Assessing and responding to risks in a financial statement audit: auditors must leave a clear record in private company audits.

EXECUTIVE SUMMARY

* The new audit risk standards require the auditor to understand and respond to risks of material misstatement, whether due to errors or fraud. In reaching that understanding, auditors should identify risks to the entity's business and the controls in place to mitigate them.
* These standards use the more sharply defined terms must, should and may from SAS no. 102, Defining Professional Requirements in Statements on Auditing Standards.
* Because these standards address many issues at the core of auditing, they may significantly affect the formality of the risk assessment process and documentation of the assessment details, depending on how this has been done in the past.
* Entities and auditors will maximize their effectiveness and efficiency if they carefully plan their responses to the new requirements. The documentation and assessment of controls over financial reporting is a good place for them to begin such efforts.
* The AICPA is creating a number of educational products designed to help auditors implement the new standards.

**********

This is the first of two articles describing the requirements of--and implementation suggestions for--new guidance from the Auditing Standards Board (ASB). This article discusses the process of assessing risks and controls, leading to the concept of the risk of material misstatement. A subsequent JofA article will discuss how the auditor responds to the risk of material misstatement.

These eight standards (see exhibit 1, and "The New World of Auditing Standards," JofA, May05) are designed to help auditors plan and perform audit procedures that will address assessed risks, enhance the auditor's response to audit risk and materiality, facilitate planning and supervision and clarify the concept of audit evidence.
Exhibit 1: The Audit Risk Standards

* SAS no. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures ("Due Professional Care in the Performance of Work")
* SAS no. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
* SAS no. 106, Audit Evidence
* SAS no. 107, Audit Risk and Materiality in Conducting an Audit
* SAS no. 108, Planning and Supervision
* SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
* SAS no. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
* SAS no. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
EXPECTED BENEFITS OF THE STANDARDS

The standards are designed to result in more effective audits as a result of better risk assessments and improved design and performance of audit procedures to respond to the risks. Auditors will be able to focus on those areas where the risk of misstatement is the greatest. The new standards also clarify the phrase "sufficient knowledge of internal control to plan the audit" as used in the professional literature. A resulting benefit is that the auditor will have a better basis for determining the nature, timing and extent of further procedures and assessing potential fraud risks. In addition, the standards emphasize the use of assertions to link the risks, controls, audit procedures and conclusions. Auditors can use this technique to determine whether audit procedures are responsive to identified risks.

SAS no. 107 makes it clear that the overall objective of an audit is to provide reasonable assurance that the financial statements are free of material misstatement. The term reasonable assurance has been subject to varying interpretations, but has now been clarified by the ASB as meaning a high, although not absolute, level of audit assurance. To ensure that management, those charged with governance and the auditor agree on what the audit will involve, SAS no. 108, Planning and Supervision, says that the auditor should have a written understanding with the client regarding the terms of the engagement (see "The Heart of the Matter").

MATERIALITY

In the performance of a GAAS audit, the auditor must assess materiality and audit risk. Although the concept of materiality relates to auditing, it is rooted in accounting and user needs. SAS no. 107, Audit Risk and Materiality in Conducting an Audit, identifies the user as having, among other attributes, a knowledge of business activities and of the limitations that materiality and estimation place on an audit and a willingness to study the financial statements. SAS no. 107 clarifies that when auditors assess materiality, they should consider the needs of users as a group, not just those of specific individuals.

While the standards do not suggest specific materiality benchmark percentages, they do suggest the common benchmarks of income, revenues and assets. For example, profit-oriented entities may use an income-based materiality. Forthcoming AICPA audit guides on risk assessment and audit sampling will provide more detailed information regarding the establishment of appropriate benchmarks. Due to the possible aggregating effects of immaterial misstatements and the need to opine at a low risk, auditors should design procedures at the account- or stream-of-transactions level, using a test threshold that is lower than the overall materiality level.

