In this special episode of THE SAMPLE, Leita Hart-Fanta, CPA, talks to Charles Hall, CPA, about risk assessment in audits.
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
Transcript
In this special episode of The Sample, Leita talks to Charles Hall, CPA. Charles Hall has worked in CPA firms for most of his career and is an expert on AICPA standards. He is a clear and entertaining writer and offers several self-study courses through YellowBook-CPE.com. Charles has his own podcast and allowed us to use this footage on our site as well. In this session, Charles and Leita talk about risk assessment.
Charles Hall:
Hi, I’m Charles Hall and I’m with Leita Fanta. And we’re going to be talking about risk assessment today. She’ll be talking about performance audits and risk assessment, and I’ll be talking about risk assessment on financial statement audits.
I told Leita I’m going to start out with a little story from my childhood. When I was a little kid, we had a fallout shelter in the backyard. We had potential nuclear bombs, that kind of thing. So, my dad built a fallout shelter and, bright me, I take a half a gallon of gasoline and put it in a milk jug. And I’m standing on top of the fallout shelter and I’m with my twin brother Harry. I strike a match and I tell Harry, “I’m going to drop this match in this jug of gasoline to see what happens.” I needed some excitement in my life. And so sure enough, I dropped the match in the gasoline, and it just explodes.
And when it did, I freaked out! I took my arm and I hit the milk jug with the remaining gas in it, and it was like a Molotov cocktail. I’m throwing fire, I’m kicking the jug through the backyard, setting the whole backyard on fire. I did not do risk assessment very well that day. So, in a simple form, of course, the fire that came after my dad got home was worse than the one that had happened in the backyard.
Today we’re talking about risk assessment. Leita, tell us just simply what is risk assessment. Then I want you to get into how you apply this idea of risk assessment and performance audits. And if you will, for the uninitiated like me, just tell me what a performance audit is before you do that.
Leita Hart-Fanta:
Alright, sure. A performance audit looks at or can answer questions not financial in nature only. This story will probably ball everything all up into one piece.
So, I’m working with a legislative auditor in another state, and they audit a sheriff’s department, right? Now, they could do a financial audit. They could look whether the sheriff’s department’s financial statements are accurate. They could look at whether budget transfers are approved. Or they could look at whether the prisoners who have recently been incarcerated are surviving the first three days of incarceration. That’s actually a problem occurring around the country where prisoners are dying within three days of incarceration because they don’t receive the appropriate medical care.
A performance auditor can look at things that are more… I don’t know if the word is compelling. I’m going to use the word compelling. Because when a performance auditor looks at risk assessment, they ask, “Could this audit subject trigger death, injury, shame, loss of money, not achieving our goals?” They could look at whether the prisoners are cared for or at whether foster children are safe. They could look at whether the police are using force inappropriately. But they use the same process and methodologies that you use on a financial audit. They just have a different subject matter and different criteria.
Because there are laws around what happens to foster children. There are laws around what happens to police use of force. And so, the auditor doesn’t use GAAP as their criteria. They use these laws as their criteria. But it’s the same process. I used to be a financial auditor and my skill set just transferred right into performance auditing. It’s the same skill set.
Charles Hall:
Yeah, if you just give us an example using risk assessment in regard to one of these that you just listed.
Leita Hart-Fanta:
Sure. We could take foster care, for example, and what you might do, there’s a lot of different ways to approach the subject. I actually am a CPA, and so I’ve got the same financial picture in my mind that you do of how to take the elements of the finding and the notes and divide the subject up and then decide where the risk is, what’s the highest risk account, and where are we going to have a problem? So, I can do that in my sleep, because of the training I had for so many years.
But, on a performance audit, you have to approach the subject matter and have a fresh take on how to divide it into little pieces so that you can run it through the inherent risk assessment part. So, on the foster care system, that’s a big subject matter, right? Lots of different parties involved.
Risk Assessment Steps
First, you have to map who’s who. Then you have to understand the process, the basic process. Then you take those steps of the process, and you take each step and you ask, “What could go wrong?” and “So what?” in this step.
Let’s say the steps sound something like determine which child, and I’m kind of making this up. I haven’t looked at foster care in a long time. But determine which child needs to be in custody. The second step would be work through the courts to take custody of the child. Step three is find a family who’s appropriate for taking care of the child. The fourth step: place the child. Step five, go visit, make sure the child’s okay. Step six, provide resources, make sure the kid graduates from high school. Whatever those steps are, right?
So, you take each of those steps and you go, “What could go wrong?” Now let’s take that family bit, assign it to a family. What could go wrong is a family is not appropriate. The family’s criminal, they’re abusive. So, you ask, okay, so what are the controls that make sure, just like you do on a financial audit, what are the controls that make sure the family’s appropriate? Well, we do a background check is what they’re supposed to do. And then you audit to see if the background check is actually happening.
What risk assessment does is it takes all the possible places you could go as an auditor, and it hones in on what’s important, the most significant part. Because you can’t, as an auditor, you cannot look at everything. You just don’t have the resources or the time. And so, what risk assessment does on a financial audit and on a performance audit is it just helps you focus on, what do you mean they’re not getting background checks like that. And then you write a finding and test to support it.
Charles Hall:
What does a performance report look like? Once you do the risk assessment you go through, do the steps, what does a performance report look like, and who do you give that to?
Leita Hart-Fanta:
Yeah, so if you’re working for the state, I used to work for the state legislative auditor of Texas, you give it to the legislature.
