Overview of the ASB Risk Assessment Standards Indexed to
Auditing and Assurance Services: An Integrated Approach 11th Edition
In March 2006 the AICPA’s Auditing Standards Board issued SAS Nos. 104-111, eight
standards relating to the assessment of risks in a financial statement audit. The ASB also
issued SAS No. 112 in May 2006 on communication of internal control related matters.
The Risk Assessment Standards and SAS No. 112 are effective for audits of financial
statements for periods beginning on or after December 15, 2006, with early application
permissible.
The Risk Assessment Standards establish standards and provide guidance in financial
statement audits for private companies concerning the auditor’s assessment of the risks of
material misstatements (whether caused by error or fraud), and the design and
performance of audit procedures that are responsive to those risks. In addition, these
Statements establish standards and provide guidance on planning and supervision, the
nature of audit evidence, and evaluating whether the audit evidence affords a reasonable
basis for the auditor’s opinion on the financial statements under audit.
The primary objective of the Statements is to enhance auditor’s application of the
risk model, including specifying:



More in-depth understanding of the entity and its environment, including its
internal control, to identify the risks of material misstatement in the financial
statements and entity actions to mitigate those risks.
More rigorous assessment of the risks of material misstatement of the financial
statements based on that understanding.
Improved linkage between the assessed risks and the nature, timing and extent of
audit procedures performed in response to those risks.
These standards introduce many changes in terminology. However, these
standards were first exposed in 2002 and the audit methodology presented in Auditing
and Assurance Services: An Integrated Approach 11th Edition is largely consistent with
these standards. We first provide an analysis of how these standards affect individual
chapters in the 11th Edition. This is followed by a summary of the key provisions of each
individual standard.
Chapter 2 – The CPA Profession
SAS No. 105 includes revisions to the 10 auditing standards in Table 2-3 on p. 34 of the
11th edition. A comparison of the revised and original standards is included below:
Original Standard
General Standards
1. The audit is to be performed by a
person or persons having adequate
technical training and proficiency as
an auditor.
Standards of Field Work
1. The work is to be adequately
planned and assistants, if any, are to
be properly supervised.
2. A sufficient understanding of
internal control is to be obtained to
plan the audit and determine the
nature, timing, and extent of tests to
be performed.
3. Sufficient competent evidential
matter is to be obtained through
inspection, observation, inquiries,
and confirmations to afford a
reasonable basis for an opinion
regarding the financial statements
under audit.
Revised Standard
General Standards
1. The audit must be performed by a
person or persons having adequate
technical training and proficiency as
an auditor.
Standards of Field Work
1. The auditor must adequately plan the
work and must properly supervise
any assistants.
2. The auditor must obtain a sufficient
understanding of the entity and its
environment, including its internal
control, to assess the risk of material
misstatement whether due to error or
fraud, and to design the nature,
timing, and extent of further audit
procedures.
3. The auditor must obtain sufficient
appropriate audit evidence by
performing audit procedures to afford
a reasonable basis for an opinion
regarding the financial statements
under audit.
The effects of the changes to the three standards of field work are included in the
discussion of the impact of the standards on other chapters.
Chapter 6 – Audit Responsibilities and Objectives
1. SAS No. 104 expands the definition of reasonable assurance to indicate that it is a
high, but not absolute level of assurance.
2. SAS No. 106, Audit Evidence expands the five management assertions included on p.
145 of the 11th edition into three categories: 1) assertions about classes of transactions
and events; 2) assertions about account balances at the period end; and 3) assertions
about presentation and disclosure. The assertions in each category are included in
Table 1; the assertions are presented so that related assertions are included in each
table row.
3. Table 2 indicates how the transaction objectives in Table 6-2 (p. 147) relate to the
assertions about transactions and events.
4. Table 3 indicates how the balance objectives in Table 6-3 (p. 150) relate to assertions
about account balances. These are substantially unchanged from the 11th edition.
