Risk Assessment in Auditing Financial Statements - Research Paper Example

Risk Assessment in Auditing Financial Statements Abstract This paper discusses the more important provisions of and guidance provided by the Statement of Auditing Standards No. 109 (SAS 109), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements, as codified under AU Section 314. It describes, to a certain extent, the background behind the formulation and implementation of such a standard. This paper also discusses an article published in the Journal of Accountancy in December 2009, Risk – Based Audit Best Practices, by Michael Ramos and relates SAS No. 109 relate to the contents of this article. SAS No. 109: Background SAS No. 109 was issued in 2006 along with seven other auditing standards. What’s important about these eight (8) auditing standards was their common theme – adherence to risk assessment and the audit response to such an assessment. These eight auditing standards were expected to bring about major changes and to give guidelines and guidance when auditing nonpublic entities (McConnell and Schweiger, 2007). The primary objective of these eight standards was to improve the conduct of audit by the external auditor through requiring the auditors to acquire a deeper understanding of a company’s internal controls so that the auditor is in a better position to “identify risks of material misstatement of financial statements” (McConnell and Schweiger, 2007). With this primary objective, the issuers hope that there will be better “linkages between assessed risks and the nature, timing and extent of audit procedures performed in response to those risks” (McConnell and Schweiger, 2007). SAS No. 109: Provisions and Guidance The first paragraph of SAS No. 109 established the provisions and guidelines for obtaining “an understanding of the entity and its environment…to assess the risk of material misstatement of the financial statements” (AICPA, AU Section 314, 2006). The second paragraph provides brief summaries of the specific sections of the standard. The subsequent paragraphs expound on the summaries provided in the second paragraph. Paragraph 3 lists “examples of considerations for establishing a sufficient understanding” of the entity (AICPA, AU Section 314, 2006). Paragraph 4 calls on external auditors to “use professional judgment to determine the extent of the understanding required of the entity and its environment” (AICPA, AU Section 314, 2006). Certain paragraphs of SAS No. 109 outline and explain the risk assessment procedures (i.e, inquiries, analytical procedures and observation) an auditor needs to perform to obtain such an understanding. The standard also provides more specific guidance on how the audit procedures can be undertaken, guidance such as to whom will the external auditor make inquiries from (Paragraph 8), how the external auditor can undertake his or her observations (Paragraph 10) and what should the auditor do if he or she intends to use the information obtained from prior audit years. Guidance are also provided on how the external auditor should obtain an understanding of the internal controls of the entity, the kinds and components of internal control, how the internal controls relate to the audit assertions and which internal controls are more critical in terms of the external audit procedures. Lastly, guidance on how the risk assessment should be made and addressed is also provided for in SAS No. 109. Perhaps the most relevant provisions in SAS No. 109 in terms of their impact to external auditors are Paragraphs 122 and 123 of SAS No. 109. These paragraphs basically require external auditors to document their risk assessment, the basis of such assessment, the assertions affected, how these were identified and what are the risks and related internal controls that need to be evaluated (or that were evaluated) to mitigate these risks. With these paragraphs, “external auditors are no longer able to default to maximum control risk without documenting the basis for that assessment” (Burke, 2009). Risk – Based Best Audit Practices In this article, M. Ramos enumerated and explained some of the best audit practices gleaned from the implementation of the eight (8) auditing standards, including SAS No. 109, and the issues in implementing the provisions of these auditing standards. Two of the best audit practices the author suggested auditors should follow is to “use a top – down approach to set the scope of…internal control work” and to “focus on internal control objectives to assess control design” (Ramos, 2009). These best practices arose from the issue on how to evaluate internal controls. According to the author, using a top – down approach may make the audit more efficient as auditors will be able to eliminate controls that are linked to accounts and transactions that are not material or to assertions that are not relevant and controls that are unnecessary. With a lot of the controls eliminated, external auditors will be able to focus their attention and procedures to controls that are highly relevant, thus, resulting to more efficient audit. Another best audit practice, which may be able to address the issue of determining the nature, timing and extent of audit tests, is the identification and evaluation of any changes. This is not only best audit practice but it also addresses a weakness of external auditors and that is to assume that everything is the “same as last year” (Ramos, 2009). The last issue M. Ramos addressed was the recurring implementation of the eight auditing standards. One best practice to address this issue is for auditors to “own their audit methodology”. Owning one’s audit methodology not only makes the auditor more flexible in customizing audit procedures based on the nature of the entity’s business, it may also result to more in – depth knowledge of the standards and their requirements and their application. Another best practice that may be used to address this last issue (and to improve the audit efficiency and quality) is for partners to involve themselves at the early stages of audit, particularly if the entity being audited is smaller and less complex. Conclusion SAS No. 109 was issued and implemented in the hopes of improving the quality of audit and providing relevant guidance on the risk assessment judgment and procedures of external auditors. However, this standard, along with the seven other standards issued, did not come without their corresponding issues and concerns. The article described in this paper enumerated some of these most pressing issues such as how to effectively evaluate internal controls, how to determine the nature, timing and extent of audit procedures and how to effectively carry out the ongoing implementation of the provisions of the said standard. All is not lost however, as the article also provided several best practices to address these issues. These best practices are not found or described in SAS No. 109; however, they proved to be effective in addressing the issues gleaned from the implementation of this auditing standard. With these best practices, the guidance provided for by SAS No. 109 will be easier to understand, to follow and to implement. References American Institute of Certified Public Accountants (AICPA, 2006). AU Section 314: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements. Retrieved from: http://www.aicpa.org/Research/Standards/AuditAttest/ DownloadableDocuments/AU-00314.pdf. Burke, L. S. (2009). New Risk Assessment Standards – Lessons Learned. Florida CPA Today, May / June 2009. Retrieved from: http://www.sunera.com/fileadmin/user_upload/ Presentations/RiskAssessment.pdf. McConnell, D. K. Jr. and Schweiger, C. H. (June 2007). Implementing the New ASB Risk Assessment Audit Standards. The CPA Journal Online, June 2007. Retrieved from: http://www.nysscpa.org/cpajournal/2007/607/essentials/p20.htm. Ramos, M. (2009). Risk – Based Audit Best Practices. Journal of Accountancy, December 2009. Retrieved from: http://www.journalofaccountancy.com/Issues/2009/Dec/20091789.htm. Read More