The Risk Assessment Standards A High Level Overview by Chuck Landes, CPA AICPA VP Professional Stand

1
The Risk Assessment Standards A High Level
Overviewby Chuck Landes, CPAAICPA VP
Professional Standards

2
Presentation Objectives

• Discuss the background and the reasons why the
  SASs were issued.
• Discuss how the SASs affect existing practice.
• Provide an overview of the SASs.

3
Risk Assessment Standards

• The risk assessment standards consist of
• SAS No. 104, Amendment to Statement on Auditing
  Standards No. 1
• SAS No. 105, Amendment to Statement on Auditing
  Standards No. 95, Generally Accepted Auditing
  Standards
• SAS No. 106, Audit Evidence
• SAS No. 107, Audit Risk and Materiality in
  Conducting an Audit (Audit Risk and Materiality)
• SAS, No. 108, Planning and Supervision
• SAS No. 109, Understanding the Entity and Its
  Environment and Assessing the Risks of Material
  Misstatement (Assessing Risks)
• SAS No. 110, Performing Audit Procedures in
  Response to Assessed Risks and Evaluating the
  Audit Evidence Obtained (Performing Procedures)
• SAS No. 111, Amendment to Statement on Auditing
  Standards No. 39, Audit Sampling

4
Risk Assessment Standards

• Why issued? The ASB believes that the SASs
  represent a significant strengthening of auditing
  standards which in turn will improve the quality
  of audits conducted under these standards
• Much of SAS 99 theory originated in our
  deliberations over risk assessment standards

5
Background

• The objectives of the SASs are to improve audit
  effectiveness by requiring
• A more in-depth understanding of the entity and
  its environment, including its internal control.
• More rigorous assessment of the risks of material
  misstatement (whether caused by error or fraud)
  of the financial statements.
• A linkage between the assessed risks and the
  nature, timing, and extent of audit procedures
  performed in response to those risks.

6
Risk Assessment Standards

• Enhances the auditors application of the audit
  risk model in practice by requiring
• More in-depth understanding of the entity and its
  environment, including its internal control to
  better understand where risks of misstatements
  are higher
• May require greater understanding of internal
  control design and implementation of controls
• Ability to default to maximum control risk
  assessment removed
• Improved linkage between the assessed risks and
  the nature, timing, and extent of audit
  procedures performed

7
Risk Assessment Standards

• Enhances the auditors application of the audit
  risk model
• AR CR x IR x DR
• CR x IR RMM
• AR Audit Risk
• CR Control Risk
• IR Inherent Risk
• DR Detection Risk
• RMM risk of material misstatement

8
Risk Assessment Standards

• Internal Control Framework is unchanged

9
Risk Assessment Standards

• New requirement auditors should obtain a
  sufficient understanding of internal control over
  financial reporting to
• Assess strength of design of controls
• Determine whether controls were placed in
  operation

10
Risk Assessment Standards

• The auditor should assess the risks of material
  misstatement at the financial statement level and
  at the relevant assertion level on all audits
  based on the understanding obtained

11
Risk Assessment Standards

• New Assertion Framework

12
Risk Assessment Standards

• Identifying risks through considering
• The entity and its environment, including its
  internal control
• Classes of transactions, account balances, and
  disclosures
• Relating the identified risks to what could go
  wrong at the relevant assertion level
• Significant risks1
• 1SAS 109, Assessing Risks, paragraphs 102-121

13
Risk Assessment Standards
14
Risk Assessment Standards

• Testing of controls is encouraged
• The requirement to link assessed risks and the
  audit procedures responsive to those risks is
  improved
• Risk assessment is a continuous process, not a
  series of discrete stages

15
Risk Assessment Standards

• Perform further audit procedures that are clearly
  linked to risks at the relevant assertion level
  by
• Performing tests of the operating effectiveness
  of controls
• Performing substantive procedures
• Evaluating the adequacy of presentation and
  disclosure1
• 1SAS 110, Performing Procedures SAS, paragraphs
  23-68
• Evaluate whether sufficient competent audit
  evidence has been obtained2
• 2SAS 110, Performing Procedures, paragraphs 70-76

16
Risk Assessment Standards

• Greater emphasis is placed on testing of
  disclosures
• Guidance on evaluating audit findings is
  clarified and expanded
• Documentation requirements are significantly
  expanded

17
Significant Changes to Existing Practices

• Identifying and assessing the risks of material
  misstatements at both the financial statement
  level and the relevant assertion level by
  performing risk assessment procedures.
• Designing and performing tailored further audit
  procedures responsive to assessed risks at the
  relevant assertion level
• Linkage of audit procedures to the risk of
  material misstatement.