TABLE 1
Assertions About Classes of
Transactions and Events
Occurrence – Transactions and events
that have been recorded have occurred
and pertain to the entity.
Completeness – All transactions and
events that should have been recorded
have been recorded.
Accuracy – Amounts and other data
relating to recorded transactions and
events have been recorded
appropriately.
Classification – Transactions and
events have been recorded in the
proper accounts.
Management Assertions for Each Category of Assertions
Assertions About Account
Assertions About Presentation and
Balances
Disclosure
Existence – Assets, liabilities, and
Occurrence and rights and obligations
equity interests exist.
– Disclosed events and transactions
have occurred and pertain to the entity.
Completeness – All assets,
Completeness – All disclosures that
liabilities, and equity interests that
should have been included in the
should have been recorded have
financial statements have been
been recorded.
included.
Valuation and allocation – Assets,
Accuracy and valuation – Financial and
liabilities, and equity interests are
other information are disclosed fairly
included in the financial statements
and at appropriate amounts.
at appropriate amounts and any
resulting valuation adjustments are
appropriately recorded.
Classification and understandability –
Financial and other information is
appropriately presented and described
and disclosures are clearly expressed.
Cutoff – Transactions and events have
been recorded in the correct
accounting period.
Rights and obligations – The entity
holds or controls the rights to assets,
and liabilities are the obligation of
the entity.
TABLE 2
Transaction-Related Audit Objectives and Management Assertions for
Sales Transactions
Management Assertions
About Classes of Transactions
and Events
Occurrence
General TransactionRelated Audit Objectives
Occurrence
Specific Sales Transaction-Related
Audit Objectives
Recorded sales are for shipments made to
nonfictitious customers.
Completeness
Completeness
Existing sales transactions are recorded.
Accuracy
Accuracy
Recorded sales are for the amount of
goods shipped and are correctly
recorded.
Sales transactions are properly included
in the master file and are correctly
summarized.
Posting and summarization
Classification
Classification
Sales transactions are properly classified.
Cutoff
Timing
Sales are recorded on the correct dates.
TABLE 3
Management Assertions
About Account Balances
Existence
Completeness
Valuation and allocation
Rights and obligations
Hillsburg Hardware Co.: Balance-Related Audit Objectives and
Management Assertions Applied to Inventory
General Balance-Related
Specific Balance-Related Audit
Audit Objectives
Objectives Applied to Inventory
Existence
All recorded inventory exists at the
balance sheet date.
Completeness
All existing inventory has been counted
and included in the inventory
summary.
Accuracy
Inventory quantities on the client’s
perpetual records agree with items
physically on hand.
Prices used to value inventories are
materially correct.
Extensions of price times quantity are
correct and details are correctly
added.
Classification
Inventory items are properly classified
as to raw materials, work in
process, and finished goods.
Cutoff
Purchase cutoff at year-end is proper.
Sales cutoff at year-end is proper.
Detail tie-in
Total of inventory items agrees with
general ledger.
Net realizable value
Inventories have been written down
where net realizable value is
impaired.
Rights and obligations
The company has title to all inventory
items listed.
Inventories are not pledged as
collateral.
Chapter 7 – Audit Evidence
1. The term “sufficient competent evidential matter” is replaced with the term
“sufficient appropriate audit evidence” in SAS No. 106.
2. The standard also defines audit procedures for obtaining audit evidence in the
following categories:
 Inspection of records or documents
 Inspection of tangible assets
 Observation
 Inquiry
 Confirmation
 Recalculation
 Reperformance
 Analytical procedures
Chapter 8 – Audit Planning and Analytical Procedures
SAS No. 109 requires the auditor to perform risk assessment procedures to obtain an
understanding of the entity and its environment, including its internal control. This
requirement is consistent with the audit approach to gaining an understanding of the
client’s business and industry in the 11th edition.
1. SAS No. 108, Planning and Supervision, clarifies that the auditor should establish an
understanding with the client through a written communication with the client. The
new standard requires the communication to be in the form of an engagement letter.
