Design Your Audit to Achieve a Low Assessed Level of Control Risk

Thanks, again, AICPA for your wacky legalistic language. When I hit this sentence in the standards, I get so annoyed… October 1, 2009 Audit Guide Government Auditing Standards and Circular A-133 Audits section 9.22… the auditor should plan the test of internal control over compliance for major programs to support a low assessed level of control risk for the assertions relevant to compliance requirements for each major program. “

Why don’t you just say that on a Single Audit you must gain an understanding of controls and you must determine if they are well designed and implemented. Why don’t you just say: “Document and test controls. PERIOD”? Why do you have to be so vague and legalistic?

Are you trying to hide something? Trying to keep the average person from becoming an auditor? Look, you really don’t have to worry, AICPA. Not many people dream of being an auditor when they are in fifth grade. Most auditors don’t even want to be auditors. It isn’t exactly like we couldn’t use more help here!

That turned around language makes auditing seem like some sort of science – and it isn’t. All that low, high, moderate hoo-hah and that crazy formula AR=DRxCRxIRxFR is making our work seem like it involves algebra. And it soooo doesn’t.

I do appreciate how the terms inside of that formula let us articulate our gut reaction to areas that deserve our attention. IR (inherent risk) and FR (fraud risk) help us articulate how headline worthy a particular issue is. And CR (control risk) lets us articulate how good of a handle we feel the client has on the area. IR,FR, and CR combine to tell us how messy the client is and then DR says how we respond to that mess as auditors. In more messed up the client is, the more we have to work it to get assurance that everything is OK.

But when the standards say “Design your audit to achieve a low assessed level of control risk” they are taking away the auditor’s ability to assess, on their own, where the clients controls lie in the spectrum of strong to weak. We don’t get to rate the controls – we get to hit the controls hard, period. So the formula becomes useful only when it comes to inherent and fraud risk.

Does the AICPA talk like this to make up for past mistakes – like the disastrous SAS 55 that caused most auditors to bypass control testing and get right on to substantive testing in the sake of efficiency? Is the AICPA sort of like Toyota – adding a safety package to all of their cars but still unable to admit any wrong doing? Does the AICPA refuse to speak English because they also refuse to have their Tylenol moment where they recall their products?

Even though it sort of negates a significant component of the risk formula, I am glad that the Single Audit doesn’t let auditors get away with bypassing controls. Have you ever paid for a horrible meal in a restaurant that got good reviews? The reviewer obviously did a substantive test on the restaurant – announcing before the meal that they were with the paper and were there to review the restaurant. Anyone can get their act together given enough warning. But controls make sure they are able to get their act together over and over and over. McDonalds, while bland, is also unbelievably consistent. Why? Super-duper controls! The feds, understandably, want good controls in place over their programs so that things work well most of the time, not just when the auditor visits.

So, bottom line – “designing your audit to achieve a low assessed level of control risk” – means work those controls. Work ‘em, baby!