Armanino Blog
Evaluate Your Risk of Material Misstatement
by Jeremy Sucharski
June 15, 2012

You will be hearing from your external auditor about one of the regulations The Public Company Accounting Oversight Board (PCAOB) has enacted: Auditing Standard Number 12 (AS 12). The title of AS 12 is “Identifying and Assessing Risks of Material Misstatement.” It greatly expands on brief information included in Audit Standard Number 5. The standard establishes the requirements and expands guidance for your external auditors to identify and assess risks of material misstatements in your financial statements. External auditors of public companies are responsible for performing the risk assessment procedures outlined in the standard.

Key Points from AS 12

  • AS 12 is a 74-paragraph standard that discusses six specific risk assessment procedures your external auditor must follow as part of an integrated audit. They are:
  • Obtaining an understanding of the company and its environment;
  • Obtaining an understanding of internal control over financial reporting;
  • Considering information from the client acceptance and retention evaluation; audit planning activities, past audits and other engagements performed for the company;
  • Performing analytical procedures;
  • Conducting a discussion among engagement team members regarding the risks of material misstatement; and
  • Inquiring of the audit committee, management and others within the company about the risks of material misstatement.i

Impact to Your Company
If you are a public company, then you already conduct some level of risk assessment to support your SOX compliance and you may already be evaluating the six items noted in AS 12. Regardless, your external auditor will perform the six procedures to assess your company’s risk of material misstatements. Ideally, the auditor can leverage the work your internal audit has produced related to internal controls. By optimizing your risk assessment program internally, you can drive value for your company by seeking discounts when your external auditor relies more completely on your internal audit.

If any risks are identified, AS 12 directs that they be further evaluated to determine if any qualify as a significant risk. Some examples of significant risk include:

  • The likelihood and potential magnitude of misstatements;
  • Fraud risk, which is a significant risk;
  • Risk related to recent significant economic, accounting or other developments;
  • The complexity of transactions;
  • Significant transactions with related parties;
  • The degree of complexity or judgment in the recognition or measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
  • Significant transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to their timing, size or nature.ii

Be Proactive in Assessing Risk—and Save Money
One of the benefits of having AS 12 and similar standards published is that you now have better guidance for the performance of risk assessment and the steps you can take to prepare. If your company incorporates the six risk assessment procedures outlined in AS 12 into your internal audit process, you can get ahead of the curve. How?

By identifying risks for material misstatements on your own, you can take corrective actions prior to an external audit. And, by making your internal audit information available to your external auditor, you can save time and money. AS5 allows for external auditor reliance in the planning and execution of their audit procedures, including risk assessment. The external auditor should be able to leverage your internal audits and therefore won’t have to spend as much time going through their own risk assessments. The percentage of your work that can be relied on varies, so check with your auditor.

Getting Started
You most likely have some level of risk assessment in place, so begin by comparing your existing process to AS 12. Review the content of AS 12 in detail. Leverage the knowledge of your internal audit team or your external auditor to understand AS 12 and integrate its processes into your risk assessment procedure.

Be in touch with your external auditor early and often. You are probably already in contact on a regular basis, but be sure you ask questions and listen to the advice offered. Your external auditor can’t give you all the answers because of independence requirements, but their guidance, when applied, can help maximize their reliance on your internal audit work.

And don’t be afraid to talk with your external auditor about how much of your audit work they can rely on in their work. The more professional and thorough your audit work, controls and documentation, the more likely your external auditor can reduce the amount of work they must do. That saves you money and time, because you are paying for less of their time and spending less time working with them on your audit.

Risk assessment and mitigation are ongoing processes. Businesses are evolving; marketplaces are evolving; and standards and regulations are evolving. By looking closely at your company’s processes in your internal auditing or internal control evaluation work, you can save time and money, protect business and investor interests and ensure your company’s solid reputation well into the future.

Developing an Internal Risk Assessment Procedure

If your business does not have a formal risk assessment procedure in place, it would be beneficial to develop and implement one. Risk assessment has many benefits for companies, including helping with future planning, saving money and gaining operational benefits. Take a top-down approach, beginning with business strategies and drilling down to track an individual transaction through your system. The resulting internal audit report should be shared with executive leadership.

Some things to consider including in your risk assessment procedure are:

  • Understanding of your company and its environment
  • Understanding of the nature of the company Selection and application of accounting principles, including related disclosures
  • Understanding of company objectives, strategies and related business risks
  • Understanding of company performance measures Understanding of internal control over financial reporting (ICFR)
  • Assessment of fraud risk
  • Assessment of risk of material misstatement.

Consult your internal audit team or your external auditor if you have questions or need assistance developing a risk assessment procedure.

i Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement. Public Company Accounting Oversight Board
ii Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, 71: a-g. Public Company Accounting Oversight Board

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News and Insights
How the 7 New SEC Private Fund Rules Create a Need for Innovation
What’s the impact of the new rules and what opportunities do they offer for investment advisors?

November 29, 2023
Data Governance: A Guide for Managing Enterprise Risk
Learn why proper data governance is a critical component of managing enterprise risk.

August 03, 2023
How the NIST Frameworks Can Benefit Your Privacy and Cybersecurity Programs
Maintain regulatory compliance, reassure stakeholders and safeguard your organization against evolving risks.

May 16, 2023