Eight standards
rolled out in 2006 by the Auditing Standards Board
are sparking a cultural shift for auditors.
The standards—Statement on Auditing Standards
nos. 104–111—are designed to enhance auditors’
responses to audit risk and materiality and
encourage them to focus on areas with the greatest
risk of misstatement. The standards are effective
for audits of private company financial statements
for periods beginning on or after Dec. 15, 2006.
The JofA asked partners at three
accounting firms to write about how the new
guidance has affected their work. In their
first-person accounts, beginning below, the
partners share their experience with putting the
guidance into action and offer practical advice
for tackling some of the common challenges of
implementation.
by Paul Kiel
McGladrey & Pullen LLP
In response to the risk assessment standards—the most
significant change to GAAS in more than two
decades—McGladrey & Pullen LLP revised its
risk-based audit methodology and leveraged
technology to develop an automated system that
standardizes audit processes and workpaper
documentation, allowing the auditor to focus on
identifying, assessing and responding to risks of
material misstatement. In the process of
working with approximately 200 firms using
McGladrey & Pullen’s audit approach, either
through membership in the RSM McGladrey Network or
as subscribers to AdvanceCPA, we have found that
many experienced auditors believe the new
standards are simply a codification of what were
previously considered “standard” audit procedures.
Thus, the standards, theoretically, are not
difficult for many auditors. However, most
firms we have worked with are experiencing some
common challenges implementing the standards. The
first set of challenges is documenting the
auditor’s understanding of internal controls,
evaluating the design of controls, and determining
whether such controls have been implemented. Many
auditors we work with struggle with these
requirements in situations in which they know they
will not rely on the operating effectiveness of
internal controls as part of their audit evidence.
This is especially true when auditing small, less
sophisticated clients with limited internal
controls that lack segregation of duties and
formal policies. Firms need to stress to
staff members that the purpose of understanding a
client’s internal controls goes beyond meeting the
requirements of the guidance and is more than a
starting point for the testing of internal
controls. Ultimately, this enhanced understanding
helps point the auditor toward the client’s risks
of material misstatement. While previous
standards required auditors to gain an
understanding of and document their clients’
internal controls, the new requirement to evaluate
the design of the internal controls raises the bar
for most auditors, especially those that have not
been involved with audits of internal control over
financial reporting. Most firms recognize that
this is an area in which their staff members need
additional training, particularly in the areas of
entity-level and key activity-level controls.
Implementing the new standards also has led to
administrative challenges. Most RSM McGladrey
Network firms and AdvanceCPA subscribers are
realizing that the new risk assessment process
demands significantly more time from managers and
partners. Combine that with the learning curve
associated with first-year implementation of the
new standards and audit tools, and firms face not
only scheduling challenges, but client billing
decisions as well. Evaluating how much
additional time the new standards will require in
an engagement, how to communicate this to clients,
and whether to pass along the additional cost to
clients are issues virtually all of our Network
and AdvanceCPA firms are facing. Most firms have
determined that such decisions must be made on a
client-by-client basis. Most of the additional
time is incurred early in engagements, resulting
in a greater investment in work-in-process during
interim periods. Although the new
standards require considerable attention, firms
also need to focus on managing their
business—particularly their cash flow. They should
discuss appropriate, timely billing arrangements
with their clients and incorporate such
arrangements into audit engagement letters.
Along with the challenges, most firms we work
with are also experiencing some benefits from
implementing the new standards. One is a better,
deeper understanding of their clients’ businesses
and industries. This results in a more
knowledgeable audit team and better client
service. It also provides the ability to perform
more meaningful risk assessment procedures.
When combined with performing such procedures
early in an engagement, auditors are able to
identify significant issues more quickly and
properly plan and approve appropriate audit
responses. As a result, many firms are developing
more focused, tailored audit approaches with more
effective and efficient audit procedures.
It is apparent that the new risk assessment
standards require a higher level of technical
competency from audit professionals. Many auditors
we work with are experiencing greater job
satisfaction and a renewed interest in auditing as
a result of the more challenging work that
accompanies the new standards. As the need for
highly competent auditors continues to grow, there
will likely be new career paths for talented
professionals who want to specialize in the field
of auditing. Firms will continue to need
strong leadership, as it will play a vital role in
the long-term success of this implementation. It’s
imperative that leaders of audit practices
understand the effect their involvement or lack
thereof can have during this time of major change.
We’ve observed that firms that leave the
implementation to individual engagement teams are
experiencing much greater increases in time
requirements for audits and a far less coordinated
and consistent approach. The increase in workload
for those firms has been as much as 60% over the
time required prior to the risk assessment
standards, rather than the 20% to 30% increase
most firms expect. The firms most successful in
managing the transition to the new standards are
those with leaders who have taken ownership of the
process.
Paul Kiel, CPA, is an assurance
partner with McGladrey & Pullen in
Springfield, Ill. He is director of audit and
accounting and continuing professional education
for the RSM McGladrey Network and AdvanceCPA.
