Why Risk Assessment Anchors Effective, Efficient Audits

High-quality risk assessment goes beyond compliance—it’s what turns an ordinary audit into a well-coordinated, insight-driven engagement. Building habits that connect early decisions to later findings ensures quality, efficiency, and lasting improvement.

Q: Is it possible to overstate the importance of risk assessment in performing an efficient, effective audit?

A: Probably not!

Even before the significant standards updates in SAS 145 (now officially AU-C 315), it would have been difficult to overstate the importance of risk assessment. So why do peer review and internal inspection results continue to reveal deficiencies in risk assessment as a common issue?

The answer includes many factors. Consider these explanations:

• Auditors feel unsure about how to perform high-quality risk assessment procedures, due to limited training, ineffective feedback, or knowledge gaps stemming from the pandemic.
• Auditors may be unfamiliar with risk assessment documentation requirements—unsure of what “good” looks like. Firm templates help, but newer auditors may over-rely on them instead of tailoring to the industry and the client.
• With talent pressures and increased scrutiny on assurance services, many auditors argue they lack time for a deeper dive into risk assessment, questioning whether the benefits will outweigh the costs.
• Teams adopt a “set-it-and-forget-it” approach. All risk assessment effort is concentrated at the beginning of the engagement. New information emerges as the audit progresses, but those valuable insights never make it back to the risk assessment section.

The solutions

Avoid the “set-it-and-forget-it” approach

Risk assessment isn’t a one-and-done planning task. Instead, it’s an iterative process. Decisions made early must be revisited and re-evaluated as new information is obtained. Many missteps in risk assessment arise when information discovered later is not carried back to earlier decisions made about assessed risk and tailored risk response.

In 20-20 Services Audit Level Training, we emphasize strong linkage between assessed risks and risk response, reinforcing the mindset that “all roads lead home to risk assessment.”

We discuss that risk assessment should be re-visited whenever the auditor:

• Learns new information about a significant, unusual transaction
• Finds exceptions in a substantive sample
• Discovers unexpected results in an analytical procedure
• Identifies a misstatement
• Identifies a deficiency

Through training, methodology design, and effective supervision and review, auditors should ensure all relevant information cycles back to the risk assessment process—from planning all the way to issuance.

Practically apply the guidance from SAS 145

SAS 145 offers guidance to drive better decision-making and documentation, including:

The spectrum of inherent risk: When depicted graphically and used in training—especially alongside the updated inherent risk factors—this concept provides a helpful framework for making decisions about inherent risk. For auditors who found High/Moderate/Low hard to justify or explain, the spectrum of inherent risk clarifies the thought process.

Updated inherent risk factors: Auditors often mix up inherent and control risk. The updated factors clearly segregate the information that should be considered when assessing inherent risk – and the information that should be excluded from consideration. Under SAS 145, the list is shorter—five factors—easier to recall and useful for planning meeting discussions.

When training on these concepts at 20-20 Services, we aim to provide an overview and dive more deeply into practical examples that link the concepts to workpapers used and decisions made by auditors on-the-job.

Create a culture of celebrating unusually good risk assessment

Find ways to publicly celebrate success to 1) set the tone that high-quality risk assessment matters and 2) teach specific techniques for effective risk assessment. Use internal recognition programs or intranet sites to share examples of great risk assessment documentation, including snippets of workpapers or passages of well-written documentation. Find multiple communication formats, such as webinars, email newsletters, annual training, and one-on-one discussions with engagement teams. If you feel like you’re talking about risk assessment too often, that’s likely the right frequency!

Why it all comes back to risk assessment

High-quality risk assessment leads to more effective, efficient audits—but improving decision-making and documentation requires behavior change and a concerted effort to show auditors what good looks like. We’d be excited to consult with you on making it happen.

At 20-20 Services, we’re CPAs passionate about changing behavior through learning and development. If you’re ready to take a fresh look at your approach to risk assessment, reach out to Bethanne Chapman (Director of Audit Learning) at bethanne.chapman@20-20services.com.

Our updated, CPE-eligible workshop—The 20-20 Audit Lab—helps auditors at all experience levels re-center on the value of risk-based auditing and its impact on audit quality and efficiency. The content and length can be tailored to your team.

Unlock the power of risk assessment and tailored risk response with Audit Planning Meeting Facilitation. Led by experienced facilitators and highlighting risk assessment best practices, this day-long session helps your professionals reassess a real engagement, including:

• An in-depth understanding of the entity
• Expanded consideration of the IT environment
• Extensive discussion of risk assessment concepts in the context of the selected audit
• Critical assessment of designed responses to risk for specific audit areas
• Identification of project management challenges and potential solutions

If you’re interested in strengthening your team’s audit efficiency and decision-making through stronger risk assessment practices, explore 20-20’s Risk-Based Auditing course.