Planning, Evidence, and Risk
A U D I T I N G
Assessing and Responding to
Risks in a Financial Statement Audit Auditors must leave a clear record in private company audits.
by John A.Fogarty, Lynford Graham and Darrel R. Schubert
This is the first of two articles describing the requirements of—and implementation suggestions for—new guidance from theAuditing Standards Board (ASB). This article discusses theprocess of assessing risks and controls, leading to the concept of the risk of material misstatement. A subsequent Jo/A article will dis- cuss how lhe auditor responds to the risk of material misstatement.
These eight standards (see exhibit 1 at right, and "The New World of Auditing Slandards,"JojA, MayO5, page 59) are de- signed to help auditors plan and perform audit procedures that will address assessed risks, enhance the auditor's response to audit risk and matenality, facilitate plan- ning and supervision and clarify the con- cept of audit evidence.
EXPECTED BENEFITS OF THE STANDARDS The standards are designed to result in more effective audits as a result of better risk assessments and improved design and performance of audit procedures to re- spond to the risks. Auditors will be able to focus on those areas where the risk of misstatement is the greatest.
Exhibit 1
The Audit Risk Standards • SAS no. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures ("Due Professional Care in the Performance ojWork")
m SAS no. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards • SAS no. 106, Audit Evidence m SAS no. 107, Audit Risk and Materiality in Conducting an Audit
• SAS no. 108, Planning and Supervision
u SAS no. 109, L/nderslanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
m SAS no. 110, Performing Audit Procedures in Response (o Assessed Risks and Evaluating the Audit Evidence Obtained
m SAS no. I l l , Amendment to Statement on Auditing Standards No. 39, Audit Sampling
The new standards also clarify the phrase "sufficient knowledge of mtemal control to plan the audit" as used in the professional hterature. A resulting benefit is that the auditor will have a better basis for determining the nature, timing and ex- tent of further procedures and assessing potential fraud risks-
In addition, the standards emphasize the use of assertions to link the risks, con- trols, audit procedures and conclusions. Auditors can use this technique to deter- mine whether audit procedures are re- sponsive to identified risks
SAS no. 107 makes it clear that the overall objective of an audit is to provide reasonable assurance that the financial
July 2006 Joumal of Accountancy 43
A U D I T I N G
statements are free of materiai misstate- ment. The term reasonable assurance has been subject to varying interpretations, but has now been clarified by the ASB as meaning a high, although not absolute, level of audit assurance.
To ensure that management, those charged with governance and the auditor agree on what the audit will involve, SAS no. 108, Planning and Supervision, says that the auditor should have a written under- standing with the client regarding the terms of the engagement (see "The Heart of the Matter," at right).
MATERIALITY In the performance of a GAAS audit, the auditor must assess materiality and audit risk. Although the concept of materiahty relates to auditing, it is rooted in ac- counting and user needs. SAS no. 107, Audit Risk and Matenality in Conducting an Audit, identifies the user as having, among other attributes, a knowledge of business activities and ofthe limitations that mate- riality and estimation place on an audit and a willingness to study the financial statements. SAS no. 107 clarifies that when auditors assess materiahty, they should consider the needs of users as a group, not just those of specific individuals.
While the standards do not suggest spe- cific materiality benchmark percentages, they do suggest the common benchmarks of income, revenues and assets. For ex- ample, profit-oriented entities may use an income-based materiality Forthcoming
The Heart ofthe Matter • SAS no. 107, Audit Risk and Materi- ality in Conducting an Audit, makes clear that the overaii objective of an audit is to provide reasonable assur- ance—a high, but not absolute level of assurance—that the financial state- ments are free of material misstatement. • SAS no. 108, Planning and Supervi- sion., says that the auditor shouid have a written understanding with the client regarding the terms ofthe engagement.
AICPA audit guides on risk assessment and audit sampling will provide more detailed information regarding the establishment of appropriate benchmarks.
