Implementing the New ASB Risk Assessment Audit Standards
By Donald K. McConnell, Jr., and Charles H. (Chip) Schweiger
June 2007
The Auditing Standards Board (ASB) issued its long-anticipated risk
assessment audit standards in March 2006: Statements on Auditing
Standards (SAS) 104 through 111, which bring sweeping changes and
provide definitive guidance for the conduct of audits of nonpublic
companies. The primary objective of these standards is to enhance
auditors’ application of the audit risk model by requiring
auditors to obtain a more in-depth understanding of a company in
order to better identify risks of material misstatement of financial
statements. This, in turn, should lead to an improved linkage between
assessed risks and the nature, timing, and extent of audit procedures
performed in response to those risks. These standards are effective
for periods beginning on or after December 15, 2006 (earlier application
is permitted), to allow auditors adequate lead time to revise their
audit strategies, where necessary, and to assimilate the breadth
and magnitude of these new standards. The
following is an overview of the new risk assessment standards,
focusing on the new provisions of SAS 109, Understanding the
Entity and Its Environment and Assessing the Risks of Material
Misstatement, and SAS 110, Performing Audit Procedures in Response
to Assessed Risks and Evaluating the Audit Evidence Obtained.
Overview of the New Provisions
The new standards
bring myriad changes in terminology, materiality considerations,
evidence concepts, the audit assertions framework, and audit planning
issues. Even the focus of the audit process has changed, based
upon revisions to the second standard of fieldwork. The following
are some of the more significant changes and revisions.
A number
of changes in terminology are intended to resolve differences
between the standards of the ASB, the International Auditing and
Assurance Standards Board’s International Standards on Auditing
(ISA), and the Public Company Accounting Oversight Board (PCAOB).
Audit evidence is the new term for evidential matter.
The term audit procedures replaces auditing
procedures; substantive tests are now called substantive
procedures; and reliability replaces validity
in the context of audit evidence. The term reduce replaces
limit or restrict in the context of the audit risk model,
while implemented replaces placed in operation
in the context of internal controls analysis. The term significant
deficiencies replaces reportable conditions. The
new standards also clarify that the auditor addresses relevant
assertions (those having meaningful bearing on transactions,
accounts, and disclosures), as opposed to just assertions.
For example, the valuation assertion would ordinarily not be relevant
to the audit of cash, absent foreign currency translation circumstances.
SAS 106 replaces
the term sufficient, competent evidence with sufficient,
appropriate audit evidence. The five management assertions
are now replaced by 13 assertions (see Exhibit
1) in three categories: assertions about classes of transactions
and events for the period under audit, assertions about account
balances at period end, and assertions about presentation and
disclosure. Audit procedures have been reclassified as follows:
- Inspection of records or documents
- Inspection of tangible assets
- Observation
- Inquiry
- Confirmation
- Recalculation
- Reperformance
- Analytical procedures.
SAS 107 makes
the consideration of audit risk and materiality for financial
statement purposes an unconditional requirement, as that term
is newly defined in SAS 102, rather than merely presumptively
mandatory. An auditor must consider audit risk and materiality
for the purposes of:
- Determining the nature and extent of risk assessment procedures;
- Identifying and assessing the risks of material misstatement;
- Determining the nature, timing, and extent of further audit procedures; and
- Evaluating whether the financial statements are fairly presented.
SAS 107 also
introduces the phrase risk of material misstatement as
an auditor’s combined assessment of inherent risk and control
risk; however, the auditor may still make separate assessments
of inherent and control risk. The standard provides additional
requirements for evaluating audit findings, including important
new guidance on evaluating uncorrected misstatements individually
before considering the aggregate effect of such uncorrected misstatements.
Furthermore, SAS 107 expands guidance for communicating misstatements
to management, including requesting management to examine areas
where substantive analytical procedures indicate a misstatement
might exist (but not its approximate amount), or where a likely
misstatement from a sample appears to be material, either individually
or in the aggregate.
SAS 108 expands
previous guidance on audit planning to include preliminary engagement
activities that should be performed, and additional considerations
in initial audit engagements. The standard greatly expands the matters
to be considered in establishing the overall audit strategy, as
well as in establishing the audit plan (the audit program), which
is much more detailed than the audit strategy.
