By Jessica Wu
Caporicci & Larson, Certified Public Accountants

During 2005 and 2006, the American Institute of Certified Public Accountants issued several new standards to improve and clarify auditing standards in general.

Two statements were issued and became effective upon issuance: Statement on Auditing Standards (SAS) Numbers 102 and 103.

SAS No. 102, Defining Professional Requirements in Statement on Auditing Standards, clarifies steps in auditing standards that are “unconditional requirements” defined by words such as “must” and “is required to”; and steps that are “presumptively mandatory requirements” defined by words such as “should”.

SAS No. 103, Audit Documentation, provides guidance on audit documentation as an essential element of audit quality. This standard also gives guidance on the date of the audit report, which cannot be earlier than the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. As a result, the audit report date will need to be close to the date the reports are released.

The American Institute of Certified Public Accountants also issued the Risk Assessment standard in March 2006. The project originated as a joint project with SAS No. 99, Consideration of Fraud in a Financial Statement Audit. These standards were issued because the Accounting Standards Board believes that they will strengthen auditing standards and provide a more in-depth understanding of the entity and its environment, a more rigorous assessment of material misstatements and improved linkage between assessed risk and the nature, timing and extent of audit procedures performed.

The following standards are in the suite of SASs issued in connection with the Risk Assessment standards:

  • SAS No. 104 – Amendment to SAS No. 1 – Codification of Auditing Standards and Procedures
  • SAS No. 105 – Amendment to SAS No. 95 – Generally Accepted Auditing Standards
  • SAS No. 106 – Audit Evidence
  • SAS No. 107 – Audit Risk and Materiality in Conducting an Audit
  • SAS No. 108 – Planning and Supervision
  • SAS No. 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  • SAS No. 110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
  • SAS No. 111 – Amendment to SAS No. 39 – Audit Sampling

In general, these standards enhance the auditor’s application of the audit risk model in practice. They require a more in-depth understanding of the entity and its environment and a more rigorous assessment of risks and the linkage between assessed risks and the nature, timing and extent of audit procedures.

A greater understanding of the entity is required. Auditors are no longer able to assess control risk at maximum without a basis for that determination. Although tests of controls are not absolutely required, they are strongly encouraged. The recommendation of the standards is to test controls on a rotational basis with the intention that all systems be tested at minimum every three years. In addition, a greater emphasis is placed on testing of disclosures, while documentation requirements are significantly expanded. The statements provide clearer and expanded guidance on evaluating audit findings.

There are several steps auditors must take in applying the Risk Assessment Standards.

Gathering Information - The auditors must begin with gathering information about the entity and its environment, including its internal control. Information gathering should include at minimum information obtained from external factors; information about the nature of the client; information in connection with the objectives and strategies and related business risks of the client; information regarding the client’s measurement parameters including a review of the client’s financial performance; and information in connection with the client’s internal controls.

Understand the Entity - The auditor must also understand the entity and its environment, including its internal control. The auditor must anticipate and evaluate what could go wrong, and be able to synthesize the information gathered to determine how it might affect the financial statements. The auditor must also evaluate the design of the client’s controls and determine if those controls have been implemented (which is different from tests of controls). In evaluating whether controls have been implemented, the auditor should determine if there is an awareness of the existence of the procedure in question and if the staff implementing the control have a working knowledge of how the procedure should be performed.

Assess Risk - The auditor must assess the risk of material misstatement by identifying risks throughout the process, relating the identified risks to what can go wrong at the relevant assertion level and considering whether the risks could result in a material misstatement to the financial statements. Once “significant risks” have been identified, the auditor can then design audit procedures accordingly.

Design Audit Procedures - The auditor should design overall responses and further audit procedures at both the financial statement level, and the relevant assertion level. In designing audit procedures, the auditor must provide and document a clear linkage between the assessment of the risk of material misstatement and the nature, timing and extent of the further audit procedures.

The Standards enhance the requirements for audit documentation. The more complex the entity, the more extensive the required audit procedures and therefore the more extensive the documentation requirements.

Throughout the Standards it is emphasized that an audit is a cumulative and iterative process. Assessed risk can change as audit evidence is gathered and the auditor must reevaluate the planned audit procedures based on the revised consideration of assessed risks. Risk assessment and therefore audit procedures should be fluid and flexible at all phases of the audit.

The implementation of these standards will primarily change the methods used by auditors in determining the nature, timing and extent of audit procedures to be performed. Clients will need to communicate with their auditors on their processes in more detail, and should expect more testing of their systems rather than validation of their accounts.

The most recent standard issued by the AICPA is SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, which is effective for periods ending on or after December 15, 2006. This standard provides guidance on communicating matters related to an entity’s internal control over financial reporting identified in an audit of financial statements.

Auditors were not required to perform procedures to identify deficiencies in internal control or to express an opinion on the effectiveness of the entity’s internal control. This Standard provides that the auditor must evaluate identified control deficiencies and determine whether these deficiencies, individually or in combination, are significant deficiencies or material weaknesses. The significance of a control deficiency depends on the potential for misstatements, not on whether a misstatement actually has occurred. Accordingly, the absence of identified misstatement does not provide evidence that identified control deficiencies are not significant deficiencies or material weaknesses.

Auditors should consider multiple factors that may affect the likelihood that a control, or combination of controls, could fail to prevent or detect a misstatement. Examples of factors are as follows:

  • The nature of the financial statement accounts, disclosures, and assertions involved
  • The susceptibility of the related assets or liabilities to loss or fraud
  • The interaction or relationship of the control with other controls
  • The possible future consequences of the deficiency

Several factors affect the magnitude of a misstatement that could result from a deficiency or deficiencies in controls. The factors include, but are not limited to, the following:

  • The financial statement amounts or total of transactions exposed to the deficiency
  • The volume of activity in the account balance or class of transactions exposed to the deficiency in the current period or expected in future periods

The existence of significant deficiencies or material weaknesses may already be known to management and may represent a conscious decision by management to accept that degree of risk because of cost or other considerations. Management is responsible for making decisions concerning costs to be incurred and related benefits. The auditor’s responsibility to communicate significant deficiencies and material weaknesses in accordance with the standard exists regardless of management’s decisions.

Communication to management may be done orally or in writing. Oral communication requires further audit documentation. Written communication is limited to the use of management and is not intended to be and should not be used by anyone other than these specified parties.

Clients should expect more communication of deficiencies and weaknesses in internal control from their auditor. The implementation of this standard will primarily enhance the internal control phase of the audit and require auditors to inquire in more detail about the entity’s environment.
