I support releasing the proposed risk assessment standards for public comment. The proposal incorporates into the financial statement audit important concepts related to audit risk developed in the Board’s auditing standard on internal control (Auditing Standard No. 5). For auditors who perform internal control audits, these concepts will be familiar and should encourage even closer integration of the audits.
The proposed standards also reflect an effort to evaluate and adapt certain procedures developed by the auditing profession under the auspices of the International Federation of Accountants. It has been useful to look at best practices and other ideas the firms have developed, and I hope and expect that the Board will continue to do so in future standards-setting projects.
I must say, though, that the instruction to begin with IFAC’s standards as a template made the drafting of our proposals more complicated. I suspect we would have before us a much simpler document if we had started with a clean slate. Moreover, people who are familiar with IFAC’s standards are not necessarily going to recognize them in the proposal, after all is said and done; and yet, the exercise of starting with those standards and adapting them for our purposes has consumed considerable resources. The Board may well want to consider the cost-benefit balance before doing so again in another standards-setting project.
This leads me to a point about form that I hope commenters will consider. Each of the proposed standards contains a statement of an objective, adapted generally from such statements in corresponding IFAC standards. To my mind, well-crafted objectives could be a good way of describing a required outcome while giving auditors flexibility to design effective and efficient ways to achieve that outcome. For the most part, though, the objectives that IFAC provides and that the proposed standards adapted do not state required outcomes, but rather just summarize the topic of the standard.
Without required objectives, the standards are left to requiring specific procedures. There may indeed be some procedures that we believe must be performed. But as we continue to develop these standards, I’d like to consider whether straying from the IFAC model might allow us to be more flexible in suggesting procedures and also permitting auditors to develop different techniques, so long as they demonstrate that they have successfully achieved the desired outcome.
Finally, the great effort put into adapting IFAC’s standards may have distracted the initiative from some areas that deserve more attention, such as evaluating risk in large or multi-location audits. These are particularly thorny challenges in auditing, and I suspect auditors would welcome some new thinking on techniques to address those challenges. I encourage commenters to consider these areas too.