
Evolution of Risk Assessment Standards: Impact on Future Practice

This article discusses the evolution of risk assessment standards in auditing, from minimal guidance in the 1970s to more structured requirements in the 1980s. It explores the possible effects of the current standards on future auditing practices.

xaviere

Presentation Transcript


  1. AUDITORS MOVING FROM GUIDANCE TO REQUIREMENTS: ARRIVING AT THE RISK ASSESSMENT STANDARDS Brian Patrick Green, CPA, Ph.D. University of Michigan-Dearborn bpgreen@umd.umich.edu Alan Reinstein, CPA, D.B.A. Wayne State University a.reinstein@wayne.edu

  2. PURPOSE • 1970’s audit standards offered minimal guidance for risk-based audit planning. • Practitioners did not apply standards consistently. • 1980’s standards provide more structured guidance for auditor’s • assessment of identified risks • audit planning focus on internal control environment • plan respond to risks • Evolved into auditing risk assessment standards. • Purpose: • describe the evolution of risk assessment • discuss the possible effect of the current standards on future practice. INT

  3. INTRODUCTION • ASB did not exist 35 years ago • Statements on Auditing Procedures provided limited audit guidance • 1972: auditor would assert that audit procedures selected were based on evaluation of internal control. However, the auditor would be hard pressed to provide evidence. • ASB 1973, audit standard focus relating audit procedures to the strengths and weaknesses of internal control environment. • ASB’s 2006 Risk Assessment Standards (RAS) (SAS Nos. 104-111) issuing standards and guidance on matching audit risk with audit effort. INT

  4. Foundation Standards • Early ASB’s focus: • guide auditors plan for timing, nature and extent of audit procedures • evaluate the procedure’s results • Auditor professional judgment • Standards combine good/leading practice • General guidance vs specific rules • Review IC as audit by-product INT

  5. Trend Towards Assessing Risk • SAS No. 31, Evidential Matter (1980) • Planned evidence followed the link between management objective, specific audit objectives, and substantive procedures • consider the accounting system’s internal consistency • used professional judgment to assess inherent and control risk FS

  6. “Guidance” versus “Requirements,” • SAS No. 39 (1981), Audit Sampling • factors that should anchor the quantitative decision to meet the sufficient evidence criteria • consider item’s dollar amount, risk created by the item under audit, and expected frequency of misstatement • linked sample size directly to the auditor’s plan to rely on internal control FS

  7. Supporting Auditor Judgment • SAS No 41 (1982), Working Papers • Content based on judgment of sufficient • Described what auditor “should” do • Document internal control, but not required to test • Listed factors that might affect judgment • SAS No 47 (1983), Audit Risk and Materiality • Too theoretical/no definitive method • Should gain an understanding of controls…judgment to test FS

  8. Expectation Gap Standards • Sustained SAS No. 47’s distinction between control and inherent risks • Moved from guidance to some requirements • Began to require specific audit documentation EGS

  9. Internal Control & Fraud • SAS No 53 (1988) • Must plan the audit to provide reasonable assurance • Must report discovered fraud • Documentation requirements • Still conceptual • SAS No 55 (1988) • Must gain an understanding • Should document understanding • Few specifics/not required to test controls EGS

  10. Fraud Risks' Effect on Requirements • SAS No 82 (1997) • Move from guidance to requirements • Required to assess and document risk of fraud, develop and document specific response, and communicate potential fraud • SAS No 99 (2002) • Added more requirements • What is risk of fraud (revenue, management IC) • Brainstorm EGS

  11. Redefining Due Professional Care • RAS, SAS No. 104-111 (2006) for Private companies • Required in-depth understanding of statements, operations, and control environment • Anchored on IC and ability to mitigate risk • Link assessed risk to timing, nature, and extent • Adds consistency to “due professional care” • Increased use of must and should RAS

  12. Must vs Should: Intent of Standards • PCAOB defined the terminology to state expressly the auditor’s “degree of responsibility” in complying with professional standards. • Public Company Accounting Oversight Board defined in Rule 3101 (PCAOB 2004). Certain Terms Used in Auditing and Related Professional Practice Standards and an Amendment to Rule 1001: • “Must,” …indicate unconditional responsibilities. The auditor must fulfill responsibilities of this type in all cases… • “Should” indicates responsibilities that are presumptively mandatory… comply with requirements unless the auditor demonstrates that alternative actions… were sufficient RAS

  13. Added Requirements to Achieve Due Professional Care • SAS No 103 (2005) Audit Documentation • Lists required audit documentation for risk, response, evidence, procedures, 5 year rule • SAS No 105 (2006) Amendment GAAS • Links risk, IC, audit procedures…document • SAS No 107 (2006) Risk and Materiality • Must obtain an understanding, • Should consider analytics RAS

  14. Added Requirements to Achieve Due Professional Care • SAS No 109 (2006), Understanding the Entity • Must gain an understanding of entity, environment, and IC • Audit Risk = Risk of Misstatement * Detection Risk • Should collect and document nature of client evidence • Should obtain an understanding of external risks • Control risk is not 1.0 • Audit team should discuss understanding and risks • Team must consider significance and likelihood of risks RAS

  15. RAS Requirements: Examples of “Must” “Must” involves critical steps in the audit process. RAS

  16. RAS Requirements: Examples of “Should” “Should” describes audit procedures that are used to help satisfy the critical steps

  17. Impact on Practice • Move from guidance to requirements • Specific use of “must” “should” “should consider” • Lessened professional judgment in key areas: • Risk • Planning • Internal control • Documentation • Due professional care is supported by increasing requirements and less professional judgment • Other thoughts • ASB and PCAOB are becoming consistent • Big GAAS, Little GAAS Consistent practice RAS
