Audit Risk Assessment
Chapter 1 Introduction
100 Introduction and Background Information
Introduction
100.1 Auditing standards require the assessment of audit risk (the risk of material misstatement of the financial statements due to error or fraud) in
audit engagements. This Guide provides the comprehensive tools and guidance that auditors need to effectively and efficiently apply risk
assessment in their audit engagements. Risk assessment is an integral part of every audit and can significantly affect both audit efficiency and
audit effectiveness. This Guide provides a complete package of risk assessment tools to assist in that process, including:
• detailed analysis of the risk assessment process and related standards objectives and requirements;
• practice aids for performing and documenting risk assessment; and
• practical guidance on applying risk assessment, including case studies, illustrated practice aids, and training materials, all aligned with the
PPC audit approach.
100.2 Overall, risk assessment is focused towards ensuring the effectiveness of financial statement audits. In applying risk assessment, auditors
explicitly consider higher risk areas by focusing on what is most likely to go wrong that could affect the financial statements. Auditors assess the
risk that the financial statements are materially misstated due to error or fraud and design and perform audit procedures to respond to those
identified risks. The result is a targeted effort that considers the unique circumstances of each client.
What Is Risk Assessment?
100.3 The term risk assessment in this Guide refers to an audit approach in which the auditor:
• Obtains a sufficient understanding of the client and its environment, including internal control, to identify and assess the risks of material
misstatement of the financial statements, whether due to error or fraud, at the financial statement and relevant assertion levels.
• Concentrates audit effort in areas of the financial statements where there is a higher risk of material misstatement. Such areas may have a
high risk because either inherent or control risk, or both, is higher.
• Provides linkage between the identified risks and the resulting audit procedures.
• Identifies lower-risk areas in which to perform less extensive procedures.
An audit approach based on risk assessment provides methods to identify higher-risk areas and assertions so that audit effort can be focused on
those areas. By focusing efforts in higher-risk areas and limiting procedures in lower-risk areas, the auditor is performing a more effective and
focused audit. The risk assessment approach used in this Guide is illustrated in Exhibit 1-1.
Page 1 of 22Checkpoint | Document
5/23/2013https://checkpoint.riag.com/app/view/toolItem?usid=bc03cp1f2643&feature=ttoc&lastCpR...
Exhibit 1-1
The Risk Assessment Audit Approach
100.4 Planning Is the Key
The key to successful risk assessment is planning. In general, the risk assessment process requires significant time spent in up-front planning.
During the planning process, the auditor gains sufficient knowledge of the client to identify the risky audit areas and assertions and determine the
procedures necessary to address identified risks. For lower-risk areas, the auditor determines what limited procedures will be necessary in light of
the low assessed level of risk. The time spent during the planning process should ordinarily provide efficiencies from limiting procedures in
lower-risk areas. And because the auditor is focusing his or her efforts on higher-risk areas, the audit approach is more effective. Also, the auditor's
increased knowledge of the client's business and operations can add value to client service. The auditor may be able to provide the client with
more insightful and practical comments and recommendations about matters that might benefit the client's business. Because of the increased
emphasis on obtaining an understanding of the entity and the design and implementation of internal control as a basis for the auditor's assessment
of risks, the auditor may identify control deficiencies that are required to be reported to management and those charged with governance. Control
deficiencies are discussed in section 1814 of PPC's Guide to Audits of Nonpublic Companies.
100.5 Because risk assessments require significant judgment, auditing standards require that the engagement partner and other key members of
the engagement team be involved in planning the audit. Normally it is more effective and efficient to have an experienced auditor make the risk
assessments and prepare the planning documents. However, all levels of the engagement team ought to be involved in the risk assessment
process.
100.6 Integration of Fraud Risk Assessment
Auditing standards stress that the auditor's consideration of fraud is not separate from consideration of audit risk but is integrated into the overall
audit risk assessment process. Although the requirements and guidance presented for risk assessment may suggest a sequential process, the
audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in
the financial statements in conformity with the applicable financial reporting framework that is used by the entity. 1 Therefore, risk assessment
procedures are performed concurrently with other procedures, and the evaluation of risks, including fraud risks, occurs continuously throughout the
audit. This Guide integrates the requirements for fraud risk assessment within the overall risk assessment process by addressing those
requirements at relevant points throughout the Guide.
Risk Assessment Objectives
100.7 The overall objective of risk assessment is to understand the entity and its environment, including internal controls, to identify and assess the
risks of material misstatement at the financial statement and relevant assertion levels in order to provide a basis for designing and implementing
responses to those risks. Specific objectives related to the risk assessment procedures discussed in this Guide are summarized at the beginning of
each chapter.
100.8 Key Provisions of the Standards Relating to Risk Assessment
The following list presents some of the key elements of auditing standards with respect to risk assessment.
• Emphasis on the Quality and Depth of the Required Understanding of the Entity and Its Environment. In addition to the components of
internal control, auditing standards specify aspects of the entity and its environment about which the auditor should obtain an understanding to
identify and assess where material misstatements could occur.
• Requirement to Assess Risks. Auditing standards do not permit assessing control risk “at the maximum” without support. Risk assessment,
at whatever level, should be supported by the auditor's understanding of the entity and its environment, including internal control. Auditors are
required to identify significant risks that need special audit consideration, as well as other risks where the application of substantive
procedures alone will not sufficiently reduce detection risk.
• Emphasis on Evaluating and Testing Controls. Obtaining an understanding of internal control involves evaluating the design of a control and
determining whether it has been implemented. In addition, control risk cannot be assessed at the maximum level without documenting the
basis for that conclusion. As a result of the emphasis on understanding controls, testing of controls may frequently be considered. However,
testing of controls is not required unless the auditor intends to rely on the operating effectiveness of controls to alter the nature, timing, or
extent of substantive procedures, or the auditor concludes that substantive procedures alone will not sufficiently reduce detection risk.
• Emphasis on Linkage between Assessed Risks and Resulting Audit Procedures. Auditors are required to develop overall responses that
address risks of material misstatement at the financial statement level as well as procedures that are clearly linked to assessed risks of
material misstatement at the relevant assertion level. The risk assessment standards stress the importance of the nature of audit procedures
in responding to assessed risks.
• Guidance on Substantive Procedures. Auditing standards indicate that substantive procedures should be applied to all relevant assertions
related to each material class of transactions, account balance, and disclosure to detect material misstatements at the assertion level,
regardless of the assessed risk of material misstatement. The standards also require the auditor to reconcile financial statements (and the
accompanying notes) with supporting records, and to examine material journal entries and other adjustments that were made when preparing
financial statements.
• Emphasis on Testing of Disclosures. Assertions about presentation and disclosure include completeness and understandability to users.
Auditing standards emphasize that risks of material misstatement should be considered for disclosures.
• Documentation Requirements. Among other items, auditors are required to document overall responses to address the assessed risks of
material misstatement at the financial statement level; the risk assessment at the relevant assertion level; the nature, timing, and extent of the
further audit procedures; the linkage of audit procedures to assessed risks; and the results of the audit procedures.
100.9 Appendix 1A presents key questions and answers on risk assessment. Appendix 1B is a diagnostic questionnaire that can be used to
consider whether the requirements of the standards are being met, and how to meet the requirements effectively and efficiently, in an audit.
Terminology
100.10 Auditing standards use specific terminology to describe the auditor's responsibility for planning and performing an audit. Some of those
terms, which are significant in the risk assessment process, are discussed in the following paragraphs.
100.11 Audit Strategy
The audit strategy is the auditor's operational approach to achieving the objectives of the audit. It is a high-level determination of the audit
approach by audit area. It includes the identification of audit areas with a higher risk of material misstatement, the overall responses to those
higher risks, and the general approach to each audit area as being substantive procedures or a combined approach of substantive procedures and
tests of controls. As part of risk assessment, the auditor should establish an overall strategy for the audit. Audit strategy is discussed beginning at
paragraph 206.35.
100.12 Audit Plan
The audit plan is more detailed than the audit strategy and includes the nature, timing, and extent of audit procedures to be performed by audit
team members to obtain sufficient appropriate evidence. The audit plan is commonly referred to as the audit program. The audit plan is discussed
in section 305.
100.13 Relevant Assertions
One of the terms of central importance in risk assessment is relevant assertions. The assertions that are relevant for a particular class of
transactions, account balance, or disclosure are those that have a reasonable possibility of containing a misstatement or misstatements that would
cause the financial statements to be materially misstated. A routine example is that the valuation assertion is usually not relevant to the cash
account unless currency translation is involved. Another example is that the valuation assertion is usually not relevant to the gross amount of the
accounts receivable balance, but is usually relevant to the related allowance for doubtful accounts.
100.14 Auditing standards related to risk assessment give prominent recognition to the idea of relevant assertions. References to “decisions made
at the relevant assertion level” mean decisions made about the relevant assertions within a class of transactions, account balance, or disclosure.
As discussed in Chapter 3, the auditor assesses risks of material misstatement at the relevant assertion level and designs audit procedures to