Risk Assessment Procedures in an Audit
Prior to
the new risk assessment standards, many auditors had often followed
a practice of assessing control risk at maximum by default, without
much understanding of the underlying system. To paraphrase the
words of one member of the ASB: Not to understand the system is
not to understand the company is to miss the material misstatement.
Consequently, the concept of defaulting to a controls-ineffective
audit without support has been eliminated.
The revised
second standard of fieldwork now states that auditors must obtain
a sufficient understanding of the entity and its environment (in
addition to its internal controls) to assess the risk of material
misstatement of the financial statements, whether due to error
or fraud (rather than to plan the audit), and to design the nature,
timing, and extent of further audit procedures in response to
that risk assessment. Hence the audit focus has shifted from a
controls understanding for planning the audit to an understanding
of sufficient quality and depth to better assess risks of material
misstatement.
The overall
audit process is presented in Exhibit
2. The intent is that the auditor obtain an in-depth understanding
of the entity and its environment, including its internal controls,
in order to assess the risk that the financial statements might
be materially misstated. Exhibit
3 indicates that the auditor must obtain an understanding
of five aspects of the client’s circumstances through the
application of these risk assessment procedures: inquiries, analytical
procedures, observation, and document inspection. The auditor
is not required to perform all the risk assessment procedures
for each aspect of the understanding; however, all the risk assessment
procedures should be performed in the course of obtaining the
required understanding. Additionally, the auditor might perform
other procedures to identify risks, including inquiring of others
outside the entity (external legal counsel or valuation experts)
and examining information obtained from external reports provided
by analysts, banks, or rating agencies. Additionally, the auditor
should obtain an understanding of the entity’s selection
and application of accounting policies and consider whether those
are appropriate for its business and consistent with GAAP and
relevant industry accounting policies. This resultant understanding
of the entity and its environment then provides a basis for the
following:
- Establishing materiality for planning purposes and evaluating whether that judgment remains appropriate throughout the audit;
- Considering the appropriateness of the accounting policies and adequacy of disclosures;
- Identifying areas where special audit consideration may be necessary, such as related-party transactions, going-concern issues, and the business purpose of transactions;
- Developing expectations for use in performing analytical procedures;
- Designing and performing audit procedures to reduce audit risk to appropriately low levels; and
- Evaluating the sufficiency and appropriateness of the audit evidence that is obtained.
Exhibit
4 shows that the auditor must then identify risks (and any
related controls), determine what could go wrong at the relevant
assertion level, and then consider the potential magnitude and
probability that the financial statements could be materially
misstated. (Appendix C of SAS 109 presents extensive examples
of conditions and events that may indicate the existence of risks
of material misstatement.) Based on this assessment, an auditor
should determine whether identified risks of material misstatement
are related to specific relevant assertions (e.g., classes of
transactions, account balances, and disclosures), or more pervasively
to the financial statements as a whole. Higher levels of financial
statement risk often derive from a weak control environment (e.g.,
incompetent management). The resultant risk assessment may then
establish a link to responsive audit procedures.
To reduce
audit risk to an acceptably low level, an auditor should determine
overall responses that address assessed risks at the financial
statement level and should design and perform further audit procedures
that respond to assessed risks of material misstatement at the
relevant assertion level. Overall responses to address assessed
risks of material misstatement at the financial statement level
might include the following:
- Emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence;
- Assigning more-experienced staff;
- Assigning staff with specialized skills or using specialists;
- Providing greater supervision;
- Incorporating elements of unpredictability in audit procedures; and
- Performing substantive procedures at period end instead of at interim dates.
Conversely,
an effective control environment and the reliability of internally
generated audit evidence may allow the auditor to perform some
audit procedures at an interim date.
A new key
element in SAS 109 is the requirement that members of the audit
team, including the auditor with final responsibility, hold brainstorming
sessions to discuss the susceptibility of the financial statements
to material misstatement. These discussions may include specialists
assigned to the audit, and can be held concurrently with discussions
concerning fraud risks, as required by SAS 99. The objective of
these discussions is to communicate a better understanding of
the potential for material misstatements in different areas, and
for staff to understand how the results of audit procedures they
perform may affect other aspects of the audit.