His e-mail address is
paul.kiel@rsmi.com.
by Jennifer Carney
Grant Thornton LLP
When the
international and U.S. auditing standards boards
were debating the risk assessment standards, Grant
Thornton participated in the process. We
recognized the major changes that would be
required to our audit methodology and, in 2003, we
began evaluating how to implement them. In doing
so, we identified and encountered a number of
challenges that we can share. For example,
auditors previously were not required to
specifically consider the assertions underlying
the financial statements. Assertions were taught
in school and included on the CPA exam, but often
they were taken for granted in execution—it was
assumed that assertions were addressed by those
responsible for creating audit programs (often a
firm’s national office or a third-party provider).
The new standards require risk assessment at
the assertion level. Therefore, auditors must now
focus on the assertions and the risks associated
with them. Similarly, the new standards require
auditors to develop appropriate responses to
identified risks. These responses typically take
the form of the procedures performed—the audit
program. Before the new standards went into
effect, practitioners may have tried to use the
same audit program for all audits. Under the new
standards, one size does not fit all because it is
unlikely that any two audits will share exactly
the same risks or that those same risks would
warrant exactly the same responses. Now auditors
will have to rethink existing audit programs and
approaches, as our auditors did. That
raises another important point. Historically, many
new auditing standards were additive. Auditors
could simply bolt on additional requirements to
existing audit processes or add new steps to the
audit program. If such an approach is taken with
the risk standards, auditors will find themselves
conducting risk meetings, documenting internal
controls and identifying risks, only to execute
the same pre-risk standards audit program.
Clearly, such an approach will add significant
hours to the audit, and auditors will not realize
the benefits of focusing attention on risk areas,
nor will they reduce time and attention on
low-risk areas.
INTERNAL CONTROL
Traditionally, many auditors,
including some of ours, substantively tested
balance sheet accounts, analytically tested income
statement accounts and assumed high control risk.
Moving from this approach to the new risk-based
approach represents a huge cultural shift,
especially as it relates to documenting and
testing internal control. For example, it
may be tempting merely to increase controls
documentation to comply with the standards—again,
bolting on new procedures to the existing audit.
To be efficient and effective, however, auditors
must remain open to the possibility that controls
that are designed effectively can be tested. If
such controls are tested and found to be operating
effectively, the auditor should be able to reduce
the extent of substantive testing. Remember,
defaulting to a maximum control risk is no longer
permitted. Likewise, if controls are not
designed effectively, auditors must recognize that
additional substantive testing will be required to
address the risks presented by a lack of controls.
FOCUS ON RISK ASSESSMENT PROCEDURES AND PROCESSES
To implement the risk
standards at the engagement level, we found that
to be effective, the auditors most familiar with
the client’s business and related risks should
take the lead in retooling programs and approaches
early in the audit process. This approach ensures
that the requisite level of experience, knowledge
and skills are brought to bear in the risk
assessment process. It also ensures that risk
assessment procedures are completed and that
relevant information is available at the audit
team meeting to discuss risks. Moving up
the timing of risk assessment procedures will
require a change in mind-set for auditors who are
not disciplined about completing planning
procedures before performing substantive audit
procedures, such as sending confirmations and
observing inventories. The standards now require
this level of discipline—a level that ensures that
audit procedures performed are responsive to
identified risks. Specifically, completing
the following steps before the risk meeting can
facilitate the discussion:
- Obtain an understanding of the entity, and use
  that understanding to identify risks. Appendix A
  of SAS no. 109 provides additional guidance on
  matters that can help auditors focus on areas of
  risk. Examples include the entity’s regulatory
  environment, nature of revenue sources and
  financing, as well as new accounting requirements
  faced by the entity.
- Obtain an understanding of the entity’s internal
  control.
- Perform preliminary analytical procedures to
  identify risk areas and identify areas that can
  be de-emphasized.
- Make inquiries of management and others, keeping
  the renewed focus on risk.
Combining the audit team meeting to discuss fraud
(SAS no. 99) with the meeting of the audit team to
discuss all risks of material misstatement (SAS
no. 109) increases the likelihood that auditors
will meet the requirements of the standards and
focus their attention and related documentation on
all risks of material misstatement, rather than
focusing solely on fraud. Appendix C of SAS no. 109
includes a list of conditions and events that may
indicate risks of material misstatement. The list
includes items such as expansion into new
locations, changes in the supply chain and a
significant amount of “nonroutine or
nonsystematic” transactions. Referring to this
list during the risk assessment meeting may help
auditors through the process the first time.
Re-evaluating this list annually will help keep
the risk assessment process fresh.
Auditors should recognize that they may not
execute these new risk assessment standards
flawlessly in the first year. We have found that
it is important to take lessons learned and apply
them to subsequent audits in order to make better
risk assessments and develop more effective
responses to identified risks. It is also
important to recognize that with such a
significant change in culture and standards, the
training process should continue well into 2008
and 2009 to reinforce application. In the end,
auditors will have developed a deeper
understanding of their clients’ businesses and
internal controls, as well as a greater comfort
level with applying the new standards.
Jennifer Carney, CPA, is
national office assurance partner for Grant
Thornton LLP. Her e-mail address is
Jennifer.Carney@GT.com.
