The American Institute of Certified Public Accountants (AICPA) issues, as necessary, Statements on Auditing Standards, also called “SASs.” Of the current total of 130+ SASs, numbers 104-to-111, are collectively referred to as the “Risk Assessment Standards” (RAS) and have been in effect since December 2006.
Of course, levels of risk vary among businesses. Example: A mostly cash business vs. a corporation. But here, following RAS standards, we will outline steps to take when determining risk assessment in a financial statement audit. They are: Existence/Occurrence, Completeness, Rights/Obligations, Classification, Valuation, Cut Off, and Overall Risk.
Existence/Occurrence: Simply put, this is an “assertion” that assets are real and the transaction actually happened. Example: An apartment building listed as an asset does exist.
Completeness: Do the records being audited represent a “complete” listing of all assets. Example: All stocks in a portfolio are included.
Rights/Obligations: Does the company have full rights to own an asset, or does someone else. Example: Obligations may have to be fulfilled by the firm to secure full ownership of the patent.
Classification: As it implies, this is a system for assigning assets into groups based on common characteristics. That is, cash, receivables, inventory, or fixed assets.
Valuation: Simply put, is an asset worth what the owner thinks it is? Values of assets can change, sometimes drastically, from one year to the next.
Cut off: Refers to a date an asset was acquired. Example: An audit is for December 2019, but an owner wants to include an asset purchased in 2020.
Overall Risk—Management Override of Controls: The risk here is that even if a company has all its controls in place, management can circumvent the controls and change the outcome.
And finally, IT risk: As hacking proliferates, assessing a company’s vulnerability has become part of an auditor’s job. Example: Is there a backup system and is procedure followed?