Internal Control Considerations in Assessing Risk
The auditor
must obtain an understanding of the five COSO components of internal
control sufficient to assess risk of material misstatement of
the financial statements, whether due to error or to fraud, and
to design the nature, timing, and extent of further audit procedures.
Ordinarily, the controls relevant to an audit are those that pertain
to the entity’s objective of preparing reliable financial
statements. The controls related to operations and compliance
objectives can be relevant if they pertain to information the
auditor uses or evaluates in applying audit procedures (e.g.,
analytical procedures using nonfinancial production statistics).
The auditor should gather information by performing risk assessment
procedures, including obtaining evidence in evaluating the design
and implementation of controls, as audit evidence to support the
risk assessment. Risk assessment procedures to obtain evidence
about control design and implementation may include making inquiries,
observing application of specific controls, inspecting documents
and reports, and tracing transactions through the system. Inquiry
alone, however, is not sufficient to evaluate the design of a
control, or to determine whether it has been implemented.
Obtaining
an understanding of internal controls involves evaluating the
design of controls and determining whether those controls have
been implemented. Evaluating the design and implementation of
controls allows an auditor to identify types of potential misstatements
and the factors affecting the risk thereof, and to design tests
of controls (if applicable) and substantive procedures. Evaluating
design involves considering whether a control, either individually
or in combination with other controls, is capable of effectively
preventing or detecting and correcting material misstatements.
Implementation means that the control exists and the entity is
using it. Obviously, an auditor would not want to verify implementation
of a poorly designed control. An auditor should emphasize understanding
controls in areas where material misstatements are more likely
to arise. It is unnecessary, however, to obtain an understanding
of multiple control activities when each achieves the same objective.
Tests of Controls Considerations
The new auditing
standards encourage testing of controls by eliminating the ability
to arbitrarily default to maximum control risk and avoid documenting
that decision. Auditors must perform tests of
controls in two cases: First, when an auditor’s risk assessment
is based on an expectation that controls are operating effectively,
the auditor should perform tests of the controls that have been
determined to be suitably designed to prevent or detect material
misstatements in relevant assertions. Second, an auditor should
test controls when substantive procedures alone do not provide
sufficient, appropriate audit evidence at the relevant assertion
level. For example, in highly integrated IT systems, the characteristics
of routine daily business transactions often permit highly automated
processing with little or no management intervention. In such
cases, evidence may be available only in electronic form, and
its appropriateness and sufficiency will depend on the effectiveness
of controls over accuracy and completeness, as well as the control
environment.
Testing the
operating effectiveness of controls ordinarily differs from obtaining
evidence that controls have been implemented. Nonetheless, risk
assessment procedures to evaluate the design and implementation
of IT processing controls, though not specifically intended as
tests of controls, may provide evidence about operating effectiveness.
Whether they do depends upon the auditor’s assessment and testing of
IT general controls, including computer security and program-change
controls.
An auditor
cannot use inquiry alone to test the operating effectiveness of
controls, and should combine inquiry with document inspection
or reperformance to provide more assurance. Because an observation
is relevant only at the point in time at which it is made, the
auditor should make inquiries of entity personnel and perhaps
inspect documentation about operations at other times during the
audit period. Documentation may not exist for some factors in
the control environment, however, such as an assignment of authority
or control activities performed by a computer. Therefore, evidence
about operating effectiveness must be obtained through inquiry,
in combination with observation or the use of computer-assisted
audit techniques.
Evidence
pertaining to only a point in time may be adequate when testing
controls over, for example, annual client physical inventory counting
procedures. If an auditor needs evidence of effectiveness over
a period, however, this may be inadequate. Consequently, the auditor
should apply additional tests of controls to provide evidence
that the control operated effectively at relevant times during
the audit period. Furthermore, if substantially different controls
were in place at different times during the audit period, the
auditor should consider each separately.
The extent
of controls testing depends upon a number of factors, including
the control’s frequency, the relevance and reliability of
supporting evidence, corroborating evidence from testing of other
controls, and the extent of anticipated reliance on controls as
well as the deviation from them. Generally, an auditor should
increase tests of controls when seeking greater reliance on the
operating effectiveness of controls in the assessment of risk.
