EXECUTIVE SUMMARY

The new audit risk standards require the auditor to understand and respond to risks of material misstatement, whether due to errors or fraud. In reaching that understanding, auditors should identify risks to the entity’s business and the controls in place to mitigate them.

These standards use the more sharply defined terms must, should and may from SAS no. 102, Defining Professional Requirements in Statements on Auditing Standards.

Because these standards address many issues at the core of auditing, they may significantly affect the formality of the risk assessment process and documentation of the assessment details, depending on how this has been done in the past.

Entities and auditors will maximize their effectiveness and efficiency if they carefully plan their responses to the new requirements. The documentation and assessment of controls over financial reporting is a good place for them to begin such efforts.

The AICPA is creating a number of educational products designed to help auditors implement the new standards.

John A. Fogarty, CPA, Auditing Standards Board chairman, is a partner of Deloitte and Touche LLP and a member of the International Auditing and Assurance Standards Board. His e-mail address is jfogarty@deloitte.com.

Lynford Graham, CPA, PhD, CFE, is a consultant, recent former member of the ASB and Risk Assessment Standards Task Force and chair of the Risk Assessment and Risk Response Audit Guide Task Force; his e-mail address is LgrahamCPA@verizon.net.

Darrel R. Schubert, CPA, is a partner in Ernst & Young LLP’s national professional practice and risk management group and was chair of the Risk Assessment Standards Task Force; his e-mail address is darrel.schubert@ey.com.
This is the first of two articles describing the requirements of—and implementation suggestions for—new guidance from the Auditing Standards Board (ASB). This article discusses the process of assessing risks and controls, leading to the concept of the risk of material misstatement. A subsequent JofA article will discuss how the auditor responds to the risk of material misstatement.

These eight standards (see exhibit 1 below, and “The New World of Auditing Standards,” JofA, May06, page 59) are designed to help auditors plan and perform audit procedures that will address assessed risks, enhance the auditor’s response to audit risk and materiality, facilitate planning and supervision and clarify the concept of audit evidence.
Exhibit 1: The Audit Risk Standards

SAS no. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”)

SAS no. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards

SAS no. 106, Audit Evidence

SAS no. 107, Audit Risk and Materiality in Conducting an Audit

SAS no. 108, Planning and Supervision

SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

SAS no. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

SAS no. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
EXPECTED BENEFITS OF THE STANDARDS

The standards are designed to result in more effective audits as a result of better risk assessments and improved design and performance of audit procedures to respond to the risks. Auditors will be able to focus on those areas where the risk of misstatement is the greatest.

The new standards also clarify the phrase “sufficient knowledge of internal control to plan the audit” as used in the professional literature. A resulting benefit is that the auditor will have a better basis for determining the nature, timing and extent of further procedures and assessing potential fraud risks.

In addition, the standards emphasize the use of assertions to link the risks, controls, audit procedures and conclusions. Auditors can use this technique to determine whether audit procedures are responsive to identified risks.

SAS no. 107 makes it clear that the overall objective of an audit is to provide reasonable assurance that the financial statements are free of material misstatement. The term reasonable assurance has been subject to varying interpretations, but has now been clarified by the ASB as meaning a high, although not absolute, level of audit assurance.

To ensure that management, those charged with governance and the auditor agree on what the audit will involve, SAS no. 108, Planning and Supervision, says that the auditor should have a written understanding with the client regarding the terms of the engagement (see “The Heart of the Matter,” below).
The Heart of the Matter

SAS no. 107, Audit Risk and Materiality in Conducting an Audit, makes clear that the overall objective of an audit is to provide reasonable assurance—a high, but not absolute level of assurance—that the financial statements are free of material misstatement.

