Re-Writing the Canon: A First Look at the Risk Assessment Auditing Standards

Presented By:
The year 2005 should go down as a water-shed in the auditing profession.
That was when the Auditing Standards Board issued ten new standards that not only revised the fundamental building blocks of auditing but also introduced a comprehensive audit methodology that differs in subtle but powerful ways from the methodology used for the past three decades by the majority of audit firms. These new standards include the eight collectively referred to as the risk assessment standards, plus one on audit documentation and another that redefines internal control deficiencies.

The Hierarchy of Standards

To understand the magnitude of the changes required by the new standards, its helpful to draw a map of the auditing literature. We view the auditing standards as hierarchical, as indicated in Figure 1. At the top of the hierarchy is the description of the auditors overall responsibilities. This seems like the most logical starting pointif we were given a new job, the first question wed ask would be what do you want me to do? For auditors, the answer is in AU Section 110, which weve paraphrased as: Auditors should gather evidence to support an opinion on whether the financial statements are free of material misstatements.

Copyright AuditWatch, 2005. We encourage you to freely copy and distribute this article both within and outside your firm. We only ask that: 1) it be reproduced without modification, 2) authorship of the article be attributed to AuditWatch, and 3) the article be distributed free of charge to your readers. For additional information, please contact Michael Ramos at newstandards@auditwatch.com.

s sibilitie Respon Key pts Conce ology Method

AU Section 110 Responsibilities of the Auditor

What do you want me to do? Gather evidence to support an opinion on whether the financial statements are free of material misstatement What do you mean by evidence support, and materiality?

Audit Risk & Materiality

Audit Evidence

Audit Documentation

Audit Risk & Materiality

Considering Fraud

How should I do my job?

Specific ions Instruct

Planning

Analytical Procedures

Estimates

Etc.

Internal Control

Figure 1. Hierarchy of Auditing Standards: Current Standards. The auditors overall responsibilities are supported by definitions of key concepts. One of these concepts, the audit risk model, has been interpreted by practitioners to define their de facto audit methodology.

Weve highlighted some words in this description because for someone trying to understand their job responsibilities, these words prompt further questions, namely What constitutes evidence? How do I support my opinion? What do you mean by material?

how should I do my job? The answer to this question defines what we call the audit methodologya structured process for gathering audit evidence to support an opinion on the financial statements. Until now, the auditing literature did not define a methodology but left that decision up to individual firms. As a practical matter, the profession by and large adopted a methodology based on a literal reading of the audit risk model.

The answers to these questions form the fundamental building blocks of auditing. They are the conceptual underpinning for all the standards related to audit fieldwork. Within these standards youll find the definition of key concepts such as: audit risk and the audit risk model, materiality, financial statement assertions, and the requirements for audit documentation. In Figure 1, the standards that define these concepts comprise the second tier of our hierarchy. Once you lay the conceptual foundation for auditing, the next questions are more practical, beginning with

AR = IR x CR x DR
That is, Audit Risk = Inherent Risk x Control Risk x Detection Risk. SAS No. 99 provided a methodology for considering a material misstatement related to fraud, but the process for considering misstatements due to error was a matter of firm choice, so long as the firm complied with the broad requirements of the audit risk model. In Figure 1, weve included the audit risk model

AU Section 110 Responsibilities of the Auditor

s sibilitie Respon Key pts Conce ology Method

Audit Risk & Materiality

Audit Evidence

Audit Documentation

Understand Entity and Assess Risks Internal

Control

Perform Procedures

Considering Fraud

Planning

Analytical Procedures

Estimates

Etc.

