
Assessing and Responding to Risks in a Financial Statement Audit: Part II
Guidance for audit standards for nonissuers that took effect on or after December 15, 2006.
by John A. Fogarty, Lynford Graham and Darrel R. Schubert
EXECUTIVE SUMMARY
The
Auditing Standards Board issued
eight standards with new guidance for
auditors assessing risks and controls in
financial statement audits. Auditors must
consider risk and also determine a
materiality level for the financial
statements taken as a whole. Auditors are required
to obtain a sufficient
understanding of the entity and its
environment, including its internal
control, to assess the risk of material
misstatement.
Auditors must develop
audit plans in which they
document the audit procedures that are
expected to reduce the audit risks to
acceptably low levels.
To rely on the
effectiveness of company
internal controls, the auditor should
test the controls, but only after
assessing that the design is effective.
The auditor may rely
on control tests and other
evidence from prior audits when the audit
evidence and related subject matter have
not changed.
At the end of an
audit, the auditor must evaluate
whether the financial statements taken as
a whole are free of material
misstatements. The auditor must
accumulate all the known and likely
misstatements, other than trivial ones,
and communicate them to the appropriate
level of management.
In assessing
deficiencies of internal
controls to identify the severity, the
auditor should focus on issues such as
inadequate documentation and unqualified
employees who lack the skills to make the
required GAAP accounting computations,
accruals or estimates, or to prepare the
company financial statements.
John
A. Fogarty, CPA, is a
partner of Deloitte and Touche, LLP, a
past chairman of the Auditing Standards
Board (ASB) and a member of the
International Auditing and Assurance
Standards Board. His e-mail address is jfogarty@deloitte.com.
Lynford Graham, CPA,
PhD, CFE, is a consultant, recent former
member of the ASB and Risk Assessment
Standards Task Force and chair of the
Risk Assessment and Risk Response Audit
Guide Task Force. His e-mail address is lgrahamcpa@verizon.net. Darrel
R. Schubert, CPA,
current member of the ASB, is a partner
in Ernst & Young LLP's national
professional practice and risk management
group and was chair of the Risk
Assessment Standards Task Force. His
e-mail address is darrel.schubert@ey.com.
This
is the second of two articles describing the
requirements of new guidance from the Auditing
Standards Board (ASB). The first article
discussed the process of assessing risks and
controls leading to the concept of the risk of
material misstatement (see "Assessing and
Responding to Risks in a Financial Statement
Audit," JofA, Jul.'06, page 43).
This article discusses how the auditor responds
to the risk of material misstatement in designing
and performing audit procedures.
The eight
standards listed here are designed to help
auditors plan and perform audit procedures that
will address assessed risks, enhance the
auditor's response to audit risk and
materiality, facilitate planning and supervision
and clarify the concept of audit evidence.
As noted in the
new standards, auditors must consider audit
risk and must determine a materiality level for
the financial statements taken as a whole.
Auditors also must obtain a sufficient
understanding of the entity and its environment,
including its internal control, to assess the
risk of material misstatement.
The Audit Risk Standards
SAS no. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (Due Professional Care in the Performance of Work)
SAS no. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
SAS no. 106, Audit Evidence
SAS no. 107, Audit Risk and Materiality in Conducting an Audit
SAS no. 108, Planning and Supervision
SAS no. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
SAS no. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
SAS no. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
DESIGNING FURTHER AUDIT PROCEDURES
Once the risk of material misstatement has been
assessed for major accounts, transaction streams
and disclosures, the auditor must develop an
audit plan in which he or she documents the audit
procedures that, when performed, are expected to
reduce audit risk to an acceptably low level. As
the auditor is assessing risk and the design and
implementation of internal controls, he or she
should determine any overall responses to address
risks of material misstatement at the financial
statement level, and tailor audit plans (that is,
audit programs) to be responsive to the
identified risks of material misstatement at the
relevant assertion level. The application of a
standard audit program of procedures
on all engagements will generally not be
responsive to the risks of material misstatement,
and is not an appropriate response under the new
standards.
