Auditing Standards Related to the Auditor's Assessment of and Response to Risk

Identifying the risks of material misstatement, and planning and performing an audit that properly addresses those risks, is essential to affording investors reasonable assurance that the financial statements on which they rely are free of material error. Assessing and responding to risk is at the core of what auditors do. The Board's mandate is to ensure quality auditing and to promote investor confidence in audited financial statements. Therefore, focusing on the risk assessment process and the auditor's response to risk is one of the most important steps we can take to fulfill our statutory mandate.

The road that brought us to final adoption of the eight risk assessment standards the Board is considering today has been long. In their first incarnation, these standards were published in October 2008. Based on comments received on those proposals, the Board issued revised standards for further comment in December 2009. The Board's Standing Advisory Group has also publicly discussed risk assessment on several occasions during the past three years. While the process has been lengthy, the issues are important, and I believe that the final suite of standards is substantially stronger than its 2008 predecessor as a result of the input we have received. Some observers have urged us to afford still more opportunities for public participation in our standard setting, and I hope that we will continue to experiment with concept releases, multiple proposal periods, SAG discussions, and other opportunities for feedback, such as roundtables and working groups.

The changes to the re-proposed standards that are reflected in the final version before the Board today are more in the nature of refinements than new conceptual directions. However, there are three new features that I think are worth highlighting.

First, in the final standards, planning and supervision have been separated, and each is embodied in its own standard. In my view, this makes sense because it underscores the central role that supervision plays in auditing. A separate supervision standard also affords a better platform for future development of the concept of supervision. In our inspections program we see, not infrequently, audit breakdowns that are traceable to poor supervision of the engagement team or of other aspects of the engagement, such as the use of specialists. While the content of the new supervision standard — Auditing Standard No. 10 — is not radically different than the supervision requirements of AU 311, the adoption of AS No. 10 gives us a vehicle to address in the future weaknesses and deficiencies that our inspections uncover in this area.

Second, the new stand-alone audit planning standard, Auditing Standard No. 9, has been revised to better take into account multi-location engagements in which part of the work is performed by other auditors. The use of other auditors in cross-border audits has been a hot topic recently, and the Board issued Audit Practice Alert No. 6 on that subject several weeks ago. However, most of the guidance on multi-location audits in Auditing Standard No. 9 relates to determining the level of audit risk at the various locations in which the company operates and to determining where to perform audit work. As in the case of supervision, we are considering further standard-setting regarding the use of other auditors in light of the problems found in Board inspections and described in the Practice Alert. I think it is important that we move ahead with that work promptly.

Third, the final standards contain refinements to the requirements relating to the auditor's evaluation of whether the financial statements contain all of the information essential for a fair presentation in conformity with the applicable financial reporting framework. Disclosures beyond simply the numbers on the face of the financial statements have become increasingly important to meaningful financial reporting. The risk assessment standards underscore that the auditor's responsibilities extend to those disclosures and that the risk that the disclosures will be incomplete or misstated needs to be considered as part of planning and performing an audit and evaluating the results.

I believe these eight standards will improve audit quality, and I support their adoption. Of course, most firms' audit processes already incorporate risk-based methodologies, and the changes to audit manuals and staff training needed to implement these standards should not be overwhelming. Nonetheless, I think the new risk assessment standards are a significant step forward in promoting sophisticated audit risk assessment and minimizing the risk that the audit will fail to detect material misstatements.

                 *   *   *

Many people have been involved in this project over the past several years. I would specifically like to acknowledge the contributions of Marty Baumann, the Board's Chief Auditor, and of members of his staff, including Jessica Watts, Hasnat Ahmad, Diane Jules, and Hong Zhao. Without their efforts, and those of Bob Burns and Nina Mojiri-Azad and other staff in the Office of the General Counsel, risk assessment would still be on the drawing board. Finally, saving the best for last, I want to recognize the work of Deputy Chief Auditor Keith Wilson. Keith has been both the main theoretician and the lead draftsman on this project since the beginning. Keith, thanks for all of your hard work. I'm sure you are glad to see these standards finally crossing the finish line and are more than ready to move on to other projects.