The Four Basic Food Groups of Audits: Satisfying Your Audit Risk Appetite
Audit risk is defined by AU-C Section 200 as the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. In other words, the auditor messed up and missed something big. Obviously, auditors do not want this to happen. A critical concept for high-quality audits is to be able to discern what an appropriate risk appetite should be – and then eat just enough from the four basic food groups to not over- or under-audit. Audit risk is mitigated to an acceptably low level by properly assessing the risk of material misstatement (defining your risk appetite) and then correctly satisfying the remaining detection risk (pulling from the four basic food groups).
Let’s start with a broad overview of determining your risk appetite. Auditors are required to perform risk assessment procedures to provide a reasonable basis for the proper identification and assessment of risks of material misstatement. Example procedures include inquiries of management, preliminary analytic procedures and evaluating the design and implementation of relevant internal control.
Risk of material misstatement is defined as the risk that the financial statements are materially misstated prior to the audit. It is comprised of inherent risk and control risk considerations at both the overall financial statement and relevant assertion level for all quantitatively or qualitatively significant accounts, classes of transactions, and disclosures (we call them significant audit areas). Assertions are explicit or implied representations by management embodied in the financial statements, such as the existence of an asset or the completeness of a liability.
Inherent risk is the auditor’s “gut instinct” about the susceptibility of an assertion to material misstatement. It is generally assessed in terms of the auditor’s professional judgments of high, moderate or low.
Control risk is the risk that a misstatement will not be prevented or detected and corrected on a timely basis by the audited entity’s internal control. Reducing control risk requires performing tests of the operating effectiveness of internal controls to justify a control reliance strategy. In many small or mid-size audits, it is not deemed effective nor efficient to take a control reliance strategy, so control risk is left at high at the discretion of the auditor. In other cases, control risk is appropriately reduced to moderate or low to justify reducing the overall risk of material misstatement. In situations where the audited entity is subject to regulatory oversight, a control reliance strategy may be presumed by law or regulation.
Upon completion of risk assessment activities, auditors are then required to develop an audit plan that is commensurate with the assessed risk of material misstatement. Detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists, and that could be material, either individually or when aggregated with other misstatements. Detection risk is inverse to the assessed risk of material misstatement. In other words, the auditor can accept a lot of risks that he/she fails to detect material misstatement because there is a low risk that there is a material misstatement to start with. Or, the auditor may need to gather more persuasive audit evidence because there is a high risk of material misstatement, and the auditor should accept less risk that he/she fails to detect a material misstatement.
Every significant audit area merits some level of substantive audit effort. Substantive audit procedures are designed to detect material misstatements at the relevant assertion level and are comprised of tests of details and/or substantive analytical procedures. While the exact nature, timing and extent of audit procedures should vary with the assessed risk of material misstatement, the detailed audit plan always pulls something from each of the four basic food groups.
Food Group #1
Ensure there is a supporting schedule or reconciliation to the underlying accounting records. For example, a bank reconciliation, fixed asset roll-forward, accounts receivable subsidiary record, debt amortization schedule, YTD general ledger, or other appropriate records.
Food Group #2
Perform substantive analytical procedures. In some situations, a simple comparison to a prior period at the lead sheet level may be adequate. In other cases, ratios or inter-relationships between accounts might be needed. Or, a projection of an amount based on financial or nonfinancial information might be the best approach.
Food Group #3
Ask questions. An inquiry is needed to identify significant, unusual transactions such as related party relationships. It is also necessary to gather the information that could impact presentation and disclosure, such as restrictions on cash, inventory pledged as collateral against debt, loss contingencies and more. Plus, the auditor should continually ask questions related to known or potential fraud, which could result in a material misstatement.
Food Group #4
Perform tests of details, as deemed necessary. For areas of low risk of material misstatement, a simple scan for any individually significant items may be adequate (even if none are found). In other cases, a scope approach, pre-determined desired coverage of the population, or sampling methodology may be needed to satisfy detection risk properly.
An auditor’s professional judgment is critical for determining when sufficient and appropriate audit evidence has been obtained. In the end, it is up to the auditor to decide how much of a risk appetite exists – and then to decide further how to effectively and efficiently satisfy that appetite by pulling the right mix of substantive procedures from the four basic food groups.
Jennifer F. Louis, CPA, has over 25 years of experience in designing and instructing high-quality training programs in a wide variety of technical and “soft skills” topics needed for professional and organization success. In 2003, she founded Emergent Solutions Group, LLC, where she focuses her energy on designing and delivering high-quality, practical, and engaging accounting and auditing training.