Information technology controls (IT controls) are getting increased attention with the implementation of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements.
IT Controls Video
In the following video, I provide an overview of what you need to do regarding IT controls including general and information processing controls.
Consider general controls and transaction processing controls as you plan your financial statement audits.
General Controls
Examples of general controls include:
Passwords
Intrusion detection
Backup and recovery
Logical access to software
Change control
Physical protection of IT systems
Transaction Processing Controls
An example of a transaction processing control is a software requirement that information in purchase orders, invoices, and shipping documents agree (known as a three-way match) before processing the payment.
Design and Implementation
Review the design and implementation of these IT controls, and do so in the planning phase of your audit. Weak IT controls may require you to perform additional audit procedures to lower detection risk. Why? Because weak general controls or transaction processing controls might allow material misstatements to occur without detection.
We'll look at the objectives of SAS 143, auditor responsibilities (including risk assessment and responses), the nature of estimates, documentation requirements, and overall evaluation of your work to ensure appropriateness and completeness.
Estimate Examples
To get us started, here are a few examples of estimates:
So, what is an accounting estimate? It's a monetary amount for which the measurement is subject to estimation uncertainty. Of course, you need to consider the financial reporting framework as you think about the estimate. For example, an estimate might be significantly different when using GAAP versus a regulatory basis.
But what is estimation uncertainty? It's the susceptibility of an estimate to an inherent lack of precision in measurement. In layperson's terms, it's an estimate that is hard to pin down.
SAS 143 Objectives
The objective of SAS 143 is to see if the accounting estimate and related disclosures are reasonable by obtaining sufficient appropriate audit evidence.
Nature of Estimates
Some estimates are simple, while others are difficult. For example, estimating the economic life of a vehicle is straightforward, but computing an allowance for uncollectible receivables might be complex.
But even one type of estimate, such as an allowance for uncollectible, can vary in complexity. For example, the allowance computation for uncollectible receivables is usually more complex for a healthcare entity (e.g., more payor types) than for a small business. Why? Because it is more complex and more challenging to determine. Therefore, the estimation uncertainty for a healthcare entity (with many payor types) is higher than that of a small business with one type of customer. Additionally, the volume of transactions could be higher for a healthcare entity versus a small business.
Estimation Uncertainty
So, the inherent subjectivity of an estimate creates estimation uncertainty.
Consider estimation uncertainty in this manner: ask twenty people to compute the allowance for a hospital and then ask them to do the same for the small business's uncollectible estimate. How much variation would you expect? Yes, much more for the hospital because the inherent risk is higher.
SAS 143 tells us to increase our risk assessment procedures and further audit procedures as the estimation uncertainty increases. We perform more risk assessment work concerning the hospital's allowance than that of the small business. Moreover, we complete more extensive further audit procedures for the hospital's allowance than for the small business's estimate.
More risk, more work.
To understand SAS 143, we need to know the underlying concepts.
SAS 143 Concepts
Relevant Assertions
You need to assess the risk of material misstatement at the relevant assertion level. Further, you are required to assess inherent risk and control risk separately. And as you assess inherent risk, you might encounter significant risks.
The Spectrum of Inherent Risk
Usually, a hospital's valuation assertion related to receivables is relevant, and the inherent risk is often high due to its subjectivity, complexity, and volume of transactions (i.e., inherent risk factors). Therefore, the valuation assertion's risk might fall toward the end of the spectrum of inherent risk. On a ten-point scale, we might assess the inherent risk as a nine or a ten. And if we do, it is a significant risk, affecting our professional skepticism.
Professional Skepticism and Estimates
Our professional skepticism increases as the estimation uncertainty rises (or at least, it should). Why? The potential for management bias may be present since it's easier to manipulate complex estimates. And complexity can be a smokescreen to hide bias, increasing the need for internal controls.
Estimate Controls
As estimates become more complex, entities increase internal controls (or at least, they should). And consequently, auditors need to evaluate the design and implementation of those controls. Additionally, auditors must determine whether they will test the controls for effectiveness.
Another SAS 143 concept is the reasonableness of the estimate.
Reasonableness of Estimates
For an estimate to be reasonable, the applicable financial reporting framework must be its basis. Additionally, management should consider the facts and circumstances of the entity and the related transactions. In creating a reasonable estimate, management will often use the following:
A method
Certain assumptions
Data
Let's consider these elements using the allowance for uncollectible receivables.
