So long, traditional audit: no more "same as last year" with risk-based approach - internal controls assessed - Cover Story
Thad Scott
There's an old saying in our business: CPAs love change, just not yet. Maybe that's why many have trouble embracing the changes proposed in 1990's SAS 55, Consideration of the Internal Control Structure in a Financial Statement Audit, and its successor, SAS 82, Consideration of Fraud in a Financial Statement Audit. Both standards attempted to change the auditing industry by requiring auditors to consider inherent and control risk in audits and to rely less on a checklist approach.
Unfortunately, both of these statements allow auditors to continue ignoring internal controls by choosing not to rely on them. Auditors remain in the comfort zone of the historical approach of assessing risk at maximum and doing across-the-board substantive tests.
Twelve years after SAS 55, peer review results show that few auditors are performing risk-based audits. Instead, they are auditing areas with good internal controls because the controls are not documented, even though standards allow auditors to rely on undocumented internal controls.
Now auditors will have no choice but to change. Newly released SAS 96 provides specific guidelines on audit documentation. And the proposed SAS addressing fraud will provide specific guidelines on auditor consideration of programs and controls designed to address identified risks. Auditors will be required to document specific procedures to respond to identified fraud risk and discussions among engagement personnel.
Both of these pronouncements are a result of an ongoing AICPA risk-assessment project, the objective of which is a more robust understanding of the entity and its environment, including its internal controls, to identify and assess risks of material misstatement.
IDENTIFY THE RISK
Risk-based auditing identifies inherently risky areas in a company and focuses only on those areas for the audit, rather than scrutinizing every area with the same vigor--regardless of risk.
Risk-based audits are not only more effective, but are more efficient because they reduce the problem of over-auditing. Your clients will be happier with risk-based audits because they get you away from the frustrating practice of not relying on internal controls that the client already knows will work to prevent material misstatements. It also enables you to set up or tighten controls in the client's risky areas.
While it's true that risk-based audits are more complicated, requiring greater expertise and experience than historical audits, the payoff is that they are far more interesting to perform. Furthermore, they allow you to differentiate your firm from other firms.
The following steps give a general overview of how to approach a risk-based audit.
TOSS THE CHECKLIST
The first step involves an attitude shift. As auditors, we are comfortable with the SALY theory--you know, haul out the checklist and do the audit "same as last year." You can get away from this by identifying and analyzing the most important issues on the audit.
This means learning where inherent risk lurks in a given industry and for the particular client. For example, in the restaurant industry, theft of product and cash is very common. Inherently, you have the likelihood of a misstatement, so you know this is an area for more intense scrutiny.
Or, if you're auditing a company with two sales each year, it's unlikely that a sale will be recorded incorrectly. Inherently, in that business, the risk of material misstatement of sales is very low, so you won't need to spend much time and effort on it.
SO LONG SALY
Under a risk-based approach, every single year you should start with a blank piece of paper and a fresh perspective, even with companies you have been auditing for years. Did a personnel change affect controls? Did the company's bias change?
For instance, you might have an audit client whose bias is to keep net income as low as possible to minimize tax liability. It might be that way for years, until one day the client decides to merge with another company. Now the client's bias is to make his net income look bigger. In this case, assuming that your client's bias is the same as last year hampers your ability to discover possible material misstatement.
DETERMINE BIAS
A company's bias comes down to this: Are they more inclined to overstate or understate their revenue? The previous example shows how a company's bias can change from year to year. It's important to understand a company's bias before beginning your audit so that you can tailor the audit to their current-year bias.
A good way to assess a company's bias is to determine what is important to the financial statement users. All industries possess certain information that is sensitive to the financial statement user. A gross profit percentage is important with a restaurant. A bank may have loan covenants that say they can have only a certain kind of working-capital ratio or debt-to-equity ratio.
For publicly traded companies, it's almost strictly earnings per share. What drives earnings per share? Net income. What drives net income? In most cases it is revenue. That's why revenue recognition is one of the biggest problems in our profession.
Or, your client might not care about earnings or assets that a bank requires before granting a loan--they just don't want to pay taxes. So they might be hiding income. Or, complicating matters, your client might not want to pay taxes, but wants to secure a loan and needs to show good earnings.
When determining bias, ask yourself, "If they are going to fudge, which direction are they most likely going to go in: an overstatement of net income or an understatement?"