Because the
auditor should document the linkage of the risks,
controls and further audit procedures by
assertion, the audit plan also should consider
the risk of material misstatement at the
assertion level. The auditor should design
auditing procedures to achieve the objective of a
high level of assurance that the financial
statements are free of material misstatement.
Those further auditing procedures consist of
either tests of controls or substantive
procedures.
For example, say
the auditor identifies a moderate risk of
inventory obsolescence (valuation) and the
company monitors this risk through two
procedures: one control that performs monthly
analyses of inventory turnover by inventory line
item looking for risks of obsolescence and
another that monitors market price fluctuations.
In addition, the company takes periodic
inventories to ensure the accuracy of its
perpetual inventory records. In this circumstance
the auditor may assess the risk of material
misstatement as low. If the client controls are
tested and found effective, the auditor may need
to design only a low level of independent
lower-of-cost or market tests on the
slower-moving and specific inventory items that
have a high volatility in cost, and design some
independent analytical procedures to address the
obsolescence (valuation) risk. That may be enough
to satisfy the auditor that risk of financial
statement misstatement is low for this assertion
as it relates to inventory.
TESTING INTERNAL CONTROLS
To rely on the effectiveness of company internal
controls, the auditor should test the
controls, but only after assessing that the
design is effective; otherwise there is no sense
in testing it. If the auditor's strategy is
to rely on the control, its operating
effectiveness is assessed through appropriate
levels of testing. Tests of implementation may
provide some minimal evidence of operating
effectiveness. The auditor's reliance on the
control is a continuum from no
reliance (for example, the design may be
ineffective or there may be no control) to
high reliance on the control.
The basic principles of testing controls in the current section AU 319 are not changed:
Automated controls can be tested once or a few times to conclude they operated effectively throughout the period when information technology (IT) general controls were assessed as effective.
Manual controls tests should cover the period of the examination.
The extent of testing should respond to the desired level of reliance on the control.
Additional
guidance on establishing sample sizes is
contained in the revised AICPA Audit Guide, Audit
Sampling, (CPA2Biz.com product no. 012536JA)
released in January.
Auditors should
test controls when sufficient evidence may not be
obtainable from traditional substantive
procedures, such as when the business makes
extensive use of IT in its sales or purchases
interfaces such as Internet or EDI (electronic
data interchange) transactions, and the systems
do not create paper trails and historical
documents supporting the transactions.
EVIDENCE FROM PRIOR AUDITS
The new standards clarify when control tests and
other evidence from a prior audit may be used in
the current engagement. For the auditor to place
reliance on that evidence, the audit evidence and
the related subject matter must not fundamentally
change. The auditor confirms that changes have
not occurred by annual inquiry and performing
another procedure that confirms the control
remains implemented and is effective, such as a
walk-through, observation or examination of some
evidence. In any case, the controls should be
retested at least every third year, even when
there have been no perceived changes in them.
An exception to
this guidance on evidence from prior audits is in
the case of significant risks. One or
more significant risks generally are
found on most audit engagements. For these risks:
Substantive procedures, or substantive and controls procedures, specifically directed at the risk should be applied.
Analytics alone are insufficient to provide the needed assurance.
Controls assurance from prior engagements cannot be considered in the current engagement; the controls need to be tested every year to rely on them.
PERFORMING AUDITING PROCEDURES
In performing audit procedures, auditors should
apply certain substantive audit procedures on
each engagement. They should:
Apply substantive procedures for all relevant
assertions related to each material class of
transactions, account balance and disclosure,
regardless of the assessed risk of material
misstatement.
Examine material journal entries and other
adjustments.
Agree the financial statements to the underlying
accounting records (this is also noted in SAS no.
103, Audit Documentation, which is
effective for audits of financial statements for
periods ending on or after December 15, 2006).
While some
auditors already use audit methodologies that
integrate assertions into identifying risks,
assessing controls and performing procedures,
some do not. The appendix to SAS no. 110 (see
"Official Releases," JofA,
May'06, page 152) provides a helpful list of
account balances, related assertions and common
auditing procedures that address these assertions
for a manufacturing company.
