PCAOB proposes seven new risk assessment auditing standards
The proposed standards would establish requirements and provide direction on audit procedures performed throughout the audit, from the initial planning stages through the evaluation of the audit results in forming the opinions in the auditor's report. The proposals build upon and attempt to improve the existing framework for risk assessment by, among other things, taking account of improvements in risk assessment methodologies, enhancing the integration of the risk assessment standards with the Board's standard for the audit of internal control over financial reporting, emphasizing the auditor's responsibilities for considering the risk of fraud as being a central part of the audit process, and reducing unnecessary differences with the risk assessment standards of other auditing standard setters.
Chairman Mark Olson said, "An appropriate assessment of risk is the foundation of a high quality audit. Today's proposals are intended to strengthen that foundation, which should result in improvements throughout the audit."
The Board is proposing these standards for a 120-day comment period, ending February 18, 2009. Interested persons are encouraged to submit their comments to the Board. The Board will carefully consider all comments received before taking final action on the proposal. Comments will be posted on the Board's Web site, www.pcaobus.org, on the Rulemaking Rocket under Rules (Rulemaking Docket No. 026). Any new auditing standard or amendment to a PCAOB standard that is adopted will be submitted to the Securities and Exchange Commission for approval.
The proposing release, text of the proposed auditing standard, and related amendments to PCAOB standards are available on the Board's Web site under Rulemaking Docket No. 026. An archive of the Webcast and a podcast of the Board's public meeting will also be available on the Board's Web site at www.pcaobus.org.
A more detailed discussion of the matters proposed for public comment follows:
The seven standards the Board proposed are, like the existing interim PCAOB standards, rooted in the concept of audit risk. Audit risk can be described as the risk that the auditor will express an inappropriate opinion when the financial statements are materially misstated. The objective of an audit of financial statements is to limit audit risk to a low level, so that the auditor can opine with reasonable assurance that the financial statements present fairly, in all material respects, a company's financial position, results of operations, and cash flows in conformity with generally accepted accounting principles.
A number of factors and developments influenced the development of the proposed standards, including improvements in audit methodologies; recommendations to the profession on ways in which auditors could improve risk assessment; advice from the Board's Standing Advisory Group ("SAG"); the adoption of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements; and observations from the Board's oversight activities.
Overview of the Proposed Standards
The proposed risk assessment standards are as follows:
- Audit Risk in an Audit of Financial Statements. This proposed standard describes the components of audit risk and the auditor's responsibilities for reducing audit risk to an appropriately low level in order to obtain reasonable assurance in an audit of financial statements.
- Audit Planning and Supervision. This proposed standard describes the auditor's responsibilities for planning the audit, including assessing matters that are important to the audit, and establishing an appropriate audit strategy and audit plan. The proposed standard also describes the responsibilities of the engagement partner and other engagement team members for supervising and reviewing the work of the engagement team.
- Identifying and Assessing Risks of Material Misstatement. This proposed standard describes the auditor's responsibilities for identifying and assessing risks of material misstatement. The risk assessment process discussed in the proposed standard includes information-gathering procedures to identify risks (e.g., obtaining an understanding of the company, its environment, and its internal control) and analysis of the identified risks.
- The Auditor's Responses to the Risks of Material Misstatement. This proposed standard sets forth the auditor's responsibilities for responding to the risks of material misstatement in the general conduct of the audit and specific audit procedures.
- Evaluating Audit Results. This proposed standard describes the auditor's responsibilities regarding the process of evaluating the results of the audit in order to form the opinion(s) to be presented in the auditor's report. This process includes evaluating uncorrected misstatements and control deficiencies identified during the audit.
- Consideration of Materiality in Planning and Performing an Audit. This proposed standard sets forth the auditor's responsibilities for applying the concept of materiality, as described by the federal securities laws, in planning the audit and determining the scope of the audit procedures.
- Audit Evidence. This proposed standard sets forth the auditor's responsibilities regarding designing and applying audit procedures to obtain sufficient appropriate evidence to support the opinion(s) in the auditor's report. In particular, it discusses the principles for determining the sufficiency and appropriateness of audit evidence.
Improvements to Audits of Issuers
The Board believes that the proposed standards, if adopted, would result in improvements to audits of issuers, such as the following:
- The proposed standards would update the existing requirements to take account of the improved risk-based audit methodologies currently in use by some auditors. While some firms are already applying many of the procedures described in the proposed standards, the Board believes that improvements in risk assessment methods should be reflected in all public company audits.
- The proposed standards should enhance integration of the audit of the financial statements with the audit of internal control over financial reporting, resulting in more effective audits. Auditing Standard No. 5 describes a risk-based audit of internal control over financial reporting that should be fully integrated with the audit of financial statements. The proposed standards describe the auditor's responsibilities for assessing risk, responding to risk, and evaluating audit results in the context of an integrated audit of financial statements and internal control over financial reporting, which should help auditors better understand how certain procedures required by Auditing Standard No. 5 can be integrated with financial statement audit procedures.
- The proposed standards would integrate the auditor's current responsibilities for considering fraud during the audit. This integration would emphasize that consideration of fraud is a central part of the audit process and should prompt auditors to make a more thoughtful and thorough assessment of fraud risks and develop appropriate audit responses.
- The proposed standards would serve as an improved foundation for future standard setting. The proposed standards set forth the auditor's responsibilities for certain fundamental aspects of the audit process, such as assessing risk and performing tests of controls and substantive procedures. Future auditing standards that address more specific aspects of the audit would build on the foundational principles in the proposed standards.
- The proposed standards reflect the Board's effort to reduce unnecessary differences with the risk assessment standards of other auditing standard setters. In developing these proposals, the Board began by considering whether the provisions of the IAASB's recently adopted risk assessment standards were appropriate for audits of issuers and consistent with the Board's statutory mandate "to oversee the audit of public companies that are subject to the securities laws…in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports." While many of the procedures described in the IAASB standards appear to be generally suitable for audits of issuers, the Board believes that certain changes to those standards would be necessary for the Board to adopt them as standards of the PCAOB. Accordingly, there is a degree of commonality between the proposed standards and the IAASB's recently updated risk assessment standards, though they do not mirror them word-for-word.