Technical Reviewer Tips: Risk Assessment Procedures and Documentation

By Robert Moore, Jr., CPA
Technical Reviewer, VSCPA Peer Review Committee

Risk assessment procedures and documentation are current points of emphasis for the AICPA and will be emphasized in peer review over the next few years. Examples that would lead to non-conforming engagements are:

Failure to identify or document the identified risks of material misstatement (RMM), including any significant risks
- Virtually every audit, including audits of small- and medium-sized entities, has at least one significant risk.
Failure to assess or document the assessment of risk at both the relevant assertion level and financial statement level
- A reviewer may encounter audits where the risks of material misstatement are assessed at the account level only rather than at the relevant assertion level.
- Some practitioners confuse account-level risk with financial statement-level risk. Financial statement-level risks are not risks limited to one account balance, but rather risks that are pervasive to the financial statements.
Failure to perform or document the performance of procedures that address identified significant risks, or failure to perform anything beyond “basic” procedures when the basic procedures don’t address the RMM.
- Significant risks require special audit consideration, which means consideration above and beyond what a standardized audit program would address.
Failure to properly document the firm’s identification and assessment of the RMMs and response thereto.
- Reviewers should consider the linkage between the risk assessment and the auditor’s procedures, and they should determine whether the procedures are responsive to the client’s financial statement- and assertion-level risks.
Failure to evaluate the design and implementation of controls relevant to the audit
- Auditors are expected to:
  - Consider what could go wrong as the client prepares their financial statements
  - Identify the controls meant to mitigate those financial reporting risks
Evaluate the likelihood that the controls are capable of effectively preventing or detecting and correcting material misstatements

Documentation of Inherent Risk Assessment

The assessment of inherent risk at less than high may be substantiated through the use of memo documentation or the optional Inherent Risk Assessment Form. The assessment of control risk at less than high is substantiated through testing of controls. A review of the relationship of inherent risk and control risk to the risk of material misstatement (RMM) generally places a greater emphasis on inherent risk.

Non-attest Services Consideration and Documentation

A current point of emphasis is the evaluation of non-attest services performed by firms on behalf of clients. It is important that these services be identified and documented in the working papers of all engagements, including:

Non-attest services to be performed
Objectives of non-attest services
Client acceptance of it responsibilities for non-attest services
The accountants’ responsibilities related to non-attest services
Limitations of the non-attest service engagements

Please review the requirements of ET section 1.295.040–.050 for more information about these matters.

Typical non-attest services performed by firms for clients include:

Preparation of financial statements
Tax return preparation
Maintenance of depreciation schedules
Cash-to-accrual calculations
Proposal of adjusting journal entries

Skills, Knowledge and Experience of Client Personnel Evaluating Non-attest Services

In addition to the non-attest services addressed above, the engagement files should document the skills, knowledge and experience of client personnel overseeing non-attest services performed by the firm. These attributes are not clearly addressed in the Non-attest Services Documentation Form. Documentation of these matters is required for audits subject to Government Audit Standards, and is considered best practice for other audits.