EXECUTIVE
SUMMARY | The Auditing
Standards Board issued eight
standards with new guidance for auditors
assessing risks and controls in financial
statement audits. Auditors must consider
risk and also determine a materiality
level for the financial statements taken
as a whole.
Auditors are
required to obtain a
sufficient understanding of the entity
and its environment, including its
internal control, to assess the risk of
material misstatement.
Auditors must
develop audit plans in which
they document the audit procedures that
are expected to reduce the audit risks
to acceptably low levels.
To rely on the
effectiveness of company
internal controls, the auditor should
test the controls, but only after
assessing that the design is effective.
The auditor may
rely on control tests and
other evidence from prior audits when
the audit evidence and related subject
matter have not changed.
At the end of an
audit, the auditor must
evaluate whether the financial
statements taken as a whole are free of
material misstatements. The auditor must
accumulate all the known and likely
misstatements, other than trivial ones,
and communicate them to the appropriate
level of management.
In assessing
deficiencies of internal
controls to identify the severity, the
auditor should focus on issues such as
inadequate documentation and unqualified
employees who lack the skills to make
the required GAAP accounting
computations, accruals or estimates, or
to prepare the company financial
statements.
John A. Fogarty
, CPA, is a partner of Deloitte and
Touche, LLP, a past chairman of the
Auditing Standards Board (ASB) and a
member of the International Auditing
and Assurance Standards Board. His
e-mail address is
jfogarty@deloitte.com
.
Lynford Graham,
CPA, PhD, CFE, is a consultant,
recent former member of the ASB and
Risk Assessment Standards Task Force
and chair of the Risk Assessment and
Risk Response Audit Guide Task Force.
His e-mail address is
lgrahamcpa@verizon.net
.
Darrel R. Schubert,
CPA, current member of the ASB, is a
partner in Ernst & Young LLP’s
national professional practice and
risk management group and was chair of
the Risk Assessment Standards Task
Force. His e-mail address is
darrel.schubert@ey.com
.
|
This is the second of two articles
describing the requirements of new guidance from
the Auditing Standards Board (ASB). The first
article discussed the process of assessing risks
and controls leading to the concept of the risk of
material misstatement (see “Assessing and
Responding to Risks in a Financial Statement
Audit,” JofA, Jul.06, page 43). This
article discusses how the auditor responds to the
risk of material misstatement in designing and
performing audit procedures. The eight
standards listed here are designed to help
auditors plan and perform audit procedures that
will address assessed risks, enhance the auditor’s
response to audit risk and materiality, facilitate
planning and supervision and clarify the concept
of audit evidence. As noted in the new
standards, “auditors must consider audit risk and
must determine a materiality level for the
financial statements taken as a whole.” Auditors
also “must obtain a sufficient understanding of
the entity and its environment, including its
internal control, to assess the risk of material
misstatement.”
|
The Audit Risk Standards
SAS no. 104, Amendment to
Statement on Auditing Standards No. 1,
Codification of Auditing Standards
and Procedures (“Due Professional Care
in the Performance of Work”)
SAS no. 105, Amendment
to Statement on Auditing Standards No.
95, Generally Accepted Auditing
Standards
SAS no. 106, Audit
Evidence
SAS no. 107, Audit Risk
and Materiality in Conducting an Audit
SAS no. 108, Planning
and Supervision
SAS no. 109,
Understanding the Entity and Its
Environment and Assessing the Risks of
Material Misstatement
SAS no. 110, Performing
Audit Procedures in Response to
Assessed Risks and Evaluating the
Audit Evidence Obtained
SAS no. 111, Amendment
to Statement on Auditing Standards No.
39, Audit Sampling
|
DESIGNING FURTHER AUDIT PROCEDURES
Once the risk of material misstatement has
been assessed for major accounts, transaction
streams and disclosures, the auditor must develop
an audit plan in which he or she documents the
audit procedures that, when performed, are
expected to reduce audit risk to an acceptably low
level. As the auditor is assessing risk and the
design and implementation of internal controls, he
or she should determine any overall responses to
address risks of material misstatement at the
financial statement level, and tailor audit plans
(that is, audit programs) to be responsive to the
identified risks of material misstatement at the
relevant assertion level. The application of a
“standard” audit program of procedures on all
engagements will generally not be responsive to
the risks of material misstatement, and is not an
appropriate response under the new standards.