STUDY THE CONTROLS
Assessing your client's internal controls is a good place to begin designing your audit focus. All financial statements potentially contain material misstatement due to error or fraud. Misstatements will be prevented or detected only given an appropriate internal control environment. Further, your client's control environment may be insufficient because of their industry, or a weakness specific to the client.
It is a good idea to sit down with your client, look at a number in the financial statement, and ask, "Tell me why this number's not wrong." If your client cannot describe adequate controls to ensure that the number is correct, you have a great opportunity to either implement or enhance their controls by bringing in a fresh perspective.
If you're skeptical about the control environment, professional standards allow you to not rely on the controls and instead perform substantive tests to detect misstatements. SAS 82 requires you to decide if the controls are sufficient to prevent fraud.
Remember, your client's situation can change from year to year. In the past, you might have tested their controls and they looked great. This year, you may find that they have gotten rid of the controller in a cost-cutting move. Now you must reevaluate the controls.
DON'T AUTOMATICALLY SET RISK AT MAXIMUM
Many auditors feel that it is easier to assess risk across the board at maximum and perform substantive tests. Putting risk at maximum basically means that you can't rely on any of your client's internal controls--which might not be an accurate picture of the company's controls.
To the extent that you've assessed risk below maximum, you have determined that the client has controls that will reduce the risk of material misstatement. While this is a more complicated audit, one that forces you to use your professional judgment, it is a more efficient audit because you may not be performing substantive tests in all areas.
REPLACE SUBSTANTIVE TESTS WITH ANALYTICAL TESTS
By setting risk below maximum, you can use more analytical procedures as substantive tests when risks are properly identified.
Say something that should change, doesn't. Take this basic example: Your client's PG&E bill didn't change despite PG&E's across-the-board increases. This should alert you that there is something wrong with the financial statement, whether due to error or fraud.
Often your client has instituted good controls to prevent or detect misstatements. Professional standards now allow you to rely on the design and function of your client's controls.
To do this you still need to assess key elements of the business environment, control environment and control-monitoring process. Determine for which assertions, in which key areas (for balance-sheet accounts or classes of transactions), you feel the client's controls are reliable. Then test the controls. This does not necessarily mean that you test transactions. Often, you can do this by observation or inquiry.
For example, say you have a manufacturing client with inventory in several different states. To complete your audit, you need an accurate count of the inventory. Traditionally, this would involve either traveling to the other states yourself to count inventory--both time-consuming and expensive--or hiring CPAs in those states to do the count for you.
If your client rents inventory space, find out how the client is billed for inventory storage. If you discover that they are billed according to the amount of inventory, you essentially can assess inventory by examining storage rental invoices. The storage company is kept from overstating the amount of inventory--thereby falsely inflating the rent--by your client, who will know something is amiss if they try to ship something that suddenly isn't in stock.
INVOLVE SENIOR AUDITORS
Linking your material misstatement risk assessment to your understanding of the entity's business and environment requires a great deal more business savvy than most junior auditors can provide. Five to seven years of solid audit experience is a bare minimum.
This means that more experienced people will need to work on the audit engagement. With a risk-based approach, you have to make the kind of judgment calls less-experienced CPAs are not ready to make.
In a typical audit, the most experienced person comes in to make the risk assessment, then they disappear and leave the staff to themselves. The engagement partner may have been told that there was strength in the controls and less experienced people may not recognize weaknesses or potential new problems because they don't have the background or the experience. If the senior auditor is not involved on a continuous basis, misstatements may not be caught.
MORE CHALLENGING WORK, MORE MONEY
If you think this sounds like extra work and catch-up classes, you're probably right. But the bottom line is this: You can make a lot more money with risk-based auditing because your realization rates should increase dramatically. You'll also find the audit more challenging and interesting to perform.
A risk-based audit is worth more because you have made suggestions, taken that second look at risky areas and worked with the client to improve their controls. As auditors we are supposed to be finding ways to make our product unique and to tailor it to each individual client.
And, a little change never hurt anybody--even a CPA.
Thad Scott, CPA, CFE, a sole practitioner in Fresno, is a member of CalCPA's Peer Review Committee and an Education Foundation instructor.
Tom Noce, CPA, CFE, is a shareholder in the firm of Maryanov, Madsen, Gordon & Campbell in Palm Springs.
Noce and Scott co-teach a two-day course on risk-based auditing for the California CPA Education Foundation. For more information, go to www.educationfoundation.org.
COPYRIGHT 2002 California Society of Certified Public Accountants
COPYRIGHT 2002 Gale Group