GAAP and GAAS 2007/2008 Highlights: An Update on Assurance Standards — The Audit Risk Model and Related Sections

By STEPHEN SPECTOR, MA, FCGA

This is the second of three articles by Mr. Spector on GAAP and GAAS Highlights to
be published on PD Net.

Introduction
Two years ago, the AASB issued a comprehensive update to assurance standards to reflect
changes in the audit risk model. Based on U.S. and international auditing standards, the
revised sections increased the emphasis on risk assessment, going so far as to rephrase the
key objective of the audit as “ensuring that the financial statements are free of material
misstatements.”
The changes were effective with respect to financial statements and financial reports for
periods beginning on or after January 1, 2006. Along with the amendments specifically
required because of the changes to the risk model, a number of other sections also were
implemented and/or modified to conform to, or provide supporting guidance for, the audit
risk model.
The material that follows provides a brief overview of these changes; because of the extent
of the changes, reference to the CICA Handbook is recommended. The audit risk model
revisions were released as part of the May 2005 Handbook update. The other sections were
released during 2005 and early 2006. All of the standards apply to all audits in Canada, for
both small and large entities. The requirements are effective with respect to financial
statements and financial reports for periods beginning on or after January 1, 2006.
Audit risk model
The audit risk model is codified in GAAS (although not by name). It was formalized in the
AICPA’s Statement of auditing standards, SAS No. 47, issued in 1983. SAS No. 82,
Consideration of fraud in a financial statement audit, amended SAS 47 in 1997. In Canada,
the Handbook was amended to reflect a similar approach. Since 1984, auditors have been
required to employ the audit risk model.
© CGA-Canada 2007
The fallout from the U.S. corporate failures in 2002 highlighted some of the weaknesses of
the current methodology. Consequently, a call for revisions to the audit risk model began to
circulate in the U.S. In the hubbub over the U.S. audit failures, the fact that the audit risk
model is a planning model seems to have been overlooked. It is not a magic bullet that allows
the auditor to conclusively establish the amount and/or type of testing that needs to be
performed. Moreover, it is used mainly for conceptual purposes.
The auditor uses the audit risk model to estimate the amount of assurance needed from the
substantive procedures (analysis and tests of details of balances) when considering the desired
level of audit risk (AR) for the audit and the assessed levels of inherent risk (IR) and control
risk (CR) for a particular management assertion or account balance.
In practice, most firms will use a “high, medium, and low” scheme to assign risk within this
model. Not only would it be difficult to calculate and assign absolute percentages, but also it
would be hard to establish or defend a rationale for making the calculation (for example, in a
lawsuit).
The importance of the audit risk model is not that it quantifies audit risk, but, rather, that it
forces the auditor to consider each of the component risks in context and to document each
decision made. The auditor must first determine the acceptable level of audit risk for the
audit. Next, IR is usually assessed for each of the assertions made by client management as
well as for the entity as a whole. Then CR must be assessed on an assertion-by-assertion
basis. Finally, audit procedures are developed such that the detection risk (DR), when
combined with IR and CR, can be expected to reduce audit risk to the level deemed to be
acceptable at the outset of the process.
It is against that focus that one must assess the success of the model. In the wake of the
collapse of Enron, a great deal of analysis has been expended trying to find out how and why
Arthur Andersen’s audits failed to detect the fraud that had taken place.
Post-Enron activities
Spurred by the demand for improvements to the audit risk model, the Auditing Standards
Board approved changes for the U.S. in October 2002. Subsequently, IFAC’s International
Auditing and Assurance Standards Board approved the international versions of the amended
standards in October 2003.
One of the key notions associated with these revisions was recognition of the fact that the
auditor is often exposed to risks that are not embraced in the audit risk model. For example,
auditors may be exposed to loss or injury to their professional practice from litigation,
adverse publicity, or other events arising in connection with financial statements they audited
and on which they reported. This exposure is present even though the auditor has performed
the audit in accordance with GAAS and has reported appropriately on the financial
statements. Even if the auditor assesses this exposure as low, the auditor is not permitted to
perform less extensive procedures than otherwise would be appropriate under GAAS.