Due to the possible aggregating effects of immaterial misstatements and the need to opine at a low risk, auditors should design procedures at the account- or stream-of-transactions level, using a test threshold that is lower than the overall ma- teriahty level.
RISK ASSESSMENT This phase ofthe audit process is not just a planning tool, but an integral part of ev- idence gathering. Since risk assessment di- rects the auditor's attention to issues that merit further consideration, it should be based on the inquiries, observations and audit evidence gathered by the auditor; this gathering and documentation of evi-
dence is important. Generally, simple in- quiries of management are an insufficient basis for this assessment. In addition, ac- cording to SAS no. 109, L/ndersfanding the Entity and Its Envi ronment and Assessing the Risks of Material Misstatement, risk assess- ment procedures alone are not a sufficient basis for rendering the audit opinion.
As part of the risk assessment process, the engagement team should hold a brain- storming session to consider the nature and magnitude of possible misstatement risks. This session may be combined with the brainstorming session on fraud risks required by SAS no. 99, Consideration of Fraud in a Einancial Statement Audit. To meet this requirement, a sole practitioner migbt challenge himself or herself to be objective and critical when updating past risk assessments and documenting changes in the business environment,
Whiie not intended as a checklist of all factors, appendix C to SAS no. 109 pro- vides specific examples of risks for con- sideration. This list, plus other factors identified in the standards, may facilitate productive discussions during the brain- storming session. These factors have roots in business risks that in the past have led to audit issues.
It IS expected that on every audit the auditor will identify one or more signifi- cant risks before considering related con- trols. For example, a significant invento- ry of precious metals or gems might be a significant risk in an audit of a jewelry business. In other businesses, such risks
EXECUTIVE SUMMARY
• The new audit risk standards re- quire the auditor to understand and respond to risks of matwial mis- statement, whether due to errors or fraud. In reaching that understand- ing, auditors should identify risks to the entity's business and the con- trols in place to mitigate them. • These standards use the more sharply defined terms must, should and may from SAS no, 102, Defining Professional Requirements in Statements on Auditing Standards.
• Because these standards ad- dress many issues at the core of auditing, they may significantly af- fect the formality of the risk as- sessment process and documen- tation of the assessment details, depending on how this has been done in the past, • Entities and auditors will max- imize their effectiveness and effi- ciency if they carefully plan their responses to the new require- ments. The documentation and assessment of controls over fi-
nancial reporting is a good place for them to begin such efforts. • The AICPA is creating a num- ber of educational products de- signed to help auditors imple- ment the new standards,
John A. Fogarty, CPA, Auditing Standards Board chairman, is a partr^er oi Deloitte and Touche LLP and a member of the International Auditing and Assurance Standards Board. His e-mail address is [email protected]. Lynford
Graham, CPA, PhD, CFE, is a con- sultant, recent former member of the ASB and Risk Assessment Standards Task Force and chair of the Risk -'Assessment and Risk Re- sponse Audit Guide Task Force; his e-mail address is LgrahamCPA@ verizon.net. Darrel R. Schubert, CPA, is a partner in Ernst & Young LLP's national professional practice and risk management group and was chair of the Risk Assessment Standards Task Force; his e-mail address is [email protected].
44 Joumal of Accountancy July 2006
AU D I T I NG
may arise due to unique transactions, ad- justments or critical accruals, such as the estimation of highly subjective al- lowances. For significant risks, the audi- tor should (1) consider the design and im- plementation of related controls, (2) avoid reliance on analytical procedures alone and (3) rely on evidence gathered only in the current period for controls assurance.
By their nature, some risks may have especially pervasive effects on financial re- porting. For example, one risk may be as- sociated with the weak business back- ground of those charged with governance (that is, the ovraers or a group such as the board of directors). This type of overall risk can affect many ac- counts and measures, but others relate more to specific accounts and assertions. For example, a risk of misstatement of inventory amounts due to obsolescence risk in a line of inventory prod- ucts would be related to the valuation assertion for that account.
