Detecting Misstatements: Integrating SAS 99 and the Risk Assessment Standards

Taking an integrated audit approach to understanding material misstatements arising from both fraud and unintentional errors is essential to improving the overall quality and effectiveness of an audit. This course combines SAS 99 (fraud) with SASs 104-111 (the Risk Assessment Standards) which require audit team brainstorming sessions to be conducted and documented. Too often, auditors fail to read the warning signs that require a unique response to the risk of material misstatement arising from fraud or unintentional errors. In either event, the consequence is the same: another audit failure! Learn how to integrate your audit approach for assessing the risks of material misstatements arising from fraud with those arising from unintentional errors.

OBJECTIVES

• Conduct more effective brainstorming sessions
• Utilize a top-down approach, starting with those charged with governance
• Recognize warning signs
• Develop an overall approach for assessing and responding to risks
• Design procedures for responding to specific assessed risks
• Improve documentation quality
• Understand the requirements of the related standards
• Apply the standards to specific situations

PREREQUISITE: Basic understanding of accounting and auditing principles

Chapter 1

Overview

Learning Objectives
After completing this chapter

• You should have an overall understanding of the audit risk assessment standards (SAS Nos. 104-111) and the fraud risk assessment standard (SAS No. 99) to enable you to integrate the requirements of those standards into the typical audit process.
• You should also be able to describe the key activities in the typical process for auditing an entity’s financial statements in accordance with generally accepted auditing standards.

Introduction
Statement on Auditing Standards Nos. 104 through 111 became effective for audits of financial statements for periods beginning on or after December 15, 2006 with earlier application permitted. These standards are referred to as the “Risk Assessment Standards” in this course. The individual standards include the following:

• SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”)
• SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
• SAS No. 106, Audit Evidence
• SAS No. 107, Audit Risk and Materiality in Conducting an Audit
• SAS No. 108, Planning and Supervision
• SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
• SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
• SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling

SAS No. 99, Consideration of Fraud in a Financial Statement Audit has been in effect for audits of financial statements for periods that began on or after December 15, 2002. This course starts with an overview of the Risk Assessment Standards and SAS No. 99, followed by an overview of the typical audit process. The program then examines how to integrate the Audit Risk Standards and SAS No. 99 into the audit process to gain efficiency and effectiveness. The goal of the program is to enable the auditor to discharge his or her responsibility to plan and perform the audit to obtain reasonable assurance that material misstatements, whether caused by error or fraud, are detected. The program also partially addresses SAS No. 103, Audit Documentation, SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit and SAS No. 114, The Auditor’s Communication With Those Charged With Governance.

Overview of the Risk Assessment Standards

In general, the Audit Risk Standards:

• Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including its internal control – The standards require the auditor to obtain an understanding of a significantly expanded set of information about specific elements of the entity and its environment. The purpose of the required understanding of this broadened set of information about the entity and its environment is to enhance the auditor’s ability to identify and assess risks that may lead to material misstatements in the financial statements. The auditor is required to perform risk assessment procedures on all audits to obtain an understanding of the entity and its control environment, including its internal control. Risk assessment procedures include updating information obtained in prior audits that the auditor intends to use in the current audit. The expanded understanding about the entity and its environment should also be helpful to the auditor throughout the audit when making judgments about materiality and when critically evaluating audit evidence.
• Require the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained – The standards note that assessing risks of material misstatements encompasses an assessment of inherent risk, control risk and combined risk. The auditor may no longer assess “risk at the maximum” without support for that assessment. Thus, auditors are required to support all risk assessments at whatever level, including risks at the maximum, based on their understanding of the entity and its environment, including its internal control. In addition, the auditor is required to identify “significant risks” (described later) that require special audit consideration, and risks for which substantive procedures alone will not reduce audit risk to an appropriate level.
• Encourage tests of controls – The auditor is required to understand internal control on every audit. Such understanding includes a requirement to evaluate the internal control design, including whether the controls have been implemented for significant processes and controls. Since auditors may no longer assess control risk “at the maximum” without support for that assessment, at least some auditors have changed their audit approach to include testing of controls. These auditors are benefiting by shifting more audit work to interim periods instead of after year-end.
• Emphasize the importance of the entity’s risk assessment process – When the auditor identifies potential risks of material misstatements in the financial statements, it is important for the auditor to consider the entity’s risk assessment process and how it fits in with the entity’s process of setting objectives and strategies and assessing related business risks. Generally new customers, products, locations, accounting standards, events, etc. create the potential for risks of material misstatements. When the auditor identifies risks of material misstatements that the entity’s risk assessment processes failed to detect, he or she is required to consider why the process failed and whether the process is appropriate in the circumstance.
• Strengthen the linkage between assessed risks and the auditor’s responses to those risks – Additional guidance is provided to help auditors provide more effective responses to identified risks. An overall response addresses risks of material misstatement at the financial statement level while a response to address risks at the financial statement assertion level is more specific with respect to the nature, timing, and extent of procedures. The auditor is required to perform substantive procedures for “significant risks.” These substantive procedures consist of tests of details alone or tests of details combined with substantive analytical procedures that are specifically responsive to the identified risks. If the auditor plans to rely on the operating effectiveness of controls to mitigate a significant risk, he or she is required to obtain evidence about the operating effectiveness of those controls from tests of controls. The auditor cannot conclude that controls to mitigate significant risks are operating effectively based on tests of controls performed in prior audits even when the auditor has also determined that the controls did not change since that testing.
• Clarify the auditor’s ability to rely on audit evidence gathered in prior audits – Except for controls related to significant risks, the auditor, who plans to rely on controls that have not changed since they were last tested, should perform tests of the operating effectiveness of those controls at least every third audit.
• Strengthen guidance for testing disclosures – The auditor is required to test the “completeness” of disclosures and their understandability.
• Clarify and expand guidance on evaluating audit findings – When evaluating audit findings, auditors should consider the effect of uncorrected misstatements related to prior periods on the current-period financial statements.
• Expand documentation requirements – Auditors are required to document, among other things, the following items:

  – Results of risk assessments both at the financial statement level and assertion level;
  – The nature, timing, and extent of audit procedures performed;
  – The linkage of auditor responses with the assessed risks at the assertion level; and,
  – Results of the audit procedures.

733790