As a frequent business traveler across the United States, I have interacted with many external audit firms this year. As we enter the heavy audit season, it is clear that risk is a topic of primary interest for audit teams, especially for the partners and managers who oversee the process. For auditors of private companies and nonprofit organizations, the talk has been about a beefed-up peer review focus on how the audit team addresses risk. For auditors of public companies, a bit of apprehension is in the air regarding the new risk assessment standards, effective for the first time in 2011.
Although there are two sets of risk-related audit standards from different sources, one for public company auditors and another for private company auditors, they share the same fundamentals. The intent of this article is not to discuss the differences, but rather to summarize the practical implications for auditors and the companies they audit. Although the following perspective is written primarily for auditors of public companies, all auditors and all organizations subject to an external audit benefit from a better understanding of the risk standards.
The Sarbanes-Oxley Act of 2002 authorized the Public Company Accounting Oversight Board (PCAOB) to establish auditing and related professional practice standards to be used by registered public accounting firms. Auditors of public companies must be registered with PCAOB and refer to “the standards of the Public Company Accounting Oversight Board (United States)” in their audit reports. PCAOB Rule 3100, Compliance with Auditing and Related Professional Practice Standards, requires the auditor to comply with all applicable auditing and related professional practice standards of the PCAOB.
The PCAOB auditing standards, numbers 8 through 15, are collectively referred to as the “risk assessment standards.” These standards are effective for audits of fiscal years beginning on or after Dec. 15, 2010:
AS No. 8: Audit Risk – The objective of the auditor is to conduct the audit of financial statements in a manner that reduces audit risk to an appropriately low level. To form an appropriate basis for expressing an opinion on the financial statements, the auditor must plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement due to error or fraud. Reasonable assurance is obtained by reducing audit risk to an appropriately low level through applying due professional care, including obtaining sufficient appropriate audit evidence.
AS No. 9: Audit Planning – The objective of the auditor is to plan the audit so that the audit is conducted effectively. Planning the audit includes establishing the overall audit strategy for the engagement and developing an audit plan, which includes planned risk assessment procedures and planned responses to the risks of material misstatement. Planning is not a discrete phase of an audit but, rather, a continual and iterative process.
AS No. 10: Supervision of the Audit Engagement – The objective of the auditor is to supervise the audit engagement, including supervising the work of engagement team members so that the work is performed as directed and supports the conclusions reached. The engagement partner is responsible for the engagement and its performance. Accordingly, the engagement partner is responsible for proper supervision of the work of engagement team members and for compliance with PCAOB standards, which extends to the work of specialists, other auditors, internal auditors, and others who are involved in testing controls.
AS No. 11: Consideration of Materiality in Planning and Performing an Audit – The objective of the auditor is to apply the concept of materiality appropriately in planning and performing audit procedures. The auditor should evaluate whether, in light of the particular circumstances, there are certain accounts or disclosures for which there is a substantial likelihood that misstatements of lesser amounts than the materiality level established for the financial statements as a whole would influence the judgment of a reasonable investor. If so, the auditor should establish separate materiality levels for those accounts or disclosures to plan the nature, timing, and extent of audit procedures for those accounts or disclosures.
AS No. 12: Identifying and Assessing Risks of Material Misstatement – The objective of the auditor is to identify and appropriately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to the risks of material misstatement. Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company’s industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework.
AS No. 13: The Auditor’s Responses to the Risks of Material Misstatement – The objective of the auditor is to address the risks of material misstatement through appropriate overall audit responses and audit procedures.
AS No. 14: Evaluating Audit Results – The objective of the auditor is to evaluate the results of the audit to determine whether the audit evidence obtained is sufficient and appropriate to support the opinion to be expressed in the auditor’s report. When evaluating the results of the audit, the auditor should evaluate whether the accumulated results of auditing procedures and other observations affect the assessment of the fraud risks made throughout the audit and whether the audit procedures need to be modified to respond to those risks.
AS No. 15: Audit Evidence – The objective of the auditor is to plan and perform the audit to obtain appropriate audit evidence that is sufficient to support the opinion expressed in the auditor’s report.
