Risk and reward

By Joy Keenan

The revised audit risk standards are a major undertaking, so guidance is vital for a timely and appropriate adoption

Events of the past few years have not just undermined the public’s confidence in the effectiveness of audits and led to an intense scrutiny of the work of auditors, but they have also influenced the revised audit risk standards (see Impact of the audit risk standards) of the Auditing and Assurance Standards Board (AASB). The main objective of the standards is to enhance how auditors assess and respond to material risks of error and fraud in financial statements by introducing new and revised requirements to the existing audit risk approach and more clearly linking the standards in the audit risk framework.

IMPACT OF THE AUDIT RISK STANDARDS New sections  Reasonable Assurance and Audit Risk, Section 5095 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, Section 5141 The Auditor’s Procedures in Response to Assessed Risks, Section 5143 Substantially revised sections Materiality in Conducting an Audit, Section 5142 (replaces 5130) Audit Evidence, Section 5300 Assurance and Related Services Guideline AuG-41, Applying the Concept of Materiality (replaces AuG-31) Deleted sections Knowledge of the Entity’s Business, Section 5140 Internal Control in the Context of an Audit — Scope and Introduction, Section 5200 Understanding Internal Control for Audit Planning Purposes, Section 5205 Assessing Control Risk, Section 5210 Assurance and Related Services Guideline AuG-35, Risk Assessments and Internal Control — CIS Characteristics and Considerations

In developing the Canadian standards — which are harmonized with the audit risk standards of the International Auditing and Assurance Standards Board — the AASB followed an extensive consultation process. It concluded that:

• the general principles underpinning an audit of financial statements apply to all engagements, regardless of size or jurisdiction;
• the revised standards reflect the current accepted practice in Canada and internationally;
• the revised methodology appropriately adapts the former audit methodology to the changing business environment.

In general, respondents to the Canadian exposure draft agreed with the approach taken in the revised audit risk standards. However respondents also emphasized that the implementation of these standards could be a major undertaking, particularly for practitioners in smaller practices, and therefore guidance on how to implement the standards  is vital to their timely and appropriate adoption.

Practice implications
The main features of the new and revised standards, and their implications for audit practice, are as follows.

Understanding the entity and its environment, including internal control. Section 5141 expands what auditors should understand about the entity. Auditors are required to obtain an understanding of the entity’s business risks to the extent that the risks are relevant to the financial statements. Business risks result from significant conditions, events, circumstances or actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies. The auditor needs to have a broader understanding of these risks and other elements of the entity and its environment, including internal control, to have a sound basis for identifying and assessing where material errors or fraud may occur. This understanding also assists in making judgments about materiality and in evaluating audit evidence.

Sources of information for obtaining the understanding of the entity and its environment, and procedures for obtaining such information. The procedures to obtain the necessary understanding are referred to as “risk assessment procedures.” Auditors must perform risk assessment procedures in all audits. The standards emphasize the need to have a broader understanding of how aspects of an entity’s operations may affect the risk of misstatement of the financial statements. For example, the auditor is expected to obtain relevant information from those having operational roles within the entity in addition to those directly involved in the financial reporting process. The standards emphasize, however, that while risk assessment procedures provide audit evidence that contributes to the audit opinion they are not sufficient, alone, to support the opinion.

Significant risk. The standards define a new concept: significant risk. It requires special audit consideration, including meeting the following requirements:

• Auditors must evaluate the design of controls over significant risks and determine the implementation of controls that address significant risks.
• When a significant risk is identified and reliance is planned on the operating effectiveness of controls intended to mitigate the risk, audit evidence must be obtained about the operating effectiveness of relevant controls in every period audited.
• When the approach to significant risks consists just of substantive procedures, audit procedures must include tests of details.

Internal control. The standards contain a new definition of internal control derived from the Internal Control — Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission. Internal control includes the control environment, the entity’s risk assessment process, the information system and related business processes relevant to financial reporting and communication, control procedures and monitoring of controls.

Section 5141 requires auditors, for all audits, to evaluate the design of internal control and to determine whether controls have been implemented, even when a substantive audit approach is anticipated. In doing so, auditors focus on controls that are relevant to the audit, particularly those that relate to assertions for which substantive procedures alone are not sufficient. Auditors are required to test the operating effectiveness of such controls. They are also encouraged to test controls for which their risk assessment includes an expectation of the controls’ operating effectiveness.

Because of the pervasiveness of the entity’s risk assessment process and its monitoring of controls, the standards require an understanding of such controls regardless of whether reliance is planned on their operating effectiveness. For example, if the auditor identifies risks of material misstatement not identified by the entity’s risk assessment process, the auditor would consider why the process failed to do so and whether the process is appropriate in the circumstances.

This guidance, along with increased guidance on the entity’s control environment, is intended to assist in understanding the role of management and those charged with governance in the entity’s overall internal control, and how such controls may affect audit procedures.

Supporting the assessment of the risks of material misstatement at the financial statement level and at the assertion level. The standards described risk assessment as a combined assessment of inherent risk and control risk, and permit auditors to perform combined or separate assessments. Auditors are required to assess the risks of material misstatement at the financial statement level and at the assertion lev-el, identify risks that are significant and identify assertions for which substantive procedures alone will not be sufficient. In addition, auditors are required to support risk assessments, at whatever level, based on their understanding of the entity and its environment, including internal control.

Linking assessed risks to audit procedures responsive to those risks. Auditors are required to determine overall responses to address the risks of material misstatement at the financial statement level and to design and perform audit procedures whose nature, timing and extent are clearly linked to the assessed risks of material misstatement at the assertion level. Responses to risks at the financial statement level include, for example, giving audit staff assignments appropriate to their levels of skill and experience and incorporating elements of unpredictability in the selection of audit procedures.

Reliance on evidence from prior periods. Section 5143 clarifies and strengthens the guidance on the ability to rely on audit evidence pertaining to the effectiveness of controls obtained in previous audits. When auditors intend to rely on controls that have not changed since they were last tested (based on evaluation of the control design and whether the controls are implemented in the current period), auditors are required to test the operating effectiveness of such controls at least every third audit. In doing so, they need to take into account that the longer the elapsed time since a control has been tested, the less audit evidence the control may provide about its effectiveness in the current year.

In addition, the new standards place a greater emphasis on obtaining evidence about disclosures and introduce documentation requirements to demonstrate compliance with the standards.
 
Implementation
The new standards are effective for periods beginning on or after January 1, 2006. However, auditors are advised to begin planning for their adoption as early as possible.

The impact of the new and revised standards on practice depends on the current audit methodology. Some practitioners may need to make significant changes to their current approach (for example, changes to supporting materials such as audit programs and checklists).

In some cases, this may result in a change to the audit approach or a change in the nature, timing or extent of audit procedures performed on particular engagements. In many cases, implementation of the standards may require increased or different work effort by the audit team, particularly for new engagements and when first implemented on continuing engagements.

To respond to practitioners’ concerns with the need to ease the transition from the existing audit approach to the new standards, the CICA has initiated development of implementation guidance, particularly for audits of small entities. Initiatives include updating the Practice Engagement Manual and the audit technique study Audit of a Small Business.
 
Reaping the rewards
Although the new standards will undoubtedly require some degree of change in virtually all financial statement audits, the AASB is confident that they represent a significant strengthening of auditing standards that will serve the public interest by promoting audit quality.