Financial crisis aftermath leads to new risk assessment considerations by PCAOB
By CHRIS GAETANO
Since the events of the financial crisis, auditors can no longer afford to consider fraud risk as something separate from other risk assessments, according to C. Gregory Scates, deputy chief auditor of the Public Company Accounting Oversight Board (PCAOB), who spoke at the Forum on Auditing in the Small Business Environment on July 27 in New York. The forum, held annually at various locations throughout the country, is organized by the PCAOB to keep representatives of the small business community up-to-date on the board’s activities.
Looking for fraud needs to be an “integral part of the risk assessment standards,” Scates said.
The PCAOB recently made “substantive changes” to the risk assessment standards—including instructions to take risk into account more often when performing audits—which were approved by the Securities and Exchange Commission on Dec. 23, 2010, and are effective for audits of fiscal years beginning on or after Dec. 15, 2010.
For example, Auditing Standard (AS) 12, Identifying and Assessing Risks of Material Misstatement, introduces a new term—“significant risks”—which refers to the risk of a material misstatement on the financial statement that would require special audit concerns. The standard requires the identification of these significant risks, Scates said, although he added that, in his opinion, all fraud risks are considered significant risks.
In another instance, AS 13, The Auditor’s Responses to the Risks of Material Misstatement, also bundles fraud risks with other risk elements.
“Was it error or was it fraud? Doesn’t matter,” said Scates. “The only difference between fraud and error is intent.”
Regardless of whether the material misstatement is a result of fraud or error, the auditing standard prompts the use of procedures that are specifically responsive to these specific risks, such as substantive tests of details and controls.
The Society’s Technology Assurance Committee responded to this issue with a comment letter in February 2009, stating its view that the standards promulgated by the PCAOB in this area should indicate that reliance on automated controls must be based on testing similar to that which is applied to nonautomated controls. Reliance, according to the Society, “should not be placed on results from previous periods’ testing without other testing being performed by the auditor,” a view that the PCAOB ultimately adopted.
Fraud risk should also be incorporated when looking at the results of an audit in the manner described in AS 14, Evaluating Audit Results, Scates said. This standard covers the evaluation of analytical procedures in the overall review of the audit, including any misstatements found during the audit, qualitative aspects of the company’s accounting practices, conditions identified that relate to the assessment of fraud risk and presentation of the financial statements, such as disclosures and the sufficiency and appropriateness of the evidence obtained.
The standard also requires that special consideration be given to misstatements relating to accounting estimates, including expanded discussion of potential management bias, particularly when it comes to additional procedures regarding offsetting adjustments identified by management, said Scates. These adjustments are a significant cause of concern because they make the auditor wonder why management only came up with the new information at that later point in time, rather than earlier in the audit.
It makes you question the integrity of the management,” said Scates.
The new standards also give the engagement partner a more prominent role than before. For example, AS 9, Audit Planning, requires increased collaboration between the auditor and the engagement partner when arranging how an audit will be carried out.
“The engagement partner is to play an integral role in planning the audit … the engagement partner is not going to just sit on the sidelines and do nothing,” said Scates, adding that engagement partners have a great deal of experience that can help shed light on certain issues that may come up during an audit.
The PCAOB risk assessment standards also realign what is and is not considered to be material during an audit. For example, under the new risk assessment standards, auditors need to examine audits from the perspective of investors to see what is “meaningful” and “important” to them, especially “since the PCAOB’s mission is to protect the interests of the investors through the preparation of [an] informative audit report,” said Scates.
This viewpoint is outlined in AS 11, Consideration of Materiality in Planning and Performing an Audit, which uses the concept of materiality as it currently applies to federal securities law by reflecting “a reasonable investor’s perspective.” The standard requires that the auditor establish a materiality level for the financial statement as a whole, though he or she must also establish lower materiality levels for particular accounts and disclosures when lesser misstatements are likely to influence a reasonable investor’s judgment.
It also requires that the auditor determine what misstatements are tolerable at both the account and disclosure level, and reevaluate these materiality levels as necessary when the auditor becomes aware of any new circumstances or additional information.
The new standard was the result of discussions between the PCAOB and various investors to see what value the latter were gleaning from audit reports. Many investors reported feeling dissatisfied with the conventional pass/fail audit report model, saying that they wanted more information to better understand the company in which they invested, according to Scates.
Potential changes to the auditor reporting model
The PCAOB, in response to public feedback, also issued a concept release on June 21 that, if implemented, could create vast changes to the audit reporting model, including required and expanded use of emphasis paragraphs—which Scates said are currently not used that often—mandated auditor assurance on other information outside the financial statement and clarification of language in the standard auditor’s report. Essentially, the proposed changes would increase the qualitative information, in addition to the quantitative information, issued with the auditor’s report, said Scates.
“Where we end up, I’m not sure,” said Scates. “But I’m pretty convinced that the auditor’s report is going to change.”
At the time of this writing, the Society was in the process of completing a comment letter to the PCAOB on its concept release. Comments were due Sept. 30.