Because the auditor should document the linkage
of the risks, controls and further audit
procedures by assertion, the audit plan also
should consider the risk of material misstatement
at the assertion level. The auditor should design
auditing procedures to achieve the objective of a
high level of assurance that the financial
statements are free of material misstatement.
Those further auditing procedures consist of
either tests of controls or substantive
procedures. For example, say the auditor
identifies a moderate risk of inventory
obsolescence (valuation) and the company monitors
this risk through two procedures: one control that
performs monthly analyses of inventory turnover by
inventory line item looking for risks of
obsolescence and another that monitors market
price fluctuations. In addition, the company takes
periodic inventories to ensure the accuracy of its
perpetual inventory records. In this circumstance
the auditor may assess the risk of material
misstatement as low. If the client controls are
tested and found effective, the auditor may need
to design only a low level of independent
lower-of-cost or market tests on the slower-moving
and specific inventory items that have a high
volatility in cost, and design some independent
analytical procedures to address the obsolescence
(valuation) risk. That may be enough to satisfy
the auditor that risk of financial statement
misstatement is low for this assertion as it
relates to inventory.
TESTING INTERNAL CONTROLS
To rely on the effectiveness of company
internal controls, the auditor should test the
controls—but only after assessing that the design
is effective; otherwise there is no sense in
testing it. If the auditor’s strategy is to rely
on the control, its operating effectiveness is
assessed through appropriate levels of testing.
Tests of implementation may provide some minimal
evidence of operating effectiveness. The auditor’s
reliance on the control is a continuum from “no”
reliance (for example, the design may be
ineffective or there may be no control) to “high”
reliance on the control. The basic
principles of the testing controls in the current
section AU 319 are not changed:
Automated controls can be tested once
or a few times to conclude they operated
effectively throughout the period when information
technology (IT) general controls were assessed as
effective.
Manual controls tests should cover
the period of the examination. The extent of
testing should respond to the desired level of
reliance on the control. Additional
guidance on establishing sample sizes is contained
in the revised AICPA Audit Guide, Audit
Sampling, (CPA2Biz.com product no.
012536JA) released in January. Auditors
should test controls when sufficient evidence may
not be obtainable from traditional substantive
procedures, such as when the business makes
extensive use of IT in its sales or purchases
interfaces such as Internet or EDI (electronic
data interchange) transactions, and the systems do
not create paper trails and historical documents
supporting the transactions.
EVIDENCE FROM PRIOR AUDITS
The new standards clarify when control tests
and other evidence from a prior audit may be used
in the current engagement. For the auditor to
place reliance on that evidence, the audit
evidence and the related subject matter must not
fundamentally change. The auditor confirms that
changes have not occurred by annual inquiry and
performing another procedure that confirms the
control remains implemented and is effective, such
as a walk-through, observation or examination of
some evidence. In any case, the controls should be
retested at least every third year, even when
there have been no perceived changes in them.
An exception to this guidance on evidence from
prior audits is in the case of significant
risks. One or more significant risks
generally are found on most audit
engagements. For these risks
Substantive procedures, or
substantive and controls procedures, specifically
directed at the risk should be applied.
Analytics alone are insufficient to
provide the needed assurance.
Controls assurance from prior
engagements cannot be considered in the current
engagement; the controls need to be tested every
year to rely on them.
PERFORMING AUDITING PROCEDURES
In performing audit procedures, auditors
should apply certain substantive audit procedures
on each engagement. They should
Apply substantive procedures for all
relevant assertions related to each material class
of transactions, account balance and disclosure,
regardless of the assessed risk of material
misstatement.
Examine material journal entries and
other adjustments.
