Assessing risk: AICPA's new risk assessment standards present a sea change for auditors.
The panel's recommendations were principally directed to three groups able to influence audit conduct: the Auditing Standards Board, auditing firms and the former SEC Practice Section of the AICPA.
The recommendations addressed to the ASB in part represented a call for auditing standards that provide "more specific and definitive guidance containing imperatives," such as SAS No. 67, The Confirmation Process.
The panel recommended that auditors should be required to possess a "far deeper understanding" of the client's business, risks and controls, in addition to designing and performing substantive tests to detect fraud.
The development and issuance of the new Statements on Auditing Standards Nos. 104-111, discussed below, were primarily in response to the panel's report but also conform to the PCAOB's views.
Issued in March 2006, the new standards are effective for audits of financial statements for periods beginning on or after Dec. 15, 2006, with earlier application permitted. The new standards are expected to enhance the application of the long-standing audit risk model and improve the quality of audits because they specifically require auditors to:
* have a more comprehensive understanding of the client's business and its environment, including its internal control;
* perform a more exacting assessment of the risk of material misstatement resulting from such understanding; and
* perform procedures that more clearly link the risk assessment to the decision of what audit procedures to perform, and when.
Also, the new standards redefine longstanding concepts, such as "reasonable assurance," "financial statement assertions" and "audit evidence." They also set forth provisions that emphasize the planning phase, setting the stage for a more efficient audit engagement while reminding the auditor "planning and supervision continue throughout the audit."
SAS NO. 104
SAS No. 104 amends SAS No. 1 (AU 230 of AICPA Professional Standards) by expanding on what "due professional care" entails and defining "reasonable assurance" to mean "high" level of assurance.
The old version of AU 230, paragraph 10, states, "... due professional care allows the auditor to obtain reasonable assurance that the financial statements are free of material misstatement, whether caused by error or fraud."
SAS 104 replaces the above with "while exercising due professional care, the auditor must plan and perform the audit to obtain sufficient appropriate evidence so that audit risk will be limited to a low level...." (emphasis added). The phrase "appropriate evidence" is also added.
SAS 104 appears to have conformed to the PCAOB's Auditing Statement No. 2's concept of "reasonable assurance" by stating its use of that phrase in the audit report means a "high" level of assurance was intended to be obtained by the auditor. SAS No. 104 did not, however, quantify when "high" is reached or what circumstances would define such level.
SAS NO. 105
SAS No. 105, Generally Accepted Auditing Standards, amends SAS No. 95. The predominant change is the addition of the term "must." SAS No. 102 describes "must" as an "unconditional requirement," meaning the auditor is required to comply with it in all cases in which the circumstances exist to which the unconditional requirement applies. This description mirrors the PCAOB's Rule 3100.
General Standard No. 1 now states, "The audit must be performed by a person or persons having adequate technical training."
The three Standards of Fieldwork have been revised and are now in the active voice, as in "The auditor must," removing any doubt as to who's responsible. Also, the second standard of fieldwork is more encompassing, stating the auditor must obtain a sufficient understanding of the client's entity and its environment, including its internal control. Further, the risk assessment of material misstatement resulting from such understanding is no longer limited to the planning phase, as "further audit procedures" may be necessary.
The third standard of fieldwork requires the auditor to obtain sufficient "appropriate audit evidence" as further discussed in SAS No. 106. Lastly, rather than enumerating specific types of procedures, thus appearing to limit what the auditor should perform, the standard calls for the performance of "audit procedures" in the gathering of "appropriate audit evidence."
SAS NO. 108
SAS No. 108, Planning and Supervision, supersedes SAS No. 22 and re-emphasizes that planning is not an isolated phase at the beginning of the audit, but rather continues throughout the engagement as the audit evidence accumulates.
Also notable is the provision relating to "preliminary engagement activities." According to the standard, the auditor "should" perform certain procedures that consider events or circumstances that may negatively impact the auditor's ability to plan the audit to reduce audit risk. Such procedures address client continuance considerations, such as management's integrity, and the auditor's compliance with ethics rules, like those relating to independence.
SAS No. 102 describes "should" as a "presumptively mandatory" requirement, meaning the auditor is required to comply with it in all cases in which the circumstances exist to which the presumptively mandatory requirement applies. In rare circumstances, the auditor may depart from such requirement so long as the auditor documents the justification for the departure and how the alternative procedure was sufficient to achieve the objective of the presumptively mandatory requirement. This is similar to the PCAOB's Rule 3100.
While the term "audit plan" has been used for many years, it was not fully discussed, nor required, in the standards until now. SAS No. 108 states the auditor "must develop an audit plan in which the auditor documents the audit procedures to be used that, when performed, are expected to reduce audit risk to an acceptable low level."
The audit plan replaces the concept of "audit program" discussed in SAS No. 22 and is expected to be tailored to the circumstances of the audit client, as the auditor "should document changes to the original audit plan" resulting from risk assessment procedures. The new SAS also provides guidance on the use of an information technology professional in understanding the effect of IT on the audit.
The new SAS expands on the responsibility of auditors to supervise lower level staff, emphasizing that the "auditor with final responsibility" communicate and discuss the susceptibility of the client's financial statements to fraud-related misstatements.
Unlike the old SAS, the exercise of professional skepticism and maintaining a questioning mind throughout the audit are explicit in the new SAS. In fact, the new SAS even states that the lower level staff have the "professional responsibility" to let their concerns and disagreements be known to the appropriate individuals relating to auditing and accounting issues they believe are significant to the audit.
SAS NO. 106
SAS No. 106, Audit Evidence, supersedes SAS No. 31. The phrase "sufficient, competent evidential matter" is now referred to as "sufficient, appropriate audit evidence." The new SAS defines audit evidence as "all the information used by the auditor in arriving at the conclusions on which the audit opinion is based and includes the information contained in the accounting records underlying the financial statements and other information."
