Note: This article is the fourth and last in a series about the AICPA’s new standard on auditor’s risk assessment. Read an overview of the new standard in part one.. Part two contains more information about inherent risk and significant risks under the new standard. Part three investigates IT and other technology-related considerations in the new standard.
How the new standard may affect an audit of financial statements from the auditee’s perspective.
The previous articles in this series discussed how the AICPA’s new standard on auditor’s risk assessment [Statement on Auditing Standards (SAS) No. 145] clarifies and enhances the requirements and guidance for the auditor’s risk assessment process. Since the Statements on Standards for Auditing Services guide auditors on how to conduct their audit engagements, if you’re the auditee rather than the auditor, many of the changes made by SAS No. 145 will be “behind the scenes.” However, you may notice some changes in the auditor’s performance during your next audit engagement.
For instance, the second article in this series discussed changes to the concepts of inherent risk and significant risks. That article mentioned it is the combination of likelihood and magnitude that matters when assessing inherent risk. Under SAS No. 145, a risk of material misstatement exists when the auditor determines there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and, if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude). The auditor will use the combination of the likelihood and magnitude of a possible misstatement in making a professional judgment about where a specific inherent risk falls on the spectrum of inherent risk.
This revised approach to risk assessment may result in your auditor focusing on different, possibly fewer, transaction classes, account balances, or disclosures compared to previous audits. For example, property and equipment may be material to your financial statements simply because it is a large account balance. However, based on the results of the auditor’s risk assessment procedures and professional judgment, the auditor may assess inherent risk relating to property and equipment assertions as remote, that is, there is not a reasonable possibility of a misstatement occurring. By definition, because there is not a reasonable possibility of a misstatement occurring, none of the property and equipment assertions are relevant assertions, and property and equipment would not be a significant transaction class, account balance, or disclosure for purposes of the audit. The auditor may conclude that the risk assessment procedures already performed are sufficient and no further audit procedures for property and equipment are considered necessary.
Auditors are also required to obtain an understanding of certain aspects of the components of the auditee’s system of internal control. While pre-SAS No. 145 guidance required auditors to obtain this understanding, SAS No. 145 provides more specific guidance on which controls are required to be specifically identified for evaluation of the control’s appropriate design and implementation.
“Gaining an understanding” means the auditor will perform procedures to become knowledgeably aware of your controls (i.e., your policies and procedures). Gaining an understanding does not require the auditor to make a “good or bad” or “effective or not effective” evaluation or determination about your system of internal control or specific controls. For example, in obtaining an understanding of your controls over cash, the auditor may inquire about what policies and procedures you have to capture, account for, and record cash. The auditor may also inquire about what controls you have in place to mitigate the theft of cash. At this point, the auditor is not making any type of evaluation or determination about whether these policies and procedures are effective or not effective. The auditor is simply understanding what is or is not present.
SAS No. 145 then requires the auditor to evaluate the design and determine the implementation of certain controls. SAS No. 145 uses the term “identified controls” when referring to the controls that address risks of material misstatement and, therefore, require more work than merely gaining an understanding. These controls may also be referred to as “key controls” or “relevant controls” in certain audit methodologies. For these identified controls, the auditor is required to make a professional judgment about the effectiveness of the control’s design. For example, you might perform monthly reconciliations of all cash accounts. To evaluate whether those controls are effectively designed, the auditor may examine a few months’ reconciliations and see who prepared the reconciliations, who reviewed and approved them, and how exceptions, if any, were resolved. Finally, for each identified control, the auditor is required to determine whether the control has been implemented, that is, making a “yes or no” decision about whether the control has been placed in operation. In determining whether controls have been placed in operation, the auditor is not able to rely on inquiry alone. For example, to obtain evidence that cash reconciliation controls are being performed, the auditor could perform a “walkthrough,” which generally includes a combination of inquiry, observation, inspection of relevant documents, and reperformance of controls. To perform a thorough walkthrough, the auditor will want to make inquiries about people who perform the procedures, not just someone at a supervisory level.
Because SAS No. 145 guides when the auditor is required to evaluate the design and determine the implementation of controls, auditors may perform substantially less design and implementation work than in previous audits. However, the design and implementation work under SAS No. 145 is intended to be more purposeful, focusing on controls that address significant risks.
As mentioned in the third article in this series, SAS No. 145 includes extensive new guidance on information technology (IT) and the consideration of general IT controls. Thus, the auditor’s internal control work under SAS No. 145 will most likely have a greater focus on IT-related matters compared to previous audits. For example, the auditor may inquire about IT organizational controls such as IT staffing, roles, and responsibilities; controls to prevent unauthorized access to systems, applications, and data; operational controls such as activity logs and incident reports; and disaster recovery and contingency planning such as backup policies and plans to deal with the loss or interruption of the IT function. Likewise, the performance of walkthroughs may involve the auditor observing how IT applications are used to process or maintain data.
Finally, auditors of small- and medium-sized entities often perform non-audit services to assist these entities with closing their books and records and preparing their financial statements. For the auditor to perform efficient, effective risk assessment procedures, most non-audit services should be completed before performing risk assessment (i.e., audit) procedures. Otherwise, the auditor is essentially auditing a “moving target.” Thus, your auditor may request altering the timing of certain non-audit services or postponing risk assessment procedures until complete financial information is available.
As mentioned in previous articles in this series, SAS No. 145 does not fundamentally change the key concepts behind the auditor’s risk assessment. The changes in SAS No. 145 are meant to clarify and enhance certain aspects of the risk assessment process. While auditees might have numerous transactions, the auditor’s primary concern is whether material misstatements are present. SAS No. 145 is designed to help auditors determine which areas pose the greatest risks of material misstatement and spend more of their time performing procedures in those areas.