Overview of the ASB Risk Assessment Standards Indexed to



Overview of the ASB Risk Assessment Standards Indexed to

Auditing and Assurance Services: An Integrated Approach 11th Edition

In March 2006 the AICPA’s Auditing Standards Board issued SAS Nos. 104-111, eight standards relating to the assessment of risks in a financial statement audit. The ASB also issued SAS No. 112 in May 2006 on communication of internal control related matters. The Risk Assessment Standards and SAS No. 112 are effective for audits of financial statements for periods beginning on or after December 15, 2006, with early application permissible.

The Risk Assessment Standards establish standards and provide guidance in financial statement audits for private companies concerning the auditor’s assessment of the risks of material misstatements (whether caused by error or fraud), and the design and performance of audit procedures that are responsive to those risks. In addition, these Statements establish standards and provide guidance on planning and supervision, the nature of audit evidence, and evaluating whether the audit evidence affords a reasonable basis for the auditor’s opinion on the financial statements under audit.

The primary objective of the Statements is to enhance auditor’s application of the risk model, including specifying:

• More in-depth understanding of the entity and its environment, including its internal control, to identify the risks of material misstatement in the financial statements and entity actions to mitigate those risks.

• More rigorous assessment of the risks of material misstatement of the financial statements based on that understanding.

• Improved linkage between the assessed risks and the nature, timing and extent of audit procedures performed in response to those risks.

These standards introduce many changes in terminology. However, these standards were first exposed in 2002 and the audit methodology presented in Auditing and Assurance Services: An Integrated Approach 11th Edition is largely consistent with these standards. We first provide an analysis of how these standards affect individual chapters in the 11th Edition. This is followed by a summary of the key provisions of each individual standard.

Chapter 2 – The CPA Profession

SAS No. 105 includes revisions to the 10 auditing standards in Table 2-3 on p. 34 of the 11th edition. A comparison of the revised and original standards is included below:

|Original Standard |Revised Standard |

|General Standards |General Standards |

|The audit is to be performed by a person or persons having |The audit must be performed by a person or persons having |

|adequate technical training and proficiency as an auditor. |adequate technical training and proficiency as an auditor. |

|Standards of Field Work |Standards of Field Work |

|The work is to be adequately planned and assistants, if any, |The auditor must adequately plan the work and must properly |

|are to be properly supervised. |supervise any assistants. |

|A sufficient understanding of internal control is to be |The auditor must obtain a sufficient understanding of the |

|obtained to plan the audit and determine the nature, timing, |entity and its environment, including its internal control, to|

|and extent of tests to be performed. |assess the risk of material misstatement whether due to error |

|Sufficient competent evidential matter is to be obtained |or fraud, and to design the nature, timing, and extent of |

|through inspection, observation, inquiries, and confirmations|further audit procedures. |

|to afford a reasonable basis for an opinion regarding the |The auditor must obtain sufficient appropriate audit evidence |

|financial statements under audit. |by performing audit procedures to afford a reasonable basis |

| |for an opinion regarding the financial statements under audit.|

The effects of the changes to the three standards of field work are included in the discussion of the impact of the standards on other chapters.

Chapter 6 – Audit Responsibilities and Objectives

1. SAS No. 104 expands the definition of reasonable assurance to indicate that it is a high, but not absolute level of assurance.

2. SAS No. 106, Audit Evidence expands the five management assertions included on p. 145 of the 11th edition into three categories: 1) assertions about classes of transactions and events; 2) assertions about account balances at the period end; and 3) assertions about presentation and disclosure. The assertions in each category are included in Table 1; the assertions are presented so that related assertions are included in each table row.

3. Table 2 indicates how the transaction objectives in Table 6-2 (p. 147) relate to the assertions about transactions and events.

4. Table 3 indicates how the balance objectives in Table 6-3 (p. 150) relate to assertions about account balances. These are substantially unchanged from the 11th edition.

