May 9, 2003
Ms. Julie Anne Dilley, CPA
Senior Technical Manager
Audit and Attest Standards, File No. 3044
American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775
Re: Exposure Drafts of seven Statements on Auditing Standards (SAS’s) related to audit
risk:
• Amendment to SAS 95, Generally Accepted Auditing Standards
• Audit Evidence
• Audit Risk and Materiality in Conducting an Audit (Audit Risk & Materiality ED)
• Planning and Supervision
• Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement (Understanding and Assessing Risk ED)
• Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit
Evidence Obtained (Performing Procedures ED); and
• Amendment to SAS 39, Audit Sampling
Dear Ms. Dilley:
One of the objectives that the Council of the American Institute of Certified Public
Accountants established for the PCPS Executive Committee is to act as an advocate for
all local and regional firms and represent those firms' interests on professional issues,
primarily through the Technical Issues Committee (TIC). This communication is in
accordance with that objective.
TIC has reviewed the above referenced exposure drafts (ED’s) and is providing the
following comments for your consideration.
GENERAL COMMENTS
TIC agrees that the proposed revisions in the seven ED’s represent important changes in
practice that are conceptually valid. The suggested enhancements to the audit process
contained in these documents may result in more effective and efficient audits if
appropriately followed.
TIC believes, however, that improvements are needed to ensure that the desired changes
in practice may be accomplished. The Board needs to provide more balanced coverage of
certain important concepts and to improve clarity in certain areas. Certain corrections to
the ED’s are also suggested. Some of our suggestions for improvement relate to
paragraphs in the ED that were taken from existing authoritative standards. We believe it
is appropriate to take the opportunity to comment on these paragraphs now so that any
May 9, 2003
old guidance that needs improvement is not arbitrarily carried over into the new
standards.
Finally, TIC urges the Board to develop wrap-around guidance for the ED’s that will
highlight key changes in practice and provide concise, substantive guidance that will
promote a better understanding of the linkage elements in the risk assessment process.
SPECIFIC COMMENTS
In evaluating the audit risk assessment ED’s, TIC members focused their attention on the
changes in audit practice that the Board expects to occur once the new standards are
implemented. TIC not only decided whether it could concur with the proposed changes
but also tried to assess how successful the proposed standards would be in meeting the
Board’s objectives, as discussed in the Explanatory Memorandum that accompanied the
ED’s. TIC also reviewed the revised audit risk process and the expanded documentation
requirements for clarity, completeness and logical presentation, especially from the point
of view of those practitioners who audit small and mid-sized entities. We offer the
following suggestions for the Board’s consideration based on this review.
TIC cannot overstate the need to develop permanent “wrap-around” guidance to
supplement the revised audit risk standards. The authoritative standards cannot highlight
the necessary changes in practice or address all of the implementation issues that
practitioners will face. Initially, practitioners need a practice aid that will:
•
•
•
•
•
Focus their attention on what’s new in the standards—to name a few:
o terminology changes, especially expanding the scope of “audit procedures” to
include risk assessment procedures and tests of controls
o walkthroughs are now required,
o elimination of the option to assess audit risk at the maximum without support
o new audit procedure for testing management bias in accounting estimates
o enhanced emphasis on testing disclosures
o increased documentation requirements
Explain why the changes will lead to more effective audits,
Reinforce their understanding of existing standards that have not been well
understood in the past,
Give them a roadmap for navigating the standards efficiently, yet thoroughly,
Provide application guidance that will serve as a “how to” guide.
The comments below will attempt to highlight other specific issues that should be
addressed in the wraparound guidance.
Linkage Issues
The ED states that the linkage between assessed risks and audit procedures responsive to
those risks will be improved when the proposed standards are implemented. (See
2
May 9, 2003
Explanatory Memorandum, page 7.) TIC believes that the revised audit risk process still
does not provide enough guidance for practitioners who can support a decision not to test
controls. These practitioners need guidance to link the risks identified during the risk
assessment process to the appropriate design of substantive procedures that will reduce
the risk of material misstatement in the financial statements to an appropriately low level.
Although the Board’s emphasis may be the encouragement of control testing, TIC
believes it is still important to provide balanced coverage for the substantive test
approach. The standard needs to provide the linkage that will show how an enhanced
understanding of the entity and its controls contributes to the design of more effective
substantive audit procedures even when no control testing will be performed. Perhaps
“Application to Small and Midsized Entities” paragraphs could be added to the
Performing Audit Procedures ED to provide some general guidance on these linkage
principles. For example, these paragraphs could be used to point out that even if controls
can’t be relied upon, practitioners should use the enhanced understanding of controls to
design appropriate substantive tests.