Many requirements and guidance points are embedded in these eight risk assessment standards. Complying with them is essential to a robust audit, and it helps the audit firm minimize both the deficiencies identified in PCAOB inspections and the exposure to potential adverse legal actions. While it is beyond the scope of this article to cover the risk assessment standards in detail, here are some practical implications for the auditor:
Organizations subject to an external audit do not need to become experts on external audit standards; however, it does help to become familiar with the general process and the key standards. This is especially true for AS No. 12, which requires the auditor to gain a solid grasp of the company’s operating and control environments. This includes inquiries of the audit committee, or equivalent (or its chair), management, the internal audit function, and others within the company who might reasonably be expected to have information that is important to the identification and assessment of risks of material misstatement.
For example, AS No. 12 explicitly mentions the following inquiries that the auditor should ask of the audit committee, or equivalent, or its chair regarding fraud risks:
Remember that it is the company that owns its financial statements, disclosures, and underlying controls. The auditor owns the audit opinion. As a result, it is the company’s responsibility to have a solid grasp of the risks of fraud and error relating to the financial statements. Auditees should never rely on the external auditor to catch fraudulent acts and errors, as this is a fundamental responsibility of the company. Indeed, if the auditor concludes that the company does not have its act together on this front, the auditor must consider reporting a material weakness, a significant deficiency, a qualified opinion, or even a disclaimer of opinion.
AS No. 12 goes on to identify factors relevant in identifying fraud risks. While these are written from the perspective of the auditor, they are all areas owned by the company. As a result, the following (as well as additional significant risks identified by the organization) should be on the agendas of management, disclosure committees, and audit committees:
The bottom line is that companies are well advised to give AS No. 12 a thorough reading so they can better prepare and understand their auditor’s focus points.
While risk considerations have always been an important part of the audit process, the topic is becoming more explicit through the standards. The PCAOB and state peer review programs are taking notice by paying closer attention to how the audit team addresses risks. The risk assessment standards do not identify every possible risk consideration; rather, they establish an overarching spirit that requires the auditor to always be on the lookout for fraud and material errors. Management, audit committees, and their auditors must constantly be aware of financial statement risks and how to respond to them adequately.
U.S. Generally Accepted Auditing Standards (GAAS), as authored by the American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board (ASB), apply to private companies and non-profit organizations. Standards of the Public Company Accounting Oversight Board (PCAOB) apply to public company audits. The PCAOB adopted as interim standards, on an initial and transitional basis, the GAAS in existence on April 16, 2003.
About the Author
Ron Kral is the managing partner of Candela Solutions. He educates and advises public and private companies on governance, risk and compliance matters. He is available for inquiries and can be reached at rkral@CandelaSolutions.com.
Ron Kral (CPA, CMA, CGMA) is a Member of Candela Solutions LLC, a public accounting firm with a national focus on governance, SEC compliance, and internal auditing. He is an educator, advisor, and internal auditor for boards and management teams, especially for public companies registered with the SEC. Ron has worked with hundreds of clients as a public accountant, many through Big-4 firms. He brings practical expertise on controls, regulations, accounting, and auditing as a catalyst to protect and grow client shareholder value.
Prior to forming Candela Solutions in 2003, Ron was a General Manager of a subsidiary for a multibillion-dollar company traded on the NYSE. Previously, he was a Principal Consultant with PricewaterhouseCoopers, where he led operational audits and internal control projects. He began his public accounting career with a California CPA firm as a Financial Auditor, where he signed audit opinions upon becoming Managing Director of the firm’s Orange County office. Ron worked extensively with Big-4 firms on consulting projects as a leader of the California CPA firm. He launched his career as a Performance Auditor with the California State Auditor.
Ron is a nationally recognized speaker on boardroom effectiveness, corporate compliance, risk assessments, SEC disclosures, COSO control and ERM frameworks, auditing standards, and accounting matters. He has authored numerous articles and currently leads educational sessions for the AICPA. He also conducts in-house training sessions for external audit firms and public companies on SEC rules and PCAOB standards. Ron is a co-author of The Board of Directors and Audit Committee Guide to Fiduciary Responsibilities. He has a keen focus on business realities and practical approaches anchored in professional and regulatory standards. Ron is a member of four of the five COSO-sponsoring organizations: the AICPA, FEI, IIA, and IMA. He served on FEI’s working group for the development of COSO’s 2013 Internal Control – Integrated Framework, and he is a facilitator for COSO’s Internal Control Certification Program under contract with the AICPA. Ron currently serves on FEI’s Research Committee. He holds an MBA from Arizona State University and a BBA from the University of Wisconsin, Madison. Ron resides in Las Vegas, Nevada. He can be reached at rkral@CandelaSolutions.com.