“The aim of risk assessment in auditing standards is to improve the
quantity and effectiveness of audits by substantially changing the audit
practice” (Ramos, 2009). Statements on auditing standards nos. 104-111
provide increased rigor to the audit process in a number of key areas,
including the assessments of inherent and control risks and the linking
of these risk assessments to further audit procedures. After reading
Ramos, M. (2009) and Lamoreaux, M.G. (2011) and watching the videos for
Module 2, discuss the importance of inherent and control risk assessment
prior to an audit.
Unformatted Attachment Preview
by Michael Ramos, CPA
The aim of the risk assessment auditing
standards was to improve the quality and
effectiveness of audits by substantially
changing audit practice. Statements on Auditing Standards nos. 104-111 provide increased
rigor to the audit process in a number of key
areas including the assessments of inherent and
control risks and the linking of these risk assessments to further audit procedures.
This year marks the third anniversary of the standards’ effective date. Across the profession much progress has been
made toward the ultimate goal of a more reliable audit
process, but even more is possible as we continue to learn
about the standards’ practical application.
This article captures some of the most important lessons
learned and best practices that have emerged during the
extended implementation of the risk assessment standards
(see sidebar, “Methodology Behind Application Suggestions”).
IMPLEMENTATION ISSUE NO. 1:
EVALUATING INTERNAL CONTROL
Previous auditing standards allowed auditors, at their discretion, to simply designate the client’s internal control as
32 Journal of Accountancy December 2009
high risk, which allowed them to greatly reduce the effort required to understand and document internal control. The risk assessment standards prohibit the auditor from "defaulting to the maximum" control risk. On all audits the auditor should evaluate the design and implementation of internal control to properly identify and assess risk. Implementing and applying this standard in practice has proven to be a challenge for many firms, which have difficulty linking their internal control work to the substantive procedures and other aspects of the engagement, finding sufficient benefit to justify the increased audit costs that result from the stricter standard and determining how to evaluate the effectiveness of internal control design.
[Exhibit 1: The COSO Process. Starting with the financial statements, the auditor identifies material accounts and significant classes of transactions and, for each account, the relevant assertions, which describe what can go wrong, which determines control objectives to mitigate the risk, which determine controls necessary to meet the control objectives.]
APPLICATION SUGGESTION: FOLLOW THE COSO PROCESS
Karen Kerber, a shareholder with Kerber, Rose & Associates, sums up the fundamental dilemma her firm's auditors face. "Our staff struggles with understanding how internal control is relevant," she says. "They need to relate it to something." The secret is for the auditor to gain a deeper understanding of the COSO integrated framework of internal control, according to Charles Landes, AICPA vice president-Professional Standards and Services. "COSO addresses the issues faced by Karen and the staff at many other firms because it relates internal control to the financial statements," he says.
To apply what Landes refers to as "the COSO process," the auditor starts at the highest level of aggregation, the financial statements.
The auditor then proceeds through a sequence of analyses that become increasingly granular until he or she ultimately assesses individual control activities (see Exhibit 1).
UNDERSTANDING THE COSO PROCESS
The auditor starts with the financial statements at the "top" of the diagram and works "down" to the individual controls. The first step is to identify the material accounts and significant classes of transactions and the relevant assertions related to those accounts. Risk of material misstatement—"what can go wrong?"—is the flip side of the assertion. For example, the "what can go wrong?" related to the completeness assertion is that one or more valid transactions are not recorded in the system. Identifying what can go wrong allows the auditor to understand control objectives, for example, "to ensure that all valid transactions are recorded." The auditor then identifies those controls that meet the stated control objective. In this way, there is an unbroken link between the financial statements and internal control, and the auditor can easily understand the effect that a particular control activity can have on an amount reported in the financial statements.
APPLICATION SUGGESTION: USE A TOP-DOWN APPROACH TO SET THE SCOPE OF YOUR INTERNAL CONTROL WORK
Audit methodologies built around the top-down COSO process have proven highly efficient because they allow the auditor to properly scope the internal control test work to include only the controls relevant to the audit. Rather than gaining an understanding of all controls used by the client, the top-down approach drives the auditor to progressively eliminate from consideration controls related to immaterial accounts and transactions, controls related to nonrelevant assertions, and controls that are overly redundant. The result is a tightly focused population of controls for the auditor to understand, assess and document, which allows the audit to be as efficient as possible.