SAS no. 110 also
provides significantly more guidance than past
standards in designing the nature, timing and
extent of audit procedures. In determining sample
sizes, SAS no. 111 amends SAS no. 39, Audit
Sampling, by adding a concept from a
previous AICPA Audit Guide:
An auditor
who applies statistical sampling uses tables or
formulas to compute sample size based on these
judgments. An auditor who applies nonstatistical
sampling uses professional judgment to relate
these factors in determining the appropriate
sample size. Ordinarily, this would result in a
sample size comparable to the sample size
resulting from an efficient and effectively
designed statistical sample considering the same
sampling parameters.
While this
guidance shows a relationship between
nonstatistical and statistical sample sizes, the
auditor is not required to compute or document a
comparable statistical sample size. However,
familiarity with sampling concepts of the level
of assurance obtainable from certain size samples
can help auditors make more informed judgments
regarding appropriate sample sizes. The AICPA
Audit Guide, Audit Sampling, provides
illustrations of designing appropriate sample
sizes using tables and simple formulas. Some
commercial computer-assisted audit technique
programs such as IDEA and ACL also include
easy-to-use statistical sample-size-determination
programs.
SUMMARIZING THE RESULTS OF AUDITING PROCEDURES
The auditor must accumulate all known and likely
misstatements other than those he or she believes
to be trivial. Consistent with prior standards,
differences between auditor and company estimates
are treated as likely misstatements only if the
company estimate is considered unreasonable. In
such a case the amount of likely misstatement is
measured by the difference between the company
estimate and the closest auditor estimate that is
considered to be reasonable.
Auditors should
propose known misstatements to management for
adjustment. If they are not adjusted, the auditor
should be alert to the risk there may be an
underlying reason behind the lack of management
response, such as might occur if the correction
would trigger the violation of a loan covenant or
change the direction of an important trend
measure.
Known and likely
misstatements that remain unadjusted, including
the effects of prior-period misstatements, should
be compared individually and in the aggregate
with various totals or subtotals (or key
relationships) in the financial statement to
ensure they do not misstate the financial
statements as a whole. Be aware that offsetting
material misstatements could show failed internal
controls as well as show that careful estimation
of these amounts (beyond the tests performed thus
far) is necessary to be able to conclude on the
amounts to be adjusted in the financial
statements.
If the financial
statement and other information available to the
auditor as the audit progresses and at the end of
the engagement differ from what was anticipated
when materiality was first assessed, a change in
materiality may be appropriate. The auditor
should be careful if the materiality measure at
yearend declines, as this may have implications
for concluding on the adequacy of the procedures
performed to achieve a high assurance that the
financial statements are free of material
misstatement. The auditor should document the
materiality levels and the basis for any changes
as the audit progresses.
When assessing the
implications of known and likely misstatements,
auditors also should consider qualitative
factors. For example, a fraud of
less-than-a-material amount still may have
significant implications for assessing the
adequacy of the procedures performed and the risk
assessment that directed the nature, timing and
extent of audit procedures. An illegal payment
might also give rise to concerns about a
contingent liability, and permitting a
misstatement to remain unadjusted may alter user
perceptions about a trend or important measure.
An Illustration of Prior-Year Uncorrected Misstatements
As a simple example, a
school district may not accrue $20,000 of
unused sick pay each year. That sick pay
will accumulate until it is paid or used
at or near the employee's retirement
date, as determined by an employment
contract. Assume materiality to be
$40,000. The misstatement of annual
income is $20,000, which may not require
an adjustment when viewed solely from an
income perspective. However, the balance
sheet is missing an annual accrual for
$20,000 each year. By year two and
beyond, some companies and auditors,
focusing on the year-end balance sheet,
would cap the balance sheet misstatement
at or below $40,000 and require the
accrual be recognized each year
thereafter. Those focusing only on the
income statement might not require any
adjustment in year two or beyond, since
the income statement is not materially
misstated in any one year. Because some
types of uncorrected misstatements will
predictably reverse in future
periods (that is, misstatements of ending
inventory) and some may continue to
accrue on the balance sheet for many
periods (that is, as in this example), a
careful analysis of the nature of the
uncorrected misstatement is necessary.
