Of all the day-to-day priorities and to-do’s, worrying about audit risk probably has not risen to the top of your list. Should it? Maybe “out of sight, out of mind” is a better approach? It seems like a boring thing to think about, and you probably have more pressing matters on your mind. While this post may not convince you to make it your top priority, I think it’s important to be aware of audit risk because, if nothing else, you will understand why proper audit planning is so important and learn about some basic measures you can take to set your audit up for success.
What is the Meaning of Audit Risk?
Companies are facing increased risk every day, often arising from economic, financial, technology and security threats, and other uncertainties. A common measure companies use to mitigate against such risks is to engage an audit firm to conduct an independent audit, such as a SOX/financial statement audit, security audit, SOC 1 or SOC 2 audit, etc. While audits are a great countermeasure to risk, is there also a concept of audit risk? Specifically, is there a risk that your SOC 1 or SOC 2 auditor did not express a fair or accurate opinion? Is there a risk of material misstatement?
According to the American Institute of Certified Public Accountants (AICPA), audit risk is defined as follows:
The existence of audit risk is recognized in the description of the responsibilities and functions of the independent auditor that states, “Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected.”
Previously, we have discussed the concept of reasonable assurance in auditing, which means that even the best auditors are unable to 100% certify that internal controls at the service organization were designed and operated effectively to achieve the stated control objectives (SOC 1) or service commitments and system requirements based on the applicable Trust Services Criteria (SOC 2). Enter audit risk.
How is Audit Risk Defined?
Audit risk can be defined by the audit risk model (see the image below). Simply put, audit risk is a function of inherent risk, control risk, and detection risk. Inherent risk is the risk of a misstatement occurring if no controls are applied; control risk is the risk that an organization’s controls will not prevent or detect a misstatement; and detection risk is the risk that the auditor’s procedures will not identify a material misstatement that exists.
Image Source: aicpa.org
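The model the image depicts, written out here as an added note rather than the post’s own figure (the standard AICPA multiplicative form is assumed, and the numeric values are constructed for illustration):

$$AR = IR \times CR \times DR$$

where $AR$ is audit risk, $IR$ inherent risk, $CR$ control risk, and $DR$ detection risk, each expressed as a probability between 0 and 1. Because $IR$ and $CR$ belong to the service organization and are only assessed, not set, by the auditor, the term the auditor actually plans is detection risk:

$$DR = \frac{AR}{IR \times CR}$$

For example, if the auditor is willing to accept $AR = 0.05$ and assesses $IR = 0.8$ and $CR = 0.5$, then

$$DR = \frac{0.05}{0.8 \times 0.5} = 0.125$$

so the testing must be extensive enough that the chance of missing an existing material misstatement is no more than about 12.5%. Had control risk been assessed at $CR = 0.9$ instead, the same target would require $DR \approx 0.069$, i.e. roughly twice the testing effort, which is why weak controls translate directly into a larger audit.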
Inherent risk, control risk, and detection risk are the components that make up audit risk. Risk is inherent in every business, process, and transaction; it’s the reason internal controls must be established. However, there is a risk that the right controls were not identified or sufficiently applied to mitigate against the inherent risk in your business, processes, and transactions, which is your control risk. Further, there is a risk that even once the proper controls are applied, the auditor did not perform sufficient control testing to determine the adequacy of the design and operating effectiveness of controls (detection risk). This combination of factors is the basis of audit risk.
What are the Types of Audit Risks?
In the case of a SOC 1 audit or a SOC 2 audit, audit risk is typically the result of one of two types of misstatements, defined as follows:
- Known misstatements: these are fact-based misstatements, due to factors such as incorrect data selection, errors in the information obtained/processed, or a misinterpretation of the data.
- Likely misstatements: these are judgment-based misstatements that are the result of a discrepancy between management’s and the auditor’s perception of the data or evidence obtained as part of the audit.
The AICPA has identified common scenarios from which audit risk arises. Many of the identified scenarios relate to financial statement audits, but in the case of SOC 1 and SOC 2 audits, the following are common contributing factors to a misstatement:
- An inaccuracy or error in gathering or processing data,
- The omission of relevant evidence or data elements,
- The omission of information required to be disclosed as it relates to the relevant SOC 1 control objectives or SOC 2 criteria,
- Management or auditor oversight or misinterpretation of facts, and
- Management or auditor judgments related to the evidence or data gathered in support of the audit.
How Do You Identify & Reduce Audit Risk?
Can audit risk be zero? While it’s not realistic to think you can eliminate all risk, with proper audit planning you can effectively reduce and mitigate against audit risk. Here are some recommendations to keep on hand in order to set your next audit up for success.
- Engage a reputable auditor: It’s easy to fall into the trap of choosing an auditor based on fees alone, or to rely too heavily on a “SOC Checklist”, one-size-fits-all approach to your audit. You should evaluate the credentials of any audit firm you are considering engaging, such as whether they are a registered CPA firm, the experience of the firm’s partners and staff, including their experience with similar clients in similar industries, and the firm’s review processes, including independent review protocols.
- Conduct a risk assessment: A proper risk assessment should already be a key element of your company’s strategy and internal control framework, but it’s also critical in supporting an effective audit. A proper risk assessment will help to ensure that your SOC audit is properly scoped – that the suitable criteria (i.e., control objectives, controls, policies, procedures, laws, and regulations, etc.) selected in the audit are appropriate and will meet the broad needs of the users of your report (a.k.a., your clients). Likewise, assuming you completed task #1 above, your auditor should also conduct their own risk assessment to facilitate proper audit planning. SOC 1 and SOC 2 audits should always be tailored to the client’s industry and business, and a risk assessment is key in identifying which systems, processes, and controls should be included in the audit. Again, avoid the checklist/one-size-fits-all approach.
- Ensure adequate audit planning: Building off #2, sufficient time should be allocated to properly plan the audit. Have the proper control objectives/criteria been included in the audit plan? Have all the relevant systems been identified? Are the right processes and controls in place to achieve the stated control objectives and criteria? What evidence will be presented to determine the design and operating effectiveness of controls? What external and industry factors are present that may impact the audit approach? The risk of misstatement can often be attributed to errors or omissions relative to the identified systems, controls, and audit evidence, so it’s worth the time spent upfront to adequately scope and plan the audit.
- Foster audit transparency: Being audited is never fun, and it’s natural to want to do whatever it takes to get through the audit as quickly as possible with no findings, issues, or problems. However, it’s important to be transparent throughout the audit process by not only describing the controls and processes that are in fact adequately designed and effective, but also alerting your auditor where errors may be present. A worse scenario than disclosing known findings to your auditor during the audit (a requirement in management’s representations and assertions) is an undisclosed error that turns into a misstatement, breach, adverse or qualified opinion, or other issue that causes harm to your clients.
What is Acceptable Audit Risk?
The key to determining an acceptable level of risk is to apply the concepts of the audit risk model. Striking an appropriate balance of inherent risk, control risk, and detection risk will result in a suitable audit plan that reduces the risk of material misstatement. Proper planning, an adequate risk assessment, and an appropriate mix of preventative and detective controls will help to design an audit plan that allows the auditor to form a reasonable basis for their audit opinion. It’s important to remember that there is a certain degree of judgment involved on both the part of management and the auditor. The end result is not black and white, which is why choosing a quality auditor is so important!
Are you concerned your audit has not been properly planned or scoped? Do you fear your audit risk is at an unacceptable level? Does it concern you that even with proper planning, a fair amount of judgment is involved? Contact the team of audit professionals at Linford & Company and we can answer your SOC 1 / SOC 2, audit, and risk-related questions to get you on the right track.
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.