Note: This article is the second in a series about the AICPA’s new standard on auditor’s risk assessment. An overview of the new standard can be found here. This article summarizes new concepts and requirements related to the auditor’s assessment of inherent risk and determination of significant risks.
As mentioned in the first article in this series, the AICPA’s new risk assessment standard [Statement on Auditing Standards (SAS) No. 145] does not fundamentally change the key concepts behind the auditor’s risk assessment process. Rather, it clarifies and enhances certain aspects of the identification and assessment of the risk that the financial statements are materially misstated. These enhancements include changes to the concepts of inherent risk and significant risks.
For some, a set of financial statements may be just a bunch of numbers and some notes about those numbers.
However, financial statements are comprised of assertions about those numbers and notes. Assertions, also referred to as management’s assertions, are representations or claims made by an entity’s management about the accuracy of the information in the entity’s financial statements. These claims may be explicit or implicit. For example, when an entity reports an amount for cash on its balance sheet, management is asserting that the cash exists, whether held by the entity or deposited with a bank or other financial institution; that all of the entity’s cash is reported; and that the cash belongs to the entity. Other assertions made by management may include that the transactions recorded in the financial statements have occurred; that the transactions have been recorded in the correct accounting period; and that assets, liabilities, and equity interests have been recorded at the proper amounts. Assertions are used by auditors to consider the different types of potential misstatements that may occur when identifying, assessing, and responding to the risks of material misstatement.
Inherent Risk, Inherent Risk Factors, and the Spectrum of Inherent Risk
Inherent risk is one of the components of the risk of material misstatement at the assertion level and is defined as “the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.” Simply put, inherent risks are the risks that exist due to the nature of the transaction class, account balance, or disclosure. For example, a transaction class or account balance comprised of a large volume of items may have a higher inherent risk than a transaction class or account balance comprised of a small volume of items. A lack of uniformity in the composition of the items may indicate additional inherent risk.
SAS No. 145 did not change the definition of inherent risk; however, it introduces the definition of inherent risk factors and, within that concept, the spectrum of inherent risk. Inherent risk factors are “characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls.” Such factors may be quantitative or qualitative and include complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk.
Inherent risk factors are intended to assist auditors in focusing on those aspects of events or conditions that affect an assertion’s susceptibility to misstatement, which, in turn, facilitates a more focused identification of risks of material misstatement. Depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that SAS No. 145 refers to as the spectrum of inherent risk. The spectrum of inherent risk provides a frame of reference in determining the significance of a risk of material misstatement.
Pre-SAS No. 145 guidance generally defined a significant risk as a risk of material misstatement “that requires special audit consideration.” In other words, the auditor’s planned response to a risk determined whether it was considered a significant risk. However, the AICPA noted a lack of consistency in how significant risks were determined and believed one of the main reasons for this inconsistency lay in the definition of significant risk.
To promote a more consistent approach to determining significant risks, SAS No. 145 revised the definition of significant risk to focus not on the response but on the inherent risk assessment. The definition in SAS No. 145 includes risks “for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur.”
Under SAS No. 145, it is the combination of likelihood (that is, the possibility that a misstatement may occur) and magnitude (that is, the qualitative and quantitative aspects of the possible misstatement) that matters. Auditors assess the likelihood and magnitude of a misstatement based on their understanding of inherent risk factors. The intersection of the likelihood and magnitude of a possible misstatement on the spectrum of inherent risk ultimately determines where on the spectrum inherent risk is assessed and whether a risk should be considered a significant risk.
Changes in SAS No. 145 are meant to enhance auditors’ performance
Properly assessing inherent risk, through the consideration of the newly included inherent risk factors, and understanding the revised concept of significant risk allows the auditor to more effectively and efficiently perform further audit procedures in response to identified risks.