In particular, the auditor is exposed to what is called “business risk.” Business risk can be
defined as “the risk that an entity’s business objectives will not be achieved because of
external and internal pressures and forces.” In other words, business risk is the risk associated
with the entity’s profitability and survival.
Therefore, to properly perform the audit, the auditor must have extensive knowledge about
the nature of the client’s business and industry in order to determine whether financial report
assertions are valid. Some assertions cannot be appraised meaningfully without auditor
attention being given to the client’s interactions with its environment. The auditor must
understand the strategic business risks faced by the client, as well as the risks that affect the
traditional processing and recording of transactions. The auditor needs to know the client’s
business strategy and how it plans to respond to or control changes in its business
environment.
The revisions
So what exactly are the changes?
• Assurance standards have been adjusted to meet the objective of gaining an expanded
understanding of the entity and its environment, including its internal control structure.
They now detail requirements and guidance on where and how the auditor should obtain
the expanded understanding of the entity and its environment, including its internal control.
The auditor must now interact with personnel other than those involved in financial
reporting and management by contacting individuals with operational roles within the
entity.
• Information obtained as the auditor gains an expanded understanding of the entity and its
environment may constitute valid audit evidence. It is not, however, sufficient in and of
itself to support the auditor’s opinion. Note that this is consistent with the notion that the
auditor must perform risk assessment procedures in all audits to obtain the necessary
understanding. This includes updating information obtained in prior audits, especially if
that information is to be used in the current audit.
• The assessment of control risk and inherent risk as determinants of audit risk will give way
to the goal of assessing the risk of material misstatement. Given that the auditor will now
have an expanded understanding of the entity and its environment, they will have a better
starting point to identify the risks of material misstatement. In performing the risk
assessment procedures necessary to obtain evidence regarding the risks of material
misstatements, the auditor is required to
  o assess these risks at the assertion level
  o identify risks that are significant in the auditor’s judgment
  o identify assertions where substantive procedures alone will not be sufficient — in
    other words, where testing the internal controls would be necessary to obtain
    sufficient comfort over a balance or assertion
To meet these goals, the risk assessment must ultimately combine the assessment of
inherent risk and control risk, but the auditor may perform combined or separate
assessments.
• In keeping with the above change, the term “significant risks” is introduced. A “significant
risk” is a risk that is so significant as to require special audit consideration.
• The assessment of risks “at maximum” without evaluation or support is proscribed. The
auditor must support risk assessments, at whatever level, based on the understanding of the
entity and its environment, including its internal control. Thus, testing controls is
encouraged. In circumstances where assessing risks “at maximum” is warranted, the
auditor must document the basis for that conclusion.
• Consistent with existing guidance, the auditor is not required to perform tests of controls
unless
  o they intend to rely on the operating effectiveness of controls to alter the nature,
    timing, or extent of substantive procedures; or
  o the auditor has determined that evidence obtained from substantive procedures alone
    will not reduce risk to an appropriate level and that audit evidence about the
    effectiveness of controls must be obtained.
• For significant risks, the auditor will be required to perform substantive procedures,
consisting of tests of details alone or tests of details combined with substantive analytical
procedures that are specifically responsive to those risks.
• The auditor’s “required understanding of internal control” now compels the auditor to
evaluate the design of controls over significant risks, including relevant control procedures,
and to determine whether the controls have been implemented. In particular, the auditor has
to evaluate the design of the controls and determine how they are implemented — both
controls that address significant risks and those that relate to assertions for which
substantive procedures alone are not sufficient.
• There is greater emphasis on the entity’s risk assessment process. The auditor needs to gain
an understanding of the entity’s risk assessment process as a component of internal control.
Such an analysis assists the auditor in assessing the entity’s objectives and strategies and
any related business risks, allowing the auditor to identify and respond to risks to the
achievement of the entity’s objectives, including its financial reporting objectives. If the
auditor identifies risks that may result in material misstatement of the financial statements
that the entity’s risk assessment process has failed to identify, the auditor has to address
why the process failed to do so and whether the process is appropriate in the circumstances.
