There may be errors in spelling, grammar, and accuracy in this machine-generated transcript.
Abdullah Mansour: Hi everyone. Welcome back to the show. I'm your host, Abdullah Mansoor, and today we're unpacking one of the most critical audit phases risk assessment. Our expert guests as always is Sam Monsour, CPA. Sam, I want to kick this off with a bold question. How serious are the consequences of poor risk assessment? [00:00:30]
Sam Mansour: Yeah, well, thanks for having me again. Um, you know, the the consequences I would say are are pretty significant because a lot of our audits are driven by risk. And so if we don't get the the risk assessment right, it can lead to a lot of issues, you know, throughout the audit process. And even at the end when you issue your final audit report. Um, it might not be up to standards. You might have missed some critical things. And it all starts with the risk assessment process. So [00:01:00] the risk assessment really drives the entire audit approach. And if you misidentify or overlook specific audit risks, your your testing could be misaligned and you could waste time. But even more concerning, you might miss material misstatements. And especially if your engagements are subject to peer review. Uh, that could be a big problem because the foundation of your audit is now not sound. And there's different [00:01:30] procedures you perform throughout the engagement that could be compromised because of an incorrect risk assessment.
Abdullah Mansour: Yeah, that totally makes sense. And you said before that some audits are doomed before the fieldwork even begins. Is that what you're referring to?
Sam Mansour: Basically, yeah. I mean, because you haven't you haven't started the audit process completely, right? You haven't jumped into selecting samples and testing and inquiries and, you know, so you're kind of in that preliminary Leary stage. And so when we say, you know, the audit could be [00:02:00] doomed, um, because there's this, there's this seed pre pre field work. Right. And you're in your planning stage. There's a seed that if it doesn't get planted properly, if it's not cared for properly which is the risk assessment. Um yeah it does set you up for failure. And so you know the risk assessment phase, as I mentioned before, does set the foundation. So, you know, if you're rushed or if you, you know, have superficial planning, [00:02:30] that foundation becomes weaker, the audit foundation becomes weaker. And it becomes very difficult then to do proper testing throughout your engagement. So many teams view planning just as a compliance step and not as a strategic one. And I find that, you know, especially when we're up against budget constraints, time constraints, um, sometimes at the higher levels of the firm. There's going to be this pressure on the team to kind [00:03:00] of hurry up through the audit process. Right. So maybe they don't push the team to to to speed up through the planning stage, field work stage. But they might push the team to be efficient, uh, in the planning and risk assessment phase, which then could result in some rushing. And I've seen that in my career where we we devalue the risk assessment phase. We think of it as, oh, you [00:03:30] know, it's risk assessment. It it's a textbook thing. Let's just check some boxes and move on.
Abdullah Mansour: But really it's a good foundation for for an audit. Is that kind of what you're referring to 100%.
Sam Mansour: Yeah. Yeah. And I think if you look at it in terms of just being a check box, a compliance thing, uh, then you're, you know, the way you're treating it, uh, from that lens could have a very either positive or negative impact on your audit. And unfortunately, I think a lot of [00:04:00] teams tend to kind of devalue the risk assessment phase of things.
Abdullah Mansour: Kind of pencil whip it where it's something that's actually extremely important to, I guess, again, the foundation of the of any audit, which totally makes sense.
Sam Mansour: Exactly. Yeah. And that's actually the term that I have. You kind of jog my memory probably about ten, 12 years ago. You know, I had heard that term pencil whipping because people are just so quick to just to just get through them.
Abdullah Mansour: Just get it over.
Sam Mansour: With. Kind of a mindless activity. Yeah. But but they're, they're, you know, the [00:04:30] risk assessment process is there for a reason.
Abdullah Mansour: Yeah. That totally makes sense. If you don't mind, let's kind of break that down a little bit more. Um, and I'd like to ask, what are the most common mistakes, uh, you see during, like, risk assessments?
Sam Mansour: So if the risk assessments are generic, you know, we use templates. Um. They're not customized or specific to that client. That's when we can really start to get into trouble, because when we're performing our walkthroughs, [00:05:00] we're we're not tailoring them to that, that client, that's a kind of a big issue. Um, another one would be simple, uh, simply copying the prior year risk assessments. A lot of auditors tend to get into this habit to become more efficient with their time. Right. You go look at the prior audit file. You say, what do we do last year? You copy it over this year with some minor adjustments, and you almost become a little complacent. A little lazy, to be honest, in that rollover from the prior [00:05:30] year to the to the new year. Whereas if it was a brand new client, maybe you. Well, actually you're gonna have to start from scratch, right? So you're not going to have any.
Abdullah Mansour: Yeah. Oh yeah. Of course. Yeah.
Sam Mansour: But if but if a file existed in the past, it's easy to roll it over into the current year and just.
Abdullah Mansour: Copy and just copy and paste essentially.