Specific ions Instruct

Changed Standard New Standard

Figure 2. Hierarchy of Auditing Standards: After New Risk Assessment Standards. All of the key concepts underlying auditing standards have changes. Two new standards provide definitive guidance on a required audit methodology. Internal control is no longer a subset of audit planning, but an integral part of the main audit process.

in the third tier of the hierarchy, but weve shaded it lightly to indicate that the standard is designed to be more of a conceptual document, not a how to on the conduct of an audit. SAS No. 99, on the other hand, has its conceptual moments, but in general it is much more definitive of the process auditors should follow to detect material misstatements caused by fraud. Finally, at the lowest level of the hierarchy weve depicted the standards related to specific fieldwork matters, such as performing analytical procedures, or how to audit an estimate. Most new auditing standards operate at this level.

have been confined to isolated, specific matters, such as auditing fair value, the content of a representation letter, or confirmations. (The Standards relating to fraud are the main exception.) Figure 2 illustrates how the new standards affect the auditing literature. Immediately you can see that the standards make revisions to the conceptual underpinnings of the audit process, the most significant revisions to these standards since their introduction over twenty years ago. Additionally, the new standards introduce a new methodology for considering misstatements caused by error. This new methodology is based on the audit risk model, but it contains many requirements that are different from the current methodology used by most audit firms. The hoped for result is a more rigorous audit process that is more consistent across firms and, within firms, across engagements.

Changing the Fundamental Building Blocks

As you would expect, very few changes are made to the more conceptual, top three levels of the hierarchy. In fact, the bulk of the conceptual framework is at least 20 years old. Since the early 1980s, the vast majority of new auditing standards

One of the key changes made by the new standards is the way in which they consider internal control. Under previous standards, understanding internal control was merely a subset of audit planning (see Figure 1). The new standards not only change the specific requirements for understanding internal control, they also give internal control a new prominence, elevating the auditors understanding to an integral component of the main audit process.

Depth
How well you know it

New Current
Breadth
What you know

Implementation A comprehensive Challenges

new audit methodology differs in subtle but powerful ways from methodology used for the past three decades
The Auditing Standards Boards cover letter that accompanies the Exposure Drafts of the risk assessment standards highlights the major changes the new standards will bring to current audit practice. We encourage you to take a look at the changes described in that letter. We wont re-hash those here. Instead, wed like to highlight a couple of changes that we think will be the most challenging to implement.

Figure 3. Breadth and Depth of Understanding of Internal Control. The new standards require auditors to understand more things about their clients and to understand them better. Of the two, meeting the requirements relating to greater depth of understanding will be more difficult to implement.

the depth. The breadth of your knowledge describes its span, that is, what youre required to know. The depth of your understanding of these matters describes how well you know them. The auditing standards provide guidance on both the breadth and depth of your understanding. For example, auditors are required to understand things such as the companys capital structure, how it is affected by governmental regulations, and the information processing stream for significant transactions. These items are examples of the breadth of your required knowledge. The standards also state that your understanding of the clients business should be sufficient to allow you to obtain an understanding of the events, transactions, and practices that may have a significant affect on the financial statements. For internal control, your understanding should be sufficient to allow you to assess the effectiveness of the design of controls and to determine whether company personnel are using them. This guidance describes the depth of your required understanding.

A Better Understanding of the Entity and Its Internal Control

With the adoption of the new auditing standards, auditors will be required to gain a more in-depth understanding of the entity and its environment, including the companys internal control. Auditors already are required to gain an understanding of the entity, its environment and internal control. So what does the ASB mean when it says that the new standards will require a more in-depth understanding?

Breadth and Depth of Understanding

There are two dimensions to your required understanding of the entity, its environment and internal control: the breadth of understanding and

The Effect of the New Standards

The new standards definitely increase the required span of your understanding of the client, its business environment and its internal control. Auditors will have to learn about more things than they did in the past, which will add some time and cost to the audit. However, we believe that, for the most part, the addition of these few items will be relatively straightforward and easy to implement. Most auditors will be able to perform the same procedures they always have, but just add a few more lines to their already bulky standard checklists. For example, the new standards require you to understand how your client reconciles its significant accounts and the procedures followed to resolve improperly processed transactions. If you dont already know this about your client, then you will have to expand the scope of your existing procedures related to internal control. We believe that the expansion of the breadth of the auditors required understanding is important and will lead to more effective audits. But we also believe that most audit practices will be able to easily accommodate these changes into their existing audit methodology. Far more problematic for firms will be in adapting their current audit methodology to comply with the requirements related to the depth of the auditors understanding, particularly for internal control.