TIC also noted that the proposed standards did not contain enough guidance to encourage
the testing of controls, especially for those auditors who now default to assessing audit
risk at the maximum without support. The ED’s would eliminate the “default without
support” option and require an enhanced understanding of internal control. The ED’s also
discuss the circumstances that would require the testing of controls. However, the
proposed standards fail to link an improved understanding of internal controls to the
potential benefits of testing controls and do not provide the application guidance needed
to understand when and how internal control testing would be beneficial. The standards
should clarify when control testing is encouraged, and the wraparound guidance should
explain why tests of controls are beneficial and provide detailed application guidance.
Within the standards, the paragraphs labeled “Application to Small and Mid-sized
Entities” already set the stage for encouraging control testing. (See the Understanding
and Assessing Risk ED, paragraphs B4, B7, B13, B16 and B21.). The above paragraphs
focus on management oversight as a mitigating factor for the usual control elements.
These paragraphs would be more helpful to local practitioners if they also discussed:
•
•
The importance of designing risk assessment procedures that will determine whether
an entity’s owner exerts “control at the top.”
How active owner involvement may afford the auditor the opportunity to rely on
management controls. This would require auditors to test the operating effectiveness
of the relevant controls but could have the benefit of reducing substantive tests in
certain areas.
Other linkage issues between assessed risks and the audit procedures responsive to those
risks were also noted. Appendix C of the Understanding and Assessing Risk ED lists
“Conditions and Events That May Indicate Risks of Material Misstatement.” The
wraparound guidance, if not the final standard, should at least discuss or provide
examples of the types of tests that would be needed to address these risks.
3
May 9, 2003
The Performing Procedures ED doesn’t provide enough linkage between the risks
identified and the nature of the audit procedures performed. Par. 8 of the ED says that the
nature of audit procedures is of the utmost importance in responding to the assessed risks,
but it seems this aspect of testing received the least coverage. TIC believes more
guidance is needed in the following areas to help practitioners:
•
•
•
•
•
•
•
•
Understand how to identify the assertions that are most important to a particular
account balance or class of transactions. The appendix to the ED provides some
examples, but more general guidance is needed that would help practitioners identify
assertions for other kinds of business and non-business transactions and account
balances.
Understand how to identify when tests of controls v. substantive tests are appropriate
for testing a particular assertion and what types of procedures (inspection,
observation, etc.) are normally linked to particular assertions. (Some examples are
provided in paragraphs 10, 47 and the appendix, but more are needed.)
Provide examples and guidance (beyond that in paragraph 48 of the ED) for
designing tests of details for all assertions (not just a few).
Understand when to test a class of transactions (e.g., the revenue cycle) v. an account
balance (accounts receivable) and how tests for income statement accounts differ
from those for balance sheet accounts.
Identify substantive procedures that would be responsive to significant risks of
material misstatement associated with a given assertion. (One example is provided in
paragraph 45 of the ED.)
Understand how the substantive procedures in the appendix of the ED would change
if tests of controls had been performed.
Understand how to identify a test (audit procedure) that may be used to fulfill
multiple objectives relating to risk assessment, test of controls, or substantive tests
Understand that reliance on controls is not an all-or-nothing decision. The auditor
may rely on tests of controls for some classes of transactions (revenue), but not for
others (purchasing).This reflects the reality that some clients have controls that are
stronger in some areas than in others. This notion is alluded to in paragraphs 8-9 of
the ED. An example would be helpful.
Suggested Clarifications and Corrections
Assessing risk at the financial statement level
Paragraph 20 of the Audit Risk & Materiality ED places too little emphasis on the
importance of qualitative materiality. It states, “Although the auditor should be alert for
misstatements that could be qualitatively material, it ordinarily is not practical to design
audit procedures to detect them.” TIC understands that this statement is based on existing
guidance in AICPA Professional Standards, AU Section 312.20. However, it now seems
inconsistent to say that it ordinarily would not be practical to design procedures to detect
qualitative materiality in view of other requirements in paragraphs 80 and 83g of the
Performing Procedures ED. Par. 80 of the Performing Procedures ED talks about
qualitative factors that the auditor has to consider before concluding whether identified
misstatements are material. The paragraph includes a list of 16 qualitative factors that the
4
May 9, 2003
auditor “may consider relevant to his or her consideration of whether misstatements are
material.” TIC believes that audit procedures could easily be developed to detect
misstatements that were qualitatively material based on those factors. Furthermore, it
appears that paragraph 80 would require that such procedures be performed. The auditor
is responsible for and must document (see also paragraph 83g) the qualitative factors
considered in evaluating whether identified misstatements cause the financial statements
to be materially misstated. Designing audit procedures to detect such misstatements are
possible, although they may be more difficult than designing audit procedures to detect
quantitatively material misstatements. TIC suggests that paragraph 20 in the Audit Risk
& Materiality ED be revised to remove this inconsistency. This could be accomplished by
saying that it may be more difficult to design/perform procedures to detect qualitative
materiality v. quantitative materiality.