Sam Mansour: Exactly. And as a, you know, in my my role reviewing work papers, you can definitely tell when they've been copied from the prior year, because you can see work paper references that don't make [00:06:00] any sense. You're referring to the incorrect year. You're referring. You're referring to people that that aren't even there anymore.
Abdullah Mansour: So yeah.
Sam Mansour: It's pretty clear that it's been rolled forward. And it's also very clear that that no one read through it. So they just kind of roll forward and maybe update a couple, you know, easy to catch dates and some names and then they just move on. But they forget that, you know, it's littered with information that's outdated.
Abdullah Mansour: It's another form of pencil whipping essentially.
Sam Mansour: Exactly, exactly. [00:06:30] And and it's a big danger and risk if you have some kind of an oversight of your audits by an external party. So like, again, let's just say peer review. Let's say they're peer reviewed and they come in there. So let's say you're a peer reviewer. You come in there, you open up the audit file and you look at some of these risk assessments. And you're like, it's crystal clear that they just rolled this from last year and they didn't even look at it. Yeah, I mean as a peer reviewer or you know, if you were to think if you're listening to this, this episode as an auditor, if you're looking at [00:07:00] documentation where it's clearly rolled from the prior year, minimal to no thinking has gone into it as an auditor or as a peer reviewer auditing another audit firm. You're probably going to be pretty strict when you're looking at the rest of that file because you're like, clearly these guys are just rolling from the prior year and they're not doing they're not even looking at it.
Abdullah Mansour: Yeah, that makes sense. And I've seen that before too, in my career in global supply chain, where they just copy and paste and it doesn't quite work out as well as they would hope. Um, [00:07:30] but teams sometimes just copy the prior year. We just discussed what's a better approach, uh, to your walkthroughs, would you say?
Sam Mansour: Uh, you know, I think you could definitely utilize the prior year's information as a great guide and tool for this year, because when you start from scratch, you're having to learn everything about the client. And so. So in that case, you are at a little bit of a disadvantage because you're having to learn everything from new. So [00:08:00] having that prior year documentation is really nice, but you have to be careful. You have to be thoughtful and mindful about what you're working with. And so when you're when you're rolling that information forward, roll it forward. Fine. Right. But try to kind of take a little bit of a fresh perspective on this year. Right. So so so kind of do a little bit of mental reset and say, okay, um, I roll the documentation forward so I'm not having to retype everything now. [00:08:30] What are some of the critical areas in these walkthroughs. Right. That I should be paying attention to or asking about this year? So you have a leg up because you have all the documentation, but also you're highlighting some of those critical areas. And another big thing too is, you know, you want to make sure that you're including some of the key team members, okay, because they might have information about the client from the prior year about some of the changes in the [00:09:00] current year. So sometimes if you just kind of get in the habit of rolling the file from the prior year yourself, updating everything, thinking that you have a, you might have a general idea of what's going on, but maybe you don't have a detailed idea. So sometimes bringing in the team could help you. So you're not just updating this yourself, right? Maybe assign out different sections of that. The risk assessment.
Abdullah Mansour: Sure. Okay.
Sam Mansour: File and say, hey, could you guys take a look at this. Could you read this. So so that way it actually gets care and attention not just by one person but by different people on [00:09:30] the team. Uh, another big issue would be failing to identify, uh, sorry, failing to directly link identified risks to targeted audit procedures. So once we've identified some of those risks, now we're going to link them to the procedures that we're going to perform in the field. And maybe last year we identified some risks and we linked them to procedures that might not necessarily be the case this year. Maybe we did that last year. And we found, hey, when we link them to those procedures and we went out and did that testing, there was nothing [00:10:00] there. It was a low risk area. It wasn't there wasn't anything wrong there. You don't want to just copy paste that into this year and then just identify those risks and then do those same procedures. Right. Unless they're required by some kind of standards. Yeah. Make some adjustments to that.
Abdullah Mansour: So you're saying you can copy and paste it. You just have as a skeleton, but you just have to walk through it kind of. It's almost like copying pasting it and then walking through it in detail again to make sure that you are covering all the aspects and you actually covered them before you walk into your [00:10:30] walkthroughs, essentially. Is that kind of what you're getting at? Kind of the, I guess the recap?
Sam Mansour: Yeah. And kind of maybe a little pro tip, uh, I would always recommend or advise the team. Our audit teams to have you know, we talked about this a little bit in the last episode, but standardized documentation as much as possible because.
Abdullah Mansour: Oh yeah.
