At the AICPA Not-for-Profit Industry Conference this year, among the many great sessions, there were two that focused on audit planning: “Risky Business: Properly Assessing and Responding to Risk” and “Best Practices in Documenting Internal Controls for Risk Assessments.” The reason? Audit risk assessment continues to be misunderstood by many CPA firms.
It’s been more than a decade since the AICPA’s Auditing Standards Board issued a series of new auditing standards commonly referred to as the Risk Assessment Standards. Risk assessment is a fundamental concept in planning an audit.
An auditor is required to:
Respond to risk
A recent study of peer reviewers found that over half of the 400 audits they reviewed failed to comply with AU-C section 315 and/or 330. AU-C section 315 requires an auditor to obtain an understanding of the entity and its environment to assess risk and AU-C section 330 requires audit procedures to be designed to address significant risks identified. If an auditor fails to perform any one of the above bullet points, the audit engagement will be considered non-conforming. This is true regardless of the amount and type of substantive testing performed.
In the not-for-profit world, an audit is required for many small organizations, perhaps by a state regulatory agency or a major funder. A common misperception about small not-for-profits is that they don’t have any controls. Because of this, an auditor of a small not-for-profit may incorrectly feel a quality audit can be performed without properly considering the client’s risks.
It may appear a small not-for-profit has no controls, but every organization has them. They just might not be formally documented. Common controls with small not-for-profit organizations include the following:
Strong “tone at the top”
Monthly bank reconciliations
Line-by-line budgeting to meet funding requirements
Regular review of financial statements by the board and/or audit committee
Limits on check signing
The risk assessment required under AU-C section 315 provides “a basis for designing and implementing responses to the assessed risk of material misstatement.” Without the assessment, there is no basis for the audit plans.
The performance of substantive procedures should be linked with the risk assessment. Not properly designing tests based on assessments could lead to two negative outcomes:
Over-auditing, which results in an inefficient audit
Under-auditing, which results in non-compliance with professional standards
As previously noted, AU-C section 330 requires that audit procedures be designed to address significant risks identified. Third-party practice aids are valuable resources for small firms that typically audit small not-for-profits, but if these aids are not tailored or adjusted based on an entity’s risk assessment, it’s possible the audit is not in compliance with the standard.
Performing the following will help auditors conform with AU-C sections 315 and 330:
Obtain an understanding of the client and its environment
Obtain an understanding of the client’s relevant internal controls
Identify the risks that the statements could be materially misstated
Document the linkage between risks and planned responses
Design and perform procedures in accordance with the identified risks
Following the above procedures will not only keep not-for-profit auditors in compliance with auditing standards, but it also will provide them with a deeper understanding of their clients, their clients’ environments, and the not-for-profit industry in which those clients operate.