RISK ASSESSMENT

This phase of the audit process is not just a planning tool, but an integral part of evidence gathering. Since risk assessment directs the auditor's attention to issues that merit further consideration, it should be based on the inquiries, observations and audit evidence gathered by the auditor; this gathering and documentation of evidence is important. Generally, simple inquiries of management are an insufficient basis for this assessment. In addition, according to SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, risk assessment procedures alone are not a sufficient basis for rendering the audit opinion.

As part of the risk assessment process, the engagement team should hold a brainstorming session to consider the nature and magnitude of possible misstatement risks. This session may be combined with the brainstorming session on fraud risks required by SAS no. 99, Consideration of Fraud in a Financial Statement Audit. To meet this requirement, a sole practitioner might challenge himself or herself to be objective and critical when updating past risk assessments and documenting changes in the business environment.

While not intended as a checklist of all factors, appendix C to SAS no. 109 provides specific examples of risks for consideration. This list, plus other factors identified in the standards, may facilitate productive discussions during the brainstorming session. These factors have roots in business risks that in the past have led to audit issues.

It is expected that on every audit the auditor will identify one or more significant risks before considering related controls. For example, a significant inventory of precious metals or gems might be a significant risk in an audit of a jewelry business. In other businesses, such risks may arise due to unique transactions, adjustments or critical accruals, such as the estimation of highly subjective allowances. For significant risks, the auditor should (1) consider the design and implementation of related controls, (2) avoid reliance on analytical procedures alone and (3) rely on evidence gathered only in the current period for controls assurance.

By their nature, some risks may have especially pervasive effects on financial reporting. For example, one risk may be associated with the weak business background of those charged with governance (that is, the owners or a group such as the board of directors). This type of overall risk can affect many accounts and measures, but others relate more to specific accounts and assertions. For example, a risk of misstatement of inventory amounts due to obsolescence risk in a line of inventory products would be related to the valuation assertion for that account.

Both these types of risks--overall and assertion-based--may affect auditors' actions and procedures, but in different ways. An overall audit risk might require a more experienced engagement team, while the obsolescence risk in inventory may require specific, directed procedures, such as a more detailed analysis of product demands and inventory turnover.

LINKING RISKS AND PROCEDURES

An important requirement in these standards is the need to link identified risks to relevant controls and to the audit actions designed to respond to these risks. Such a linkage helps the audit team determine whether the risks are addressed, assists in communication on the audit and helps reviewers, including peer reviewers, follow the implementation of the audit strategy. In practice, simpler audits may accomplish this linkage through careful cross-referencing of audit documentation. For more complex situations, this linkage may be supplemented by a planning or engagement strategy memo or matrix.

In heightening the importance of using assertions to link risks, the standards also have revisited the assertions in the literature and expanded them to articulate presentation and disclosure issues. The specific assertions listed in SAS no. 106, Audit Evidence (see exhibit 2), do not have to be used if auditors employ assertions that are essentially equivalent.
Exhibit 2: SAS No. 106 Financial Statement Assertions

Transaction       Balance                     Presentation and disclosure
--------------    ------------------------    ------------------------------------
Occurrence        Existence                   Occurrence and rights and obligations
Completeness      Rights and obligations      Completeness
Accuracy          Completeness                Classification and understandability
Cutoff            Valuation and allocation    Accuracy and valuation
Classification    -                           -
INTERNAL CONTROLS

The auditor should have a basis for his or her assessment of controls, such as a review of the design of controls over significant accounts and assertions, and a confirmation they are in operation by a walk-through or observation. The auditor cannot default to a high control-risk assumption without performing the required elements of a controls assessment. Additionally, without some assurance that the information in the accounting system is being generated properly, there is no basis to rely on analytical relationships of accounts or other financial data that are stored within the system.

Auditors should assess how all five components of internal control over financial reporting relate to the entity being audited (see the Committee on Sponsoring Organizations of the Treadway Commission's [COSO] framework; www.coso.org/key.htm). This does not mean that auditors are required to test or rely on controls as part of their audit strategy, formerly referred to as the audit approach. But the auditor should assess the design of the controls and examine some evidence that the controls have been properly implemented on all audits.

