Assessing and Responding to Risks in a Financial Statement Audit

Auditors must leave a clear record in private company audits.

The new audit risk standards require the auditor to understand and respond to risks of material misstatement, whether due to errors or fraud. In reaching that understanding, auditors should identify risks to the entity’s business and the controls in place to mitigate them.

These standards use the more sharply defined terms must, should and may from SAS no. 102, Defining Professional Requirements in Statements on Auditing Standards.

Because these standards address many issues at the core of auditing, they may significantly affect the formality of the risk assessment process and documentation of the assessment details, depending on how this has been done in the past.

Entities and auditors will maximize their effectiveness and efficiency if they carefully plan their responses to the new requirements. The documentation and assessment of controls over financial reporting is a good place for them to begin such efforts.

The AICPA is creating a number of educational products designed to help auditors implement the new standards.

John A. Fogarty, CPA, Auditing Standards Board chairman, is a partner of Deloitte and Touche LLP and a member of the International Auditing and Assurance Standards Board. His e-mail address is . Lynford Graham, CPA, PhD, CFE, is a consultant, recent former member of the ASB and Risk Assessment Standards Task Force and chair of the Risk Assessment and Risk Response Audit Guide Task Force; his e-mail address is . Darrel R. Schubert, CPA, is a partner in Ernst & Young LLP’s national professional practice and risk management group and was chair of the Risk Assessment Standards Task Force; his e-mail address is .

This is the first of two articles describing the requirements of—and implementation suggestions for—new guidance from the Auditing Standards Board (ASB). This article discusses the process of assessing risks and controls, leading to the concept of the risk of material misstatement. A subsequent JofA article will discuss how the auditor responds to the risk of material misstatement.

These eight standards (see exhibit 1 below, and “The New World of Auditing Standards,” JofA, May 06, page 59) are designed to help auditors plan and perform audit procedures that will address assessed risks, enhance the auditor’s response to audit risk and materiality, facilitate planning and supervision and clarify the concept of audit evidence.

Exhibit 1: The Audit Risk Standards

SAS no. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”)

SAS no. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards

SAS no. 106, Audit Evidence

SAS no. 107, Audit Risk and Materiality in Conducting an Audit

SAS no. 108, Planning and Supervision

SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

SAS no. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

SAS no. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling

The standards are designed to result in more effective audits as a result of better risk assessments and improved design and performance of audit procedures to respond to the risks. Auditors will be able to focus on those areas where the risk of misstatement is the greatest.

The new standards also clarify the phrase “sufficient knowledge of internal control to plan the audit” as used in the professional literature. A resulting benefit is that the auditor will have a better basis for determining the nature, timing and extent of further procedures and assessing potential fraud risks.

In addition, the standards emphasize the use of assertions to link the risks, controls, audit procedures and conclusions. Auditors can use this technique to determine whether audit procedures are responsive to identified risks. SAS no. 107 makes it clear that the overall objective of an audit is to provide reasonable assurance that the financial statements are free of material misstatement. The term reasonable assurance has been subject to varying interpretations, but has now been clarified by the ASB as meaning a high, although not absolute, level of audit assurance.

To ensure that management, those charged with governance and the auditor agree on what the audit will involve, SAS no. 108, Planning and Supervision, says that the auditor should have a written understanding with the client regarding the terms of the engagement (see “The Heart of the Matter,” below).

The Heart of the Matter

SAS no. 107, Audit Risk and Materiality in Conducting an Audit, makes clear that the overall objective of an audit is to provide reasonable assurance—a high, but not absolute level of assurance—that the financial statements are free of material misstatement.

SAS no. 108, Planning and Supervision, says that the auditor should have a written understanding with the client regarding the terms of the engagement.