| Year | Income misstatement | Balance (liability) underaccrual |
| 1 | $20,000 | $20,000 |
| 2 | 20,000 | 40,000 |
| 3 | 20,000 | 60,000 |
CONSIDERING THE EFFECTS OF PRIOR-PERIOD WAIVED ADJUSTMENTS
SAS no. 107 says the auditor should consider the
effects of misstatements related to prior periods
that were not previously corrected. Such amounts
could affect the income in a period in which they
were reflected in income or could accumulate on
the balance sheet and aggregate to significant
amounts. Three basic methods are used regarding
these items. In the first method, the income
effect of all current and prior-period
misstatements flowing through current income is
considered. In the second, auditors focus on the
aggregate of the misstatements remaining in the
ending balance sheet. In the third method,
auditors apply both perspectives and require an
adjustment if either method shows one is
necessary.
The ASB did not
intend to change audit practice in this area in
SAS no. 107. Any of the methods for considering
prior-period uncorrected misstatements are
considered appropriate under the current wording
of SAS no. 107. However, in September 2006 the
SEC released Staff Accounting Bulletin (SAB) no.
108, showing that for public companies both the
income statement and balance sheet methods should
be applied, and an adjustment made, if either
method shows that an adjustment is needed to
avoid a misstatement of the income statement or
the cumulative balance sheet. The SAB also
provided accounting guidance necessary for
companies to transition to the new approach. The
SEC position is similar to the one proposed in
the ED version of SAS no. 107, and auditors
should be alert to possible changes in SAS no.
107 in this area.
BRINGING IT ALL TOGETHER
At the end of the audit, the auditor must
evaluate whether the financial statements taken
as a whole are free of material misstatement.
Auditors seek a high (but not absolute) level of
assurance concerning this before they issue a
clean opinion.
If unadjusted
misstatements remain, the auditor compares them
with materiality. Even if the unadjusted
misstatements do not exceed materiality, there is
a risk that misstatements might exist in the
company financial statements undetected by the
audit procedures.
The auditor
considers the relationship of individual and
aggregate unadjusted misstatements and
materiality, and considers whether the audit
procedures applied still provide a high level of
assurance that the financial statements are not
materially misstated. For example, suppose that
materiality is determined to be $40,000 and
$1,000 of unadjusted misstatement remains at the
end of the audit. The auditor knows the tolerable
misstatement was set below materiality in each of
the audit areas for determining the nature and
extent of audit procedures to be performed, and
may well conclude that a cushion of $39,000 is
sufficient to provide a high level of assurance
that material misstatement does not exist in the
financial statements. In contrast, if $39,000 of
unadjusted misstatement were to remain, the
auditor might not be able to conclude with a high
level of assurance that the audit procedures were
sufficient to ensure that only $1,000 of
misstatement might remain undetected. When the
auditor is unable to conclude with a high level
of assurance, he or she should plan additional
procedures to gain additional evidence regarding
the true extent of the misstatements and/or
propose a further adjustment of the misstated
amounts.
COMMUNICATING WITH THOSE CHARGED WITH GOVERNANCE
The auditor must accumulate all the known and
likely misstatements, other than those the
auditor believes to be trivial, and communicate
them to the appropriate level of management.
When significant
or material misstatements are identified during
the audit, such misstatements may imply a
deficiency in controls. In determining the
severity of the deficiency, the auditors should
consider not just the misstatement amounts found,
but also the potential misstatement that could
result from the deficiency. Even a small
misstatement could lead to an assessment that a
material misstatement exists if it's because
of a missing or ineffective control.
SAS no. 112, Communicating
Internal Control Related Matters Identified in an
Audit, is effective for audits ending after
December 15, 2006. While SAS no. 112 is not one
of the standards included in the group of
audit risk standards, it is closely
associated with them.
Under SAS no. 112,
the auditor must evaluate control deficiencies
which he or she has detected while performing the
audit of the financial statements, and determine
whether they, individually or in combination, are
significant deficiencies (SD) or material
weaknesses (MW). If SDs or MWs are identified,
they must be communicated in writing to
management and those charged with governance.
Unless remediated, these deficiencies are
repeated in written communications every year.
SAS no. 112 does not require auditors to discover
internal control deficiencies. Whether they are
remediated or not, these deficiencies should be
reported in the year they are identified.