|TABLE 1 |Management Assertions for Each Category of Assertions |

|Assertions About Classes of Transactions and |Assertions About Account Balances |Assertions About Presentation and Disclosure |

|Events | | |

|Occurrence – Transactions and events that have |Existence – Assets, liabilities, and equity |Occurrence and rights and obligations – Disclosed |

|been recorded have occurred and pertain to the |interests exist. |events and transactions have occurred and pertain |

|entity. | |to the entity. |

|Completeness – All transactions and events that |Completeness – All assets, liabilities, and |Completeness – All disclosures that should have |

|should have been recorded have been recorded. |equity interests that should have been |been included in the financial statements have |

| |recorded have been recorded. |been included. |

|Accuracy – Amounts and other data relating to |Valuation and allocation – Assets, |Accuracy and valuation – Financial and other |

|recorded transactions and events have been |liabilities, and equity interests are included|information are disclosed fairly and at |

|recorded appropriately. |in the financial statements at appropriate |appropriate amounts. |

| |amounts and any resulting valuation | |

| |adjustments are appropriately recorded. | |

|Classification – Transactions and events have | |Classification and understandability – Financial |

|been recorded in the proper accounts. | |and other information is appropriately presented |

| | |and described and disclosures are clearly |

| | |expressed. |

|Cutoff – Transactions and events have been | | |

|recorded in the correct accounting period. | | |

| |Rights and obligations – The entity holds or | |

| |controls the rights to assets, and liabilities| |

| |are the obligation of the entity. | |

|TABLE 2 |Transaction-Related Audit Objectives and Management Assertions for Sales Transactions |

|Management Assertions About Classes of | | |

|Transactions and Events |General Transaction-Related Audit |Specific Sales Transaction-Related Audit Objectives |

| |Objectives | |

|Occurrence |Occurrence |Recorded sales are for shipments made to |

| | |nonfictitious customers. |

|Completeness |Completeness |Existing sales transactions are recorded. |

|Accuracy |Accuracy |Recorded sales are for the amount of goods shipped |

| | |and are correctly recorded. |

| | |Sales transactions are properly included in the |

| |Posting and summarization |master file and are correctly summarized. |

|Classification |Classification |Sales transactions are properly classified. |

|Cutoff |Timing |Sales are recorded on the correct dates. |

|TABLE 3 |Hillsburg Hardware Co.: Balance-Related Audit Objectives and Management Assertions Applied|

| |to Inventory |

|Management Assertions About Account |General Balance-Related Audit |Specific Balance-Related Audit Objectives Applied |

|Balances |Objectives |to Inventory |

|Existence |Existence |All recorded inventory exists at the balance sheet|

| | |date. |

|Completeness |Completeness |All existing inventory has been counted and |

| | |included in the inventory summary. |

|Valuation and allocation |Accuracy |Inventory quantities on the client’s perpetual |

| | |records agree with items physically on hand. |

| | |Prices used to value inventories are materially |

| | |correct. |

| | |Extensions of price times quantity are correct and|

| | |details are correctly added. |

| | |Inventory items are properly classified as to raw |

| | |materials, work in process, and finished goods. |

| |Classification |Purchase cutoff at year-end is proper. |

| | |Sales cutoff at year-end is proper. |

| | |Total of inventory items agrees with general |

| |Cutoff |ledger. |

| | |Inventories have been written down where net |

| |Detail tie-in |realizable value is impaired. |

| | | |

| |Net realizable value | |

|Rights and obligations |Rights and obligations |The company has title to all inventory items |

| | |listed. |

| | |Inventories are not pledged as collateral. |

Chapter 7 – Audit Evidence

1. The term “sufficient competent evidential matter” is replaced with the term “sufficient appropriate audit evidence” in SAS No. 106.

2. The standard also defines audit procedures for obtaining audit evidence in the following categories:

• Inspection of records or documents

• Inspection of tangible assets

• Observation

• Inquiry

• Confirmation

• Recalculation

• Reperformance

• Analytical procedures

Chapter 8 – Audit Planning and Analytical Procedures

SAS No. 109 requires the auditor to perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control. This requirement is consistent with the audit approach to gaining an understanding of the client’s business and industry in the 11th edition.

1. SAS No. 108, Planning and Supervision, clarifies that the auditor should establish an understanding with the client through a written communication with the client. The new standard requires the communication to be in the form of an engagement letter.

2. SAS No. 108 also requires the auditor to establish an overall strategy for the audit, and develop an audit plan that includes:

• A description of the nature, timing, and extent of planned risk assessment procedures sufficient to assess the risks of material misstatement as determined under SAS No. 109.

• A description of the nature, timing, and extent of planned further audit procedures at the relevant assertion level for each material class of transactions, account balance, and presentation and disclosure as determined under SAS No. 110.

3. SAS No. 109 indicates that the members of the audit team should discuss the susceptibility of the entity’s financial statements to material misstatements. This discussion can be held concurrently with the discussion of the susceptibility of the entity’s financial statements to fraud required by SAS No. 99.

Chapter 9 – Materiality and Risk

The risk assessment process in Chapter 9 of the 11th edition is consistent with the risk assessment standards.