Both these types of risks—overall and assertion-based—may affect auditors' ac- tions and procedures, but in different ways. An overall audit risk might require a more experienced engagement team, while the obsolescence risk in inventory may require specific, directed procedures, such as a more detailed analysis of prod- uct demands and inventory turnover.
LINKING RISKS AND PROCEDURES An important requirement in these stan- dards is the need to link identified risks to relevant controls and to the audit actions designed to respond to these risks. Such a linkage helps the audit team determine whether the risks are addressed, assists in communication on the audit and helps re- viewers, including peer reviewers, follow the implementation of the audit strategy.
In practice, simpler audits may ac- complish this linkage through careful cross-referencing of audit documentation. For more complex situations, this linkage
As part of the risk assessment process, the engagement team should hold a brain- storming session to consider the nature and magnitude of possible misstatement risks.
may be supplemented by a planning or en- gagement strategy memo or matrix.
In heightening the importance of using assertions to link risks, the standards also have revisited the assertions in the litera- ture and expanded them to articulate pres- entation and disclosure issues. The specific assertions listed in SAS no. 106, Audit Ev- idence (see exhibit 2, below), do not have to be used if auditors employ assertions that are essentially equivalent.
INTERNAL CONTROLS The auditor should have a basis for his or her assessment of controls, such as a review of the design of controls over significant ac-
counts and assertions, and a confirmation they are in operation by a walk-through or obser- vation. The auditor cannot default to a high control-risk assump- tion without performing the required elements of a controls assessment.
Additionally, vtath- out some assurance
that the information in the accounting sys- tem is being generated properly, there is no basis to rely on analytical relationships of accounts or other financial data that are stored within the system.
Auditors should assess how all five components of internal control over fi-
nancial reporting relate to the entity being audited (see the Committee on Sponsor- ing Organizations of the Treadway Com- mission's [COSO] framework; www. coso.org/key.htm). This does not mean that auditors are required to test or rely on controls as part of their audit strategy, for- merly referred to as the audit approach. But the auditor should assess the design of the controls and examine some evidence that the controls have been properly imple- mented on all audits.
Auditing standards focus on the con- trols over financial reporting, but COSO's 1992 Internal Control—Integrated Frame- work (www.coso.org/publicadons/exec- utive_suminary_integrated_framework. htm) also discusses regulation and oper- ations. These other elements are relevant only if they affect financial reporting. For example, a failure to comply with regula- tory requirements could affect contingen- cies or even the going concern assumption (see "COSO Framework—The Five Com- ponents," page 46).
How this requirement is implemented can have a significant effect on the entity's costs, particularly in the first year. For ex- ample, an auditor might evaluate whether the internal controls achieve the COSO control objectives and consider the risks of what could go wrong if the controls were ineffective. This evaluation should re- late objectives, risks and controls by as- senion to determine that all these elements
Exhibit 2 SAS No. 106 Financial Statement Assertions
I1 Transaction Occurrence
Completeness
Accuracy
Cutoff
Classification
Balance Existence
Rights and obligations
Completeness
Valuation and allocation
—
Presentation • and disclosure 1 Occurrence and rights and obligations
Completeness Classification and m understandability ^
Accuracy and valuation
—
July 2006 Journal of Accounlancy 45
A U D I T I N G
are synchronized. Only significant ac- counts and processes would generally be addressed using this analysis. For exam- ple, controls over major revenue and ex- pense streams would be assessed for most entities, but those over treasury transac- tions might not be assessed in an entity where such transactions are infrequent, not material, and will be fully validated by substantive procedures.
Evidence that a control has been im- plemented can be obtained in a walk- through that follows transactions from their inception through the aggregation process in the ledger. Alternatively, such evidence of implementation can be ob- tained by observing the operation of a con- trol at the various stages of the control process—for example, at a specific time or over one or more specific documents, or by examining the sign-off of a control op- eration that verifies the agreement of an in- voice with a list of approved vendors.