Assessing risk at the assertion level
In assessing the risk of material misstatement, the auditor has to relate the identified risks
to what could go wrong at the assertion level and design appropriate audit procedures
based on the assessments made. Paragraph 23 of the Audit Risk and Materiality ED talks
about the existence of “an inverse relationship between audit risk and materiality
considerations.” TIC believes the meaning of this entire paragraph is obscured by the
language used to express the effect of risk and materiality thresholds on the audit
procedures performed. TIC recommends that the entire paragraph be rewritten for clarity
so that it is more readily understandable. TIC would agree that a decrease in either the
tolerable audit risk or the tolerable amount of misstatement at the individual account
balance/class of transactions/or disclosure level would require the auditor to alter the
nature, timing and extent of his/her audit procedures. If this is the point of the paragraph,
the existing example is not helpful in understanding that and it should also be revised.
The Performing Procedures ED, paragraph 16, states that a sufficient understanding of
the entity and its environment may be obtained “by performing less extensive risk
assessment procedures.” TIC was uncertain whether the phrase is referring to just the
quantity of risk assessment procedures or also the nature of the procedures performed.
TIC believes the Board’s meaning could be misinterpreted if not clarified. TIC also
believes there is an editorial error in the last sentence of paragraph 16 in that “more
extensive audit procedures” should be “more extensive risk assessment procedures.”
TIC would like to suggest different wording for one of the substantive tests in the
appendix to the Performing Audit Procedures ED, specifically for the assertion for the
completeness of financial statement disclosures. (TIC noted that this appendix is very
similar to the language in AU 326.26.) The description of the substantive test needs to be
changed to “Review GAAP to ensure all required disclosures have been made.” As
currently stated in the ED, the procedure would only ensure the accuracy and
completeness of the footnotes presented in the financial statements and would not
necessarily detect a footnote that was omitted.
5
May 9, 2003
Documentation Requirements
The Planning and Supervision ED, paragraph 16, talks about documenting the audit
program. The paragraph includes a sentence that says that, “In developing the program,
the auditor should consider the results of the risk assessment procedures performed to
obtain an understanding of the entity and its environment, including its internal control,
and to assess risks.” This sentence is unclear. Given its inclusion in this particular
paragraph, it implies that the linkage between the results of the risk assessment
procedures and the audit program steps should be documented. Paragraph 83c of the
Performing Procedures ED says that one of the documentation requirements is the
“linkage with the assessed risks at the assertion level.” TIC suggests that the above
paragraphs be revised to more explicitly state whether this linkage must be documented
in the audit program.
TIC did not understand why the documentation requirement in paragraph 114 of the
Understanding and Assessing Risks ED was segregated from the list of other
documentation requirements. Paragraph 114 states, “The documentation of the discussion
among the audit team includes the decisions relevant to the audit procedures.” TIC
suggests that paragraph 114 be suitably placed within paragraph 113. If there is a specific
reason why that should not be done, the final standard should further explain the
requirement so that practitioners may understand when this documentation would occur.
Paragraphs 70-72 of the Performing Procedures ED emphasize the importance of the
proper determination and assessment of quantitative measures of materiality. Given the
number of paragraphs devoted to this discussion in the ED, TIC was surprised that
paragraph 83g of the ED did not require the auditor to state the quantitative, as well as the
qualitative, factors that the auditor considered in evaluating whether misstatements are
material.
Paragraph 77 of the Performing Procedures ED provides guidance on an audit procedure
that requires auditors to evaluate all of management’s financial statement estimates for
reasonableness when compared to the individual amounts supported by the audit
evidence. TIC could not find any documentation requirement in the ED for the procedure.
However, TIC noted that SAS 99, paragraph. 83, 5th bullet, requires documentation of a
similar procedure, the retrospective review of significant accounting estimates reflected
in the financial statements of the prior year. Since the intent of the two procedures is to
detect management bias in the recognition of accounting estimates, TIC believes the
results of the procedures performed in paragraph 77 should be added to the
documentation requirements in paragraph 83 of the Performing Procedures ED to ensure
that the procedures are not overlooked by the auditor and to be consistent with SAS 99.
TIC appreciates the opportunity to present these comments on behalf of PCPS member
firms. We would be pleased to discuss our comments with you at your convenience.
6
May 9, 2003
Sincerely,
Stephen M. McEachern, Chair
PCPS Technical Issues Committee
cc: PCPS Executive and Technical Issues Committees
7