2. SAS No. 108 also requires the auditor to establish an overall strategy for the audit,
and develop an audit plan that includes:
 A description of the nature, timing, and extent of planned risk assessment
procedures sufficient to assess the risks of material misstatement as determined
under SAS No. 109.
 A description of the nature, timing, and extent of planned further audit procedures
at the relevant assertion level for each material class of transactions, account
balance, and presentation and disclosure as determined under SAS No. 110.
3. SAS No. 109 indicates that the members of the audit team should discuss the
susceptibility of the entity’s financial statements to material misstatements. This
discussion can be held concurrently with the discussion of the susceptibility of the
entity’s financial statements to fraud required by SAS No. 99.
Chapter 9 – Materiality and Risk
The risk assessment process in Chapter 9 of the 11th edition is consistent with the risk
assessment standards.
1. SAS No. 107, Audit Risk and Materiality in Conducting an Audit, identifies two types
of misstatements: known and likely. Likely misstatements include projections of
misstatements based on a sample, and differences between management’s and the
auditor’s judgments for accounting estimates that the auditor considers unreasonable
or inappropriate.
2. SAS No. 107 also notes that “closest reasonable estimate” for estimated amounts such
as inventory obsolescence may be a range of acceptable amounts or a point estimate.
If management’s estimate falls outside the auditor’s range of acceptable amounts, the
difference between the client’s recorded amounts and the amount at the closest end of
the auditor’s range should be aggregated as a likely misstatement. For example, if the
auditor determines that an allowance for doubtful accounts of $120,000 to $150,000
is reasonable and the client’s recorded allowance is $100,000, then $20,000, the
difference between the lower end of the auditor’s range and the client’s estimate
should be aggregated as a likely misstatement. In addition, the auditor should
consider whether the differences between the estimates best supported by audit
evidence and the client’s evidence, which may be individually reasonable, indicate a
possible bias by the entity’s management.
3. The auditor should request management to record an adjustment for all known
misstatements except for those considered “trivial.” Trivial amounts are amounts
below the auditor’s threshold for accumulating misstatements. The auditor should
request management to examine the class of transactions or account balance to
identify and correct likely misstatements, and review the assumptions for estimates
where the auditor has identified a likely misstatement.
4. SAS No. 109 notes that in assessing risks, the auditor should assess whether they are
at the overall financial statement level or pertain to relevant assertions related to
classes of transactions, account balances, and disclosures.
5. The auditor should also consider whether any of the identified risks represent
significant risks that require special audit attention. In making this determination, the
auditor should consider:
 Whether the risk is a risk of fraud
 Whether the risk is related to recent significant economic, accounting, or other
developments requiring specific attention
 The complexity of the transactions
 Whether the risk involves significant transactions with related parties
 The degree of subjectivity in the measurement of financial information related to
the risks, especially those involving a wide range of measurement uncertainty
 Whether the risk involves significant nonroutine transactions that are outside the
normal course of business for the entity, or that otherwise appear to be unusual.
6. SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and
Evaluating the Audit Evidence Obtained is also consistent with Chapter 9. Page 248
in the 11th edition discusses two overall responses to risk – use of more experienced
staff and a more careful review. SAS No. 110 includes additional overall responses,
including the need for professional skepticism and incorporating more elements of
unpredictability in testing.
7. SAS No. 109 notes that the auditor may assess inherent risk and control risk on a
separate or combined basis, which was also allowed under existing standards.
However, the auditor can no longer default to control risk at maximum and perform a
substantive audit. Instead, auditors must obtain an understanding of internal controls
and then assess control risk based on that understanding.
Chapter 10 – Section 404 Audits of Internal Control and Control Risk
SAS No. 109 and SAS No. 110 together supersede SAS No. 55, Consideration of
Internal Control in a Financial Statement Audit, but do not significantly alter the
approach to understanding internal control in Ch. 10. Similarly, the reporting of
significant deficiencies and material weaknesses for nonpublic companies discussed in
Ch. 10 is consistent with SAS No. 112.
