
Upload: trandat

Post on 27-Apr-2018


Audit Risk Assessment

Chapter 1 Introduction

100 Introduction and Background Information

Introduction

100.1 Auditing standards require the assessment of audit risk (the risk of material misstatement of the financial statements due to error or fraud) in audit engagements. This Guide provides the comprehensive tools and guidance that auditors need to effectively and efficiently apply risk assessment in their audit engagements. Risk assessment is an integral part of every audit and can significantly affect both audit efficiency and audit effectiveness. This Guide provides a complete package of risk assessment tools to assist in that process, including:

• detailed analysis of the risk assessment process and related standards objectives and requirements;

• practice aids for performing and documenting risk assessment; and

• practical guidance on applying risk assessment, including case studies, illustrated practice aids, and training materials, all aligned with the PPC audit approach.

100.2 Overall, risk assessment is focused towards ensuring the effectiveness of financial statement audits. In applying risk assessment, auditors explicitly consider higher risk areas by focusing on what is most likely to go wrong that could affect the financial statements. Auditors assess the risk that the financial statements are materially misstated due to error or fraud and design and perform audit procedures to respond to those identified risks. The result is a targeted effort that considers the unique circumstances of each client.

What Is Risk Assessment?

100.3 The term risk assessment in this Guide refers to an audit approach in which the auditor:

• Obtains a sufficient understanding of the client and its environment, including internal control, to identify and assess the risks of material misstatement of the financial statements, whether due to error or fraud, at the financial statement and relevant assertion levels.

• Concentrates audit effort in areas of the financial statements where there is a higher risk of material misstatement. Such areas may have a high risk because either inherent or control risk, or both, is higher.

• Provides linkage between the identified risks and the resulting audit procedures.

• Identifies lower-risk areas in which to perform less extensive procedures.

An audit approach based on risk assessment provides methods to identify higher-risk areas and assertions so that audit effort can be focused on those areas. By focusing efforts in higher-risk areas and limiting procedures in lower-risk areas, the auditor is performing a more effective and focused audit. The risk assessment approach used in this Guide is illustrated in Exhibit 1-1.

Page 1 of 22 Checkpoint | Document

5/23/2013 https://checkpoint.riag.com/app/view/toolItem?usid=bc03cp1f2643&feature=ttoc&lastCpR...

Exhibit 1-1: The Risk Assessment Audit Approach (figure not included in this transcript)

100.4 Planning Is the Key

The key to successful risk assessment is planning. In general, the risk assessment process requires significant time spent in up-front planning. During the planning process, the auditor gains sufficient knowledge of the client to identify the risky audit areas and assertions and determine the procedures necessary to address identified risks. For lower-risk areas, the auditor determines what limited procedures will be necessary in light of the low assessed level of risk. The time spent during the planning process should ordinarily provide efficiencies from limiting procedures in lower-risk areas. And because the auditor is focusing his or her efforts on higher-risk areas, the audit approach is more effective. Also, the auditor's increased knowledge of the client's business and operations can add value to client service. The auditor may be able to provide the client with more insightful and practical comments and recommendations about matters that might benefit the client's business. Because of the increased emphasis on obtaining an understanding of the entity and the design and implementation of internal control as a basis for the auditor's assessment of risks, the auditor may identify control deficiencies that are required to be reported to management and those charged with governance. Control deficiencies are discussed in section 1814 of PPC's Guide to Audits of Nonpublic Companies.

100.5 Because risk assessments require significant judgment, auditing standards require that the engagement partner and other key members of the engagement team be involved in planning the audit. Normally it is more effective and efficient to have an experienced auditor make the risk assessments and prepare the planning documents. However, all levels of the engagement team ought to be involved in the risk assessment process.

100.6 Integration of Fraud Risk Assessment

Auditing standards stress that the auditor's consideration of fraud is not separate from consideration of audit risk but is integrated into the overall audit risk assessment process. Although the requirements and guidance presented for risk assessment may suggest a sequential process, the audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the financial statements in conformity with the applicable financial reporting framework that is used by the entity.¹ Therefore, risk assessment procedures are performed concurrently with other procedures, and the evaluation of risks, including fraud risks, occurs continuously throughout the audit. This Guide integrates the requirements for fraud risk assessment within the overall risk assessment process by addressing those requirements at relevant points throughout the Guide.

Risk Assessment Objectives

100.7 The overall objective of risk assessment is to understand the entity and its environment, including internal controls, to identify and assess the risks of material misstatement at the financial statement and relevant assertion levels in order to provide a basis for designing and implementing responses to those risks. Specific objectives related to the risk assessment procedures discussed in this Guide are summarized at the beginning of each chapter.

100.8 Key Provisions of the Standards Relating to Risk Assessment

The following list presents some of the key elements of auditing standards with respect to risk assessment.

• Emphasis on the Quality and Depth of the Required Understanding of the Entity and Its Environment. In addition to the components of internal control, auditing standards specify aspects of the entity and its environment about which the auditor should obtain an understanding to identify and assess where material misstatements could occur.

• Requirement to Assess Risks. Auditing standards do not permit assessing control risk “at the maximum” without support. Risk assessment, at whatever level, should be supported by the auditor's understanding of the entity and its environment, including internal control. Auditors are required to identify significant risks that need special audit consideration, as well as other risks where the application of substantive procedures alone will not sufficiently reduce detection risk.

• Emphasis on Evaluating and Testing Controls. Obtaining an understanding of internal control involves evaluating the design of a control and determining whether it has been implemented. In addition, control risk cannot be assessed at the maximum level without documenting the basis for that conclusion. As a result of the emphasis on understanding controls, testing of controls may frequently be considered. However, testing of controls is not required unless the auditor intends to rely on the operating effectiveness of controls to alter the nature, timing, or extent of substantive procedures, or the auditor concludes that substantive procedures alone will not sufficiently reduce detection risk.

• Emphasis on Linkage between Assessed Risks and Resulting Audit Procedures. Auditors are required to develop overall responses that address risks of material misstatement at the financial statement level as well as procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level. The risk assessment standards stress the importance of the nature of audit procedures in responding to assessed risks.

• Guidance on Substantive Procedures. Auditing standards indicate that substantive procedures should be applied to all relevant assertions related to each material class of transactions, account balance, and disclosure to detect material misstatements at the assertion level, regardless of the assessed risk of material misstatement. The standards also require the auditor to reconcile financial statements (and the accompanying notes) with supporting records, and to examine material journal entries and other adjustments that were made when preparing financial statements.

• Emphasis on Testing of Disclosures. Assertions about presentation and disclosure include completeness and understandability to users. Auditing standards emphasize that risks of material misstatement should be considered for disclosures.

• Documentation Requirements. Among other items, auditors are required to document overall responses to address the assessed risks of material misstatement at the financial statement level; the risk assessment at the relevant assertion level; the nature, timing, and extent of the further audit procedures; the linkage of audit procedures to assessed risks; and the results of the audit procedures.