First, management considers the financial reporting framework. If the entity uses GAAP, it makes sense to create the estimate. No allowance is necessary if the cash basis of accounting is in use. In this example, we'll assume the company is using GAAP.
Estimate Method
In computing an allowance for uncollectible, an entity might calculate the estimate as a total of the following:
20% of receivables outstanding for more than 60 days
60% of receivables outstanding for more than 90 days
90% of receivables outstanding for more than 120 days
Estimate Assumptions
And what assumptions might management consider? Bad debt percentages have stayed the same over time. The company needs to increase the percentages if collectible amounts erode.
Estimate Data
Finally, consider the allowance data. In this example, it would typically be an aged receivable listing. Such a listing breaks receivables into aging categories (e.g., 0 to 30 days; 31 to 60 days; etc.). Such data should be consistent. Suppose the company purchases new software that computes the aged amounts differently using different data than previously. If this occurs, management and the auditors need to consider the reasonableness of the new data.
Is the Estimate Reasonable?
Most importantly, estimates need to make sense (to be reasonable) in light of the circumstances. While consistent methods, assumptions, and data are desirable, change, such as a slowdown in the economy, can require new ways of computing estimates.
One more concept is that of management's point estimate and disclosure.
Management's Point Estimate and Disclosure
The auditor will examine management's point estimate and the related disclosures to see if they are reasonable. How? Review the estimate's development (how was it computed?) and the nature, extent, and sources of estimation uncertainty.
If circumstances are similar to the prior year, then the estimate's method, assumptions, and data will typically be similar. Likewise, the disclosure will be much like the preceding period.
But if, for example, the economy slows significantly, the percentages applied to the aged receivable categories (see above) may need to increase so that the allowance for uncollectible is higher. The auditor might question the estimate if management did not raise these percentages.
The company should disclose how the estimate is created and the nature, extent, and sources of estimation uncertainty.
Now, let's see what the SAS 143 requirements are.
SAS 143 Requirements
The requirements for estimates are conceptually the same as in any area. The auditor does the following:
Perform risk assessment procedures
Identify and assess the risk of material misstatement
Develop responses to the identified risks and carry those out
1. Perform Risk Assessment Procedures for Estimates
As you consider the entity and its environment, consider the following:
Transactions and other events that give rise to the need for estimates and changes in estimates
The applicable financial reporting framework as it relates to estimates
Regulatory factors affecting estimates, if any
The nature of estimates and related disclosures
Next, as you consider internal control, ask about the following:
Nature and extent of estimate oversight (who oversees the estimate? how often is the estimate being reviewed?)
How does management identify the need for specialized skills or knowledge concerning the estimate?
How do the entity's risk assessment protocols identify and address risks related to estimates?
What are the classes of transactions, events, and conditions giving rise to estimates and related disclosures?
How does management identify the estimate's methods, assumptions, and data sources?
Regarding the degree of estimation uncertainty, how does management determine the range of potential measurement outcomes?
How does management address the estimation uncertainty, including a point estimate and related disclosures?
What are the control activities relevant to the estimate? (e.g., second-person review of the computation)
Does management review prior estimates and the outcome of those estimates? How does management respond to that review?
Additionally, the auditor reviews the outcome of prior estimates for potential management bias.
If there are any significant risks (inherent risk falling toward the end of the spectrum of risk), the auditor should understand the related controls and, after that, see if they are designed appropriately and implemented.
And finally, the auditor considers if specialized skills or knowledge are needed to perform risk assessment procedures related to estimates.
Of course, after you do your risk assessment work, it's time to assess the risk.
2. Identify and Assess the Risk of Material Misstatement
SAS 143, as we have already seen, requires a separate assessment of inherent risk and control risk for each relevant assertion.
In assessing inherent risk, the auditor will consider risk factors such as complexity, subjectivity, and change. It's also important to consider the estimate method and the data used in computing management's point estimate.
Some estimates represent significant risks. So, for example, if the computation of warranty liability is complex or has a high degree of estimation uncertainty, then identify the liability as a significant risk since the valuation assertion is high risk (toward the upper end of the spectrum of inherent risk).
3. Responses to Assessed Risk of Material Misstatement
Once the assessment of risk is complete, you are in a position to create responses. As usual, document linkage from the risk level to the planned procedures. Higher risk calls for more extensive actions.