SAS no. 108, Planning and Supervision, says that the auditor should have a written understanding with the client regarding the terms of the engagement.
MATERIALITY

In the performance of a GAAS audit, the auditor must assess materiality and audit risk. Although the concept of materiality relates to auditing, it is rooted in accounting and user needs. SAS no. 107, Audit Risk and Materiality in Conducting an Audit, identifies the user as having, among other attributes, a knowledge of business activities and of the limitations that materiality and estimation place on an audit and a willingness to study the financial statements. SAS no. 107 clarifies that when auditors assess materiality, they should consider the needs of users as a group, not just those of specific individuals.

While the standards do not suggest specific materiality benchmark percentages, they do suggest the common benchmarks of income, revenues and assets. For example, profit-oriented entities may use an income-based materiality. Forthcoming AICPA audit guides on risk assessment and audit sampling will provide more detailed information regarding the establishment of appropriate benchmarks.

Due to the possible aggregating effects of immaterial misstatements and the need to opine at a low risk, auditors should design procedures at the account- or stream-of-transactions level, using a test threshold that is lower than the overall materiality level.
RISK ASSESSMENT

This phase of the audit process is not just a planning tool, but an integral part of evidence gathering. Since risk assessment directs the auditor’s attention to issues that merit further consideration, it should be based on the inquiries, observations and audit evidence gathered by the auditor; this gathering and documentation of evidence is important. Generally, simple inquiries of management are an insufficient basis for this assessment. In addition, according to SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, risk assessment procedures alone are not a sufficient basis for rendering the audit opinion.

As part of the risk assessment process, the engagement team should hold a brainstorming session to consider the nature and magnitude of possible misstatement risks. This session may be combined with the brainstorming session on fraud risks required by SAS no. 99, Consideration of Fraud in a Financial Statement Audit. To meet this requirement, a sole practitioner might challenge himself or herself to be objective and critical when updating past risk assessments and documenting changes in the business environment.

While not intended as a checklist of all factors, appendix C to SAS no. 109 provides specific examples of risks for consideration. This list, plus other factors identified in the standards, may facilitate productive discussions during the brainstorming session. These factors have roots in business risks that in the past have led to audit issues.

It is expected that on every audit the auditor will identify one or more significant risks before considering related controls. For example, a significant inventory of precious metals or gems might be a significant risk in an audit of a jewelry business. In other businesses, such risks may arise due to unique transactions, adjustments or critical accruals, such as the estimation of highly subjective allowances. For significant risks, the auditor should (1) consider the design and implementation of related controls, (2) avoid reliance on analytical procedures alone and (3) rely on evidence gathered only in the current period for controls assurance.

By their nature, some risks may have especially pervasive effects on financial reporting. For example, one risk may be associated with the weak business background of those charged with governance (that is, the owners or a group such as the board of directors). This type of overall risk can affect many accounts and measures, but others relate more to specific accounts and assertions. For example, a risk of misstatement of inventory amounts due to obsolescence risk in a line of inventory products would be related to the valuation assertion for that account.

Both these types of risks—overall and assertion-based—may affect auditors’ actions and procedures, but in different ways. An overall audit risk might require a more experienced engagement team, while the obsolescence risk in inventory may require specific, directed procedures, such as a more detailed analysis of product demands and inventory turnover.
LINKING RISKS AND PROCEDURES

An important requirement in these standards is the need to link identified risks to relevant controls and to the audit actions designed to respond to these risks. Such a linkage helps the audit team determine whether the risks are addressed, assists in communication on the audit and helps reviewers, including peer reviewers, follow the implementation of the audit strategy.

In practice, simpler audits may accomplish this linkage through careful cross-referencing of audit documentation. For more complex situations, this linkage may be supplemented by a planning or engagement strategy memo or matrix.

