A previous article discussed several of the new terms that the new risk assessment standards have introduced to the audit process (Sept. 4-17, 2006, page 36). The following discussion expands on that by addressing in more detail some of the more significant differences between the requirements of the new risk assessment standards and past audit practice.* Audit plans and programs. The audit program is now called the audit plan, but it is still required. The auditor must develop an audit plan in which the auditor documents the audit procedures to be used. The audit plan is more detailed than the audit strategy, and includes the nature, timing and extent of audit procedures to be performed, including risk assessment procedures and planned further audit procedures.
A standard program that can be tailored to the circumstances will meet the requirement, provided that it demonstrates the linkage of the nature, timing and extent of further audit procedures with the assessed risk at the relevant assertion level.
* Documentation of audit strategy. The auditor is required to establish the overall strategy for the audit, and to document any changes in the strategy, but a separate memorandum is not required. Various aspects of the overall strategy could be documented throughout the workpapers.
On the other hand, a simple memorandum might be convenient in an audit of a smaller, non-complex entity.
* Materiality in planning and evaluation. During audit planning, the auditor must determine, and should document, a materiality level for the financial statements taken as a whole. This has been a common practice, but not explicitly required. The auditor is also required to determine and document tolerable misstatement levels - materiality at the account balance, class of transactions, or disclosure level.
For both tolerable misstatement and materiality for the financial statements taken as a whole, the auditor is required by the new standards to document the basis on which those materiality levels were determined, as well as any changes made to them as the audit progresses.
Also, the auditor is required to consider materiality for particular items of lesser amounts than the materiality level determined for the financial statements taken as a whole. In other words, the auditor might need to use lower materiality levels for particular items if, in the auditor's judgment, lesser amounts could reasonably be expected to influence the economic decisions of financial statement users.
For example, financial statement users' expectations regarding the disclosures in related-party transactions might cause the auditor to regard lesser amounts as material in planning procedures and evaluating disclosures with regard to related-party transactions.
* New requirements for dealing with detected misstatements. The auditor is still required to accumulate all known and likely misstatements identified during the audit, other than those that the auditor believes are trivial.
However, the risk assessment standards impose the following explicit requirements in communicating them to management:
1. The auditor must request that management record the adjustments needed to correct all known misstatements;
2. The auditor must request that management examine, identify and correct misstatements in all areas in which the auditor evaluates the amount of likely misstatement as material based on a sample; and,
3. The auditor must request that management review assumptions and methods used in developing estimates in all areas in which the auditor has identified a likely misstatement involving differences in estimates.
After management has responded to the auditor's requests, the auditor should re-evaluate the amount of likely misstatement, including performing additional further audit procedures, if necessary.
* Use of "qualitative" factors in establishing materiality. The risk assessment standards retain the concept from previous standards that it ordinarily is not practical to design audit procedures to detect misstatements that could be qualitatively material. The auditor must perform the audit to obtain reasonable assurance of detecting misstatements that are large enough, individually or in the aggregate, to be quantitatively material to the financial statements.
In evaluating audit findings, qualitative considerations influence the auditor in reaching a conclusion about whether misstatements are material. The auditor might conclude that identified misstatements are material, even if they are below the materiality level determined when establishing the overall audit strategy.
The risk assessment standards include an extensive explanation and examples of qualitative factors, such as misstatements that have the effect of increasing management's compensation, and the implications of misstatements involving fraud and possible illegal acts, violations of contractual provisions, and conflicts of interest.
* Use of a summary of uncorrected misstatements. The auditor should document a summary of uncorrected misstatements - other than those that are trivial - related to known and likely misstatements. The summary should provide for separate consideration of known and likely misstatements, the aggregate effect of misstatements, and consideration of qualitative factors. The auditor also should document all known and likely misstatements identified during the audit that have been corrected by management, other than those that are trivial.
* Evaluating prior-period waived adjustments the risk assessment standards do not change existing standards in this respect. The auditor is required to consider adjustments that were waived in the prior period, but has flexibility in deciding how to do that. Either the "iron-curtain" or "rollover" approaches that were acceptable in the past continue to be appropriate.
* Approach to materiality based on the degree of inherent uncertainty. In some situations, financial statements include large provisions with a high degree of estimation uncertainty, such as the provision for insurance claims in the case of an insurance company.
The risk assessment standards make clear that once materiality is established, the auditor should consider materiality the same way, regardless of the inherent business characteristics of the entity being audited. For audit purposes, the inherent uncertainty of financial statement items does not cause the auditor to follow different procedures for planning or evaluating misstatements.
* Tests of controls. The auditor can still decide for a particular audit area to rely solely on substantive procedures and perform no tests of controls. What is different is that before making this decision, the auditor has to obtain and document an understanding of relevant control activities sufficient to understand what could go wrong in a particular audit area, and then plan and perform substantive procedures in response to that assessment.
* Understanding control activities. The risk assessment standards carry forward the idea from prior standards that the auditor does not need to understand all control activities (specific control policies and procedures, such as reviews and approvals). As in the past, the auditor should first consider the knowledge about control activities obtained from understanding the other components of internal control, such as the control environment and the information and communication system.
The auditor should focus on identifying and obtaining an understanding of control activities that address areas in which the auditor believes material misstatements are more likely to occur. For example, the auditor is specifically required to obtain an understanding of the process of reconciling detail to the general ledger for significant accounts.
* Rotation of tests of controls. The risk assessment standards explicitly permit rotation of tests of controls over a three-year cycle in specified circumstances. The auditor has to obtain persuasive evidence that the controls have not changed in the current period, and evaluate the appropriateness of rotation in the particular circumstance. Rotation of testing is not permitted if the auditor plans to rely on the controls to mitigate a significant risk.
* Mandatory testing of controls. The risk assessment standards carry forward an existing requirement that the auditor should identify those risks for which it is not possible or practicable to reduce detection risk at the relevant assertion level to an acceptably low level with audit evidence obtained only from substantive procedures.
In other words, in some cases, substantive procedures alone are not enough, and the audit approach will need to include primarily tests of controls. This tends to occur in highly automated processing environments in which a significant amount of information is initiated, authorized, recorded, processed or reported electronically.
Douglas R. Carmichael, Ph.D, CPA, CFE, was formerly the chief auditor and director of professional standards at the Public Company Accounting Oversight Board. He was also the founding director of the Center for Financial Integrity at Baruch College, and served for 13 years as vice president of auditing at the American Institute of CPAs.