If, for example, the auditor identifies an estimate as a significant risk, go beyond basic techniques (i.e., more than a basic audit program).
Additionally, base those responses on the reasons for the assessments. In other words, create audit procedures based on the nature of the risk. Performing more procedures unrelated to the identified risk is of no help.
Three Responses to Risks Related to Estimates
The audit procedures need to include one or more of the following three steps:
Obtain audit evidence from events occurring up to the date of the auditor's report
Test how management made the accounting estimate by reviewing the following:
Methods in light of:
Reporting framework
Potential management bias
The estimation computation (is it mathematically correct?)
Use of complex modeling, if applicable
Maintenance of the assumptions and data integrity (does this information have integrity?)
Assumptions; address the following:
Whether the assumptions are appropriate
Whether the judgments made in selecting the assumptions give rise to potential bias
Whether assumptions are consistent with each other
When applicable, whether management has the intent and ability to carry out specific courses of action
Data; address the following:
Whether the data is appropriate
Whether judgments made in selecting the data give rise to management bias
Whether the data is relevant and reliable
Whether management appropriately understands and interprets the data
Management's point estimate and related disclosure; address the following:
How management understands estimation uncertainty
See if management took appropriate steps in developing the point estimate and related disclosure
If the auditor believes management has not sufficiently addressed estimation uncertainty, the following should occur:
Request management perform additional procedures to understand the estimation uncertainty; consider disclosing more information about the estimation uncertainty
Develop an auditor's point estimate or range if management's response to the auditor's request in the prior step is not sufficient
Develop an auditor's point estimate or range; do the following:
Include procedures to evaluate whether methods, assumptions, or data are appropriate
When the auditor develops a range,
Determine whether the range includes only amounts supported by sufficient audit evidence and are reasonable in the context of the reporting framework
Review disclosures related to estimation uncertainty, design and perform procedures regarding the risk of material misstatement (i.e., determine if the disclosure provides sufficient information regarding estimation uncertainty)
Once you complete your audit work related to estimates, evaluate what you've done.
Overall Evaluation of Estimate Work
Evaluate the sufficiency of your estimate work by considering the following:
Are the risk assessments at the relevant assertion level still appropriate?
Do management's decisions regarding recognition, measurement, presentation, and disclosure of the estimates agree with the financial reporting framework?
Has sufficient appropriate evidential matter been obtained?
Significant judgments related to estimates and related disclosures in light of the reporting framework
Governance Communication Regarding Estimates
Finally, consider whether you should communicate estimate matters to those charged with governance, especially if a high estimation uncertainty is present.
SAS 143 Summary
While SAS 143 requires that auditors understand the estimation process and then perform procedures to ensure the reasonableness of the numbers and disclosures, there's nothing unusual about this. We gain an understanding of the estimates, assess the risk, and create responses.
Many estimates, such as plant, property, and equipment depreciation, are simple. In those areas, there's little to do. But as always, our risk assessment and responses will increase as complexity and uncertainty increase.
Preliminary analytical procedures are used to identify material misstatements in financial statements. In this article, I explain how to create planning analytics and how to use them to identify potential misstatements. I also provide documentation tips.
Preliminary Analytical Procedures
The auditing standards provide four risk assessment procedures:
Inquiry
Observation
Inspection
Analytical procedures
I previously provided you with information about the first three risk assessment procedures. Today, I provide you with the fourth, analytical procedures.
While analytical procedures should occur at the beginning and the end of an audit, this post focuses on preliminary analytical procedures (sometimes called a preliminary analytical review).
Below I provide the quickest and best way to develop audit planning analytics.
What are Analytics?
If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the use of numbers to determine reasonableness. For example, if a company's cash balance at December 31, 2020, was $100 million, is it reasonable for the account to be $5 million at December 31, 2021? Comparisons such as this one assist auditors in their search for errors and fraud.
Preliminary Analytical Procedures Overview
We'll cover the following:
The purpose of preliminary analytical procedures
When to create planning analytics (at what stage of the audit)
Analytical procedures used in planning an audit should focus on identifying risks of material misstatement. Your goal as an auditor is to render an opinion regarding the fairness of the financial statements. So, like a good sleuth, you are surveying the accounting landscape to see if material misstatements exist.
A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews, timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures. Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for material misstatements.