APPLICATION SUGGESTION: FOCUS ON INTERNAL CONTROL OBJECTIVES TO ASSESS CONTROL DESIGN
Prior to the risk assessment standards, there was no explicit requirement for auditors to evaluate the design of their clients’ internal control, and consequently, most auditors merely documented their understanding of how the control operated without judging whether the control was properly designed. The requirement in the risk assessment standards to evaluate control design has been difficult for
Firms that have rigorously applied the COSO process in their audit methodology have been able to perform a meaningful evaluation of internal control design, which ultimately improves audit quality.
As shown in Exhibit 1, the COSO process requires the auditor to define relevant control objectives and then determine the control activities or combination of control activities that meet the objective. A control system that meets the stated control objectives is designed effectively. A system that leaves important control objectives unmet is ineffective. Identifying these control weaknesses allows the auditor to better assess risks and respond by designing the right mix of further audit procedures.
IMPLEMENTATION ISSUE NO. 2: DETERMINING THE NATURE AND EXTENT OF TESTS AFTER INITIAL IMPLEMENTATION
Most auditors understood that the risk assessment standards would require them to perform more audit procedures than in the past, and they were prepared to incur significantly higher costs during the first year of implementation. The expectation was that in subsequent years, costs would decline because auditors would leverage their knowledge of the client obtained in prior audits. In practice, realizing these savings has been difficult as auditors have struggled to determine the nature and extent of the procedures they should perform on an ongoing basis.
APPLICATION SUGGESTION: IDENTIFY AND EVALUATE CHANGE
For years, auditors have fought a SALY mentality, the tendency to implicitly assume that everything on the audit is “Same As Last Year,” an assumption that invariably leads to diminished audit quality. The risk assessment standards give audit firms an opportunity to eliminate the SALY mindset by reframing the issue. Instead of considering how to “update” last year’s audit, start with the premise that something has changed, and the first priority of the current year’s audit is to identify those changes and
• On all audits the auditor must evaluate the design and implementation of internal control to properly identify and assess risk. Implementing and applying this standard in practice has proven to be a challenge for many firms.
• The key to implementing the internal control evaluation requirement is “the COSO process.” The auditor starts at the highest level of aggregation, the financial statements, then proceeds through a sequence of analyses that grow increasingly granular until the auditor ultimately assesses individual control activities.
• Auditors have struggled to determine the nature and extent of the procedures they should perform on an ongoing basis. Instead of considering how to update the prior year’s audit, make identifying changes in the organization your first priority.
• The broad scope of the risk assessment standards made it difficult for audit firms to optimize implementation of the standards by developing firm policies and practice aids. The temptation is to use policies and practice aids developed by others, but by developing and owning their own approach, firms gain more in-depth knowledge of the standards and of their clients’ businesses that will help them truly optimize processes and maintain quality.
Michael Ramos (michaeljramos@mac.com) is a consultant and writer who specializes in auditor
To comment on this article or to suggest an idea for another article, contact Matthew G. Lamoreaux, senior editor, at mlamoreaux@aicpa.org or 919-402-4435.
determine their effect on risk by asking questions such as:
• What has changed at the entity and in its operating environment since our last audit?
• As a result of these changes, how have inherent risks at the client changed since our last audit?
• Were changes to internal control necessary to address these changes to inherent risk?
Only after the auditor has adequately answered these questions will he or she be able to determine the nature and extent of additional risk assessment procedures.
[Exhibit 2: Identify and Evaluate Change. Decision tree in which knowledge from the prior year feeds each current-year judgment: Do changes in the entity and its environment indicate new inherent risks? Should prior-year controls change to address new risks? … in I/C design or … Outcomes: assess risk of material misstatement; assess design effectiveness and risk of material misstatement; gain understanding of I/C, assess design effectiveness and risk of material misstatement.]
Exhibit 2 describes a structured process for applying this approach.
In Exhibit 2:
• The blue diamonds describe the key audit judgments that should be made in the current year.
• The blue rectangles summarize the risk assessment procedures that should be performed in the current year.
• The green ovals summarize the knowledge that is carried forward from prior-year audits and how it factors into current-year audit judgments.
