Focus on the Auditor’s Risk Assessment
Monday, June 8, 2020
The COVID-19 pandemic and the related market conditions create many new uncertainties for public companies, auditors, and audit committees. As SEC Chair Jay Clayton recently recognized, the continuing operation of the US capital markets is an essential component of the US’s response to, and recovery from, COVID-19. This resource provides reminders for auditors related to their responsibilities to identify, assess, and respond to risks of material misstatement. These reminders may also be helpful to audit committee members in their oversight of the external audit.
This resource is intended as general information and should not be relied upon as being authoritative or all-inclusive, or a substitute for PCAOB and SEC rules, standards, guidance, or other resources.
Technical Requirements (not all-inclusive)
The auditor is required to perform risk assessment procedures during audit planning.
PCAOB Auditing Standard 2110, Identifying and Assessing Risks of Material Misstatement (AS 2110), as amended, states the auditor’s responsibilities as follows:
.04 The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement, whether due to error or fraud, and designing further audit procedures.
.05 Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company’s industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to, e.g., personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors.
AS 2110.05 further discusses various types of risk assessment procedures:
- Obtaining an understanding of the company and its environment;
- Obtaining an understanding of internal control over financial reporting;
- Considering information from the client acceptance and retention evaluation, audit planning activities, past audits, and other engagements performed for the company;
- Performing analytical procedures;
- Conducting a discussion among engagement team members regarding the risks of material misstatement; and
- Inquiring of the audit committee, management, and others within the company about the risks of material misstatement.
The auditor’s assessment of the risks of material misstatement, including fraud risks, continues throughout the audit.
When the auditor obtains audit evidence during the course of the audit that contradicts the audit evidence on which the auditor originally based his or her risk assessment, the auditor should revise the risk assessment and modify planned audit procedures or perform additional procedures in response to the revised risk assessments.
COVID-19 Considerations
New risks may be identified compared with prior audits.
Many businesses are facing uncertainties as public health officials and business leaders grapple with understanding the COVID-19 virus, planning to re-open the economy, and understanding what getting back to normal will look like in different geographies and for different industries. Public companies are urged to provide as much information as is practicable to investors and others regarding their current financial and operating status, as well as their future operational and financial planning.
For auditors, identifying and assessing risks may be more challenging due to these uncertainties. New risks may emerge as responses to COVID-19 evolve. For example, companies may need to consider new or different risks related to:
- Liquidity, access to capital, debt covenant compliance
- Ability to continue as a going concern
- Cybersecurity, including data security in a virtual environment
- Changes in internal controls over financial reporting due to working in a virtual environment, including information technology general controls
- Asset and goodwill impairment
- Fair value estimates
- Third-party vendor considerations
- Industry-specific regulatory and economic considerations, including concentration risk
- Geographic-specific regulatory and economic considerations, including concentration risk
- Business interruption
Heightened risk of fraud may exist due to the COVID-19 pandemic.
There may be heightened fraud risks given these uncertain times. For example, companies may have laid off key personnel, and workforces are not operating in their typical office environment, such that there could be a breakdown in internal control over financial reporting.
Changing incentives or increased pressures on management, especially when taken together with changes in internal controls or increased opportunity for management override of controls, may result in new risks of material misstatement due to fraud or changes to the auditor’s previous assessment of risks of material misstatement due to fraud.
When performing certain risk assessment procedures, such as inquiring regarding fraud risks, if such inquiries cannot be performed in person, video conferencing may be preferable to audio-only conferencing as auditors would be able to see body language.
Initial risk assessments may require revision.
While the assessment of risks of material misstatement, including fraud risks, is required to continue throughout the audit, this may require more frequent consideration due to the rapidly changing COVID-19 environment. Throughout the year, external factors such as consumer behavior and retail re-opening may be unpredictable. Auditors may need to periodically update their understanding of management’s process for identifying risks relevant to financial reporting objectives, including risks of material misstatement due to fraud (“fraud risks”).
Initial responses to assessed risks may not be adequate.
If an auditor’s initial risk assessment is revised, the auditor is required to modify planned audit procedures or design new procedures.
The PCAOB released a staff Spotlight document, COVID-19: Reminders for Audits Nearing Completion (Spotlight), with reminders to auditors, including the importance of requirements to identify, assess, and respond to risks of material misstatement.
The PCAOB’s Spotlight states that auditors may consider the following matters in modifying procedures or designing new procedures:
- Enhancing direction and supervision of less experienced team members; and modifying the nature and extent of review of their work;
- Increasing the involvement of more senior or experienced members of the engagement team in performing procedures related to more complex issues;
- Involving – or increasing the involvement of – specialists or others with specialized skills and knowledge; and
- For engagements where other auditors are involved:
  - Developing alternative approaches for direction and supervision where previous plans involved travel and in-person interactions (including considering use of technology); and
  - Considering whether audit evidence may be gathered by alternative approaches, including new or extended procedures to be performed by the lead auditor.
Auditors are reminded to exercise professional skepticism when gathering audit evidence.
PCAOB auditing standards require the auditor to exercise professional skepticism, which is an attitude that includes a questioning mind and a critical assessment of audit evidence. Auditors are also required to emphasize the need to maintain a questioning mind throughout the audit and to exercise professional skepticism in gathering and evaluating evidence. With management and auditors alike working remotely, it is important to stay alert to whether evidence obtained is sufficient and appropriate to meet PCAOB auditing standards. Auditors may need to obtain audit evidence of a different nature or form than originally planned, which may affect the auditor’s consideration of its relevance and reliability.
More frequent engagement with the Audit Committee related to the auditor’s risk assessment may be warranted.
As part of the risk assessment process, auditors are required to inquire of various parties, including the audit committee, about risks of material misstatement. Further, among other required communications, auditors are required to communicate to the audit committee significant changes to the planned audit strategy or the significant risks initially identified, and the reasons for such changes. Robust oversight of and input from the audit committee is important to help ensure risks are appropriately identified, assessed, and responded to by the auditor. Given the potential for evolving risks, more frequent engagement with the audit committee related to the auditor’s risk assessment may be warranted.