In the first blog in this series, we looked at the identification and assessment of risks of material misstatement. In this second post, we’ll dig into ensuring audit quality. Specifically, we’ll look at the need for auditors to maintain professional skepticism and document their work thoroughly to improve audit effectiveness and efficiency.
Revised audit documentation requirements
Among the new provisions in SAS 145 is the revision of the audit documentation requirements. This now includes the following:
- Documentation of the evaluation of the design of certain identified controls and determination of whether such controls have been implemented.
- The rationale for significant judgments made regarding the identified and assessed risks of material misstatement. In other words, how did the auditor identify a risk of material misstatement? And why did they assess it the way they did?
There may be opportunities for efficiencies with regard to documentation around design and implementation of internal controls. The extant standard is somewhat vague in this regard, leading many auditors to test design and implementation for a number of controls relevant to the audit. SAS 145 clarifies which controls auditors are required to evaluate for design and determine implementation. These are referred to as “identified controls” and include:
- Controls addressing significant risks.
- Controls over journal entries similar adjustments.
- Controls for which the auditor plans to test operating effectiveness, including controls that address risks for which substantive procedures do not provide sufficient appropriate audit evidence.
- Other controls based on auditor judgment.
For the second item, as outlined in the Executive Summary: “The form, content, and extent of audit documentation that is sufficient to enable an experienced auditor having no previous experience with the audit to understand the nature, timing, and extent of the risk assessment procedures performed and the results of those procedures, including the conclusions reached and the rationale for the significant professional judgments made, depend on various factors, including the need to document a conclusion or the basis for a conclusion otherwise not readily determinable from the documentation of the work performed or audit evidence obtained.”
The key here is for auditors to document the rationale behind their risk assessment work and the conclusions they reached as a result of that work. Again, this is an opportunity for firms to improve audit efficiencies and effectiveness.
Maintaining professional skepticism
Professional skepticism is a pillar of audit quality and essential in analyzing audit information in an unbiased fashion. So it likely comes as little surprise that SAS 145 highlights the importance of maintaining professional skepticism and issues new and enhanced guidance.
Within SAS 145 there are several key provisions that are designed to enhance and emphasize the auditor’s professional skepticism. These include:
Clarifying that an appropriate understanding of the entity and its environment, and the applicable financial reporting framework, provides a foundation for being able to maintain professional skepticism throughout the audit.
Highlighting the benefits of maintaining professional skepticism during the required engagement team discussion.
Highlighting that contradictory evidence may be obtained as part of the auditor’s risk assessment procedures.
When auditors maintain professional skepticism, they can effectively do the following:
- Take into account contradictory information that comes to their attention.
- Be alert to conditions that may indicate possible misstatement due to fraud or error.
- Consider information that may be used as audit evidence.
- Determine whether audit evidence supports their identification and assessment of the risks of material misstatement in light of the entity’s nature and circumstances.
- Consider responses to inquiries and other information obtained from management and those charged with governance.
A new ‘stand-back’ requirement
SAS No. 145 includes a new “stand-back” requirement. This requires auditors to stop and reflect on the completeness of their identification of significant classes of transactions, account balances, and disclosures.
Specifically, if they have determined that any material classes of transactions, account balances, or disclosures are not significant (that is, there are no relevant assertions identified), SAS 145 requires the auditor to “stand back” and evaluate whether that determination remains appropriate.
In light of the new “stand-back” requirement, firms may want to consider embracing a top-down approach, as noted in an AICPA blog, which stated that a top-down approach “aligns well with the new stand-back requirement in SAS No. 145 as well as the new guidance on scalability.”
As outlined in the conforming amendments to SAS 145, a top-down approach involves:
- Beginning at the financial statement level;
- Using the auditor’s understanding of the overall risks to ICFR;
- Focusing on entity-level controls, which may be indirect or direct controls as described in SAS No. 145;
- Working down to significant classes of transactions, account balances, and disclosures, and their relevant assertions, which directs attention to classes of transactions, accounts, disclosures, and assertions that present a reasonable possibility of material misstatement of the financial statements;
- Directing attention to classes of transactions, accounts, disclosures, and assertions that present a reasonable possibility of material misstatement of the financial statements;
- Verifying the auditor’s understanding of the risks in the entity’s processes; and
- Selecting controls for testing that sufficiently address the assessed risk of material misstatement to each relevant assertion.
Firms may find that such an approach can help drive more efficient and effective audits.
Conclusion
Being mindful of audit documentation and maintaining professional skepticism can go a long way toward ensuring a quality audit as well as avoiding potential risks. Take action now to ensure that your firm is fully prepared for SAS 145. To learn more, view our webinar offering early guidance on SAS No. 145.