Auditor's Risk Assessment Process: Tackling the New Risk Assessment SASs

Chapter 1

Overview

Learning Objectives

After completing this chapter you should be able to describe the key activities in the typical process for auditing an entity’s financial statements in accordance with generally accepted auditing standards. This knowledge should, in turn, enable you to recognize changes in activities resulting from several new auditing standards.

Introduction

This program starts with an overview of the typical audit process and then examines how the newly issued auditing standards may affect it. The new standards reflected in this course include the following:

• SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures ("Due Professional Care in the Performance of Work")
• SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
• Understand the organizational structure of the Financial Accounting Foundation (FAF), the Financial Accounting Standards Board (FASB), and the Governmental Accounting Standards Board (GASB).
• SAS No. 106, Audit Evidence
• SAS No. 107, Audit Risk and Materiality in Conducting an Audit
• SAS No. 108, Planning and Supervision
• SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
• SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
• SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling

These newly issued standards are being referred to as the "risk assessment standards."

The ASB believes that the requirements and guidance provided in the Risk Assessment SASs will result in a substantial change in audit practice and in more effective audits. Overall the new SASs change the audit process as follows:

• Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including its internal control - The standards require the auditor to obtain an understanding of a significantly expanded set of information about specific elements of the entity and its environment. The purpose of the required understanding of this broadened set of information about the client and its environment is to enhance the auditor’s ability to identify and assess risks that may lead to material misstatements in the financial statements. The auditor is required to perform risk assessment procedures in all audits to obtain an understanding, including updated information obtained in prior audits that the auditor intends to use in the current audit. The expanded understanding about the entity and its environment should also be helpful to the auditor throughout the audit when making judgments about materiality and when critically evaluating audit evidence.
• Requires the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained - The new SASs note that assessing risks of material misstatements encompasses a combined assessment of inherent risk and control risk. The new SASs eliminate the auditor’s ability to assess "risk at the maximum" without support for that assessment. Thus, auditors will be required to support all risk assessments at whatever level, including risks at the maximum, based on their understanding of the entity and its environment. In addition, the new SASs require the auditor to identify "significant risks" (defined later in this chapter) that require special audit consideration, and risks for which substantive procedures alone will not reduce audit risk to an appropriate level.
• Eliminates the "default to maximum" for control risk, which should encourage testing of controls - Auditors will no longer be able to assess control risk "at the maximum" without support for that assessment. Thus, that kind of audit approach can no longer be used as a default audit strategy. Instead, auditors should document the basis for a control risk at maximum assessment. The ASB believes this will encourage the testing of controls in all audits. In addition, the new SASs expand the auditor’s requirement to understand internal controls in every audit by also requiring the auditor to evaluate the design of controls, including relevant control procedures over "significant risks," and to determine whether those control procedures have been implemented.
• Emphasizes importance of the entity’s risk assessment process - The new SASs emphasize that when the auditor identifies potential risks of material misstatements in the financial statements, it is important for the auditor to consider the entity’s risk assessment process. To assist the auditor with this consideration, the new SASs discuss how the entity’s risk assessment process fits in with the entity’s process of setting objectives and strategies and assessing related business risks. When the auditor identifies risks of material misstatements that the entity’s risk assessment processes failed to detect, the new SASs require the auditor to consider why the process failed and whether the process is appropriate in the circumstance.
• Strengthens the linkage between assessed risks and the auditor’s responses to those risks - Because auditors frequently struggle with designing an appropriate audit response to risks identified, the new SASs contain expanded guidance designed to significantly improve the auditor’s ability to effectively address the identified risks. Auditors are required to determine both an overall response to address the risks of material misstatements at the financial statement level and a response to assess risks of material misstatements at the assertion level. The new guidance emphasizes the importance of the nature of the audit procedures in responding to assessed risks. The new SASs also require the auditor to perform substantive procedures for "significant risks." These substantive procedures consist of tests of details alone or tests of details combined with substantive analytical procedures that are specifically responsive to the identified risks. If the auditor plans to rely on the operating effectiveness of controls to mitigate a significant risk, the auditor is required to obtain all evidence about the operating effectiveness of those controls from tests of controls performed in the current period (i.e., cannot conclude that they are operating effectively based on tests of controls performed in prior audits when the auditor also determined the controls did not change since that testing).
• Clarifies the auditor’s ability to rely on audit evidence gathered in prior audits - Except for controls related to significant risks, the auditor who plans to rely on controls that have not changed since they were last tested should perform tests of the operating effectiveness of those controls at least every third audit. As noted elsewhere, the auditor should test controls designed to address significant risks in the current audit.
• Strengthens guidance for testing disclosures - The new SASs include expanded guidance to specifically address the importance of considering the "completeness" of disclosures and their understandability. The assertions related to presentation and disclosure have been significantly revised to provide this emphasis.
• Clarifies and expands guidance on evaluating audit findings - When evaluating audit findings, auditors should now consider the effect of uncorrected misstatements related to prior periods on the current-period financial statements.
• Expands documentation requirements - Because the ASB believes that documentation requirements can drive behavior, the new SASs require the auditor to document, among other things, the following items:
  • Results of the risk assessments both at the financial statement level and the assertion levels;
  • The nature, timing, and extent of audit procedures performed;
  • The linkage of auditor responses with the assessed risks at the assertion level; and
  • Results of the audit procedures.