Risk Assessment Standards
SAS no. 104, Amendment to Statement on Auditing Standards no. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”)
SAS no. 105, Amendment to Statement on Auditing Standards no. 95, Generally Accepted Auditing Standards
SAS no. 106, Audit Evidence
SAS no. 107, Audit Risk and Materiality in Conducting an Audit
SAS no. 108, Planning and Supervision
SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
SAS no. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
SAS no. 111, Amendment to Statement on Auditing Standards no. 39, Audit Sampling
by Carla A. Gogin and David A. Johnson
Virchow, Krause & Co. LLP
To prepare for the new risk assessment
standards, our firm selected 25 audit engagements
during fall 2006 for a pilot program that involved
the early implementation of the standards. The
clients involved in the voluntary program were
private companies with December 2006 fiscal
year-ends. During our pilot program we
learned many valuable lessons regarding the
successful implementation of the new standards.
The most important of these lessons was to stay
focused on the true intent of the standards.
Based on numerous conversations with auditors,
both internal and external, we realized that many
auditors were focusing solely on the internal
control requirements of the new standards and
losing sight of the true intent of the standards,
which is to identify the risks of material
misstatement and develop and perform audit
procedures to appropriately respond to those
risks. While the evaluation of internal control is
necessary to identify and appropriately respond to
the risks of material misstatement, it is only one
element of the new standards. With this in
mind, we instructed our auditors that if at any
point during the implementation process they found
themselves performing procedures that were not
designed to help identify the risks of material
misstatement and appropriately respond to those
risks, then it was time to take a step back and
assess whether there was a better way to
accomplish their audit objectives. Based
on other lessons learned during the pilot program,
our firm developed the following list of
implementation initiatives. These initiatives can
help firms improve audit quality, effectiveness
and efficiency as they enter the final stage of
the risk assessment standards implementation
process.
1. Ensure that the proper “tone at the top”
has been established at your firm.
Successfully implementing the new
risk assessment standards will be challenging and
will require a significant commitment of firm
resources. To ensure success, this commitment of
resources must be supported by your firm’s top
management.
2. Verify that all members of the engagement
team understand the purpose of the audit
procedures assigned to them.
This is particularly important as it
relates to engagement teams that are completing
certain audit procedures for the first time under
the new standards.
3. Ensure there is meaningful partner
and manager involvement, especially during the
planning and risk assessment stages.
Encouraging active participation by
partners and managers who have a complete
understanding of the implementation process will
result in more effective, efficient and higher
quality audits. Our firm has developed
standard metrics based on external and internal
feedback that offer our engagement teams
guidelines on the amount and type of partner
involvement to be expected during the first year
of implementation. The goal of this guidance is to
stress to our engagement teams that partners will
need to devote more time to their audit
engagements this year.
4. Don’t think it is too late in the
implementation process to benefit from
tailoring.
At our firm, we have
formed industry teams that have customized
internal control tools and templates and audit
area work programs for their industries. Industry
tailoring can be as simple as providing good
implementation examples to other engagement teams
within your firm. We have also conducted
specialized risk assessment standards training at
the industry level. See Exhibit 1 for the types of
tools and templates for which industry tailoring
can be most beneficial.
5. Employ a top-down, risk-based approach
during the internal control evaluation
process.
This process involves
identifying those controls that have a reasonable
likelihood of preventing or detecting a material
misstatement, and only performing an evaluation of
those controls. Starting from the top-down instead
of the bottom-up will keep the focus of the audit
on the true risks of material misstatement.
6. Utilize information technology and
internal control specialists.
The information technology
consulting group at our firm has helped develop
tools, templates and training to assist our
auditors with the implementation of the
information technology requirements of the risk
assessment standards. Our consultants have also
assisted with IT control evaluations on many of
our larger, more complex audit engagements.
7. Facilitate regular industry team meetings
to promote the sharing of questions, ideas and
best practices.
Identify a point
person within each industry group and encourage
communication between these individuals to further
support the sharing of information across the
firm.
8. Utilize auditors experienced in
risk-based auditing to further train audit
teams and review in-process and completed
audit engagements.
Provide these
auditors with a mechanism to communicate the
initial results, both positive and negative, to
all firm auditors.
Implementing
significant change is always challenging. The
success or failure of the risk assessment
standards implementation will depend significantly
on the personal commitment made by your auditors
to learn and understand the new requirements so
they can implement the standards as efficiently
and effectively as possible. It will also depend
on your firm’s willingness and ability to fully
understand and embrace the change as well as to
think creatively during the implementation
process.
Carla A. Gogin, CPA, is a
partner and the firm leader of quality, and
David A. Johnson, CPA, is
senior manager for Virchow, Krause & Co. LLP
in Madison, Wis. Their e-mail addresses are
cgogin@virchowkrause.com and dajohnson@virchowkrause.com.
Exhibit 1: Customized Tools
Tools and templates best suited for tailoring:
1. Internal control templates pre-populated with
   common control objectives, “what could go wrong?”
   scenarios, and control examples. These templates
   include the following:
   - Entity-level control assessment
   - Information technology control assessment
   - Activity-level control assessment
2. Customized audit area work programs
3. Planning documents, such as planning memos and
   risk assessment summary forms