The detective and the auditor are both looking for the same thing: evidence. And the deft use of tools can lead to success. A key instrument (procedure) available to auditors is preliminary analytical procedures.
When to Create Planning Analytics
Create your preliminary analytics after gaining an understanding of the entity. Why? Context determines reasonableness of numbers. And without context (your understanding of the entity), changes in numbers from one year to the next may not look like a red flag--though maybe they should.
Therefore, learn about the entity first. Are there competitive pressures? What are the company's objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the organization have debt? Context creates meaning.
Additionally, create your comparisons of numbers prior to creating your risk assessments. After all, the purpose of the analytical comparisons is to identify risk.
But before creating your planning analytics, you first need to know what to expect.
Developing Expectations
Knowing what to expect provides a basis for understanding the changes in numbers from year to year.
Expectations can include:
Increases in numbers
Decrease in numbers
Stable numbers (no significant change)
In other words, you can have reasons to believe payroll (for example) will increase or decrease. Or you might anticipate that salaries will remain similar to last year.
Examples of Expectations Not Met
Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an increase of 15% is a flashing light.
Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be an indication of financial statement fraud.
But where does an auditor obtain expectations?
Sources of Expectations
Expectations of changes can come from (for example):
Past changes in numbers
Discussions with management about current year operations
Reading the company minutes
Staffing reductions
Non-financial statistics (e.g., decrease the number of widgets sold)
A major construction project
While you'll seldom know about all potential changes (and that's not the goal), information--such as that above--will help you intuit whether change (or a lack of change) in an account balance is a risk indicator.
Now, let's discuss the best types of planning analytics.
The Best Types of Planning Analytics
Auditing standards don't specify what types of planning analytics to use. But some, in my opinion, are better than others. Here's my suggested approach (for most engagements).
Comparative Numbers
First, create your planning analytics at the financial statement reporting level. Why? Well, that's what the financial statement reader sees. So, why not use this level (if you can)? (There is one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)
The purpose of planning analytics is to ferret out unexpected change. Using more granular information (e.g., trial balance) muddies the water. Why? There's too much information. You might have three hundred accounts in the trial balance and only fifty at the financial statement level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I look at it.
Comparative Ratios
Second, add any key industry ratios tracked by management and those charged with governance. Often, you include these numbers in your exit conference with the board (maybe in a slide presentation). If those ratios are important at the end of an audit, then they're probably important in the beginning.
Other metrics such as earnings before interest, taxes, depreciation, and amortization (EBITDA) are consequential for some companies. If relevant, include those.
Hence, create planning analytics that align with the company’s focal points. And how do you know what those are? Read the company’s minutes before you create your preliminary analytics. Most of the time you’ll see the tracked numbers there.
One last thought about analytical types. When relevant, use nonfinancial information, such as the number of products sold. If a company sells just three or four products and you have the sales statistics, why not compute the estimated revenue and compare it to the recorded revenue? It makes sense to do so. After all, the auditing standards say that preliminary analytics may include both financial and nonfinancial information.
Okay, so we know what analytics to create, but how should we document them?
Analytics for Fraudulent Revenue Recognition
AU-C 240 says the auditor should include preliminary analytics relating to revenue accounts.
AU-C 240 suggests a more detailed form of analytics for revenues such as:
a comparison of sales volume with production capacity
a trend analysis of revenues by month and sales returns by month
a trend analysis of sales by month compared with units shipped to customers
In light of these suggested procedures, it may be prudent to create revenue analytics at a more granular level than that shown in the financial statements.
How to Document Preliminary Planning Analytics
Here are my suggestions for documenting preliminary planning analytics.
Document overall expectations.
Include comparisons of prior-year/current-year numbers at the financial statement level. (You might also include multiple prior year comparisons if you have that information.)
Document key industry ratio comparisons.
Summarize your conclusions. Are there indicators of increased risks of material misstatement? Is yes, say so. If no, say so.
Once you create your conclusions, place any identified risks on your summary risk assessment work paper (where you assess risk at the transaction level--e.g., inventory).
Use Filtered Analytical Reports with Caution (if at all)
Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with changes of greater than $30,000. There is a danger in using such thresholds.
What if you expect a change in sales of 20% (approximately $200,000) but your filters include:
all accounts with changes greater than $50,000, and
all accounts with changes of more than 15%
If sales remain constant, then this risk of material misstatement (you expected change of 20%, but it did not happen) fails to appear in the filtered report. The filters remove the sales account because the change was minimal. Now, the risk may go undetected.
