Companies can expect more scrutiny from their audit firms this coming annual report season, thanks to new standards the audit firms themselves must meet to assess risk, especially a requirement to weave the risk of fraud into the entire audit process.

The good news: Most of those changes should be specific and focused, rather than sweeping and dramatic.

The Public Company Accounting Oversight Board adopted eight new standards that take effect for 2011 financial statements for calendar-year companies, giving auditors new directives on how to conduct risk-based audits. The eight new standards give auditors detailed instructions on how to assess the risk of material misstatements in financial statements, how to respond to any risks that are identified, and how to evaluate the ultimate audit conclusions. They cover defining audit risk and outlining the auditor's responsibility to consider it, planning the audit with risk in mind, supervising the audit engagement, considering materiality while planning and performing the audit, identifying and assessing risks of material misstatements, responding to those risks, evaluating audit evidence with risk in mind, and evaluating the audit evidence that results from the entire process.

The PCAOB modeled the standards on a similar suite of risk standards implemented in 2007 by the Auditing Standards Board of the American Institute of Certified Public Accountants, which governs audits of private businesses. The International Auditing and Assurance Standards Board also developed a similar batch of risk standards well ahead of the PCAOB. “It's not as if the PCAOB was starting from scratch,” says Susan Lister, a partner and national director of auditing for BDO USA.

Audit firms are generally familiar with the standards, and many have been following similar guidelines for several years, she says. BDO, like most major firms, develops a single audit methodology for all companies based on the most rigorous set of auditing standards, she explains, and then layers in any differences that might arise because of different national standards. That means since at least 2007 the major firms have already been auditing public company financial statements following the AICPA and IAASB risk standards, which are substantially similar to what the PCAOB is now putting in effect, she says.

“As a practical matter, these standards don't lead me to believe there will be a radical departure from current practice,” says Chris Wright, managing director at consulting firm Protiviti. “This will not be the advent of risk-based auditing. That being said, for a given company, it really depends on who your auditor is and what the communication has been with the auditor in the past around risk-based auditing.”

The PCAOB standards do have some subtle but important differences that could affect how auditors conduct their audits, says James Comito, a shareholder at audit firm Mayer Hoffman McCann. One important difference is how auditors are required to look at fraud risk, he says.

“We have to quit treating fraud risk as a bolt-on, as if it's an exercise separate from the others,” he says. “There will be a constant process of assessing audit results against the backdrop of fraud.” As an example, if auditors notice an audit adjustment, they will ask a lot more questions about what motivated it and whether it might suggest fraud.

Andy Ray, an assurance partner with audit firm Clifton Gunderson and leader of the firm's national Securities and Exchange Commission group, says the PCAOB standards contain specific requirements for auditors to ask more questions around fraud risk. For example, auditors are required to ask company personnel about instances of management override and whether they've ever been asked to make unsupported journal entries. “That's not in the ASB's requirements,” Ray says.

The new standards also give auditors some new instructions on how they can rely on earlier tests of internal controls, says Ray. “Before you can rely on a prior year test of internal control, you are required to specifically evaluate the changes in internal control from the prior year and any effect it could have on inadvertent reliance,” he says.

Auditors are also required to consider the effects of uncorrected misstatements on the risk assessment they originally performed as part of the planning process. “If you discover uncorrected misstatements, you need to go back and make sure the initial risk assessments are still appropriate,” Ray says. “Or do you need to modify them?”

Another important difference: the PCAOB's standards define materiality in a way that is likely to expand the audit scope to lower-level entities in a consolidated group of companies, says Peter Bible, head of the public companies group at audit firm EisnerAmper. That's because the standards require auditors to follow a tiered approach to materiality, such as the approach the SEC established in Staff Accounting Bulletin No. 99, he says.

AUDIT STANDARD 8

The following excerpt from PCAOB Audit Standard 8 discusses the auditor's consideration of audit risk in an audit of financial statements as part of an integrated audit or an audit of financial statements only:

Audit Risk

To form an appropriate basis for expressing an opinion on the financial statements, the auditor must plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement due to error or fraud. Reasonable assurance is obtained by reducing audit risk to an appropriately low level through applying due professional care, including obtaining sufficient appropriate audit evidence.

In an audit of financial statements, audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated, i.e., the financial statements are not presented fairly in conformity with the applicable financial reporting framework. Audit risk is a function of the risk of material misstatement and detection risk.

Note: The auditor should look to the requirements of the Securities and Exchange Commission for the company under audit with respect to the accounting principles applicable to that company.

Risk of Material Misstatement

The risk of material misstatement refers to the risk that the financial statements are materially misstated. Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, indicates that the auditor should assess the risks of material misstatement at two levels: (1) at the financial statement level and (2) at the assertion level.

Risks of material misstatement at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the financial statement level may be especially relevant to the auditor's consideration of the risk of material misstatement due to fraud. For example, an ineffective control environment, a lack of sufficient capital to continue operations, and declining conditions affecting the company's industry might create pressures or opportunities for management to manipulate the financial statements, leading to higher risk of material misstatement.

Risk of material misstatement at the assertion level consists of the following components:

a. Inherent risk, which refers to the susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls.

b. Control risk, which is the risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company's internal control. Control risk is a function of the effectiveness of the design and operation of internal control.

Inherent risk and control risk are related to the company, its environment, and its internal control, and the auditor assesses those risks based on evidence he or she obtains. The auditor assesses inherent risk using information obtained from performing risk assessment procedures and considering the characteristics of the accounts and disclosures in the financial statements. The auditor assesses control risk using evidence obtained from tests of controls (if the auditor plans to rely on those controls to assess control risk at less than maximum) and from other sources.

Source: PCAOB Audit Standard 8: Audit Risk.

Under that approach, materiality is not a flat threshold applied across the audit, but is scaled to fit the area of the balance sheet or the income statement that is being audited, he explained. As a result, “a lot of companies may have subsidiaries, divisions, or overseas branches that will be subject to the audit that weren't before,” he says.

Most firms are comparing the PCAOB's new standards, word by word, with the AICPA and IAASB requirements they've already baked into their audit methodologies, says BDO's Lister, to determine where they need to make changes. “It's a painstaking, laborious task,” she says. Most firms are getting their audit planning under way now based on those changes, she adds.

Ray says it will be helpful to companies and auditors alike that the specific instructions in the eight new standards are more closely aligned with Auditing Standard No. 5, which governs the audit of internal control over financial reporting. And while auditors aren't expecting dramatic changes as a result of the new standards, companies can be sure that auditors will leave no stone unturned. “We know when the PCAOB is doing its inspections they are sure to focus on these areas, so companies are going to see that the firms will be diligent,” he says.