100.9 Appendix 1A presents key questions and answers on risk assessment. Appendix 1B is a diagnostic questionnaire that can be used to consider whether the requirements of the standards are being met, and how to meet the requirements effectively and efficiently, in an audit.

Terminology

100.10 Auditing standards use specific terminology to describe the auditor's responsibility for planning and performing an audit. Some of those terms, which are significant in the risk assessment process, are discussed in the following paragraphs.

100.11 Audit Strategy

The audit strategy is the auditor's operational approach to achieving the objectives of the audit. It is a high-level determination of the audit approach by audit area. It includes the identification of audit areas with a higher risk of material misstatement, the overall responses to those higher risks, and the general approach to each audit area as being substantive procedures or a combined approach of substantive procedures and tests of controls. As part of risk assessment, the auditor should establish an overall strategy for the audit. Audit strategy is discussed beginning at paragraph 206.35.

100.12 Audit Plan

The audit plan is more detailed than the audit strategy and includes the nature, timing, and extent of audit procedures to be performed by audit team members to obtain sufficient appropriate evidence. The audit plan is commonly referred to as the audit program. The audit plan is discussed in section 305.

100.13 Relevant Assertions

One of the terms of central importance in risk assessment is relevant assertions. The assertions that are relevant for a particular class of transactions, account balance, or disclosure are those that have a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. A routine example is that the valuation assertion is usually not relevant to the cash account unless currency translation is involved. Another example is that the valuation assertion is usually not relevant to the gross amount of the accounts receivable balance, but is usually relevant to the related allowance for doubtful accounts.

100.14 Auditing standards related to risk assessment give prominent recognition to the idea of relevant assertions. References to “decisions made at the relevant assertion level” mean decisions made about the relevant assertions within a class of transactions, account balance, or disclosure. As discussed in Chapter 3, the auditor assesses risks of material misstatement at the relevant assertion level and designs audit procedures to mitigate those assessed risks.

100.15 Significant Risk

Another term of importance in risk assessment is significant risk. A significant risk is an identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration. The reference to “requires special audit consideration” indicates the basic idea. A risk is a significant risk if an analysis of inherent risk indicates that the likely magnitude of the potential misstatement and the likelihood of the misstatement occurring are such that they require special audit consideration. The determination of whether a risk requires special audit consideration is based on an assessment of inherent risk and does not include consideration of controls. Significant risks generally relate to nonroutine transactions (i.e., transactions that are unusual due to their size or nature) and complex or judgmental matters. Transactions that are routine, noncomplex, and subject to systematic processing have lower inherent risks and are less likely to involve significant risks. Identified fraud risks are always significant risks. Significant risks are discussed further in Chapter 3.

100.16 Risk Assessment Procedures

Risk assessment procedures are a defined category of audit procedures performed near the beginning of an audit to obtain an understanding of the entity and its environment, including its internal control, for the purpose of identifying and assessing the risks of material misstatement, whether due to error or fraud, at the financial statement and relevant assertion levels. The risk assessment is used to determine the nature, timing, and extent of further audit procedures. Risk assessment procedures consist of inquiry, observation, inspection, and analytical procedures. Risk assessment procedures are discussed in section 201.

100.17 Risk of Material Misstatement

The risk of material misstatement is the likelihood of having a misstatement in the financial statements of a material amount prior to the audit. When considering audit risk at the overall financial statement level, the auditor should consider risks of material misstatement that relate pervasively to the financial statements taken as a whole and that potentially affect many relevant assertions. The auditor should also assess the risk of material misstatement at the relevant assertion level for classes of transactions, account balances, and disclosures. At the relevant assertion level, the assessment of risk of material misstatement is the combination of the auditor's assessment of inherent risk and control risk. Inherent risk is the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a material misstatement before consideration of any related controls. Control risk is the risk that a material misstatement that could occur in an assertion about a class of transactions, account balance, or disclosure will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. The auditor can make a combined assessment of inherent and control risk or assess the component risks separately and then combine them. Considering the overall risk assessment at the financial statement level is discussed in section 206. Assessing the risk of material misstatement at the relevant assertion level is discussed in section 304.

100.18 Further Audit Procedures

Further audit procedures are procedures an auditor performs in response to the assessed risks to reduce the overall audit risk to an appropriately low level. They consist of substantive procedures, tests of controls, and other procedures, sometimes referred to as general procedures. Further audit procedures are discussed in Chapter 4.

100.19 Other Terms

Some other terminology relevant to risk assessment that is worth noting includes—

• Audit evidence.

• Reasonable assurance.

100.20 Audit Evidence.

AU-C 500.05 states:

Audit evidence is all the information used by the auditor in arriving at the conclusions on which the auditor's opinion is based. Audit evidence includes both the information contained in the accounting records underlying the financial statements and other information.

The results of the auditor's risk assessment procedures provide evidence that contributes to forming an opinion on the financial statements.

100.21 Reasonable Assurance.

The auditor's report includes a statement that generally accepted auditing standards (GAAS) require audits to be planned and performed to obtain reasonable assurance about whether the financial statements are free from material misstatement. That statement introduces the concept of materiality to the audit report and the auditor's responsibility for detecting errors or fraud. AU-C 200.13 clarifies that reasonable assurance is a high, but not absolute, level of audit assurance.

100.22 In addition, the clarified standard AU-C 240, Consideration of Fraud in a Financial Statement Audit, includes a revised definition of fraud to converge with the ISAs, and AU-C 320, Materiality in Planning and Performing an Audit, introduces the term performance materiality. Performance materiality is an amount, set by the auditor, less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances, or disclosures. Performance materiality is to be distinguished from tolerable misstatement, which is reserved for audit sampling. These changes are not expected to have a significant effect on audit practice.

Unconditional and Presumptively Mandatory Requirements

100.23 AU-C 200.25 clarifies the meaning of certain terms used in the auditing standards and defines the terminology that the Auditing Standards Board uses to describe the degrees of responsibility that professional requirements impose on auditors and practitioners.

100.24 The contents of the auditing standards contain professional requirements along with explanatory material. The auditor's degree of responsibility in complying with professional requirements can be identified through two categories.

• Unconditional Requirements. Unconditional requirements are those that an auditor must follow in all cases in which the requirement is relevant. Those requirements are noted in the SASs by use of the words “must” or “is required.”

• Presumptively Mandatory Requirements. Auditors are also expected to comply with presumptively mandatory requirements if the circumstances are relevant to the requirement; however, in rare situations, the auditor may judge a departure from the requirement as necessary and document the justification and how alternative procedures that were performed were sufficient to achieve the objectives of the requirement. Presumptively mandatory requirements are identified by the word “should.” The requirements related to the risk assessment procedures discussed in this Guide are summarized at the beginning of each chapter.

100.25 Application and other explanatory material represents material that provides additional guidance on professional requirements or identifies other procedures or actions. An auditor is not required to perform other procedures or actions that are identified through application and other explanatory material. Those items require understanding and professional judgment regarding their applicability. Application and other explanatory material is identified through the words “may,” “might,” and “could.”