mitigate those assessed risks.
100.15 Significant Risk
Another term of importance in risk assessment is significant risk. A significant risk is an identified and assessed risk of material misstatement that,
in the auditor's professional judgment, requires special audit consideration. The reference to “requires special audit consideration” indicates the
basic idea. A risk is a significant risk if an analysis of inherent risk indicates that the likely magnitude of the potential misstatement and the
likelihood of the misstatement occurring are such that they require special audit consideration. The determination of whether a risk requires special
audit consideration is based on an assessment of inherent risk and does not include consideration of controls. Significant risks generally relate to
nonroutine transactions (i.e., transactions that are unusual due to their size or nature) and complex or judgmental matters. Transactions that are
routine, noncomplex, and subject to systematic processing have lower inherent risks and are less likely to involve significant risks. Identified fraud
risks are always significant risks. Significant risks are discussed further in Chapter 3.
100.16 Risk Assessment Procedures
Risk assessment procedures are a defined category of audit procedures performed near the beginning of an audit to obtain an understanding of
the entity and its environment, including its internal control, for the purpose of identifying and assessing the risks of material misstatement, whether
due to error or fraud, at the financial statement and relevant assertion levels. The risk assessment is used to determine the nature, timing, and
extent of further audit procedures. Risk assessment procedures consist of inquiry, observation, inspection, and analytical procedures. Risk
assessment procedures are discussed in section 201.
100.17 Risk of Material Misstatement
The risk of material misstatement is the likelihood of having a misstatement in the financial statements of a material amount prior to the audit.
When considering audit risk at the overall financial statement level, the auditor should consider risks of material misstatement that relate
pervasively to the financial statements taken as a whole and that potentially affect many relevant assertions. The auditor should also assess the
risk of material misstatement at the relevant assertion level for classes of transactions, account balances, and disclosures. At the relevant
assertion level, the assessment of risk of material misstatement is the combination of the auditor's assessment of inherent risk and control risk.
Inherent risk is the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a material misstatement before
consideration of any related controls. Control risk is the risk that a material misstatement that could occur in an assertion about a class of
transactions, account balance, or disclosure will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. The
auditor can make a combined assessment of inherent and control risk or assess the component risks separately and then combine them.
Considering the overall risk assessment at the financial statement level is discussed in section 206. Assessing the risk of material misstatement at
the relevant assertion level is discussed in section 304.
100.18 Further Audit Procedures
Further audit procedures are procedures an auditor performs in response to the assessed risks to reduce the overall audit risk to an appropriately
low level. They consist of substantive procedures, tests of controls, and other procedures, sometimes referred to as general procedures. Further
audit procedures are discussed in Chapter 4.
100.19 Other Terms
Some other terminology relevant to risk assessment that is worth noting includes—
• Audit evidence.
• Reasonable assurance.
100.20 Audit Evidence.
AU-C 500.05 states:
Audit evidence is all the information used by the auditor in arriving at the conclusions on which the auditor's opinion is based. Audit
evidence includes both the information contained in the accounting records underlying the financial statements and other
information.
The results of the auditor's risk assessment procedures provide evidence that contributes to forming an opinion on the financial statements.
100.21 Reasonable Assurance.
The auditor's report includes a statement that generally accepted auditing standards (GAAS) require audits to be planned and performed to obtain
reasonable assurance about whether the financial statements are free from material misstatement. That statement introduces the concept of
materiality to the audit report and the auditor's responsibility for detecting errors or fraud. AU-C 200.13 clarifies that reasonable assurance is a
high, but not absolute, level of audit assurance.
100.22 In addition, the clarified standard AU-C 240, Consideration of Fraud in a Financial Statement Audit, includes a revised definition of fraud to
converge with the ISAs, and AU-C 320, Materiality in Planning and Performing an Audit, introduces the term performance materiality. Performance
materiality is an amount, set by the auditor, less than materiality for the financial statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If
applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular
classes of transactions, account balances, or disclosures. Performance materiality is to be distinguished from tolerable misstatement, which is
reserved for audit sampling. These changes are not expected to have a significant effect on audit practice.
Unconditional and Presumptively Mandatory Requirements
100.23 AU-C 200.25 clarifies the meaning of certain terms used in the auditing standards and defines the terminology that the Auditing Standards
Board uses to describe the degrees of responsibility that professional requirements impose on auditors and practitioners.
100.24 The contents of the auditing standards contain professional requirements along with explanatory material. The auditor's degree of
responsibility in complying with professional requirements can be identified through two categories.
• Unconditional Requirements. Unconditional requirements are those that an auditor must follow in all cases in which the requirement is
relevant. Those requirements are noted in the SASs by use of the words “must” or “is required.”
• Presumptively Mandatory Requirements. Auditors are also expected to comply with presumptively mandatory requirements if the
circumstances are relevant to the requirement; however, in rare situations, the auditor may judge a departure from the requirement as
necessary and document the justification and how alternative procedures that were performed were sufficient to achieve the objectives of the
requirement. Presumptively mandatory requirements are identified by the word “should.” The requirements related to the risk assessment
procedures discussed in this Guide are summarized at the beginning of each chapter.
100.25 Application and other explanatory material represents material that provides additional guidance on professional requirements or identifies
other procedures or actions. An auditor is not required to perform other procedures or actions that are identified through application and other
explanatory material. Those items require understanding and professional judgment regarding their applicability. Application and other explanatory
material is identified through the words “may,” “might,” and “could.”
Authoritative Literature
100.26 The following standards establish requirements and provide guidance related to risk assessment:
a. AU-C 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing
Standards, defines audit risk and the related risks of which it is a function, that is, the audit risk model. (Formerly included in AU 110-230)
b. AU-C 240, Consideration of Fraud in a Financial Statement Audit, establishes requirements for identifying and assessing the risks of
material misstatement due to fraud and determining the overall and specific responses to those risks, and for designing the audit to provide
reasonable assurance of detecting fraud that results in the financial statements being materially misstated. [Formerly SAS No. 99 (AU 316)]
c. AU-C 250, Consideration of Laws and Regulations in an Audit of Financial Statements, establishes requirements for obtaining an
understanding of the legal and regulatory framework relevant to the industry or sector in which the entity operates and how the entity complies
with that framework. [Formerly SAS No. 54 (AU 317)]
d. AU-C 260, The Auditor's Communication With Those Charged With Governance, establishes requirements for the auditor to communicate
with those charged with governance about the planned scope and timing of the audit. [Formerly SAS No. 114 (AU 380)]
e. AU-C 300, Planning an Audit, establishes requirements for audit planning, including development of an overall strategy and audit plan,
involvement of the engagement partner and team members, and consideration of whether specialized skills are needed. [Formerly SAS No.
108 (AU 311)]
f. AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, establishes requirements for
performing risk assessment procedures to provide a basis for identifying and assessing risks of material misstatement and requires obtaining
an understanding of various specific matters, including the aspects of internal control relevant to the audit and, if there is one, the internal audit
function. It explains the concept of assertions; provides guidance on identifying, assessing, and revising the risks of material misstatement at
the assertion level; and discusses how the results of tests of controls may affect the preliminary risk assessment and planned audit
procedures, and the use of analytical procedures in audit planning. [Formerly SAS No. 59 (AU 329) and No. 109 (AU 314)]
g. AU-C 320, Materiality in Planning and Performing an Audit, establishes requirements for determining materiality for the financial statements
as a whole and performance materiality for assessing the risks of material misstatement at the assertion level, and determining the nature,
timing, and extent of further audit procedures. [Formerly SAS No. 107 (AU 312)]
h. AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating Evidence Obtained, addresses designing and
performing audit procedures that are responsive to risks at the relevant assertion level and establishes requirements for determining the
nature, timing, and extent of further audit procedures (both tests of controls and substantive procedures) in response to the assessed risks of
material misstatement. It provides guidance on (1) how the preliminary risk assessment affects the design of further audit procedures,
including tests of controls, (2) determining when tests of controls may be appropriate, (3) the nature, timing, and extent of control tests, (4)
selecting items for testing, (5) evaluating the sufficiency and appropriateness of audit evidence collected, and (6) documentation requirements.
[Formerly SAS No. 110 (AU 318)]
i. AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, provides guidance on obtaining an understanding of
internal control of a client that uses a service organization. [Formerly SAS No. 70 (AU 324)]
j. AU-C 500, Audit Evidence, establishes requirements for designing audit procedures that are appropriate for obtaining sufficient, appropriate
evidence and describes audit procedures used to obtain audit evidence. [Formerly SAS No. 106 (AU 326)]
k. AU-C 501, Audit Evidence—Specific Considerations for Selected Items, establishes requirements for determining the completeness of
litigation, claims, and assessments. It provides that the auditor's decision about whether to send a letter of inquiry to the client's lawyer is
based on the auditor's risk assessment. [Formerly SAS No. 12 (AU 337)]
l. AU-C 520, Analytical Procedures, explains the use of analytical procedures as substantive tests to obtain sufficient appropriate audit
evidence. [Formerly SAS No. 56 (AU 329)]
