Assessing risk during an audit
Published October 25, 2020
Risks abound in today’s challenging business environment. Business owners and their advisors must constantly be on the lookout for emerging risks that threaten business operations and financial reporting. In light of these changes, on August 27, the Auditing Standards Board (ASB) issued a proposal that would revise its audit standards related to risk assessment.
Keeping up with the times
The ASB is the part of the American Institute of Certified Public Accountants (AICPA) that sets standards for audits of private companies. In recent years, the business environment has changed dramatically, so the ASB is considering updates to the risk assessment standards. Auditors use risk assessment to determine the nature and scope of confirmation, testing, inquiry and analytical procedures that are appropriate during your company’s external audit.
If finalized, Proposed Statement on Auditing Standards (SAS), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, would supersede SAS No. 122, Statements on Auditing Standards: Clarification and Recodification, and AU-C Section 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment. The proposal would also revise various other AU-C sections.
“The way business is conducted and the manner in which entities record, process and summarize financial information has evolved rapidly,” said AICPA Chief Auditor Bob Dohrer. “This evolution affects the auditor’s assessment of the risks of material misstatement. This proposed SAS, which reflects this ongoing transformation, improves audit quality by enhancing the auditor’s process for identifying and responding to the risks of material misstatement in an entity’s financial statements.”
If approved, the proposed SAS would enhance the guidance on identifying and assessing risks of material misstatement. In particular, the guidance addresses a company’s system of internal controls and information technology (IT).
The proposal includes new guidance aimed at enhancing the auditor’s professional skepticism. It also revises the definition of “significant risk” so that auditors will be focused on where the risks lie on a spectrum of inherent risk.
Specifically, the proposed definition is an identified risk of material misstatement “for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur; or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections.”
Currently, the definition focuses on risks that require special audit considerations. But inspection findings show that there has been a lack of consistency when determining significant risks.
The ASB believes that one of the main reasons for this inconsistency lies in the definition of “significant risk.” The proposal notes that the current definition focuses the auditor on the response to the risk, rather than the nature of the risk.
The AICPA says the proposed SAS is based on the International Standard on Auditing (ISA) No. 315, Identifying and Assessing the Risks of Material Misstatement, issued by the International Auditing and Assurance Standards Board (IAASB). The ASB’s proposal strives to converge U.S. auditing standards with international auditing standards while considering the unique circumstances of U.S. business environment.
Comments on the ASB’s proposal are due by November 25. If issued as final, the proposed SAS will be effective for audits of financial statements for periods ending on or after December 15, 2023.
The effective date of the proposed SAS would be several years away, if it’s approved. But auditors are keenly aware of today’s volatile market conditions, and they recognize that prior years’ risk assessments may need to be updated to maintain audit quality. During the upcoming audit season, be ready for more audit procedures (including testing and inquiry) related to your company’s internal controls, cyberthreats and other risk factors as your auditors assess your current situation.