When a control is frequently applied on a transaction basis, an
auditor should consider using audit sampling to obtain assurances
about its effectiveness. When the control is applied on a periodic
basis (e.g., monthly reconciliations), however, an auditor should
consider appropriate guidance for testing smaller populations,
such as testing the control’s application for two months and reviewing
further evidence of effective operation in other months, or reviewing
other months for unusual items. If an auditor anticipates extensive
deviations from a control, tests of controls for particular assertions
may be inappropriate.
Projecting an interim controls risk assessment to year-end. Auditors
frequently test controls as of an interim date and project that
assessment of control risk to the end of the period. When an auditor
obtains evidence about operating effectiveness of controls at
an interim date, the auditor should determine what additional
evidence is needed for the remainder of the period. In so doing,
the auditor should consider the following factors:
- The significance of the assessed risks of material misstatement at the relevant assertion level;
- The specific controls tested during the interim period;
- The length of the remaining period;
- The extent to which the auditor intends to reduce substantive procedures based on controls reliance; and
- The control environment.
This guidance
is very similar to that previously provided in SAS 55, as amended,
except for the added consideration of the control environment.
Additional evidence about the remaining period may be obtained
by extending tests of controls over the remaining period or by testing
the entity’s monitoring of controls. An auditor should also
obtain evidence about the nature and extent of any significant
changes in controls or any changes to the information systems
and personnel that occurred subsequent to interim testing.
Projecting a controls risk assessment to a subsequent period.
In some cases, auditors can use audit evidence about the operating
effectiveness of controls obtained in prior audits. This had typically
been done by testing controls in several of an entity’s
transaction cycles, while performing a transaction “walk-through”
to confirm there had not been changes to controls in the remaining
transaction cycles. While SAS 55 made only passing reference to
this practice, SAS 110 provides extensive guidance. If an auditor
plans to rely on audit evidence about the operating effectiveness
of controls obtained in prior audits (cycle-rotation testing of
controls), inquiry, observation, and inspection (a transaction
walk-through) are needed to determine whether changes in those
specific controls have subsequently occurred. (Auditors can also
use information obtained in prior audits to evaluate transactions
that begin in one period and end in a subsequent period.) If the
controls have not changed, an auditor should test operating effectiveness
of the controls at least once every three years for an annual
audit, because evidence from prior audits becomes less relevant
as time passes. An auditor should, however, test the operating
effectiveness of some controls in each year. An auditor planning
to rely on controls that have changed since they were last tested
should test operating effectiveness in the current audit.
In considering
whether cycle-rotation testing of controls is appropriate, and
when controls should be retested, an auditor should consider the
following:
- The effectiveness of other internal control elements, including the control environment, entity controls monitoring, and the entity’s risk assessment processes;
- The risk characteristics of the control, including whether controls are manual or automated;
- The effectiveness of general IT controls;
- The nature and extent of deviations from the control found in prior audit tests of operating effectiveness;
- Whether an unchanged control poses a risk due to changed circumstances; and
- The risk of material misstatement and extent of reliance on the control.
Based upon
these circumstances, an auditor might not perform cycle-rotation
testing of controls, or might shorten the elapsed time in cases
with higher risk of material misstatement or greater reliance
on controls.
Substantive Procedures Considerations
The assessment
and documentation of identified risks at the relevant assertion
level may lead an auditor to conclude that performing substantive
procedures is all that is needed to reduce detection risk to an
acceptably low level. An auditor might exclude the effect of controls
from the relevant risk assessment because there may be no effective
controls or because testing the operating effectiveness of controls
would be inefficient. However, the auditor often will determine
that a combined approach of substantive procedures and tests of
operating effectiveness may be effective. Regardless of the approach,
an auditor should perform substantive procedures for all relevant
assertions related to each material class of transactions, account
balances, and disclosures. Even seemingly effective controls can
be compromised due to the ever-present risk of management override
and the inherent limitations of internal controls. Furthermore,
the auditor’s assessment of risk is judgmental and may not
be sufficiently precise to identify all material risks of misstatement.