Developing Conclusions
I am a believer in documenting conclusions on key work papers. So, how do I develop those conclusions? And what does a conclusion look like on a planning analytics work paper?
First, develop your conclusions. How? Scan the comparisons of prior year/current year numbers and ratios. We use our expectations to make judgments concerning the appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so, there's no formula for this.
No Risk Identified
Now, you'll document your conclusions. But what if there are no unexpected changes? You expected the numbers to move in the manner they did. Then no identified risk is present. Your conclusion will read, (for example):
Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on the planning analytics, no risks of material misstatement were noted.
Risk Identified
Alternatively, you might see unexpected changes. You thought certain numbers would remain constant, but they moved significantly. Or you expected material changes to occur, but they did not. Again, document your conclusion. For example:
Conclusion: I expected payroll to remain constant since the company's workforce stayed at approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I am placing this risk of material misstatement on the summary risk assessment work paper at 0360 and will create audit steps to address the risk.
Now, it's time to place the identified risks (if there are any) on your summary risk assessment form.
Identification of the risks of material misstatement
Creation of audit steps to respond to the identified risks (linkage)
Summary of Preliminary Analytical Procedure Considerations
So, now you know how to use planning analytics to search for risks of material misstatement--and how this powerful tool impacts your audit plan.
Let's summarize what we've covered:
Planning analytics are created for the purpose of identifying risks of material misstatement
Develop your expectations before creating your planning analytics (learn about the entity's operations and objectives; review past changes in numbers for context--assuming you've performed the audit in prior years)
Create analytics at the financial statement level, if possible
Use key industry ratios
Conclude about whether risks of material misstatement are present
Link your identified risks of material misstatement to your audit program
So there you are. I hope you've found this article useful. For more information about risk assessment, check out my book Audit Risk Assessment Made Easy, available on Amazon.
First-Year Businesses and Planning Analytics
You may be wondering, "but what if I my client is new?" New entities don't have prior numbers. So, how can you create planning analytics?
First Option
One option is to compute expected numbers using non-financial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.
Second Option
A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks.
While industry analytics can be computed, I’m not sure how useful they are for a new company. An infant company often does not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver--just in case.
Third Option
A more useful option is the third: comparing intraperiod numbers.
Discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?
Fourth Option
The last option we’ve listed is a review of the budgetary comparisons. Some entities, such as governments, lend themselves to this alternative. Others, not so–those that don’t adopt budgets.
Summary
So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.
Here are 15 risk assessment mistakes. Have you seen these?
Assessing control risk at high with no understanding of internal controls and no walkthroughs (in other words, defaulting to high control risk)
Seeing significant internal control problems, assessing control risk at high, then performing routine audit procedures (and no extended procedures)
Assessing inherent risk too high (resulting in unnecessary responses–audit procedures)
Assessing inherent risk too low (resulting in adequate responses–audit procedures)
Not documenting why inherent risks are assessed as they are
Seeing risks of material misstatement in the performance of risk assessment procedures (e.g., preliminary analytics), but not documenting those on the summary risk assessment form
Adding audit procedures for assertions that are not relevant (wasted hours of work)
Not documenting linkage between the risks of material misstatement by assertion to the planned audit procedures
Assessing control risk below high without the support of a test of controls
Defaulting to a test of details rather than performing a test of controls for effectiveness when the test of details takes more time than the test of controls (not necessarily wrong, just takes more time)
Not identifying significant risks (and not performing needed extended procedures)
Not understanding how weak internal controls affect the risk of material misstatement
Not giving sufficient attention to internal controls because “my controls risk will be assessed at high anyway”
Doing the same-as-last-year without determining if last year’s approach was correct and without determining if new risks of material misstatement are present
Review one of your audit files and see if any of these risk assessment mistakes are present.
Peer reviews find that many CPA firms don't identify significant risks in audits, and that's a problem. Why? Because they are the seedbed of many material misstatements. And when material misstatements are not identified, audit failure often occurs.
Below, I will tell you how to identify, assess, and respond to significant risks.
I also explain the new requirement to communicate significant risks to those charged with governance.
Defining Significant Risk
The Auditing Standards Board previously defined significant risks as those deserving special audit consideration. They've amended this definition in SAS 145 to focus on the inherent risk characteristics rather than the response.