The appendix to
SAS no. 112 provides additional examples of
conditions and circumstances showing deficiencies
of internal controls (see "Official
Releases," JofA, Jul.'06, page 102).
Auditors need to become familiar with this
standard and prepare to implement it for calendar
year 2006 audits.
Some sensitive
issues that require the auditor to assess the
severity of any deficiency include:
Inadequate documentation of the components of internal control.
Employees who lack the qualifications to fulfill their assigned functions, which includes:
  Making the required GAAP accounting computations, accruals or estimates.
  Preparing the company financial statements.
While auditors may
be engaged to prepare the tax accrual or draft
the financial statements under current AICPA
independence guidelines, they still assess the
severity of any deficiency in the company's
ability to perform these functions. For example,
if the auditor evaluated that company personnel
could not prepare the financial statements and
the accompanying notes, a material weakness might
be assessed.
Because new
auditing standards are effective
in both 2006 and 2007, it is
advisable that companies and
auditors discuss in advance the
nature of the changes and ways to
cost effectively implement the
requirements.
Because a
more robust assessment of
controls design and
implementation may be performed
under the new standards, and
because the additional guidance
permits prior audit tests of
controls to be considered in the
current engagement, it may be
more efficient than before to use
a controls-based audit strategy
for some clients.
Most
engagements have at least one
significant risk. If a large
number of your engagements do not
appear to have significant risks
associated with them, then
revisit the concept in SAS no.
109 and the guidance in the AICPA
Audit Guide, Assessing and
Responding to Audit Risk in a
Financial Statement Audit. If
your engagements appear to have
many significant risks,
reconsider the criteria you used
in making these determinations.
If many of your engagements still
have numerous significant risks,
you may want to reconsider your
client acceptance and retention
procedures.
If SAS no.
107 is modified to reflect the
guidance in Staff Accounting
Bulletin no. 108, auditors
following an income-focused
(rollover) method of
evaluating unadjusted
misstatements may find that some
client balance sheet items may
need a one-time adjustment to
transition to the new guidance.
Auditors might wish to assess
this issue for individual clients
and request adjustments in the
current year, if that would avoid
the further accumulation of
misstatements in the aggregate
balance sheet.
When
proposing adjustments based on
projections from samples or
estimates, let the nature and
extent of evidence leading to the
proposed adjustment guide the
auditor as to whether there is
sufficient information to be
comfortable adjusting some or all
of the difference.
When
communicating significant
deficiencies and material
weakness to management and those
charged with governance,
practitioners may find it helpful
to refer to prior written
communications rather than repeat
the details of any uncorrected
deficiencies every year.
IMPLEMENTATION ISSUES AND CONCLUSION
Few of the concepts articulated in the audit risk
standards are new to audit practice. How these
standards will affect a firm's audit
approach and engagement costs will depend on the
current approach and how efficiently the
standards are implemented. Clearly, there are
more "musts" and "shoulds" in
the standards, but these requirements will help
standardize audit practice and create greater
consistency in audit performance. Users have
expectations of what an audit delivers, and the
auditor's performance to better meet such
expectations will continue to enhance the
profession's image.
Costs of
implementation will vary, depending on the audit
firm's or practitioner's current
practices. The tasks associated with a more
robust assessment of risk and controls design
will account for significant elements of cost for
some in the first year of implementation.
Considering these requirements early in the
process can help ease the implementation
crunch. Some audit firms already have
begun their planning and education in order to
make the transition to the new requirements as
smooth and efficient as possible. For example,
some auditors took a more structured approach to
gathering known key client risk characteristics
in 2006, and will expand the number of factors
assessed this year. Some auditors looked more
closely at the controls surrounding key accounts
such as sales or payments, and thus suggested
controls changes where they had identified gaps.
A quality implementation of the new requirements
will pay back benefits in future years if the
appropriate base has been established.
Current
engagements may fall under the new requirements
of SAS no. 103 and SAS no. 112. Auditors will need
to gain an understanding of these requirements
and implement them as required. The AICPA has a
variety of products and educational programs to
help you understand the new requirements and to
help you with the implementation issues. 