In heightening the importance of using assertions to link risks, the standards also have revisited the assertions in the literature and expanded them to articulate presentation and disclosure issues. The specific assertions listed in SAS no. 106, Audit Evidence (see exhibit 2, below), do not have to be used if auditors employ assertions that are essentially equivalent.
Exhibit 2: SAS No. 106 Financial Statement Assertions

| Transaction | Balance | Presentation and disclosure |
|---|---|---|
| Occurrence | Existence | Occurrence and rights and obligations |
| Completeness | Rights and obligations | Completeness |
| Accuracy | Completeness | Classification and understandability |
| Cutoff | Valuation and allocation | Accuracy and valuation |
| Classification | — | — |
INTERNAL CONTROLS

The auditor should have a basis for his or her assessment of controls, such as a review of the design of controls over significant accounts and assertions, and a confirmation they are in operation by a walk-through or observation. The auditor cannot default to a high control-risk assumption without performing the required elements of a controls assessment. Additionally, without some assurance that the information in the accounting system is being generated properly, there is no basis to rely on analytical relationships of accounts or other financial data that are stored within the system.

Auditors should assess how all five components of internal control over financial reporting relate to the entity being audited (see the Committee on Sponsoring Organizations of the Treadway Commission’s [COSO] framework; www.coso.org/key.htm). This does not mean that auditors are required to test or rely on controls as part of their audit strategy, formerly referred to as the audit approach. But the auditor should assess the design of the controls and examine some evidence that the controls have been properly implemented on all audits.

Auditing standards focus on the controls over financial reporting, but COSO’s 1992 Internal Control––Integrated Framework (www.coso.org/publications/executive_summary_integrated_framework.htm) also discusses regulation and operations. These other elements are relevant only if they affect financial reporting. For example, a failure to comply with regulatory requirements could affect contingencies or even the going concern assumption (see “COSO Framework—The Five Components”).

[Figure: COSO Framework—The Five Components]

How this requirement is implemented can have a significant effect on the entity’s costs, particularly in the first year. For example, an auditor might evaluate whether the internal controls achieve the COSO control objectives and consider the risks of what could go wrong if the controls were ineffective. This evaluation should relate objectives, risks and controls by assertion to determine that all these elements are synchronized. Only significant accounts and processes would generally be addressed using this analysis. For example, controls over major revenue and expense streams would be assessed for most entities, but those over treasury transactions might not be assessed in an entity where such transactions are infrequent, not material, and will be fully validated by substantive procedures.

Evidence that a control has been implemented can be obtained in a walk-through that follows transactions from their inception through the aggregation process in the ledger. Alternatively, such evidence of implementation can be obtained by observing the operation of a control at the various stages of the control process—for example, at a specific time or over one or more specific documents, or by examining the sign-off of a control operation that verifies the agreement of an invoice with a list of approved vendors.
Why and How Guidance Has Changed

The eight audit risk standards, SAS nos. 104–111, respond to the conclusions of the Joint Risk Assessments Task Force of the ASB and the International Auditing and Assurance Standards Board and to recommendations of the August 2000 report of the Panel on Audit Effectiveness of the Public Oversight Board and consider the results of “Developments in the Audit Methodologies of Large Accounting Firms,” a May 2000 study of audit practices in three countries. These standards, originally exposed in December 2002, were re-exposed in 2005 after further refinement. They use the more sharply defined terms must, should and may from SAS no. 102, Defining Professional Requirements in Statements on Auditing Standards (see “Official Releases,” JofA, Mar.06, page 94). The eight standards were published in “Official Releases,” JofA, May06, page 112.
Smaller entities often have less formally documented controls. Also, in smaller entities it is easy to overlook the hands-on role some senior members of management may play in internal control, either in monitoring controls or in performing controls directly.

The use of control objectives or an equivalent, along with simple flowcharts that can be related to the objectives, often may provide more efficient documentation than narratives or complex flowcharts. Phasing in the development of efficient documentation today, prior to the effective date of the standards, can save audit time and expense (see “Control Objective Based Documentation,” below).

COSO’s October 2005 draft report, Guidance for Smaller Public Companies: Reporting on Internal Controls over Financial Reporting, suggested that using control principles in conjunction with other subattributes can be an efficient documentation framework for smaller companies. Whether companies or auditors use the original COSO control objectives, or some variation at a higher level of aggregation of the objectives, the end result should be the same. The auditor should be able to identify control design gaps that could have significant consequences for the entity.