m. AU-C 540, Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures, establishes requirements
relating to identifying, assessing, and responding to risks arising from accounting estimates. [Formerly SAS No. 57 (AU 342)]
n. AU-C 550, Related Parties, establishes specific additional audit requirements relating to identifying, assessing, and responding to risks
arising from related-party relationships and transactions. [Formerly SAS No. 45 (AU 334)]
Related AICPA Guidance and Projects
100.27 Audit Risk Alerts
The AICPA Audit Risk Alert, Understanding the New Auditing Standards Relating to Risk Assessment, provides a summary of the risk assessment
standards that were issued in 2006 as SAS Nos. 104-111 and guidance on the standards' provisions. Those SASs have been superseded by the
clarified auditing standards (see paragraph 100.31). However, the clarified auditing standards do not result in significant new requirements related
to risk assessment. Thus, the guidance in the Risk Alert remains useful in understanding risk assessment.
100.28 The Audit Risk Alert, General Accounting and Auditing Considerations—2011/12, was issued to help identify and respond to accounting
and auditing issues related to the current economic environment. Financial and economic instability may affect the entity's operations, risks, and
financial reporting, which in turn may affect the auditor's risk assessment and responsibilities in providing auditing services.
100.29 Audit Guide
The AICPA Audit Guide, Assessing and Responding to Audit Risk in a Financial Statements Audit, Revised Edition as of October 1, 2009 (the
AICPA Risk Assessment Audit Guide), provides implementation guidance and case studies illustrating the implementation of the risk assessment
process. It includes guidance on performing further audit procedures, including tests of controls. Although issued prior to the clarified auditing
standards (see paragraph 100.31), guidance from the AICPA Risk Assessment Audit Guide remains relevant and is incorporated in this Guide.
100.30 Technical Practice Aids
The AICPA periodically issues guidance in the form of questions and answers on selected practice matters. The Technical Practice Aids are not
approved by any senior technical committee of the AICPA and are, therefore, nonauthoritative. A number of technical practice aids, which are
discussed at relevant points throughout this Guide, address risk assessment matters.
100.31 Clarified Auditing Standards
In response to growing concerns about the complexity of auditing standards and to converge U.S. generally accepted auditing standards with
International Standards on Auditing (ISAs), the Auditing Standards Board (ASB) undertook the Clarity Project to revise all existing standards and to
design a format under which all new standards will be issued. In October 2011, the ASB issued SAS No. 122, Statements on Auditing Standards:
Clarification and Recodification. SAS No. 122 represents a completely new set of auditing standards revised in format, structure, style, and content
from the existing standards. It supersedes almost all existing SASs through SAS No. 121, including the risk assessment standards that were
issued in 2006 as SAS Nos. 104-111. (Paragraphs 100.35 and 100.37 discuss some of the changes in organization and requirements made by
SAS No. 122.) In addition, the AICPA has issued SAS No. 123, Omnibus Statement on Auditing Standards—2011, which amends SAS No. 122 to
address matters that arose after the clarified standards were finalized.
100.32 Effective Date.
With a few exceptions, all of the clarified standards are effective for audits of financial statements for periods ending on or after December 15,
2012. Generally, early adoption of SAS No. 122 is not permitted. However, an auditor may implement aspects of SAS No. 122 early as long as he
or she continues to comply with existing standards.
100.33 Form and Structure of the Standards.
The clarified standards were developed using formatting techniques, such as bulleted lists, that make them easier to read and understand. In
addition, each clarified standard is divided into the following topics:
• Introduction. Includes matters such as the purpose and scope of the guidance, subject matter, effective date, and other relevant
introductory material.
• Objectives. Establishes objectives that allow the auditor to understand what he or she should achieve under the standards. The auditor
uses the objectives to determine whether additional procedures are necessary for their achievement and evaluate whether sufficient
appropriate audit evidence has been obtained. The objectives related to the risk assessment procedures discussed in this Guide are
summarized at the beginning of each chapter.
• Definitions. Provides key definitions that are relevant to the standard.
• Requirements. States the requirements that the auditor is to follow to achieve the objectives unless the standard is not relevant or the
requirement is conditional and the condition does not exist. The requirements related to the risk assessment procedures discussed in this
Guide are summarized at the beginning of each chapter.
• Application and Other Explanatory Material. Provides further guidance to the auditor in applying or understanding the requirements. While
this material does not in itself impose a requirement, auditors should understand this guidance. How it is applied will depend on professional
judgment in the circumstances considering the objectives of the standard. The requirements section references the applicable application and
explanatory material. Also, when appropriate, considerations relating to smaller and less complex entities are included in this section.
100.34 New AU Section Organization.
Within the AICPA Professional Standards, the clarified standards (SAS No. 122) use “AU-C” section numbers instead of “AU” section numbers.
“AU-C” is being used temporarily to avoid confusion with references to existing “AU” sections, which are still effective through 2013. The “AU-C”
identifier will revert to “AU” in 2014, when the clarified standards are fully effective for all engagements. Exhibit 1-2 presents a cross reference
between the AU sections of the risk assessment standards and several other standards discussed in this Guide and the AU-C sections of the
clarified standards.
Exhibit 1-2
Cross Reference between SASs and Clarified Standards
| SAS | AU (Pre-Clarity Standard) | Title (Pre-Clarity Standard) | AU-C (Clarified Standard) | Title (Clarified Standard) |
|---|---|---|---|---|
| Risk Assessment SASs | | | | |
| 104 | AU 230.10 | Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”) | AU-C 200 | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards |
| 105 | AU 150 | Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards | AU-C 200 | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards |
| 106 | AU 326 | Audit Evidence | AU-C 500 | Audit Evidence |
| 107 | AU 312 | Audit Risk and Materiality in Conducting an Audit | AU-C 200 | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards |
| | | | AU-C 320 | Materiality in Planning and Performing an Audit |
| 108 | AU 311 | Planning and Supervision | AU-C 210 | Terms of Engagement |
| | | | AU-C 300 | Planning an Audit |
| 109 | AU 314 | Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement | AU-C 315 | Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement |
| 110 | AU 318 | Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained | AU-C 330 | Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained |
| Other SASs | | | | |
| 12 | AU 337 | Inquiry of a Client's Lawyer Concerning Litigation, Claims, and Assessments | AU-C 501 | Audit Evidence—Specific Considerations for Selected Items |
| 45 | AU 334 | Related Parties | AU-C 550 | Related Parties |
| 54 | AU 317 | Illegal Acts by Clients | AU-C 250 | Consideration of Laws and Regulations in an Audit of Financial Statements |
| 56 | AU 329 | Analytical Procedures | AU-C 520 | Analytical Procedures |
| 57 | AU 342 | Auditing Accounting Estimates | AU-C 540 | Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures |
| 65 | AU 322 | The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements | AU-C 315 | Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (includes guidance related to understanding the internal audit function as part of risk assessment) |
| | | | AU-C 610 | The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements (presents guidance on considerations when using internal auditors to reduce the work required on the audit—not discussed in this Guide) |
| 70 | AU 324 | Service Organizations | AU-C 402 | Audit Considerations Relating to an Entity Using a Service Organization |
| 99 | AU 316 | Consideration of Fraud in a Financial Statement Audit | AU-C 240 | Consideration of Fraud in a Financial Statement Audit |
| 114 | AU 380 | The Auditor's Communication with Those Charged with Governance | AU-C 260 | The Auditor's Communication with Those Charged with Governance |
____________________
100.35 In addition to addressing the objectives of the Clarity Project and converging with comparable ISAs, the clarified standards make certain
organizational changes to existing risk assessment standards such as:
a. Transfer the guidance on the auditor's use of assertions from AU 326, Audit Evidence, to AU-C 315, Understanding the Entity and Its
Environment and Assessing the Risks of Material Misstatement.
b. Separate AU 312, Audit Risk and Materiality in Conducting an Audit, into two separate clarified standards. AU-C 320, Materiality in Planning
and Performing an Audit, addresses materiality when planning and performing the audit. Guidance on the evaluation of misstatements
identified in the audit is in a separate clarified standard, AU-C 450, Evaluation of Misstatements Identified During the Audit, which is not
addressed in this Guide.
c. Move the definition of audit risk and its components to the clarified standard, AU-C 200, Overall Objectives of the Independent Auditor and
the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards.
d. Eliminate the unconditional requirement to consider audit risk in an audit, since the ASB believes that the consideration is fundamental to the
audit process, making an explicit requirement unnecessary.
e. Transfer the guidance on auditor's responsibilities for evaluating the overall effect of audit findings on the auditor's report to the clarified
standards AU-C 700, Forming an Opinion and Reporting on Financial Statements, AU-C 705, Modifications to the Opinion in the Independent
Auditor's Report, and AU-C 706, Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor's Report, which are
not discussed in this Guide.
f. Move guidance on the auditor's responsibilities regarding the early appointment of the auditor and establishing the terms of the engagement
to the clarified standard, AU-C 210, Terms of Engagement.
g. Move guidance on supervision in an audit to the clarified standard, AU-C 220, Quality Control for an Engagement Conducted in Accordance
with Generally Accepted Auditing Standards, or SQCS No. 8, A Firm's System of Quality Control, which are not discussed in this Guide.
h. Move the requirement to perform the audit with professional skepticism to the clarified standard, AU-C 220, Overall Objectives of the
Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards.
100.36 Implementation of the Clarified Standards in this Guide.
The majority of the requirements in the clarified standards are consistent with the requirements in the pre-clarified standards. Thus, the changes to
the standards, although extensive, do not create many substantive changes in practice. Therefore, the discussions throughout this Guide,
references to authoritative literature, and practice aids have been updated for the clarified standards.
100.37 Changes in Practice.
However, implementation of the clarified auditing standards could result in some changes in practice. The changes in practice may result from new