Authoritative Literature

100.26 The following standards establish requirements and provide guidance related to risk assessment:

a. AU-C 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards, defines audit risk and the related risks of which it is a function, that is, the audit risk model. (Formerly included in AU 110-230)

b. AU-C 240, Consideration of Fraud in a Financial Statement Audit, establishes requirements for identifying and assessing the risks of material misstatement due to fraud and determining the overall and specific responses to those risks, and for designing the audit to provide reasonable assurance of detecting fraud that results in the financial statements being materially misstated. [Formerly SAS No. 99 (AU 316)]

c. AU-C 250, Consideration of Laws and Regulations in an Audit of Financial Statements, establishes requirements for obtaining an understanding of the legal and regulatory framework relevant to the industry or sector in which the entity operates and how the entity complies with that framework. [Formerly SAS No. 54 (AU 317)]

d. AU-C 260, The Auditor's Communication With Those Charged With Governance, establishes requirements for the auditor to communicate with those charged with governance about the planned scope and timing of the audit. [Formerly SAS No. 114 (AU 380)]

e. AU-C 300, Planning an Audit, establishes requirements for audit planning, including development of an overall strategy and audit plan, involvement of the engagement partner and team members, and consideration of whether specialized skills are needed. [Formerly SAS No. 108 (AU 311)]

f. AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, establishes requirements for performing risk assessment procedures to provide a basis for identifying and assessing risks of material misstatement and requires obtaining an understanding of various specific matters, including the aspects of internal control relevant to the audit and, if there is one, the internal audit function. It explains the concept of assertions; provides guidance on identifying, assessing, and revising the risks of material misstatement at the assertion level; and discusses how the results of tests of controls may affect the preliminary risk assessment and planned audit procedures, and the use of analytical procedures in audit planning. [Formerly SAS No. 59 (AU 329) and No. 109 (AU 314)]

g. AU-C 320, Materiality in Planning and Performing an Audit, establishes requirements for determining materiality for the financial statements as a whole and performance materiality for assessing the risks of material misstatement at the assertion level, and determining the nature, timing, and extent of further audit procedures. [Formerly SAS No. 107 (AU 312)]

h. AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating Evidence Obtained, addresses designing and performing audit procedures that are responsive to risks at the relevant assertion level and establishes requirements for determining the nature, timing, and extent of further audit procedures (both tests of controls and substantive procedures) in response to the assessed risks of material misstatement. It provides guidance on (1) how the preliminary risk assessment affects the design of further audit procedures, including tests of controls, (2) determining when tests of controls may be appropriate, (3) the nature, timing, and extent of control tests, (4) selecting items for testing, (5) evaluating the sufficiency and appropriateness of audit evidence collected, and (6) documentation requirements. [Formerly SAS No. 110 (AU 318)]

i. AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, provides guidance on obtaining an understanding of internal control of a client that uses a service organization. [Formerly SAS No. 70 (AU 324)]

j. AU-C 500, Audit Evidence, establishes requirements for designing audit procedures that are appropriate for obtaining sufficient, appropriate evidence and describes audit procedures used to obtain audit evidence. [Formerly SAS No. 106 (AU 326)]

k. AU-C 501, Audit Evidence—Specific Considerations for Selected Items, establishes requirements for determining the completeness of litigation, claims, and assessments. It provides that the auditor's decision about whether to send a letter of inquiry to the client's lawyer is based on the auditor's risk assessment. [Formerly SAS No. 12 (AU 337)]

l. AU-C 520, Analytical Procedures, explains the use of analytical procedures as substantive tests to obtain sufficient appropriate audit evidence. [Formerly SAS No. 56 (AU 329)]

m. AU-C 540, Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures, establishes requirements relating to identifying, assessing, and responding to risks arising from accounting estimates. [Formerly SAS No. 57 (AU 342)]

n. AU-C 550, Related Parties, establishes specific additional audit requirements relating to identifying, assessing, and responding to risks arising from related-party relationships and transactions. [Formerly SAS No. 45 (AU 334)]

Related AICPA Guidance and Projects

100.27 Audit Risk Alerts

The AICPA Audit Risk Alert, Understanding the New Auditing Standards Relating to Risk Assessment, provides a summary of the risk assessment standards that were issued in 2006 as SAS Nos. 104-111 and guidance on the standards' provisions. Those SASs have been superseded by the clarified auditing standards (see paragraph 100.31). However, the clarified auditing standards do not result in significant new requirements related to risk assessment. Thus, the guidance in the Risk Alert remains useful in understanding risk assessment.

100.28 The Audit Risk Alert, General Accounting and Auditing Considerations—2011/12, was issued to help identify and respond to accounting and auditing issues related to the current economic environment. Financial and economic instability may affect the entity's operations, risks, and financial reporting, which in turn may affect the auditor's risk assessment and responsibilities in providing auditing services.

100.29 Audit Guide

The AICPA Audit Guide, Assessing and Responding to Audit Risk in a Financial Statements Audit, Revised Edition as of October 1, 2009 (the AICPA Risk Assessment Audit Guide), provides implementation guidance and case studies illustrating the implementation of the risk assessment process. It includes guidance on performing further audit procedures, including tests of controls. Although issued prior to the clarified auditing standards (see paragraph 100.31), guidance from the AICPA Risk Assessment Audit Guide remains relevant and is incorporated in this Guide.

100.30 Technical Practice Aids

The AICPA periodically issues guidance in the form of questions and answers on selected practice matters. The Technical Practice Aids are not approved by any senior technical committee of the AICPA and are, therefore, nonauthoritative. A number of technical practice aids, which are discussed at relevant points throughout this Guide, address risk assessment matters.

100.31 Clarified Auditing Standards

In response to growing concerns about the complexity of auditing standards and to converge U.S. generally accepted auditing standards with International Standards on Auditing (ISAs), the Auditing Standards Board (ASB) undertook the Clarity Project to revise all existing standards and to design a format under which all new standards will be issued. In October 2011, the ASB issued SAS No. 122, Statements on Auditing Standards: Clarification and Recodification. SAS No. 122 represents a completely new set of auditing standards revised in format, structure, style, and content from the existing standards. It supersedes almost all existing SASs through SAS No. 121, including the risk assessment standards that were issued in 2006 as SAS Nos. 104-111. (Paragraphs 100.35 and 100.37 discuss some of the changes in organization and requirements made by SAS No. 122.) In addition, the AICPA has issued SAS No. 123, Omnibus Statement on Auditing Standards—2011, which amends SAS No. 122 to address matters that arose after the clarified standards were finalized.

100.32 Effective Date.

With a few exceptions, all of the clarified standards are effective for audits of financial statements for periods ending on or after December 15,

2012. Generally, early adoption of SAS No. 122 is not permitted. However, an auditor may implement aspects of SAS No. 122 early as long as he

or she continues to comply with existing standards.

100.33 Form and Structure of the Standards.

The clarified standards were developed using formatting techniques, such as bulleted lists, that make them easier to read and understand. In

addition, each clarified standard is divided into the following topics:

• Introduction. Includes matters such as the purpose and scope of the guidance, subject matter, effective date, and other relevant

introductory material.

