The AICPA Auditing Standards Board (ASB) recognizes that many auditors struggle to adapt risk assessment requirements to smaller, less-complex entities. To address auditors' concerns, the ASB has incorporated scalability options into Statement on Auditing Standards No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, as codified in AU-C Section 315.
Auditors understand that risk assessment procedures are critical to an audit. Efficiently, effectively, and appropriately applying the risk assessment requirements to smaller, less-complex entities allows the auditor to achieve the goals of the requirements.
Paragraph .09 of AU-C Section 315 states that the section "is intended for audits of all entities, regardless of size or complexity." But one size doesn't fit all clients. As such, the ASB explicitly included numerous discussions in the standard's implementation guidance, where appropriate, of how an auditor might scale procedures to less-complex entities.
Changing extant guidance: Size alone is not complexity
When considering the entity under audit, remember that size does not equal complexity. Extant risk assessment guidance provided guidance for smaller clients. But SAS No. 145 recognizes that size and complexity don't always correlate in performed procedures. The complexity of an entity's activities and its environment, including its system of internal control, is the primary driver of scalability. While some smaller entities are less complex, others are multifaceted and apply complex accounting. Likewise, while larger entities tend to be more complicated, auditors may find certain sizeable entities have basic operations and simpler accounting processes.
Also remember that in determining an auditee's complexity, the auditor considers the entity's industry, use of information technology, maturity of the accounting system, and system of internal control, among other factors that may increase or decrease the entity's overall complexity.
How does SAS No. 145 incorporate the concept of scalability?
SAS No. 145 is designed to be applicable to large, complex entities with a strong system of internal controls as well as to a smaller, less-complex entity with a more informal system. The standard counts on the auditor to use their judgment in applying the requirements and scaling the work performed to match the overall form of the entity.
AU-C Section 315 addresses a multitude of areas — nearly 15 topics — in which scalability can be applied. From the sources of audit evidence, addressed in paragraphs .A22–.A24, to the required documentation, addressed in paragraphs .A269–.A273, the ASB has included application guidance for auditors to scale procedures, as appropriate.
How might scalability be applied?
Recall that AU-C Section 315 requires auditors to perform risk assessment procedures that include "inquiries of management and of other appropriate individuals within the entity, including individuals within the internal audit function (if the function exists), analytical procedures, and observation and inspection."
Focusing on observation and inspection, recall that these procedures may "support, corroborate, or contradict inquiries of management and others and may also provide information about the entity and its environment." SAS No. 145 acknowledges that less-complex entities may lack formal documentation of policies and procedures or may not have robust, sophisticated, or formal controls.
To obtain audit evidence, then, auditors can observe procedures and controls in practice. A small manufacturer may not have documented controls for counting its inventory. However, the auditor may be able to establish that controls exist by observing a periodic inventory count and asking warehouse supervisors about standard procedures.
A less-complex entity with limited staff may only have a few individuals handle cash receipts and disbursements. Although formal documented policies about segregating review responsibilities may not exist, the auditor may be able to directly observe the safekeeping procedures.
These are just two practical examples specific to observation of procedures and controls. Because one entity may not be as sophisticated as another, SAS No. 145 provides auditors opportunities to adapt procedures while continuing to achieve a strong understanding and proper evaluation of the risk of material misstatement present.
A common scenario
Let's look at how an auditor might adapt procedures for one less- and one more-complex entity.
Paragraphs .17 and .18 of AU-C Section 315 require a discussion of risk assessment topics among key engagement members, including the engagement partner, which include the financial reporting framework and its application and how material misstatement could occur in the entity's financial statements. Further, AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, provides a similar requirement focused on fraud in particular. That discussion would include topics covering the potential for fraud in the financial statements, how the entity and management might commit and hide fraud, or how assets might be misappropriated.
How might this engagement team meeting play out with a more-complex client, say a nationwide advertising entity with an external audit team of 15, and a less-complex local retail operation where the audit team includes just one professional?
At our more-complex client, the engagement partner calls a meeting of the partner, manager, and staff. The meeting lasts for several hours, and the team discusses notable changes that have occurred at the entity, the application of the financial reporting framework, and the susceptibility of the entity's financial statements to material misstatement. With respect to AU-C Section 240 requirements, the engagement team discusses how and where the entity's financial statements might be susceptible to material misstatement due to fraud. Further, the engagement team role-plays various scenarios thinking about how an owner or employee could inappropriately misstate accounts to achieve a certain financial result or how an owner or employee could commit a financial fraud. The engagement team also considers management biases and how those may affect financial results.
During the meeting, staff members took notes and compiled them for the working papers, including the considerations and conclusions reached.
For our less-complex entity, the audit engagement team consists only of the engagement partner. Although the requirements in AU-C Sections 315 and 240 related to holding an engagement team discussion and fraud brainstorming meeting may not be relevant, the topics of consideration remain required. Therefore, being the only team member, the engagement partner would consider the key topics and related guidance and document their conclusions.
In both scenarios, the engagement partner and team are able to satisfy the requirements of AU-C Section 315 (and AU-C Section 240) and include relevant documentation in the working papers, but the paths taken look very different.
SAS No. 145 directly addresses this situation, stating: "[W]hen the engagement is carried out by a single individual, such as a sole practitioner (that is, when an engagement team discussion would not be possible), consideration of the matters …, nonetheless, may assist the auditor in identifying where there may be risks of material misstatement."
Like in this scenario, again and again, SAS No. 145 provides application guidance on areas where an auditor can be efficient and effective in auditing entities of varying complexity.
Summary
In drafting SAS No. 145, the ASB understood practitioners' concerns about the scalability of the extant risk assessment standards. Scalability is an important and common thread throughout SAS No. 145. Properly applying the requirements regarding risk assessment is critical, and SAS No. 145 includes ways that the guidance can be applied to all of your clients, efficiently and effectively.
— Dave Arman, CPA, MBA, is the senior manager–Audit Quality at AICPA & CIMA, together as the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Courtney Vien at Courtney.Vien@aicpa-cima.com.