• The auditor’s ability to rely on audit evidence gathered in prior audits is strengthened in the
following ways:
  o If the auditor relies on controls that have not changed since they were last tested
    (based on the auditor’s evaluation of design and whether they are implemented in the
    current period), the auditor must nonetheless test the operating effectiveness of such
    controls at least every third audit. The longer the elapsed time since a control has been
    tested, the less audit evidence the control may provide about its effectiveness in the
    current year.
  o When a significant risk is identified and the auditor intends to rely on the operating
    effectiveness of controls intended to mitigate that risk, they must obtain audit
    evidence about the operating effectiveness of relevant controls in every period that is
    audited.
• The performance of substantive procedures for material classes of transactions and account
balances has been extended to disclosures, given their increased significance under
financial reporting frameworks. In particular, assertions related to presentation and
disclosure now require the auditor to obtain evidence specifically related to how complete
and understandable the disclosures are to their users.
• Documentation requirements have been expanded to demonstrate that the auditor has
complied with the standards. Requirements are more specific than previous standards with
respect to
  o details of each aspect of understanding the entity and its environment, including
    internal control
  o the procedures performed to obtain the understanding including the sources of
    information
  o discussion with the audit team members
  o the overall responses to the risks of material misstatement at the financial statement
    level
  o the linkage of the further audit procedures with the assessed risks at the assertion level
Key changes to the Handbook
Because of the pervasive nature of the changes embodied in the revisions to the audit risk
model, there have been significant changes to GAAS as reflected in many sections of the
Handbook. In addition to new sections being added, many existing sections in the Handbook
were revised. We’ll look at the most significant of these changes next. Following the
discussion on the related sections, you will find a summary of the changes.
Section 5095, Reasonable assurance and audit risk
This section
• defines the concept of reasonable assurance
• notes that the auditor cannot obtain absolute assurance that the financial statements are free
from material misstatement because of various factors
• defines the concept of audit risk
• permits the auditor to make separate or combined assessments of inherent and control risk
Section 5135, The auditor’s responsibility to consider fraud
Section 5135 has been revised to narrow its scope to address only misstatements due to fraud.
Material previously dealing with misstatements due to error has been moved to sections 5095,
5142, and 5143. Additionally, the material dealing with communication matters has been
moved to sections 5750 and 5751.
The revised section also introduces the concept of significant risk. There are two requirements
for significant risks:
• The auditor must identify risks that are significant so as to require special audit
consideration.
• The auditor must understand related control procedures to the extent that identification has
not yet been done.
Section 5141, Understanding the entity and its environment and assessing the risks of material misstatement
This section requires the auditor to
• understand the entity’s business risks to the extent that they are relevant to the financial
statements
• understand each component of the entity’s internal controls as defined in the Treadway
Report
• understand the design and implementation of controls on all audits
• understand an entity’s risk assessment process and its monitoring of controls
• specifically address significant risks
In addition, section 5141 places more emphasis on
• using various sources to obtain a broader understanding of the entity and its environment,
including its internal control
• supporting the assessment of the risks of material misstatement at the financial statement
level and at the assertion level
• adhering to more rigorous documentation requirements
Section 5142, Materiality
This section revises and replaces section 5130, Materiality and audit risk in conducting an
audit. The scope of section 5130, which previously dealt with materiality and audit risk, has
been narrowed in section 5142 to address only materiality. Audit risk is addressed in section
5095.
Section 5143, The auditor’s procedures in response to assessed risks
This section establishes standards and provides guidance on determining overall responses to
assessed risks. It also addresses designing and performing further audit procedures to respond
to the assessed risks of material misstatement at the financial statement and assertion levels.
Section 5143 contains requirements for specifically addressing significant risks and places
more emphasis on
• directly linking assessed risks to audit procedures that are responsive to those risks
• performing tests of controls when the auditor has determined that evidence obtained from
substantive procedures alone will not reduce risk to an acceptably low level
• assessing whether, in certain circumstances, reliance can be placed on evidence from prior
periods
• obtaining evidence about disclosures
• like section 5141, adhering to more rigorous documentation requirements
Section 5300, Audit evidence
“New” section 5300 revises and replaces the existing section 5300 to incorporate ISA 500,
Audit evidence, into the Handbook with as few changes as possible to conform to existing
Handbook references and terminology. There are no substantive changes from the material in
the previous version of section 5300.