Sam Mansour: What you could do now is when you go into those risk assessments, there are some areas that probably going to change. Um, you know, like people [00:11:00] in their positions that, you know, they're a good chance that might change from year to year. There are some things that are absolutely going to change, like dates, right. When we're conducting inquiries and things like that. So I like to highlight those things so that they're not just buried in pages and paragraphs of information. Um, there's some other areas that like for example, if you're describing okay, this business is in the farming industry. Okay. Well that's most likely not going to change, right. So that's pretty safe to leave that the way it [00:11:30] is. But then back to the example of, um, you know, a certain position, a person in a certain position. Well, we want to keep those easy to find so that when we're going through our documentation, we can easily pick them out. But if we're burying their name in paragraphs of information, it's really difficult to find and update. So what I, what I like to do is say, hey, I interviewed XYZ person and this is their position in the documentation. I don't like to then refer back to that person's name again, [00:12:00] because then it's like, oh, I find that person's name throughout the documentation now, right? But if I refer to a specific position, I could just keep that position, maybe go and update my inquiries this year and say, yeah, you know what? Basically they said, what was the procedures that were in place last year are essentially the procedures that are in place this year. But but the person that's in that position has changed. So I can for the most part, keep my inquiries the same. But then just note that I talked to a different person this year. So, so [00:12:30] keeping it easy to update, uh, even if you are reading it in detail, sometimes we miss things, so that that helps a lot.
Abdullah Mansour: Okay. We talked and we touched on this a little bit about, uh, risks to procedures kind of linking them together. But how how else do audit do auditors typically fall short there? Is there anything else you have on that topic you want to touch on?
Sam Mansour: Um, from identifying the risks of the procedures. Yeah, I would say that if we are um, [00:13:00] maybe general or vague in or generic in our identification of risks, it then will result a lot of times in, in generic, uh, general audit procedures. Right. So, uh, that just kind of comes back to the customization to the specific client, uh, you know, in identifying those risks, because then it then it then dictates what procedures we're going to perform.
Abdullah Mansour: Okay. That totally makes sense. So [00:13:30] we talked about the documentation side of it and maybe more the technical piece of it. But what about the I'm curious about the human side of things. Sometimes juniors are assigned a walk through. Is that is that a mistake in your opinion?
Sam Mansour: Um, not necessarily. You know, this is kind of an interesting question to ask, because audit teams want to try to be efficient and budget conscious, and that means you can't send the partner out to do all things [00:14:00] on all jobs. Right? You're gonna have to leverage cheaper, to be honest, cheaper junior level team members. And so you're going to have to send them out to help out with some of these things. Right? You're gonna have to train them and then you have to send them out to do that. Definitely the issues can come in in the place that they sometimes will maybe see something or hear something, and it won't raise a red flag in their mind because they're just not used to seeing [00:14:30] that. Like they haven't seen it as a, as a as a problem in the past. So they don't know that it could turn into a problem.
Abdullah Mansour: How they know it's an issue now. I see okay. That makes sense.
Sam Mansour: Yeah. I mean, what they're relying on is their own logic, their own, you know, education, their background, what we've trained them on. Sure. So where if they look at something, they say this is a problem. Right. But but sometimes you need experience to tell you, you know, you're looking at ten different things [00:15:00] and eight of them are going to be a problem and two of them are not. Sometimes experience is needed because, uh, a junior person might say of the ten, three are going to be a problem and you're like, dude, you're missing five of these, right?
Abdullah Mansour: Yeah, yeah.
Sam Mansour: So when it comes to that.
Abdullah Mansour: Yeah. How do you kind of connect those two then with having wanting a junior person to do it? Maybe. But they don't have the experience required to do it properly. How do you kind of bridge that gap?
Sam Mansour: It's good to pair them up with someone that [00:15:30] has the experience. And so someone that can kind of operate as a guide, as a mentor, as a, you know, ultimately responsible for what's happening. That's what we want. Uh, so, like, let's say you're sending out an audit team and you have a staff entry level person, pair them up with someone that's maybe a senior level person that has at least a couple of years of experience doing this work. And so then maybe that junior person goes out and does the inquiries. Maybe they go out alongside the senior person. They watch them ask the questions. [00:16:00] Then the next time you go out into the field, the junior person, now they take the lead in asking the questions, and the senior person kind of fills in the gaps, you know, so, so kind of more of a slow approach. And then once that senior person feels, hey, you know, I think this junior person kind of they got it. This is easy. They know they're really good at this. They know what they're doing. Maybe pair them up with another senior person to kind of get a different perspective. Yeah. Because sometimes people say, hey, you know, they're good, but they're not.
Abdullah Mansour: So kind of like a mentorship [00:16:30] program, if you will.
