes find that a team has missed “the elephant in the room”, and has focused on the routine issues and overlooked the truly significant risks. These may relate to:

  • fundamental threats arising from changes in the wider business and economic environment in which the entity operates;
  • changes in technology or competition; or
  • the way the business is being managed, especially if it is being mismanaged.

Auditors may want to avoid appearing to make business judgements because managing the business is not their affair, but business judgements sometimes affect the audit. Effective team planning meetings may involve all participants reflecting on these issues, so that they don’t miss something that might well be obvious to a bystander.

Are regulators right to be concerned about inconsistencies in risk assessments and what is being done about it?

The use of a quantitative framework for risk assessment, together with judgemental assessments such as “high”, “medium” and “low”, is intended to facilitate consistency. The ISAs are also intended to promote consistency, but it is equally clear from regulatory reviews that regulators think there is a problem. The ISAs themselves may be part of the problem, as well as their application by auditors. Some of the concerns, however, may also reflect regulatory distrust of the natural variations in outcome that the use of judgement inevitably entails.

The key themes flagged include inconsistency in the nature and number of significant risks identified in practice, the linkage of assessed risks to responses and the fact that the requirements to obtain an understanding of internal control can be difficult to apply. There is also concern that IT risks are not sufficiently addressed in the standard.

IAASB concluded that ISA 315 therefore needed modernising to reflect these challenges and approved a revised standard in 2019.
