Risk Assessment Standards in Action





Eight standards rolled out in 2006 by the Auditing Standards Board are sparking a cultural shift for auditors.

The standards—Statement on Auditing Standards nos. 104–111—are designed to enhance auditors’ responses to audit risk and materiality and encourage them to focus on areas with the greatest risk of misstatement. The standards are effective for audits of private company financial statements for periods beginning on or after Dec. 15, 2006.

The JofA asked partners at three accounting firms to write about how the new guidance has affected their work. In their first-person accounts, beginning below, the partners share their experience with putting the guidance into action and offer practical advice for tackling some of the common challenges of implementation.

by Paul Kiel
McGladrey & Pullen LLP

In response to the risk assessment standards—the most significant change to GAAS in more than two decades—McGladrey & Pullen LLP revised its risk-based audit methodology and leveraged technology to develop an automated system that standardizes audit processes and workpaper documentation, allowing the auditor to focus on identifying, assessing and responding to risks of material misstatement.

In the process of working with approximately 200 firms using McGladrey & Pullen’s audit approach, either through membership in the RSM McGladrey Network or as subscribers to AdvanceCPA, we have found that many experienced auditors believe the new standards are simply a codification of what were previously considered “standard” audit procedures. Thus, the standards, theoretically, are not difficult for many auditors.

However, most firms we have worked with are experiencing some common challenges implementing the standards. The first set of challenges is documenting the auditor’s understanding of internal controls, evaluating the design of controls, and determining whether such controls have been implemented. Many auditors we work with struggle with these requirements in situations in which they know they will not rely on the operating effectiveness of internal controls as part of their audit evidence. This is especially true when auditing small, less sophisticated clients with limited internal controls that lack segregation of duties and formal policies.

Firms need to stress to staff members that the purpose of understanding a client’s internal controls goes beyond meeting the requirements of the guidance and is more than a starting point for the testing of internal controls. Ultimately, this enhanced understanding helps point the auditor toward the client’s risks of material misstatement.

While previous standards required auditors to gain an understanding of and document their clients’ internal controls, the new requirement to evaluate the design of the internal controls raises the bar for most auditors, especially those that have not been involved with audits of internal control over financial reporting. Most firms recognize that this is an area in which their staff members need additional training, particularly in the areas of entity-level and key activity-level controls.

Implementing the new standards also has led to administrative challenges. Most RSM McGladrey Network firms and AdvanceCPA subscribers are realizing that the new risk assessment process demands significantly more time from managers and partners. Combine that with the learning curve associated with first-year implementation of the new standards and audit tools, and firms face not only scheduling challenges, but client billing decisions as well.

Evaluating how much additional time the new standards will require in an engagement, how to communicate this to clients, and whether to pass along the additional cost to clients are issues virtually all of our Network and AdvanceCPA firms are facing. Most firms have determined that such decisions must be made on a client-by-client basis. Most of the additional time is incurred early in engagements, resulting in a greater investment in work-in-process during interim periods.

Although the new standards require considerable attention, firms also need to focus on managing their business—particularly their cash flow. They should discuss appropriate, timely billing arrangements with their clients and incorporate such arrangements into audit engagement letters.

Along with the challenges, most firms we work with are also experiencing some benefits from implementing the new standards. One is a better, deeper understanding of their clients’ businesses and industries. This results in a more knowledgeable audit team and better client service. It also provides the ability to perform more meaningful risk assessment procedures.

When combined with performing such procedures early in an engagement, auditors are able to identify significant issues more quickly and properly plan and approve appropriate audit responses. As a result, many firms are developing more focused, tailored audit approaches with more effective and efficient audit procedures.

It is apparent that the new risk assessment standards require a higher level of technical competency from audit professionals. Many auditors we work with are experiencing greater job satisfaction and a renewed interest in auditing as a result of the more challenging work that accompanies the new standards. As the need for highly competent auditors continues to grow, there will likely be new career paths for talented professionals who want to specialize in the field of auditing.

Firms will continue to need strong leadership, as it will play a vital role in the long-term success of this implementation. It’s imperative that leaders of audit practices understand the effect their involvement or lack thereof can have during this time of major change. We’ve observed that firms that leave the implementation to individual engagement teams are experiencing much greater increases in time requirements for audits and a far less coordinated and consistent approach. The increase in workload for those firms has been as much as 60% over the time required prior to the risk assessment standards, rather than the 20% to 30% increase most firms expect. The firms most successful in managing the transition to the new standards are those with leaders who have taken ownership of the process.

Paul Kiel, CPA, is an assurance partner with McGladrey & Pullen in Springfield, Ill. He is director of audit and accounting and continuing professional education for the RSM McGladrey Network and AdvanceCPA. His e-mail address is paul.kiel@rsmi.com.

by Jennifer Carney
Grant Thornton LLP

When the international and U.S. auditing standards boards were debating the risk assessment standards, Grant Thornton participated in the process. We recognized the major changes that would be required to our audit methodology and, in 2003, we began evaluating how to implement them. In doing so, we identified and encountered a number of challenges that we can share.

