Auditors Risk Assessment Process:

1
Auditors Risk Assessment Process

• The New Risk Assessment Standards
• (based on the AIPCAs Instruction for Group Study
  Sessions)
• AGA Regional Fall Seminar
• October 19, 2006

2
Overview

• New SASs dealing with audit risk assessment
• Reissued standards 104 through 111
• The new standards are referred to as the audit
  risk standards.
• Effective for years starting after December 15,
  2006
• Implemented to improve quality effectiveness of
  audits

3
Effects of Audit Risk Standards

• How audit is planned
• How audit is conducted
• How audit procedures are executed
• How audit results are evaluated
• It will require critical thinking
• Will add significant time cost to audit

4
Hierarchy of Auditing Standards Current
Standards
AU Section 110 Responsibilities of the Auditor
Responsibilities
Audit Evidence
Audit Risk Materiality
Audit Documentation
Key Concepts
Audit Risk Materiality
Considering Fraud
Methodology
Specific Instructions
Planning
Analytical Procedures
Estimates
Etc.
Internal Controls
5
Hierarchy of Auditing Standards After New Risk
Assessment Standards
Changed Standard
AU Section 110 Responsibilities of the Auditor
New Standard
Responsibilities
Audit Evidence
Audit Risk Materiality
Audit Documentation
Key Concepts
Understanding Entity and Assess Risks
Perform Procedures
Considering Fraud
Methodology
Internal Controls
Specific Instructions
Planning
Analytical Procedures
Estimates
Etc.
6
SAS No. 104

• Amendment to Statement on Auditing Standards No.
  1, Codification of Auditing Standards and
  Procedures (Due Professional Care in the
  Performance of Work)
• Differs from the current standard in that it
  clarifies the meaning of reasonable assurance

7
Reasonable Assurance

• Under SAS No. 104, the term reasonable
  assurance is defined as a high level of
  assurance
• A high level of assurance does not increase the
  auditors responsibilities (the publics
  perception may be different)
• Reasonable assurance is high but not absolute

8
SAS No. 105

• Amendment to Statement on Auditing Standards No.
  95, Generally Accepted Auditing Standards.
• SAS No. 105 amends the 2nd 3rd standards of
  fieldwork

9

• Generally Accepted Auditing Standards, or GAAS,
  are ten auditing standards, developed by the
  AICPA, consisting of general standards, standards
  of field work, and standards of reporting, along
  with interpretations. They were developed by the
  AICPA in 1947.

10
GAAS

• General Standards
• Standards of Field Work
• The work is to be adequately planned and
  assistants, if any, are to be properly
  supervised.
• A sufficient understanding of internal control is
  to be obtained to plan the audit and to determine
  the nature, timing, and extent of tests to be
  performed.
• Sufficient competent evidential matter is to be
  obtained through inspection, observation,
  inquiries, and confirmations to afford a
  reasonable basis for an opinion regarding the
  financial statements under audit.
• Standards of Reporting

11
New SAS No.105 Requirement

• Must understand the audited entity and its
  environment, including internal control, to
  assess risk and appropriately respond
• This understanding is more in-depth than that
  previously required
• Previously, the understanding of the audited
  entity was part of audit planning now it is to
  assess risk of material misstatement
• The term further audit procedures (consists of
  tests of controls substantive tests) replaces
  the term test to be performed in recognition
  that risk assessment procedures are also
  performed
• The term evidence replaces the term evidential
  matter

12
Result of Change

• Will need to replace generic audit programs with
  tailored audit programs
• Steer away from relying on the canned programs
  without individualizing
• Tailor program to connect with risks of a
  particular client

13
SAS No. 106

• Audit Evidence
• Supersedes the guidance in SAS No. 31, Evidential
  Matter
• SAS No. 106 defines the term audit evidence and
  provides guidance on its reliability (relating to
  the 3rd standard of field work)

14
Higher Evidentiary Standard

• Replacement of competent evidence by
  appropriate evidence
• Still goes back to professional judgment proper
  documentation
• Appropriate is considered a higher-level when
  compared to competent
• A new terms, sufficient appropriate audit
  evidence replaces sufficient competent evidence

15
Other SAS No. 106 Differences

• SAS No. 106 recategorizes assertions to add
  clarity
• The term, relevant assertions is new and used
  repeatedly throughout SAS No. 106.

16
Categories of Assertions

• Classes of transactions
• Occurrence - Cutoff
• Completeness - Classification
• Accuracy
• Account balances at report date
• Existence - Completeness
• Rights obligations - Valuation allocation
• Presentation and disclosure
• Occurrence rights obligations
• Completeness
• Classification understandability
• Accuracy valuation
• Coves Completeness, rights obligations,
  valuation or allocation, existence or occurrence,
  stmt presentation disclosure.

