Armanino Blog

Evaluate Your Risk of Material Misstatement

by Jeremy Sucharski
June 15, 2012

You will be hearing more this year from your external auditor about one of the newer regulations PCAOB has enacted: Auditing Standard Number 12 (AS 12).The title of AS 12 is “Identifying and Assessing Risks of Material Misstatement.” It greatly expands on brief information included in Audit Standard Number 5 and is effective for all audits of fiscal years beginning on or after December 15, 2010. The standard establishes the requirements and expands guidance for your external auditors to identify and assess risks of material misstatements in your financial statements. External auditors of public companies are responsible for performing the risk assessment procedures outlined in the standard. Even though AS 12 has been in place for a year, 2012 may be the first year it is highlighted in your external audit, due to the increased scrutiny on  audit firms during PCAOB inspections.

Key Points from AS 12

  • AS 12 is a 74-paragraph standard that discusses six specific risk assessment procedures your external auditor must follow as part of an integrated audit. They are:
  • Obtaining an understanding of the company and its environment;
  • Obtaining an understanding of internal control over financial reporting;
  • Considering information from the client acceptance and retention evaluation; audit planning activities, past audits and other engagements performed for the company;
  • Performing analytical procedures;
  • Conducting a discussion among engagement team members regarding the risks of material misstatement; and
  • Inquiring of the audit committee, management and others within the company about the risks of material misstatement.i

Impact to Your Company
If you are a public company, then you already conduct some level of risk assessment to support your SOX compliance and you may already be evaluating the six items noted in AS 12. Regardless, your external auditor will perform the six procedures to assess your company’s risk of material misstatements. Ideally, the auditor can leverage the work your internal audit has produced related to internal controls. By optimizing your risk assessment program internally, you can drive value for your company by seeking discounts when your external auditor relies more completely on your internal audit.

If any risks are identified, AS 12 directs that they be further evaluated to determine if any qualify as a significant risk. Some examples of significant risk include:

  • The likelihood and potential magnitude of misstatements;
  • Fraud risk, which is a significant risk;
  • Risk related to recent significant economic, accounting or other developments;
  • The complexity of transactions;
  • Significant transactions with related parties;
  • The degree of complexity or judgment in the recognition or measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
  • Significant transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to their timing, size or nature.ii

Be Proactive in Assessing Risk—and Save Money
One of the benefits of having AS 12 and similar standards published is that you now have better guidance for the performance of risk assessment and the steps you can take to prepare. If your company incorporates the six risk assessment procedures outlined in AS 12 into your internal audit process, you can get ahead of the curve. How?

By identifying risks for material misstatements on your own, you can take corrective actions prior to an external audit. And, by making your internal audit information available to your external auditor, you can save time and money. AS5 allows for external auditor reliance in the planning and execution of their audit procedures, including risk assessment. The external auditor should be able to leverage your internal audits and therefore won’t have to spend as much time going through their own risk assessments. The percentage of your work that can be relied on varies, so check with your auditor.

Getting Started
You most likely have some level of risk assessment in place, so begin by comparing your existing process to AS 12. Review the content of AS 12 in detail. Leverage the knowledge of your internal audit team or your external auditor to understand AS 12 and integrate its processes into your risk assessment procedure.

Be in touch with your external auditor early and often. You are probably already in contact on a regular basis, but be sure you ask questions and listen to the advice offered. Your external auditor can’t give you all the answers because of independence requirements, but their guidance, when applied, can help maximize their reliance on your internal audit work.

And don’t be afraid to talk with your external auditor about how much of your audit work they can rely on in their work. The more professional and thorough your audit work, controls and documentation, the more likely your external auditor can reduce the amount of work they must do. That saves you money and time, because you are paying for less of their time and spending less time working with them on your audit.

Risk assessment and mitigation are ongoing processes. Businesses are evolving; marketplaces are evolving; and standards and regulations are evolving. By looking closely at your company’s processes in your internal auditing or internal control evaluation work, you can save time and money, protect business and investor interests and ensure your company’s solid reputation well into the future.

Developing an Internal Risk Assessment Procedure

If your business does not have a formal risk assessment procedure in place, it would be beneficial to develop and implement one. Risk assessment has many benefits for companies, including helping with future planning, saving money and gaining operational benefits. Take a top-down approach, beginning with business strategies and drilling down to track an individual transaction through your system. The resulting internal audit report should be shared with executive leadership.

Some things to consider including in your risk assessment procedure are:

  • Understanding of your company and its environment
  • Understanding of the nature of the company Selection and application of accounting principles, including related disclosures
  • Understanding of company objectives, strategies and related business risks
  • Understanding of company performance measures Understanding of internal control over financial reporting (ICFR)
  • Assessment of fraud risk
  • Assessment of risk of material misstatement.

Consult your internal audit team or your external auditor if you have questions or need assistance developing a risk assessment procedure.

i Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement. Public Company Accounting Oversight Board
ii Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, 71: a-g. Public Company Accounting Oversight Board


June 15, 2012

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News & Insights
Armaninos 10th Anniversary Reception in Chicago
Live Event
Rooftop reception to celebrate Armanino’s 10th anniversary with the firm’s supporters and friends.

September 29, 2022 | 02:30 PM - 05:30 PM PT
Nonprofit Symposium 2021
Live and Virtual Event
Nonprofits - Get Back to [Focusing on] the Future

September 29, 2022 | 08:00 AM - 12:00 PM PT
Workday Adaptive Planning 2022 R2 Release
Learn about Workday’s newest features and enhancements.

August 30, 2022 | 10:00 AM - 11:00 AM PT