Risk assessment matters demystified

December 1, 2018

By Laura Hay

Data gathered from 2016 AICPA Peer Review Matters for Further Consideration show that more than one in 10 audits reviewed failed to comply with AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, or AU-C section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained.

More than 12 years after the issuance of what are commonly referred to as the Risk Assessment Standards, the Ohio Society of CPAs' technical reviewers are skeptical that one in 10 practitioners do not understand how to conduct a risk assessment in the audit. Instead, they believe the violations are most frequently a matter of practical implementation and documentation, an area where reviewers can help by providing guidance on application.

Peer reviews conducted in Ohio indicate that many firms still believe documentation is not required, that an audit program sign-off is adequate documentation, or that documentation can be supplemented by verbal explanation or addition.

Understanding the value

Let’s presume the core steps in a risk assessment are functions the experienced auditor has likely always performed (but might not have demonstrated in the workpapers). How can we bridge documentation requirements to a value-added process rather than a compliance burden? Gaining an understanding of the client’s business, its internal control systems, and threats to accurate accounting and reporting are essential quality audit practices, but they might not be adequately linked to a volume of checklists that staff prepare.

In fact, over-reliance on staff (who often have only a rudimentary knowledge of the COSO framework) almost guarantees that they will improperly handle the risk assessment and poorly document it. Without good leadership and involvement of engagement managers and partners during this process, the assessment is almost certain to be inadequate. Involvement of experienced personnel cannot consist only of pre-issuance reviews; it must extend into the planning process.

Increasing the risk assessment’s effectiveness requires connecting the work to the basic objectives of the standards:

Identifying risks of material misstatement

This section includes:

  • Performing risk assessment procedures, including inquiries of management
  • Considering the risk of material misstatement from fraud
  • Having a discussion with the engagement team about the potential for material misstatement of the entity’s financial statements


If the workpapers do not capture a conversation with management, the audit team's brainstorming, or a conversation with management regarding the potential for fraud or the significant risks they identified during the engagement, it's presumed that the team never had those conversations. Not documented? Not done.

Excerpted from the article published in the December 2018 / January 2019 edition of The Accountant, reprinted with permission from the September/October 2018 issue of CPA Voice, a publication of the Ohio Society of CPAs. Read the full story: Risk assessment matters demystified (PDF)
