Audit Risk

Audit Risk Description

Audit risk is defined by standard setters, including the American Institute of Certified Public Accountants (AICPA), the Public Company Accounting Oversight Board (PCAOB), and others, as the risk that an auditor will express an inappropriate opinion on a subject matter. 

As I understand it, historically, a certified public accountant (CPA) in the audit of financial statements should perform an audit risk assessment, but lately, given the changes in attestation standards from the AICPA, and changes in continuing professional education (CPE) requirements from states such as Florida, the audit risk assessment requirement has expanded to include other subject matters beyond financial statements.

Audit risk is the product of inherent risk, control risk, and detection risk (audit risk = inherent risk x control risk x detection risk).  A CPA, in following the protocol of the standards that govern the profession, performs an “acceptance and continuance” evaluation that allows the CPA to decide whether to accept a new client or continue a relationship with an existing client.  An integral part of that evaluation is the audit risk assessment.

The audit risk assessment, which factors into the CPA’s decision on accepting a new client or continuing an engagement with an existing client, matters to clients and prospective clients of a CPA because most companies, when deciding whether to maintain a relationship with an existing partner (subservice organization) that performs functions essential to their operations, or to engage a new partner company to perform such functions, base those decisions on a premise made famous by the words of President Ronald Reagan: “Trust but verify.”

If a company suspects that an existing subservice organization or a prospective subservice organization is not being transparent in its dealings, it may (and, in my opinion, should) disengage from the existing relationship or decline to engage with the prospect.

Inherent Risk

In my opinion, based on my education and experience, the inherent risks associated with company operations, compliance efforts, and financial reporting are those risks that justify a higher level of scrutiny given their nature.  For example, when workflow policies and procedures are too cumbersome, employees will tend to circumvent them in company operations.  That is an inherent risk of overly complex operations.

When compliance is treated as “in addition to” and not as “a part of” operations, the likelihood of noncompliance is increased.  That is an inherent risk of the failure to incorporate compliance measures into operations. 

Certain items reported on the financial statements are, because of their nature, inherent risks to financial reporting, such as items associated with management’s bonuses, accruals, and cash balances that will allow the company to obtain lucrative loans.

Companies would be wise to identify and control for the inherent risks in their environment.  CPAs must consider inherent risk in determining whether to continue existing relationships and accept new clients.

Control risk

To prevent or detect-and-correct the risk associated with the achievement of an objective, controls should be put in place to ensure, or at least reasonably assure, the achievement of that objective.  Control risk is the risk that the measures put in place to prevent or detect-and-correct the risk associated with the achievement of the objective are not effective.  The CPA must consider control risk under the standards of the profession.  Companies are responsible for designing, implementing, and performing the needed controls.

Detection risk

The CPA, after considering several factors, must determine the nature, timing, and extent of the testing that needs to be performed to support the opinion expressed on the subject matter.  Detection risk is the risk that the testing performed by the CPA was not sufficient to provide a reasonable basis for the opinion expressed.  The nature, timing, and extent of the testing needed to address detection risk are solely the responsibility of the CPA.

Conclusion

Organizations should not assume that audit risk has implications only for the CPA.  The audit risk assessment, which factors into the CPA’s decision on accepting a new client or continuing an engagement with an existing client, is also what companies weigh when deciding whether to maintain a relationship with an existing partner that performs functions essential to their operations, or to engage a new partner company to perform such functions.  Trust but verify.

Contact CompVisory at the website listed below and we will guide you seamlessly through SOC 1, SOC 2, ISO 27001 or other agreed-upon procedures engagements so you can demonstrate that your company’s internal controls have been verified (COSO, SOC, ISO 27001).

Dean Brown, CEO

www.compvisory.com

Power Structure & Internal Controls

“You can delegate the activity but you cannot delegate the responsibility” is an old saying in the auditing field. The idea of internal controls after outsourcing may seem complex, but it is not as insurmountable as it seems. There are only a handful of key considerations you face if you are a company contemplating engaging another company, or a company that has already engaged another company, to perform a service for you. One of the most important considerations is the topic of this piece.

The power structure of the organization that you plan to engage, or have already engaged, is the determining factor in its reliability. I believe that the structure of the arrangement of responsibility, authority, and accountability drives the behavior, and ultimately, the quality of the outputs from an organization.

None-without-the-other (NWTO) is what you need to look for in an organization that you plan to entrust with valuable/important processes. There should be no person in an organization who has authority and no accountability, and there should be no person in an organization who has responsibility and no authority, as either is a recipe for dysfunction.

Responsibility for a process must be given with consideration for the resources, commitment, and time needed to achieve the quality envisioned for that process. Basically, responsibility must be given to the right person, with the right infrastructure and the right applications, to afford the task a chance at success. I believe that anything other than that show of consideration is a ploy to distract.

Authority for a process must be given with consideration for decision-making agility, for the allocation of resources, and for quality controls. Namely, the authority figure must demonstrably be able to make prompt and appropriate decisions, to influence decision makers, and to sufficiently assess the quality of the outputs of the process. When authority is appropriately dispensed, it presents itself as a team operating seamlessly.

Accountability must be rigidly transparent, unmoving, and consistently applied without hesitation. If that is baked into the culture of the organization, it is a great signal of its trustworthiness. The way an organization responds to a routine request for information is an indication of its level of trustworthiness.

In short, the arrangement of responsibility, authority, and accountability in an organization is a testament to its trustworthiness. Smart outsourcers look to see if an independent and objective practitioner has audited an organization before entrusting to its care valuable/important processes.

Contact CompVisory to learn more if you plan to outsource to a third party, if you have already outsourced to a third party, or if you are a third party that has been entrusted with the valuable/important processes of another entity. Keep in mind that NWTO should shape the culture of an organization; otherwise inefficiencies, or worse, could rear their ugly heads.

The View From Above

Your business landscape is complex.  From the latest technological advances to the laws and regulations that impact your business, identifying, assessing, and managing risks can be complicated.  You need a view from above to stay ahead.  The professionals at CompVisory are thought leaders who have the experience and knowledge to help you understand the landscape and look to the horizon to customize a plan to suit your business needs.  Let the CompVisory team help you get your view from above.