The nature
of further audit procedures in response to identified risks refers
to their purpose (substantive procedures versus tests of controls)
and type (inspection, inquiry, confirmation, etc.). The higher
the auditor’s assessment of risk, the more reliable and
relevant the audit evidence must be. The auditor’s substantive
procedures related to the financial statement reporting process
must include agreeing the financial statements and notes with
the underlying accounting records, and examining material journal
entries and other adjustments made in the course of preparing
the financial statements.
The auditor
may perform substantive procedures at an interim date or at the
end of the period; however, the higher the risk of material misstatement,
the more necessary it is to perform these procedures nearer to
the period end, or unannounced, or at unpredictable times. Prior
to applying audit procedures near the period end, an auditor should
consider the necessary additional evidence needed for the remaining
period. When substantive procedures are performed at an interim
date, an auditor should perform additional substantive procedures
or substantive procedures combined with tests of controls to cover
the remaining period. The decision about when to perform substantive
procedures is influenced by several factors:
- The control environment and other relevant controls;
- When relevant information is available (e.g., needed electronic files may be subsequently overwritten);
- The objective of the substantive procedures;
- The assessment of the risk of material misstatement (e.g., the risk of inflated revenues resulting from false sales agreements);
- The nature of the class of transactions or account balances and relevant assertions; and
- The ability of the auditor to reduce the risk that misstatements might exist at the end of the period.
The extent
of a specific audit procedure will usually increase as the risk
of material misstatement increases. It is important to recognize,
however, that the nature of the audit procedure is of paramount
importance. Increasing the extent of a procedure is effective
only if it is reliable and relevant to a specific risk. To reduce
the extent of substantive procedures, an auditor’s tests
of controls need to be sufficient to determine operating effectiveness
at the relevant levels of assertion and reliance.
Audit evidence
from substantive procedures performed in a prior audit is not
sufficient to reduce detection risk to an acceptably low level
in a current period audit. Ordinarily, evidence obtained from
substantive procedures performed in a prior audit provides little
or no evidence for a current period, unless the evidence and the
related subject matter have not fundamentally changed (e.g., prior
evidence substantiating the purchase cost of an asset).
Evaluating and auditing significant risks. SAS 109 introduces
the concept of significant audit risks. Significant risks, which
will exist in most audits, are defined as those risks the auditor
identifies in the risk assessment as requiring special audit consideration,
such as receipt of notice of a material lawsuit. In making this
judgment, an auditor must consider the inherent risk, the magnitude
of potential misstatement (including the possibility the risk
might lead to multiple misstatements), and the likelihood of the
risk occurring. Routine, noncomplex transactions are less likely
to be a source of significant risks, as they typically reflect
lower inherent risks. Significant risks often derive from business
risks that may result in material misstatement. An auditor should
consider the following in determining whether identified risks
are significant:
- Whether the item is a fraud risk;
- Whether the risk is related to recent significant economic, accounting, or other developments requiring special attention;
- The complexity of the transaction;
- Whether significant related-party transactions are involved;
- The degree of subjectivity in measuring related financial information; and
- Whether the risk involves significant transactions outside the normal course of business.
The risks
of material misstatement may be greater for significant nonroutine
transactions, where there is greater management intervention to
specify accounting treatments, greater manual data collection
and processing, complex calculations or accounting issues, difficulties
implementing effective controls over risk, and significant related-party
transactions. Similarly, risks of material misstatement may be
greater where accounting estimates must be developed in areas
subject to differing interpretations, or requiring subjective
or complex judgments or assumptions about future events.
An auditor
should evaluate the design of entity controls related to significant
risks and determine whether those have been implemented. Though
management should be aware of all significant risks, those related
to nonroutine or judgmental matters are often less likely to be
subject to routine controls. In such areas, the auditor will be
interested in how management responds and whether control activities
(such as assumption reviews by senior management or experts, or
approval by those charged with governance) have been implemented
to address those risks.
Understanding
entity controls related to significant risks should lead to the
development of an effective audit approach. If an auditor plans
to rely on controls related to significant risks, she must test
the operating effectiveness of controls related to those significant
risks in the current period, and cannot rely on evidence about
operating effectiveness obtained in prior audits. In addition,
an auditor should perform substantive procedures that are responsive
to significant risks, meaning tests of details, or tests of details
combined with substantive analytical procedures.