17
Warning!

• Inquiry alone is not sufficient to determine
  whether a control has been implemented

18
Audit Evidence Disclosures

• SAS No. 106 requires that disclosures should be
  expressed clearly
• Third parties should be able to understand

19
SAS No. 107

• Audit Risk and Materiality in Conducting an Audit
• Differs from previous standards in that must
  consider audit risk instead of should consider
  audit risk

20
Materiality

• The auditor during the planning stage must
  determine materiality
• Materiality is set based on the auditors
  perception of the perspective of a reasonable
  user of the financial statements

21
Risk

• The auditor must assess risk
• The auditor must assess
• Inherent risk
• Control risk
• Combined risk
• Combined assessment of inherent and control risk
  reflect the RMM

22
Question?

• What if you have an account with a complex nature
  but it has never had an error. Can you say low
  inherent risk?
• Answer No, still say that it is still an
  inherently riskier account. But, its a judgment
  call.
• Its the potential for a problem!

23
Control Risk

• Control risk deals with the underlying process
  routine, non-routine, and estimation transactions
• Controls are identified and their design
  effectiveness evaluated
• For now, the auditor may presume controls are
  operating effectively and test them later (for
  planning purposes)

24
Combined Risk

• The combined risk is the assessment of the
• (1) inherent risk and the (2) control risk
• Trying to have an assessment of the operating
  effectiveness of the company

25
Significant Risks Requiring Special Consideration

• Complex transactions (e.g. debt with beneficial
  conversion) or calculations (stock compensation
  expense)
• Related-party transactions
• Fraud
• Highly subjective estimates related assumptions
  (e.g. asset impairments)
• Significant non-routine transactions (e.g.
  discontinuing operations)
• Manual intervention

26
Responses to High Risk

• Assign more experienced staff
• Increase professional skepticism
• Increase supervision and review
• Use specialists (if applicable)
• Perform procedures nearer to year-end
• Increase sample sizes
• Perform more extensive procedures
• For unexpected error, revise the risk assessment

27
No Default to Maximum Risk!

• It is no longer permissible for an auditor to
  default to a maximum control risk

28
Errors

• The auditor must identify known and likely
  errors, communicate them to management, and
  request an appropriate response
• Need to identify trivial errors, but not
  communicate them to management
• Evaluating errors requires experience and
  exercise of professional judgment

29
SAS No. 108

• Planning and Supervision
• Recodification
• SAS No. 108 mostly is a consolidation from
  existing standards combines SAS No. 1 22
• Engagement Letter
• The auditor should obtain an engagement letter
• The term should indicates a presumptively
  mandatory requirement
• Emphasis is on engagement letter and continued
  planning supervision throughout the audit.

30
SAS No. 109

• Understanding the Entity and Its Environment
  and Assessing the Risks of Material Misstatement

31
Understanding and Assessing

• SAS No. 109 describes the procedures the auditor
  should perform to understand the entity and its
  environment, including internal control
• Understanding the entity is absolutely required

32
Procedures to Gather an Understanding

• Inquiries
• Observation
• Inspection
• Analytical procedures
• Note that the previous standards did not describe
  the procedures that should be performed to gain
  an understanding of the client.
• SAS No. 109 also requires a brainstorming
  session to discuss the risk of material
  misstatements (along with the risk of detecting
  fraud).

33
Risk of Material Misstatement (RMM)

• RMM is assessed at the financial statement level
  and at the assertion level
• Evaluation Guidance
• SAS No. 109 provides guidance on evaluating
  control design implementation
• Control Implementation
• The auditor is required to determine that
  controls are implemented . . . . Walk-throughs
  are required!

34
Other SAS No. 109 Differences

• The auditor should gain an understanding on all
  significant risks
• Previous standard did not include concept of
  significant risks and significant risks exist
  on most engagements

35
SAS No. 110

• Performing Audit Procedures in Response to
  Assessed Risks and Evaluating the Audit Evidence
  Obtained
• SAS No. 110 provides guidance on the
• Overall response to RMM at the financial
  statement level
• Response to RMM at the assertion level

36
Clear Link Requirement

• The auditor is required to provide a clear link
  between understanding the entity, how the risk
  was assessed, and the design of the tailored
  procedures
• Document the linkage between audit risks
  further audit procedures (not previously required)

37
Substantive Procedures

• The auditor should perform substantive procedures
  to test
• Classes of transactions
• Account balances
• Disclosures
• Nature, timing, and extent of tests of controls
  and substantive tests has been expanded greatly
• States that you should perform certain
  substantive procedures on ALL engagements
  regardless of material misstatement risk
  assessment. These include
• Each material class of transactions
• Each material account balance (previously
  listed)
• Disclosure
• Agreeing financial statements including notes to
  the underlying accounting records
• Examining material journal entries and other
  adjustment made during the course of preparing
  the financial statements.