requirements or from changes in existing requirements. In addition, depending on how auditors apply existing requirements, changes in practice
may occur as a result of added emphasis in the clarified standards that makes existing requirements more explicit. The following changes related
to risk assessment are noted throughout the Guide and in the practice aids, as appropriate:
• AU-C 240, Consideration of Fraud in a Financial Statement Audit, amends the definition of fraud. However, the revised definition is not
expected to change audit practice.
• AU-C 250, Consideration of Laws and Regulations in an Audit of Financial Statements, contains a requirement to understand how the entity
is complying with the legal and regulatory framework to which it is subject, inquire about compliance specifically with those charged with
governance, and inspect correspondence with licensing or regulatory authorities. See section 207.
• AU-C 300, Planning an Audit, contains an explicit requirement that the engagement partner be involved in planning the audit and that the
auditor document the audit strategy and the reasons for changes to the strategy or the audit plan. See section 206.
• AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, requires the auditor to
specifically consider whether the control environment promotes a culture of honesty. See section 204.
• AU-C 320, Materiality in Planning and Performing an Audit, introduces the term performance materiality. See section 301.
• AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, explicitly requires the
auditor to make inquiries to understand the consequences of deviations in tests of controls and determine whether there is a basis for reliance,
whether additional tests are necessary, and whether the risk of material misstatement needs to be addressed through substantive procedures.
See section 402.
• AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, requires inquiries of management about its awareness of
fraud, noncompliance with laws or regulations, or uncorrected misstatements at the service organization that affect the user entity's financial
statements. See section 201.
• AU-C 501, Audit Evidence—Specific Considerations for Selected Items, establishes requirements for determining the completeness of
litigation, claims, and assessments. It provides that the auditor's decision about whether to send a letter of inquiry to the client's lawyer is
based on the auditor's risk assessment. Thus, the inquiry is only required when potential items have been identified that could result in a
material misstatement. See section 207.
• AU-C 540, Auditing Accounting Estimates, Including Fair Value Accounting Estimates and Related Disclosures, makes explicit the need to
obtain an understanding of accounting estimates, including related controls, during risk assessment. The clarified standard also requires a
retrospective review of estimates during risk assessment, provides specific procedures for estimates that give rise to significant risks, and
includes specific documentation requirements. See sections 201 and 207.
• AU-C 550, Related Parties, makes explicit the need to obtain an understanding of related party relationships and transactions, including
related controls, during risk assessment, adds a specific requirement to discuss related parties during the engagement team discussion,
requires treating significant related party transactions outside the normal course of business as significant risks, and requires additional
procedures (a) for significant related party transactions outside the normal course of business, and (b) if related parties not disclosed by
management are identified. See section 201.
PPC Guide on Clarified Auditing Standards
100.38 PPC's Guide to the Clarified Auditing Standards presents an in-depth discussion of SAS Nos. 122-125. It summarizes the objectives and
requirements of the clarified standards as well as the changes in format, terminology, and requirements. It can be ordered by calling
(800) 431-9025 or by visiting ppc.thomsonreuters.com.
1 The applicable financial reporting framework is the set of accounting principles used by the entity to prepare its financial statements. This Guide
assumes that entities are following U.S. generally accepted accounting principles (GAAP).
© 2012 Thomson Reuters/PPC. All rights reserved.
© 2013 Thomson Reuters/RIA. All rights reserved.
101 The PPC Audit Process
101.1 Risk assessment requires auditors to use information gathered about the entity and its environment (including internal control) to identify and
assess the risks of material misstatement at both the overall financial statement and relevant assertion levels, and to determine the nature, timing,
and extent of further audit procedures needed to respond to those risks. Further audit procedures are performed to obtain audit evidence to
support the auditor's opinion on the financial statements.
The PPC Audit Process
101.2 The authors have developed a practical approach to the audit process to address the requirements for risk assessment and have designed
practice aids to assist auditors in meeting those requirements. PPC's audit approach is designed to be flexible and adaptable, allowing auditors to
better leverage their knowledge of the client to tailor their audit procedures. The audit approach has been divided into the broad steps illustrated in
Exhibit 1-3.
Exhibit 1-3
The PPC Audit Process
____________________
101.3 Although the requirements and guidance may suggest a sequential process, the audit is a continuous process of gathering, updating, and
analyzing information about the fairness of presentation of amounts and disclosures in the client's financial statements. Therefore, the audit
process is an iterative, nonlinear process, whereby the required procedures may be performed concurrently with other procedures. In addition,
risks should be evaluated continuously throughout the audit.
101.4 The PPC audit process outlined in Exhibit 1-3 is incorporated in all of PPC's audit guides, including specialized industry audit guides. This
Guide focuses on Steps 2-6 of that process. Under the approach illustrated in this Guide, the auditor generally spends additional time on planning
and risk assessment procedures to identify specific risks and develop targeted audit procedures. However, the efficiencies obtained by using this
approach should offset the additional planning time required.
Practice Aids
101.5 This Guide reproduces practice aids from PPC's Guide to Audits of Nonpublic Companies, which guide the auditor through the risk
assessment process. The auditor completes the risk identification process using the practice aids CX-3.1, “Understanding the Entity and Identifying
Risks,” CX-3.2, “Engagement Team Discussion,” CX-3.3, “Fraud Risk Inquiries Form,” CX-4.1, “Understanding the Design and Implementation of
Internal Control,” and CX-4.2, “Financial Reporting System Documentation Forms.” The practice aids at CX-6.1, “Entity Risk Factors,” and CX-6.2,
“Fraud Risk Factors,” provide examples of risk factors to consider when identifying financial statement risks using the practice aids at CX-3.1 and
CX-3.3. Another practice aid, CX-7.1, “Risk Assessment Summary Form,” is then used to summarize the auditor's risk assessments and document
the auditor's response to those assessments. Practice aids are also included that assist the auditor in efficiently documenting control testing
procedures if the auditor chooses or needs to test controls.
101.6 Because the audit process requires significant judgment on the part of the auditor when making risk assessments and determining the
nature of audit procedures to be performed, the practice aids are designed to be flexible. For example, “Understanding the Entity and Identifying
Risks” (CX-3.1) consists of open-ended questions supplemented by “factors to consider” listed on “Entity Risk Factors” (CX-6.1) versus a “checklist
approach.” Also, the “Risk Assessment Summary Form” (CX-7.1) provides a snapshot of the auditor's risk assessments and the effect on the audit
approach. Checklists and practice aids used in risk assessment are discussed in Chapters 2 and 3 and illustrated in the case studies at
Appendixes A through C.
101.7 PPC's Industry Audit Guides
All of PPC's industry audit guides contain similar forms. A common numbering scheme is used so that the practice aids in all of PPC's audit guides
have similar references. However, the prefix to the practice aid reference differs among the guides. For example, the practice aid referred to in this
Guide as CX-3.1, “Understanding the Entity and Identifying Risks,” can be found at ASB-CX-3.1 in PPC's Guide to Audits of Nonpublic Companies.
The equivalent practice aid can be found at NPO-CX-3.1 in PPC's Guide to Audits of Nonprofit Organizations for a nonprofit organization, at
ALG-CX-3.1 in PPC's Guide to Audits of Local Governments for a governmental entity, and similarly for other industry audit guides. The practice aids in
the industry guides are tailored for specific industry requirements.
101.8 All of the practice aids mentioned in paragraph 101.5 are discussed and illustrated throughout this Guide. In addition, blank copies of those
practice aids are included in the appendixes to Chapters 2, 3, and 4. PPC's SMART Practice Aids—Risk Assessment is an innovative audit tool
that automatically generates audit programs based on the auditor's risk assessments. Also, PPC's SMART Practice Aids—Internal Control
provides a top-down, risk-based approach for efficiently and effectively evaluating internal control over financial reporting.
Applying the PPC Audit Process in Continuing Engagements
101.9 The PPC audit process illustrated in this Guide is based on practitioner input and is designed to help simplify the auditor's documentation
and continued application of risk assessment. Firms should have already applied the risk assessment standards (SAS Nos. 104-111) on their audit
engagements; nevertheless, auditors will need to modify some procedures on continuing engagements to implement the clarified standards (AU-C)
and to achieve greater efficiency or effectiveness.
101.10 Auditors ought to carefully assess the results of their risk assessment efforts and determine how the firm's audit process might be
improved. The following paragraphs provide the authors' suggestions for improving the efficiency and effectiveness of applying risk assessment on
continuing engagements.
101.11 As more fully discussed in Chapter 2, the auditor performs risk assessment procedures to gain an understanding of the entity and its
environment, including internal control, to assess the risks of material misstatement. In many cases, considerable effort may have been spent in
performing risk assessment procedures to obtain and document the necessary understanding during the initial year of implementation. In
subsequent engagements, the auditor still performs risk assessment procedures to understand the entity and its environment; however, the focus
shifts slightly to determining whether changes have occurred that may affect the relevance of the information obtained in prior audits. Thus,
auditors often focus their efforts in continuing engagements on inquiries and walkthroughs to determine the extent of changes to prior year
information and the impact of those changes on their risk assessment.
101.12 The authors suggest the following when planning for continuing engagements:
• Consider best practices.
• Focus on changes in the entity and its environment since the prior engagement.
• Consider final risk assessments and the results of further audit procedures performed during the prior audit.
• Reconsider internal control testing.
• Look for efficiency opportunities.
101.13 Consider Best Practices
If the firm has formed a best practices team to assess practice issues and improvement opportunities, the team should consider where the firm's
audit processes might be modified for both initial and recurring engagements. If a best practices team has not been formed, firm leadership may
