AUDITORS MOVING FROM GUIDANCE TO REQUIREMENTS: ARRIVING AT THE RISK ASSESSMENT STANDARDS

1. AUDITORS MOVING FROM GUIDANCE TO REQUIREMENTS:ARRIVING AT THE RISK ASSESSMENT STANDARDS Brian Patrick Green, CPA, Ph.D. University of Michigan-Dearborn bpgreen@umd.umich.edu Alan Reinstein, CPA, D.B.A. Wayne State University a.reinstein@wayne.edu

2. PURPOSE • 1970’s audit standards offered minimal guidance for risk-based audit planning. • Practitioners did not apply standards consistently. • 1980’s standards provide more structured guidance for auditor’s • assessment of identified risks • audit planning focus on internal control environment • plan respond to risks • Evolved into auditing risk assessment standards. • Purpose: • describe the evolution of risk assessment • discuss the possible effect of the current standards on future practice. INT

3. INTRODUCTION • ASB did not exist 35 years ago • Statements on Auditing Procedures provided limited audit guidance • 1972: auditor would assert that audit procedures selected were based on evaluation of internal control. However, would hard pressed to provide evidence. • ASB 1973, audit standard focus relating audit procedures to the strengths and weaknesses of internal control environment. • ASB’s 2006 Risk Assessment Standards (RAS) (SAS Nos. 104-111) issuing standards and guidance on matching audit risk with audit effort. INT

4. Foundation Standards • Early ASB’s focus: • guide auditors plan for timing, nature and extent of audit procedures • evaluate the procedure’s results • Auditor professional judgment • Standards combine good/leading practice • General guidance vs specific rules • Review IC as audit by-product INT

5. Trend Towards Assessing Risk • SAS No. 31, Evidential Matter (1980) • Planned evidence followed the link between management objective, specific audit objectives, and substantive procedures • consider the accounting system’s internal consistency • used professional judgment to assess inherent and control risk FS

6. “Guidance” versus “Requirements,” • SAS No. 39 (1981), Audit Sampling • factors that should anchor the quantitative decision to meet the sufficient evidence criteria • consider item’s dollar amount, risk created by the item under audit, and expected frequency of misstatement • linked sample size directly to the auditor’s plan to rely on internal control FS

7. Supporting Auditor Judgment • SAS No 41 (1982), Working Papers • Content based on judgment of sufficient • Described what auditor “should” do • Document internal control, but not required to test • Listed factors that might affect judgment • SAS No 47 (1983), Audit Risk and Materiality • Too theoretical/no definitive method • Should gain an understanding of controls…judgment to test FS

8. Expectation Gap Standards • Sustained SAS No. 47’s distinction between control and inherent risks • Moved from guidance to some requirements • Began to require specific audit documentation EGS

9. Internal Control & Fraud • SAS No 53 (1988) • Must plan the audit to provide reasonable assurance • Must report discovered fraud • Documentation requirements • Still conceptual • SAS No 55 (1988) • Must gain an understanding • Should document understanding • Few specifics/not required to test controls EGS

10. Fraud Risks Affect on Requirements • SAS No 82 (1997) • Move from guidance to requirements • Required to assess and documentrisk of fraud, develop and document specific response, and communicate potential fraud • SAS No 99 (2002) • Added more requirements • What is risk of fraud (revenue, management IC) • Brain storm EGS

11. Redefining Due Professional Care • RAS, SAS No. 104-111 (2006) for Private companies • Required in-depth understanding of statements, operations, and control environment • Anchored on IC and ability to mitigate risk • Link assessed risk to timing, nature, and extent • Adds consistency to “due professional care” • Increased use of must and should RAS

12. Must vs Should: Intent of Standards • PCAOB defined the terminology to state expressly the auditor’s “degree of responsibility” in complying with professional standards. • Public Company Accounting Oversight Board defined in Rule 3101 (PCAOB 2004). Certain Terms Used in Auditing and Related Professional Practice Standards and an Amendment to Rule 1001: • “Must,” …indicate unconditional responsibilities. The auditor must fulfill responsibilities of this type in all cases… • “Should” indicates responsibilities that are presumptively mandatory… comply with requirements unless the auditor demonstrates that alternative actions… were sufficient RAS

13. Added Requirements to Achieve Due Professional Care • SAS No 103 (2005) Audit Documentation • Lists required audit documentation for risk, response, evidence, procedures, 5 year rule • SAS No 105 (2006) Amendment GAAS • Links risk, IC, audit procedures…document • SAS No 107 (2006) Risk and Materiality • Must obtain an understanding, • Should consider analytics RAS

14. Added Requirements to Achieve Due Professional Care • SAS No 109 (2006), Understanding the Entity • Must gain an understanding of entity, environment, and IC • Audit Risk = Risk of Misstatement * Detection Risk • Should collect and document nature of client evidence • Should obtain an understanding of external risks • Control risk is not 1.0 • Audit team should discuss understanding and risks • Team must consider significance and likelihood of risks RAS

15. RAS Requirements: Examples of “Must” “Must” involves critical steps in the audit process. RAS

16. RAS Requirements: Examples of “Should”“Should” describes audit procedures that are used to help satisfy the critical steps

17. Impact on Practice • Move from guidance to requirements • Specific use of “must” “should” “should consider” • Lessened professional judgment in key areas: • Risk • Planning • Internal control • Documentation • Due professional care is supported by increasing requirements and less professional judgment • Other thoughts • ASB and PCAOB are becoming consistent • Big GAAS, Little GAAS Consistent practice RAS