Section 5301, Analysis
This section was revised to incorporate into the Handbook concepts related to the new audit
risk model. The key changes to the section are
• increased emphasis on the use of analysis and analytical procedures as risk assessment
procedures to obtain an understanding of the entity and its environment, including its
internal control
• additional guidance provided when analytical procedures are used as substantive
procedures, when their use can be more effective or efficient than tests of details in
reducing the risk of material misstatement at the assertion level to an acceptably low level
• additional guidance provided related to the use of analytical procedures as an overall
review of the financial statements at or near the end of the audit
Section 5370, Management representations
Handbook section 5090, Audit of financial statements — an introduction, stipulates that the
auditor must maintain an attitude of professional scepticism regarding management
assertions. Moreover, revisions to the audit risk model and the standards dealing with fraud
both stressed the importance of obtaining and using management representations by the
public accountant as part of the process of obtaining sufficient appropriate audit evidence to
support the conclusion in a report on financial statements.
Consequently, the AASB undertook a project dealing with management representations. The
goal was to develop specific assurance recommendations requiring the practitioner to obtain
written representations from management as part of the evidence obtained to support the
conclusion in their report providing assurance on financial statements. Why? There were
recommendations in various sections throughout the Handbook regarding management
representations and the need for the public accountant to obtain them, but there was no single
standard within Canadian GAAS that established basic principles and essential procedures.
Section 5370, Management representations, incorporates the basic principles and essential
procedures included in International Standard on Auditing 580, Management representations
(ISA 580), and in AICPA Statement of Auditing Standards No. 85, Management
representations (SAS 85). By drawing on U.S. and international standards, the AASB
ensured that Canadian GAAS was aligned with U.S. and international standards on
management representations. Section 5370 provides guidance regarding the corroboration of
management’s representations and the auditor’s actions when other audit evidence refutes
management’s representations. The Handbook requires that in an engagement to audit
financial statements presented in accordance with generally accepted accounting principles,
or on a disclosed basis of accounting described in the notes to the financial statements, the
auditor obtain management’s written confirmation of representations that relate to the
following matters:
• financial statements
• completeness of information
• fraud and error
• recognition, measurement, and disclosure
Specifically, paragraph 5370.03 states that
Management’s representations include, but are not limited to:
(a) matters communicated in discussions with the auditor, whether solicited or unsolicited;
(b) matters communicated electronically to the auditor;
(c) schedules, analyses, and reports prepared by the entity, and management’s notations
and comments thereon, whether or not in response to a request by the auditor;
(d) internal and external memoranda or correspondence;
(e) minutes of meetings of the board of directors or similar bodies such as audit
committees and compensation committees;
(f) a signed copy of the financial statements; and
(g) a representation letter from management.
Similarly, paragraph 5370.08 requires that when a representation made by management is
contradicted by evidence obtained through the performance of other audit procedures,
additional procedures should be performed to either support or refute that representation. If
the representation turns out to be false, the auditor has to assess the likelihood that other
representations are also false, in which case the issue of whether reliance can be placed on
management’s other representations must be addressed. Again, this is not something new —
it is a fundamental aspect of any audit. If management lies about one thing, what else have
they lied about?
Although much of section 5370 simply codifies existing practice, there are also important
new requirements that must be addressed. For example, management representations must be
in writing, with oral representations subsequently confirmed in writing by management.
Previously, it was assumed that the auditor would obtain written representations; now it is
mandatory.
Current management on the hook
Paragraph 5370.26 requires that management’s written representations be signed by those
members of management with overall responsibility for financial and operating matters —
members the auditor believes to be responsible for, directly or indirectly, the matters covered
by the representations. What is new is that even if current management was not present during
all periods covered by the auditor’s report, current management is responsible for the
representations provided on all such periods. This directive may generate considerable
difficulty for an auditor, especially if current management is unwilling to provide the
representations because they (current management) cannot satisfy themselves that all
representations are accurate. What happens in a case like this?
If current management refuses to provide a written representation required by the auditor, the
auditor faces a scope limitation. The auditor would then express a qualified opinion or deny
an opinion. Furthermore, the auditor has no choice: A refusal by management to provide a
written representation required by the auditor is a limitation imposed by the entity and
constitutes a scope limitation, regardless of whether the auditor is able to obtain the necessary
evidence by performing alternative procedures.
