The New Suite of Risk Assessment SASs

October 2006

OK, they aren’t that new. I am just now getting a grip on them. SASs 104–111 were published in March of 2006, and are required to be used for financial statements dated in 2007.

These new standards are applicable only to financial audits—but any auditor can learn a thing or two from them—because they synthesize several of the best practices in auditing.

This has been coming for a long time

The AICPA is finally making it clear that canned audit programs are not a good idea. The AICPA never encouraged canned audit programs, but they didn’t necessarily discourage them either.

We had an inkling of this from the chairman of the AICPA a few years ago in an interview in the Journal of Accountancy. He is warning us about the impending SASs:

“The ASB decided that, yes, we do believe that these standards will improve the effectiveness of auditing,” Landes said. “We believe that they will be an improvement to the existing way that auditors go about assessing risk, planning their engagement, designing the nature, timing and extent of their auditing procedures. So, yes, we do want to go forward.”

Landes characterized the suite of proposed standards as a lot of relatively small, nuanced rules that, considered together, constitute a sweeping reform that will make a real difference in the audits of practitioners large and small. He said that these changes will result in a more effective audit.

“These standards get back, in a certain way, to the blocking and tackling basics of good auditing,” he explained. “They say you can't use a canned audit program. For every client, you have to think where there is risk of material misstatement, control risk and inherent risk. These are part of the formula that all of us grew up with.” Now we have to sit back and say, “How do I need to design my audit program—the timing, nature and extent of what I do—to be responsive to those risks?”

Ballou said that the proposed standard on understanding the entity and its environment may give auditors something new to learn.

“The standard will include things like business risk, strategy and objectives—for some auditors, these may be some new assessments they did not do in the past,” Ballou explained. “This will help lead them to a better understanding of the organization, which in turn should lead to better assessments of the risk of material misstatement.”

The core concepts

The basics of the new risk assessment SASs can be boiled down to a few key concepts:

• The auditor should consider risk in planning his or her audit.
• The auditor should design audit procedures that respond to that risk.

It just takes about 200 pages to say it. And it’s not as if they have invented a totally new concept—they have just pulled several topics and best practices together in one place.

One of my favorite quotes is from John Lennon where he explains how the Beatles came up with all of those hits. The Beatles were praised for creating new music that shook the world, but Lennon wasn’t so impressed with himself. He realized that he was just synthesizing others’ influences. Lennon said, “The blues is a chair, not a design for a chair or a better chair… it is the first chair… We didn’t sound like anybody else, that’s all… so ‘Please Please Me’ and ‘From Me to You’ and all those were our versions of the chair. We were building our own chairs.”

In a way, that is what the AICPA has done, because risk assessment isn’t new, brainstorming isn’t new, creating fresh audit programs isn’t new—but what is new is REQUIRING CPAs to do it and to document what they have done. (And just to be clear, in no way am I saying that the AICPA is as wondrous as the Beatles.

“Take a sad song… and make it better…”

Now if your heart is filling with dread, here is a word of hope: The auditors in the classes I have conducted so far on this subject are not crying at the end of class. Most auditors don’t think this is a radical, cruel change. It is all common sense and reasonable. It is just a mental shift, more team communication, and lots and lots of documentation.

And I have already talked with you about the majority of this stuff anyway…

Core concept #1: The auditor should consider risk in planning his or her audit

The audit should be examined from a new perspective every time because there are so many risks out there that deserve attention! Please see an earlier e-zine on risk assessments.

Core concept #2: The auditor should design audit procedures that respond to that risk

Now that you have identified the risk, what are you going to do about it? Pull out last year’s working papers and do the same audit program again? The new SASs discourages this behavior. Please see an earlier e-zine on canned audit programs.

And fresh audit programs should be written to respond to whatever risk is identified. Please see an earlier e-zine on this topic—called “How to Cook a Fresh Audit Program”.

The AICPA has done a lot of the work for you!

One of the VERY cool things about the AICPA risk assessment SASs is that they divide the universe into bite-sized chunks for you to work with. Instead of having to come up with a way dissect the universe yourself—like you have to do on most performance audits—the AICPA has divided the world into financial statement components and their related management assertions.

So, one of the hardest, most time consuming steps of the risk assessment is already taken care of for you!

I will talk about the balances on the financial statements and the related management assertions next month. Please take some time to assimilate the existing audit chairs by looking at past e-zines and then next month we will dig a little deeper. I will also refer you to two killer models that you can use to document your work.