• PRESS ROOMRESOURCES
• STUDENTSCANDIDATES
• CONTACT USNEED A CPA?
• HELPADVERTISE/
  PLACE AD
  
• SEARCH
  

• Maryland CPA license
• CPAs in firms
  • Firm administrator resources
• CPAs in industry
• Areas of interest
• Books / reference materials
• Classifieds/Career Center
• Communications
• Join our Referral Bureau
• Legislation / regulation
• News / articles
• Peer review
• Products / services
• Promoting the CPA
• Tax resources
• Leadership

Risk assessment standards: FAQs

internal control programs

Webcast! Auditing Bits in Bytes™: Session 3 Internal Control Considerations - 11/25/2009 - Internet Internal Control Procedures for QuickBooks Users - 12/4/2009 - Columbia Construction Contractors -- Accounting, Auditing and Tax - 12/21/2009 - Salisbury Webcast: Auditing Bits in Bytes™ Session 7: Identifying, Evaluating and Communicating Internal Control Deficiencies - 12/23/2009 - Internet Ray's Review of Accounting Standards for Industry - 2/5/2010 - Towson More internal control courses >

risk-related programs

Webcast! Auditing Bits in Bytes™: Session 3 Internal Control Considerations - 11/25/2009 - Internet Webcast! Auditing Bits in Bytes™ Session 4 Assessing & Responding to Risk - 12/2/2009 - Internet Virtual Seminar: Enterprise Risk Management in Innovation and Learning Initiatives - 12/2/2009 - Internet Lean Accounting for the Lean Enterprise - 12/7/2009 - Towson Troublesome Tax Issues for Federal Payroll Taxes, Benefits and Form 1099s - 12/7/2009 - Rockville More risk-related courses >

Note: The following information is provided by the Private Companies Practice Section of the American Institute of CPAs.

This document is intended to address many general practitioner questions and concerns related to applying Statements on Auditing Standards Nos. 104-111. It is a complement piece to the SASs No. 104-111 Overview, which summarizes the key points and changes with the risk assessment standards to help ensure you are applying the new standards appropriately in your financial statement audits. It also is intended to be used with a SASs No. 104-111 Glossary of Terms, which provides the definition for important concepts to understand when applying the risk assessment standards and considering IT. 

In addition, there is much guidance available on the new risk assessment standards, including that offered by the AICPA, such as the Audit Risk Alert, the AICPA Audit Guide, published articles and additional CPE.

The AICPA has also created a unique online research tool, AICPA Resource, which includes the AICPA, FASB and GASB libraries. The AICPA IT Section has published tools, discussion papers and web seminars related to the IT considerations of risk based auditing. IT Section members can access the tools here.

Why were the eight risk assessment standards developed? Is risk-based auditing a new approach to auditing?

While many perceive these standards as driving a great deal of change to auditing, they really require you to return to the basics of auditing and focus your audits on risk. These standards were developed based on research which showed that auditors could do a better job of assessing risk (whether caused by error or fraud) and designing and performing appropriate audit procedures in response to assessed risks. The risk assessment standards were designed to be applied in tandem with the existing fraud standard, SAS 99, because the intent of the Audit Standards Board was to strengthen audit quality by guiding auditors to the areas of greatest risk (whether caused by error or fraud). 

Should I project a cost increase for my clients as we implement these new standards? If so, how much should I project and how can we minimize the increase?

There is no one–size-fits-all answer for determining the costs of implementing the risk based standards in your firm or the cost increase for client audit engagements based on the new risk assessment standards. We hear that some auditors are projecting potential percentage increases in audit engagement fees across the board, but we believe that a single increase may not apply ratably across all clients. One suggestion you may consider is implementing these standards on a small sample of the firm engagements to get a better idea of the incremental costs and then determining how you can apply the cost impacts to the remaining client engagements.

Any increases in fees will also depend on your current audit methodology and the extent to which your firm has already implemented a risk based approach. Many firms have already implemented a risk based approach, in whole or in part, and changes in their audit methodology may not be as profound.

When contemplating the fee increase for clients’ audit engagements, consider the following cost implications that could affect the audit engagement fees: 

Auditor-based cost implications

• If you have an adequate understanding of the entity, its internal control and processes, the entity’s environment and other factors, the cost increase will likely be less because you will have a reduced learning curve. The cost increase will likely be higher if you need to allocate time learning and documenting your understanding of the entity’s internal control and processes, the entity’s environment and other factors.
• If you apply, or “layer,” the new standards on top of your current audit methodologies, without exploring changes to your methodology holistically or leveraging Computer Assisted Audit Tools and Techniques (CAATTs) to drive efficiencies and incorporate test of controls into their further audit procedures, the cost increase will likely be higher because you may perform redundant or additional tasks that are not necessary. If you modify your current audit methodologies and processes and incorporate the application of the new standards within these processes, the cost to make these internal audit methodology changes could be significant in the first year you apply these standards, but it is likely to increase the efficiency with which you conduct your audits, minimizing audit fee increases to the less complex clients.

Entity-based cost implications

• Entities can better manage their audit costs by ensuring they have appropriate internal control in place and adequate documentation of their policies and procedures and design of the entity’s IT-related controls. This will assist auditors in obtaining an understanding of internal control and eventually develop an appropriate audit approach. The ability to do so could impact audit costs. Auditors can help clients reduce the fees by meeting with clients and recommending that they begin the documentation process now. Examples include documenting internal control policies and procedures, creating flow charts of the information flow for significant classes of transactions, and documenting the procedures for initiating, authorizing, recording, processing and reporting those procedures.    