38
SAS No. 111

• Amendment to Statement on Auditing Standards No.
  39, Audit Sampling

39
Tolerable Misstatement(TM)

• SAS No. 111 provides guidance on TM
• TM should be less than planning materiality, i.e.
  TM lt PM

40

• How do the new standards fit into
• the typical audit process?

41
The Audit Process

• Audit planning
• Internal control documentation
• Assessing risk and defining risk-specific
  procedures
• Interim and year-end testing
• The Audit wrap-up

42
1. Planning Activities Affected

• Estimating planning materiality and tolerable
  misstatement
• Conducting the audit team meetings on assessing
  risk and fraud-specific risk
• Assessing risk of material misstatement at the
  entity level
• Developing an overall audit strategy
• Establishing an understanding with the client

43
Procedures for Understanding Your Client

• Make inquiries of management others (accounting
  non-accounting personnel)
• Perform analytical review procedures
• Observe operations and activities
• Inspect documents
• Minutes
• Financial statements

44
Planning Materiality

• Planning materiality (PM) is the maximum
  misstatement of financial statements without
  causing a reasonable persons judgment about them
  to be significantly changed or influenced.

45
Factors to Consider

• Materiality is both qualitative quantitative
• Doesnt have to change a decision but a third
  party would want to know the information as part
  of decision-making process
• Use professional judgment to determine most
  likely user of the financial statements
• Still use sliding scales or percentages or ranges
• Consider significant and/or unusual changes (i.e.
  extraordinary items or discontinued items)

46
Tolerable Misstatement (TM)

• Planning materiality applies to financial
  statements taken as a whole
• Remember TM lt PM
• Sampling creates a risk of undetected errors
• TM is the maximum error in the population that
  the auditor is willing to accept
• TM affects sample sizes
• Test all items in a population that are gt TM
• Note ISI or individually significant items
  isnt a term that shows up in the new standards.
  Sort of talks around suggests lowering TM to
  capture potential ISIs.

47
2. Internal Control Documentation

• Predicted to add significantly to the cost of the
  audit
• Similar to that used by issuer entities under SOX
  requirements
• Documentation cannot be based on inquiry alone
• Still compelled to go through the 5 elements of
  IC but the method to do that is different now
• IC documentation relates to SAS Nos. 105, 106 109
  and 110

48
Documentation Process Allows

• the client to prepare the documentation to
  describe the IC processes.

49
Audit Program Best Practices

• Make audit program specific to the client
• Clearly describes the procedures to be performed
• Tailor it in plain English so that the individual
  can relate the requirement to what they just did
• Identify the sample size
• Set the timing of the audit or the period of time
  to be covered

50
3. Assess Risks and Design Procedures
51
Most Important

• The risk that we express an opinion that says the
  financial statements are fairly stated when in
  fact they are not!

52
4. Interim and Year-End Testing
53
Interim Testing Considerations

• The results of tests of controls
• Length of remaining period
• Results of substantive procedures
• Changes in processes and controls
• The nature of the account and the extent it is
  subject to estimates and assumptions

54
Sufficiency of Audit Evidence

• A matter of professional judgment
• The audit program specifies the extent of testing
• Relevance reliability

55
5. The Audit Wrap-Up
56

• The AICPA expects this to be one area that well
  do a better job because of the standards.

57

• Additional Standards

58
SAS No. 103

• Audit Documentation
• Report Release Date
• The date that the audit report is delivered or
  mailed to the client

59
SAS No. 112

• Communicating Internal Control Related Matters
  Identified in an Audit
• Supersedes SAS No. 60, Communication of Internal
  Control Related Matters Noted in an Audit
• SAS No. 112 is effective for periods ending on or
  after December 31, 2006

60

• The hope behind the new risk assessment standards
  is a more rigorous audit process that is more
  consistent
• across firms,
• within firms and
• across engagements

61
Recommendations for Auditors

• Conduct training sessions with the staff early
• Consider implementing some of the new standards
  early
• Discuss the new standards with clients, lenders,
  investors, sureties, bonding companies, and other
  interested third parties

62

• The End

63
(No Transcript)
64
(No Transcript)