Agree the financial statements to the
underlying accounting records (this is also noted
in SAS no. 103, Audit Documentation,
which is effective for audits of financial
statements for periods ending on or after December
15, 2006). While some auditors already use
audit methodologies that integrate assertions into
identifying risks, assessing controls and
performing procedures, some do not. The appendix
to SAS no. 110 (see “Official Releases,” JofA
, May06, page 152) provides a helpful list of
account balances, related assertions and common
auditing procedures that address these assertions
for a manufacturing company. SAS no. 110
also provides significantly more guidance than
past standards in designing the nature, timing and
extent of audit procedures. In determining sample
sizes, SAS no. 111 amends SAS no. 39, Audit
Sampling, by adding a concept from a
previous AICPA Audit Guide: “An auditor
who applies statistical sampling uses tables or
formulas to compute sample size based on these
judgments. An auditor who applies nonstatistical
sampling uses professional judgment to relate
these factors in determining the appropriate
sample size. Ordinarily, this would result in a
sample size comparable to the sample size
resulting from an efficient and effectively
designed statistical sample considering the same
sampling parameters.” While this guidance
shows a relationship between nonstatistical and
statistical sample sizes, the auditor is not
required to compute or document a comparable
statistical sample size. However, familiarity with
sampling concepts of the level of assurance
obtainable from certain size samples can help
auditors make more informed judgments regarding
appropriate sample sizes. The AICPA Audit Guide,
Audit Sampling, provides illustrations
of designing appropriate sample sizes using tables
and simple formulas. Some commercial
computer-assisted audit technique programs such as
IDEA and ACL also include easy-to-use statistical
sample-size-determination programs.
SUMMARIZING THE RESULTS OF AUDITING
PROCEDURES
The auditor must accumulate all known and
likely misstatements other than those he or she
believes to be trivial. Consistent with prior
standards, differences between auditor and company
estimates are treated as likely misstatements only
if the company estimate is considered
unreasonable. In such a case the amount of likely
misstatement is measured by the difference between
the company estimate and the closest auditor
estimate that is considered to be reasonable.
Auditors should propose known misstatements to
management for adjustment. If they are not
adjusted, the auditor should be alert to the risk
there may be an underlying reason behind the lack
of management response, such as might occur if the
correction would trigger the violation of a loan
covenant or change the direction of an important
trend measure. Known and likely
misstatements that remain unadjusted, including
the effects of prior-period misstatements, should
be compared individually and in the aggregate with
various totals or subtotals (or key relationships)
in the financial statement to ensure they do not
misstate the financial statements as a whole. Be
aware that offsetting material misstatements could
show failed internal controls as well as show that
careful estimation of these amounts (beyond the
tests performed thus far) is necessary to be able
to conclude on the amounts to be adjusted in the
financial statements. If the financial
statement and other information available to the
auditor as the audit progresses and at the end of
the engagement differ from what was anticipated
when materiality was first assessed, a change in
materiality may be appropriate. The auditor should
be careful if the materiality measure at yearend
declines, as this may have implications for
concluding on the adequacy of the procedures
performed to achieve a high assurance that the
financial statements are free of material
misstatement. The auditor should document the
materiality levels and the basis for any changes
as the audit progresses. When assessing
the implications of known and likely
misstatements, auditors also should consider
qualitative factors. For example, a fraud of
less-than-a-material amount still may have
significant implications for assessing the
adequacy of the procedures performed and the risk
assessment that directed the nature, timing and
extent of audit procedures. An illegal payment
might also give rise to concerns about a
contingent liability, and permitting a
misstatement to remain unadjusted may alter user
perceptions about a trend or important measure.
An Illustration of
Prior-Year Uncorrected Misstatements
As a simple example, a
school district may not accrue $20,000 of
unused sick pay each year. That sick pay
will accumulate until it is paid or used
at or near the employee’s retirement date,
as determined by an employment contract.
Assume materiality to be $40,000. The
misstatement of annual income is $20,000,
which may not require an adjustment when
viewed solely from an income perspective.
However, the balance sheet is missing an
annual accrual for $20,000 each year. By
year two and beyond, some companies and
auditors, focusing on the year-end balance
sheet, would cap the balance sheet
misstatement at or below $40,000 and
require the accrual be recognized each
year thereafter. Those focusing only on
the income statement might not require any
adjustment in year two or beyond, since
the income statement is not materially
misstated in any one year. Because some
types of uncorrected misstatements will
predictably “reverse” in future periods
(that is, misstatements of ending
inventory) and some may continue to accrue
on the balance sheet for many periods
(that is, as in this example), a careful
analysis of the nature of the uncorrected
misstatement is necessary.
