AUDITING
Rísk'Based
Audit Best
Practices
by Michael Ramos. CPA
T
he aim of the risk assessment auditing
standards was to improve the quality and
effectiveness of audits by substantially
changing audit practice. Statements on Auditing Standards nos. 104-111 provide increased
rigor to the audit process in a number of key
areas including the assessments of inherent and
control risks and the linking of these risk assessments to further audit procedures.
This year marks the third anniversary of the standards' effective dale. Across the profession much progress has been
made toward the uUimale goal of a more reliable audit
process, but even more is possible as we continue to leai n
about the standards' practical application.
This article captures some of the most important lessons
learned and besi practices that have emerged during the
extended implementation of ihe risk assessment standards
(see sidebar, "Methodology Behind Application Suggestions").
IMPLEMENTATION ISSUE NO. 1 :
EVALUATING INTERNAL CONTROL
Previous auditing standards allowed audittirs, at their discretion, to simply designate the client's internal control as
32 Journal of Accountancy December 2009
www,ioumalofaccountartcy.com
AUDITING
Exhibit 1 The COSO Process
Starting with the financial statements,
the auditor identifies...
Financial Statements
1
'
Financial
Statements
i
i
A/R
Cash
I
\
A/P
1 1
Complete
Assertions
1
Ri; ks
Risk#1
Ris ecause auditors would leverage their
ated without judging whether ihe control knowledge of ihe client obtained in prior
was properly designed. The requirement audits. In practice, realizing these savings
in the risk assessment standards to eval- has been difficult as auditors have stmguate control design has been difficuli for gled to determine the nature and extent ol
some auditors.
Lhe procedures they should perform on an
Firms that have rigorously applied the ongoing basis.
COSO process in their audit methodology have been able to perform a meaning- APPUCATION SUGGESTION:
ful evaluation of internal control design, IDENTIFY AND EVALUATE
which ultimately improves audit quality CHANGE
As shown in Exhibit 1, the COSO For years, auditors have fought a SALY
process requires the auditor lo define rel- mentality, the tendency to implicitly asevant control objectives and then deter- sume that everything on the audit is
mine the control acti\ities or combination "Same As Last Year." an assumption that
of control activities that meet ihe objective. invariably leads to diminished audit
A control system that meets the stated con- quality. The risk assessment standards
trol objectives is designed effectively A sys- give audit firms an opportunity to elimtem that leaves important control objec- inate the SALY mindset by reframing the
tives unmet is ineffective. Identifying these issue. Instead of considering how to "upcontrol weaknesses allows the auditor to date" last year's audit, start wiih lhe
better assess risks and respond by de- premise that something has changed,
signing the right mix of further audit pro- and the first priority of the current year's
cedures.
audu is to identify those changes and
stand, assess and document, which allows
the audit to be as efficient as possible.
EXECUTIVE SUMMARY
• On all audits the auditor must
evaluate the design and implementation of internal control to
properly identify and assess risk
Implementing and applying this
standard in practice has proven to
be a challenge for many firms.
• The key to implementing the
internal control evaluation requirement is "Ihe COSO
process." The auditor starts at the
highest level of aggregation, the fi-
nancial statemenls, then proceeds
through a sequence of analyses
that grow increasingly granular
until the auditor ultimately assesses individual control activities.
• Auditors have struggled to
determine the nature and extent of the procedures they
should perform on an ongoing
basis, instead of considering how
to update the prior year's audit,
make identifying changes in the
34 Journal of Accountancy December 2009
organization your first priority.
• The broad scope of the risk
assessnnent standards made it
difficult for audit firms to optimize
implementation of the standards
by developing firm policies and
practice aids. The temptation is to
use policies and practice aids developed by others, but by developing and owning their own approaoh, firms gain more in-depth
knowledge of the standards and
of their clients' businesses that
will help them truly optimize
processes and maintain quality.