For example, a highly complex receivable allowance is inherently risky because it's subjective and complicated. Yes, we will give it special audit consideration. But it's a significant risk because of its nature (subjective and complex), not because of our response (re-computing the estimate and comparing it with prior periods, for example).
How Many Significant Risks?
At least one significant risk exists in most audits, and frequently there are more. The number depends on the entity, its environment, the types of services it provides or goods it sells, the complexity of its accounts, the subjectivity of determining balances, the susceptibility of accounts to bias or fraud, and the level of change.
The audit standard defines the risk as one close to the upper end of the spectrum of inherent risk without regard for controls. In other words, we consider the inherent risk factors, and we disregard internal controls as we identify these risks.
Align Inherent Risk with Significant Risk
Notice that significant risks are based solely upon inherent risk. So don’t make the mistake of identifying such a risk and then assessing inherent risk below high. After all, the definition says close to the upper end of the spectrum of inherent risk.
Suppose, for example, you identify a significant risk for the allowance for uncollectible receivables, an estimate, due the concerns about the valuation assertion (because it's complex and subjective; see inherent risk factors below). Then the inherent risk for the valuation assertion must be high (or max).
It's useful to think of inherent risk on a scale of 1 to 10, with 10 being high risk. If you believe the inherent risk is a 9 or a 10 (close to the upper end of the spectrum of inherent risk), then a significant risk is present. Though auditors commonly use low, moderate, high to measure inherent risk, the audit standards don't specify how this is to be done. I'm not saying don't use low, moderate, high, only that thinking of inherent risks on scale of 1 to 10 helps me evaluate risk and to determine whether a significant risk is present.
Inherent Risk Factors
And what are the inherent risk factors?
Complexity
Subjectivity
Change
Uncertainty
Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)
Two Questions to Consider
So the auditor reviews an assertion and asks, "In light of these risk factors, what is the probability of misstatement without regard for controls?" The auditor also asks, "Would a material misstatement occur?" So we consider two things:
Is it highly likely that a misstatement will occur for the assertion (without regard for controls)?
Will the misstatement be material?
If both answers are yes, it's a significant risk.
Responses to Significant Risks
Peer reviews find that auditors sometimes identify these risks but plan inadequate responses. If the risk is significant, then a strong response is necessary.
For example, if inventory obsolescence is an issue, the auditor should plan procedures to identify the impaired items and test for appropriate valuation. You may need a specialist in such a situation. So, what would be an inadequate response? Performing basic inventory procedures. Additional procedures, sometimes referred to as extended steps, are necessary to address the inventory valuation assertion.
As you plan the additional audit procedures, link them from the identified risk (usually on your summary risk assessment form) to your responses (usually on your audit program). In the inventory example, you would link the risk for the valuation assertion to the inventory audit steps (the extended steps to identify and value the impaired items).
You must also communicate these risks to those charged with governance.
Present guidance states that significant risks are those that deserve special audit consideration, so you'll use that definition until SAS 145 is implemented. (Even so SAS 145 will help you understand these risks now.)
How to Communicate
You can communicate significant risks in one of three ways:
Engagement letter
Planning letter to those charged with governance
Verbally to the board with documentation of that communication in the audit file--this could be a separate Word document that says who you talked with, when, and the significant risk areas communicated.
The Communication Change
SAS 134 amended AU-C 260.11 (AU-C 260 The Auditor's Communication with Those Charged with Governance) as follows (amended language is underlined):
The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor.
Sample Significant Risk Language
Here's an example of the language to be used in any of the three options above:
The anticipated significant risk areas in the audit are:
receivables/revenues,
the allowance for uncollectibles
the pension liability and disclosure.
Aligning the Communication with Workpapers
The significant risk areas communicated to the board during planning should align with those identified in your workpapers. You could, however, not know all of the risk areas when you create your initial communication. It's even possible you might not identify a these risks until you are well into the engagement. So the initial significant risk communication and the identified risks in the audit file could be different. You can communicate any additional risks in your final communication to those charged with governance.
Why are we making this communication the board? Well the board governs the entity, so they need to be aware of areas with a higher risk of potential misstatements.
Optional Communication
The explanatory information that accompanies AU-C 260 (specifically .A21) states you may include in the governance communication how you (as the auditor) are going to address the significant risks, but this is optional.