The American Institute of CPAs' Auditing Standards Board is poised to issue an exposure draft of five proposed statements and amendments to statements relating to auditors' risk assessment.
If adopted, the changes will result in more in-depth understanding of companies, their internal controls and their risks of material misstatements. They will also strengthen the link between assessed risks and the audit process. Depending on public comments on the exposure drafts, the final issuance of new standards - which could number as many as seven, depending on how the board decides to delineate the statements - is expected by the end of 2005.
Brian Ballou, an associate professor at Miami [Ohio] University and a member of the AICPA Risk Assessment Task Force, said that the standards will cover a broad range of risk assessment, including assertions, evidence and procedures.
"These exposure drafts propose a change, at a minimum, in how auditors document and approach their audits," Ballou said. "Assertions will be broken into three categories: transactions, accounts, and presentation and disclosure. They will be reorganized that way."
One proposal deals with understanding the client entity and its environment. It will look at all the types of risk assessments that an auditor will look at in an engagement.
The theory and methodology behind the expected proposals are similar to those of SAS 99, which deals with fraud. They require an auditor to assess the risk to controls and the risks inherent in the company to be audited. Under earlier standards, such an assessment would normally be preceded by evidence of risk.
"This is going to require more thinking up front, where risk may occur," said AICPA vice president of professional standards and services Chuck Landes. "SAS 99 requires the same kind of brainstorming for fraud ... and the new standards will require brainstorming to look for any place that material misstatement could occur, whether it's fraud or error."
That similarity, Landes said, should facilitate adoption of the prescribed practices.
Landes explained that the changes were made in response to a report issued by the Public Oversight Board Panel on Audit Effectiveness, which included recommendations to the ASB. The report noted that the public's confidence in audits is too low, and that auditors should do more to identify, assess and react to risk.
The suite of proposed changes was first issued in 2002, after the signing of the Sarbanes-Oxley Act but before it was determined whether the ASB or the Public Company Accounting Oversight Board would be setting standards for auditors. The ASB stopped work on the project pending a decision on jurisdiction.
At roughly the same time, the International Auditing and Assurance Standards Board of the International Federation of Accountants continued work on similar risk assessment standards.
The two boards are working together to converge U.S. and international standards, so when the ASB continued its work, it chose to adapt its proposal to more closely resemble that of the IAASB.
"Our goal is to have substantially equivalent auditing standards between the IAASB and the ASB," Landes said.
Landes explained that the decision to re-expose came about because the board felt that most practitioners had lost track of the project and needed another opportunity to review it. The IAASB has already exposed and approved its set of standards. The only significant differences are those in the ASB proposal that relate only to U.S. regulations.
"The ASB decided that, yes, we do believe that these standards will improve the effectiveness of auditing," Landes said. "We believe that they will be an improvement to the existing way that auditors go about assessing risk, planning their engagement, designing the nature, timing and extent of their auditing procedures. So, yes, we do want to go forward."
The statements are expected to resolve the fundamental issue of the "rollover" method versus the "iron curtain" method. The rollover method considers the aggregate effect of prior-period and current-period uncorrected misstatements. The iron curtain method only considers the effect of the current period's uncorrected misstatements. The IAASB standard is interpreted to require considering misstatements of prior periods; therefore, the ASB standard is likely to require auditors to consider both methods.
Landes characterized the suite of proposed standards as a lot of relatively small, nuanced rules that, considered together, constitute a sweeping reform that will make a real difference in the audits of practitioners large and small. He said that these changes will result in a more effective audit.
"These standards get back, in a certain way, to the blocking and tackling basics of good auditing," he explained. "They say you can't use a canned audit program. For every client, you have to think where there is risk of material misstatement, control risk and inherent risk. These are part of the formula that all of us grew up with. Now we have to sit back and say, 'How do I need to design my audit program - the timing, nature and extent of what I do - to be responsive to those risks?'"
Ballou said that the proposed standard on understanding the entity and its environment may give auditors something new to learn.
"The standard will include things like business risk, strategy and objectives - for some auditors, these may be some new assessments they did not do in the past," Ballou explained. "This will help lead them to a better understanding of the organization, which in turn should lead to better assessments of the risk of material misstatement."
The AICPA plans to develop an educational training program to help practitioners understand and use the new standards. The ASB also expects to issue authoritative and non-authoritative guidance to accompany the statements.
The international standards are effective for years beginning after Dec. 15, 2004. Landes expected the ASB standards to be effective a year or more after that.
