Risk assessment is the foundation of an audit. For auditors, it is how we come to understand your company and plan our audit procedures to provide the most reliable information for you and the users of your financial statements. What is risk assessment? I will help you understand what is involved and make the audit risk assessment procedures run as parallel as possible with your daily responsibilities.
Audit risk assessment procedures are performed to obtain an understanding of your company and its environment, including your company’s internal control, to identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error. These procedures usually take place before your fiscal year has been completed and include various procedures, such as inquiries with management and other selected employees, analytical procedures, observations of controls in operation and inspection of documents to show controls have been implemented.
While obtaining an understanding of your company is self-explanatory, our goal in understanding your company’s internal control is to evaluate whether you (management), with the oversight of those charged with governance, have created and maintained a culture of honest and ethical behavior, as well as assessing whether the control environment contains any deficiencies in established processes. We also look to identify company risks relevant to financial reporting, in addition to estimating the significance of those risks and their likelihood of occurring, to help decide what audit procedures need to take place to address those risks.
While our inquiries with management help us get an understanding of internal controls, we also need to see examples of these being performed. Walkthroughs are performed, with the help of your company personnel, to observe segregation of duties along with inspecting certain documents (invoices, purchase orders, etc.) that are used as supporting evidence for the operation of key controls that impact financial reporting. Analytical procedures are also performed, which are comparisons (usually multiple-year) of significant financial statement line items (revenues, payables, etc.), and financial ratios derived from those line items. These are compared to our expectations based upon discussions with key management personnel and other available industry information to identify any other areas of risk related to the financial statements that may impact the audit.
In summary, if an audit is the main course, then risk assessment is the appetizer. It provides us with information that is used not only for the year under audit, but future years to come. Audit risk assessment procedures are a vital part to any audit and treated as such by us and, hopefully, your company as well.