Michael Ramos (micfiaeljramos®
mac.com) is a consu/ia/i/ and
writer who specializes in auditor
training.
To comment on this artide or to
suggest an idea far another artide.
contact Matthew G. Lamorvaux,
senk»- &iHor. at mlamorvaux®
alcpa.org or 919-402-4435.
www.journalofaccountancy.com
AUDITING
Exhibit 2 Identify and Evaluate Change
Knowledge from prior year
environment, excluding
internai control
Current-year procedures
'^
Changes in entity arxl
"^ H itsenvironi—*^
,
Knowledge from prior year
^, I
Knowledge from prior year
i
Current-year judgment
Inherent risks
Internal control
Do changes ' ^ indicate new inherent
^ ^ risks?
Yes
- Current-year judgment
Should prioryear controls change to
address new risks?
Knowledge from prior year
control
design
Changes
Yes
n I/C design or
plenientation?
No
Yes
t
Current-year procedures
Assess risk of material
misstater
Current-year procedures
Assess design eftectiveness and
of material misstatemen^
determine their effect on risk by asking
questions such as:
• What has changed at the entity and
in its operating environmeni since our last
audit?
• As a result of these changes, how
have inherent risks at ihe client changed
since our last audil?
• Were changes lo internal control necessary to address these changes to inherenl risk?
Oniy Lit'tcr the auditor has adequately
answered ihese questions will he or she be
able to determine ihe nature and extent of
www.iournalofaccountancy.com
Current-year procedures
Gain understanding of I/C. assess design
etfectiveness and risk ot material misstatement
addilional risk assessment procedures.
Exhibit 2 describes a structured process
for applying tliis approach.
UNDERSTANDING AND
EVALUATING CHANGE
In Exhibit 2:
• The blue diamonds describe the key
audit judgments ihai should be made in
the current year,
• The blue rectangles summarize the
risk assessment procedures that should be
performed in the current year.
• The green ovals summarize ihe
knowledge that is catTied forward from
prior-year audits and how il factors into
current-year audit judgments.
Read this decision tree from top to bottom;
• Begin by considering the nalure of
the changes to the entity and its environment since the previous audit. It is key to
ask whether those changes have resulled
in changes to inherent risks. For example,
the current recession may create inherent
risks for your client ihai were not present
before (he economic downturn.
• lfinherenlrisksareunchanged,(and
assuming ihai the prior year's controls
December 2009 Journal of Accoumancy
35
AUDITING
were effectively designed and implemented) the auditor will need to verify the implemeniation of controls to detenniiie
whether there have been any changes in
their design or implementation.
• tí changes in the entity or its environment create new or modified inherent risks, then the auditor will need to
determine whether changes in internal
control were necessary to address ihose
new risks. For exatnple, the recession
may create risks related to asset valuation
that were not material in the past. In
prior years, the client did very little to
evaluate asset impairment. But m the
current environment, the auditor should
detemime whether the client has changed
its control procedures in response to the
heightened level of risk.
The bottom of ihe diagram describes
three possible scenarios:
• If the controls in place during the
prior year would have been effective in addressing the current year's risks and [he auditor has determined that there have been
no changes to those controls, then the auditor is prepared to assess the risk of material misslaiement.
• if the prior year's controls would
have been effective in addressing the current, yeafs risks but the auditor discovers
that the design or implcmentaLion of those
controls has changed, then the auditor will
need to assess the design of those new controls belore assessing the risk of material
misstatement,
• For all new or significantly changed
inherent risks that could not be effectively addressed by the prior year's controls,
the process will be similar to that undertaken in the initial Implementation. The
auditor will have to perform risk assessment procedures to gain an understanding of the design and implementation of
controls to ser\'e as a basis for assessing
risk of material misstatement.