1. SAS No. 107, Audit Risk and Materiality in Conducting an Audit, identifies two types of misstatements: known and likely. Likely misstatements include projections of misstatements based on a sample, and differences between management’s and the auditor’s judgments for accounting estimates that the auditor considers unreasonable or inappropriate.

2. SAS No. 107 also notes that “closest reasonable estimate” for estimated amounts such as inventory obsolescence may be a range of acceptable amounts or a point estimate. If management’s estimate falls outside the auditor’s range of acceptable amounts, the difference between the client’s recorded amounts and the amount at the closest end of the auditor’s range should be aggregated as a likely misstatement. For example, if the auditor determines that an allowance for doubtful accounts of $120,000 to $150,000 is reasonable and the client’s recorded allowance is $100,000, then $20,000, the difference between the lower end of the auditor’s range and the client’s estimate should be aggregated as a likely misstatement. In addition, the auditor should consider whether the differences between the estimates best supported by audit evidence and the client’s evidence, which may be individually reasonable, indicate a possible bias by the entity’s management.

3. The auditor should request management to record an adjustment for all known misstatements except for those considered “trivial.” Trivial amounts are amounts below the auditor’s threshold for accumulating misstatements. The auditor should request management to examine the class of transactions or account balance to identify and correct likely misstatements, and review the assumptions for estimates where the auditor has identified a likely misstatement.

4. SAS No. 109 notes that in assessing risks, the auditor should assess whether they are at the overall financial statement level or pertain to relevant assertions related to classes of transactions, account balances, and disclosures.

5. The auditor should also consider whether any of the identified risks represent significant risks that require special audit attention. In making this determination, the auditor should consider:

• Whether the risk is a risk of fraud

• Whether the risk is related to recent significant economic, accounting, or other developments requiring specific attention

• The complexity of the transactions

• Whether the risk involves significant transactions with related parties

• The degree of subjectivity in the measurement of financial information related to the risks, especially those involving a wide range of measurement uncertainty

• Whether the risk involves significant nonroutine transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

6. SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained is also consistent with Chapter 9. Page 248 in the 11th edition discusses two overall responses to risk – use of more experienced staff and a more careful review. SAS No. 110 includes additional overall responses, including the need for professional skepticism and incorporating more elements of unpredictability in testing.

7. SAS No. 109 notes that the auditor may assess inherent risk and control risk on a separate or combined basis, which was also allowed under existing standards. However, the auditor can no longer default to control risk at maximum and perform a substantive audit. Instead, auditors must obtain an understanding of internal controls and then assess control risk based on that understanding.

Chapter 10 – Section 404 Audits of Internal Control and Control Risk

SAS No. 109 and SAS No. 110 together supersede SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, but do not significantly alter the approach to understanding internal control in Ch. 10. Similarly, the reporting of significant deficiencies and material weaknesses for nonpublic companies discussed in Ch. 10 is consistent with SAS No. 112.

1. SAS No. 109 discusses manual and IT controls and notes that because of the inherent consistency of IT controls, audit procedures to test whether an automated control has been implemented may serve as a test of the control’s operating effectiveness, depending on the auditor’s assessment and testing of IT general controls.

2. SAS No. 110 indicates that the auditor should perform tests of controls when the auditor’s risk assessment includes an expectation of the operating effectiveness of controls or when substantive procedures alone do not provide sufficient audit evidence at the relevant assertion level. Substantive procedures alone may not be sufficient when the entity relies on IT and no documentation of transactions is maintained, other than through the IT system.

3. Auditors may test controls that have not changed on a rotational basis. The operating effectiveness of such controls should be tested at least every third audit. The decision to rely on evidence on the effectiveness of controls obtained in prior audits depends on the overall effectiveness of other elements of internal control, the effectiveness of the control being relied upon, and the risks arising from characteristics of the control, including whether it is manual or automated.

Chapter 13 – Overall Audit Plan and Audit Program

1. One of the five types of tests in Chapter 13 is procedures to obtain an understanding of internal control. These procedures should also include procedures to obtain an understanding of the entity and its environment and risk assessment procedures, consistent with the changes to the second standard of field work.

2. In designing the audit program, the auditor should document the linkages of procedures with identified specific risks.

Overview of Risk Assessment Standards

SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”) – Amends paragraph 10 to expand the definition of the term reasonable assurance to indicate that it is a high, but not absolute level of assurance.

SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards

1. Expands the scope of the second standard of field work from “internal control” to “the entity and its environment, including its internal control” and extends its purpose from “planning the audit” to assessing the risk of material misstatement in the financial statements, whether due to error or fraud.”

2. Revises the third standard of field work to eliminate references to specific audit procedures which might imply that they encompass all audit procedures. Replaces the term “evidential matter” with “audit evidence.”

The amended standards are as follows:

General Standards

1. The audit must is to be performed by a person or persons having adequate technical training and proficiency as an auditor.

Standards of Field Work

1. The auditor must The work is to be adequately planned the work and must properly supervise any assistants, if any, are to be properly supervised.

2. The auditor must obtain a A sufficient understanding of the entity and its environment, including its internal control is to be obtained to assess the risk of material misstatement of the financial statements whether due to error or fraud, plan the audit and to design determine the nature, timing, and extent of further audit procedures tests to be performed.

3. The auditor must obtain sSufficient appropriate audit evidence competent evidential matter is to be obtained by performing audit procedures inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit.

SAS No. 106, Audit Evidence (Supersedes Statement on Auditing Standards No. 31, Evidential Matter)

1. Replaces the term “sufficient competent evidential matter” with “sufficient appropriate audit evidence.”

2. Defines management assertions as falling into three categories: 1) assertions about classes of transactions and events; 2) assertions about account balances at period end; and 3) assertions about presentation and disclosure.

SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Supersedes Statement on Auditing Standards No. 47, Audit Risk and Materiality in Conducting an Audit)

1. Identifies two types of misstatements: known and likely. Likely misstatements include projections of misstatements based on a sample, and differences between management’s and the auditor’s judgments for accounting estimates that the auditor considers unreasonable or inappropriate.

2. Indicates that the “closest reasonable estimate” for estimated amounts such as inventory obsolescence may be a range of acceptable amounts or a point estimate. If management’s estimate falls outside the auditor’s range of acceptable amounts, the difference between the client’s recorded amounts and the amount at the closest end of the auditor’s range should be aggregated as a likely misstatement. In addition, the auditor should consider whether the differences between the estimates best supported by audit evidence and the client’s evidence, which may be individually reasonable, indicate a possible bias by the entity’s management.

3. The auditor should request management to record an adjustment for all known misstatements except for those considered “trivial.” The auditor should request management to examine the class of transactions or account balance to identify and correct likely misstatements, and review the assumptions for assumptions for estimates where the auditor has identified a likely misstatement.

SAS No. 108, Planning and Supervision (Supersedes “Appointment of the Independent Auditor” as amended of SAS No. 1, Codification of Auditing Standards and Procedures, and Statement on Auditing Standards No. 22, Planning and Supervision)

1. Indicates that the auditor should establish an understanding with the client and should document the understanding through a written communication with the client.

2. The auditor should first develop an overall audit strategy, including the scope of the engagement, preliminary identification of materiality levels and high-risk areas, and appropriate staffing levels.

3. Development of a more detailed audit plan that includes:

• A description of the nature, timing and extent of planned risk assessment procedures sufficient to assess the risk of material misstatement as determined under SAS No. 109.

• A description of the nature, timing, and extent of planned further audit procedures at the relevant assertion level for each material class of transactions, account balance, and disclosure as determined under SAS No. 110.

4. Provides guidance on supervision, including communication with members of the audit team regarding the susceptibility of the entity’s financial statements to material misstatements due to error or fraud, with special emphasis on fraud.

SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (together with SAS No. 110, Supersedes SAS No. 55, Consideration of Internal Control in a Financial Statement Audit)

This standard establishes standards and provides guidance on implementing the second standard of fieldwork, which requires the auditor to obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.

1. The auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including internal control. Risk assessment procedures include inquiries of management and others within the organization, analytical procedures, and observation and inspection.

2. The members of the audit team should discuss the susceptibility of the entity’s financial statements to material misstatements. This discussion can be held concurrently with the discussion of the susceptibility of the entity’s financial statements to fraud required by SAS No. 99.

3. The auditor should obtain an understanding of the following aspects of the entity and its environment, including its internal control:

• Industry, regulatory and other external factors

• Nature of the entity

• Objectives and strategies and related business risks that may result in a material misstatement of the financial statements

• Measurement and review of the entity’s financial performance

• Internal control, including the selection and application of accounting policies

4. The auditor should identify and assess the risk of material misstatements at the financial statement level and at the relevant assertion level related to classes of transactions, account balances, and disclosures. The auditor should:

• Identify risk throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks.