language related to internal control will look very familiar. So whats the big deal? Why are we making such a fuss about the new internal control standards? Lets be honest. Most auditors we know (including ourselves in our former lives) have done a lousy job of understanding internal control for the past 25 years. We hear this constantly from our clients, and we agree. Heres a quick reality check. Pick up the AICPAs Internal Control Audit Guide and look at the example documentation in the back of the guide. Compare the documentation in one of your typical engagements to the examples in the guide and see how it stacks up. Weve looked at a lot of workpapers over the years, and weve seen very few that compare favorably to these recommended examples. The new standards will force auditors to obtain a more in-depth understanding of internal control because of three main provisions. 1. No Default to Maximum Control Risk. Under current standards, you are required to gain an understanding of internal control to plan the audit. Once you gain that basic understanding, you may then either test controls or simply deem control risk to be high, and perform a purely substantive audit. In theory, this makes sense, but in practice, many auditors misunderstand the directions provided by the standards. At the start of the audit, many auditors simply deem control risk to be maximum. Since they are then locked in to performing a purely substantive audit in all areas, they see no real point to gaining an understanding of internal control. This

For all practical purposes, walkthroughs will be required of all significant transactions. Inquiry alone is no longer sufficient for understanding internal controls.

Achieving the Required Depth of Understanding Will Not Be Easy

With regard to internal control, under current auditing standards, you are required to obtain an understanding of internal control sufficient to plan the audit. Sufficient to plan the audit includes assessing design effectiveness and determining that the controls are in use. In fact, the new standards do not change this threshold. When you read the new standards, the

attitudedriven by defaulting to maximum control riskresults in an understanding of controls that is either superficial, poorly documented, or non-existent. The new standards put the kibosh on defaulting to maximum control risk. Now, you will have to justify and document this justificationfor your control risk assessment. Can you still perform a substantive audit? Yes. But you can no longer just declare control risk to be maximum and move to the rest of the audit. If you really do believe that control risk is high, you have to

It will no longer suffice to just ask the client about managements operating philosophy or their commitment to competence or ethical behavior. You will need to corroborate their responses by performing other procedures. 3. Describe the Procedures Performed to Obtain Your Understanding. Over the years, weve seen many internal control workpapers that include a control environment checklist that consists of a few dozen yes or no questions, all marked yes, with the last page of the form initialed by the auditors. Sometimes these checklists get carried forward three, four, or five years. Heres the question we ask. How do the people signing off on these forms know that the answers to all questions are yes? What procedures did the auditor perform to come to that yes conclusion? Were afraid that the answer, in many cases, is not very much. To curb this practice, the new standards require you to describe the procedures you performed that support your decision to check all the boxes yes. The procedures performed in subsequent years to determine that yes remains the right answer also will have to be documented.

Complying with the linkage requirement will require auditors to do one of the most difficult and time consuming tasks: Thinking

explain why. The idea is that if you really do have a good understanding of controls and you take a minute to seriously consider the risk, youll find out that on most of your clients, control risk probably is not maximum. 2. Per Bob, Control Environment is Strong Will No Longer Cut It. To obtain your understanding of internal control, the new standards say quite bluntly that inquiry alone is not sufficient. Going forward, inquiry of

the client must be combined with other procedures such as observation, inspection of documentation and reperformance of the control. Does that mean that walkthroughs of all significant transactions are required? For all practical purposes, we believe the answer is yes, even though the standards do not explicitly say so. Some firms already perform walkthroughs as a matter for firm policy, and for them, the new requirements will not be that big of a change. However, if your procedures for understanding internal control consist solely of asking the controller how information is processed and controlled, the new standards will significantly increase the amount of time you spend on your audits. The biggest change for all firms will be in applying the inquiry alone is not sufficient standard to the control environment and other entity-level controls.