IMPLEMENTATION ISSUE NO. 3:
ONGOING IMPLEMENTATION
The sweeping scope of the risk assessment
AICPA RESOURCES
JofA articles
• "Assessing and Responding to Risks in a Financial Statement Audit:
Part li; Jan. 07, page 59
• "Assessing and Responding to Risks in a Financial Statement
Atidit," July 06, page 43
Use ioumalofaccountancy.com to find past articles. In the search
box, click "Open Advanced Search" and then search by title.
standards made it difficult tor even [he
most resource-rich audit firms to optimize
implementation of the standards. Mosl
firms continue to refine their audit approaches and set firm policy [o deal with
issues that arise as a result of applying ihe
standards.
The ongoing implementation Issues for
audits of smaller businesses will require
even more attention. Audits of smaller, less
complex businesses pose many challenges
ihat may not exist in audits of larger
clients. For example, auditors of smaller,
less complex businesses frequently encounter:
• Accounting records that require significant adjustments pnor to the slart of
significant auditing procedures.
• Significant transactions with unaudited related parties.
• Less sophisticated or formal internal
controls characterized by minimal documentation, lack of segregation of duties,
and an overall lack of in-house accounting expertise.
Approach (#RCSA)
• Auditor's Risk Assessment Process: Tackling the Risk Assessment
SASs (#ARAP)
• Detecting Misstatements: Integrating SAS 99 and the Risk
Assessment Standards (#DEMI)
To access courses, go to aicpalearning.org and click on "On-Site
Training" then search by "Acronym Index." If you need assistance,
please contact a training representative at 800-634-6780 (option 1).
iT Center and CUP credentiai
CPE
The
Information Technology (IT) Oenter provides a venue for CPAs,
Risk Assessment Standards-Understanding the Entity and Assessing
their clients, employers and customers to research, monitor, assess,
Risk, a CPE self-study course (#738801)
educate and communicate the impact of technology developments on
Publications
business solutions. Visit the IT Center at aicpa.org/INFOTECH.
• Risk Assessment Suite of Standards (#060704)
Members who v/ant to maximize information technology to increase
• Understanding the New Auditing Standards Related to Risk Asefficiency and boost profits may be interested in joining the IT Memsessment-Audit Risk Alert (#022526)
ber Section or pursuing the Certified Information Technology Profes• Assessing and Responding to Audit Risk in a Financial Statement
sional (CITP) credential. For more information about Ihe IT Member
Audit-AICPA Audit Guide. Revised Edition as of Oct. 1, 2009
Section or the CITP credential, visit aicpa.org/IToffers.
(#012459) (Available Januaiy 2010)
• The above three publications can be purchased as a bundle
Web sites
(#990104HI).
• IT Center Assurance Services resources, tinyurl.com/ybntmjn
• The AICPA Audit and Accounting Manual has been updated to in• IT Section's "Risk-Based Auditing" podcast, tinyurl.com/ycm273h
clude the risk assessment standards (#0051309).
• IT Section's "CAATTs' podcast, tinyurl.com/yclkkmx
• "CAATTs Ideal for Efficient Audits" (article), tinyurl.com/ybb5b3m
For more iniomnation or to make a purchase, go to cpa2biz.com or
• "Frequenlly Asked Questions: IT Considerations tn Risk-Based Aucall the Institute at 888-777-7077.
diting," tinyurl.com/ye6loty
On-Site Training
• "IT Considerations in Risk Based Auditing," a two-part webcast
• Applying the Risk Assessment Standards Using a Case Study
slide presentation, tinyurl.com/ybxlru6
36 loumal of Accountancv Decetuber 2(X)9
www.journalofaccountancy.com
AUDITING
Meíhodology Behind Application Suggestions
During the summer of 2009, the AICPA significantly revised the audit guide that
was originally published concurrently with the risk assessment standards. To
make these revisions, the Audii and Accounting Publications team formed an
online, collaborative work group of more than 50 auditors who worked to identify and discuss technical issues, provide suggestions and vet new content.
