Note: This article is the first in a series about the AICPA’s new standard on auditor’s risk assessment. This article provides an overview of the standard, highlighting significant (but not all) changes to the auditor’s risk assessment process. Future articles further discuss new concepts and requirements related to the auditor’s assessment and how they may affect future audits of your financial statements. The new standard is effective for audits of financial statements for periods ending on or after December 15, 2023.
Risk assessment. If I had to describe the practice of auditing financial statements in just a couple of words, those words would be risk assessment. Why? Let’s take the following passage from the auditor’s report:
In performing an audit in accordance with [auditing standards generally accepted in the United States of America], we…
Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.
What does this passage mean?
The phrase on a test basis basically means auditors do not look at everything. There’s not enough time for auditors to examine every transaction and consider every decision that goes into preparing a set of financial statements and still perform an efficient and effective audit. Since there’s not enough time to look at everything, auditors must use judgment to determine which transactions to test and where to focus their attention. The auditors’ process of determining where to focus their attention and which audit procedures to perform is risk assessment. Simply put, financial statement items such as transaction classes, account balances, or disclosures determined to have a higher risk of being misstated will get more attention.
The concept of risk assessment has been at the core of auditing since the issuance of the first Statement on Auditing Standards. However, from time to time, the AICPA’s Auditing Standards Board clarifies or enhances the requirements and guidance for the auditor’s risk assessment process. The latest revisions to this process are included in Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.
In a news release announcing the issuance of SAS No. 145, the AICPA’s Chief Auditor said, “The auditor’s risk assessment drives almost every part of the audit. As a result, the evaluation of risks sits at the core of audit quality. SAS No. 145 supports the performance of quality audits by providing additional clarity and guidance in identifying and evaluating risks of material misstatement, while considering the evolving nature of business.”
So, the revisions in SAS No. 145 do not change the key concepts behind risk assessment. Rather, according to the Executive Summary of the standard, the standard “clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.” For example, SAS No. 145 enhances the requirements and guidance related to obtaining an understanding of an entity’s system of internal control and assessing control risk. SAS No. 145 also enhances the guidance that addresses the economic, technological, and regulatory aspects of the markets and environment in which entities and auditors operate.
SAS No. 145 also includes revised and new requirements and guidance, including, among other things, the following:
- A list of inherent risk factors, and new requirements to consider those factors, intended to assist the auditor in focusing on the factors that affect the susceptibility to misstatement, which, in turn, results in a more focused identification of risks of material misstatement. SAS No. 145 also introduces the concept of the spectrum of inherent risk, which is the degree to which the inherent risk factors affect the susceptibility to misstatement.
- A revised definition of and requirements relating to significant risks. A significant risk represents an identified risk of material misstatement at the higher end of the spectrum of inherent risk. Significant risks also include certain risks that are to be treated as a significant risk in accordance with the requirements of other sections of the auditing standards, such as fraud risks and related-party transactions that are also significant and unusual transactions.
- A new “stand-back” requirement intended to drive an evaluation of the completeness of the auditor’s identification of significant transaction classes, account balances, and disclosures.
- New guidance on scalability and complexity. SAS No. 145 recognizes that some smaller entities may be complex, and some larger entities may be less complex. Thus, complexity primarily drives the scale of the audit rather than the size of the entity. Scalability means an audit for a complex entity will be much different than an audit for a less complex entity.
- New guidance designed to enhance and emphasize the auditor’s professional skepticism, including an emphasis on the understanding of the entity and its environment as a foundation for maintaining professional skepticism throughout the audit.
Ultimately, the auditor’s risk assessment process can be viewed as an iterative process with multiple steps revisited throughout the audit as additional information is obtained. SAS No. 145 is intended to help auditors set the focus of their procedures properly when planning the audit and keep them on track until the very end.