CGA Magazine, Sep-Oct 2004

Improving Audits 

Standards

Auditing standards boards continue to look at ways to reduce audit risk. Here's an overview of one of the latest Exposure Drafts on this hot topic.

 

Internationally, the audit risk model has been the basis for audit planning for most of the past 20 years. However, the fallout from corporate failures in the United States in 2002 highlighted some of the model's weaknesses, and a call for revisions to the model began to circulate.

Even so, the fact remains that the audit risk model is a planning model. It is not a magic bullet allowing auditors to conclusively establish the amount and type of testing that needs to be performed. Rather, it is a model to estimate the amount of assurance needed from substantive procedures when considering the level of audit risk, as well as assessed levels of inherent risk and control risk for management assertions or account balances.

The importance of the audit risk model is not that it quantifies audit risk, but rather, that it forces the auditor to consider each of the component risks in context and to document each decision made. The auditor must first determine the acceptable level of risk for the audit. Next, inherent risk is usually assessed for each of the assertions made by the client's management as well as for the entity as a whole. Then control risk must be assessed on an assertion-by-assertion basis.

In practice, most firms assign risk as high, medium, or low within this model. But not only is it difficult to calculate and assign absolute percentages, establishing or defending a rationale for making the calculation is also challenging.

Spurred by the demand for improvements to the audit risk model, the Auditing Standards Board approved changes for the United States in October 2002. Subsequently, IFAC's International Auditing and Assurance Standards Board approved the international versions of the amended standards in October 2003 (see Audit Risk, May-June 2003 issue of CGA Magazine).

One of the key notions associated with these revisions was recognition of the fact that the auditor is often exposed to risks not embraced in the audit risk model. For example, auditors may be faced with loss or injury to their professional practice from litigation, adverse publicity, or other events arising in connection with financial statements they have audited and reported on. This exposure is present even though the auditor has performed the audit in accordance with generally accepted auditing standards and has reported appropriately on the financial statements.

So what exactly are the changes? According to the May 2004 Exposure Draft on audit risk:

  • The auditor must now gain an expanded understanding of the entity and its environment, including internal control. In particular, the auditor is required to obtain an understanding of business risks to the extent that they are relevant to the financial statements. Business risks are defined as significant conditions, events, circumstances, or actions that could adversely affect the entity's ability to achieve its objectives and execute its strategies. Such an understanding facilitates the auditor's identification and assessment of where material misstatement may occur; it also assists the auditor in making judgments about materiality and evaluating audit evidence.
  • In order to meet this objective, the standards will prescribe requirements and guidance on where and how the auditor should obtain the expanded understanding of the entity and its environment, including internal control. The auditor will now have to interact with personnel other than those involved in financial reporting and management — specifically, individuals with operational roles. Further, while information obtained during this phase of the auditor's work may constitute valid audit evidence, it is not sufficient in and of itself to support the auditor's opinion.
  • Given that the auditor will now have an expanded understanding of the entity and its environment, the auditor will have a better starting point to identify the risks of material misstatement. In performing the risk assessment procedures necessary to obtain evidence about the risks of material misstatements, the auditor is required to assess these risks at the financial statement level and at the assertion level, identify risks that are significant in the auditor's judgment, and identify assertions where substantive procedures alone will not be sufficient. In other words, the risk assessment must combine the assessment of inherent risk and control risk. To that end, the auditor may perform combined or separate assessments.
  • Consistent with existing guidance, the auditor is not required to perform tests of controls unless the auditor intends to rely on the operating effectiveness of controls to alter the nature, timing, or extent of substantive procedures, or the auditor has determined that evidence obtained from substantive procedures alone will not reduce risk to an appropriate level and that audit evidence about the effectiveness of controls must be obtained.
  • For significant risks, the auditor will be required to perform substantive procedures, consisting of tests of details either alone or combined with substantive analytical procedures specifically responsive to those risks.
  • The auditor's "required understanding of internal control" will now compel the auditor to evaluate the design of controls and control procedures over significant risks, and whether or not the controls have been implemented. In particular, the auditor will have to complete an evaluation of the design and implementation of controls that address significant risks, as well as controls on assertions for which substantive procedures alone are not sufficient.
  • There will be greater emphasis on the entity's risk assessment process. The auditor will need to gain an understanding of the entity's risk assessment process as a component of internal control. Such an analysis will assist the auditor in assessing the entity's objectives, strategies, and related business risks. If the auditor identifies risks that may result in material misstatement of the financial statements that the entity's risk assessment process has failed to identify, the auditor will have to address why the process failed to do so and whether the process is appropriate in the circumstances.
  • The current requirement to perform substantive procedures for material classes of transactions and account balances will be extended to disclosures, given their increased significance under financial reporting frameworks. Assertions related to presentation and disclosure will now require the auditor to obtain evidence specifically related to the completeness of disclosures and understandability to users. Finally, documentation requirements will be expanded to demonstrate that the auditor has complied with the standards.

The revisions to Canadian standards are expected to be completed later this fall, and will likely be effective for fiscal periods beginning on or after December 16, 2004.