Sam Mansour: Exactly. Yeah. Instead of just throwing them out there, which a lot of people, a lot of firms will tend to do that instead of just throwing them out there, having it be a slow guided process so that you can leverage the, you know, those lower level team members, not lower level in the sense of like a bad term, but just they're, they're they're, you know, again, you can't have the partner out on every job. So you can leverage those junior team members, but you just have to make sure you're spending the proper [00:17:00] time to train them, to have them observe on site how a more experienced person would do it. Uh, and then have them, you know, continue to be monitored and guided by a senior level person so that, you know, down the road something doesn't get missed. And a good example of this would be, let's say, a junior and a senior person are talking about an approach. The junior goes out and collects information. They come back. They should then have a quick conversation with the senior. The senior should say, hey, did you check on this? Hey, did you hear this? Hey, how did this go? And [00:17:30] then maybe the junior person says, oh, shoot, I missed a couple questions. Well, they could just go back and ask. But if you wait until you're reviewing the work papers after field work and you're like, why didn't they ask about this, this, this and that, which commonly happens when when a higher level, more experienced auditor is reviewing work papers? It's like gut wrenching when a question is asked when we're back in the office, that should have been asked in the field. And we can cure that by pairing up the senior and junior level people in [00:18:00] the field and have them talk about it in the field.
Abdullah Mansour: Yeah, that that totally makes sense. The more we talk about this, I'm kind of, uh, putting together this should be a very collaborative effort then. Is that is that what is that right?
Sam Mansour: For sure. Yeah. I mean, all the way from the partners, all the way down to, you know, the entry level staff. We have a variety of experience levels, education Levels. And so to think that you're going to send one person to do one thing and just leave them alone and, [00:18:30] and say goodbye. That's very kind of more of an individualistic perspective, which, yeah, that siloing of people on the audit team and then having them just worry about their sections and move on. What typically happens, as I just mentioned, is you get back to the office, you have a technical review, or you have a partner, someone looking at the audit file, and then they're just asking so many questions that should have been asked in the field. And that comes back to that collaborative approach. A collaborative approach really brings richer discussions and often [00:19:00] uncovers overlooked areas, because when you start talking to each other in that collaborative environment, especially when you're sitting across the table from each other, sharing ideas, asking questions, lots of stuff gets flushed out. Now, you know, after Covid, there's a lot of these audits that are being done virtually, or at least a good chunk of them are being done virtually, and so you don't have the sit around the table in the client's conference room going through documentation, asking [00:19:30] questions of each other. You have people in their own offices doing work, and you're communicating, you know, via the internet primarily, or people are at home doing it. And so even though we're years past Covid, we've just kind of learned that we don't need to be out in the field 100% of the time. We could do a lot of this remotely. And so that collaborative approach has been a little bit reshaped and redefined virtually, you know, because it now is kind of more that way.
Abdullah Mansour: Oh, sure. Yeah.
Sam Mansour: But but I think sometimes we, you know, we do lose [00:20:00] a little bit of that collaborative nature because we're not sitting across the table looking at each other. And what I have found is that there's it's really hard to make up for the lack of that face to face sit down a whole week in, in a client conference room, looking at each other, reviewing documents. I mean, that is the best environment for a collaborative setting, in my opinion. Uh, so virtually, I think a lot of teams have suffered because collaboration has died or [00:20:30] broken down a little bit. Now that we're kind of more of a virtual in a virtual setting.
Abdullah Mansour: That makes sense. So just like anything else, it sounds like collaboration. Uh, the more collaboration would reduce risks or sorry, mistakes overall. Which totally makes sense.
Sam Mansour: Yeah, because people are talking and you're overlapping and you're sharing ideas. Of course. Yeah. I mean, when you're when you're individualized and in your little silos, it is more difficult.
Abdullah Mansour: Cool. Well, Sam, let's dig into, uh, control environments, [00:21:00] if you don't mind. How often do firms really assess them properly, would you say?
Sam Mansour: I mean, it really just depends on on the firm. Um, control environments can be, uh, more difficult, especially, I'd say, for more entry level team members, Because I found that, uh, you know, even though internal controls is not really, like, a super complicated subject, it's just an area where a lot of people aren't really experts [00:21:30] in or don't really don't really feel very confident with. Um, so when we're looking at control environments, there's a lot of nuances to it that you have to have. Either you have to have a really good understanding of the client's environment to be able to assess that control environment properly. Um, and so, so unfortunately, I think, you know, teams can struggle because again, if you're rushing through the the planning stage, you know, you're you're considering it more of a compliance [00:22:00] activity rather than a value add to your engagement.
Abdullah Mansour: Those yeah.
Sam Mansour: Control environments can suffer because you are using more of a generic approach and you're not really thinking deeply about what's going on.
Abdullah Mansour: And that kind of goes back to not pencil whipping anything, right? You don't want to just assume they're all the same. One size fits all. You want to make sure that each client is different and that you tailor to that client. Is that. Would you say that's correct?