• Objectives. Establishes objectives that allow the auditor to understand what he or she should achieve under the standards. The auditor

uses the objectives to determine whether additional procedures are necessary for their achievement and evaluate whether sufficient

appropriate audit evidence has been obtained. The objectives related to the risk assessment procedures discussed in this Guide are

summarized at the beginning of each chapter.

• Definitions. Provides key definitions that are relevant to the standard.

• Requirements. States the requirements that the auditor is to follow to achieve the objectives unless the standard is not relevant or the

requirement is conditional and the condition does not exist. The requirements related to the risk assessment procedures discussed in this

Guide are summarized at the beginning of each chapter.

• Application and Other Explanatory Material. Provides further guidance to the auditor in applying or understanding the requirements. While

this material does not in itself impose a requirement, auditors should understand this guidance. How it is applied will depend on professional

judgment in the circumstances considering the objectives of the standard. The requirements section references the applicable application and

explanatory material. Also, when appropriate, considerations relating to smaller and less complex entities are included in this section.

100.34 New AU Section Organization.

Within the AICPA Professional Standards, the clarified standards (SAS No. 122) use “AU-C” section numbers instead of “AU” section numbers.

“AU-C” is being used temporarily to avoid confusion with references to existing “AU” sections, which are still effective through 2013. The “AU-C”

identifier will revert to “AU” in 2014, when the clarified standards are fully effective for all engagements. Exhibit 1-2 presents a cross reference

between the AU sections of the risk assessment standards and several other standards discussed in this Guide and the AU-C sections of the

clarified standards.

Exhibit 1-2

Cross Reference between SASs and Clarified Standards

Pre-Clarity Standard: SAS | Pre-Clarity Standard: AU | Pre-Clarity Standard: Title | Clarified Standard: AU-C | Clarified Standard: Title

Risk Assessment SASs

104 | AU 230.10 | Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”) | AU-C 200 | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards
105 | AU 150 | Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards | AU-C 200 | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards
106 | AU 326 | Audit Evidence | AU-C 500 | Audit Evidence
107 | AU 312 | Audit Risk and Materiality in Conducting an Audit | AU-C 200 | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards
 | | | AU-C 320 | Materiality in Planning and Performing an Audit
108 | AU 311 | Planning and Supervision | AU-C 210 | Terms of Engagement
 | | | AU-C 300 | Planning an Audit
109 | AU 314 | Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement | AU-C 315 | Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
110 | AU 318 | Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained | AU-C 330 | Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Other SASs

12 | AU 337 | Inquiry of a Client's Lawyer Concerning Litigation, Claims, and Assessments | AU-C 501 | Audit Evidence—Specific Considerations for Selected Items
45 | AU 334 | Related Parties | AU-C 550 | Related Parties
54 | AU 317 | Illegal Acts by Clients | AU-C 250 | Consideration of Laws and Regulations in an Audit of Financial Statements
56 | AU 329 | Analytical Procedures | AU-C 520 | Analytical Procedures
57 | AU 342 | Auditing Accounting Estimates | AU-C 540 | Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures
65 | AU 322 | The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements | AU-C 315 | Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (includes guidance related to understanding the internal audit function as part of risk assessment)
 | | | AU-C 610 | The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements (presents guidance on considerations when using internal auditors to reduce the work required on the audit—not discussed in this Guide)
70 | AU 324 | Service Organizations | AU-C 402 | Audit Considerations Relating to an Entity Using a Service Organization
99 | AU 316 | Consideration of Fraud in a Financial Statement Audit | AU-C 240 | Consideration of Fraud in a Financial Statement Audit
114 | AU 380 | The Auditor's Communication with Those Charged with Governance | AU-C 260 | The Auditor's Communication with Those Charged with Governance

____________________

100.35 In addition to addressing the objectives of the Clarity Project and converging with comparable ISAs, the clarified standards make certain

organizational changes to existing risk assessment standards such as:

a. Transfer the guidance on the auditor's use of assertions from AU 326, Audit Evidence, to AU-C 315, Understanding the Entity and Its

Environment and Assessing the Risks of Material Misstatement.

b. Separate AU 312, Audit Risk and Materiality in Conducting an Audit, into two separate clarified standards. AU-C 320, Materiality in Planning

and Performing an Audit, addresses materiality when planning and performing the audit. Guidance on the evaluation of misstatements

identified in the audit is in a separate clarified standard, AU-C 450, Evaluation of Misstatements Identified During the Audit, which is not

addressed in this Guide.

c. Move the definition of audit risk and its components to the clarified standard, AU-C 200, Overall Objectives of the Independent Auditor and

the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards.

d. Eliminate the unconditional requirement to consider audit risk in an audit since the ASB believes that the consideration is fundamental to the

audit process making an explicit requirement unnecessary.

e. Transfer the guidance on auditor's responsibilities for evaluating the overall effect of audit findings on the auditor's report to the clarified

standards AU-C 700, Forming an Opinion and Reporting on Financial Statements, AU-C 705, Modifications to the Opinion in the Independent

Auditor's Report, and AU-C 706, Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor's Report, which are

not discussed in this Guide.

f. Move guidance on the auditor's responsibilities regarding the early appointment of the auditor and establishing the terms of the engagement

to the clarified standard, AU-C 210, Terms of Engagement.

g. Move guidance on supervision in an audit to the clarified standard, AU-C 220, Quality Control for an Engagement Conducted in Accordance

with Generally Accepted Auditing Standards, or SQCS No. 8, A Firm's System of Quality Control, which are not discussed in this Guide.

h. Move the requirement to perform the audit with professional skepticism to the clarified standard, AU-C 220, Overall Objectives of the

Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards.

100.36 Implementation of the Clarified Standards in this Guide.

The majority of the requirements in the clarified standards are consistent with the requirements in the pre-clarified standards. Thus, the changes to

the standards, although extensive, do not create many substantive changes in practice. Therefore, the discussions throughout this Guide,

references to authoritative literature, and practice aids have been updated for the clarified standards.

100.37 Changes in Practice.

However, implementation of the clarified auditing standards could result in some changes in practice. The changes in practice may result from new

requirements or from changes in existing requirements. In addition, depending on how auditors apply existing requirements, changes in practice

may occur as a result of added emphasis in the clarified standards that makes existing requirements more explicit. The following changes related

to risk assessment are noted throughout the Guide and in the practice aids, as appropriate:

• AU-C 240, Consideration of Fraud in a Financial Statement Audit, amends the definition of fraud. However, the revised definition is not

expected to change audit practice.

• AU-C 250, Consideration of Laws and Regulations in an Audit of Financial Statements, contains a requirement to understand how the entity

is complying with the legal and regulatory framework to which it is subject, inquire about compliance specifically with those charged with

governance, and inspect correspondence with licensing or regulatory authorities. See section 207.

• AU-C 300, Planning an Audit, contains an explicit requirement that the engagement partner be involved in planning the audit and that the

auditor document the audit strategy and the reasons for changes to the strategy or the audit plan. See section 206.

• AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, requires the auditor to

specifically consider whether the control environment promotes a culture of honesty. See section 204.

• AU-C 320, Materiality in Planning and Performing an Audit, introduces the term performance materiality. See section 301.

• AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, explicitly requires the

auditor to make inquiries to understand the consequences of deviations in tests of controls and determine whether there is a basis for reliance,

whether additional tests are necessary, and whether the risk of material misstatement needs to be addressed through substantive procedures.

See section 402.

• AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, requires inquiries of management about its awareness of

fraud, noncompliance with laws or regulations, or uncorrected misstatements at the service organization that affect the user entity's financial

statements. See section 201.

• AU-C 501, Audit Evidence—Specific Considerations for Selected Items, establishes requirements for determining the completeness of

litigation, claims, and assessments. It provides that the auditor's decision about whether to send a letter of inquiry to the client's lawyer is

based on the auditor's risk assessment. Thus, the inquiry is only required when potential items have been identified that could result in a

material misstatement. See section 207.

• AU-C 540, Auditing Accounting Estimates, Including Fair Value Accounting Estimates and Related Disclosures, makes explicit the need to

obtain an understanding of accounting estimates, including related controls, during risk assessment. The clarified standard also requires a

retrospective review of estimates during risk assessment, provides specific procedures for estimates that give rise to significant risks, and

includes specific documentation requirements. See sections 201 and 207.

• AU-C 550, Related Parties, makes explicit the need to obtain an understanding of related party relationships and transactions, including

related controls, during risk assessment, adds a specific requirement to discuss related parties during the engagement team discussion,

requires treating significant related party transactions outside the normal course of business as significant risks, and requires additional

procedures (a) for significant related party transactions outside the normal course of business, and (b) if related parties not disclosed by

management are identified. See section 201.

PPC Guide on Clarified Auditing Standards

100.38 PPC's Guide to the Clarified Auditing Standards presents an in-depth discussion of SAS Nos. 122-125. It summarizes the objectives and

requirements of the clarified standards as well as the changes in format, terminology, and requirements. It can be ordered by calling (800) 431-9025

or by visiting ppc.thomsonreuters.com.

1 The applicable financial reporting framework is the set of accounting principles used by the entity to prepare its financial statements. This Guide

assumes that entities are following U.S. generally accepted accounting principles (GAAP).

© 2012 Thomson Reuters/PPC. All rights reserved.

© 2013 Thomson Reuters/RIA. All rights reserved.

101 The PPC Audit Process

101.1 Risk assessment requires auditors to use information gathered about the entity and its environment (including internal control) to identify and

assess the risks of material misstatement at both the overall financial statement and relevant assertion levels, and to determine the nature, timing,

and extent of further audit procedures needed to respond to those risks. Further audit procedures are performed to obtain audit evidence to

support the auditor's opinion on the financial statements.

The PPC Audit Process

101.2 The authors have developed a practical approach to the audit process to address the requirements for risk assessment and have designed

practice aids to assist auditors in meeting those requirements. PPC's audit approach is designed to be flexible and adaptable, allowing auditors to

better leverage their knowledge of the client to tailor their audit procedures. The audit approach has been divided into the broad steps illustrated in

Exhibit 1-3.

Exhibit 1-3

The PPC Audit Process

____________________

101.3 Although the requirements and guidance may suggest a sequential process, the audit is a continuous process of gathering, updating, and

analyzing information about the fairness of presentation of amounts and disclosures in the client's financial statements. Therefore, the audit

process is an iterative, nonlinear process, whereby the required procedures may be performed concurrently with other procedures. In addition,

risks should be evaluated continuously throughout the audit.

101.4 The PPC audit process outlined in Exhibit 1-3 is incorporated in all of PPC's audit guides, including specialized industry audit guides. This

Guide focuses on Steps 2-6 of that process. Under the approach illustrated in this Guide, the auditor generally spends additional time on planning

and risk assessment procedures to identify specific risks and develop targeted audit procedures. However, the efficiencies obtained by using this

approach should offset the additional planning time required.

Practice Aids

101.5 This Guide reproduces practice aids from PPC's Guide to Audits of Nonpublic Companies, which guide the auditor through the risk

assessment process. The auditor completes the risk identification process using the practice aids CX-3.1, “Understanding the Entity and Identifying

Risks,” CX-3.2, “Engagement Team Discussion,” CX-3.3, “Fraud Risk Inquiries Form,” CX-4.1, “Understanding the Design and Implementation of

Internal Control,” and CX-4.2, “Financial Reporting System Documentation Forms.” The practice aids at CX-6.1, “Entity Risk Factors,” and CX-6.2,

“Fraud Risk Factors,” provide examples of risk factors to consider when identifying financial statement risks using the practice aids at CX-3.1 and

CX-3.3. Another practice aid, CX-7.1, “Risk Assessment Summary Form,” is then used to summarize the auditor's risk assessments and document

the auditor's response to those assessments. Practice aids are also included that assist the auditor in efficiently documenting control testing

procedures if the auditor chooses or needs to test controls.

101.6 Because the audit process requires significant judgment on the part of the auditor when making risk assessments and determining the

nature of audit procedures to be performed, the practice aids are designed to be flexible. For example, “Understanding the Entity and Identifying

Risks” (CX-3.1) consists of open-ended questions supplemented by “factors to consider” listed on “Entity Risk Factors” (CX-6.1) versus a “checklist

approach.” Also, the “Risk Assessment Summary Form” (CX-7.1) provides a snapshot of the auditor's risk assessments and the effect on the audit

approach. Checklists and practice aids used in risk assessment are discussed in Chapters 2 and 3 and illustrated in the case studies at

Appendixes A through C.

101.7 PPC's Industry Audit Guides

All of PPC's industry audit guides contain similar forms. A common numbering scheme is used so that the practice aids in all of PPC's audit guides

have similar references. However, the prefix to the practice aid reference differs among the guides. For example, the practice aid referred to in this

Guide as CX-3.1, “Understanding the Entity and Identifying Risks,” can be found at ASB-CX-3.1 in PPC's Guide to Audits of Nonpublic Companies.

The equivalent practice aid can be found at NPO-CX-3.1 in PPC's Guide to Audits of Nonprofit Organizations for a nonprofit organization, at

ALG-CX-3.1 in PPC's Guide to Audits of Local Governments for a governmental entity, and similarly for other industry audit guides. The practice aids in

the industry guides are tailored for specific industry requirements.

101.8 All of the practice aids mentioned in paragraph 101.5 are discussed and illustrated throughout this Guide. In addition, blank copies of those

practice aids are included in the appendixes to Chapters 2, 3, and 4. PPC's SMART Practice Aids—Risk Assessment is an innovative audit tool

that automatically generates audit programs based on the auditor's risk assessments. Also, PPC's SMART Practice Aids—Internal Control

provides a top-down, risk-based approach for efficiently and effectively evaluating internal control over financial reporting.

