Performing a risk assessment is a crucial step in the internal audit of the revenue cycle. The focus is on identifying and evaluating the inherent risk—the susceptibility of an account or assertion to material misstatement assuming no related controls. Revenue-related accounts often carry high inherent risk due to pressures to meet financial targets and the complexity of revenue recognition rules.
-
Several factors influence the inherent risk of revenue-related misstatements:
-
Business Dynamics – High growth, aggressive sales strategies, or expansion into new markets can increase risk.
-
Revenue Recognition Complexity – Multi-element contracts, subscription models, or long-term projects often involve complex accounting judgments.
-
Volume and Nature of Transactions – High-volume environments (e.g., retail or e-commerce) increase the chance of errors and oversight.
-
Past Misstatements or Control Failures – History of errors or audit adjustments indicates higher risk.
-
Manual Processes and System Limitations – Reliance on spreadsheets or disconnected systems can create weak points in revenue recording.
-
-
Example: An internal auditor at a SaaS (Software as a Service) company reviews revenue risks and notes high complexity in recognizing revenue from bundled services and licenses. The company had a prior finding where all revenue was recognized upfront, violating ASC 606 guidelines. In addition, rapid international expansion led to inconsistent application of policies across regions. These factors elevated the inherent risk significantly.
-
The auditor evaluates the design and effectiveness of internal controls and determines the need for more extensive substantive testing. Risk indicators led to increased sample sizes and transaction-level testing of revenue recognition timing and classification.
-
Through effective risk assessment, the internal auditor focuses audit efforts where the likelihood and impact of misstatement are highest, thereby improving audit quality and protecting financial integrity.