Sam Mansour: Yeah for sure, for sure. I mean, and [00:22:30] there are other factors like for example, um, you know, understanding the tone at the top inside the organization, we hear that it's almost like a textbook statement, you know, what's the control at the top of the organization? But that has a huge impact. Impact. Because if at the client in their environment, if the tone at the top and I've seen this a lot, it's like we don't really. Yeah. Internal controls I mean what's that? Uh who cares? It's just a lot of extra documentation. That's what the auditors care about. We don't care about it. Then [00:23:00] when you go look at how people are doing things, you know, on a daily basis, they're not following controls because it is extra documentation. It is a lot of work. And if it's not at the top, they just don't care about it. Then it does get get neglected. There are other clients that I've been to where the you know, the tone at the top is this is really important. And sometimes I found that the tone at the top is coming from people who have audit experience or some kind of, you know, they maybe were an auditor at one point [00:23:30] in time. And so they really push push on the organization. We need good controls. We need good documentation. We need.
Abdullah Mansour: Oh, interesting.
Sam Mansour: Yeah. And so then it shapes how everybody in the organization, whether it's in accounting or outside of it, how they, you know, interact with, create and maintain those internal control environments. So then taking it back to the kind of the earlier part of our conversation, things [00:24:00] like understanding the tone at the top might seem like a textbook thing, might seem like a compliance question to ask and to document in your work papers. But in reality, it's a really critical thing for you to intimately understand, because that one thing could dictate what that client environment looks like.
Abdullah Mansour: Oh, sure. That totally makes sense. That's really interesting. Do you do you mind giving me an example of a [00:24:30] risk that's often overlooked or mis assessed?
Sam Mansour: Yeah. So like, for example, uh, related parties. Related party transactions. You know, you have a related party to the organization. Um, they're not they're not like like they're not, uh, the meat and potatoes of what you're auditing, right? Uh, a really a related party is someone that you might have some key critical transactions with your organization. They might be connected with the organization somehow. But, you know, we might just kind of hear about them [00:25:00] on the side, you know, but but we don't really spend too much time thinking about them any more than that. Okay.
Abdullah Mansour: Okay.
Sam Mansour: Yeah. We don't ask enough questions there. We don't get to understand what's the relationship like? Who are these related parties? How are they related? What's the nature of some of the transactions that are going on? Because this can be a higher risk area that maybe we just don't really think about too much. Um, instead of accepting a verbal, you know, we [00:25:30] have none. Uh, auditors should dig into board minutes, uh, vendor relationships and, uh, ownership records. You know, a lot of times, uh, especially junior level staff members will say, well, I went out and asked the client, you know, do they have related party transactions? Do they have this? Do they have that? And they just say, no, you know, either because they don't know, like maybe you're asking the wrong person or maybe they are asking the right person, but but they don't think of it in the moment. Or maybe they don't [00:26:00] care. Or maybe, um, it's not a priority to them. So they so, so that then they pass that lack of care onto you and you document that. And then later on, when the workpapers are being reviewed by upper level auditor, the question will be, we know of related parties, why didn't.
Abdullah Mansour: You.
Sam Mansour: Uh, document that? And then the team member says, well, I asked them and the client says we have none, but that's not sufficient.
Abdullah Mansour: Yeah, that makes sense. Yeah.
Sam Mansour: And that's a huge [00:26:30] now gap in your audit file that that you might have to go back to the client. And even though now we're in the review stage of this engagement and the client wants our audit release ASAP, and now you're having to go back and do additional audit work because you overlook something like that. But related parties can be a very critical area. So again, review board minutes, vendor relationships, uh, and ownership records to truly understand do we have [00:27:00] related parties and what's going on. Um, you know, these areas are ripe, I would say ripe from, uh, from a statement, uh, if not properly vetted, documented, looked at, tested and discussed with the client on.
Abdullah Mansour: Okay. And that. Yeah, that makes sense to me. Um, if you don't mind, let's jump into, like, practical tools, I guess, uh, what confirms use to strengthen their risk assessments?
Sam Mansour: Yeah. I mean, I would say implementing dynamic checklists that [00:27:30] focus on deeper thinking, um, you know, like, you know, kind of getting away from the boilerplate answers and language, right? Maybe pushing the team a little bit more to to think, to go out and ask questions. Uh, so like, for example, let's say you had a checklist and it was just like all you had to do was go check the box. Check the box, check the box, check the box, check the box. You know, I think.
Abdullah Mansour: There's some.
Sam Mansour: People that would tend to do that, you know? I mean.
Abdullah Mansour: Yeah, yeah.
