The Auditing Standards Board recently issued eight new auditing standards, Nos. 104-111, collectively referred to as the risk assessment standards. The new standards will change many of the planning and risk assessment procedures performed during an audit (though most of the steps performed throughout the audit process remain largely the same).Implementation of the new standards should increase the effectiveness of financial statement audits, as auditors will now be required to:
* Obtain a greater understanding of the entity and its environment, including its internal control;
* Perform a more rigorous risk assessment;
* Provide clear linkage between assessed risks of material misstatement and the audit procedures that address those risks; and,
* Meet new and expanded documentation requirements.
Auditors must now explicitly consider higher-risk areas by focusing on what is most likely to go wrong that could affect a client's financial statements. Once they do this, they are required to link each of these high-risk areas to the related program steps that identify and quantify any material misstatements in those high-risk areas.
Also, auditors will find that they may need to spend more time (at least in the year of adoption) documenting their understanding of the clients' internal control systems, and determining if those systems have been implemented.
Although the new risk assessment standards are to be applied for all periods beginning Dec. 15, 2006, most auditors will want to start learning about the new requirements sooner rather than later. Many will start accumulating some of the new required information during their 2006 engagements. CPE providers already have courses about the new standards, and implementation guides will be available shortly for early adopters.
New terms and concepts
The new standards change some of the familiar terms that auditors have traditionally used. These changes were made largely to bring about compatibility with International Standards on Auditing issued by the International Auditing and Assurance Standards Board, and consistency across practice.
* What used to be called the "audit program" is now the "audit plan."
* The term "audit plan" has been replaced by "audit strategy," which can be defined as a high-level description of audit scope, including matters such as identification of material locations and account balances, areas with a higher risk of material misstatement, and the planned audit approach by area.
* "Substantive tests" are now uniformly called "substantive procedures;" "evidential matter" is now "audit evidence;" and "sufficient, competent evidence" is now referred to as "sufficient, appropriate evidence."
Some of the terminology changes in the standards broaden the meaning of previously used terms or introduce new concepts. For example:
* "Those charged with governance." In the new risk assessment standards, references to the audit committee are replaced by "those charged with governance" - broadening responsibility to include all persons with responsibility for overseeing the strategic direction and the accountability and obligations of the entity. This includes overseeing the financial reporting and disclosure process. The term includes a company's board of directors or audit committee.
* Significant risks. This term now has a more specific and narrower meaning than it has in past practice. Now, a risk is considered a "significant risk" if an analysis of inherent risk indicates the likely magnitude of the potential misstatement, and the likelihood of the misstatement occurring is such that it requires a specific audit response.
In determining the appropriate audit response to significant risks, the auditor should obtain an understanding of relevant control activities. If the auditor plans to rely on the operating effectiveness of controls to mitigate the significant risk, the auditor needs to test those controls in the current period.
* Relevant assertions. The concept of relevant assertions is now a central feature of the new risk assessment standards. Assertions are relevant for a particular class of transactions, account balance or disclosure if they have a meaningful bearing on whether the item is fairly stated. A routine example is that the valuation assertion is usually not relevant to the cash account unless currency translation is involved.
Other important terms
* Risk assessment procedures. Risk assessment procedures represent a defined category of audit procedures performed near the beginning of the audit to obtain an understanding of the entity and its environment (including its internal control) for the purpose of assessing the risks of material misstatement. They consist of inquiry, observation, inspection and analytical procedures. The auditor's analysis of the results of these procedures is an assessment of risk that in itself provides evidence that ultimately supports the auditor's opinion on the financial statements.
* Risk of material misstatement. The risk of material misstatement is simply the likelihood of a misstatement of a material amount. The auditor should assess this risk at both the overall financial statement level and at the relevant assertion level. At the financial statement level, it is an overall assessment. At the relevant assertion level, it is the combination of the auditor's assessment of inherent risk and control risk.
The auditor can make a combined assessment of inherent and control risk, or assess the component risks separately and then combine them.
* Risk assessment as a specific percentage. Consistent with past practice and standards, the assessment may be in quantitative or non-quantitative terms, such as high, medium or low.
* Documenting the assessment. The auditor should document the assessment of risks of material misstatement both at the financial statement level and at the relevant assertion level, as well as the basis for that assessment. Of particular significance is the requirement to document the basis for that assessment. For example, this would mean documenting the procedures performed, the results of those procedures, and the related conclusions.
* Further audit procedures. The purpose of the risk assessment is to determine the "further audit procedures" that are necessary to express an opinion. These procedures consist of substantive procedures and tests of controls that are performed in response to the assessed risks, and are designed to reduce the overall audit risk to an appropriately low level.
Douglas R. Carmichael, Ph.D., CPA, CFE, was formerly chief auditor and director of professional standards at the Public Company Accounting Oversight Board. He was also the founding director of the Center for Financial Integrity at Baruch College, in New York, and served as vice president of auditing at the American Institute of CPAs for 13 years. He is coauthor of several Thomson/ PPC audit guides, including PPC's Guide to Audit Risk Assessment (Implementing the Risk Assessment Standards), which will be available fall 2006.