Applying the PPC Audit Process in Continuing Engagements

101.9 The PPC audit process illustrated in this Guide is based on practitioner input and is designed to help simplify the auditor's documentation

and continued application of risk assessment. Firms should have already applied the risk assessment standards (SAS Nos. 104-111) on their audit

engagements; nevertheless, auditors will need to modify some procedures on continuing engagements to implement the clarified standards (AU-C)

and to achieve greater efficiency or effectiveness.

101.10 Auditors ought to carefully assess the results of their risk assessment efforts and determine how the firm's audit process might be

improved. The following paragraphs provide the authors' suggestions for improving the efficiency and effectiveness of applying risk assessment on

continuing engagements.

101.11 As more fully discussed in Chapter 2, the auditor performs risk assessment procedures to gain an understanding of the entity and its

environment, including internal control, to assess the risks of material misstatement. In many cases, considerable effort may have been spent in

performing risk assessment procedures to obtain and document the necessary understanding during the initial year of implementation. In

subsequent engagements, the auditor still performs risk assessment procedures to understand the entity and its environment; however, the focus

shifts slightly to determining whether changes have occurred that may affect the relevance of the information obtained in prior audits. Thus,

auditors often focus their efforts in continuing engagements on inquiries and walkthroughs to determine the extent of changes to prior year

information and the impact of those changes on their risk assessment.

101.12 The authors suggest the following when planning for continuing engagements:

• Consider best practices.

• Focus on changes in the entity and its environment since the prior engagement.

• Consider final risk assessments and the results of further audit procedures performed during the prior audit.

• Reconsider internal control testing.

• Look for efficiency opportunities.

101.13 Consider Best Practices

If the firm has formed a best practices team to assess practice issues and improvement opportunities, the team should consider where the firm's

audit processes might be modified for both initial and recurring engagements. If a best practices team has not been formed, firm leadership may

consider assigning key audit personnel to perform an assessment to determine where improvements could be made.

101.14 The team may want to consider matters such as the following:

• What inefficiencies were encountered? How can those inefficiencies be eliminated? Were extensive risk assessment or further audit

procedures performed and documented in areas that were not significant or had a relatively low level of inherent risk? Did teams have to

modify initial risk assessments based on the results of further audit procedures? If so, why?

• What improvements can be made in the firm's documentation process? If PPC practice aids are used by the firm without modification, do

they need to be further modified to reflect firm policies?

• Did the firm take a primarily substantive approach in many of its engagements? Is that the most effective approach? Is it possible to design

efficient tests of controls that can increase overall audit effectiveness while reducing substantive procedures?

• What efficiencies were gained using a risk-based approach? Which of the approaches and methods used by different engagement teams

could be considered best practices for others to follow?

101.15 In addition, auditors may want to consider best risk assessment practices of other audit firms, for example, by enrolling in best practices

training opportunities. Thomson Reuters Tax & Accounting offers a number of in-house training courses and conferences that focus on best

practices. For more information, contact Thomson Reuters at (800) 231-1860 or visit the website at www.trainingcpe.thomson.com.

101.16 Focus on Changes in the Entity and Its Environment

In subsequent audits where the auditor uses information about the entity and its environment obtained during the previous audit, the auditor's

focus when performing risk assessment procedures is on determining whether changes have occurred that may affect the relevance of the prior

information. Therefore, the auditor ought to consider whether the nature and extent of risk assessment procedures need to change in the

subsequent period. Usually, the auditor will make inquiries of relevant and knowledgeable key personnel and perform walkthroughs to identify and

evaluate changes. In some cases, the auditor may determine that the extent of inquiries needed in a subsequent engagement might be less than

what was needed during a prior engagement. However, the auditor needs to use care in determining the nature and extent of risk assessment

procedures in subsequent audits. There may be new information or factors that suggest an element of change necessitating performance of more

robust risk assessment procedures to obtain a sufficient understanding.

101.17 Consider Final Risk Assessments and the Results of Further Audit Procedures from the Prior Audit

If the auditor's assessment of the risk of material misstatement was revised during the previous audit as additional audit evidence was obtained,

the auditor ought to determine what impact that may have on risk assessment procedures in the current audit. For example, if an assertion for an

audit area was deemed to have a higher level of risk of material misstatement based on the results of substantive procedures, and the initial risk

assessment was consequently revised (and documented), it may be appropriate to modify the risk assessment procedures relating to that

assertion during the planning phase of the subsequent audit to ensure an appropriate understanding of the risks. Likewise, if the final assessed

risk in the prior audit was lower than initially planned, the auditor might consider reducing the extent or changing the nature of risk assessment

procedures in the current year. In other words, the extent and nature of procedures will generally go hand-in-hand with the degree of risk for an

audit area or assertion.

101.18 Reconsider Internal Control Testing

In continuing engagements, auditors need to take a fresh look at the selection of further audit procedures applied in the previous audit. In some

cases, the auditor might have decided that performing substantive procedures alone was effective and more efficient than a combined approach

consisting of tests of controls and substantive procedures. For the subsequent audit, as part of the planning process, the auditor will reevaluate

that decision considering both the current year risk assessment and the efficiency and effectiveness of the procedures performed in the prior audit.

In some cases, as the auditor gains more experience in understanding controls, designing efficient and effective control tests, and reducing

substantive procedures based on the results of those tests, he or she may decide that internal control testing is the most effective and efficient

strategy. Chapter 4 discusses internal control testing.

101.19 Look for Efficiency Opportunities

When appropriate, some auditors ask clients to review and update the documented understanding of the entity and its environment, including

internal control, from the previous audit. When doing this, auditors normally only provide the client with those portions of the workpapers that reflect

the documented understanding. Typically, auditors ought not provide the client with sections of the workpapers that describe the auditor's risk

assessment procedures and conclusions. If the auditor decides that certain of the “Activity and Entity-level Control Forms” at CX-5 will be used in

the current engagement, the client might be asked to perform a self-assessment regarding the existence and implementation of the controls listed

on one or more of those forms. Chapter 2 discusses those forms in further detail.

101.20 Auditors may wish to emphasize to their clients the importance of self-assessing their financial reporting risks and internal control systems.

As discussed in Chapter 2, management's risk assessment is a key component of internal control. Appendix 2B provides a PowerPoint client

presentation that can be used to educate clients on how they can identify and assess risks related to financial reporting and their internal control

systems. Also, Appendix 2C provides a PowerPoint client presentation that emphasizes the importance of entity-level controls, which are

discussed in Chapter 2. A documented client self-assessment of risks and internal control procedures can jump-start the auditor's risk assessment

process, contribute to audit efficiency, and help minimize audit fees for the client.

101.21 If the client is asked to review and update the documentation of the auditor's understanding of the entity and its environment, including

internal control, or performs and documents a self-assessment of financial reporting risks and the internal control system, the auditor still needs to

perform sufficient risk assessment procedures, based on his or her judgment, to confirm any changes and to evaluate the design and

implementation of controls that the client indicates are in place.

