PCAOB Urges Auditors to Be Better at Assessing Risk

The Public Company Accounting Oversight Board (PCAOB) is urging audit firms to make reviewing and improving their risk assessment processes a “significant priority.”

Why? According to a report issued by the US audit regulator on Oct. 15, inspectors continue to find deficiencies in firms' implementation of and compliance with certain auditing standards related to risk.

The board's risk assessment standards – Auditing Standards (AS) No. 8 through No. 15 – are designed to address the auditor's assessment of audit risk, responses to the risks of material misstatement, and evaluation of the results of procedures performed in an audit. The standards were adopted by the PCAOB in 2010.

“The procedures required by these standards underlie the entire audit process, including the procedures that the auditor performs to support the opinion expressed in the auditor's report,” the PCAOB states in the report. “For that reason, noncompliance with these standards can have serious implications for the audit of internal control over financial reporting or the audit of the financial statements and may affect whether the auditor performs enough work to support the auditor's opinion.”

The risk assessment standards include:

• AS No. 8, Audit Risk
• AS No. 9, Audit Planning
• AS No. 10, Supervision of the Audit Engagement
• AS No. 11, Consideration of Materiality in Planning and Performing an Audit
• AS No. 12, Identifying and Assessing Risks of Material Misstatement
• AS No. 13, The Auditor's Responses to the Risks of Material Misstatement
• AS No. 14, Evaluating Audit Results
• AS No. 15, Audit Evidence

The report, Inspection Observations Related to PCAOB “Risk Assessment” Auditing Standards (No. 8 through No. 15), discusses findings under the eight standards for inspections conducted in 2012, 2013, and 2014.

In 26 percent of the 632 engagements inspected in 2012 where the risk assessment standards were applicable, PCAOB inspections staff found an audit deficiency related to one or more of those standards that contributed to an insufficiently supported audit opinion. That rate increased to 27 percent for the 848 engagements inspected in 2013.

In 2014, inspections staff inspected 789 audits, and the standards were applicable in 780 of those audits. The results of those inspections, while not yet fully and finally quantified, include a high number of audit deficiencies related to the risk assessment standards, according to the PCAOB.

Audit deficiencies related to the risk assessment standards spanned a wide variety of issuers and firms and most frequently related to AS No. 13, AS No. 14, and AS No. 15.

Examples of common deficiencies under those auditing standards include:

• Failing to perform substantive procedures specifically responsive to fraud risks and other significant risks identified.
• Not evaluating the accuracy and completeness of financial statement disclosures.
• Not testing the accuracy and completeness of information produced by the company.

Inspections staff identified the following factors that may have contributed to the deficiencies related to the risk assessment standards:

• The firm did not have an adequate understanding of the issuer and its processes, and related internal control over financial reporting.
• Firm tools had not been appropriately designed to enable engagement teams to tailor their risk assessment procedures on the audit.
• The firm did not adequately design and perform audit procedures to address identified and assessed risks of material misstatement.
• Senior members of the engagement team, including the engagement partner, may not devote sufficient attention to the performance of risk assessment procedures or the supervision, including review of the work of engagement team members.
• Some firm professionals may not exercise due care, including professional skepticism (e.g., overreliance upon management assertions, reliance on perceived knowledge of the issuer, and insufficient evaluation of contradictory evidence).
• Firms may not place the appropriate level of importance on, or may not provide adequate training with respect to, testing journal entries.

“Firms should perform their own root-cause analyses for the deficiencies identified in this report, if applicable, and take appropriate corrective action,” the PCAOB states. “Firms also need to monitor and evaluate whether their corrective actions adequately address the deficiencies.”