18
Overview of SASs

• SAS No. 104, Amendment to SAS No. 1
• SAS No. 104 expands the definition of reasonable
  assurance as a high level of assurance

19
Overview of SASs

• SAS No. 105, Amendment to SAS 95, Generally
  Accepted Auditing Standards
• Internal control is replaced by the entity and
  its environment, including its internal control
• Further audit procedures replaces tests to be
  performed
• Audit evidence replaces evidential matter
• Reflects new usage of terms required by SAS No.
  102.

20
Overview of SASs

• SAS No. 106, Audit Evidence
• (Amends SAS 31)
• The auditor must obtain sufficient audit
  evidence by performing audit procedures to afford
  a reasonable basis for an opinion regarding the
  financial statements under audit.

21
Overview of SASs

• SAS No. 106, Audit Evidence
• Audit evidence is all the information used by the
  auditor in arriving at the conclusions on which
  the audit opinion is based and includes
• Entitys accounting records,
• Confirmations,
• Minutes,
• Industry reports,
• Audit procedures such as inquiries, observations,
  inspections, etc.

22
Overview of SASs

• SAS No. 106, Audit Evidence
• Audit Procedures
• Risk Assessment Procedures
• Inquiries
• Analytical procedures
• Inspection and observation
• Further Audit Procedures
• Test of controls
• Substantive procedures
• Test of details
• Substantive analytical procedures

23
Overview of SASs

• SAS No. 106, Audit Evidence
• The use of assertions in obtaining audit evidence
  these are managements implicit or explicit
  assertions regarding the recognition,
  measurement, presentation and disclosure of
  information in the financial statements and
  related disclosures.

24
Overview of SASs

• SAS No. 106, Audit Evidence (continued)
• Categories of Assertions
• Classes of transactions
• Account balances
• Presentation and disclosure

25
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
• (Amends SAS 47)
• The auditors should perform the audit to reduce
  audit risk to a low level that is (in his or her
  judgment) appropriate for expressing an opinion
  on the financial statements.

26
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• The auditor should consider audit risk at both
• Overall financial statement level
• Assertion level

27
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Financial statement level risks include, for
  example
• Fraud
• Incompetent management
• Related party transactions

28
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• At the account balance, class of transactions, or
  disclosure level, audit risk consists of
• Combined risk assessment, which consists of
• Inherent risk
• Control risk
• Detection risk

29
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• The auditor should assess the risk of material
  misstatement at the relevant assertion level as a
  basis for further audit procedures.
• The auditor should have an appropriate basis for
  this assessment.

30
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• The determination of materiality is a matter of
  professional judgment.

31
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• The auditor determines materiality to
• Perform risk assessment procedures,
• Identify and assess the risks of material
  misstatement,
• Design and perform further audit procedures,
• Evaluate whether the financial statements taken
  as a whole are presented fairly.

32
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• An auditor uses benchmarks to determine
  materiality. Examples are
• Total revenues
• Profit before taxes
• Total assets
• Net assets

33
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Tolerable Misstatement (or error)is the maximum
  error in a population (e.g., the class of
  transactions or account balance) that the auditor
  is willing to accept.
• Tolerable misstatement is used to design
  substantive procedures.

34
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Example of the use of tolerable misstatement in
  designing substantive procedures

35
Overview of SASs

• Example of the use of tolerable misstatement
  (continued)

36
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• The auditor should reassess the materiality
  determined during the planning process. Failure
  to do so may result in inadequate audit
  procedures.

37
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• The auditor must accumulate
• Known misstatements - these are specific
  misstatements arising from the incorrect
  selection or misapplication of accounting
  principles or misstatements of facts identified
  during the audit.
• Likely misstatements these are misstatements
  that include
• Audit differences involving auditing estimates
  and
• Projected misstatements based on extrapolation of
  audit evidence.

38
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Auditors responses to identified misstatements

39
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Evaluating audit findings the auditor must
  consider the effect (individually and in the
  aggregate) of misstatements (known and likely)
  identified by the auditor that are not corrected
  by management.

40
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Iron Curtain vs. Rollover
• The SEC has undertaken a project to study this
  issue and its findings are expected soon.
• Guidance in SAS No. 107 is neutral until
  accounting is settled.

41
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Qualitative considerations. Examples are
• Potential effect on trends
• Changes bottom line
• Potential effect on loan covenants
• Increases managements compensation
• Likelihood that misstatement may become material
  in future periods

42
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Other considerations
• Managements bias
• Undetected misstatements

43
Overview of SASs

• SAS No. 107, Audit Risk and Materiality
  (continued)
• Documentation
• Levels of materiality and tolerable
  misstatements, including changes thereto, and the
  basis used.
• Uncorrected misstatements (known and likely)
• Conclusion on uncorrected misstatements
• Misstatements identified by auditor and corrected
  by management
• Uncorrected misstatements should be documented in
  a manner that
• identifies known and likely, including
  misstatements identified in prior periods
• aggregates effect of misstatements
• demonstrates qualitative considerations.