Sam Mansour: Uh, not everyone is going to be [00:28:00] thought out. Um, maybe, you know, asking different types of questions that challenge them to go to the client and collect information year over year that maybe they wouldn't have collected. They could have changed last year, or they wouldn't have collected. Or maybe introducing some new questions this year that that didn't exist last year. Even though some of these templates will be updated from year to year. But software is pretty cool now, where it'll roll forward a lot of the answers for you to make your life easier, and it'll say, hey, here are the ones that you haven't [00:28:30] answered. Um, conduct brainstorming sessions with the team at the planning stage. Brainstorming sessions. It's interesting because I've seen them very frequently not done, and I've actually had some more of the kind of nitpicky auditors say, hey, you know, we really should be doing these brainstorming sessions. But what a lot of teams will do is they'll say, okay, you know what? Look, uh, we're going out. We're out and audit this this week fieldwork. We're going to go out next week and do field work between audit and audit and the next audit [00:29:00] and the next audit. They're like, where are we going to find time to sit down and have a brainstorming session. Okay.
Abdullah Mansour: Yeah.
Sam Mansour: But these brainstorming sessions are really important because it gets the team to talk about the upcoming engagement, what's going on. So I would I would encourage like as a firm practice, you know, um, go out and have, you know, that engage the team that's on that engagement the week before the audit, go out and have lunch and you'll see the firm buys lunch. And and you kind of consider that part of your brainstorming activity, forcing people, hey, [00:29:30] look, firm's going to buy lunch, but we want you to go out there and we want you to make sure that you're checking the box on this brainstorming session. If you don't, if you're not familiar with how it should be run properly, go look it up. Go, you know, get it kind of an agenda. Make sure you're hitting on some, some specific things. It might kind of seem like a formal check the box kind of activity, but brainstorming sessions are really great. And if you had it as a firm policy, we'll do lunch before we go out to an audit fieldwork, and we're going to do the brainstorming session there. It [00:30:00] kind of sets like that.
Abdullah Mansour: So that happens before the audit at the end of the risk assessment or during the risk assessment phase. When would you say that that should happen.
Sam Mansour: The brainstorming session.
Abdullah Mansour: Yeah, yeah.
Sam Mansour: I mean, for me personally, I like to kind of pepper it throughout, like not just have it be a one time thing. Yeah.
Abdullah Mansour: Oh, that makes sense.
Sam Mansour: For me personally. And you know, I think maybe there's some audit literature out there about how it should be done. Exactly. [00:30:30] For me personally, I like to do it as a, hey, we're going to go out and we're going to go out and, uh, you know, audit this client in a few weeks. What's going on? You know, have we heard anything from them? You know, has there been any changes of the client? Like just talk about it as a team. Then once we collect a bunch of information from the client, I like to revisit with the team and say, okay, like, what have we learned? You know, um, uh, you know, oh, this person was here last year. They left. It's a key role in and AP. Uh, [00:31:00] why did they leave? They committed fraud. Uh oh. Okay. You know, so I like to kind of keep that conversation going.
Abdullah Mansour: And it kind of goes back to collaboration, right? It's another tool to increase collaboration. Right. So I I've noticed throughout this conversation we keep bringing up, uh, collaboration keeps coming up. And so it sounds like that's another tool you can use to be more collaborative throughout the risk assessment, essentially. And the audit.
Sam Mansour: Yeah. I mean, brainstorming sessions obviously are great for that. For the collaborative side. Um, I would also add [00:31:30] to that like review prior audit findings, industry changes and client updates. So ideally, you know, we're looking through the audit file from last year. We're maybe even like just doing a quick Google of the client seeing you know is there any news about them. I mean it's interesting because a lot of auditors won't even do that. Right? Just just go type in the client name into Google. I've actually I haven't seen that very often where the auditor will go in and just type the name into Google. I mean, you'd be shocked at some of the stuff.
Abdullah Mansour: Oh, really? That's [00:32:00] interesting. I didn't expect that. Wow.
Sam Mansour: I mean, at least I'm aware of it's not on any formal checklist. Google the client, you know. But but it's kind of a no brainer. Why not?
Abdullah Mansour: Yeah. Why not? Get more information. Yeah, that's totally makes sense. What about data analytics keeps kind of coming up in our conversation today. How early should you bring it into an audit.
Sam Mansour: I mean data analytics is becoming more and more and more of a a thing that's being done, I would say, especially with like, you [00:32:30] know, getting to the point of, I mean, imagine what I can do with data analytics.
Abdullah Mansour: Um, oh, gosh.
Sam Mansour: Back in the day, everything used to be on pen and paper. So data analytics can be difficult. Um, you know, when you're, when you're just combing through like hundreds of pages of audit documentation in a physical binder. And then we went to more of the Excel digital format, and now we have AI and AI tools that can do that data analytics. And so for me, you know, being kind of in the space for about 15 [00:33:00] years, data analytics was kind of more of a manual activity, I would say. You know, we put it into Excel. We would run some formulas, um, run some ratios, uh, you know, do some things like that, which I would say is pretty limited. But now it's like, oh my gosh, like the stuff that you could do with that. Data analytics is incredible. And a lot of audit packages now are starting to integrate that. But the issue I found with AI and data analytics is that sometimes, again, it can still be generic. You know, if you use [00:33:30] ChatGPT or any of these AI softwares, if you ask it the right questions, it it'll give you answers. I was talking with, uh, with a group of actually professors at a college here, and they were joking because they said that they were doing some research. And it was a few months ago, and they plugged in their inquiries into AI, and it actually provided them with answers and references. Uh, you know, web links out to the support that was provided. [00:34:00] And so they thought, okay, great. They clicked on the links and they actually went nowhere. And someone else who, uh, this guy actually is interesting. He is the co one of the co-founders of uh, Google Chrome. He said, yeah, you know, the issue with that is that if you ask AI to give you an answer and it must give you an answer, it's going to give you an answer, right.
