The AICPA Auditing Standards Board’s (ASB’s) plans to finalize a new risk assessment standard at its August meeting should be welcome news for many practitioners.
Risk assessment is a fundamental process for every audit, but it’s been clear for years that some auditors could improve the way they consider risks when they approach an engagement.
Elizabeth Gantnier, CPA, CGMA, a professional practice partner with Dixon Hughes Goodman LLP in Charlotte, N.C., and a member of the AICPA Peer Review Board, said it’s important for practitioners to complete the analysis and thought-provoking discussion that’s needed for risk assessment. The discussion and risk assessment then inform all the planning and audit procedures that will be performed.
Gantnier and Maria Manasses, CPA, a partner in Chicago with Grant Thornton LLP’s Audit Methodology & Standards Group, plan to explain how the new guidance is intended to address the proper application of the risk assessment standard during a session at July’s AICPA & CIMA ENGAGE 2021 conference.
The standard offers a good deal of guidance specific to internal control as it relates to risk assessment, said Manasses, who chairs the ASB task force writing the new standard.
“That is part of what is being addressed in the new standard, in terms of what you do within each of the components of internal control,” Manasses said. She added that, based on her review of the comment letters submitted in response to the August 2020 exposure draft, many auditors desire a better understanding of the importance of understanding internal control in risk assessment.
“There’s a lack of clarity as to how the understanding of controls influences your audit engagement,” Manasses said.
The amended standard’s focus on internal control arises from the extent to which peer reviews have uncovered audit deficiencies with controls. The deficiencies are also an international issue and have been addressed by the International Auditing and Assurance Standards Board (IAASB) in its update to International Standard on Auditing (ISA) 315, Identifying and Assessing the Risks of Material Misstatement (Revised). The international guidance will be effective for audits of financial statements for periods beginning on or after Dec. 15, 2021.
The ASB intends to have the updated guidance codified in AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, converge with the IAASB’s standards.
“You may have auditors around the globe that are going straight into substantive procedures without really considering the internal control aspects and the processes of the entity to make an appropriate risk assessment,” Manasses said. The new standard is “introducing an evaluation of certain components that are more pervasive, for example, the control environment, the entity’s risk assessment process, and the monitoring component.”
Manasses said the proposed risk assessment standard would also connect the auditor’s responsibility related to individual controls to specific risks.
“That’s where you’re going to be evaluating the design of controls and determining their implementation,” Manasses said.
The proposed standard also would guide auditors to understand and evaluate clients’ information systems and how they process transactions from the moment transactions are initiated until they are recorded.
“That’s where you can identify the likely sources of potential misstatement,” Manasses said.
She said the proposal would update definitions for some key risk assessment terminology, such as relevant assertions, and introduces definitions for related terms, like inherent risk factors and the spectrum of inherent risk.
The proposed standard also would clarify an auditor’s responsibility for evaluating the client’s controls and how the evaluation may affect the rest of the audit.
The project to update the risk assessment standard predates the COVID-19 pandemic, and, although the pandemic clouds almost every aspect of the economy, there’s no need for the new standard to specifically address it, Gantnier said. The existing standard was sufficient for addressing the issues raised by the pandemic.
“For example, working from home creates its own unique risks and may, therefore, require changes to controls,” Gantnier said. “An auditor would want to understand how processes have changed and how controls have evolved to compensate for the changes in risk. The [current] risk assessment standards would have contemplated that.”
In addition, the AICPA’s Enhancing Audit Quality initiative has been examining the pandemic’s effect on audit work.
Gantnier said practitioners need to recognize their responsibility to properly apply the risk assessment standards, and that may require them to set aside the perception that the standard, because it’s long, is unnecessarily complicated.
“It’s not really complicated, and the simpler your client’s situation is, the simpler the approach will be,” Gantnier said. “But because it’s not a boilerplate/checklist approach and because the choices are almost infinite in how people and processes come together in any one client, it takes a lot of pages to talk through the elements that you need to be thinking about.”
A sound risk assessment for any audit requires a good deal of preparation that includes developing a proper understanding of the client and its operations, systems, financial reporting employees, and culture, Gantnier said. That knowledge, coupled with robust planning, will allow the engagement team to adequately address the client’s risks and challenges to proper financial reporting.
“If you don’t ever understand what those challenges are, how do you know you’ve overcome them?” Gantnier said.
AICPA & CIMA ENGAGE 2021, the premier event for accounting and finance professionals, will be a hybrid event this year. Join us at the Aria Resort and Casino in Las Vegas or online July 26–29 for keynotes and sessions on accounting and auditing, tax, technology, leadership, personal financial planning, diversity, equity, inclusion, and more. Keynotes with Sir Richard Branson and NASA’s Adam Steltzner will be held online on June 8.
— Joseph Radigan is a financial writer based in New York. To comment on this article or to suggest an idea for another article, contact Ken Tysiac, the JofA’s editorial director, at Kenneth.Tysiac@aicpa-cima.com.