consider assigning key audit personnel to perform an assessment to determine where improvements could be made.
101.14 The team may want to consider matters such as the following:
• What inefficiencies were encountered? How can those inefficiencies be eliminated? Were extensive risk assessment or further audit
procedures performed and documented in areas that were not significant or had a relatively low level of inherent risk? Did teams have to
modify initial risk assessments based on the results of further audit procedures? If so, why?
• What improvements can be made in the firm's documentation process? If PPC practice aids are used by the firm without modification, do
they need to be further modified to reflect firm policies?
• Did the firm take a primarily substantive approach in many of its engagements? Is that the most effective approach? Is it possible to design
efficient tests of controls that can increase overall audit effectiveness while reducing substantive procedures?
• What efficiencies were gained using a risk-based approach? Which of the approaches and methods used by different engagement teams
could be considered best practices for others to follow?
101.15 In addition, auditors may want to consider best risk assessment practices of other audit firms, for example, by enrolling in best practices
training opportunities. Thomson Reuters Tax & Accounting offers a number of in-house training courses and conferences that focus on best
practices. For more information, contact Thomson Reuters at (800) 231-1860 or visit the website at www.trainingcpe.thomson.com.
101.16 Focus on Changes in the Entity and Its Environment
In subsequent audits where the auditor uses information about the entity and its environment obtained during the previous audit, the auditor's
focus when performing risk assessment procedures is on determining whether changes have occurred that may affect the relevance of the prior
information. Therefore, the auditor ought to consider whether the nature and extent of risk assessment procedures need to change in the
subsequent period. Usually, the auditor will make inquiries of relevant and knowledgeable key personnel and perform walkthroughs to identify and
evaluate changes. In some cases, the auditor may determine that the extent of inquiries needed in a subsequent engagement might be less than
what was needed during a prior engagement. However, the auditor needs to use care in determining the nature and extent of risk assessment
procedures in subsequent audits. There may be new information or factors that suggest an element of change necessitating performance of more
robust risk assessment procedures to obtain a sufficient understanding.
101.17 Consider Final Risk Assessments and the Results of Further Audit Procedures from the Prior Audit
If the auditor's assessment of the risk of material misstatement was revised during the previous audit as additional audit evidence was obtained,
the auditor ought to determine what impact that may have on risk assessment procedures in the current audit. For example, if an assertion for an
audit area was deemed to have a higher level of risk of material misstatement based on the results of substantive procedures, and the initial risk
assessment was consequently revised (and documented), it may be appropriate to modify the risk assessment procedures relating to that
assertion during the planning phase of the subsequent audit to ensure an appropriate understanding of the risks. Likewise, if the final assessed
risk in the prior audit was lower than initially planned, the auditor might consider reducing the extent or changing the nature of risk assessment
procedures in the current year. In other words, the extent and nature of procedures will generally go hand-in-hand with the degree of risk for an
audit area or assertion.
101.18 Reconsider Internal Control Testing
In continuing engagements, auditors need to take a fresh look at the selection of further audit procedures applied in the previous audit. In some
cases, the auditor might have decided that performing substantive procedures alone was effective and more efficient than a combined approach
consisting of tests of controls and substantive procedures. For the subsequent audit, as part of the planning process, the auditor will reevaluate
that decision considering both the current year risk assessment and the efficiency and effectiveness of the procedures performed in the prior audit.
In some cases, as the auditor gains more experience in understanding controls, designing efficient and effective control tests, and reducing
substantive procedures based on the results of those tests, he or she may decide that internal control testing is the most effective and efficient
strategy. Chapter 4 discusses internal control testing.
101.19 Look for Efficiency Opportunities
When appropriate, some auditors ask clients to review and update the documented understanding of the entity and its environment, including
internal control, from the previous audit. When doing this, auditors normally only provide the client with those portions of the workpapers that reflect
the documented understanding. Typically, auditors ought not provide the client with sections of the workpapers that describe the auditor's risk
assessment procedures and conclusions. If the auditor decides that certain of the “Activity and Entity-level Control Forms” at CX-5 will be used in
the current engagement, the client might be asked to perform a self-assessment regarding the existence and implementation of the controls listed
on one or more of those forms. Chapter 2 discusses those forms in further detail.
101.20 Auditors may wish to emphasize to their clients the importance of self-assessing their financial reporting risks and internal control systems.
As discussed in Chapter 2, management's risk assessment is a key component of internal control. Appendix 2B provides a PowerPoint client
presentation that can be used to educate clients on how they can identify and assess risks related to financial reporting and their internal control
systems. Also, Appendix 2C provides a PowerPoint client presentation that emphasizes the importance of entity-level controls, which are
discussed in Chapter 2. A documented client self-assessment of risks and internal control procedures can jump-start the auditor's risk assessment
process, contribute to audit efficiency, and help minimize audit fees for the client.
101.21 If the client is asked to review and update the documentation of the auditor's understanding of the entity and its environment, including
internal control, or performs and documents a self-assessment of financial reporting risks and the internal control system, the auditor still needs to
perform sufficient risk assessment procedures, based on his or her judgment, to confirm any changes and to evaluate the design and
implementation of controls that the client indicates are in place.
102 Scope of This Guide
102.1 This Guide is designed for audits of nonpublic companies and is not intended to provide guidance for audits of public companies. Auditors of
public companies should use PPC's Guide to PCAOB Audits. PPC's Guide to PCAOB Audits may be ordered by calling (800) 431-9025 or by
visiting ppc.thomsonreuters.com. The text discussion and practice aids illustrated in this Guide are designed for audits of commercial business
entities. However, the guidance may also be applied to an industry-specific audit engagement.
Generally Accepted Auditing Standards
102.2 This Guide assumes that the auditor has an understanding of the professional audit standards, and it therefore does not provide a
comprehensive discussion of those requirements.
How to Use This Guide
102.3 This Guide can be used in a variety of ways. For example, a firm may use the Guide as a quick reference tool to address questions about
specific topics. For example, Appendix 1A presents key questions and answers on risk assessment and references to the Guide's discussion of
the topics. This Guide is also designed as a package of tools—technical guidance, best practices, and workflow tools—developed to give firms
everything necessary to effectively apply risk assessment. This Guide illustrates completion of the related practice aids and, with its detailed
guidance on every aspect of risk assessment, provides an excellent source of reference material when questions arise. Also, some firms might use
portions of the Guide as a training resource for staff. For example, Appendix 1B is a diagnostic questionnaire on audit risk assessment that can be
used to determine whether the risk assessment procedures required by professional standards were performed in a particular audit engagement.
Appendixes A through C provide case studies that illustrate the use of PPC practice aids in the risk assessment process. Appendix 1C presents a
PowerPoint presentation on Understanding Audit Risk Assessment, which can be used as the basis for an in-house training session. These
materials can assist new staff in understanding the risk assessment process and how various risk assessment forms can be used and completed.
Overview of This Guide
102.4 Chapter 2 discusses risk assessment procedures, which include obtaining an understanding of the entity and its environment, including
internal control, and planning decisions and judgments made by the auditor. Chapter 3 discusses assessing and responding to identified risks. That
chapter includes a discussion of performance materiality, risks of material misstatement at the relevant assertion level, and preparing the detailed
audit plan. Chapter 4 discusses further audit procedures and other matters, and focuses on tests of controls, making a control risk assessment,
and substantive procedures. Appendixes A through C of this Guide include three case studies that illustrate completed practice aids and walk the
auditor through various aspects of the risk assessment process for different types and sizes of entities. Appendixes 2B and 2C provide PowerPoint
presentations, along with scripts, that explain how clients can self-assess their financial reporting risks and internal control systems, including
maintaining an effective control environment.
102.5 Appendix A
Appendix A presents a case study of a midsized nonpublic manufacturing entity in the technology sector. The auditors document their risk
assessment (and other audit matters) by completing the PPC forms illustrated in this Guide (as well as certain other forms used in the PPC audit
process). The auditors use a combined approach consisting of tests of the operating effectiveness of internal controls and substantive procedures.
This case study illustrates the PPC checklists that are required in every audit to comply with professional standards. A completed audit program for
accounts receivable and sales is also illustrated in Appendix A.
102.6 Appendix B
Appendix B presents a case study of a small, privately-held manufacturing entity. The auditors document their risk assessment by completing
some of the PPC forms illustrated in this Guide and writing memos. A primarily substantive audit is performed (that is, a further understanding of
internal controls is not obtained and controls are not tested for operating effectiveness). Completed audit programs for inventory and accounts
payable are illustrated in Appendix B.
102.7 Appendix C
Appendix C presents a case study of a privately held employment services entity. The objective of this case study is to illustrate the use of various
PPC forms for documenting the understanding of internal control. Furthermore, the case study illustrates how the “Activity and Entity-level Control
Forms” at CX-5 (as discussed in section 203 and in Chapter 4) might be used when documenting internal control.
© 2012 Thomson Reuters/PPC. All rights reserved.
END OF DOCUMENT -
© 2013 Thomson Reuters/RIA. All rights reserved.
Appendix 1A
Key Questions and Answers on Risk Assessment
General Terms and Concepts