The issues and suggesiions described in this article were generated from the
input received from this online working group. The revised audii guide, Assessing
and Responding to Audit Risk in a Financial Statement Audit—AICPA Audit Guide,
Revised Edition as of Oct. 1, 2009 (#012459), will be available January 2010 at
cpa2biz.com.
• The need lo adapt standardized
audit practice aids developed for audits
of larger entities to the conditions that
exist on an audit of a smaller, less complex business.
APPUCATION SUGGESTION:
" O W N " YOUR METHODOLOGY
Most firms build their audit methodologies
around a set of standardized practice aids.
These forms and checklists help auditors
comply with the requirements of the standards, but they should not be confused
with the standards themselves. An auditor
can comply with the standards and prepare audit documentation in many ways.
"Forms and guidance only cover a percentage (hopefully high) of the requirements," says Lyn Graham, chair of the
AICPA task force that drafted the risk as-
firm-specific set of audit practice aids by
creatmg their own fonns or checklists for
highly judgmental areas such as the documentation of intemal controls.
"We wanted a workpaper set thai we
could continue to build on and customize," says Andrew Prather, shareholder at Clark Nuber. "For example, we work
with a lot of not-for-profit organizations.
so we wanted a format that would allow
us to build a library of templates specific
to our clients."
Like many firms, Averett, Warmus,
Durkee (AWD) formed a committee of
five to six experienced auditors to evaluate the requirements of the standards and
develop a firm-specific set of practice
aids. "We did the project during our slower time in the summer and fall and did
some practice runs with clients in differ-
Firms that make the commitment to"own"their audit
methodology do so with the expectation that it will
lead to more effective and efficient audits.
sessment audit guide, "They should not be
a substitute for training or understanding
or consulting the literature for unusual situations. From what 1 have seen, one needs
to de\nate (probably more often than auditors would like to) from the forms to
comply with GAAS."
Once thought to be the purview of only
the largestfirms,growing numbers of audit
firms are developing a more customized,
www4ournalofaccountancy.com
ent industries to work out some of the
kinks," said AWD audit partner Lena
Combs. "We made some templates from
these trials and made some samples, too,
including a sample audit binder, and then
we held in-house CPE to train everyone
on how we were going to implement the
standards. It saved us time when busy
season hit."
When asked whether she was con-
cerned that thefirm'speer reviewers would
take exception to some of their practice
aids. Combs was confident that the AWD
methodology would not be found lacking.
"1 have no doubts that peer review will
pass with little disruption."
It's not just about the forms—there is
tremendous value in the process itself. To
create practice aids, firm personnel must
obtain an in-depih understanding of the
requirements of the standards and how
they should be applied. This technical expertise becomes invaluable not only for
performing audits but also for other critical activities such as training. Firms that
make the commitment to "own" their audit
methodology do so with the expectation
that ultimately it will lead to more effective and efficient audits.
APPUCATION SUGGESTION:
EARLY PARTNER INVOLVEMENT
ON AUDITS OF SM ALLF.R.LF5S
CcnviPLEX BUSINESSES
The unique demands of an audit of a
smaller, less complex business typically
require significant involvement of the
most experienced auditors during the
audit planning process. More experienced auditors will be able to make imponant judgments about audit strategy,
including:
• Thenature, timing and extent of risk
assessment procedures designed to gather information about the client and its envirormient.
• The assessment of risks of material
misstat ement.
• The nature and extent of the auditor's documentation of assessed risks.
• The nature and extent of the documentation of the client's intemal control.
• The choice of fiarther audit procedures that are clearly linked to assessed
risks.
• The allocation of audit resources to
those areas of the audit that present the
most risk.
The significant involvement of the most
experienced auditors early in the audit
process should improve both audit quality and efficiency.
•
December 2009 Journal of Accountancy 37
Copyright of Journal of Accountancy is the property of American Institute of Ceritified Public Accountants and
its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's
express written permission. However, users may print, download, or email articles for individual use.
Purchase answer to see full
attachment