New guidance on substantive analytical procedures. SAS 110
provides additional guidance as to the applicability of substantive
analytical procedures in responding to assessed risks. When determining
necessary audit procedures, an auditor should consider the reasons
for the assessment of risk of material misstatement at the relevant
assertion level for each class of transactions, account balances,
and disclosures. This would include considering the characteristics
(inherent risks) of each class of transactions, account balances,
and disclosures, as well as whether the risk assessment takes
into account the entity’s controls.
Substantive
analytical procedures may be sufficient to reduce the planned
level of detection risk for a class of transactions where the
auditor’s assessment of risk has been reduced by tests of
operating effectiveness of controls. Substantive analytical procedures
alone may, however, provide sufficient appropriate audit evidence,
without tests of operating effectiveness of controls for classes
of transactions for which there is a lower risk of material misstatement
due to the class’ characteristics. In addition, substantive
analytical procedures generally are more applicable to large volumes
of transactions that tend to be predictable over time.
On the other
hand, substantive tests of details are generally more appropriate
when used to obtain evidence regarding relevant account balance
assertions (e.g., existence and valuation). For example, substantive
analytical procedures alone may not be adequate when auditing
estimates such as the allowance for bad debts, where subsequent
cash collection tests should be applied. Generally, substantive
analytical procedures alone are not well suited for detecting
fraud in cases where there is risk of management override, which
could result in artificial changes to financial statement relationships
being analyzed, leading to erroneous audit conclusions. Furthermore,
an auditor may determine that tests of details alone, or tests
of details combined with substantive analytical procedures, would
be most responsive to assessed risks.
When an auditor
applies substantive analytical procedures (or other audit procedures)
to nonfinancial information or other data produced by the entity’s
information system, he should obtain evidence about the accuracy
and completeness of that information. That is, an auditor should
consider testing any existing controls over entity information
used in applying analytical procedures. In designing substantive
analytical procedures, the auditor should consider the following:
- Their suitability, given the nature of the assertions;
- The reliability of the data utilized to develop expectations;
- Whether the expectation is sufficiently precise to identify material misstatements; and
- The amount of acceptable difference in comparing recorded amounts to expectations.
Expanded Documentation Requirements
Both SAS
109 and 110 significantly expand auditors’ documentation
requirements. SAS 109 requires the auditor to document the following:
- The audit team’s brainstorming sessions regarding potential material misstatements, including what was discussed, how and when the discussion occurred, who participated, and significant decisions on planned responses;
- Key elements of the understanding obtained regarding each of the five entity aspects, the risk assessment of material misstatement, sources of information, and the risk assessment procedures;
- The risk assessment of material misstatement at both the financial statement and relevant assertion levels, including the basis for the assessment; and
- The risks identified and related controls evaluated.
SAS 110 now
requires an auditor to document the linkage between assessed risks
and resultant audit procedures, as follows:
- Overall responses to address assessed risks of material misstatement at the financial statement level;
- The nature, timing, and extent of further audit procedures;
- Linkage of those procedures with assessed risks at the relevant assertion level;
- Results of those audit procedures; and
- Conclusions reached regarding use of evidence obtained about operating effectiveness of controls from a prior audit.
Change and Clarity
The assessment
of risk in an audit is an iterative process. An auditor’s
assessment of the risks of material misstatement at a relevant
assertion level may change during the course of the audit as evidence
is gathered and evaluated. In performing tests of operating effectiveness,
an auditor may encounter evidence that controls are not operating
effectively at relevant times, which may change the auditor’s
assessment of risks related to those controls. Furthermore, an
auditor’s substantive procedures may reveal misstatements
greater than the auditor’s tolerable misstatement benchmarks
or inconsistent with the auditor’s risk assessment. When
an auditor obtains evidence contradicting the basis for the risk
assessment, the auditor should revise the assessment and further
modify planned audit procedures.
Donald K. McConnell, Jr., PhD, CPA, CFE, is an associate professor of accounting in the College of Business Administration at the University of Texas at Arlington.
Charles H. (Chip) Schweiger, CPA, is a partner in assurance services at Grant Thornton LLP, Dallas, Texas.