
    Risk Assessment in Auditing: 5 Essential Gaps in Small Firm Practice

    Risk assessment in auditing is where audit quality is won or lost. Here are 5 areas small CPA firms consistently underestimate, from the SAS 145 spectrum of inherent risk to management override in owner-managed clients.

    Yash Patel Jun 23, 2026 9 min read

    Risk Assessment in Auditing: Where Small Firm Audit Quality Is Actually Won or Lost

    Risk assessment in auditing is the phase that determines everything downstream: what you test, how much you test it, and whether your final opinion is defensible. At BusAcTa Advisors, we support audit documentation and workpaper preparation for your CPA firm's small and mid-size private-company audit engagements, and the quality gaps we see most consistently in your files don't appear in sampling selections or confirmations. They appear in the risk assessment. Specifically, they appear in five areas that small firm auditors systematically underweight, whether because of time pressure, client familiarity, or an incomplete absorption of SAS 145's changes to how risk must now be identified and documented.

    The SAS 145 audit risk assessment requirements changed the documentation standard significantly. This isn't a critique of small firm auditors. The risk assessment phase under AU-C 315, as revised by SAS 145 and effective for periods ending on or after December 15, 2023 (see the AICPA AU-C 315 revised standard), is genuinely more demanding than the prior version. The spectrum of inherent risk concept alone changes how auditors must think about and document risk at the assertion level. The firms doing this well have built the AU-C 315 risk assessment into their structured intake and planning process. The ones doing it inconsistently are treating it as something that happens after their fieldwork planning is already done.

    1. Underestimating the Spectrum of Inherent Risk Under SAS 145

    The most consequential change in SAS 145 is the inherent risk assessment requirement called the spectrum of inherent risk: auditors must assess not just whether a risk of material misstatement exists, but where on a continuum from low to high that risk sits, and why. This replaces the binary significant/not-significant framing that many small firm auditors used under the prior standard.

    What this means in practice:

    • Assertion-level risk must be documented at greater granularity. SAS 145 requires auditors to assess inherent risk factors (complexity, subjectivity, change, uncertainty, susceptibility to management bias or fraud) for each significant class of transactions, account balance, and disclosure. The assessment must be documented, not simply carried forward from last year's file.

    • Significant risks now require explicit identification of why they are significant. Auditors can no longer document a risk as significant without identifying which inherent risk factors drive that conclusion. The factor-to-risk linkage needs to be in the workpapers.

    • Controls cannot compensate for a higher inherent risk assessment without documented testing. If your team assesses inherent risk in the higher range of the spectrum and also plans to rely on controls, the reliance must be supported by controls testing. A high-spectrum inherent risk paired with a planned low detection risk that rests on assumed but untested control effectiveness is exactly the documentation gap SAS 145 was designed to close.

    Most small firm auditors understand the direction of SAS 145's changes. Fewer have rebuilt their audit programs to reflect them at the workpaper level. Does your firm's risk assessment template explicitly capture your team's inherent risk factor ratings by assertion, or does it still use a binary significant/not-significant checkbox?

    2. Treating Management Override as a Checkbox Rather Than an Active Threat

    AU-C 240 identifies management override as a presumed significant risk on every audit, meaning it requires a response regardless of the auditor's assessment of inherent or control risk at the entity level. Small firms auditing owner-managed businesses often treat this as a form checkbox rather than a genuine inquiry into where the financial statements are most susceptible to management-directed misstatement.

    In your client's owner-managed private company, the concentration of authority in a single person or a small group creates a specific set of management override risk patterns your team should be evaluating actively:

    • Journal entry review for unusual entries near period-end. The fraud risk assessment AU-C 240 requires includes testing of journal entries, with particular attention to entries that lack standard descriptions, are posted by individuals who don't normally post, or are made near period-end to accounts that affect revenue or key ratios. Many small firm audit programs include this step, but the population is often defined too narrowly, excluding adjusting entries, reversing entries, or entries posted directly to retained earnings.

    • Estimates with high subjectivity in owner-managed contexts. Accounting estimates (useful lives, allowances, fair values) are the most common vehicle for management-influenced misstatement in private companies. Your team's assessment of estimate bias should explicitly ask whether their estimate has moved in a direction that benefits the owner, whether that direction is consistent with the underlying business conditions, and whether prior-period estimates were accurate.

    • Related-party transactions initiated, authorized, and recorded by the same person. In an owner-managed entity, a single individual may initiate a loan from a related party, approve the terms, and record the liability. No segregation of duties exists between initiation and recording. This concentration of control over your client's related-party transactions is a specific management override risk your team needs to document rather than absorb into the general control environment assessment.
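    The journal entry screening criteria above, turned into a small selection routine. This is an added example, not code from the original article or from BusAcTa; the entry fields, account names, poster list and sample entries are constructed assumptions standing in for a general ledger export, and the population deliberately keeps adjusting and reversing entries in scope.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample journal entries (not client data). Field names are
# assumptions that mirror what a cloud accounting GL export typically exposes.
@dataclass
class JournalEntry:
    je_id: str
    posted_on: date
    posted_by: str
    account: str
    amount: float
    description: str
    entry_type: str  # "standard", "adjusting" or "reversing"; all stay in scope

PERIOD_END = date(2025, 12, 31)
NEAR_PERIOD_END_DAYS = 5            # assumed window on either side of period-end
REVENUE_ACCOUNTS = {"4000 Sales", "4100 Service Revenue"}
EQUITY_ACCOUNTS = {"3900 Retained Earnings"}
ROUTINE_POSTERS = {"ap_clerk", "ar_clerk"}   # people who normally post entries
MIN_DESCRIPTION_LEN = 10            # shorter than this counts as non-standard

SAMPLE_ENTRIES = [  # constructed
    JournalEntry("JE-101", date(2025, 11, 3), "ap_clerk", "5000 COGS",
                 1200.0, "Vendor inv 4471 Acme Supply", "standard"),
    JournalEntry("JE-205", date(2025, 12, 30), "owner", "4000 Sales",
                 48000.0, "adj", "adjusting"),
    JournalEntry("JE-206", date(2026, 1, 2), "controller", "3900 Retained Earnings",
                 15000.0, "Reclass per owner", "standard"),
    JournalEntry("JE-207", date(2025, 12, 12), "ar_clerk", "4100 Service Revenue",
                 900.0, "Dec service billing batch 12", "standard"),
]

def flag_entry(je: JournalEntry) -> list:
    """Return the AU-C 240 style red flags that apply to one entry."""
    flags = []
    if len(je.description.strip()) < MIN_DESCRIPTION_LEN:
        flags.append("non-standard description")
    if je.posted_by not in ROUTINE_POSTERS:
        flags.append(f"posted by non-routine user {je.posted_by}")
    near_end = abs((je.posted_on - PERIOD_END).days) <= NEAR_PERIOD_END_DAYS
    if near_end and je.account in REVENUE_ACCOUNTS:
        flags.append("near period-end to revenue account")
    if je.account in EQUITY_ACCOUNTS:
        flags.append("posted directly to retained earnings")
    return flags

def select_for_testing(entries) -> dict:
    """Map entry id -> flags for every entry that has at least one flag."""
    selected = {}
    for je in entries:
        flags = flag_entry(je)
        if flags:
            selected[je.je_id] = flags
    return selected

if __name__ == "__main__":
    for je_id, flags in select_for_testing(SAMPLE_ENTRIES).items():
        print(je_id, "->", "; ".join(flags))
```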

    Management override risk doesn't correlate with client size or industry. It correlates with the concentration of authority over financial reporting. A $3 million revenue owner-managed distributor carries the same categorical management override risk as a $50 million revenue company. Small firm auditors who calibrate their management override procedures based on client size are systematically under-responding to AU-C 240.

    3. Underassessing IT General Controls in Cloud-Accounting Environments

    SAS 145 introduced specific requirements around the understanding and documentation of IT general controls (ITGCs) that many small firm auditors haven't fully worked through for clients using cloud-based accounting platforms like QuickBooks Online, Xero, or Sage Intacct. The standard requires auditors to understand the IT environment, including automated controls and the IT general controls that affect those automated controls.

    Three IT general controls that small firm audit teams consistently underassess, and that should be assessed and documented on every private-company audit engagement:

    • User access and privilege management in the client's accounting platform. Who has full administrative access in your client's QBO or Xero? Are terminated employees still active in the system? Do multiple individuals share login credentials? These are IT general control weaknesses that affect the reliability of every automated control and report generated from the platform. If your client's IT environment has significant user-access weaknesses, your team's reliance on their system-generated data as audit evidence needs to be reconsidered.

    • Change management over system configurations. When your client's chart of accounts, revenue recognition rules, or period-close settings are changed in the accounting software, who authorizes those changes and who implements them? In many small businesses, the same person does both. Your team should document who controls your client's system configuration and whether changes to financially significant settings are logged and reviewed.

    • Data integrity between the accounting system and source documents. If your client uploads bank transactions via feed or imports data from a point-of-sale system, your team needs to understand how that data is validated before it enters the general ledger. Data integrity failures between source and system are an underrecognized risk in cloud-accounting environments.
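    A user-access review applying the questions from the first bullet above (who holds full administrative access, whether terminated employees are still active, and whether logins are shared). This is an added example, not code from the original article or from any accounting platform; the user export, HR roster and the mapping of each login to the people known to use it are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample exports (not client data). Field names are assumptions,
# not any vendor's schema.
@dataclass
class PlatformUser:
    login: str
    role: str              # e.g. "admin", "standard", "reports_only"
    active: bool
    known_users: tuple     # people who use this login, per HR/inquiry (assumed)

@dataclass
class Employee:
    name: str
    terminated_on: Optional[date]

PLATFORM_USERS = [  # constructed accounting-platform user export
    PlatformUser("owner@example.test", "admin", True, ("Owner",)),
    PlatformUser("books@example.test", "admin", True, ("Controller", "AP Clerk")),
    PlatformUser("jdoe@example.test", "standard", True, ("J. Doe",)),
    PlatformUser("cpa@example.test", "reports_only", True, ("External CPA",)),
]

HR_ROSTER = [  # constructed HR roster
    Employee("Owner", None),
    Employee("Controller", None),
    Employee("AP Clerk", None),
    Employee("J. Doe", date(2025, 9, 30)),
]

def review_user_access(users, roster, as_of: date) -> list:
    """Return (finding_type, detail) tuples for the ITGC weaknesses named above."""
    terminated = {e.name for e in roster
                  if e.terminated_on is not None and e.terminated_on <= as_of}
    findings = []
    admins = tuple(u.login for u in users if u.active and u.role == "admin")
    if len(admins) > 1:
        findings.append(("multiple_admins", admins))
    for u in users:
        if not u.active:
            continue
        if set(u.known_users) & terminated:
            findings.append(("terminated_still_active", u.login))
        if len(u.known_users) > 1:
            findings.append(("shared_credential", u.login))
    return findings

def reliance_on_system_data_at_risk(findings) -> bool:
    """Per the article: access weaknesses undermine reliance on system-generated evidence."""
    return any(kind in {"terminated_still_active", "shared_credential"}
               for kind, _ in findings)

if __name__ == "__main__":
    found = review_user_access(PLATFORM_USERS, HR_ROSTER, date(2025, 12, 31))
    for kind, detail in found:
        print(kind, detail)
    print("reconsider reliance on system data:", reliance_on_system_data_at_risk(found))
```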

    4. Scoping Related-Party Transactions Too Narrowly

    Related-party transactions are a known audit risk under AU-C 550, which requires auditors to obtain an understanding of the entity's related-party relationships and transactions sufficient to be able to identify, assess, and respond to the risks of material misstatement. In practice, your team may scope this to the entities identified on your client's representation letter and the disclosures from the prior year. That's not sufficient.

    The most significant related-party misstatements in private-company audits arise from transactions with parties that aren't on the standard representation letter: entities controlled by family members of the owner, informal arrangements with former employees who are now vendors, or real estate held in a separate LLC that leases to the operating company. Your team needs to approach related-party identification as active inquiry, not passive receipt of management's list.

    Two steps your team should build into every risk assessment for a private-company audit:

    1. Cross-reference significant vendors and payees against owner, family, and officer registrations. A quick check of state business registration databases for significant vendor names against the names of your client's owners, family members listed in their tax return, and key officers is a low-cost way to surface undisclosed related parties. Most small firm teams skip this because it's not in their standard planning program.

    2. Ask specifically about beneficial ownership and side arrangements. Your risk assessment should include a specific inquiry into whether any vendor, customer, or lender has a beneficial ownership connection to the entity's owners or management, even if the legal entity relationship doesn't show up in a standard related-party search. The best related-party frauds are structured to avoid obvious detection.

    5. Letting Familiarity Erode Professional Skepticism on Recurring Engagements

    The familiarity threat is one of the most well-documented quality risks in auditing and one of the least well-managed in small firm practice. When your team has audited your client for five or ten years, the risk assessment tends to get shorter, the documentation more templated, and the risk conclusions more likely to match their prior-year file.

    Professional skepticism requires that auditors neither assume management is honest nor assume they are dishonest. On a recurring engagement, the operational tendency is to assume last year's conclusions were correct and this year's audit is primarily about confirming that nothing changed. That assumption is a skepticism failure, not a planning efficiency. The risk assessment on year eight of a recurring engagement should be substantively reconsidered, not rolled forward.

    Three disciplines your firm should enforce to protect skepticism on recurring engagements:

    • Mandatory reconsideration of significant risks at every planning meeting. Require your engagement team to articulate, in the planning workpapers, why each prior-year significant risk is still significant, and whether any new risks have emerged. "Same as prior year" is not a documented reconsideration; it's a rollforward.

    • Rotation of inquiry recipients. If your team always gets management representations from the same controller who has been there for eight years, consider whether those inquiries are genuinely probing for new information or are simply confirming what both parties already expect to hear. Directing inquiries to operational personnel, board members, or accounts payable staff on a rotating basis surfaces information the standard planning inquiries miss.

    • Engagement partner challenge of assessment conclusions. A brief partner-level challenge session, in which the engagement manager defends the risk assessment conclusions against a skeptical reviewer, is the most direct corrective to familiarity-driven risk underassessment. Your firm doesn't need a formal cold review to get most of the quality benefit; a 30-minute structured challenge before fieldwork begins is sufficient for most small-company engagements.

    You can see how we support audit documentation and risk assessment workpaper preparation on the how it works page. Our offshore accounting service includes audit support workflows covering planning documentation, risk assessment templates aligned to SAS 145, and workpaper cross-referencing for small firm engagements. Our quality control framework applies the same reconsideration discipline to every engagement we support. For firms building or rebuilding their risk assessment process under SAS 145, our advisory service can run a gap analysis of your current audit programs against the AU-C 315 revised requirements.

    Building Risk Assessment That Holds Up Under Review

    Audit quality, including risk assessment in auditing specifically, isn't primarily a staffing problem or a technology problem at small CPA firms. It's a risk assessment problem. The five areas above (the SAS 145 spectrum of inherent risk, management override on owner-managed engagements, IT general controls in cloud environments, related-party transaction scoping, and familiarity erosion on recurring files) are where the quality gaps consistently appear, and where the investment in better process pays off most directly in defensible workpapers and reduced review findings.

    If you'd like to discuss how we support risk assessment in auditing documentation for CPA partners' private-company audit engagements, book a scoping call with BusAcTa Advisors, and we'll walk through the planning workflow before you commit to anything.

    Written by Yash Patel, Head of Department, Accounts

    Yash Patel is Head of Accounts at BusAcTa, where he leads bookkeeping, reconciliation, accounting, and financial reporting services for U.S. CPA firms. He sets technical standards for the accounts team, owns the review process, and drives continuous improvement through refined SOPs and structured checklists across QuickBooks, Xero, and other accounting platforms.
