Joanne M. Flood

Wiley Practitioner's Guide to GAAS 2020


Скачать книгу

Auditing Standards) and the assignment of audit work to the team members, including the assignment of appropriately experienced team members to areas in which there may be higher risks of material misstatement.

       Engagement budgeting, including considering the appropriate amount of time to set aside for areas in which there may be higher risks of material misstatement.

       Scope

       Technical Alert

       Definitions of Terms

       Objective of AU-C Section 315

       Overview

       Requirements

       Step 1. Perform Risk Assessment Procedures

       Step 2. Identification of Significant Risks

       Step 3. Assessing the Risk of Material Misstatement

       Documentation

       Examples of Matters to Consider When Obtaining an Understanding of the Entity and Its Environment

       The Economy

       The Client’s Industry

       The Client’s Business: New Client

       The Client’s Business: Continuing Client

       Using a Risk-Based, Top-Down Approach to Evaluate Internal Control

       Effect of IT on Internal Control

       AU-C 315 Illustrations

      SCOPE

      AU-C 315 provides guidance for the auditor to identify and assess the risks of material misstatements. The auditor does this by achieving an understanding the entity and its environment, including internal control. (AU-C 315.01)

      TECHNICAL ALERT

      Through the AICPA’s initiative on Enhancing Audit Quality (EAQ), data surfaced that indicated firms often fail to perform appropriate risk assessments and link those risk assessments to their audit procedures in compliance with AU-C Section 315 and AU-C Section 330. As a result, the AICPA Peer Review Board has developed stronger, more precise guidance. The Peer Review Board in its September 2018 Alert, as clarified in October 2018, announced an updated focus on risk assessment documentation and a new section in the Peer Review Manual, Evaluation of Non-Compliance with the Risk Assessment Standards. This new guidance is effective for peer reviews scheduled from October 2018 through September 2021.1

       Failure to gain an understanding of internal control

       Improperly assessing control risk

       Insufficient risk assessment

       Failure to link procedures performed to the risk assessment

      Failure to Gain an Understanding of Internal Control

      According to the AICPA, 40% of identified issues related to failure to gain an understanding of internal control. Auditors must understand internal control in order to identify related risks and design proper responses. Auditors are reminded to:

       Consider what could go wrong in financial statement preparation,

       Identify the controls intended to mitigate identified risks, and

       Evaluate the likelihood those controls can prevent, detect, and correct material misstatements.

      Auditors are cautioned that it is incorrect to think that AU-C 315.14 does not apply to an engagement where the client has no controls. Similarly, auditors are reminded that even when they do not plan to rely on internal control, defaulting to setting control risk at the maximum level is not permitted.

      Improperly Assessing Control Risk

      Improperly assessing control risk as less than high without appropriately testing controls accounted for 13% of the violations. Auditors are reminded not to reduce control risk to less than high without appropriately testing the relevant controls. Reducing control risk to less than maximum can only be done if the auditors have tested controls and are comfortable relying on their operating effectiveness.

      Insufficient Risk Assessment

      This risk comprises 14% of identified issues related to risk assessment. Failure to assess risk can result in over-auditing or worse, a failure to obtain sufficient appropriate audit evidence. The alert reminds auditors that:

       Regardless of the nature and extent of substantive procedures, they must:Identify the client’s risk of material misstatement through an understanding of its internal control,Assess the risk of material misstatement, andDesign or select procedures in response to those risks.

       Failure to identify at least one significant risk is likely to mean the auditor has failed to comply with AU-C 315.28.Auditors are reminded of the presumption of fraud in revenue recognition and that should be treated as a significant risk. (AU-C 240.26–.27)

       They must identify risk at both the financial statement and relevant assertion levels (AU-C 315.26)

       It is not necessary to document the risk of material misstatement for every audit area. Some assertions are not relevant.

      Failure to Link Procedures Performed to the Risk Assessment

      Of the most common risk assessment violations, 24% related to not linking risk assessment to auditors’ responses. The Alert reminds auditors to be responsive to the financial statement and relevant assertion level risks and that the linkage is at the assertion, not account, level. The AICPA discovered that auditors are not designing procedures with regard to the results of their risk assessment. Therefore, the risk is not reduced to an appropriate level, and the standards are not complied with.

      DEFINITIONS