Title: The Risk Assessment Standards A High Level Overview by Chuck Landes, CPA AICPA VP Professional Stand
1The Risk Assessment Standards A High Level
Overviewby Chuck Landes, CPAAICPA VP
Professional Standards
2Presentation Objectives
- Discuss the background and the reasons why the
SASs were issued. - Discuss how the SASs affect existing practice.
- Provide an overview of the SASs.
3Risk Assessment Standards
- The risk assessment standards consist of
- SAS No. 104, Amendment to Statement on Auditing
Standards No. 1 - SAS No. 105, Amendment to Statement on Auditing
Standards No. 95, Generally Accepted Auditing
Standards - SAS No. 106, Audit Evidence
- SAS No. 107, Audit Risk and Materiality in
Conducting an Audit (Audit Risk and Materiality) - SAS, No. 108, Planning and Supervision
- SAS No. 109, Understanding the Entity and Its
Environment and Assessing the Risks of Material
Misstatement (Assessing Risks) - SAS No. 110, Performing Audit Procedures in
Response to Assessed Risks and Evaluating the
Audit Evidence Obtained (Performing Procedures) - SAS No. 111, Amendment to Statement on Auditing
Standards No. 39, Audit Sampling
4Risk Assessment Standards
-
- Why issued? The ASB believes that the SASs
represent a significant strengthening of auditing
standards which in turn will improve the quality
of audits conducted under these standards - Much of SAS 99 theory originated in our
deliberations over risk assessment standards
5Background
- The objectives of the SASs are to improve audit
effectiveness by requiring - A more in-depth understanding of the entity and
its environment, including its internal control. - More rigorous assessment of the risks of material
misstatement (whether caused by error or fraud)
of the financial statements. - A linkage between the assessed risks and the
nature, timing, and extent of audit procedures
performed in response to those risks.
6Risk Assessment Standards
- Enhances the auditors application of the audit
risk model in practice by requiring - More in-depth understanding of the entity and its
environment, including its internal control to
better understand where risks of misstatements
are higher - May require greater understanding of internal
control design and implementation of controls - Ability to default to maximum control risk
assessment removed - Improved linkage between the assessed risks and
the nature, timing, and extent of audit
procedures performed
7Risk Assessment Standards
- Enhances the auditors application of the audit
risk model - AR CR x IR x DR
- CR x IR RMM
- AR Audit Risk
- CR Control Risk
- IR Inherent Risk
- DR Detection Risk
- RMM risk of material misstatement
8Risk Assessment Standards
- Internal Control Framework is unchanged
9Risk Assessment Standards
- New requirement auditors should obtain a
sufficient understanding of internal control over
financial reporting to - Assess strength of design of controls
- Determine whether controls were placed in
operation
10Risk Assessment Standards
- The auditor should assess the risks of material
misstatement at the financial statement level and
at the relevant assertion level on all audits
based on the understanding obtained
11Risk Assessment Standards
12Risk Assessment Standards
- Identifying risks through considering
- The entity and its environment, including its
internal control - Classes of transactions, account balances, and
disclosures - Relating the identified risks to what could go
wrong at the relevant assertion level - Significant risks1
- 1SAS 109, Assessing Risks, paragraphs 102-121
13Risk Assessment Standards
14Risk Assessment Standards
- Testing of controls is encouraged
- The requirement to link assessed risks and the
audit procedures responsive to those risks is
improved - Risk assessment is a continuous process, not a
series of discrete stages
15Risk Assessment Standards
- Perform further audit procedures that are clearly
linked to risks at the relevant assertion level
by - Performing tests of the operating effectiveness
of controls - Performing substantive procedures
- Evaluating the adequacy of presentation and
disclosure1 - 1SAS 110, Performing Procedures SAS, paragraphs
23-68 - Evaluate whether sufficient competent audit
evidence has been obtained2 - 2SAS 110, Performing Procedures, paragraphs 70-76
16Risk Assessment Standards
- Greater emphasis is placed on testing of
disclosures - Guidance on evaluating audit findings is
clarified and expanded - Documentation requirements are significantly
expanded
17Significant Changes to Existing Practices
- Identifying and assessing the risks of material
misstatements at both the financial statement
level and the relevant assertion level by
performing risk assessment procedures. - Designing and performing tailored further audit
procedures responsive to assessed risks at the
relevant assertion level - Linkage of audit procedures to the risk of
material misstatement.