For example, auditors previously were not required to specifically consider the assertions underlying the financial statements. Assertions were taught in school and included on the CPA exam, but often they were taken for granted in execution—it was assumed that assertions were addressed by those responsible for creating audit programs (often a firm’s national office or a third-party provider).

The new standards require risk assessment at the assertion level. Therefore, auditors must now focus on the assertions and the risks associated with them. Similarly, the new standards require auditors to develop appropriate responses to identified risks. These responses typically take the form of the procedures performed—the audit program. Before the new standards went into effect, practitioners may have tried to use the same audit program for all audits. Under the new standards, one size does not fit all because it is unlikely that any two audits will share exactly the same risks or that those same risks would warrant exactly the same responses. Now auditors will have to rethink existing audit programs and approaches, as our auditors did.

That raises another important point. Historically, many new auditing standards were additive. Auditors could simply bolt on additional requirements to existing audit processes or add new steps to the audit program. If such an approach is taken with the risk standards, auditors will find themselves conducting risk meetings, documenting internal controls and identifying risks, only to execute the same pre-risk standards audit program. Clearly, such an approach will add significant hours to the audit, and auditors will not realize the benefits of focusing attention on risk areas, nor will they reduce time and attention on low-risk areas.

Traditionally, many auditors, including some of ours, substantively tested balance sheet accounts, analytically tested income statement accounts and assumed high control risk. Moving from this approach to the new risk-based approach represents a huge cultural shift, especially as it relates to documenting and testing internal control.

For example, it may be tempting merely to increase controls documentation to comply with the standards—again, bolting on new procedures to the existing audit. To be efficient and effective, however, auditors must remain open to the possibility that controls that are designed effectively can be tested. If such controls are tested and found to be operating effectively, the auditor should be able to reduce the extent of substantive testing. Remember, defaulting to a maximum control risk is no longer permitted.

Likewise, if controls are not designed effectively, auditors must recognize that additional substantive testing will be required to address the risks presented by a lack of controls.

To implement the risk standards at the engagement level, we found that to be effective, the auditors most familiar with the client’s business and related risks should take the lead in retooling programs and approaches early in the audit process. This approach ensures that the requisite level of experience, knowledge and skills is brought to bear in the risk assessment process. It also ensures that risk assessment procedures are completed and that relevant information is available at the audit team meeting to discuss risks.

Moving up the timing of risk assessment procedures will require a change in mind-set for auditors who are not disciplined about completing planning procedures before performing substantive audit procedures, such as sending confirmations and observing inventories. The standards now require this level of discipline—a level that ensures that audit procedures performed are responsive to identified risks.

Specifically, completing the following steps before the risk meeting can facilitate the discussion:

Obtain an understanding of the entity, and use that understanding to identify risks. Appendix A of SAS no. 109 provides additional guidance on matters that can help auditors focus on areas of risk. Examples include the entity’s regulatory environment, nature of revenue sources and financing, as well as new accounting requirements faced by the entity.

Obtain an understanding of the entity’s internal control.

Perform preliminary analytical procedures to identify risk areas and identify areas that can be de-emphasized.

Make inquiries of management and others, keeping the renewed focus on risk.

Combining the audit team meeting to discuss fraud (SAS no. 99) with the meeting of the audit team to discuss all risks of material misstatement (SAS no. 109) increases the likelihood that auditors will meet the requirements of the standards and focus their attention and related documentation on all risks of material misstatement, rather than focusing solely on fraud.

Appendix C of SAS no. 109 includes a list of conditions and events that may indicate risks of material misstatement. The list includes items such as expansion into new locations, changes in the supply chain and a significant amount of “nonroutine or nonsystematic” transactions. Referring to this list during the risk assessment meeting may help auditors through the process the first time. Re-evaluating this list annually will help keep the risk assessment process fresh.

Auditors should recognize that they may not execute these new risk assessment standards flawlessly in the first year. We have found that it is important to take lessons learned and apply them to subsequent audits in order to make better risk assessments and develop more effective responses to identified risks.

It is also important to recognize that with such a significant change in culture and standards, the training process should continue well into 2008 and 2009 to reinforce application. In the end, auditors will have developed a deeper understanding of their clients’ businesses and internal controls, as well as a greater comfort level with applying the new standards.

Jennifer Carney, CPA, is national office assurance partner for Grant Thornton LLP. Her e-mail address is Jennifer.Carney@GT.com.

Risk Assessment Standards

SAS no. 104, Amendment to Statement on Auditing Standards no. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”)

SAS no. 105, Amendment to Statement on Auditing Standards no. 95, Generally Accepted Auditing Standards

SAS no. 106, Audit Evidence

SAS no. 107, Audit Risk and Materiality in Conducting an Audit

SAS no. 108, Planning and Supervision

SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

SAS no. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

SAS no. 111, Amendment to Statement on Auditing Standards no. 39, Audit Sampling

by Carla A. Gogin and David A. Johnson
Virchow, Krause & Co. LLP

To prepare for the new risk assessment standards, our firm selected 25 audit engagements during fall 2006 for a pilot program that involved the early implementation of the standards. The clients involved in the voluntary program were private companies with December 2006 fiscal year-ends.