44
Overview of SASs

• SAS No. 108, Planning and Supervision
• (Amends SAS 1 and SAS 22)
• The auditor must adequately plan the work and
  must properly supervise any assistants.

45
Overview of SASs

• SAS No. 108, Planning and Supervision (continued)
• SAS No. 108 discusses
• Appointment of the independent auditor,
• Establishing a written understanding with the
  client,
• Preliminary engagement activities,
• The overall audit strategy,
• The audit plan,
• Determining the extent of involvement of
  specialists,
• Additional considerations in initial audit
  engagements.

46
Overview of SASs

• SAS No. 109, Assessing Risks
• The auditor must obtain a sufficient
  understanding of the entity and its environment,
  including its internal control, to assess the
  risk of material misstatement of the financial
  statements whether due to error or fraud, and to
  design the nature, timing, and extent of further
  audit procedures.

47
Risk Assessment Overview
New Process
Inquiries
Analytical Procedures
Brainstorming
Fraud Risk Factors
Other
Risk Assessment
Respond
48
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Risk assessment procedures and sources of
  information about the entity and its internal
  control are
• Inquiries
• Analytical procedures
• Observation and inspection
• Discussion among audit team

49
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Inquiries of management may be directed toward
• External parties for example, legal counsel,
  bankers, valuation experts, etc.
• Internal for example those charged with
  governance, internal audit, employees other than
  accounting personnel, in-house counsel, etc.

50
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Analytical Procedures
• Use guidance of SAS 56, Analytical Procedures
• Helpful In identifying unusual transactions or
  events
• Assist in determining amounts, ratios, trends in
  the financial statements

51
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Observation and inspection include
• Inspection of documents and manuals (for example
  accounting or internal control)
• Reading internal reports and minutes
• Visit premises and plant facilities
• Tracing transactions through systems

52
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• The auditor should consider the results of the
  fraud risk assessment performed during planning
  along with other information gathered in
  identifying the risks of material misstatements.

53
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Discussion among audit team
• Can be held at the same time as the discussion
  specified in SAS 99.
• Objective is for members to gain a better
  understanding of the potential for material
  misstatements.
• An opportunity for more experienced members to
  share their insights.

54
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Understanding the entity and its environment,
  including its internal control.
• Industry, regulatory, and other external factors
• Nature of the entity
• Objectives and strategies and the related
  business risks that may result in a material
  misstatement of the financial statements
• Measurement and review of the entity's financial
  performance
• Internal control

55
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Internal control (same as SAS 55)

56
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• The auditor should obtain a sufficient
  understanding of internal controls to
• Evaluate the design of controls relevant to the
  audit,
• Determine whether the controls have been
  implemented.

57
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• The auditor should perform risk assessment
  procedures to obtain an understanding of internal
  control. Procedures include observation,
  inspection, or performing walkthroughs.
• Inquiry alone is not sufficient to evaluate the
  design of controls and whether they have been
  implemented.

58
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• The auditor should identify and assess the risks
  of material misstatements at
• Financial statement level
• The relevant assertion level

59
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Assessing the risk of material misstatements
• Identify risks throughout the process of
  obtaining an understanding of the entity and its
  environment,
• Relate the identified risks to what can go wrong
  at the relevant assertion level,

60
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• The auditor should use the risk assessment to
  determine the nature, timing and extent of the
  further audit procedures to be performed.
• When the risk assessment is based on an
  expectation that controls are operating
  effectively, the auditor should perform tests of
  controls.

61
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Significant risks
• Require special audit consideration
• Different than high inherent risk
• Often relate to significant nonroutine
  transactions and judgmental matters

62
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• The initial assessment of the risks of material
  misstatement may change as additional audit
  evidence is obtained. For example
• The results of test of controls indicate that the
  controls may not be operating as expected.
• Substantive audit procedures detect misstatements
  greater or more frequent than the auditors risk
  assessment.

63
Overview of SASs

• SAS No. 109, Assessing Risks (continued)
• Documentation
• Discussion among audit team
• Key elements of the understanding obtained
• Assessment of the risks of material misstatements
• The risks identified and related controls

64
Overview of SASs

• SAS No. 110, Performing Procedures
• (together with Assessing Risks amend SAS 55)
• The auditor must obtain sufficient appropriate
  audit evidence through audit procedures performed
  to afford a reasonable basis for an opinion
  regarding the financial statements taken as a
  whole.