Review engagements
One of the issues under consideration when the topic was exposed was whether the need to
obtain written representations from management would be more than just an audit
engagement requirement. The conclusion of the AASB was that there should be something
similar for review engagements. However, the moderate degree of assurance provided by a
review engagement meant that the review engagement representation letter would be much
less detailed and extensive. Why?
In a review engagement, the emphasis is on plausibility as opposed to reasonableness. The
objective of the review is to enable the practitioner to conclude that the financial statements
are plausible — assuming nothing comes to the practitioner’s attention that would lead to a
different conclusion. As part of that assessment, the practitioner makes enquiries of
management, and they make representations as to the state of the entity’s affairs. The
practitioner must then decide whether management’s representations are plausible. That is,
are these representations consistent with evidence obtained through enquiry and analytical
procedures? If so, then the practitioner may conclude that the statements are plausible.
However, if the assessment is not positive, this may lead the practitioner to doubt the
plausibility of representations made by management. In turn, the practitioner would then have
to perform sufficient additional or more extensive procedures so as to resolve such doubt, or
to confirm that a reservation is required in the review engagement report. Accordingly,
section 8200, Public accountant’s review of financial statements, was amended to require the
practitioner to obtain written representations from management relating to “important
matters.”
Further, section 8200 was amended to mirror section 5370 with respect to the role of current
management. As with an audit, should current management decline to provide written
representations covering all periods under review, the same outcome occurs: there is a scope
limitation and the practitioner would have to express negative assurance with a qualification
or even a denial of opinion.
Section 5150, Planning
Handbook section 5150, formerly entitled Planning and supervision, is now titled Planning.
It is harmonized with International Standard on Auditing 300, Planning the audit (ISA 300),
which was itself revised and issued by the IAASB in July 2004. The revisions to section 5150
also conform to the Handbook amendments arising from the audit risk model project.
The “new” audit risk standards require audit procedures, or “risk assessment procedures,” to
be performed by the auditor in order to obtain an understanding of the entity’s business. The
procedures have been broadened to encompass a more in-depth understanding of the entity
and its environment, including its internal control.
Section 5150 builds on the new audit risk standards. The revisions also address matters raised
in Handbook section 5049, Use of specialists in assurance engagements; section 5030,
Quality control procedures for assurance engagements; and the firm-specific quality control
standards set out in General standards of quality control for firms performing assurance
engagements.
ISA 300 emphasizes that planning is a continual and repeated process throughout the
engagement and that unexpected events, changes in conditions, or other circumstances may
lead the auditor to re-evaluate the planned audit procedures. It also requires the auditor to
establish the overall strategy for the audit that sets the scope, timing, and direction of the
audit. As well, ISA 300 recognizes that audit planning plays a critical role in setting the tone
and direction of the audit, and in ensuring that the right resources are allocated to the higher
risk areas at the appropriate time. The establishment of the overall audit strategy helps guide
the development of the more detailed audit plan and ensures that risk assessment procedures
and further detailed audit procedures are appropriately targeted.
Section 5150 is intended to provide the necessary requirements and guidance for the auditor
to perform this important aspect of the audit. It introduces the ISA 300 notion of an “overall
audit strategy.” It stresses that planning an audit involves establishing an overall audit
strategy for the engagement and developing an audit plan, in order to reduce audit risk to an
acceptably low level. The process of developing the overall audit strategy helps the auditor to
ascertain the nature, timing, and extent of resources necessary to perform the engagement.
Section 5150 requires the auditor to
• plan the audit so that the engagement will be performed in an effective manner
• perform preliminary engagement activities including engagement acceptance and
continuance procedures, evaluating compliance with ethical requirements, and establishing
an understanding of the terms of the engagement
• establish the overall audit strategy
• develop an audit plan
• during the course of the audit, update and change as necessary the overall audit strategy
and audit plan
• plan the nature, timing, and extent of direction and supervision of engagement team
members and review of their work
• document the overall audit strategy and audit plan
• prior to starting an initial audit engagement, perform client and engagement acceptance
procedures and communicate with the predecessor auditor
What the section makes clear is that planning is not a discrete phase of an audit, but rather a
continual and repeated process that should begin shortly after (or in connection with) the
completion of the previous audit (if applicable) and continue until the completion of the
current audit engagement. The section also makes the point that preliminary planning has a
special role: to ensure that the auditor has considered events or circumstances that could
adversely affect the planning and performing of the audit engagement such that it reduces
audit risk to an acceptably low level.
