Overview of the ASB Risk Assessment Standards Indexed to

Auditing and Assurance Services: An Integrated Approach 11th Edition

In March 2006 the AICPAs Auditing Standards Board issued SAS Nos. 104-111, eight
standards relating to the assessment of risks in a financial statement audit. The ASB also
issued SAS No. 112 in May 2006 on communication of internal control related matters.
The Risk Assessment Standards and SAS No. 112 are effective for audits of financial
statements for periods beginning on or after December 15, 2006, with early application
permissible.
The Risk Assessment Standards establish standards and provide guidance in financial
statement audits for private companies concerning the auditors assessment of the risks of
material misstatements (whether caused by error or fraud), and the design and
performance of audit procedures that are responsive to those risks. In addition, these
Statements establish standards and provide guidance on planning and supervision, the
nature of audit evidence, and evaluating whether the audit evidence affords a reasonable
basis for the auditors opinion on the financial statements under audit.
The primary objective of the Statements is to enhance auditors application of the
risk model, including specifying:

More in-depth understanding of the entity and its environment, including its
internal control, to identify the risks of material misstatement in the financial
statements and entity actions to mitigate those risks.
More rigorous assessment of the risks of material misstatement of the financial
statements based on that understanding.
Improved linkage between the assessed risks and the nature, timing and extent of
audit procedures performed in response to those risks.

These standards introduce many changes in terminology. However, these

standards were first exposed in 2002 and the audit methodology presented in Auditing
and Assurance Services: An Integrated Approach 11th Edition is largely consistent with
these standards. We first provide an analysis of how these standards affect individual
chapters in the 11th Edition. This is followed by a summary of the key provisions of each
individual standard.

Chapter 2 The CPA Profession

SAS No. 105 includes revisions to the 10 auditing standards in Table 2-3 on p. 34 of the
11th edition. A comparison of the revised and original standards is included below:
Original Standard
General Standards
1. The audit is to be performed by a
person or persons having adequate
technical training and proficiency as
an auditor.
Standards of Field Work
1. The work is to be adequately
planned and assistants, if any, are to
be properly supervised.
2. A sufficient understanding of
internal control is to be obtained to
plan the audit and determine the
nature, timing, and extent of tests to
be performed.
3. Sufficient competent evidential
matter is to be obtained through
inspection, observation, inquiries,
and confirmations to afford a
reasonable basis for an opinion
regarding the financial statements
under audit.

Revised Standard
General Standards
1. The audit must be performed by a
person or persons having adequate
technical training and proficiency as
an auditor.
Standards of Field Work
1. The auditor must adequately plan the
work and must properly supervise
any assistants.
2. The auditor must obtain a sufficient
understanding of the entity and its
environment, including its internal
control, to assess the risk of material
misstatement whether due to error or
fraud, and to design the nature,
timing, and extent of further audit
procedures.
3. The auditor must obtain sufficient
appropriate audit evidence by
performing audit procedures to afford
a reasonable basis for an opinion
regarding the financial statements
under audit.

The effects of the changes to the three standards of field work are included in the
discussion of the impact of the standards on other chapters.
Chapter 6 Audit Responsibilities and Objectives
1. SAS No. 104 expands the definition of reasonable assurance to indicate that it is a
high, but not absolute level of assurance.
2. SAS No. 106, Audit Evidence expands the five management assertions included on p.
145 of the 11th edition into three categories: 1) assertions about classes of transactions
and events; 2) assertions about account balances at the period end; and 3) assertions
about presentation and disclosure. The assertions in each category are included in
Table 1; the assertions are presented so that related assertions are included in each
table row.
3. Table 2 indicates how the transaction objectives in Table 6-2 (p. 147) relate to the
assertions about transactions and events.
4. Table 3 indicates how the balance objectives in Table 6-3 (p. 150) relate to assertions
about account balances. These are substantially unchanged from the 11th edition.

TABLE 1
Assertions About Classes of
Transactions and Events
Occurrence Transactions and events
that have been recorded have occurred
and pertain to the entity.
Completeness All transactions and
events that should have been recorded
have been recorded.
Accuracy Amounts and other data
relating to recorded transactions and
events have been recorded
appropriately.
Classification Transactions and
events have been recorded in the
proper accounts.