Abdullah Mansour: Oh sure. Yeah.
Sam Mansour: Depending on the type of AI you're using. And sometimes, you know, if you're forcing it to give an answer, you might not get the answer that [00:34:30] that it's capable of giving, but it's just going to give you something. Yeah.
Abdullah Mansour: Right. Yeah. That makes sense. Yeah. It gives you anything that it can. Yeah. It sounds like has come has come a long way since you've begun your career. Which is really cool to see.
Sam Mansour: Yeah. But see, here's the thing with data analytics, I think you, you have to kind of be mindful of, um, you know, what you're doing instead of just generically relying. I know we use the word generic a lot, but I think a lot of auditors tend to kind of be generic in their approach. And so when you're using data analytics, you want to [00:35:00] make sure that, yeah, let the software do its thing. But then you got to think about it. And you also have to ask yourself, are there other analytics that this AI or this software hasn't come up with that I should probably be thinking about? So, so using analytics during the planning phase, ideally right after the engagement acceptance. So the client says okay, let's go. I always tried to be thinking about data analytics, looking at patterns, looking at you know I think a lot of questions will come out of that. So if you wait to do data [00:35:30] analytics a little bit later on in the process, um, and, you know, I mean, it's still good to do it throughout the engagement, but I think it's really helpful to do it early on when I do.
Abdullah Mansour: Upfront, almost kind of. Right. Like, absolutely. Just start using. Absolutely. Yeah.
Sam Mansour: Yeah. When I do data analytics, uh, a lot of times, like when I'm working with a client, I will say, hey, give me some financial information, your trial balance specifically, and then I will do some data analytics on it, like right from the get go. I haven't [00:36:00] asked them any questions. I don't know really know much about them. Um, but I'll just say just give me your numbers, put it in and it'll flush out a list of things that it that it sees trends in the data. And I'll go look at that and say, wow, this is fascinating. And I'll have maybe like 10 or 15 things that really pop out. Then I'll go in and when I meet with a client, I have context now behind what's going on. And so I have the numbers and now I'm going to hear the story. And so I can now connect [00:36:30] connect them together.
Abdullah Mansour: Oh okay. That totally makes. Yeah. Yeah.
Sam Mansour: So like I said trends spikes missing data. You know it can really kind of point a lot of that out to you. And then this lets you be precise in testing and avoiding wasted time. Right. Because it's telling you where to go. As auditors, we don't look at everything, right. We select areas that we're going to go test and analyze and look at. And so data analytics is a really good tool to drive us [00:37:00] in specific directions. So the sooner you get that going the better.
Abdullah Mansour: Yeah it sounds like it'll make you more efficient too throughout the process, which is really cool.
Sam Mansour: Yeah.
Abdullah Mansour: Well, let's kind of shift gears a little bit. And, uh, let's imagine there's a firm that wants to level up immediately. What are the what would you say are three changes they should make to improve their risk assessment?
Sam Mansour: Yeah. I mean, I would definitely slow down in the planning process and allow for deeper team discussions. I mean, we've talked about this a lot during this conversation, [00:37:30] but spend a little bit of extra time at the onset of the engagement. I think that would help a lot with, you know, deficiencies in the auditors documentation in their own files. So slow down.
Abdullah Mansour: Okay.
Sam Mansour: Second, I would ensure that walkthroughs include a formal evaluation of control effectiveness. You know, make sure your documentation is appropriate. Make sure it's it's custom to the client. Not just the client, but the client. This year specifically, [00:38:00] especially if they're a repeat, uh, make sure that.
Abdullah Mansour: You reassess them essentially. We kind of touch on that at the beginning.
Sam Mansour: But yeah, yeah, yeah. You want to make sure that, you know, it's it's effective. It's documented properly. Um, as documented. Well. And so that would be a big step, right. That's so, so step one is slow down. Step two is ensure the walkthroughs include a formal evaluation of control effectiveness and is documented properly. And then third critically assess each risk and match it to the custom [00:38:30] procedure designed to address it. So so I think sometimes there's a disconnect. You know even though there shouldn't be there's a disconnect between risk assessment and then the procedures that are performed.
Abdullah Mansour: So oh sure.
