Audit Risk

Audit Risk Description

Audit risk is defined by standard setters, including the American Institute of Certified Public Accountants (AICPA), the Public Company Accounting Oversight Board (PCAOB), and others, as the risk that an auditor will express an inappropriate opinion on a subject matter. 

As I understand it, a certified public accountant (CPA) auditing financial statements has historically been expected to perform an audit risk assessment. Lately, given changes in the AICPA's attestation standards and changes in continuing professional education (CPE) requirements from states such as Florida, the audit risk assessment requirement has expanded to cover subject matters beyond financial statements.

Audit risk is the product of inherent risk, control risk, and detection risk (audit risk = inherent risk x control risk x detection risk). A CPA, following the standards that govern the profession, performs an "acceptance and continuance" evaluation to decide whether to accept a new client or continue a relationship with an existing one. The audit risk assessment is an integral part of that evaluation.

The audit risk assessment, which factors into the CPA's decision to accept a new client or continue with an existing one, matters to a CPA's clients and prospective clients as well. Most companies, when deciding whether to keep an existing partner (subservice organization) that performs functions essential to their operations, or to engage a new partner company for such functions, base the decision on a premise made famous by President Ronald Reagan: "Trust but verify."

If a company suspects that an existing or prospective subservice organization is not being transparent in its dealings, it may (and in my opinion should) disengage from the existing relationship or decline to engage with the prospect.

Inherent Risk

In my opinion, based on my education and experience, the inherent risks associated with company operations, compliance efforts, and financial reporting are those risks that justify a higher level of scrutiny because of their nature. For example, when workflow policies and procedures are too cumbersome, employees will tend to circumvent them in day-to-day operations. That is an inherent risk of overly complex operations.

When compliance is treated as "in addition to" rather than "a part of" operations, the likelihood of noncompliance increases. That is an inherent risk of failing to incorporate compliance measures into operations.

Certain items reported on the financial statements carry inherent risk because of their nature, such as items tied to management's bonuses, accruals, and cash balances that would allow the company to obtain lucrative loans.

Companies would be wise to identify and control for the inherent risks in their environment. CPAs must consider inherent risk when deciding whether to continue existing relationships or accept new clients.

Control Risk

To prevent, or detect and correct, the risks associated with achieving an objective, controls should be put in place that ensure, as far as possible, and otherwise reasonably assure, that the objective is achieved. Control risk is the risk that the measures put in place to prevent, or detect and correct, those risks are not effective. The CPA must consider control risk under the standards of the profession. Companies are responsible for designing, implementing, and performing the needed controls.

Detection Risk

The CPA, after considering several factors, must determine the nature, timing, and extent of the testing needed to support the opinion expressed on the subject matter. Detection risk is the risk that the testing performed by the CPA was not sufficient to provide a reasonable basis for the opinion expressed. Determining the nature, timing, and extent of the testing needed to address detection risk is solely the responsibility of the CPA.

Conclusion

Organizations should not assume that audit risk has implications only for the CPA. The same audit risk assessment that factors into the CPA's decision to accept a new client or continue with an existing one is what companies weigh when deciding whether to keep an existing partner that performs functions essential to their operations, or to engage a new partner company for such functions. Trust but verify.

Contact CompVisory at the website listed below and we will guide you through SOC 1, SOC 2, ISO 27001 or other agreed-upon procedures engagements seamlessly, so you can demonstrate that your company's internal controls have been verified (COSO, SOC, ISO 27001).

Dean Brown, CEO

www.compvisory.com

Written by

Dean Brown is a seasoned business professional with 20 years of audit experience. Dean specializes in System and Organization Controls (SOC) audits, which he has conducted as the principal auditor since 2014. Dean has also conducted numerous controls, IT, operations, compliance and forensic audits over the course of his career. His experience spans financial, IT, SOC (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity), operations and compliance audits, examinations, reviews and consulting engagements. Dean is a subject matter expert in SSAE 18/SOC 1 and SOC 2 audits, ISO 27001, enterprise risk management, internal controls, information security management systems, and IT governance models. Dean began his career as an auditor at a Big 4 public accounting firm, where he audited multiple Fortune 500 companies. Later, as a lead auditor at a Fortune 500 company, he managed teams in the United States and Canada and was instrumental in the management and successful completion of a company-wide project that transitioned the company to a new operating business model. Dean is responsible for crafting, communicating, and reinforcing CompVisory's vision and mission, and for empowering the CompVisory team with the guidance and resources necessary to achieve them.