How should I incorporate a projected increase in audit fees into my audit pricing?

When contemplating how to allocate the potential cost increase in your audit engagements, consider the following ideas:

• The cost of your audit CPE and methodology changes can either be seen as an internal cost that is part of the cost of running your audit practice, to be absorbed by your firm, or allocated ratably to client engagements based on their projected audit complexity.
• To develop your audit fees for the upcoming year, determine the increase by client based upon their projected audit complexity (based upon the factors discussed in the previous question) and incorporate the fee increase into this year’s client engagement letter.

If you project an increase in a client’s audit engagement, we suggest you communicate that increase proactively to them as early as possible. Consider scheduling an in-person meeting to explain the standards and the changes they will drive to the audit process using the PCPS SASs No. 104-111 Talking Points Document that you can download for all your audit clients, but especially those clients for whom you are projecting a significant increase (due to their complexity, your lack of understanding of the entity and its environment and internal control, their lack of internal control documentation and/or your perception that they have a potentially higher RMM). Then, follow that communication with either a new engagement letter and / or the sample communication letter “Risk Based Auditing Standards Communication."

What additional types of communications should I consider for my clients?

You are required to obtain an understanding of the internal controls in order to assess the risks of material misstatement, and in doing this, you may identify areas of improvements, significant deficiencies or material weaknesses. Your client may ask you to perform additional services to assist them in addressing these matters. The additional services could be considered as separate services from your audit engagement and billed separately. Additional services you could provide your clients include:

• assisting your clients in making recommendations to design and document controls;
• documenting controls, processes, and procedures; and
• additional education or meetings with clients and their stakeholders to discuss how an auditor views controls and why financial controls and documentation are important in producing reliable financial information. 

Other communications that you may want to consider, some of which are included in the AICPA Audit Guide’s appendix, include:

• client questionnaires that can be leveraged for understanding the client, their environment and internal control (perhaps leveraged for clients in similar industries);
• a document to share with clients that describes what they need to do to prepare for their audit;
• communications with the audit committee or those in governance to educate them on the new standards, changes in the audit methodology, etc.;
• a document to understand what your client can expect as the final deliverables as a result of their audit, which can then be incorporated into your engagement letter; and
• the summary of the auditor’s response to the assessed risks of material misstatement.

Where can I access tools that may help us implement the new risk assessment standards?

Some tools and samples your firm may use to help implement these standards can be found in the Audit Guide.

Where does IT fit in related to the implementation of these standards?

Because information technology (IT) is integral in the financial reporting of most entities today, ranging from simplistic small business accounting systems to sophisticated, enterprise-wide systems, auditors need to identify the changes that may need to be made to their audit methodology to ensure that IT-related risks are appropriately considered.

The AICPA Information Technology Executive Committee has developed several tools that address the IT implications in risk based auditing, including the IT Considerations in Risk Based Auditing discussion paper and web seminars, available to IT Section members here.

What are CAATTs and how are they used in the audit process?

CAATTs are Computer Assisted Audit Tools and Techniques, in which auditors use computers to automate or simplify the audit process. CAATTs may be used to facilitate tests of details of transactions, account balances and disclosures provided you have comfort that the integrity of the data is sound and there are controls over that data. Once those conditions have been met, CAATTs can increase your efficiency, allowing you to use the entity’s data files to assess transactional and supporting data and take vast amounts of normalized data and integrate and analyze that data, creating stratification of data to identify data that is potentially an outlier or anomaly or assist in sample selection.

The following are examples of substantive procedures the auditor may perform using CAATTs:

• Recalculation including the use of CAATTs to recalculate report balance.
• Reperformance.
• Analytical procedures including using CAATTs to test journal entry files for unusual entries (e.g., Benford tests).

What types of training programs should I consider providing for my staff?

Training programs for all audit staff, managers and partners should be considered to educate them on the new standards, your firm’s audit methodologies, and any industry-specific application of the standards or audit procedures. Topics to consider in your firm’s training curriculum could include, but not be limited to:

• training on the new standards which is likely to take a minimum of 16 hours;
• education on the five components of internal control, why they are important and the role of the auditor in making recommendations on developing and/or documenting internal controls;
• effective documentation for both the client in the documentation of their internal control, policies and procedures and for the auditor’s documentation during and after the audit engagement;
• implications of fraud and how to identify fraud during an audit engagement;
• your firm’s audit methodology and processes; and
• industry-specific issues related to audits

The training can be conducted in a variety of methods, including self-study DVDs or web seminars, conferences or workshops or in-firm training. For additional training resources, visit the AICPA Web site or the CPA2Biz Web site.

I have read all the materials suggested and still have questions. Who can I contact?

Members may call the Accounting and Auditing Technical Hotline at (888) 777-7077, menu option number 5, followed by menu option number 3. You may also submit questions to the online Accounting and Auditing Technical Hotline.

DISCLAIMER: This publication has not been approved, disapproved or otherwise acted upon by any senior technical committees of, and does not represent an official position of, the American Institute of Certified Public Accountants. It is distributed with the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

HOME | HELP | RSS | DRIVING DIRECTIONS | SPONSOR | PRIVACY POLICY | SEARCH | SITE MAP
© Copyright 2009 Maryland Association of Certified Public Accountants, Inc. All Rights Reserved.