Auditing standards focus on the controls over financial reporting, but COSO's 1992 Internal Control Integrated Framework (www.coso.org/publications/executive_summary_integrated_framework.htm) also discusses regulation and operations. These other elements are relevant only if they affect financial reporting. For example, a failure to comply with regulatory requirements could affect contingencies or even the going concern assumption (see "COSO Framework--The Five Components").

[ILLUSTRATION OMITTED]

How this requirement is implemented can have a significant effect on the entity's costs, particularly in the first year. For example, an auditor might evaluate whether the internal controls achieve the COSO control objectives and consider the risks of what could go wrong if the controls were ineffective. This evaluation should relate objectives, risks and controls by assertion to determine that all these elements are synchronized. Only significant accounts and processes would generally be addressed using this analysis. For example, controls over major revenue and expense streams would be assessed for most entities, but those over treasury transactions might not be assessed in an entity where such transactions are infrequent, not material, and will be fully validated by substantive procedures.

Evidence that a control has been implemented can be obtained in a walkthrough that follows transactions from their inception through the aggregation process in the ledger. Alternatively, such evidence of implementation can be obtained by observing the operation of a control at the various stages of the control process--for example, at a specific time or over one or more specific documents, or by examining the sign-off of a control operation that verifies the agreement of an invoice with a list of approved vendors.

Smaller entities often have less formally documented controls. Also, in smaller entities it is easy to overlook the hands-on role some senior members of management may play in internal control, either in monitoring controls or in performing controls directly. The use of control objectives or an equivalent, along with simple flowcharts that can be related to the objectives, often may provide more efficient documentation than narratives or complex flowcharts. Phasing in the development of efficient documentation today, prior to the effective date of the standards, can save audit time and expense (see "Control Objective Based Documentation").

COSO's October 2005 draft report, Guidance for Smaller Public Companies: Reporting on Internal Controls over Financial Reporting, suggested that using control principles in conjunction with other sub-attributes can be an efficient documentation framework for smaller companies. Whether companies or auditors use the original COSO control objectives, or some variation at a higher level of aggregation of the objectives, the end result should be the same. The auditor should be able to identify control design gaps that could have significant consequences for the entity. Simply using checklists of possible controls to identify design deficiencies or missing controls may be inefficient because they may incorrectly lead to the expectation that all controls on the list are needed to achieve the entity control objectives. Explaining how the entity achieves the relevant control objective and mitigates the related risk can make the documentation more effective and efficient.

Identified significant deficiencies and material weaknesses must be reported to management and those charged with governance. The ASB recently approved SAS no. 112, Communicating Internal Control Related Matters Identified in an Audit (see Official Releases), a revision of SAS no. 60, Communication of Internal Control Related Matters Noted in an Audit, to define the auditor's responsibility to do this.

Because of the need to assess controls, including information technology (IT) general controls, some auditors may need to engage a specialist to assist in the assessment process, especially when the IT environment is complex or the auditor expects to rely on automated controls and has limited resources to address the issues.

When the auditor's strategy is to significantly rely on some or all of the entity's controls, they should be tested. The next article on this topic will discuss testing controls more fully. The minimum design and implementation work can provide some basis for varying the nature, timing and extent of the procedures planned. That is because the procedures that confirm implementation also may provide some evidence of operating effectiveness at the time the test is conducted. For example, some auditors refer to a walk-through as a test of one that--if it is the only evidence gathered--is a minimal basis for any reliance. However, the assurance that can be placed on controls is a continuum

The requirement to assess controls for audit purposes should not be confused with the attest service of reporting on internal controls. Such engagements would likely involve the assessment of controls over more processes and accounts, assume a significantly greater amount of documentation of controls by the entity and require testing by the auditor when opining on effectiveness.

RISK OF MATERIAL MISSTATEMENT

This is the combination of the assessments of risks and related controls. Auditors may assess these two risks together or separately, although, for practical reasons, the components often are assessed separately. The risk of material misstatement forms the theoretical starting point for designing further audit procedures including tests of controls, analytical procedures and tests of details.

