A refreshed focus on risk assessment

Audit firms may have to change some processes in response to a new standard and pandemic-fueled changes to the environment.
By Ken Tysiac


Tracy Harding, CPA, was on his way to work and looking forward to completing an audit he was working on. But on the way in, he heard a news report that changed the objective of his day.

A local business was unexpectedly closing its doors and happened to be a significant customer of Harding's audit client. The plans for Harding's day had changed — he would be revisiting risks associated with receivables and reassessing the allowance for bad debts.

"I recognized we'd have to assess the impact on the audit," recalled Harding, a principal with BerryDunn in Bangor, Maine, who is chair of the AICPA Auditing Standards Board (ASB).

The last-minute change in plans illustrates that from the beginning of the audit until the very end, auditors need to be evaluating the risks in an engagement. A robust risk assessment is the key to creating an audit plan that guides the direction and procedures performed during the audit, prompting practitioners to spend their time in the right areas in the engagement. It also provides the impetus to pivot when necessary, even when confronted with new information on the day that an auditor's report is to be issued.

In recognition of the foundational role of risk assessments in the pursuit of quality in engagements, the ASB in October issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (see the sidebar "New Risk Assessment Standard Has Focus on Clarity"). The new standard is designed to address an area that the peer review program has identified as challenging for auditors and has been a focus of the AICPA's Enhancing Audit Quality initiative. SAS 145 does not fundamentally change the key concepts underpinning audit risk. Rather, it clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessment and, therefore, enhance audit quality.

"I like to call it spending your time where you need to spend it, looking at and taking time to make sure that you put more audit effort in the areas that have greater risk, and reducing the time spent in areas that you don't have a lot of risk in," said Maria Manasses, CPA, deputy chief auditor at Grant Thornton LLP in Downers Grove, Ill., and chair of the ASB Risk Assessment Task Force. "And it's important to do that because an audit is performed within a reasonable period of time and at a reasonable cost for the benefit of timely financial reporting to users."

The following considerations can help audit firms succeed in their risk assessment processes as a new standard comes into force and a pandemic-fueled shift in risks takes hold.


SAS 145 clarifies that the overall understanding of the entity's system of internal control is achieved through understanding, and evaluating certain aspects of, each of the following components of the system of internal control (and performing the related requirements to obtain such an understanding):

  • The control environment.
  • The entity's risk assessment process.
  • The entity's process to monitor the system of internal control.
  • The information system and communication.
  • Control activities.

SAS 145 requires a deeper understanding and clearer articulation of the auditor's evaluation of the design of controls.

An understanding of controls — and the system of internal control — can provide a window into potential fraud risks and gaps in internal control that could lead to the risk of a material misstatement. Therefore, this understanding can inform the audit response.

"One of the legs of the fraud risk triangle is opportunity," Harding said, "and one of the ways you can learn about opportunities is to understand where there may be inappropriate segregation of duties, for example, and you can only do that if you get in there and get an understanding of controls."


Auditors will hopefully better understand which risks should be flagged as significant risks thanks to a new definition that's included in SAS 145. Under previous standards, the definition of significant risk focused on risks that require special audit considerations (see the sidebar "6 High-Risk Areas That May Merit Extra Auditor Attention").

Under SAS 145, significant risk is defined to encompass identified risks that lie on the upper end of the spectrum of inherent risks. Although the new definition provides more clarity for practitioners to help them identify significant risks, one thing does not change: Significant risks still require special audit considerations.

"I'm not sure if the standard will result in new significant risks being identified or fewer significant risks being identified by some firms," Manasses said. "I believe that it's just clarifying the definition in the context of what it's intended to be, linking it to some of the new terminology like inherent risk factors, and then giving a bit more comfort to audit teams so they know if they are identifying them as intended."


There's a lot to consider in risk assessment related to the pandemic.

Client-focused concerns include going concern evaluations; changes to processes and controls related to the pandemic due to personnel working from home; availability of skilled labor; and an altered business environment and new customer demands that may create hazards but also can provide opportunities.

Auditors also need to be conscious of the changes to their own processes that have occurred as a result of the pandemic, especially with regard to remote auditing. Interviews by videoconference, video inventory checks, and remote document verification processes may all work to provide sufficient appropriate audit evidence. But these methods need to be considered carefully for potential risks.

Harding said SAS 145 emphasizes the link between risk assessment and the design and performance of audit procedures. This link means that auditors might need to modify audit procedures to consider additional risks in the pandemic-related environment. For example, junior audit staff who traditionally perform inventory counts may need to be supervised more closely by a more senior manager if inventory is being counted remotely rather than in person, particularly if clients are operating the cameras.


Risk assessment is an area that's well suited for improvements in processes, completeness, and quality offered by the use of audit data analytics.

"Being able to gather all the underlying data and run it through various analytical routines really provides a lot of insight into where you want to focus your attention in the audit and where there may be likely sources of misstatement," Manasses said. "You can even bifurcate your population in response to a risk by directing your attention to notable items."

Visualization tools can play an important role in improving risk assessment. They can help transform a series of otherwise unnoticed numbers into a vibrant picture that tells a story about risks that merit further analysis and audit procedures.