Question: What are “significant risks”?
Answer: A risk is a “significant risk” if an analysis of inherent risk indicates the likely
magnitude of the potential misstatement and the likelihood of the misstatement
occurring are such that they require special audit consideration, that is, a specific
audit response. In determining the appropriate audit response to significant risks,
the auditor should obtain an understanding of related controls, including relevant
control activities. If the auditor plans to rely on the operating effectiveness of
controls to mitigate the significant risk, the auditor needs to test those controls in the
current period.
Reference to Discussion in Guide: Beginning at paragraph 304.15

Question: What are “relevant assertions”?
Answer: Assertions are relevant for a particular class of transactions, account balance, or
disclosure if they have a meaningful bearing on whether the item is fairly stated. A
routine example is that the valuation assertion is usually not relevant to the cash
account unless currency translation is involved. The concept is a central feature of
the risk assessment standards.
Reference to Discussion in Guide: Section 302

Question: What are “risk assessment procedures”?
Answer: Risk assessment procedures represent a defined category of audit procedures
performed near the beginning of the audit to obtain an understanding of the entity
and its environment (including its internal control) for the purpose of assessing the
risks of material misstatement. They consist of inquiry, observation, inspection, and
analytical procedures. The auditor's analysis of the results of these procedures is an
assessment of risk that in itself provides evidence that ultimately supports the
auditor's opinion on the financial statements.
Reference to Discussion in Guide: Section 201