Management Assertions for Each Category of Assertions

Assertions About Account
Assertions About Presentation and
Balances
Disclosure
Existence Assets, liabilities, and
Occurrence and rights and obligations
equity interests exist.
Disclosed events and transactions
have occurred and pertain to the entity.
Completeness All assets,
Completeness All disclosures that
liabilities, and equity interests that
should have been included in the
should have been recorded have
financial statements have been
been recorded.
included.
Valuation and allocation Assets,
Accuracy and valuation Financial and
liabilities, and equity interests are
other information are disclosed fairly
included in the financial statements
and at appropriate amounts.
at appropriate amounts and any
resulting valuation adjustments are
appropriately recorded.
Classification and understandability
Financial and other information is
appropriately presented and described
and disclosures are clearly expressed.

Cutoff Transactions and events have

been recorded in the correct
accounting period.
Rights and obligations The entity
holds or controls the rights to assets,
and liabilities are the obligation of
the entity.

TABLE 2

Transaction-Related Audit Objectives and Management Assertions for

Sales Transactions

Management Assertions
About Classes of Transactions
and Events
Occurrence

General Transaction-Related
Audit Objectives
Occurrence

Completeness
Accuracy

Completeness
Accuracy
Posting and summarization

Classification
Cutoff

Classification
Timing

Specific Sales Transaction-Related

Audit Objectives
Recorded sales are for shipments made to
nonfictitious customers.
Existing sales transactions are recorded.
Recorded sales are for the amount of
goods shipped and are correctly
recorded.
Sales transactions are properly included in
the master file and are correctly
summarized.
Sales transactions are properly classified.
Sales are recorded on the correct dates.

TABLE 3
Management Assertions
About Account Balances
Existence
Completeness
Valuation and allocation

Rights and obligations

Hillsburg Hardware Co.: Balance-Related Audit Objectives and

Management Assertions Applied to Inventory
General Balance-Related
Specific Balance-Related Audit
Audit Objectives
Objectives Applied to Inventory
Existence
All recorded inventory exists at the
balance sheet date.
Completeness
All existing inventory has been counted
and included in the inventory
summary.
Accuracy
Inventory quantities on the clients
perpetual records agree with items
physically on hand.
Prices used to value inventories are
materially correct.
Extensions of price times quantity are
correct and details are correctly
added.
Classification
Inventory items are properly classified
as to raw materials, work in process,
and finished goods.
Cutoff
Purchase cutoff at year-end is proper.
Sales cutoff at year-end is proper.
Detail tie-in
Total of inventory items agrees with
general ledger.
Net realizable value
Inventories have been written down
where net realizable value is
impaired.
Rights and obligations
The company has title to all inventory
items listed.
Inventories are not pledged as
collateral.

Chapter 7 Audit Evidence

1. The term sufficient competent evidential matter is replaced with the term
sufficient appropriate audit evidence in SAS No. 106.
2. The standard also defines audit procedures for obtaining audit evidence in the
following categories:
Inspection of records or documents
Inspection of tangible assets
Observation
Inquiry
Confirmation
Recalculation
Reperformance
Analytical procedures

Chapter 8 Audit Planning and Analytical Procedures

SAS No. 109 requires the auditor to perform risk assessment procedures to obtain an
understanding of the entity and its environment, including its internal control. This
requirement is consistent with the audit approach to gaining an understanding of the
clients business and industry in the 11th edition.
1. SAS No. 108, Planning and Supervision, clarifies that the auditor should establish an
understanding with the client through a written communication with the client. The
new standard requires the communication to be in the form of an engagement letter.
2. SAS No. 108 also requires the auditor to establish an overall strategy for the audit,
and develop an audit plan that includes:
A description of the nature, timing, and extent of planned risk assessment
procedures sufficient to assess the risks of material misstatement as determined
under SAS No. 109.
A description of the nature, timing, and extent of planned further audit procedures
at the relevant assertion level for each material class of transactions, account
balance, and presentation and disclosure as determined under SAS No. 110.
3. SAS No. 109 indicates that the members of the audit team should discuss the
susceptibility of the entitys financial statements to material misstatements. This
discussion can be held concurrently with the discussion of the susceptibility of the
entitys financial statements to fraud required by SAS No. 99.
Chapter 9 Materiality and Risk
The risk assessment process in Chapter 9 of the 11th edition is consistent with the risk
assessment standards.
1. SAS No. 107, Audit Risk and Materiality in Conducting an Audit, identifies two types
of misstatements: known and likely. Likely misstatements include projections of
misstatements based on a sample, and differences between managements and the
auditors judgments for accounting estimates that the auditor considers unreasonable
or inappropriate.
2. SAS No. 107 also notes that closest reasonable estimate for estimated amounts such
as inventory obsolescence may be a range of acceptable amounts or a point estimate.
If managements estimate falls outside the auditors range of acceptable amounts, the
difference between the clients recorded amounts and the amount at the closest end of
the auditors range should be aggregated as a likely misstatement. For example, if the
auditor determines that an allowance for doubtful accounts of $120,000 to $150,000
is reasonable and the clients recorded allowance is $100,000, then $20,000, the
difference between the lower end of the auditors range and the clients estimate
should be aggregated as a likely misstatement. In addition, the auditor should
consider whether the differences between the estimates best supported by audit
evidence and the clients evidence, which may be individually reasonable, indicate a
possible bias by the entitys management.