102 Scope of This Guide

102.1 This Guide is designed for audits of nonpublic companies and is not intended to provide guidance for audits of public companies. Auditors of

public companies should use PPC's Guide to PCAOB Audits. PPC's Guide to PCAOB Audits may be ordered by calling (800) 431-9025 or by

visiting ppc.thomsonreuters.com. The text discussion and practice aids illustrated in this Guide are designed for audits of commercial business

entities. However, the guidance may also be applied to an industry-specific audit engagement.

Generally Accepted Auditing Standards

102.2 This Guide assumes that the auditor has an understanding of the professional audit standards, and it therefore does not provide a

comprehensive discussion of those requirements.

How to Use This Guide

102.3 This Guide can be used in a variety of ways. For example, a firm may use the Guide as a quick reference tool to address questions about

specific topics. For example, Appendix 1A presents key questions and answers on risk assessment and references to the Guide's discussion of

the topics. This Guide is also designed as a package of tools—technical guidance, best practices, and workflow tools—developed to give firms

everything necessary to effectively apply risk assessment. This Guide illustrates completion of the related practice aids and, with its detailed

guidance on every aspect of risk assessment, provides an excellent source of reference material when questions arise. Also, some firms might use

portions of the Guide as a training resource for staff. For example, Appendix 1B is a diagnostic questionnaire on audit risk assessment that can be

used to determine whether the risk assessment procedures required by professional standards were performed in a particular audit engagement.

Appendixes A through C provide case studies that illustrate the use of PPC practice aids in the risk assessment process. Appendix 1C presents a

PowerPoint presentation on Understanding Audit Risk Assessment, which can be used as the basis for an in-house training session. These

materials can assist new staff in understanding the risk assessment process and how various risk assessment forms can be used and completed.

Overview of This Guide

102.4 Chapter 2 discusses risk assessment procedures, which include obtaining an understanding of the entity and its environment, including

internal control, and planning decisions and judgments made by the auditor. Chapter 3 discusses assessing and responding to identified risks. That

chapter includes a discussion of performance materiality, risks of material misstatement at the relevant assertion level, and preparing the detailed

audit plan. Chapter 4 discusses further audit procedures and other matters, and focuses on tests of controls, making a control risk assessment,

and substantive procedures. Appendixes A through C of this Guide include three case studies that illustrate completed practice aids and walk the

auditor through various aspects of the risk assessment process for different types and sizes of entities. Appendixes 2B and 2C provide PowerPoint

presentations, along with scripts, that explain how clients can self-assess their financial reporting risks and internal control systems, including

maintaining an effective control environment.

102.5 Appendix A

Appendix A presents a case study of a midsized nonpublic manufacturing entity in the technology sector. The auditors document their risk

assessment (and other audit matters) by completing the PPC forms illustrated in this Guide (as well as certain other forms used in the PPC audit

process). The auditors use a combined approach consisting of tests of the operating effectiveness of internal controls and substantive procedures.

This case study illustrates the PPC checklists that are required in every audit to comply with professional standards. A completed audit program for

accounts receivable and sales is also illustrated in Appendix A.

102.6 Appendix B


Appendix B presents a case study of a small, privately held manufacturing entity. The auditors document their risk assessment by completing

some of the PPC forms illustrated in this Guide and writing memos. A primarily substantive audit is performed (that is, a further understanding of

internal controls is not obtained and controls are not tested for operating effectiveness). Completed audit programs for inventory and accounts

payable are illustrated in Appendix B.

102.7 Appendix C

Appendix C presents a case study of a privately held employment services entity. The objective of this case study is to illustrate the use of various

PPC forms for documenting the understanding of internal control. Furthermore, the case study illustrates how the “Activity and Entity-level Control

Forms” at CX-5 (as discussed in section 203 and in Chapter 4) might be used when documenting internal control.


Appendix 1A

Key Questions and Answers on Risk Assessment

Question    Answer    Reference to Discussion in Guide

General Terms and Concepts

What are “significant risks”?

A risk is a “significant risk” if an analysis of inherent risk indicates the likely

magnitude of the potential misstatement and the likelihood of the misstatement

occurring are such that they require special audit consideration, that is, a specific

audit response. In determining the appropriate audit response to significant risks,

the auditor should obtain an understanding of related controls, including relevant

control activities. If the auditor plans to rely on the operating effectiveness of

controls to mitigate the significant risk, the auditor needs to test those controls in the

current period.

Beginning at paragraph 304.15

What are “relevant assertions”?

Assertions are relevant for a particular class of transactions, account balance, or

disclosure if they have a meaningful bearing on whether the item is fairly stated. A

routine example is that the valuation assertion is usually not relevant to the cash

account unless currency translation is involved. The concept is a central feature of

the risk assessment standards.

Section 302

What are “risk assessment procedures”?

Risk assessment procedures represent a defined category of audit procedures

performed near the beginning of the audit to obtain an understanding of the entity

and its environment (including its internal control) for the purpose of assessing the

risks of material misstatement. They consist of inquiry, observation, inspection, and

analytical procedures. The auditor's analysis of the results of these procedures is an

assessment of risk that in itself provides evidence that ultimately supports the

auditor's opinion on the financial statements.

Section 201

What is the “risk of material misstatement”?

The risk of material misstatement is the likelihood of a misstatement of a material

amount. The auditor should assess this risk at both the financial statement level and

at the relevant assertion level. At the financial statement level, it is an overall

assessment. At the relevant assertion level, it is the combination of the auditor's

assessment of inherent risk and control risk. The auditor can make a combined

assessment of inherent and control risk or assess the component risks separately

and then combine them.

Beginning at paragraph 304.6

Does the risk assessment need to be a specific percentage?

No. The assessment may be in quantitative or nonquantitative terms, such as high,

moderate, or low.

Paragraph 304.9

Does the assessment need to be documented?

Yes. The auditor should document the assessment of risks of material misstatement

both at the financial statement level and at the relevant assertion level, as well as

the basis for that assessment. Of particular significance is the requirement to

document the basis for the assessment. For example, this would mean

documenting the procedures performed, the results of those procedures, and the

related conclusions.

Beginning at paragraph 303.37

What are “further audit procedures”?

The purpose of the risk assessment is to determine the “further audit procedures”

that are necessary to express an opinion. These procedures consist of substantive

procedures and tests of controls that are performed in response to the assessed

risks and are designed to reduce the overall audit risk to an appropriately low level.

Sections 401 and 403


Audit Plans and Programs

Is a written audit program required?

Yes. The auditor must develop an audit plan that documents the audit procedures to

be used. The audit plan is more detailed than the audit strategy and includes the

nature, timing, and extent of audit procedures to be performed, including risk

assessment procedures and planned further audit procedures.

Section 305

Is a canned audit program a permissible way to meet this requirement?

If a canned audit program means one that uses the same audit procedures for

every client, the answer is no—that is not permitted. On the other hand, a

standardized program that can be tailored to the circumstances will meet the

requirement, provided it demonstrates the linkage of the nature, timing, and extent

of further audit procedures with the assessed risk at the relevant assertion level.

Paragraph 305.78

Is a separate audit strategy memo required?