SAS 145 requires the auditor to understand how the financial reporting framework relates to a particular client and its internal control. FASB's new revenue recognition standard, for example, is leading auditors to pay close attention to controls that exist around contracts.

"We're learning a lot more about our clients, and I knew we would, as we really get into that revenue standard," Harding said. "Better understanding of a particular client and what its controls are, how it handles contracts, and how the contracts work could affect our assessment of whether revenue is being properly recognized under the new accounting rules."

This gives auditors a better understanding of a client's customers and how they provide services or products to those customers, which provides additional information on risks that can be considered in the risk assessment process.


Third-party audit practice aids typically include language stating that they are tools to be used within the context of a broad understanding of an audit engagement. Auditors can't just sign the engagement letter, check off all the boxes on a checklist, and then issue their report.

"Service providers develop material for a broad set of users, and those materials are being developed so auditors can comply with the professional standards," Manasses said. "You need to be able to take those materials and understand the methodology that's embedded within them to be able to appropriately apply them in your particular circumstances."


SAS 145 is principles-based and agnostic with respect to methodology because there are different, perfectly valid ways to assess risks and respond to them. Nonetheless, the number of changes that SAS 145 will require a given firm to make may vary depending on the audit methodology the firm already is using.

"Audit methodologies may already encompass some of the aspects within the standard," Manasses said. "And there are definitions and requirements that have been clarified through SAS 145 that may result in some differences in methodologies. But it may have a greater impact on some audit firms and a lesser impact on some others."


Ultimately, the new risk assessment standard is intended to help auditors set the focus of their procedures properly while planning the engagement and keep them on track until the very end.

"You have to meet deadlines, but more importantly, you have to perform a quality audit," Manasses said. "And in order to do that you have to introduce a risk-based methodology to appropriately apply the timing and assign the resources necessary on the audit areas that require more audit effort. A risk-based methodology also facilitates effective supervision and review by adequately directing and reviewing areas of greater risk."

New risk assessment standard has focus on clarity

SAS 145 addresses definitions and internal control responsibilities

The critically important process of risk assessment in audits was changed in October when the AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.

The new standard, which takes effect for audits of financial statements for periods ending on or after Dec. 15, 2023, is designed to provide additional clarity for practitioners while considering changes in technology and other areas of the business environment. The new standard:

  • Revises the definition of significant risk, indicating that those risks lie on the upper end of the spectrum of inherent risks.
  • Provides guidance that is intended to enhance the auditor’s application of professional skepticism in performing risk assessment procedures.
  • Includes a new requirement to separately assess inherent risk and control risk.
  • Addresses the auditor’s responsibilities related to the entity’s system of internal control.
  • Includes extensive new guidance on information technology (IT) and the consideration of general IT controls.
  • Includes a new “stand-back” requirement that is intended to drive an evaluation of the completeness of the identification of significant classes of transactions, account balances, and disclosures by the auditor.

ASB Chair Tracy Harding said some firms may not see a major impact in their procedures as a result of the standard, but everyone can benefit from the improved clarity in the standard. “While drafting the standard, we kept coming back to, ‘This is how we do it at our firm, but some people may not take the current standard that way, so let’s improve the clarity,’” Harding said. “That was a big part of the effort.”

6 high-risk areas that may merit extra auditor attention

Items that require significant management judgment may need careful scrutiny.

Determining the significant risks in an audit requires substantial auditor judgment, and certain areas often merit close scrutiny in that evaluation. Here are a few:

Valuation of assets

Valuation requires a great deal of judgment, and auditors need to understand the methodology behind it. Challenging judgments include difficult-to-value financial instruments, long-lived assets with indicators of impairment, related-party receivables, and obsolete inventory.

Complex estimates

This is another area in which the auditor needs to understand how management developed the information it is reporting. There are many ways to arrive at an estimate; is management's method reasonable?

Control testing

"The ability to test the operating effectiveness of controls to reduce or otherwise modify substantive testing in response to a risk hasn't changed," said Maria Manasses, CPA, chair of the AICPA Auditing Standards Board's Risk Assessment Task Force. "Even when the auditor does not test controls, the [new risk assessment] standard guides an auditor's required understanding of processes and controls across all components of internal control to develop an effective and efficient audit approach."

Revenue recognition

For many clients, FASB's new standard requires changes in processes for measuring and recording one of the most important numbers in the financial statements.

Going concern

The pandemic environment has increased going concern risk. Auditors need to consider the adequacy of management's going concern evaluation about whether substantial doubt has arisen and, if so, whether it has been alleviated, and determine whether to include in the auditor's report a communication about substantial doubt.

Automated transactions

There's no "paper trail" anymore for many transactions, and that requires a different focus for auditors. "You have a highly automated environment," Manasses said. "Transactions might only exist in electronic form. In order to audit that, an auditor has to obtain a deeper understanding of the controls surrounding information processing."

About the author

Ken Tysiac is the JofA’s editorial director. To comment on this article or to suggest an idea for another article, contact him at Kenneth.Tysiac@aicpa-cima.com.

Note: The AICPA also is working to update the Audit Guide Assessing and Responding to Audit Risk in a Financial Statement Audit, with plans to focus the guide on applying risk assessment in audits of less complex entities.