Read this decision tree from top to bottom:
• Begin by considering the nature of the changes to the entity and its environment since the previous audit. It is key to ask whether those changes have resulted in changes to inherent risks. For example, the current recession may create inherent risks for your client that were not present before the economic downturn.
assuming that the prior year’s controls were effectively designed and implemented) the auditor will need to verify the implementation of controls to determine whether there have been any changes in their design or implementation.
• If changes in the entity or its environment create new or modified inherent risks, then the auditor will need to determine whether changes in internal control were necessary to address those new risks. For example, the recession may create risks related to asset valuation that were not material in the past. In prior years, the client did very little to evaluate asset impairment. But in the current environment, the auditor should determine whether the client has changed its control procedures in response to the heightened level of risk.
The bottom of the diagram describes three possible scenarios:
• If the controls in place during the prior year would have been effective in addressing the current year’s risks and the auditor has determined that there have been no changes to those controls, then the auditor is prepared to assess the risk of material misstatement.
• If the prior year’s controls would have been effective in addressing the current year’s risks but the auditor discovers that the design or implementation of those controls has changed, then the auditor will need to assess the design of those new controls before assessing the risk of material misstatement.
• For all new or significantly changed inherent risks that could not be effectively addressed by the prior year’s controls, the process will be similar to that undertaken in the initial implementation. The auditor will have to perform risk assessment procedures to gain an understanding of the design and implementation of controls to serve as a basis for assessing risk of material misstatement.
IMPLEMENTATION ISSUE NO. 3:
The sweeping scope of the risk assessment
standards made it difficult for even the
most resource-rich audit firms to optimize
implementation of the standards. Most
firms continue to refine their audit approaches and set firm policy to deal with
issues that arise as a result of applying the
The ongoing implementation issues for
audits of smaller businesses will require
even more attention. Audits of smaller, less
complex businesses pose many challenges
that may not exist in audits of larger
clients. For example, auditors of smaller,
less complex businesses frequently encounter:
• Accounting records that require significant adjustments prior to the start of
significant auditing procedures.
• Significant transactions with unaudited related parties.
• Less sophisticated or formal internal
controls characterized by minimal documentation, lack of segregation of duties,
and an overall lack of in-house accounting expertise.
Methodology Behind Application Suggestions
During the summer of 2009, the AICPA significantly revised the audit guide that
was originally published concurrently with the risk assessment standards. To
make these revisions, the Audit and Accounting Publications team formed an
online, collaborative work group of more than 50 auditors who worked to identify and discuss technical issues, provide suggestions and vet new content.
The issues and suggestions described in this article were generated from the
input received from this online working group. The revised audit guide, Assessing
and Responding to Audit Risk in a Financial Statement Audit—AICPA Audit Guide,
Revised Edition as of Oct. 1, 2009 (#012459), will be available January 2010 at
• The need to adapt standardized
audit practice aids developed for audits
of larger entities to the conditions that
exist on an audit of a smaller, less complex business.
“OWN” YOUR METHODOLOGY
Most firms build their audit methodologies around a set of standardized practice aids. These forms and checklists help auditors comply with the requirements of the standards, but they should not be confused with the standards themselves. An auditor can comply with the standards and prepare audit documentation in many ways.
“Forms and guidance only cover a percentage (hopefully high) of the requirements,” says Lyn Graham, chair of the AICPA task force that drafted the risk assessment audit guide. “They should not be a substitute for training or understanding or consulting the literature for unusual situations. From what I have seen, one needs to deviate (probably more often than auditors would like to) from the forms to comply with GAAS.”
Once thought to be the purview of only the largest fir … firm-specific set of audit practice aids by creating their own forms or checklists for highly judgmental areas such as the documentation of internal controls.
“We wanted a workpaper set that we could continue to build on and customize,” says Andrew Prather, shareholder at Clark Nuber. “For example, we work with a lot of not-for-profit organizations, so we wanted a format that would allow us to build a library of templates specific to our clients.”
Like many firms, Averett, Warmus, Durkee (AWD) formed a committee of five to six experienced auditors to evaluate the requirements of the standards and develop a firm-specific set of practice aids. “We did the project during our slower time in the summer and fall and did some practice runs with clients in differ-
Firms that make the commitment to “own” their audit methodology do so with the expectation that it will lead to more effective and efficient audits.