18Overview of SASs
- SAS No. 104, Amendment to SAS No. 1
- SAS No. 104 expands the definition of reasonable
assurance as a high level of assurance
19Overview of SASs
- SAS No. 105, Amendment to SAS 95, Generally
Accepted Auditing Standards - Internal control is replaced by the entity and
its environment, including its internal control - Further audit procedures replaces tests to be
performed - Audit evidence replaces evidential matter
- Reflects new usage of terms required by SAS No.
102.
20Overview of SASs
- SAS No. 106, Audit Evidence
- (Amends SAS 31)
- The auditor must obtain sufficient audit
evidence by performing audit procedures to afford
a reasonable basis for an opinion regarding the
financial statements under audit.
21Overview of SASs
- SAS No. 106, Audit Evidence
- Audit evidence is all the information used by the
auditor in arriving at the conclusions on which
the audit opinion is based and includes - Entitys accounting records,
- Confirmations,
- Minutes,
- Industry reports,
- Audit procedures such as inquiries, observations,
inspections, etc.
22Overview of SASs
- SAS No. 106, Audit Evidence
- Audit Procedures
- Risk Assessment Procedures
- Inquiries
- Analytical procedures
- Inspection and observation
- Further Audit Procedures
- Test of controls
- Substantive procedures
- Test of details
- Substantive analytical procedures
23Overview of SASs
- SAS No. 106, Audit Evidence
- The use of assertions in obtaining audit evidence
these are managements implicit or explicit
assertions regarding the recognition,
measurement, presentation and disclosure of
information in the financial statements and
related disclosures.
24Overview of SASs
- SAS No. 106, Audit Evidence (continued)
- Categories of Assertions
- Classes of transactions
- Account balances
- Presentation and disclosure
25Overview of SASs
- SAS No. 107, Audit Risk and Materiality
- (Amends SAS 47)
-
- The auditors should perform the audit to reduce
audit risk to a low level that is (in his or her
judgment) appropriate for expressing an opinion
on the financial statements.
26Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - The auditor should consider audit risk at both
- Overall financial statement level
- Assertion level
27Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Financial statement level risks include, for
example - Fraud
- Incompetent management
- Related party transactions
28Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - At the account balance, class of transactions, or
disclosure level, audit risk consists of - Combined risk assessment, which consists of
- Inherent risk
- Control risk
- Detection risk
29Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - The auditor should assess the risk of material
misstatement at the relevant assertion level as a
basis for further audit procedures. - The auditor should have an appropriate basis for
this assessment.
30Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - The determination of materiality is a matter of
professional judgment.
31Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - The auditor determines materiality to
- Perform risk assessment procedures,
- Identify and assess the risks of material
misstatement, - Design and perform further audit procedures,
- Evaluate whether the financial statements taken
as a whole are presented fairly.
32Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - An auditor uses benchmarks to determine
materiality. Examples are - Total revenues
- Profit before taxes
- Total assets
- Net assets
33Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Tolerable Misstatement (or error)is the maximum
error in a population (e.g., the class of
transactions or account balance) that the auditor
is willing to accept. - Tolerable misstatement is used to design
substantive procedures.
34Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Example of the use of tolerable misstatement in
designing substantive procedures
35Overview of SASs
- Example of the use of tolerable misstatement
(continued)
36Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - The auditor should reassess the materiality
determined during the planning process. Failure
to do so may result in inadequate audit
procedures.
37Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - The auditor must accumulate
- Known misstatements - these are specific
misstatements arising from the incorrect
selection or misapplication of accounting
principles or misstatements of facts identified
during the audit. - Likely misstatements these are misstatements
that include - Audit differences involving auditing estimates
and - Projected misstatements based on extrapolation of
audit evidence.
38Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Auditors responses to identified misstatements
39Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Evaluating audit findings the auditor must
consider the effect (individually and in the
aggregate) of misstatements (known and likely)
identified by the auditor that are not corrected
by management. -
40Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Iron Curtain vs. Rollover
- The SEC has undertaken a project to study this
issue and its findings are expected soon. - Guidance in SAS No. 107 is neutral until
accounting is settled. -
41Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Qualitative considerations. Examples are
- Potential effect on trends
- Changes bottom line
- Potential effect on loan covenants
- Increases managements compensation
- Likelihood that misstatement may become material
in future periods -
42Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Other considerations
- Managements bias
- Undetected misstatements
-
43Overview of SASs
- SAS No. 107, Audit Risk and Materiality
(continued) - Documentation
- Levels of materiality and tolerable
misstatements, including changes thereto, and the
basis used. - Uncorrected misstatements (known and likely)
- Conclusion on uncorrected misstatements
- Misstatements identified by auditor and corrected
by management - Uncorrected misstatements should be documented in
a manner that - identifies known and likely, including
misstatements identified in prior periods - aggregates effect of misstatements
- demonstrates qualitative considerations.
