Inherent Risk Factors
In assessing inherent risk factors, the reviewer should consider:
- circumstances arising within the firm (for example, the firm or individual partners have engagements in several specialized industries);
- circumstances outside the firm that impact the firm’s clients (for example, new professional standards or those being applied initially for one or more clients, changes in regulatory requirements, adverse economic developments in an industry in which one or more of the firm’s clients operate, or significant developments in the client’s organization); and
- variances that may occur from year to year, engagement to engagement or, perhaps, from partner to partner, within the firm (for example, inherent risk will always be higher for an audit of a company or organization operating in a high-risk industry than for a compilation of financial statements without disclosure for a company operating in a noncomplex industry; and there are many situations between these two extremes).
Control Risk Factors
Assessing control risk requires reviewers to evaluate the effectiveness of the reviewed firm’s quality control policies and procedures in preventing the performance of engagements that do not comply with professional standards.
When assessing control risk, the review team should evaluate the reviewed firm’s quality control policies and procedures and discuss with the firm whether it considered the guidance in the AICPA Accounting and Auditing Practice Aid, Establishing and Maintaining A System of Quality Control for a CPA Firm’s Accounting and Auditing Practice. The reviewer should evaluate whether the reviewed firm has adopted appropriately comprehensive and suitably designed policies and procedures for each of the elements of quality control in the context of the firm’s overall control environment and the inherent risk embodied in its accounting and auditing practice.
The assessed levels of risk are the key considerations in deciding the number and types of engagements to review and, where necessary, offices to visit. Through the assessment of risk, the reviewer determines the coverage of the firm’s accounting and auditing practice that will result in an acceptably low peer review risk. Engagements selected should provide a reasonable cross-section of the firm’s accounting and auditing practice, with a greater emphasis on those engagements in the practice with higher assessed levels of peer review risk.
Reviewers must document, as part of the Summary Review Memorandum (SRM), the risk assessment of the firm’s accounting and auditing practice and its system of quality control, the number of offices and engagements selected for review, and the basis for that selection in relation to the risk assessment. To effectively assess the risk of the firm’s accounting and auditing practice and its quality control policies, risk assessment documentation should address not only the engagements selected and the reasoning behind that selection, but also the environment of the firm and its system of quality controls. Some factors that should be considered in assessing risk include the following:
- The relationship of the firm’s audit hours to total accounting and auditing hours
- Size of the firm’s major engagement(s), relative to the firm’s practice as a whole
- Initial engagements and their impact on the firm’s practice
- The industries in which the firm’s clients operate, especially the firm’s industry concentrations
- The results of the prior peer review
- Owners’ CPE policies and the firm’s philosophy toward continuing education (that is, whether the aim is to accumulate the necessary hours or to maintain the needed skills and improve delivery of professional services)
- The firm’s monitoring policies
- Adequacy of the firm’s professional library
- Risk level of the engagements performed (For example, does the firm perform audits of employee benefit plans, entities subject to Circular A-133, and others under Government Auditing Standards, HUD-regulated entities, and others with high-risk features or complex accounting or auditing applications?)
- Any major changes in the firm’s structure or personnel since the prior peer review
Inherent risk and control risk directly relate to the firm’s accounting and auditing practice and its system of quality control, respectively, and should be assessed in planning the review. Based on the combined assessment, the reviewer selects engagements for review and determines the scope of other procedures to reduce the peer review risk to an acceptable level. The lower the combined inherent and control risk, the higher the detection risk that can be tolerated. Conversely, a high combined inherent and control risk assessment results in a low tolerable detection risk and a corresponding increase in the scope of review procedures.
See Section 3100 Supplemental Guidance for an example of an appropriately documented risk assessment in the SRM.