In the performance of a GAAS audit, the auditor must assess materiality and audit risk. Although the concept of materiality relates to auditing, it is rooted in accounting and user needs. SAS no. 107, Audit Risk and Materiality in Conducting an Audit, identifies the user as having, among other attributes, a knowledge of business activities and of the limitations that materiality and estimation place on an audit and a willingness to study the financial statements. SAS no. 107 clarifies that when auditors assess materiality, they should consider the needs of users as a group, not just those of specific individuals.

While the standards do not suggest specific materiality benchmark percentages, they do suggest the common benchmarks of income, revenues and assets. For example, profit-oriented entities may use an income-based materiality. Forthcoming AICPA audit guides on risk assessment and audit sampling will provide more detailed information regarding the establishment of appropriate benchmarks.

Due to the possible aggregating effects of immaterial misstatements and the need to opine at a low risk, auditors should design procedures at the account- or stream-of-transactions level, using a test threshold that is lower than the overall materiality level.

This phase of the audit process is not just a planning tool, but an integral part of evidence gathering. Since risk assessment directs the auditor’s attention to issues that merit further consideration, it should be based on the inquiries, observations and audit evidence gathered by the auditor; this gathering and documentation of evidence is important. Generally, simple inquiries of management are an insufficient basis for this assessment. In addition, according to SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, risk assessment procedures alone are not a sufficient basis for rendering the audit opinion.

As part of the risk assessment process, the engagement team should hold a brainstorming session to consider the nature and magnitude of possible misstatement risks. This session may be combined with the brainstorming session on fraud risks required by SAS no. 99, Consideration of Fraud in a Financial Statement Audit. To meet this requirement, a sole practitioner might challenge himself or herself to be objective and critical when updating past risk assessments and documenting changes in the business environment.

While not intended as a checklist of all factors, appendix C to SAS no. 109 provides specific examples of risks for consideration. This list, plus other factors identified in the standards, may facilitate productive discussions during the brainstorming session. These factors have roots in business risks that in the past have led to audit issues.

It is expected that on every audit the auditor will identify one or more significant risks before considering related controls. For example, a significant inventory of precious metals or gems might be a significant risk in an audit of a jewelry business. In other businesses, such risks may arise due to unique transactions, adjustments or critical accruals, such as the estimation of highly subjective allowances. For significant risks, the auditor should (1) consider the design and implementation of related controls, (2) avoid reliance on analytical procedures alone and (3) rely on evidence gathered only in the current period for controls assurance.

By their nature, some risks may have especially pervasive effects on financial reporting. For example, one risk may be associated with the weak business background of those charged with governance (that is, the owners or a group such as the board of directors). This type of overall risk can affect many accounts and measures, but others relate more to specific accounts and assertions. For example, a risk of misstatement of inventory amounts due to obsolescence risk in a line of inventory products would be related to the valuation assertion for that account.

Both these types of risks—overall and assertion-based—may affect auditors’ actions and procedures, but in different ways. An overall audit risk might require a more experienced engagement team, while the obsolescence risk in inventory may require specific, directed procedures, such as a more detailed analysis of product demands and inventory turnover.

An important requirement in these standards is the need to link identified risks to relevant controls and to the audit actions designed to respond to these risks. Such a linkage helps the audit team determine whether the risks are addressed, assists in communication on the audit and helps reviewers, including peer reviewers, follow the implementation of the audit strategy.

In practice, simpler audits may accomplish this linkage through careful cross-referencing of audit documentation. For more complex situations, this linkage may be supplemented by a planning or engagement strategy memo or matrix.

In heightening the importance of using assertions to link risks, the standards also have revisited the assertions in the literature and expanded them to articulate presentation and disclosure issues. The specific assertions listed in SAS no. 106, Audit Evidence (see exhibit 2, below), do not have to be used if auditors employ assertions that are essentially equivalent.

Exhibit 2: SAS No. 106 Financial Statement Assertions

Transaction assertions: Occurrence; Completeness; Accuracy; Cutoff.

Balance assertions: Existence; Rights and obligations; Completeness; Valuation and allocation.

