
Risk Assessment

Assessing Peer Review Risk (Standards)

.41 In planning the review, the review team should use the understanding it has obtained of the reviewed firm’s accounting and auditing practice and its system of quality control to assess the peer review risk associated with those areas. The higher the assessed levels of peer review risk, the greater the number of offices or engagements that need to be reviewed. The assessed level of peer review risk may be affected by circumstances arising within the firm (for example, individual owners have engagements in numerous specialized industries or the firm has a few engagements constituting a significant portion of the firm’s accounting and auditing practice) or outside the firm (for example, new professional standards being applied for the first time or adverse economic development in an industry).

.42 When assessing risk, the review team should evaluate the reviewed firm’s quality control policies and procedures over its accounting and auditing practice in relation to the requirements contained in SQCS No. 2. This evaluation provides a basis for the review team to determine whether the reviewed firm has adopted appropriately comprehensive and suitably designed policies and procedures that are relevant to the size and nature of its practice. When making the evaluation, the review team should discuss with the firm how it considered the guidance provided in the AICPA's Guide for Establishing and Maintaining a System of Quality Control for a CPA Firm’s Accounting and Auditing Practice.

Risk-Based Approach to Selecting Offices and Engagements on an Engagement Review

(1997 AICPA Peer Review Administrator Conference material)

Just as the performance of an audit includes audit risk, the performance of a peer review includes peer review risk. The revised AICPA Peer Review Program Standards require a risk-based approach to selecting offices and engagements for review. This approach requires the reviewer to assess the levels of inherent and control risk as the key considerations in deciding on the number and characteristics of offices to visit and engagements to review. Peer review risk is the risk that the peer review team will:

  • Fail to identify significant weaknesses in the reviewed firm’s quality control system or compliance with it;
  • Issue an inappropriate opinion; or
  • Reach an inappropriate decision about whether to issue a letter of comments or about the findings to be included in or excluded from the letter of comments.

Peer review risk consists of the following two parts:

  • The risk (consisting of inherent risk and control risk) that an engagement will fail to comply with professional standards and/or the reviewed firm’s quality control system will not prevent such failure.

    Inherent risk is the likelihood that an accounting or auditing engagement will fail to comply with professional standards, assuming the firm does not have a quality control system.

    Control risk is the risk that a firm’s quality control system will not prevent the performance of an engagement that does not comply with professional standards. Control risk includes the quality control system as well as factors that establish, enhance or mitigate the effectiveness of the system, including management’s attitude and the message it sends to staff concerning the importance of quality work and the firm’s emphasis on quality.

  • The risk (detection risk) that the review team will fail to detect the design or compliance deficiencies in the reviewed firm’s quality control system that either result in the firm having less than reasonable assurance of conforming with professional standards or constitute conditions whereby there is more than a remote possibility that the firm will not conform with professional standards on accounting and auditing engagements.

To properly assess risk, a reviewer must:

  • Obtain a sufficient understanding of the nature and extent of the firm’s accounting and auditing practice to plan the peer review.
  • Obtain a sufficient understanding of the design of the firm’s quality control system, including an understanding of the monitoring procedures performed since the prior peer review.
  • Assess the peer review risk.
  • Use the knowledge obtained to select offices and engagements to be reviewed and to determine the nature and extent of tests to be applied to the functional areas.

The offices and engagements selected using the risk-based approach must still represent a reasonable cross section of the reviewed firm’s accounting and auditing practice with greater emphasis on those offices and engagements in the practice with higher assessed levels of peer review risk.

Engagements selected for review should be those with periods ending during the year under review. If the current year’s engagement is not completed and a comparable engagement within the peer review year is not available, the prior year’s engagement should be reviewed. If the subsequent year’s engagement has been completed, then consideration of whether the more recently completed engagement should be reviewed instead should be based on the assessment of peer review risk. (Team Captain Checklist – AICPA Peer Review Program Manual – page 4800.05)

Documenting Risk Assessment
(1998 Reviewers letter)

Risk assessment should be documented in, or included as an attachment to, the Summary Review Memorandum (SRM). Documentation of the risk assessment should demonstrate that:

  • Appropriate judgment was exercised when assessing the inherent and control risks associated with the reviewed firm’s accounting and auditing practice and its system of quality control.
  • Appropriate consideration was given to the combined assessed levels of inherent and control risk and the firm’s current year’s inspection or monitoring procedures, if applicable, as well as other selection considerations, when selecting offices and engagements to be reviewed.
  • The offices and engagements to be reviewed, inspected, or both cover a reasonable cross section of the firm’s accounting and auditing practice, with greater emphasis on offices and engagements that contribute to a higher assessed level of inherent and control risk to the firm.

The Standards do not require any specific format for documenting risk assessment. Below is a sample form.

Documenting Risk Assessment
Suggested Work Program

| 1. Inherent Risk Factors (Off. / Eng. / Description) | 2. Assessment of Inherent Risk* | 3. Assessment of Controlled Risk* | 4. Assessment of Combined Risk* | 5. Effect of Assessment of Combined Risk and Inspection on the Number and Nature of Offices and Engagements to be Reviewed |
|---|---|---|---|---|
|   |   |   |   |   |

*Indicate level of risk assessment: Low, Moderate, or High.

© 2008 New England Peer Review, Inc Terms of Use