Smaller entities often have less formal- ly documented controls. Also, in smaller entities it is easy to overlook the hands-on role some senior members of management may play in mtemal control, either in monitoring controls or in performing con- trols directly
The use of control objectives or an equivalent, along with simple flowcharts that can be related to the objectives, often may provide more efficient documentation than narratives or complex flowcharts. Phasing in the development of efficient
COSO Framework- The Five Components
IJi Monitorii
information & Communication
Control Activities
Risk Assessment
Envi
Why and How Guidance Has Changed
The eight audit risk standards, SAS nos. 104-111, respond to the conclusionsof the Joint Risk Assessments Task Force of the ASB and the International Au-diting and Assurance Standards Board and to recommendations of the August 2000 report of the Panel on Audit Effectiveness of the Public Oversight Board and con-
sider the results of "Developments in the Audit Methodologies of Large Accounting Firms," a May 2000 study of audit practices in three countries.
These standards, originally exposed in December 2002, were re-exposed in 2005 after further refinement. They use the more sharply defined terms must, should and may from SAS no, 102, Defining Professional Requirements in Statements on Auditing
Standards (see "Official Releases," Jo/A, Mar.O6, page 94), The eight standards were published in "Oflicial Releases," Jo/A, MayO6, page 112,
documentation today, prior to the effective date of the standards, can save audit time and expense (see "Control Objective Based Documentalion," below),
COSO's October 2005 draft report. Guidance for Smaller PubUc Companies: Re-
porting on Internal Controls over Financial
Reporting, suggested that using control principles in conjunction with other sub- attributes can be an efficient documenta- tion framework for smaller companies. Whether companies or auditors use the original COSO control objectives, or some variation at a higher level of aggregation of the objectives, the end result should be the same. The auditor should be able to iden- tify control design gaps that could have sig- nificant consequences for the entity
Simply using checklists of possible con- trols to identify design deficiencies or miss- ing controls may be inefficient because they may incorrectly lead to the expecta- tion that all controls on the list are need- ed to achieve the entity control objectives. Explaining how the entity achieves the rel- evant control objective and mitigates the related tisk can make the documentation more effective and efficient.
Identified significant deficiencies and material weaknesses must be reported to management and those charged with gov- ernance. The ASB recently approved SAS no. 112, Communicating Internal Control
Related Matters Identified in an Audit (see
Official Releases, page 97), a revision of
SAS no. 60, Communication of Internal Con-
trol Related Matters Noted in an Audit, to de-
fine the auditor's responsibility to do tbis.
Because of the need to assess controls, including information technology (IT) general controls, some auditors may need to engage a specialist to assist in the as- sessment process, especially when the IT environment is complex or the auditor ex- pects to rely on automated controls and has limited resources to address the issues. When the auditor's strategy is to signifi- cantly rely on some or all of the entity's controls, they should be tested. The next article on this topic will discuss testing controls more fully
The minimum design and implemen- tation work can provide some basis for varying the nature, timing and extent of the procedures planned. That is because the procedures that confirm implemen-
Control Objective Based Documentation
• Control objective Saies are valid, • Risks Because of credit-card fraud, the transaction may not produce revenue. • Assertions Occurrence: Did a valid sale occur? • Company controls
• Pre-sale credit card validation is in place.
• Close monitoring of past defaults. • Assessment
m The control design is effective. • A walk-through of procedures con-
firmed these controls are in place. • Reference to other supporting v/ork-
papers {not illustrated).
4 6 Journal of Accountancy July 2006
A U D I T I N G
tation also titay provide some evidence of operating effectiveness at the time the test is conducted. For example, some auditors refer to a walk-through as a test of one that—if it is ihe only evidence gathered— is a minimal basis for any reliance. How- ever, the assurance that can be placed on controls is a continuum based on the ev- idence that was gathered to support the assessment thaL controls are operating effectively.