Presentation and disclosure assertions: Occurrence and rights and obligations; Completeness; Classification and understandability; Accuracy and valuation.

The auditor should have a basis for his or her assessment of controls, such as a review of the design of controls over significant accounts and assertions, and a confirmation they are in operation by a walk-through or observation. The auditor cannot default to a high control-risk assumption without performing the required elements of a controls assessment.

Additionally, without some assurance that the information in the accounting system is being generated properly, there is no basis to rely on analytical relationships of accounts or other financial data that are stored within the system.

Auditors should assess how all five components of internal control over financial reporting relate to the entity being audited (see the Committee of Sponsoring Organizations of the Treadway Commission’s [COSO] framework). This does not mean that auditors are required to test or rely on controls as part of their audit strategy, formerly referred to as the audit approach. But the auditor should assess the design of the controls and examine some evidence that the controls have been properly implemented on all audits.

Auditing standards focus on the controls over financial reporting, but COSO’s 1992 Internal Control—Integrated Framework also discusses regulation and operations. These other elements are relevant only if they affect financial reporting. For example, a failure to comply with regulatory requirements could affect contingencies or even the going concern assumption (see “COSO Framework—The Five Components”).

COSO Framework—The Five Components

How this requirement is implemented can have a significant effect on the entity’s costs, particularly in the first year. For example, an auditor might evaluate whether the internal controls achieve the COSO control objectives and consider the risks of what could go wrong if the controls were ineffective. This evaluation should relate objectives, risks and controls by assertion to determine that all these elements are synchronized. Only significant accounts and processes would generally be addressed using this analysis. For example, controls over major revenue and expense streams would be assessed for most entities, but those over treasury transactions might not be assessed in an entity where such transactions are infrequent, not material, and will be fully validated by substantive procedures.

Evidence that a control has been implemented can be obtained in a walk-through that follows transactions from their inception through the aggregation process in the ledger. Alternatively, such evidence of implementation can be obtained by observing the operation of a control at the various stages of the control process—for example, at a specific time or over one or more specific documents, or by examining the sign-off of a control operation that verifies the agreement of an invoice with a list of approved vendors.

Why and How Guidance Has Changed

The eight audit risk standards, SAS nos. 104–111, respond to the conclusions of the Joint Risk Assessments Task Force of the ASB and the International Auditing and Assurance Standards Board and to recommendations of the August 2000 report of the Panel on Audit Effectiveness of the Public Oversight Board and consider the results of “Developments in the Audit Methodologies of Large Accounting Firms,” a May 2000 study of audit practices in three countries.

These standards, originally exposed in December 2002, were re-exposed in 2005 after further refinement. They use the more sharply defined terms must, should and may from SAS no. 102, Defining Professional Requirements in Statements on Auditing Standards (see “Official Releases,” JofA, Mar. 06, page 94). The eight standards were published in “Official Releases,” JofA, May 06, page 112.

Smaller entities often have less formally documented controls. Also, in smaller entities it is easy to overlook the hands-on role some senior members of management may play in internal control, either in monitoring controls or in performing controls directly.

The use of control objectives or an equivalent, along with simple flowcharts that can be related to the objectives, often may provide more efficient documentation than narratives or complex flowcharts. Phasing in the development of efficient documentation today, prior to the effective date of the standards, can save audit time and expense (see “Control Objective Based Documentation,” below).

Control Objective Based Documentation

Control objective: Sales are valid.

Risk: Because of credit-card fraud, the transaction may not produce revenue.

Assertion: Occurrence: Did a valid sale occur?

Company controls: Pre-sale credit card validation is in place. Close monitoring of past defaults.

Auditor’s assessment: The control design is effective. A walk-through of procedures confirmed these controls are in place. Reference to other supporting workpapers (not illustrated).