• Relate the identified risks to what can go wrong at the relevant assertion level.

• Consider whether the risks are of sufficient magnitude that could result in a material misstatement of the financial statements.

• Consider the likelihood that the risks could result in a material misstatement of the financial statements.

5. The auditor should determine which of the risks are significant risks that require special audit attention. In making this determination, the auditor should consider:

• Whether the risk is a risk of fraud

• Whether the risk is related to recent significant economic, accounting, or other developments requiring specific attention

• The complexity of the transactions

• Whether the risk involves significant transactions with related parties

• The degree of subjectivity in the measurement of financial information related to the risks, especially those involving a wide range of measurement uncertainty

• Whether the risk involves significant nonroutine transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

6. SAS No. 109 notes that the auditor may assess inherent risk and control risk on a separate or combined basis, which has been allowed under existing standards. However, the auditor can no longer default to control risk at maximum and perform a substantive audit. Instead, auditors must obtain an understanding of internal controls and then assess control risk based on that understanding.

SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Supersedes “Substantive Tests Prior to the Balance Sheet Date of SAS No. 45 and, together with SAS No. 110, Supersedes SAS No. 55, Consideration of Internal Control in a Financial Statement Audit)

The statement establishes standards and provides guidance on determining overall responses and designing and performing further audit procedures to respond to the assessed risks of material misstatement at the financial statement and relevant assertion levels in a financial statement audit. The standard also addresses evaluating the sufficiency and appropriateness of the audit evidence obtained, including guidance about implementing the third standard of field work.

1. Responses to the risk of significant misstatement include:

Overall responses – Addressing the risk of significant misstatement at the financial statement level may include:

• Emphasizing the need to maintain professional skepticism in gathering and evaluating audit evidence

• Assigning more experienced staff or those with specialized skills, or using specialists

• Providing more supervision

• Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed

• General changes to the nature, timing, or extent of further audit procedures, such as performing substantive procedures at year-end rather than an interim date

Response to Risks of Material Misstatement at Relevant Assertion Level – the auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the relevant assertion level.

2. The auditor must also evaluate the sufficiency and appropriateness of the audit evidence obtained and should document:

• The overall responses to address the assessed risks of misstatement at the financial statement level

• The nature, timing, and extent of the further audit procedures

• The linkages of those procedures with the assessed risks at the relevant assertion level

• The results of the audit procedures

• The conclusions reached with regard to the use in the current audit of audit evidence about the operating effectiveness of controls that was obtained in a prior audit

3. Auditors may test controls that have not changed on a rotational basis. The operating effectiveness of such controls should be tested at least every third audit. The decision to rely on evidence on the effectiveness of controls obtained in prior audits depends on the overall effectiveness of other elements of internal control, the effectiveness of the control being relied upon, and the risks arising from characteristics of the control, including whether it is manual or automated.

SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling

The statement amends SAS No. 39, Audit Sampling to move guidance from the Appendix into SAS No. 107, Audit Risk and Materiality in Conducting an Audit and into the text of SAS No. 111. The Statement also incorporates guidance from SAS No. 99, Consideration of Fraud in a Financial Statement Audit, and from SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained. The statement also provides enhanced guidance about establishing tolerable misstatement for a specific audit procedure and on the application of sampling to tests of controls.

Specific provisions include the following:

1. Auditors should normally set tolerable misstatement for a specific audit procedure at less than financial statement materiality so that when the results of audit procedures are aggregated, the required overall assurance is attained.

2. Clarifies that in determining the sample size for a test of details, the auditor should consider tolerable misstatement and the expected misstatement, the audit risk, the characteristics of the population, the assessed risk of material misstatement (inherent risk and control risk), and the assessed risk for other substantive procedures related to the same assertion.

3. Indicates that the sample sizes for statistical and nonstatistical samples should be comparable, considering the same sampling parameters.

4. Clarifies that risk assessment procedures to obtain an understanding of internal control do not involve sampling. Sampling concepts also do not apply for some tests of controls. Tests of automated application controls are tested only once or a few times when effective IT general controls are present.

5. When performing a dual-purpose test of the effectiveness of a control and testing whether monetary misstatements are present, the absence of monetary misstatements does not necessarily imply that related controls are effective. However, misstatements that the auditor detects should be considered a possible indication of a control failure when assessing the operating effectiveness of controls.

SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit

1. Defines the terms significant deficiency and material weakness.

2. Requires the auditor to communicate significant deficiencies and material weaknesses in writing to those charged with governance.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download