WHAT'S NEXT

The AICPA is creating a number of educational products to help auditors implement the new standards, including a recently issued audit risk alert, Understanding the New Auditing Standards Related to Risk Assessment, and an audit guide, as well as presentations and discussions on the topic at a number of AICPA conferences and new CPE courses. A second article on this topic will discuss designing further audit procedures, the process of summarizing audit results and drawing conclusions.

AICPA RESOURCES

CPE
Auditor's Risk Assessment Process: Tackling the New Risk Assessment SASs (text, # 732990JA; DVD/manual #182990JA).

Publications
* Risk Assessment Suite of Standards (paperback, # 060704JA).
* Codification of Statements on Auditing Standards (paperback, # 057200JA).
* Audit Risk Alert, Understanding the New Auditing Standards Related to Risk Assessment (paperback, # 022526JA).
* Risk Assessment Standards & Guidance Set (paperback, # 990103HIJA).
For more information or to place an order, go to www.cpa2biz.com or call 800-777-7077.

Web site
* Summary of the eight audit risk assessment standards, SAS nos. 104-111, www.aicpa.org/risk.

Practical Tips
* Study the concepts of the COSO internal control framework now and be familiar with its components and how it applies to clients.
* If you have another audit cycle between now and the effective date of these standards, consider control risks more thoroughly and the documentation that will be necessary to support your audit under the new standards.
* Be alert for the "smaller companies" guidance expected to be forthcoming from the COSO project in the second quarter of this year. Identify cost- and effort-saving opportunities to apply this guidance and assist clients in strengthening controls.
* Consider whether the audit has addressed all of the relevant assertions for all important accounts and transaction streams. Pay attention to any practice aids that employ assertions, and learn how they can be used to build a link between the risks and audit procedures.
* Start now to build "assertions-based" terminology into engagement team discussions to generate familiarity.

RELATED ARTICLE: The heart of the matter.

* SAS no. 107, Audit Risk and Materiality in Conducting an Audit, makes clear that the overall objective of an audit is to provide reasonable assurance--a high, but not absolute level of assurance--that the financial statements are free of material misstatement.
* SAS no. 108, Planning and Supervision, says that the auditor should have a written understanding with the client regarding the terms of the engagement.

RELATED ARTICLE: Why and how guidance has changed.

The eight audit risk standards, SAS nos. 104-111, respond to the conclusions of the Joint Risk Assessments Task Force of the ASB and the International Auditing and Assurance Standards Board and to recommendations of the August 2000 report of the Panel on Audit Effectiveness of the Public Oversight

These standards, originally exposed in December 2002, were re-exposed in 2005 after further refinement. They use the more sharply defined terms must, should and may from SAS no. 102, Defining Professional Requirements in Statements on Auditing Standards (see "Official Releases," JofA, Mar.06). The eight standards were published in "Official Releases," JofA, May06.

RELATED ARTICLE: Control objective based documentation.

* Control objective: Sales are valid.
* Risks: Because of credit-card fraud, the transaction may not produce revenue.
* Assertions: Occurrence: Did a valid sale occur?
* Company controls
  * Pre-sale credit card validation is in place.
  * Close monitoring of past defaults.
* Assessment
  * The control design is effective.
  * A walk-through of procedures confirmed these controls are in place.
  * Reference to other supporting workpapers (not illustrated).

John A. Fogarty, CPA, Auditing Standards Board chairman, is a partner of Deloitte and Touche LLP and a member of the International Auditing and Assurance Standards Board. His e-mail address is jfogarty@deloitte.com. Lynford Graham, CPA, PhD, CFE, is a consultant, recent former member of the ASB and Risk Assessment Standards Task Force and chair of the Risk Assessment and Risk Response Audit Guide Task Force; his e-mail address is LgrahamCPA@verizon.net. Darrel R. Schubert, CPA, is a partner in Ernst & Young LLP's national professional practice and risk management group and was chair of the Risk Assessment Standards Task Force; his e-mail address is darrel.schubert@ey.com.