Proposed Auditing Standards Related to the Auditor's Assessment of and Response to Risk

The recommendation before the Board today is to re-propose a suite of seven standards that focus on the risk assessment process and on the auditor’s response to identified risks. The Board first published these standards for comment in October 2008. Based on the comments received, the standards have been refined and revised. For a project of this magnitude and significance, it is important to afford the public and the profession a full opportunity to comment before taking final action, and I support re-proposal of the revised standards.

A sound and sophisticated understanding of the risks of material misstatement, and planning and executing the audit to respond to those risks, are essential to affording investors reasonable assurance that financial statements are free of material error. For that reason, these seven standards – once finalized – will serve as the bedrock for much of the Board’s future standards-setting. These standards will provide a base that focuses on appropriate risk identification and on audit planning tailored to those risks. Future standards will build on that foundation.

In response to the original proposals, the staff received 33 comment letters. These comment letters were generally supportive of the proposed standards, but offered many ideas for ways to enhance and improve the risk assessment framework. The revised standards are not fundamentally different in approach from the first version. The new standards do, however, reflect numerous enhancements and clarifications. Three are particularly significant:

• First, the proposed standards have been revised to better align with Auditing Standard No. 5 -- the standard governing audits of internal control over financial reporting. In some cases, the auditor must perform an audit of only the financial statements; in other cases, he or she must perform an integrated financial statement and internal control audit. However, the risk assessment process is basically the same, regardless of whether the task at hand is an integrated audit or a financial statement-only audit. The revised standards better harmonize their risk assessment procedures with those in Auditing Standard No. 5.
• The revised standards more explicitly emphasize the need to evaluate financial statement disclosures as part of assessing the risk of material misstatement. Consideration of whether financial statements are fairly stated includes an evaluation of the adequacy of disclosures in the notes, not just of the numbers on the face of the statements. Focusing during the planning stage on the importance of disclosures can improve the auditor’s approach to testing and to evaluating audit results. As a consequence of the changes to address disclosures, the revised proposals would supersede the existing standard in this area, AU 431, Adequacy of Disclosures in Financial Statements.
• The new proposed standards also contain beefed-up requirements relating to the auditor’s responsibility to consider the possibility of fraud. These include increased emphasis on consideration of potential management bias and of risks related to missing or incomplete disclosures.

I want to touch briefly on two other points. First, as I noted at the October, 2008 meeting, the staff began formulating these standards by looking at the comparable provisions of the International Standards on Auditing -- the ISAs. While the Board received support in the comments for this approach, many commenters thought we had not gone far enough and offered suggestions to further reduce differences between these standards and the ISAs. The revised proposals take some additional steps in that direction. And, like the 2008 release, the document before the Board today includes an appendix that provides a high-level comparison between the revised proposals and the ISAs. I hope commenters will again consider whether we have struck the right balance.

Second, I am sensitive to comments that urged the Board to do more to promote transparency in its standards-setting. I am certainly pleased that the staff is recommending a second comment period on these proposals. Further, I hope that, depending on the nature of the next set of comments, we will consider discussing these standards again with the Board’s Standing Advisory Group before they are finalized. The SAG will be holding its next public meeting in April. Beyond that, I would urge the Board to continue to explore ways of making its standards-setting -- and the thinking that underlies its proposals -- more open.

* * *

I would like to thank all of the Office of the Chief Auditor staff members who have worked so diligently on these proposed standards – including Hasnat Ahmad, Diane Jules, Jessica Watts, and Hong Zhao. In particular, I would like to single out Keith Wilson, who has been the champion of the risk assessment project for over four years and who spearheaded both the first proposal and this re-proposal. Keith, I am afraid your work isn’t over yet, but perhaps the finish-line is starting to come into view.