Section 5150 stipulates also that for first-time engagements, the auditor must perform
procedures regarding the acceptance of the client relationship and the specific audit
engagement as discussed in section 5030, as well as communicate with the predecessor
auditor (where there has been a change of auditors) in compliance with relevant ethical
requirements.
Section 5110, Terms of the engagement
The AASB released Handbook section 5110, Terms of the engagement, to establish standards
and provide guidance regarding agreeing with the client on the terms of the engagement
relating to the audit of financial statements. In addition, section 8200, Public accountant’s
review of financial statements, was revised to incorporate guidance for agreeing on the terms
of the engagement relating to the review of financial statements.
As with section 5370, the AASB drew on U.S. and international pronouncements. The
audit-related section is based on the AICPA’s Audit Section 310, Appointment of the independent
auditor (AU 310), and the IAASB’s International Standard on Auditing 210, Terms of audit
engagements (ISA 210), while section 8200 incorporated material contained in AICPA
Statements on Standards for Accounting and Review Services, AR 100, Compilation and
review of financial statements, and IAASB ISA 910, Engagements to review financial
statements.
Requirements
The purpose of this section is to reduce the risk that either the auditor or the client may
misinterpret the needs or expectations of the other party. It is in the interest of both parties,
preferably before the engagement commences, to establish an understanding of the objective,
scope, and limitations of the audit, as well as the respective responsibilities of the auditor and
management. In addition, it is appropriate for the engagement letter to document other
matters relevant and important to the engagement.
Therefore, the engagement letter must set out the mutual understandings of the auditor and
the client, beginning with the scope of the financial statement audit, including reference to
applicable legislation, regulations, contracts, and pronouncements. In addition, the
engagement letter must state the following:
• The objective of the engagement is to express an opinion on the financial statements, and
there may be circumstances where the auditor is unable to report without reservation.
• Financial statement audits cannot provide absolute assurance because of factors such as the
use of judgment, the inherent limitations of internal control, the use of testing, and the fact
that much of the evidence is persuasive rather than conclusive in nature.
• Fraud, error, and illegal acts may not be detected.
Why should these items be raised? As noted, the goal is to prevent misunderstandings
between the auditor and the client. Setting out just what the audit can and cannot do, and what
the auditor is expected to do, is essential to that goal. In particular, the specific responsibilities
of the auditor should be noted in the terms of the engagement. For example, while it is
obvious, it needs to be explicitly noted that the auditor will keep the client’s information
confidential and maintain independence. Likewise, the engagement letter lets the client know
that the auditor will communicate with management or the audit committee or equivalent. It
also alerts the client to the fact that the auditor will have to obtain an understanding of
internal control to identify types of potential misstatements, as well as consider factors that
affect the risks of material misstatement, in order to design the nature, timing, and extent of
further audit procedures.
The engagement letter is a two-way street. Not only does it specify the auditor’s
responsibilities, it also clarifies what is expected of management. The engagement letter must
describe management’s responsibility for
• the financial statements
• completeness of information related to the engagement
• fraud and error
• recognition, measurement, and disclosure of specific items
• providing written confirmation of significant representations to the auditor (as required by
section 5370)
Finally, the engagement letter should address items necessary to prevent misunderstanding.
For a practitioner, paramount are arrangements regarding fees and billings. Specifying up
front the services to be provided and the compensation expected can alleviate disputes after
the engagement is concluded. Another key matter is management’s acknowledgment that all
working papers and files, other materials, reports, and work created, developed, or performed
by the auditor during the course of the engagement are the property of the auditor. Having
this condition agreed to prevents awkward exchanges during and after the engagement.
In addition, the engagement letter can cover a diverse range of issues, including
• arrangements relating to dispute resolution
• arrangements concerning involvement of specialists, internal auditors, or reliance on
another auditor
• additional services provided in relation to regulatory requirements or clarification of
responsibilities regarding personal information collected by the entity that will be used in
the engagement
The scope is open-ended — anything that clarifies the expectations and obligations of both
parties to the engagement is fair game for the letter. Of course, it is of little value if it is not
signed — and getting it signed at the end of the engagement is not an option.