COSO’s October 2005 draft report, Guidance for Smaller Public Companies: Reporting on Internal Controls over Financial Reporting, suggested that using control principles in conjunction with other subattributes can be an efficient documentation framework for smaller companies. Whether companies or auditors use the original COSO control objectives, or some variation at a higher level of aggregation of the objectives, the end result should be the same. The auditor should be able to identify control design gaps that could have significant consequences for the entity.

Simply using checklists of possible controls to identify design deficiencies or missing controls may be inefficient because they may incorrectly lead to the expectation that all controls on the list are needed to achieve the entity control objectives. Explaining how the entity achieves the relevant control objective and mitigates the related risk can make the documentation more effective and efficient.

Identified significant deficiencies and material weaknesses must be reported to management and those charged with governance. The ASB recently approved SAS no. 112, Communicating Internal Control Related Matters Identified in an Audit (see “Official Releases,” page 97), a revision of SAS no. 60, Communication of Internal Control Related Matters Noted in an Audit, to define the auditor’s responsibility to do this.

Because of the need to assess controls, including information technology (IT) general controls, some auditors may need to engage a specialist to assist in the assessment process, especially when the IT environment is complex or the auditor expects to rely on automated controls and has limited resources to address the issues. When the auditor’s strategy is to significantly rely on some or all of the entity’s controls, they should be tested. The next article on this topic will discuss testing controls more fully.

The minimum design and implementation work can provide some basis for varying the nature, timing and extent of the procedures planned. That is because the procedures that confirm implementation also may provide some evidence of operating effectiveness at the time the test is conducted. For example, some auditors refer to a walk-through as a test of one that—if it is the only evidence gathered—is a minimal basis for any reliance. However, the assurance that can be placed on controls is a continuum based on the evidence that was gathered to support the assessment that controls are operating effectively.

The requirement to assess controls for audit purposes should not be confused with the attest service of reporting on internal controls. Such engagements would likely involve the assessment of controls over more processes and accounts, assume a significantly greater amount of documentation of controls by the entity and require testing by the auditor when opining on effectiveness.

Practical Tips
Study the concepts of the COSO internal control framework now and be familiar with its components and how it applies to clients.

If you have another audit cycle between now and the effective date of these standards, consider control risks more thoroughly and the documentation that will be necessary to support your audit under the new standards.

Be alert for the “smaller companies” guidance expected to be forthcoming from the COSO project in the second quarter of this year. Identify cost- and effort-saving opportunities to apply this guidance and assist clients in strengthening controls.

Consider whether the audit has addressed all of the relevant assertions for all important accounts and transaction streams. Pay attention to any practice aids that employ assertions, and learn how they can be used to build a link between the risks and audit procedures.

Start now to build “assertions-based” terminology into engagement team discussions to generate familiarity.

The risk of material misstatement is the combination of the assessments of risks and related controls. Auditors may assess these two risks together or separately, although, for practical reasons, the components often are assessed separately. The risk of material misstatement forms the theoretical starting point for designing further audit procedures, including tests of controls, analytical procedures and tests of details.

The AICPA is creating a number of educational products to help auditors implement the new standards, including a recently issued audit risk alert, Understanding the New Auditing Standards Related to Risk Assessment, and an audit guide, as well as presentations and discussions on the topic at a number of AICPA conferences and new CPE courses.

A second article on this topic will discuss designing further audit procedures, the process of summarizing audit results and drawing conclusions.

Auditor's Risk Assessment Process: Tackling the New Risk Assessment SASs (text, # 732990JA; DVD/manual #182990JA).

Risk Assessment Suite of Standards (paperback, # 060704JA).

Codification of Statements on Auditing Standards (paperback, # 057200JA).

Audit Risk Alert, Understanding the New Auditing Standards Related to Risk Assessment (paperback, # 022526JA).

Risk Assessment Standards & Guidance Set (paperback, # 990103HIJA).

For more information or to place an order, go to or call 888-777-7077.

Web site: Summary of the eight audit risk assessment standards, SAS nos. 104–111.