This documentation of the procedures performed should be at a fairly high level of detail. For inquiries, you should document the person you spoke with, their title, the date you spoke with them, and the person from the audit team who conducted the inquiry. Similar detail is required for observation and other procedures.

Notice the link between the elements of our narrative. Identified risk begets the assessment of risk of material misstatement, begets the design of substantive procedures. Auditors get that. Or do they? There is a perception that on many audits, the design of substantive tests are disengaged from or not in sync with the other elements of the equation. Weve seen too many audits where the substantive auditing procedures are not completely responsive to the identified risk of what can go wrong in the processing of financial information. For example, we know that our client could fail to round up all the invoices at yearend, but our substantive procedures dont adequately address the possible understatement of payables. This type of disconnect happens more often than it should. There are a variety of reasons for this lack of synchronization, including an overreliance on canned audit programs and too much same as last year. To address this problem, the new standards require auditors to document a clear linkage between risk, your assessment of risk, and your substantive procedures.

Linking Together Assessed Risks, Your Understanding of Control, and Your Substantive Audit Procedures
The concept of linkage is fairly easy to understand. You understand the client and its business and identify a financial statement reporting risk. You figure out how the client manages that risk and what the chances are that the general ledger is materially misstated. The answer to that question drives the design of your substantive tests: the greater the risk of material misstatement, the more work you do; the lesser the risk, the less you do. For example, lets take accounts payable. Theres a risk that the client will fail to capture all the payables at the balance sheet date. How does the company manage that risk? Suppose that your client does not have a true payables system but instead keeps track of expenses pretty much on the cash basis and then, at year-end, rounds up all the outstanding payables and records an accrual. Given those circumstances, what are the chances that the accrual is materially incorrect? Your answer will vary depending on other facts and circumstances at the client, but most auditors will understand that the substantive tests they perform on payables must Be designed to detect the type of errors theyve identified at this specific client (for example, the controller has some unpaid invoices in her drawer that never make it to the accrual) Be commensurate with the level of the risk of misstatement, i.e., greater risk means more work.

As a practical matter, were not sure exactly how this requirement should best be implemented. Weve heard some suggest that the requirement means the end of canned audit programs and that we now have to customize audit programs for every audit. To some degree we agree with that. Certainly there always will be a set of typical audit procedures that we have performed for years and that we will continue to perform: confirming receivables, observing inventory, the search for unrecorded liabilities, etc. But we can no longer just round up the usual suspects, performing the same procedures on every job, yearafter-year. Clients are unique. Circumstances change over time. Our substantive tests need to reflect this reality.

13873 Park Center Road, Suite 104 Herndon, VA 20171

PRE-SORTED S TA N D A R D U S P O S TA G E PA I D P E R M I T # 5 19 D U L L E S , VA

Helping Auditors to Succeed

most difficult and time-consuming tasks: think. Theyll have to ask themselveson every job, in every audit area, each and every yearwhy am I performing this test? Does it make sense, given what I know about the risk of material misstatement at this client? Then they have to document their answers. Even firms that have done an excellent job with linkage (avoiding the SALY syndrome, for example) will need to carefully consider how they will implement the new standards in this area.

The concept of linkage is not new. We should have been linking our audit procedures all along. The new standards force us to connect the dots between our substantive procedures, risks and controls. They require auditors to document the linkage of audit procedures. It will be difficult to design a nice, tidy checklist to accomplish this linkage. We know; weve tried. New and improved audit management software may help, but we arent holding our breath on this one. Ultimately, we believe that complying with the linkage requirement will require auditors to do one of the

Building a Better Audit

The new auditing standards are long and complex. They contain many changes, some of which will be easily incorporated into your existing methodology. However, other changes will require significant and costly additions to your existing audit practice. Over the next year or so you will be exposed to a great deal of information about those standards, what they mean, and how they affect you. We encourage you to learn all you can about them and the implications for your practice. We think that youll find that it is not business as usual, but rather, the start of a new era in auditing.