No. The auditor is required to establish and document the overall strategy for the

audit and to document any changes in the strategy and the reasons, but a separate

memorandum is not required. Various aspects of the overall strategy could be

documented throughout the workpapers. On the other hand, a simple memo might

be convenient in an audit of a smaller, noncomplex entity.

Paragraph 206.49

Materiality in Planning and Evaluation

What planning decisions and judgments are required about materiality, and do they need to be documented?

During audit planning, the auditor should determine and document a materiality

level for the financial statements taken as a whole. The auditor is also required to

determine and document performance materiality—materiality at the account

balance, class of transactions, or disclosure level.

For both performance materiality and materiality for the financial statements taken

as a whole, the auditor is required to document the basis on which those materiality

levels were determined as well as any changes made to them as the audit

progresses.

Also, the auditor is required to consider materiality for particular items of lesser

amounts than the materiality level determined for the financial statements taken as

a whole. In other words, the auditor might need to use lower materiality levels for

particular account balances, transaction classes, or disclosures if in the auditor's

judgment, lesser amounts could reasonably be expected to influence economic

decisions of financial statement users. For example, users' expectations regarding

the disclosures in related party transactions might cause the auditor to regard lesser

amounts as material in planning procedures and evaluating disclosures with regard

to related party transactions.

Sections 206 and 301

Does the auditor need to include “qualitative” factors in establishing materiality for planning purposes?

No. It ordinarily is not practical to design audit procedures to detect misstatements

that could be qualitatively material. The auditor should perform the audit to obtain

reasonable assurance of detecting misstatements that are large enough,

individually or in the aggregate, to be quantitatively material to the financial

statements.

Beginning at paragraph 206.5

Does the degree of inherent uncertainty associated with measurement of particular items in financial statements change the auditor's approach to materiality?

No. In some situations, financial statements include large provisions with a high

degree of estimation uncertainty, such as the provision for insurance claims in the

case of an insurance company. The standards make clear that once materiality is

established, the auditor should consider materiality the same way regardless of the

inherent business characteristics of the entity being audited. For audit purposes, the

inherent uncertainty of financial statement items does not cause the auditor to follow

different procedures for planning or evaluating misstatements.

Paragraph 206.8

Tests of Controls

Are tests of controls a requirement of every audit?

No. The auditor can decide for a particular audit area to rely solely on substantive

procedures and perform no tests of controls. For example, this might be done for

purposes of audit efficiency. Before making this decision, the auditor has to obtain

and document an understanding of relevant controls and control activities sufficient

to understand what could go wrong in a particular audit area, and then plan and

perform substantive procedures responsive to that assessment. In other words, the

auditor needs to have a basis for this decision.

Beginning at paragraph 401.9

Beginning at paragraph 205.29


What control activities does the auditor have to understand?

The auditor does not need to understand all control activities (specific control

policies and procedures, such as reviews and approvals). The auditor should first

consider the knowledge about control activities obtained from understanding the

other components of internal control, such as the control environment and the

information and communication system. The auditor should focus on identifying and

obtaining an understanding of control activities that address areas in which the

auditor believes material misstatements are more likely to occur. For example, the

auditor is specifically required to obtain an understanding of the process of

reconciling detail to the general ledger for significant accounts. The auditor is also

required to understand the controls, including relevant control activities, related to

significant risks and risks for which substantive procedures alone are not adequate.

Is rotation of tests of controls permissible?

The standards explicitly permit rotation of tests of controls over a three-year cycle in

specified circumstances. The auditor has to obtain persuasive evidence that the

controls have not changed in the current period and evaluate the appropriateness of

rotation in the particular circumstance. Rotation of testing is not permitted if the

auditor plans to rely on the controls to mitigate a significant risk (as previously

defined).

Beginning at paragraph 401.73

Is testing of controls ever mandatory?

Yes. The auditor should identify those risks for which it is not possible or practicable

to reduce detection risk at the relevant assertion level to an acceptably low level

with audit evidence obtained only from substantive procedures. In other words, in

some cases, substantive procedures alone are not effective and the audit approach

will need to include tests of controls. This tends to occur in highly automated

processing environments in which a significant amount of information is initiated,

authorized, recorded, processed, or reported electronically.

Paragraph 401.9

Other Key Concepts

Are engagement letters required?

Yes. The auditor is explicitly required to document the understanding with the client

in an engagement letter and to do so at the beginning of the current audit

engagement.

Paragraph 201.18

Are walkthroughs required in all audits?

Walkthroughs are not explicitly required as a mandatory audit procedure in every

audit. However, walkthroughs can sometimes be an effective way to obtain audit

evidence, especially relating to internal control. The standards stress that inquiry

alone is not sufficient for obtaining the understanding of the entity and its

environment, particularly its internal control. (This effectively prohibits

“conversational auditing.”) The standards emphasize the need to corroborate

responses to inquiries by management and employees through observation and

inspection. Performing walkthroughs may be a way to obtain the in-depth

understanding of internal control that is required or, for subsequent audits, to

determine whether changes have occurred that affect the relevance of information

obtained in prior audits.

Beginning at paragraph 205.22

Is use of the more complex categorization of assertions under the risk assessment standards required?

No. As long as all aspects of the assertions are covered, a more simplified

categorization is acceptable. The standards use thirteen categories of assertions

classified separately by transactions and events, account balances, and

presentation and disclosure. The assertions related to presentation and disclosure

are particularly important. Many things can go wrong in the financial reporting

process related to preparing financial statements from the trial balance and related

schedules. Thus, the audit work on the process of preparing financial statements,

especially related to the assertions of understandability and clarity of disclosure, is

very important. The authors use six categories of assertions in this Guide, as well

as in other PPC audit guides, that cover all of the categories of assertions used in the

auditing standards.

Section 302

Is it necessary to test every assertion for every account balance and transaction class?

No. However, the auditor is required to design and perform substantive procedures

for all relevant assertions related to each material class of transactions, account

balance, and disclosure.

Paragraph 403.2

Are there any other substantive procedures that must be performed on all engagements under the risk assessment standards?

Yes. The standards require that the auditor perform the following substantive

procedures in every audit:

1. Agree the financial statements, including the accompanying notes, to the

underlying accounting records.

2. Examine material journal entries and other adjustments made during the

course of preparing the financial statements.

Beginning at paragraph 403.4

Beginning at paragraph 201.60


What types of audit team meetings need to be held?

There are two required meetings that can easily be combined into one. AU-C 240

requires a brainstorming meeting among audit team members about how and where

the financial statements might be susceptible to material misstatement due to fraud.

In addition, AU-C 315 requires members of the audit team to discuss the

susceptibility of the financial statements to material misstatements. One combined

meeting can be held to cover the susceptibility of the financial statements to

material misstatement from both error and fraud.

Can the auditor use information about the entity and its environment obtained in prior audits as a basis for the understanding in the current audit?

Yes; however, the auditor is required to determine whether changes have occurred

that may affect the relevance of such information in the current audit. The auditor is

required to perform risk assessment procedures, such as inquiries and

walkthroughs, to determine if changes have occurred.

Beginning at paragraph 201.6.