65
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• SAS No. 110 provides guidance on
• Determining overall responses
• Designing and performing further audit procedures

66
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Overall responses may include
• Exercising professional skepticism
• Assigning more experienced personnel
• Changing the timing and extent of audit
  procedures
• Using specialists

67
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• The auditor should design and perform further
  audit procedures that are responsive to the
  assessed risk at the relevant assertion level.
• The purpose is to provide a clear linkage between
  the risk assessments and the further audit
  procedures.

68
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Audit Approach
• The auditor should have an appropriate basis for
  the audit approach.
• Defaulting to a maximum control risk without an
  appropriate basis is no longer permitted.

69
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Considering the nature, timing and extent of
  further audit procedures.

70
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Nature
• Refers to the purpose of further audit procedures
  (test of controls or substantive procedures) and
  their type.
• The auditors selection of audit procedures is
  based on the risk of material misstatement at the
  relevant assertion level.
• The auditor should test the accuracy and
  completeness of information produced by the
  system when that information is used in
  performing audit procedures.

71
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Timing
• Auditors may perform procedures at an interim
  period date.

72
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Extent
• This is matter for professional judgment.
• Factors include tolerable misstatement, assessed
  risks of material misstatement and the degree of
  assurance the auditor plans to obtain.

73
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Test of controls must be tested
• Auditors risk assessment includes an expectation
  of the operating effectiveness of controls, or
• Substantive procedures alone do not provide
  sufficient audit evidence

74
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Test of Controls may be rotated
• The auditor should test the operating
  effectiveness of controls at least every three
  years in an annual audit
• The auditor should update his or her
  understanding to ensure controls have not changed
• If the auditor plans to rely on control that have
  changed, the auditor should test the controls

75
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• If the auditor plans to rely on controls that
  mitigate significant risks, the auditor needs to
  test those controls in the current period, that
  is, these controls cannot be rotated.

76
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Regardless of the assessed risk of material
  misstatement, the auditor should design and
  perform substantive procedures for all relevant
  assertions related to each material class of
  transactions, account balance and disclosure.

77
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Substantive procedures should include
• agreeing financial statements to the underlying
  records
• examining material journal entries

78
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• For significant risks, the auditor should design
  and perform audit procedures responsive to that
  risk.
• Procedures may consist of test of details and
  substantive analytical procedures.
• Substantive analytical procedures alone are not
  sufficient to respond to significant risks.

79
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Timing of substantive procedures
• Performing procedures at an interim date
• When substantive procedures are performed at an
  interim date, the auditor should perform further
  audit procedures to cover the remaining period.

80
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Extent of substantive procedures
• The greater the risk of material misstatement,
  the less detection risk that can be accepted
  consequently, the greater the extent of
  substantive procedures.

81
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Adequacy of presentation and disclosure

82
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Evaluating the sufficiency and appropriateness of
  the audit evidence obtained
• Auditors need to reassess the assessment of the
  risk of material misstatement
• Auditors need to determine whether the tests of
  controls performed provide an adequate basis for
  reliance.
• Auditors should not assume that instances of
  fraud or errors are isolated.

83
Overview of SASs

• SAS No. 110, Performing Procedures (continued)
• Documentation
• Overall responses,
• Nature, timing and extent of further audit
  procedures,
• Linkage,
• Results of the audit procedures,
• Conclusion reached with regard to the use of
  audit evidence about the operating effectiveness
  of controls obtained in a prior audit.

84
Overview of SASs

• SAS No. 111 provides enhanced guidance on
  tolerable misstatement. In general, tolerable
  misstatement in an account should be less than
  materiality to allow for aggregation in final
  assessment.
• Ordinarily sample sizes for non-statistical
  samples are comparable to sample sizes for an
  efficient and effectively designed statistical
  sample with the same sampling parameters.

85
Risk Assessment Standards

• Resources available
• Audit Guide Assessing and Responding to Audit
  Risk in a Financial Statement Audit
• Audit Risk Alert Issued in March 2006
• CPE Courses
• Visit http//pcps.aicpa.org/Resources/KeepingUpW
  ithStandards/RiskAssessmentStandardsImplementa
  tionGuidance.htm for the PCPS Risk Assessment
  Toolkit and links to other valuable resources.

86
Concluding Remarks

• To keep abreast of other ASB projects, please
  visit our website
• http//www.aicpa.org/members/div/auditstd/index.h
  tm
• If you have a question about Audit and Attest
  Standards, please call our Technical Hotline
• (888) 777-7077

87
Questions?