The requirement to assess controls for audit purposes should not be confused with the attest service of reporting on in- ternal controls. Such engagements would likeiy involve the assessment of controls over more processes and accounts, assume a significantly greater amount of docu- mentation of controls by the entity and re- quire testing by tbe auditor when opining on effectiveness.
RISK OF MATERIAL MISSTATEMENT This is the combination of the assessments of risks and related controls. Auditors may assess these two risks together or sepa-
AICPA RESOURCES
CPE Auditor's Risk Assessment Process: Tackling the New Risk Assessment SASs (text, # 732990JA; DVD/manual #182990JA).
Publications • Risk Assessment Suite of Standards (paperback, # 060704JA). • Codification of Statements on Auditing Standards (paperback, # 057200JA). • Audit Risk Alert, Understanding the New Auditing Standards Related to Risk Assessment (paperback, # 022526JA}. • Risk Assessment Standards & Guidance Set (paperback, # 990103HIJA).
For more information or to place an order, go to www.cpa2biz.com or call 800-777- 7077,
Web site • Summary of the eight audit risk assessment standards, SAS nos. 104-111, www.aicpa.org/risk.
rately, although, for practical reasons, the components often are assessed separate- ly. The risk of material misstatement forms the theoretical starting point for design- ing further audit procedures including tests of controls, analytical procedures and tests of details.
WHAT'S NEXT The AICPA is creating a number of edu- cational products to help auditors im- plement the new standards, including a recently issued audit rtsk alert, Under- slanding the New Auditing Standards Relat- ed to Risk Assessment, and an audit guide, as well as presentations and discussions on the topic at a numher of AICPA confer- ences and new CPE courses.
A second article on this topic will dis- cuss designing further audit procedures, the process of summarizing audit results and drawing conclusions. •
Practical Tips
• Studythe concepts of the COSO internal control framework now and be familiar with its components and how it applies to clients,
• If you have another audit cycle between now and the effective date of these standards, consider control risks more thoroughly and the docutnenta- tion that will be necessary to support ,. your audit under the new standards,
• Be alert for the"smaller companies" guidance expected to be forthcoming from the COSO project in the second quarter ofthis year. Identify cost'and effort-saving opportunities to apply this guidance and assist clients in strengthening controls,
• Consider whether the audit has ad- dressed all of the relevant assertions for all important accounts and transaction streams. Pay attention to any practice aids that employ assertions, atid learn how they can be used to build a link be- tween the risks and audit procedures.
• Start now to btiiltl' 'assertions-based" terminology into engagement team discussions to generate familiarity.
Prescribe the NEW Peachtree
for your clients committed to
"getting the numbers right."
Call today for your FREE
Peachtree Evaluation Kit.
The more accuracy and control your clients' accounting software delivers- the better probability they'll have suc- cess. Why not help them get there by recommending the accounting soft- ware designed for clients who take their accounting seriously. The NEW Peachtree by Sage is based on double- entry accounting and includes atl the powerful tools your clients need to make better business decisions. And, now Peachtree has an improved user interface and easier navigation, so they can be more productive than ever.
Join the Sage Software Accountants
Network and get the software, support
and resources you need to support your
Peachtree clients and receive:
• The NEW Peachtree by Sage Quantum -Accountants' Edition. The Ultimate, High-Performance Peachtree Accounting Solution
• FREE upgrades and automatic updates
• FREE Payroll Tax Update Service
• FREE Unlimited* access to top-priority technical support
• Discounts on other Sage Software products
* Support speciaMsts resenn ttia right to limit calls to one hour or one incident per call.
For more details, just call 1-866-903-0002 or go to www.peachtree.com/kit.
software
Your business in mind.
KJ £006 Sage So^ware, Irtc All right logo tnd Sdgc Sofivrin piwluct tn6 Qftd TiBctofnviu «iradnnarks of
ge So^B f t Dtt Sage S i rnendarwd h«w i an
July 2006 Journal of Accountancy 49