Sam Mansour: We want to make sure that if we're assessing risk, like, for example, you don't want to have one person assess risk at the client and then another person design the procedures. You know, I mean, you can.
Abdullah Mansour: Yeah, yeah.
Sam Mansour: You can, you can. As long as there's a good communication and good [00:39:00] handoff. And especially if on some massive clients that are just huge, you know that's going to happen. But but there's sometimes there's a disconnect between what we assess as risk and what we what we perform as procedures. So imagine this. And it's also kind of gut wrenching. Uh, you come back after completing field work. Your your audit file is being reviewed and a risk is identified in a checklist, either because you're just pencil whipping it or or you weren't, [00:39:30] but you just just checked the box. And then a technical reviewer says, hey, you identified this risk, but what did you do about it? And that actually could be a very common issue in audit files because a lot throughout different sections we're identifying risks. And then when we identify a risk, we have to be able to address it somehow in our procedures. And that's actually kind of what I've seen over my career, kind of a frustrating area. There's so many [00:40:00] ways to to to identify risks. And you have to make sure that the procedures that you're performing are in sync with those identified risks, and they address them properly.
Abdullah Mansour: Okay. Yeah, that's really helpful. I know you've worked with hundreds of firms. Sam, what would you say separates top performers when it comes to risk assessment?
Sam Mansour: So top performers treat risk. Treat risk assessment as a mindset, not [00:40:30] just a task. Right. They understand that there's value in risk assessments. It's not just a check check box on their list. Their teams are, um, Intellectually curious and not robotic, right? So they genuinely want to know what's going on. Um, but here's the thing. You have to allow for a little bit of breathing room, right? If you say we have half an hour to complete this risk assessment, if you go over budget, you're in trouble. They're going to be robots.
Abdullah Mansour: Right? Yeah.
Sam Mansour: So the environment [00:41:00] at the firm is situated such that they can. And then they connect the dots between client goals, internal controls and audit processes with purpose. So what I mean by that is they're not just doing their one area and then considering it done and then doing the next area and then considering it done. No, they're actually thinking about okay, I'm seeing information here. How does that relate to this thing over here. Or let's say person A is testing something here or has identified [00:41:30] risks in a specific area. Well, how does that impact somebody else on the team.
Abdullah Mansour: Oh sure. Yeah.
Sam Mansour: So they're connecting everything together. They're talking. They're working together. They're collaborative. As we discussed. That's what really makes them effective. And I think it significantly reduces the risk to the firm as a whole, because if our risk assessments aren't proper, our procedures are not going to be proper. And then we as a firm are at risk of of deficient audits. And that's just not a good place to be.
Abdullah Mansour: Yeah, [00:42:00] it seems like an obvious thing to do, but it seems like that's what would set them apart from the rest of the auditing firms, is what it sounds like, which totally makes sense. So cool. Well, final question here, Sam. How do you know you got it right?
Sam Mansour: So if your audit plan is tailored and not generic okay, so if you have a custom audit plan, I think that helps a lot because it shows that there's thought put into it. That's really, really important. So you're off [00:42:30] to a good start right there. Okay. Anytime you're quote unquote pencil whipping through checklists you should be worried. Okay, so if it's specific, if it's nice and slow, if it's if it's if it's thawed out. And you know what if you have to increase the budget for it to make sense for you, then maybe that's just what you have to do. Some audit firms will shrink the budget, charge low fees, be crunched on time, and just rush through these things. Okay, so make sure they're tailored. Make sure they're specific. If your team can explain their logic clearly without [00:43:00] hesitation, you've also done a good job. Because when you ask the team, hey, why did you come up with this? Hey, why did you document this? Hey, why did you test this? If they know what they're doing and they can say, yeah, we're doing it for this reason. And you know, you're then you know, you're doing pretty good. But if they just say, well, it's because what I was told to do or it's what we did last year, which was a common, common answer that could be a problem because now they're just out there checking boxes and they're not thinking through it. And then finally, uh, if a partner [00:43:30] or regulator can read your risk assessment and understand the The rationale. You've done a good job. So, you know, if they're just reading it and they're just seeing checkboxes and, you know, it's just it's just it's just it's just very templated, very dry.
Abdullah Mansour: Sure.
Sam Mansour: You don't really understand what's going on because there's not really like a narrative there. Um, that could be an issue. So they should be able to comfortably come in, look at this and say, okay, I feel comfortable, based on what they're saying in this risk assessment, that that this [00:44:00] is a low risk, medium risk, high risk client based on what they're saying in here.
Abdullah Mansour: Yeah. Cool. Well powerful stuff. Sam, thank you for another insight packed episode. And to our listeners, remember, the smarter your risk assessment, the smoother your audit. Catch us next time on episode three where we dive into the checklist trap. Why auditors stop thinking and how to snap out of it.