NEW RISK ASSESMENT STANDARDS

The AICPA Auditing Standards Board has issued a series of eight new Statements on Auditing Standards relating to the auditor’s risk assessment process, which will bring significant changes to existing audit practice. As a result of these Standards, the audit process will start with a more robust understanding of the client and its environment, its business risk assessment process and its internal control. The auditor then will need to perform a more rigorous assessment of the risks of where and how the financial statements could be materially misstated. Most importantly, the auditor must be able to design further audit procedures responsive to the identified risks and document the linkage between the assessed risks and the design of further audit procedures.

 

 


Under the new standards, the auditor will be required to:

  • Gain (and document) a more in-depth understanding of the client’s business risk assessment process at the front-end of the audit, including an understanding of how the client responds to identified risks. The auditor will then need to decide which of those risks directly impact the financial statements.
  • Determine the accounts, transactions and assertions that are impacted by these identified risks. The auditor then focuses on understanding the internal controls designed to mitigate the identified risk(s) at the significant account and relevant assertion level. In today’s environment, many of the controls designed to mitigate such risks are automated or technology-driven, and thus, enhanced IT skills will be required of all auditors, not just internal control specialists. Although the auditor can document a basis for assessing control risk at the maximum, we can no longer default to that conclusion without a documented basis for that assessment.
  • Determine which further audit procedures would be appropriate given the risks identified and the controls as we understand them. The auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure to detect material misstatements at the relevant assertion level. The auditor must document the linkage between the assessed risks at the assertion level and the design of further audit procedures.
  • Perform tests of controls when the auditor’s risk assessment includes an expectation of the operating effectiveness of controls or when substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level.
  • Consider the risk of misstatement not only at the level of the financial statements taken as a whole, and at individual account balance or class of transactions, but also at the disclosure level as well.

The standards are effective for audits of financial statement for periods beginning on or after
December 15, 2006.

The industry believes the new standards will cost 20% to 30% more in audit fees in the first year but will in the long run provide more useful information and more reliable results. After the initial ramp-up the fees should stabilize and come down.

Give us a call or send us an email if you would like to discuss how these rules may impact your audit.