Question: What is the “risk of material misstatement”?
Answer: The risk of material misstatement is the likelihood of a misstatement of a material
amount. The auditor should assess this risk at both the financial statement level and
at the relevant assertion level. At the financial statement level, it is an overall
assessment. At the relevant assertion level, it is the combination of the auditor's
assessment of inherent risk and control risk. The auditor can make a combined
assessment of inherent and control risk or assess the component risks separately
and then combine them.
Reference to Discussion in Guide: Beginning at paragraph 304.6

Question: Does the risk assessment need to be a specific percentage?
Answer: No. The assessment may be in quantitative or nonquantitative terms, such as high,
moderate, or low.
Reference to Discussion in Guide: Paragraph 304.9

Question: Does the assessment need to be documented?
Answer: Yes. The auditor should document the assessment of risks of material misstatement
both at the financial statement level and at the relevant assertion level, as well as
the basis for that assessment. Of particular significance is the requirement to
document the basis for the assessment. For example, this would mean
documenting the procedures performed, the results of those procedures, and the
related conclusions.
Reference to Discussion in Guide: Beginning at paragraph 303.37

Question: What are “further audit procedures”?
Answer: The purpose of the risk assessment is to determine the “further audit procedures”
that are necessary to express an opinion. These procedures consist of substantive
procedures and tests of controls that are performed in response to the assessed
risks and are designed to reduce the overall audit risk to an appropriately low level.
Reference to Discussion in Guide: Sections 401 and 403

Audit Plans and Programs

Question: Is a written audit program required?
Answer: Yes. The auditor must develop an audit plan that documents the audit procedures to
be used. The audit plan is more detailed than the audit strategy and includes the
nature, timing, and extent of audit procedures to be performed, including risk
assessment procedures and planned further audit procedures.
Reference to Discussion in Guide: Section 305

Question: Is a canned audit program a permissible way to meet this requirement?
Answer: If a canned audit program means one that uses the same audit procedures for
every client, the answer is no—that is not permitted. On the other hand, a
standardized program that can be tailored to the circumstances will meet the
requirement, provided it demonstrates the linkage of the nature, timing, and extent
of further audit procedures with the assessed risk at the relevant assertion level.
Reference to Discussion in Guide: Paragraph 305.78

Question: Is a separate audit strategy memo required?
Answer: No. The auditor is required to establish and document the overall strategy for the
audit and to document any changes in the strategy and the reasons, but a separate
memorandum is not required. Various aspects of the overall strategy could be
documented throughout the workpapers. On the other hand, a simple memo might
be convenient in an audit of a smaller, noncomplex entity.
Reference to Discussion in Guide: Paragraph 206.49

