Abstract: Auditors use risk assessment to determine the nature and scope of confirmation, testing, inquiry and analytical procedures that are appropriate during a company’s external audit. This article highlights key provisions of recently finalized audit standards on risk assessment that aim to improve audit quality. The final standard is expected to come out in October and go into effect for periods on or after December 15, 2023.
In recent years, the business environment has changed dramatically. The AICPA’s Auditing Standards Board (ASB) has responded by updating its risk assessment standards. Auditors use risk assessment to determine the nature and scope of confirmation, testing, inquiry and analytical procedures that are appropriate during your company’s external audit.
Assessing the risks
In August 2020, the ASB issued Proposed Statement on Auditing Standards (SAS), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. If approved, the proposal would supersede SAS No. 122, Statements on Auditing Standards: Clarification and Recodification, and AU-C Section 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment.
Over the last year, this proposal was revised to account for issues identified in public comment letters. In August 2021, the ASB unanimously voted to issue final audit standards on risk assessment. The final standard — SAS No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement — is expected to come out in October and go into effect for periods on or after December 15, 2023.
The updated guidance will enhance the requirements for identifying and assessing risks of material misstatement. In particular, the guidance addresses a company’s system of internal control and information technology.
Updating a key definition
The final standard revises the definition of “significant risk” to help auditors focus on where the risks lie on a spectrum of inherent risk. Under the updated guidance, significant risk is an identified risk of material misstatement “for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur; or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections.” Essentially, the higher on the spectrum of inherent risk that a risk is assessed, the more persuasive the audit evidence needs to be.
By contrast, the current definition focuses on risks that require special audit considerations. This definition has caused inconsistency when determining significant risks. It focuses on the auditor’s response to the risk, rather than the nature of the risk.
Other changes
An executive summary highlights other major changes to the auditing standard on risk assessment, including:
- Revised requirements to evaluate the design of certain controls within the control activities component and determine whether such controls have been implemented,
- A new requirement to separately assess inherent risk and control risk,
- A new requirement to assess control risk at the maximum level such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk, if the auditor doesn’t plan to test the operating effectiveness of controls,
- New guidance on scalability,
- New guidance on maintaining professional skepticism,
- A “stand-back” requirement intended to drive an evaluation of the completeness of the auditor’s identification of significant classes of transactions, account balances and disclosures, and
- Revised audit documentation requirements.
SAS No. 145 also will require auditors to perform substantive procedures for each relevant assertion of each significant class of transactions, account balance and disclosure. This requirement must be followed regardless of the assessed level of control risk.
Bottom line
Although these changes might initially seem extensive, a draft summary of the final standard says it won’t fundamentally change the key concepts underpinning audit risk. Instead, “SAS No. 145 clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.” For more information on how the updated guidance will affect future audit procedures, contact your auditor.
© 2021