3. The auditor should request management to record an adjustment for all known
misstatements except for those considered trivial. Trivial amounts are amounts
below the auditors threshold for accumulating misstatements. The auditor should
request management to examine the class of transactions or account balance to
identify and correct likely misstatements, and review the assumptions for estimates
where the auditor has identified a likely misstatement.
4. SAS No. 109 notes that in assessing risks, the auditor should assess whether they are
at the overall financial statement level or pertain to relevant assertions related to
classes of transactions, account balances, and disclosures.
5. The auditor should also consider whether any of the identified risks represent
significant risks that require special audit attention. In making this determination, the
auditor should consider:
Whether the risk is a risk of fraud
Whether the risk is related to recent significant economic, accounting, or other
developments requiring specific attention
The complexity of the transactions
Whether the risk involves significant transactions with related parties
The degree of subjectivity in the measurement of financial information related to
the risks, especially those involving a wide range of measurement uncertainty
Whether the risk involves significant nonroutine transactions that are outside the
normal course of business for the entity, or that otherwise appear to be unusual.
6. SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and
Evaluating the Audit Evidence Obtained is also consistent with Chapter 9. Page 248
in the 11th edition discusses two overall responses to risk use of more experienced
staff and a more careful review. SAS No. 110 includes additional overall responses,
including the need for professional skepticism and incorporating more elements of
unpredictability in testing.
7. SAS No. 109 notes that the auditor may assess inherent risk and control risk on a
separate or combined basis, which was also allowed under existing standards.
However, the auditor can no longer default to control risk at maximum and perform a
substantive audit. Instead, auditors must obtain an understanding of internal controls
and then assess control risk based on that understanding.
Chapter 10 Section 404 Audits of Internal Control and Control Risk
SAS No. 109 and SAS No. 110 together supersede SAS No. 55, Consideration of
Internal Control in a Financial Statement Audit, but do not significantly alter the
approach to understanding internal control in Ch. 10. Similarly, the reporting of
significant deficiencies and material weaknesses for nonpublic companies discussed in
Ch. 10 is consistent with SAS No. 112.
1. SAS No. 109 discusses manual and IT controls and notes that because of the inherent
consistency of IT controls, audit procedures to test whether an automated control has
been implemented may serve as a test of the controls operating effectiveness,
depending on the auditors assessment and testing of IT general controls.

2. SAS No. 110 indicates that the auditor should perform tests of controls when the
auditors risk assessment includes an expectation of the operating effectiveness of
controls or when substantive procedures alone do not provide sufficient audit
evidence at the relevant assertion level. Substantive procedures alone may not be
sufficient when the entity relies on IT and no documentation of transactions is
maintained, other than through the IT system.
3. Auditors may test controls that have not changed on a rotational basis. The operating
effectiveness of such controls should be tested at least every third audit. The decision
to rely on evidence on the effectiveness of controls obtained in prior audits depends
on the overall effectiveness of other elements of internal control, the effectiveness of
the control being relied upon, and the risks arising from characteristics of the control,
including whether it is manual or automated.
Chapter 13 Overall Audit Plan and Audit Program
1. One of the five types of tests in Chapter 13 is procedures to obtain an understanding
of internal control. These procedures should also include procedures to obtain an
understanding of the entity and its environment and risk assessment procedures,
consistent with the changes to the second standard of field work.
2. In designing the audit program, the auditor should document the linkages of
procedures with identified specific risks.