Review engagements
As with the section dealing with management representations, one of the issues under
consideration when this topic was exposed was whether the need to obtain a written
engagement letter would be more than just an audit engagement requirement. The conclusion
of the AASB was that there should be something similar for review engagements. However,
the moderate degree of assurance provided by a review engagement meant that the
engagement letter could be somewhat less detailed than that required for an audit — mainly
because the responsibilities of the practitioner were less.
As with an audit, the specific responsibilities of the practitioner should be noted in the terms
of the engagement. And, as with an audit, the engagement should indicate that the practitioner
will keep the client’s information confidential and maintain independence. Likewise, the
engagement letter lets the client know that the practitioner will communicate with those
having financial oversight responsibility. Where it differs is in the specific matters for which
the practitioner is responsible. The engagement letter must state the reduced role of the
practitioner (as compared to an audit) and ensure that the expectations of the client are
similarly reduced.
Management is more or less responsible for the same set of factors as noted for an audit. One
difference is that management representations related to significant matters are cross-referenced
to paragraphs 8200.25 to 8200.41, rather than to section 5370. A second difference
is the list of issues contained in paragraph 5110.19. The list is the same for a review
engagement, except for matters related to fraud and error. Instead of the five sub-factors cited
under the heading “providing the auditor with information related to fraud and error,”
management’s obligations in a review engagement are reduced to the design and
implementation of internal control to prevent and detect fraud and error.
Section 5145, Documentation
In keeping with the revisions to the audit risk model, section 5145, Documentation, was
updated. The section was harmonized with ISA 230, Documentation, and AICPA SAS 96,
Audit documentation. In addition to revising section 5145, the AASB modified the Handbook
section entitled General standards of quality control for firms performing assurance
engagements, GSF-QC, to incorporate guidance on policies and procedures designed to
maintain the confidentiality, safe custody, and retention of engagement documentation.
Section 5145 now provides recommendations establishing the overarching requirement for
sufficient audit documentation. It requires that the auditor document significant issues and
findings in what is to be called an “engagement completion document.” The auditor will have
to document the identifying characteristics of specific items tested during the audit, and will
also have to document audit evidence that the auditor has identified as being contradictory or
inconsistent with the final conclusions. Moreover, the auditor will have to explain how the
contradiction or inconsistency was addressed. Further, section 5145 includes guidance on
making changes to audit documentation between the audit report date and the date the
auditor’s report is issued.
Section 5145 stipulates the following requirements:
• The auditor will have to assemble and complete the final audit file within 45 days after the
date the auditor’s report is issued, after which nothing can be deleted from the file and any
additions or modifications must be explained and currently dated.
• An experienced auditor must serve as a “point of reference” for assessing the adequacy of
documentation.
• The preparer and reviewer of audit documentation must be explicitly identified in the file.
In addition, section 5145 requires the auditor to document
• significant issues and findings in an engagement completion document
• audit evidence the auditor has identified as contradictory or inconsistent with the final
conclusions, and how the auditor addressed the contradiction or inconsistency
• the identifying characteristics of the specific items tested during the audit
The changes to GSF-QC focus on three key issues:
1) A new element will have to be added to the firm’s system of quality control, namely
engagement documentation.
2) A firm will have to explicitly establish policies and procedures designed to maintain
the confidentiality, safe custody, integrity, accessibility, and retrievability of
engagement documentation.
3) A firm must establish policies and procedures requiring the retention of engagement
documentation for a period sufficient to meet the needs of the firm, or as required by
law or regulation.
This article provides an update on the audit risk model and related sections. The
comprehensive GAAP/GAAS Highlights 2007/2008 online course is available on PD Net.
A CGA, Stephen Spector also holds a master’s degree in economics. In 1999 he received the
Fellow Certified General Accountant (FCGA) award for distinguished service to the
Canadian accounting profession. Stephen has served on the International Accounting
Standards Committee’s Canadian Advisory Group and he was also one of Canada’s technical
advisors to the IFAC Ethics Committee from 1999 to 2003. He is a member of the Canadian
Academic Accounting Association, where he served as an executive member from 1992 to
1997. Currently, he is a Lecturer at Simon Fraser University, where he teaches courses on
financial and managerial accounting.