James Bone
Aug 15, 2022

Gaps in Audit Risk guidance: Materiality and Audit Risk

Internal audit plays a key role in the oversight of a host of risks across the enterprise for many organizations. The role of risk management is largely defined by each organization; however, today’s regulatory environment has raised demand for more assurance that controls are in place and adequate to the task. Likewise, risk management has become a critical skill set in audit. One challenge to implementing an effective risk assessment, however, is a lack of clear guidance on “how” auditors should conduct risk management.

The AICPA website defers to whitepapers, largely from COSO’s ERM framework. The COSO ERM framework is designed to guide organizations on the elements of a risk program, but it doesn’t provide guidance for measuring differences between risk programs or for producing evidence-based outcomes once a program is put in place. Regulation of financial statement reporting of risks and risk processes is scant and uninformative. Nonetheless, the risk of over-regulation is real and has already produced Sarbanes-Oxley, with few benefits to attribute to its passage. Current guidance on risk for auditors should, however, account for the new digital environment and the data-centric models that have emerged.

In my search for risk guidance in the American Institute of Certified Public Accountants’ standards, only two references to risk were identified: Materiality and Audit Risk.

Both references are related to the risks in financial statement reporting.

Materiality

“Misstatements, including omissions, are considered to be material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the financial statements.”

Audit Risk

“The identification and assessment of risks of material misstatement are at the core of every audit, particularly obtaining an understanding of the entity’s system of internal control and assessing control risk. Performing an appropriate risk assessment enables the auditor to design and perform responsive procedures. This is your source of news, resources and learning relative to the audit risk assessment standards to enhance audit quality.”

AICPA Audit Risk Model

The Audit Risk Model — RMM

· Understand your client’s environment

· Understand your client’s internal controls

· Use RMM to drive detection risk

· Use the AICPA Audit Risk Assessment Tool

Materiality is a very important concept in the assignment of risk, yet there exists no ex ante definition of the behavior or behaviors that would result in a material event. As a result, materiality is a judgment call with varying degrees of accuracy. Misstatements are important, but determining the case for the omission is even more important. Getting this right is critical, but the question here is: is this enough guidance for the myriad of risks that organizations face?

If the tools of assessment are largely subjective evaluations of complex risk, the true value of those judgments is only determined after the fact, during a failure in controls or processes. Auditors, risk professionals, compliance officers and cybersecurity professionals are all attempting to leverage a risk methodology that relies on subjective assessments of increasingly complex risks. It is not likely these tools are optimal.

Even the language used in the guidance is self-limiting (see the RMM model above). The range of divergent views that emerge from a subjective assessment of risks will create a cacophony of inherent risks, control risks, and detection risks, resulting in divergent audit risk outcomes. How are other risks accounted for, such as cyber risk? Operational risk? Fraud? Should the tools used in audit risk be the same tools used for advanced risk assessment? Surely not, but alas they are for the most part (subject-matter experts — SMEs).

The state of risk oversight is mixed and in transition, according to a recent report from North Carolina State University. ERM is struggling to gain acceptance and is bumping up against cultural push-back, for good reason. The tension in ERM is a product of a lack of tangible benefits after implementing ERM as defined by COSO. That is understandable given the lack of clear guidance and the absence of any effective way to measure the contribution risk management makes to an organization’s performance. There are ways to address both concerns, but not with COSO’s framework.

The AICPA should engage with regulators and standards organizations such as the International Organization for Standardization (ISO) to provide more specific risk guidance for auditors, working with industry and the latest technology. In this way, oversight resources can be allocated more efficiently. The North Carolina State report suggests customers are not happy and that the results of ERM are perceived to be costly at a time when the speed and flexibility of organizations is critical.

If auditors want to become the influencers of strategy and risk culture they aspire to be, the profession must adopt more advanced skills in risk analysis and understand the noise it creates by using outdated risk practices that do not account for the risks that really matter. The AICPA updated the definition of materiality to align with the definition used by the courts and other legal guidance; however, the law, like audit, has not kept pace with the emergence of complex, asymmetric risks.

Risks are not selected through a popularity contest in which the risks with the most votes win. Risks have a shape, and the shape of a risk says a lot about the behavior of the firm. Auditors must become conversant with the shapes of risk and how to address them adequately.

James Bone is a cognitive risk consultant and risk researcher for the Cognitive Risk Institute (GRCIndex), founder of the first cognitive risk framework for ERM and cybersecurity and author of Cognitive Hack: The New Battleground In Cybersecurity and ERM. jbone@grc-index.org. www.grc-index.org.