Simply using checklists of possible controls to identify design deficiencies or missing controls may be inefficient because they may incorrectly lead to the expectation that all controls on the list are needed to achieve the entity control objectives. Explaining how the entity achieves the relevant control objective and mitigates the related risk can make the documentation more effective and efficient.

Identified significant deficiencies and material weaknesses must be reported to management and those charged with governance. The ASB recently approved SAS no. 112, Communicating Internal Control Related Matters Identified in an Audit (see Official Releases, page 97), a revision of SAS no. 60, Communication of Internal Control Related Matters Noted in an Audit, to define the auditor’s responsibility to do this.

Because of the need to assess controls, including information technology (IT) general controls, some auditors may need to engage a specialist to assist in the assessment process, especially when the IT environment is complex or the auditor expects to rely on automated controls and has limited resources to address the issues.

When the auditor’s strategy is to significantly rely on some or all of the entity’s controls, they should be tested. The next article on this topic will discuss testing controls more fully.

The minimum design and implementation work can provide some basis for varying the nature, timing and extent of the procedures planned. That is because the procedures that confirm implementation also may provide some evidence of operating effectiveness at the time the test is conducted. For example, some auditors refer to a walk-through as a test of one that—if it is the only evidence gathered—is a minimal basis for any reliance. However, the assurance that can be placed on controls is a continuum based on the evidence that was gathered to support the assessment that controls are operating effectively.

The requirement to assess controls for audit purposes should not be confused with the attest service of reporting on internal controls. Such engagements would likely involve the assessment of controls over more processes and accounts, assume a significantly greater amount of documentation of controls by the entity and require testing by the auditor when opining on effectiveness.
Study the concepts of the COSO internal control framework now and be familiar with its components and how it applies to clients.

If you have another audit cycle between now and the effective date of these standards, consider control risks more thoroughly and the documentation that will be necessary to support your audit under the new standards.

Be alert for the “smaller companies” guidance expected to be forthcoming from the COSO project in the second quarter of this year. Identify cost- and effort-saving opportunities to apply this guidance and assist clients in strengthening controls.

Consider whether the audit has addressed all of the relevant assertions for all important accounts and transaction streams. Pay attention to any practice aids that employ assertions, and learn how they can be used to build a link between the risks and audit procedures.

Start now to build “assertions-based” terminology into engagement team discussions to generate familiarity.
RISK OF MATERIAL MISSTATEMENT

This is the combination of the assessments of risks and related controls. Auditors may assess these two risks together or separately, although, for practical reasons, the components often are assessed separately. The risk of material misstatement forms the theoretical starting point for designing further audit procedures including tests of controls, analytical procedures and tests of details.

WHAT'S NEXT

The AICPA is creating a number of educational products to help auditors implement the new standards, including a recently issued audit risk alert, Understanding the New Auditing Standards Related to Risk Assessment, and an audit guide, as well as presentations and discussions on the topic at a number of AICPA conferences and new CPE courses. A second article on this topic will discuss designing further audit procedures, the process of summarizing audit results and drawing conclusions.
AICPA RESOURCES

CPE

Auditor's Risk Assessment Process: Tackling the New Risk Assessment SASs (text, # 732990JA; DVD/manual # 182990JA).

Publications

Risk Assessment Suite of Standards (paperback, # 060704JA).

Codification of Statements on Auditing Standards (paperback, # 057200JA).

Audit Risk Alert, Understanding the New Auditing Standards Related to Risk Assessment (paperback, # 022526JA).

Risk Assessment Standards & Guidance Set (paperback, # 990103HIJA).

For more information or to place an order, go to www.cpa2biz.com or call 888-777-7077.

Web site

Summary of the eight audit risk assessment standards, SAS nos. 104–111, www.aicpa.org/risk.