Materiality in Planning and Evaluation

Question: What planning decisions and judgments are required about materiality, and do they need to be documented?
Answer: During audit planning, the auditor should determine and document a materiality
level for the financial statements taken as a whole. The auditor is also required to
determine and document performance materiality—materiality at the account
balance, class of transactions, or disclosure level.
For both performance materiality and materiality for the financial statements taken
as a whole, the auditor is required to document the basis on which those materiality
levels were determined as well as any changes made to them as the audit
progresses.
Also, the auditor is required to consider materiality for particular items of lesser
amounts than the materiality level determined for the financial statements taken as
a whole. In other words, the auditor might need to use lower materiality levels for
particular account balances, transaction classes, or disclosures if in the auditor's
judgment, lesser amounts could reasonably be expected to influence economic
decisions of financial statement users. For example, users' expectations regarding
the disclosures in related party transactions might cause the auditor to regard lesser
amounts as material in planning procedures and evaluating disclosures with regard
to related party transactions.
Reference to Discussion in Guide: Sections 206 and 301

Question: Does the auditor need to include “qualitative” factors in establishing materiality for planning purposes?
Answer: No. It ordinarily is not practical to design audit procedures to detect misstatements
that could be qualitatively material. The auditor should perform the audit to obtain
reasonable assurance of detecting misstatements that are large enough,
individually or in the aggregate, to be quantitatively material to the financial
statements.
Reference to Discussion in Guide: Beginning at paragraph 206.5

Question: Does the degree of inherent uncertainty associated with measurement of particular items in financial statements change the auditor's approach to materiality?
Answer: No. In some situations, financial statements include large provisions with a high
degree of estimation uncertainty, such as the provision for insurance claims in the
case of an insurance company. The standards make clear that once materiality is
established, the auditor should consider materiality the same way regardless of the
inherent business characteristics of the entity being audited. For audit purposes, the
inherent uncertainty of financial statement items does not cause the auditor to follow
different procedures for planning or evaluating misstatements.
Reference to Discussion in Guide: Paragraph 206.8

Tests of Controls

Question: Are tests of controls a requirement of every audit?
Answer: No. The auditor can decide for a particular audit area to rely solely on substantive
procedures and perform no tests of controls. For example, this might be done for
purposes of audit efficiency. Before making this decision, the auditor has to obtain
and document an understanding of relevant controls and control activities sufficient
to understand what could go wrong in a particular audit area, and then plan and
perform substantive procedures responsive to that assessment. In other words, the
auditor needs to have a basis for this decision.
Reference to Discussion in Guide: Beginning at paragraph 401.9
Beginning at paragraph 205.29

Question: What control activities does the auditor have to understand?
Answer: The auditor does not need to understand all control activities (specific control
policies and procedures, such as reviews and approvals). The auditor should first
consider the knowledge about control activities obtained from understanding the
other components of internal control, such as the control environment and the
information and communication system. The auditor should focus on identifying and
obtaining an understanding of control activities that address areas in which the
auditor believes material misstatements are more likely to occur. For example, the
auditor is specifically required to obtain an understanding of the process of
reconciling detail to the general ledger for significant accounts. The auditor is also
required to understand the controls, including relevant control activities, related to
significant risks and risks for which substantive procedures alone are not adequate.

Question: Is rotation of tests of controls permissible?
Answer: The standards explicitly permit rotation of tests of controls over a three year cycle in
specified circumstances. The auditor has to obtain persuasive evidence that the
controls have not changed in the current period and evaluate the appropriateness of
rotation in the particular circumstance. Rotation of testing is not permitted if the
auditor plans to rely on the controls to mitigate a significant risk (as previously
defined).
Reference to Discussion in Guide: Beginning at paragraph 401.73

Question: Is testing of controls ever mandatory?
Answer: Yes. The auditor should identify those risks for which it is not possible or practicable
to reduce detection risk at the relevant assertion level to an acceptably low level
with audit evidence obtained only from substantive procedures. In other words, in
some cases, substantive procedures alone are not effective and the audit approach
will need to include tests of controls. This tends to occur in highly automated
processing environments in which a significant amount of information is initiated,
authorized, recorded, processed, or reported electronically.
Reference to Discussion in Guide: Paragraph 401.9

Other Key Concepts

Question: Are engagement letters required?
Answer: Yes. The auditor is explicitly required to document the understanding with the client
in an engagement letter and to do so at the beginning of the current audit
engagement.
Reference to Discussion in Guide: Paragraph 201.18

Question: Are walkthroughs required in all audits?
Answer: Walkthroughs are not explicitly required as a mandatory audit procedure in every
audit. However, walkthroughs can sometimes be an effective way to obtain audit
evidence, especially relating to internal control. The standards stress that inquiry
alone is not sufficient for obtaining the understanding of the entity and its
environment, particularly its internal control. (This effectively prohibits
“conversational auditing.”) The standards emphasize the need to corroborate
responses to inquiries by management and employees through observation and
inspection. Performing walkthroughs may be a way to obtain the in-depth
understanding of internal control that is required or, for subsequent audits, to
determine whether changes have occurred that affect the relevance of information
obtained in prior audits.
Reference to Discussion in Guide: Beginning at paragraph 205.22

Question: Is use of the more complex categorization of assertions under the risk assessment standards required?
Answer: No. As long as all aspects of the assertions are covered, a more simplified
categorization is acceptable. The standards use thirteen categories of assertions
classified separately by transactions and events, account balances, and
presentation and disclosure. The assertions related to presentation and disclosure
are particularly important. Many things can go wrong in the financial reporting
process related to preparing financial statements from the trial balance and related
schedules. Thus, the audit work on the process of preparing financial statements,
especially related to the assertions of understandability and clarity of disclosure, is
very important. The authors use six categories of assertions in this Guide, as well
as other PPC audit guides that cover all of the categories of assertions used in the
auditing standards.
Reference to Discussion in Guide: Section 302

Question: Is it necessary to test every assertion for every account balance and transaction class?
Answer: No. However, the auditor is required to design and perform substantive procedures
for all relevant assertions related to each material class of transactions, account
balance, and disclosure.
Reference to Discussion in Guide: Paragraph 403.2

Question: Are there any other substantive procedures that must be performed on all engagements under the risk assessment standards?
Answer: Yes. The standards require that the auditor perform the following substantive
procedures in every audit:
1. Agree the financial statements, including the accompanying notes, to the
underlying accounting records.
2. Examine material journal entries and other adjustments made during the
course of preparing the financial statements.
Reference to Discussion in Guide: Beginning at paragraph 403.4
Beginning at paragraph 201.60

Question: What types of audit team meetings need to be held?
Answer: There are two required meetings that can easily be combined into one. AU-C 240
requires a brainstorming meeting among audit team members about how and where
the financial statements might be susceptible to material misstatement due to fraud.
In addition, AU-C 315 requires members of the audit team to discuss the
susceptibility of the financial statements to material misstatements. One combined
meeting can be held to cover the susceptibility of the financial statements to
material misstatement from both error and fraud.

Question: Can the auditor use information about the entity and its environment obtained in prior audits as a basis for the understanding in the current audit?
Answer: Yes, however, the auditor is required to determine whether changes have occurred
that may affect the relevance of such information in the current audit. The auditor is
required to perform risk assessment procedures, such as inquiries and
walkthroughs to determine if changes have occurred.
Reference to Discussion in Guide: Beginning at paragraph 201.6.