While SAS No. 106 states that "auditors are not expected to examine all information that may exist," it does state that audit evidence is cumulative in nature, meaning a piece of information is not to be viewed just by itself, but in the context of all other information. Audit evidence includes information from previous audits.
"Sufficiency" relates to the quantity and "appropriateness" relates to the quality of the audit evidence, or its relevance and reliability in providing support for the financial statement assertions. Notable about SAS No. 106 is its in-depth discussion of financial statement assertions, now called "relevant assertions," and audit procedures for obtaining the related audit evidence.
Whereas the old SAS No. 31 briefly explained the five types of management assertions, SAS No. 106 has a new system with a slight variation of the five assertions and a sixth labeled "classification" (or "classification and understandability"). Assertions are assigned to at least one of three new categories: 1) assertions about classes of transactions (income statement); 2) assertions about account balances (balance sheet); and 3) assertions about presentation and disclosure (including footnotes).
The assertions assigned by categories are also called "relevant assertions." Not all assertions are in all categories.
SAS No. 106 also states the auditor should perform "risk assessment procedures," a new term, in addition to tests of controls and substantive procedures, collectively called "further audit procedures". It also describes the types of audit procedures the auditor should perform, which include inspection of records or documents, inspection of tangible assets, observation, inquiry, confirmation, recalculation, "reperformance" and analytical procedures.
The new SAS describes what an effective inquiry involves, including the subsequent consideration to be made after all the questions have been asked and apparently answered: evaluating the client's responses (or, "does that response make sense, given the other information I am aware of?").
SAS NO. 107
SAS No. 107, Audit Risk and Materiality in Conducting an Audit, supersedes SAS No. 47. The new SAS replaces "should" to "must," stating the auditor "must" consider audit risk and "must" consider a materiality level for the financial statements.
The new SAS clearly states that such consideration is to be used to identify and assess the risk of material misstatement, with four specific goals contemplated by the standard.
Also, the risk of material misstatement is to be assessed at the financial statement, account balance or class of transaction level, as well as at the disclosure level, including the notes to the financial statements, acknowledging that users of the financial statements do consider such notes in their decisions.
Notably, SAS No. 107 requires auditors to document their basis for assessing risk "at the maximum." Prior practice did not require a basis for such assessment. In addition, the new SAS provides more guidance to determine materiality, including examples of benchmarks and when such benchmarks are generally appropriate.
The new standard also states that the auditor should reconsider the appropriateness of the initial materiality and related planned procedures if, for example, the auditor becomes aware of additional quantitative and qualitative factors not initially considered. In evaluating audit findings, the auditor must include the effects of prior period misstatements not booked by the client due to immateriality, in addition to considering the qualitative aspects of the accumulated misstatements.
SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, supersedes SAS No. 55, Consideration of the Internal Control in a Financial Statement Audit, as Amended.
Under the old standard, the purpose of gaining an understanding of the client's internal control was to plan the audit. Now, such understanding is part of the audit evidence and goes beyond the initial phase of the audit to assess the risk of material misstatement throughout the audit.
SAS No. 109 requires the auditor to perform "risk assessment procedures" (a new term) for the specific purpose of gathering information and gaining an understanding of the client and its environment. While the old standard required such understanding, it did not describe the procedures that should be performed. The new SAS lists the procedures with expanded discussion, including the limitations of client's responses to inquiry as an audit procedure.
More importantly, SAS No. 109 directly links the auditor's understanding of the client and its environment with risk assessment and design of tests of controls and substantive procedures by explicitly stating that the purpose of obtaining such understanding is to identify and assess the risk of material misstatement and design and perform further audit procedures responsive to the assessed risk. This is a notable improvement over the old standard.
Other improvements include the idea of "significant risks" requiring special consideration and the requirement to determine if internal controls have been implemented.
SAS No. 111, Audit Sampling, amends SAS No. 39, mainly by providing increased guidance on tolerable misstatement.
SAS No. 110 supersedes SAS No. 45, Substantive Tests Prior to the Balance-Sheet Date, and together with SAS No. 109, supersedes SAS No. 55.
SAS No. 110 relates to the risk of material misstatement at the financial statement level, focusing on "overall responses" by the auditor; further audit procedures responsive to assessed risk at relevant assertion levels; evaluating the sufficiency and appropriateness of the audit evidence obtained; and documentation. The new SAS provides guidance in implementing the third standard of fieldwork, signaling that this SAS goes beyond the initial phase of the audit.
This SAS provides examples of overall responses, such as assigning more experienced staff or retaining a professional with specialized skills. Additionally, there is to be a clear link between the auditor's understanding of the entity, the risk assessment and the design of further audit procedures.
More importantly, the linkage is to be documented in the working papers. For an identified risk, the working paper should show the audit procedures designed to respond to that specific risk.
SAS No. 110 states that the sufficiency and appropriateness of audit evidence are still a matter of professional judgment, but it re-emphasizes that if auditors are unable to obtain sufficient appropriate evidence, they should express a qualified opinion or a disclaimer of opinion.
The implementation of the new standards are expected to increase audit work and documentation, but in a more thoughtful risk assessment process supporting a stronger audit risk model.
A. Christine Davis, CPA is a director of litigation consulting and forensic accounting at Hemming Morse in San Francisco. You can reach her at email@example.com.
BY A. CHRISTINE DAVIS, CPA
|Printer friendly Cite/link Email Feedback|
|Author:||Davis, A. Christine|
|Date:||Jun 1, 2006|
|Previous Article:||Follow us: CPAs take lead in financial literacy.|
|Next Article:||Looking ahead: too often, CPAs ignore their own succession planning advice.|