1. SAS No. 109 discusses manual and IT controls and notes that because of the inherent
consistency of IT controls, audit procedures to test whether an automated control has
been implemented may serve as a test of the control’s operating effectiveness,
depending on the auditor’s assessment and testing of IT general controls.
2. SAS No. 110 indicates that the auditor should perform tests of controls when the
auditor’s risk assessment includes an expectation of the operating effectiveness of
controls or when substantive procedures alone do not provide sufficient audit
evidence at the relevant assertion level. Substantive procedures alone may not be
sufficient when the entity relies on IT and no documentation of transactions is
maintained, other than through the IT system.
3. Auditors may test controls that have not changed on a rotational basis. The operating
effectiveness of such controls should be tested at least every third audit. The decision
to rely on evidence on the effectiveness of controls obtained in prior audits depends
on the overall effectiveness of other elements of internal control, the effectiveness of
the control being relied upon, and the risks arising from characteristics of the control,
including whether it is manual or automated.
Chapter 13 – Overall Audit Plan and Audit Program
1. One of the five types of tests in Chapter 13 is procedures to obtain an understanding
of internal control. These procedures should also include procedures to obtain an
understanding of the entity and its environment and risk assessment procedures,
consistent with the changes to the second standard of field work.
2. In designing the audit program, the auditor should document the linkages of
procedures with identified specific risks.
Overview of Risk Assessment Standards
SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Codification of
Auditing Standards and Procedures (“Due Professional Care in the Performance of
Work”) – Amends paragraph 10 to expand the definition of the term reasonable
assurance to indicate that it is a high, but not absolute level of assurance.
SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally
Accepted Auditing Standards
1. Expands the scope of the second standard of field work from “internal control” to
“the entity and its environment, including its internal control” and extends its purpose
from “planning the audit” to assessing the risk of material misstatement in the
financial statements, whether due to error or fraud.”
2. Revises the third standard of field work to eliminate references to specific audit
procedures which might imply that they encompass all audit procedures. Replaces the
term “evidential matter” with “audit evidence.”
The amended standards are as follows:
General Standards
1. The audit must is to be performed by a person or persons having adequate technical
training and proficiency as an auditor.
Standards of Field Work
1. The auditor must The work is to be adequately planned the work and must properly
supervise any assistants, if any, are to be properly supervised.
2. The auditor must obtain a A sufficient understanding of the entity and its
environment, including its internal control is to be obtained to assess the risk of
material misstatement of the financial statements whether due to error or fraud,
plan the audit and to design determine the nature, timing, and extent of further audit
procedures tests to be performed.
3. The auditor must obtain sSufficient appropriate audit evidence competent evidential
matter is to be obtained by performing audit procedures inspection, observation,
inquiries, and confirmations to afford a reasonable basis for an opinion regarding the
financial statements under audit.
SAS No. 106, Audit Evidence (Supersedes Statement on Auditing Standards No. 31,
Evidential Matter)
1. Replaces the term “sufficient competent evidential matter” with “sufficient
appropriate audit evidence.”
2. Defines management assertions as falling into three categories: 1) assertions about
classes of transactions and events; 2) assertions about account balances at period end;
and 3) assertions about presentation and disclosure.
SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Supersedes
Statement on Auditing Standards No. 47, Audit Risk and Materiality in Conducting
an Audit)
1. Identifies two types of misstatements: known and likely. Likely misstatements
include projections of misstatements based on a sample, and differences between
management’s and the auditor’s judgments for accounting estimates that the auditor
considers unreasonable or inappropriate.
2. Indicates that the “closest reasonable estimate” for estimated amounts such as
inventory obsolescence may be a range of acceptable amounts or a point estimate. If
management’s estimate falls outside the auditor’s range of acceptable amounts, the
difference between the client’s recorded amounts and the amount at the closest end of
the auditor’s range should be aggregated as a likely misstatement. In addition, the
auditor should consider whether the differences between the estimates best supported
by audit evidence and the client’s evidence, which may be individually reasonable,
indicate a possible bias by the entity’s management.
