Smooth Sailing Through New Audit Standards
California CPA magazine: December 2008
by Marcia J. Hein, CPA
Peer review season is in high gear and there are lessons to be learned about implementing the new audit risk standards. Following are some of the hot spots seen in peer reviews so far.
1. Failure to document observation and inspection procedures.
SAS 109 tells us that observation and inspection procedures should be performed to support inquiries of management regarding the entity and its environment. These procedures would typically include some or all of the following:
• Observation of entity operations;
• Inspection of documents;
• Reading management reports, interim financial statements and board minutes; and
While firms may be performing these procedures, they often are not documented in the workpapers.
2. Failure to document risk assessment procedures.
Most firms understand the risks of their audit clients and properly identify significant transaction classes, material balances and significant fraud and other risks. Once the identification process occurs, the new standards require auditors to gain further knowledge of the flow of transactions and controls over these significant areas, and to document the knowledge obtained. This documentation is often missing from working papers.
3. Failure to link risk assessments to actual procedures performed.
Risk assessments may be properly identified, but some practitioners do not properly
link those assessments to procedures performed. For instance, if the risk of material misstatement for accounts receivable is moderate or high, and receivables are a material balance, the “basic” audit procedures from our Practitioners Publishing Company programs should be supplemented by extended procedures.
Conversely, if the risk of material misstatement for an area is low and the balance is not considered material, then
basic procedures (or even analytical review) will suffice.
Many firms do not understand this link and continue to perform all of the procedures they always have performed. Others just perform the basic procedures for all sections and disregard the extended procedures, even when some of these procedures are necessary.
4. Failure to properly use electronic third-party practice aids.
Our friends at PPC try to make our lives easier. In addition to the normal practice aids for audits of non-public companies, PPC has electronic practice aids that will increase our audit efficiency. Unfortunately, there may be a big learning curve in the first year of implementation and, like all programs, they are only as good as the information you put in. So reviewers have seen a variety of problems in using these electronic practice aids.
First, firms need to make certain that the risk assessments they have made actually get input into the summary form because
that is the form that the software uses to formulate the audit procedures to perform. For instance, if you have identified cash as a significant risk, but forget to check that box on the summary form, the suggested audit procedures won’t be sufficient to lower audit risk to an appropriate level.
Also, if circumstances change during the audit, and the firm decides to change the audit plan (for example, the number and type of procedures), they often don’t go back and change the risk assessments to accurately reflect their final decisions. Instead, they use an “override” feature on the programs. This often causes a failure to link risk assessments to audit procedures as described above.
Firms need to understand the standards and the practice aids to make certain that the standards are implemented correctly. Firms that use PPC should consider purchasing PPC’s Guide to Audit Risk Assessment, which gives examples of the completed forms as guidance.
Additional CPE on the standards themselves (search “audit risk assessment” at CalCPA's event registration page) and on use of applicable software also may be necessary. Firm personnel assigned to the review of engagements should emphasize the link between risk assessments and audit procedures performed during the review of engagements.
Marcia J. Hein, CPA is a past chair of the California Peer Review Committee, technical reviewer for the California peer review program and peer review instructor for the California CPA Education Foundation. You can reach her at Marcia@mjh-cpa.com.