CPA firms may be struggling to properly assess risk and document IT risk assessments, according to information compiled by the American Institute of CPAs from recent peer reviews.

In a blog post, the AICPA Peer Review Team shared trends gleaned from recent peer reviews, including firms’ difficulties with risk assessment.

Among the most common areas of non-compliance noted by peer reviewers are:

  • Failure to assess risk at the assertion level. Does the financial statement assertion have a reasonable possibility of containing misstatements that would materially affect the statement?
  • Failure to obtain an understanding of the internal control environment. Some firms are avoiding documenting auditees’ internal controls by assessing control risk at the maximum level.
  • Failure to complete or document an IT risk assessment. IT risk assessments are frequently incomplete or entirely undocumented, often alongside a failure to document internal controls.

“The purpose of the risk assessment standards is to identify and assess the risks of material misstatement -- due to fraud or error -- at the financial statement and relevant assertion levels,” institute vice president of ethics and practice quality James Brackens, CPA, CGMA, wrote in the blog. “The risk assessment should provide an understanding of the entity and its environment, including the entity’s internal controls. It should also act as a basis for designing and implementing substantive audit procedures.”