3. The auditor should request management to record an adjustment for all known
misstatements except for those considered “trivial.” The auditor should request
management to examine the class of transactions or account balance to identify and
correct likely misstatements, and review the assumptions for assumptions for
estimates where the auditor has identified a likely misstatement.
SAS No. 108, Planning and Supervision (Supersedes “Appointment of the
Independent Auditor” as amended of SAS No. 1, Codification of Auditing Standards
and Procedures, and Statement on Auditing Standards No. 22, Planning and
Supervision)
1. Indicates that the auditor should establish an understanding with the client and should
document the understanding through a written communication with the client.
2. The auditor should first develop an overall audit strategy, including the scope of the
engagement, preliminary identification of materiality levels and high-risk areas, and
appropriate staffing levels.
3. Development of a more detailed audit plan that includes:
 A description of the nature, timing and extent of planned risk assessment
procedures sufficient to assess the risk of material misstatement as determined
under SAS No. 109.
 A description of the nature, timing, and extent of planned further audit procedures
at the relevant assertion level for each material class of transactions, account
balance, and disclosure as determined under SAS No. 110.
4. Provides guidance on supervision, including communication with members of the
audit team regarding the susceptibility of the entity’s financial statements to material
misstatements due to error or fraud, with special emphasis on fraud.
SAS No. 109, Understanding the Entity and Its Environment and Assessing the
Risks of Material Misstatement (together with SAS No. 110, Supersedes SAS No. 55,
Consideration of Internal Control in a Financial Statement Audit)
This standard establishes standards and provides guidance on implementing the second
standard of fieldwork, which requires the auditor to obtain a sufficient understanding of
the entity and its environment, including its internal control, to assess the risk of material
misstatement of the financial statements whether due to error or fraud, and to design the
nature, timing, and extent of further audit procedures.
1. The auditor should perform risk assessment procedures to obtain an understanding of
the entity and its environment, including internal control. Risk assessment procedures
include inquiries of management and others within the organization, analytical
procedures, and observation and inspection.
2. The members of the audit team should discuss the susceptibility of the entity’s
financial statements to material misstatements. This discussion can be held
concurrently with the discussion of the susceptibility of the entity’s financial
statements to fraud required by SAS No. 99.
3. The auditor should obtain an understanding of the following aspects of the entity and
its environment, including its internal control:
 Industry, regulatory and other external factors
 Nature of the entity
 Objectives and strategies and related business risks that may result in a material
misstatement of the financial statements
 Measurement and review of the entity’s financial performance
 Internal control, including the selection and application of accounting policies
4. The auditor should identify and assess the risk of material misstatements at the
financial statement level and at the relevant assertion level related to classes of
transactions, account balances, and disclosures. The auditor should:
 Identify risk throughout the process of obtaining an understanding of the entity
and its environment, including relevant controls that relate to the risks.
 Relate the identified risks to what can go wrong at the relevant assertion level.
 Consider whether the risks are of sufficient magnitude that could result in a
material misstatement of the financial statements.
 Consider the likelihood that the risks could result in a material misstatement of
the financial statements.
5. The auditor should determine which of the risks are significant risks that require
special audit attention. In making this determination, the auditor should consider:
 Whether the risk is a risk of fraud
 Whether the risk is related to recent significant economic, accounting, or other
developments requiring specific attention
 The complexity of the transactions
 Whether the risk involves significant transactions with related parties
 The degree of subjectivity in the measurement of financial information related to
the risks, especially those involving a wide range of measurement uncertainty
 Whether the risk involves significant nonroutine transactions that are outside the
normal course of business for the entity, or that otherwise appear to be unusual.
6. SAS No. 109 notes that the auditor may assess inherent risk and control risk on a
separate or combined basis, which has been allowed under existing standards.
However, the auditor can no longer default to control risk at maximum and perform a
substantive audit. Instead, auditors must obtain an understanding of internal controls
and then assess control risk based on that understanding.
SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and
Evaluating the Audit Evidence Obtained (Supersedes “Substantive Tests Prior to
the Balance Sheet Date of SAS No. 45 and, together with SAS No. 110, Supersedes
SAS No. 55, Consideration of Internal Control in a Financial Statement Audit)
The statement establishes standards and provides guidance on determining overall
responses and designing and performing further audit procedures to respond to the
assessed risks of material misstatement at the financial statement and relevant assertion
levels in a financial statement audit. The standard also addresses evaluating the
sufficiency and appropriateness of the audit evidence obtained, including guidance about
implementing the third standard of field work.
1. Responses to the risk of significant misstatement include:
Overall responses – Addressing the risk of significant misstatement at the financial
statement level may include:
 Emphasizing the need to maintain professional skepticism in gathering and
evaluating audit evidence
 Assigning more experienced staff or those with specialized skills, or using
specialists
 Providing more supervision
 Incorporating additional elements of unpredictability in the selection of further
audit procedures to be performed
 General changes to the nature, timing, or extent of further audit procedures, such
as performing substantive procedures at year-end rather than an interim date
Response to Risks of Material Misstatement at Relevant Assertion Level – the
auditor should design and perform further audit procedures whose nature, timing, and
extent are responsive to the assessed risks of material misstatement at the relevant
assertion level.
2. The auditor must also evaluate the sufficiency and appropriateness of the audit
evidence obtained and should document:
 The overall responses to address the assessed risks of misstatement at the
financial statement level
 The nature, timing, and extent of the further audit procedures
 The linkages of those procedures with the assessed risks at the relevant assertion
level
 The results of the audit procedures
 The conclusions reached with regard to the use in the current audit of audit
evidence about the operating effectiveness of controls that was obtained in a prior
audit
3. Auditors may test controls that have not changed on a rotational basis. The operating
effectiveness of such controls should be tested at least every third audit. The decision
to rely on evidence on the effectiveness of controls obtained in prior audits depends
on the overall effectiveness of other elements of internal control, the effectiveness of
the control being relied upon, and the risks arising from characteristics of the control,
including whether it is manual or automated.
SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit
Sampling
The statement amends SAS No. 39, Audit Sampling to move guidance from the Appendix
into SAS No. 107, Audit Risk and Materiality in Conducting an Audit and into the text of
SAS No. 111. The Statement also incorporates guidance from SAS No. 99, Consideration
of Fraud in a Financial Statement Audit, and from SAS No. 110, Performing Audit
Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained.
The statement also provides enhanced guidance about establishing tolerable misstatement
for a specific audit procedure and on the application of sampling to tests of controls.
Specific provisions include the following:
1. Auditors should normally set tolerable misstatement for a specific audit procedure at
less than financial statement materiality so that when the results of audit procedures
are aggregated, the required overall assurance is attained.
2. Clarifies that in determining the sample size for a test of details, the auditor should
consider tolerable misstatement and the expected misstatement, the audit risk, the
characteristics of the population, the assessed risk of material misstatement (inherent
risk and control risk), and the assessed risk for other substantive procedures related to
the same assertion.
3. Indicates that the sample sizes for statistical and nonstatistical samples should be
comparable, considering the same sampling parameters.
4. Clarifies that risk assessment procedures to obtain an understanding of internal
control do not involve sampling. Sampling concepts also do not apply for some tests
of controls. Tests of automated application controls are tested only once or a few
times when effective IT general controls are present.
5. When performing a dual-purpose test of the effectiveness of a control and testing
whether monetary misstatements are present, the absence of monetary misstatements
does not necessarily imply that related controls are effective. However, misstatements
that the auditor detects should be considered a possible indication of a control failure
when assessing the operating effectiveness of controls.
SAS No. 112, Communicating Internal Control Related Matters Identified in an
Audit
1. Defines the terms significant deficiency and material weakness.
2. Requires the auditor to communicate significant deficiencies and material weaknesses
in writing to those charged with governance.