-
44Overview of SASs
- SAS No. 108, Planning and Supervision
- (Amends SAS 1 and SAS 22)
- The auditor must adequately plan the work and
must properly supervise any assistants.
45Overview of SASs
- SAS No. 108, Planning and Supervision (continued)
- SAS No. 108 discusses
- Appointment of the independent auditor,
- Establishing a written understanding with the
client, - Preliminary engagement activities,
- The overall audit strategy,
- The audit plan,
- Determining the extent of involvement of
specialists, - Additional considerations in initial audit
engagements.
46Overview of SASs
- SAS No. 109, Assessing Risks
- The auditor must obtain a sufficient
understanding of the entity and its environment,
including its internal control, to assess the
risk of material misstatement of the financial
statements whether due to error or fraud, and to
design the nature, timing, and extent of further
audit procedures.
47Risk Assessment Overview
New Process
Inquiries
Analytical Procedures
Brainstorming
Fraud Risk Factors
Other
Risk Assessment
Respond
48Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Risk assessment procedures and sources of
information about the entity and its internal
control are - Inquiries
- Analytical procedures
- Observation and inspection
- Discussion among audit team
49Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Inquiries of management may be directed toward
- External parties for example, legal counsel,
bankers, valuation experts, etc. - Internal for example those charged with
governance, internal audit, employees other than
accounting personnel, in-house counsel, etc.
50Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Analytical Procedures
- Use guidance of SAS 56, Analytical Procedures
- Helpful In identifying unusual transactions or
events - Assist in determining amounts, ratios, trends in
the financial statements
51Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Observation and inspection include
- Inspection of documents and manuals (for example
accounting or internal control) - Reading internal reports and minutes
- Visit premises and plant facilities
- Tracing transactions through systems
52Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- The auditor should consider the results of the
fraud risk assessment performed during planning
along with other information gathered in
identifying the risks of material misstatements. -
53Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Discussion among audit team
- Can be held at the same time as the discussion
specified in SAS 99. - Objective is for members to gain a better
understanding of the potential for material
misstatements. - An opportunity for more experienced members to
share their insights.
54Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Understanding the entity and its environment,
including its internal control. - Industry, regulatory, and other external factors
- Nature of the entity
- Objectives and strategies and the related
business risks that may result in a material
misstatement of the financial statements - Measurement and review of the entity's financial
performance - Internal control
55Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Internal control (same as SAS 55)
56Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- The auditor should obtain a sufficient
understanding of internal controls to - Evaluate the design of controls relevant to the
audit, - Determine whether the controls have been
implemented.
57Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- The auditor should perform risk assessment
procedures to obtain an understanding of internal
control. Procedures include observation,
inspection, or performing walkthroughs. - Inquiry alone is not sufficient to evaluate the
design of controls and whether they have been
implemented.
58Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- The auditor should identify and assess the risks
of material misstatements at - Financial statement level
- The relevant assertion level
59Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Assessing the risk of material misstatements
- Identify risks throughout the process of
obtaining an understanding of the entity and its
environment, - Relate the identified risks to what can go wrong
at the relevant assertion level,
60Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- The auditor should use the risk assessment to
determine the nature, timing and extent of the
further audit procedures to be performed. - When the risk assessment is based on an
expectation that controls are operating
effectively, the auditor should perform tests of
controls.
61Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Significant risks
- Require special audit consideration
- Different than high inherent risk
- Often relate to significant nonroutine
transactions and judgmental matters
62Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- The initial assessment of the risks of material
misstatement may change as additional audit
evidence is obtained. For example - The results of test of controls indicate that the
controls may not be operating as expected. - Substantive audit procedures detect misstatements
greater or more frequent than the auditors risk
assessment.
63Overview of SASs
- SAS No. 109, Assessing Risks (continued)
- Documentation
- Discussion among audit team
- Key elements of the understanding obtained
- Assessment of the risks of material misstatements
- The risks identified and related controls
64Overview of SASs
- SAS No. 110, Performing Procedures
- (together with Assessing Risks amend SAS 55)
- The auditor must obtain sufficient appropriate
audit evidence through audit procedures performed
to afford a reasonable basis for an opinion
regarding the financial statements taken as a
whole.
65Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- SAS No. 110 provides guidance on
- Determining overall responses
- Designing and performing further audit procedures
-
66Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Overall responses may include
- Exercising professional skepticism
- Assigning more experienced personnel
- Changing the timing and extent of audit
procedures - Using specialists
67Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- The auditor should design and perform further
audit procedures that are responsive to the
assessed risk at the relevant assertion level. - The purpose is to provide a clear linkage between
the risk assessments and the further audit
procedures.
68Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Audit Approach
- The auditor should have an appropriate basis for
the audit approach. - Defaulting to a maximum control risk without an
appropriate basis is no longer permitted. -
69Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Considering the nature, timing and extent of
further audit procedures.
70Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Nature
- Refers to the purpose of further audit procedures
(test of controls or substantive procedures) and
their type. - The auditors selection of audit procedures is
based on the risk of material misstatement at the
relevant assertion level. - The auditor should test the accuracy and
completeness of information produced by the
system when that information is used in
performing audit procedures.
71Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Timing
- Auditors may perform procedures at an interim
period date.
72Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Extent
- This is matter for professional judgment.
- Factors include tolerable misstatement, assessed
risks of material misstatement and the degree of
assurance the auditor plans to obtain.
73Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Test of controls must be tested
- Auditors risk assessment includes an expectation
of the operating effectiveness of controls, or - Substantive procedures alone do not provide
sufficient audit evidence -
74Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Test of Controls may be rotated
- The auditor should test the operating
effectiveness of controls at least every three
years in an annual audit - The auditor should update his or her
understanding to ensure controls have not changed - If the auditor plans to rely on control that have
changed, the auditor should test the controls -
75Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- If the auditor plans to rely on controls that
mitigate significant risks, the auditor needs to
test those controls in the current period, that
is, these controls cannot be rotated.
76Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Regardless of the assessed risk of material
misstatement, the auditor should design and
perform substantive procedures for all relevant
assertions related to each material class of
transactions, account balance and disclosure. -
77Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Substantive procedures should include
- agreeing financial statements to the underlying
records - examining material journal entries
-
78Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- For significant risks, the auditor should design
and perform audit procedures responsive to that
risk. - Procedures may consist of test of details and
substantive analytical procedures. - Substantive analytical procedures alone are not
sufficient to respond to significant risks. -
79Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Timing of substantive procedures
- Performing procedures at an interim date
- When substantive procedures are performed at an
interim date, the auditor should perform further
audit procedures to cover the remaining period. -
80Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Extent of substantive procedures
- The greater the risk of material misstatement,
the less detection risk that can be accepted
consequently, the greater the extent of
substantive procedures. -
81Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Adequacy of presentation and disclosure
-
82Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Evaluating the sufficiency and appropriateness of
the audit evidence obtained - Auditors need to reassess the assessment of the
risk of material misstatement - Auditors need to determine whether the tests of
controls performed provide an adequate basis for
reliance. - Auditors should not assume that instances of
fraud or errors are isolated. -
83Overview of SASs
- SAS No. 110, Performing Procedures (continued)
- Documentation
- Overall responses,
- Nature, timing and extent of further audit
procedures, - Linkage,
- Results of the audit procedures,
- Conclusion reached with regard to the use of
audit evidence about the operating effectiveness
of controls obtained in a prior audit. -
84Overview of SASs
- SAS No. 111 provides enhanced guidance on
tolerable misstatement. In general, tolerable
misstatement in an account should be less than
materiality to allow for aggregation in final
assessment. - Ordinarily sample sizes for non-statistical
samples are comparable to sample sizes for an
efficient and effectively designed statistical
sample with the same sampling parameters.
85Risk Assessment Standards
- Resources available
- Audit Guide Assessing and Responding to Audit
Risk in a Financial Statement Audit - Audit Risk Alert Issued in March 2006
- CPE Courses
- Visit http//pcps.aicpa.org/Resources/KeepingUpW
ithStandards/RiskAssessmentStandardsImplementa
tionGuidance.htm for the PCPS Risk Assessment
Toolkit and links to other valuable resources.
86Concluding Remarks
- To keep abreast of other ASB projects, please
visit our website - http//www.aicpa.org/members/div/auditstd/index.h
tm - If you have a question about Audit and Attest
Standards, please call our Technical Hotline - (888) 777-7077
87Questions?