During our pilot program we learned many valuable lessons regarding the successful implementation of the new standards. The most important of these lessons was to stay focused on the true intent of the standards.

Based on numerous conversations with auditors, both internal and external, we realized that many auditors were focusing solely on the internal control requirements of the new standards and losing sight of the true intent of the standards, which is to identify the risks of material misstatement and develop and perform audit procedures to appropriately respond to those risks. While the evaluation of internal control is necessary to identify and appropriately respond to the risks of material misstatement, it is only one element of the new standards.

With this in mind, we instructed our auditors that if at any point during the implementation process they found themselves performing procedures that were not designed to help identify the risks of material misstatement and appropriately respond to those risks, then it was time to take a step back and assess whether there was a better way to accomplish their audit objectives.

Based on other lessons learned during the pilot program, our firm developed the following list of implementation initiatives. These initiatives can help firms improve audit quality, effectiveness and efficiency as they enter the final stage of the risk assessment standards implementation process.

1. Ensure that the proper “tone at the top” has been established at your firm. Successfully implementing the new risk assessment standards will be challenging and will require a significant commitment of firm resources. To ensure success, this commitment of resources must be supported by your firm’s top management.

2. Verify that all members of the engagement team understand the purpose of the audit procedures assigned to them. This is particularly important as it relates to engagement teams that are completing certain audit procedures for the first time under the new standards.

3. Ensure there is meaningful partner and manager involvement, especially during the planning and risk assessment stages. Encouraging active participation by partners and managers who have a complete understanding of the implementation process will result in more effective, efficient and higher quality audits.

Our firm has developed standard metrics based on external and internal feedback that offer our engagement teams guidelines on the amount and type of partner involvement to be expected during the first year of implementation. The goal of this guidance is to stress to our engagement teams that partners will need to devote more time to their audit engagements this year.

4. Don’t think it is too late in the implementation process to benefit from tailoring. At our firm, we have formed industry teams that have customized internal control tools and templates and audit area work programs for their industries. Industry tailoring can be as simple as providing good implementation examples to other engagement teams within your firm. We have also conducted specialized risk assessment standards training at the industry level. See Exhibit 1 for the types of tools and templates for which industry tailoring can be most beneficial.

5. Employ a top-down, risk-based approach during the internal control evaluation process. This process involves identifying those controls that have a reasonable likelihood of preventing or detecting a material misstatement, and only performing an evaluation of those controls. Starting from the top-down instead of the bottom-up will keep the focus of the audit on the true risks of material misstatement.

6. Utilize information technology and internal control specialists. The information technology consulting group at our firm has helped develop tools, templates and training to assist our auditors with the implementation of the information technology requirements of the risk assessment standards. Our consultants have also assisted with IT control evaluations on many of our larger, more complex audit engagements.

7. Facilitate regular industry team meetings to promote the sharing of questions, ideas and best practices. Identify a point person within each industry group and encourage communication between these individuals to further support the sharing of information across the firm.

8. Utilize auditors experienced in risk-based auditing to further train audit teams and review in-process and completed audit engagements. Provide these auditors with a mechanism to communicate the initial results, both positive and negative, to all firm auditors.

Implementing significant change is always challenging. The success or failure of the risk assessment standards implementation will depend significantly on the personal commitment made by your auditors to learn and understand the new requirements so they can implement the standards as efficiently and effectively as possible. It will also depend on your firm’s willingness and ability to fully understand and embrace the change as well as to think creatively during the implementation process.

Carla A. Gogin, CPA, is a partner and the firm leader of quality, and David A. Johnson, CPA, is senior manager for Virchow, Krause & Co. LLP in Madison, Wis. Their e-mail addresses are cgogin@virchowkrause.com and dajohnson@virchowkrause.com.

Exhibit 1
Customized Tools
Tools and templates best suited for tailoring:

1. Internal control templates pre-populated with common control objectives, “what could go wrong?” scenarios, and control examples. These templates include the following:
Entity-level control assessment
Information technology control assessment
Activity-level control assessment

2. Customized audit area work programs

3. Planning documents, such as planning memos and risk assessment summary forms


JofA articles
“Assessing and Responding to Risks in a Financial Statement Audit: Part II,” Jan. 07, page 59
“Assessing and Responding to Risks in a Financial Statement Audit,” July 06, page 43

Risk Assessment Standards—Understanding the Entity and Assessing Risk, a CPE self-study course (#738800HS)

Risk Assessment Suite of Standards (#060704)
Understanding the New Auditing Standards Related to Risk Assessment—Audit Risk Alert (#022526)
Assessing and Responding to Audit Risk in a Financial Statement Audit—AICPA Audit Guide (#012456)
The above publications can be purchased as a bundle (#990104HI).
The AICPA Audit and Accounting Manual has been updated to include the risk assessment standards (#005137).

For more information or to make a purchase, go to www.cpa2biz.com or call the Institute at 888-777-7077.

Web sites
The AICPA Information Technology Center’s Risk-Based Auditing Content Suite
AICPA PCPS Firm Practice Center, Risk Assessment Standards Implementation Resources