Year
| Income
misstatement |
Balance
(liability) underaccrual
|
1 |
$20,000
| $20,000
|
2 |
20,000
| 40,000
|
3 |
20,000
| 60,000
| |
CONSIDERING THE EFFECTS OF PRIOR-PERIOD
WAIVED ADJUSTMENTS
SAS no. 107 says the auditor should consider
the effects of misstatements related to prior
periods that were not previously corrected. Such
amounts could affect the income in a period in
which they were reflected in income or could
accumulate on the balance sheet and aggregate to
significant amounts. Three basic methods are used
regarding these items. In the first method, the
income effect of all current and prior-period
misstatements flowing through current income is
considered. In the second, auditors focus on the
aggregate of the misstatements remaining in the
ending balance sheet. In the third method,
auditors apply both perspectives and require an
adjustment if either method shows one is
necessary. The ASB did not intend to
change audit practice in this area in SAS no. 107.
Any of the methods for considering prior-period
uncorrected misstatements are considered
appropriate under the current wording of SAS no.
107. However, in September 2006 the SEC released
Staff Accounting Bulletin (SAB) no. 108, showing
that for public companies both the income
statement and balance sheet methods should be
applied, and an adjustment made, if either method
shows that an adjustment is needed to avoid a
misstatement of the income statement or the
cumulative balance sheet. The SAB also provided
accounting guidance necessary for companies to
transition to the new approach. The SEC position
is similar to the one proposed in the ED version
of SAS no. 107, and auditors should be alert to
possible changes in SAS no. 107 in this area.
BRINGING IT ALL TOGETHER
At the end of the audit, the auditor must
evaluate whether the financial statements taken as
a whole are free of material misstatement.
Auditors seek a high (but not absolute) level of
assurance concerning this before they issue a
clean opinion. If unadjusted misstatements
remain, the auditor compares them with
materiality. Even if the unadjusted misstatements
do not exceed materiality, there is a risk that
misstatements might exist in the company financial
statements undetected by the audit procedures.
The auditor considers the relationship of
individual and aggregate unadjusted misstatements
and materiality, and considers whether the audit
procedures applied still provide a high level of
assurance that the financial statements are not
materially misstated. For example, suppose that
materiality is determined to be $40,000 and $1,000
of unadjusted misstatement remains at the end of
the audit. The auditor knows the tolerable
misstatement was set below materiality in each of
the audit areas for determining the nature and
extent of audit procedures to be performed, and
may well conclude that a cushion of $39,000 is
sufficient to provide a high level of assurance
that material misstatement does not exist in the
financial statements. In contrast, if $39,000 of
unadjusted misstatement were to remain, the
auditor might not be able to conclude with a high
level of assurance that the audit procedures were
sufficient to ensure that only $1,000 of
misstatement might remain undetected. When the
auditor is unable to conclude with a high level of
assurance, he or she should plan additional
procedures to gain additional evidence regarding
the true extent of the misstatements and/or
propose a further adjustment of the misstated
amounts.
COMMUNICATING WITH THOSE CHARGED WITH
GOVERNANCE
The auditor must accumulate all the known
and likely misstatements, other than those the
auditor believes to be trivial, and communicate
them to the appropriate level of management.
When significant or material misstatements are
identified during the audit, such misstatements
may imply a deficiency in controls. In determining
the severity of the deficiency, the auditors
should consider not just the misstatement amounts
found, but also the potential misstatement that
could result from the deficiency. Even a small
misstatement could lead to an assessment that a
material misstatement exists if it’s because of a
missing or ineffective control. SAS no.
112, Communicating Internal Control Related
Matters Identified in an Audit, is
effective for audits ending after December 15,
2006. While SAS no. 112 is not one of the
standards included in the group of “audit risk
standards,” it is closely associated with them.
Under SAS no. 112, the auditor must evaluate
control deficiencies which he or she has detected
while performing the audit of the financial
statements, and determine whether they,
individually or in combination, are significant
deficiencies (SD) or material weaknesses (MW). If
SDs or MWs are identified, they must be
communicated in writing to management and those
charged with governance. Unless remediated, these
deficiencies are repeated in written
communications every year. SAS no. 112 does not
require auditors to discover internal control
deficiencies. Whether they are remediated or not,
these deficiencies should be reported in the year
they are identified. The appendix to SAS
no. 112 provides additional examples of conditions
and circumstances showing deficiencies of internal
controls (see “Official Releases,” JofA ,
Jul.06, page 102). Auditors need to become
familiar with this standard and prepare to
implement it for calendar year 2006 audits.