And it could have a little bit of background on what is the foster care system, but then it will have findings. For you all familiar with the single audit, you have the findings. Okay, we’re using the five elements. It’s the same five elements that you use on a performance audit. And it could be super short. Or if you’re working with a performance audit team that likes to tell a little bit more of a story and add a few more details, it could be a little bit longer. But it’s the same five elements. It’s the same. You have an objective and a conclusion. Okay.
So, on a financial audit, your objective is presented in accordance with GAAP, and you conclude, yes, they are. On a performance audit, it’s like, are the foster, are we getting background checks for the children? No, we’re not. Here’s the finding. Here’s why it’s happening. It’s basically a similar format. You just don’t have financial statements in there.
Charles Hall:
And that’s almost weird to me as an audit. I’m a financial statement guy. So, after you do a performance audit in the first year, I guess would you do it a subsequent year and see that these things got corrected?
Leita Hart-Fanta:
You do not have to, under Yellow Book standards, have to follow up. Now under IIA Standards, Institute of Internal Audit Standards, which a lot of performance auditors follow those standards in tandem with the Yellow Book. Yes, you do have to follow up.
Charles Hall:
I see.
Leita Hart-Fanta:
But really, it’s the responsibility of management to do something about it or the legislature, city council, the county commissioner, the school boards. It’s really their gig to make sure the foster kids are fine.
Charles Hall:
Are you seeing more and more CPAs do performance audits? I mean, I myself, I’ve never done a performance audit, but it sounds like an evolving area. Yes?
Leita Hart-Fanta:
Well, I don’t think it is common for CPAs to do it. I do think it is common for internal auditors and government entities, for regulators, for inspector general functions. At the federal level, it is what they do. They don’t do financial audits. They do this kind of work. So, the two don’t cross.
Charles Hall:
I see. Yep. So, it sounds like this is mainly done by people within the government. Yes?
Leita Hart-Fanta:
Yes. Okay. Yes.
Charles Hall:
Okay. But I guess you could go outside the government. It just sounds like it’s more done by people inside the government.
Leita Hart-Fanta:
Well, I also work with corporate internal auditors and corporate internal auditors call them operational audits, but it’s the same thing. So, what does Walmart want to know? I worked with Walmart for many years. Walmart wants to know that the food it sells is safe and doesn’t make people sick. That’s not a financial audit, that’s a performance audit, that’s an operational audit. So internal auditors do that kind of work as well.
Charles Hall:
That’s really interesting. It sounds like you could do this on almost anything.
Leita Hart-Fanta:
You could, as long as you’ve got some criteria to go off of like a law or regulation, a policy, a standard. Something that you could evaluate your subject matter against, you’re golden. You can do it on any subject matter you want.
Charles Hall:
Sounds good. Any last thoughts about performance audits? We’re going to shift gears here in a minute and talk about financial risk assessment in the financial statement audits. Any other comments about performance audits?
Leita Hart-Fanta:
No, I think I have said enough. Why don’t you take the wheel.
Charles Hall:
Let’s shift gears and we’ll talk a little about financial statement risk assessment. And Leita and I, we were talking earlier, we’re both kind of geeky people. So, we get into this kind of stuff for some strange reason, but I love risk assessment.
Now, on the financial statement side, what are we looking for? Well, we want to know whether or not there are any material misstatements in the financial statements. And that could be in the numbers, or it could be in the disclosures. So, we determine what materiality is, and quite often that’s in relation to a number. Your materiality might be, say, $200,000. So, we’re looking for error or intentional misstatements greater than the $200,000. Doing risk assessment rather than walking out, dropping a match in the gallon of gasoline.
I’m going to step back and I’m going to look at the financials and I’ll ask myself, where might material misstatement occur?
And there are certain places when you do governmental audits, as long as Leita and I have, there are certain places where misstatement might occur. One of those places that I’ve seen throughout my career is in accounts payable. So often accounts payable is understated. The risk is that accounts payable would be understated. And because of that risk of understatement, I’m going to plan a response.
So, in the performance audits, Leita was talking about certain responses to the risk. You’re doing the same thing on the financial statement. So, on accounts payable, well now I’m going to do a search for unrecorded liabilities to make sure that that misstatement is not present.
SAS 145 is effective NOW
We have SAS 145, which the AICPA has issued. And let me ask you the question, when is this effective? Well, it’s effective now. So, December 31, 2023 audits, you’re in the soup. You need to be applying SAS 145, which is a new risk assessment standard. And it has some new definitions. You want to look at those definitions in relation to relevant assertions, significant risk, significant classes. And look at the standard. If you’ll look at SAS 145, there’s actually a definition section in the front side. Look at those definitions. If you need more information, you can go check out my article on CPA Hall Talk at cpahalltalk.com, and just do a search for 145. That article will give you a lot more information about this.
So, if you want to know more about risk assessment, you can contact Leita or me. We’d be glad to try to help you. Any other words, Leita, before we go?
Leita Hart-Fanta:
I do want to say that AICPA is far, far ahead of the Yellow Book when it comes to risk assessment. And so if you do want to study more about risk assessment, I would recommend looking at the AICPA standards versus the Yellow Book for sure.
Want to learn more about risk assessment in audits?
Want to learn more about this topic and earn some NASBA qualifying CPE at the same time? Try the Essential Auditing Skills and Techniques for the Government Auditor course where Leita walks you through a risk assessment for the financial audit, a compliance audit, and a performance audit.
And that wraps it up for another episode of the Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me at leita@yellowbook-cpe.com and I’ll do my best to fill in the blanks. Thanks for playing.