


A number of CPA firms, including Berry Dunn, have implemented audit approaches in recent years that come under the umbrella of “risk-based auditing.” This can mean different things to different people, but the basic concept is that audit plans should be tailored in a way that focuses more effort on the higher-risk areas at a company (that is, those that present greater risk that the financial statements are misstated), and less effort on lower-risk areas.
Sounds like basic common sense, but the fact is that the seemingly exponential increase in complexity of accounting rules, combined with an increase in reported accounting fraud, has led the auditing profession down the road of standardizing the audit process as much as possible. Standardization, often derided as a “checklist approach,” is designed to make sure all possible types of error or fraud are considered during the course of the audit. Also a noble goal, but since companies’ audit expense budgets aren’t unlimited, it can lead us to spend more time than we should in lower-risk areas, and less time than we should in higher-risk areas.
In an effort to get us all on the same page, the American Institute of CPAs has introduced new rules, effective this year, that require all audits to be conducted in a manner that considers where the greater risks are, and devotes more energy to those areas. One of the impacts of these new rules that will likely be apparent to our clients is an increased focus on understanding what internal checks and balances are (or aren’t) in place at the company. Improving this understanding can go a long way toward helping us design a more effective and efficient approach to our testing.
I was fortunate to have the opportunity to serve on the AICPA task force that wrote the implementation guide for these new rules. The experience taught me that, while our firm has implemented most of these risk-based concepts in our audit approach for years, the new rules will require an incremental effort in terms of (a) understanding our clients’ internal controls and (b) documenting our analysis of the risks that exist and what we’re planning to do about them in our audit testing. We’ll make every effort to carry out these requirements in a manner that minimizes the impact on our clients and their busy staff, and I believe the benefits, in terms of audit quality, to be derived from improved risk assessment will significantly outweigh the costs.