Some sensitive issues that require the auditor
to assess the severity of any deficiency include
Inadequate documentation of the
components of internal control.
Employees who lack the qualifications
to fulfill their assigned functions, which
includes -
Making the required
GAAP accounting computations, accruals or
estimates.
-
Preparing the company financial
statements. While auditors
may be engaged to prepare the tax accrual or draft
the financial statements under current AICPA
independence guidelines, they still assess the
severity of any deficiency in the company’s
ability to perform these functions. For example,
if the auditor evaluated that company personnel
could not prepare the financial statements and the
accompanying notes, a material weakness might be
assessed.
|
Because new
auditing standards are effective
in both 2006 and 2007, it is
advisable that companies and
auditors discuss in advance the
nature of the changes and ways
to cost effectively implement
the requirements.
Because a more
robust assessment of controls
design and implementation may
be performed under the new
standards, and because the
additional guidance permits
prior audit tests of controls
to be considered in the
current engagement, it may be
more efficient than before to
use a controls-based audit
strategy for some clients.
Most engagements
have at least one significant
risk. If a large number of
your engagements do not appear
to have significant risks
associated with them, then
revisit the concept in SAS no.
109 and the guidance in the
AICPA Audit Guide,
Assessing and Responding
to Audit Risk in a Financial
Statement Audit. If
your engagements appear to
have many significant risks,
reconsider the criteria you
used in making these
determinations. If many of
your engagements still have
numerous significant risks,
you may want to reconsider
your client acceptance and
retention procedures.
If SAS no. 107 is
modified to reflect the
guidance in Staff Accounting
Bulletin no. 108, auditors
following an income-focused
(“rollover”) method of
evaluating unadjusted
misstatements may find that
some client balance sheet
items may need a one-time
adjustment to transition to
the new guidance. Auditors
might wish to assess this
issue for individual clients
and request adjustments in the
current year, if that would
avoid the further accumulation
of misstatements in the
aggregate balance sheet.
When proposing
adjustments based on
projections from samples or
estimates, let the nature and
extent of evidence leading to
the proposed adjustment guide
the auditor as to whether
there is sufficient
information to be comfortable
adjusting some or all of the
difference.
When
communicating significant
deficiencies and material
weakness to management and
those charged with governance,
practitioners may find it
helpful to refer to prior
written communications rather
than repeat the details of any
uncorrected deficiencies every
year.
| |
IMPLEMENTATION ISSUES AND CONCLUSION
Few of the concepts articulated in the audit
risk standards are new to audit practice. How
these standards will affect a firm’s audit
approach and engagement costs will depend on the
current approach and how efficiently the standards
are implemented. Clearly, there are more “musts”
and “shoulds” in the standards, but these
requirements will help standardize audit practice
and create greater consistency in audit
performance. Users have expectations of what an
audit delivers, and the auditor’s performance to
better meet such expectations will continue to
enhance the profession’s image. Costs of
implementation will vary, depending on the audit
firm’s or practitioner’s current practices. The
tasks associated with a more robust assessment of
risk and controls design will account for
significant elements of cost for some in the first
year of implementation. Considering these
requirements early in the process can help ease
the implementation “crunch.” Some audit firms
already have begun their planning and education in
order to make the transition to the new
requirements as smooth and efficient as possible.
For example, some auditors took a more structured
approach to gathering known key client risk
characteristics in 2006, and will expand the
number of factors assessed this year. Some
auditors looked more closely at the controls
surrounding key accounts such as sales or
payments, and thus suggested controls changes
where they had identified gaps. A quality
implementation of the new requirements will pay
back benefits in future years if the appropriate
base has been established. Current
engagements may fall under the new requirements of
SAS no.103 and SAS no. 112. Auditors will need to
gain an understanding of these requirements and
implement them as required. The AICPA has a
variety of products and educational programs to
help you understand the new requirements and to
help you with the implementation issues. |