Overview of Risk Assessment Standards

SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Codification of
Auditing Standards and Procedures (Due Professional Care in the Performance of
Work) Amends paragraph 10 to expand the definition of the term reasonable
assurance to indicate that it is a high, but not absolute level of assurance.
SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally
Accepted Auditing Standards
1. Expands the scope of the second standard of field work from internal control to
the entity and its environment, including its internal control and extends its purpose
from planning the audit to assessing the risk of material misstatement in the
financial statements, whether due to error or fraud.
2. Revises the third standard of field work to eliminate references to specific audit
procedures which might imply that they encompass all audit procedures. Replaces the
term evidential matter with audit evidence.
The amended standards are as follows:
General Standards
1. The audit must is to be performed by a person or persons having adequate technical
training and proficiency as an auditor.
Standards of Field Work
1. The auditor must The work is to be adequately planned the work and must properly
supervise any assistants, if any, are to be properly supervised.
2. The auditor must obtain a A sufficient understanding of the entity and its
environment, including its internal control is to be obtained to assess the risk of
material misstatement of the financial statements whether due to error or fraud,
plan the audit and to design determine the nature, timing, and extent of further audit
procedures tests to be performed.
3. The auditor must obtain sSufficient appropriate audit evidence competent evidential
matter is to be obtained by performing audit procedures inspection, observation,
inquiries, and confirmations to afford a reasonable basis for an opinion regarding the
financial statements under audit.
SAS No. 106, Audit Evidence (Supersedes Statement on Auditing Standards No. 31,
Evidential Matter)
1. Replaces the term sufficient competent evidential matter with sufficient
appropriate audit evidence.
2. Defines management assertions as falling into three categories: 1) assertions about
classes of transactions and events; 2) assertions about account balances at period end;
and 3) assertions about presentation and disclosure.

SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Supersedes
Statement on Auditing Standards No. 47, Audit Risk and Materiality in Conducting
an Audit)
1. Identifies two types of misstatements: known and likely. Likely misstatements
include projections of misstatements based on a sample, and differences between
managements and the auditors judgments for accounting estimates that the auditor
considers unreasonable or inappropriate.
2. Indicates that the closest reasonable estimate for estimated amounts such as
inventory obsolescence may be a range of acceptable amounts or a point estimate. If
managements estimate falls outside the auditors range of acceptable amounts, the
difference between the clients recorded amounts and the amount at the closest end of
the auditors range should be aggregated as a likely misstatement. In addition, the
auditor should consider whether the differences between the estimates best supported
by audit evidence and the clients evidence, which may be individually reasonable,
indicate a possible bias by the entitys management.
3. The auditor should request management to record an adjustment for all known
misstatements except for those considered trivial. The auditor should request
management to examine the class of transactions or account balance to identify and
correct likely misstatements, and review the assumptions for assumptions for
estimates where the auditor has identified a likely misstatement.
SAS No. 108, Planning and Supervision (Supersedes Appointment of the
Independent Auditor as amended of SAS No. 1, Codification of Auditing Standards
and Procedures, and Statement on Auditing Standards No. 22, Planning and
Supervision)
1. Indicates that the auditor should establish an understanding with the client and should
document the understanding through a written communication with the client.
2. The auditor should first develop an overall audit strategy, including the scope of the
engagement, preliminary identification of materiality levels and high-risk areas, and
appropriate staffing levels.
3. Development of a more detailed audit plan that includes:
A description of the nature, timing and extent of planned risk assessment
procedures sufficient to assess the risk of material misstatement as determined
under SAS No. 109.
A description of the nature, timing, and extent of planned further audit procedures
at the relevant assertion level for each material class of transactions, account
balance, and disclosure as determined under SAS No. 110.
4. Provides guidance on supervision, including communication with members of the
audit team regarding the susceptibility of the entitys financial statements to material
misstatements due to error or fraud, with special emphasis on fraud.

SAS No. 109, Understanding the Entity and Its Environment and Assessing the
Risks of Material Misstatement (together with SAS No. 110, Supersedes SAS No. 55,
Consideration of Internal Control in a Financial Statement Audit)
This standard establishes standards and provides guidance on implementing the second
standard of fieldwork, which requires the auditor to obtain a sufficient understanding of
the entity and its environment, including its internal control, to assess the risk of material
misstatement of the financial statements whether due to error or fraud, and to design the
nature, timing, and extent of further audit procedures.
1. The auditor should perform risk assessment procedures to obtain an understanding of
the entity and its environment, including internal control. Risk assessment procedures
include inquiries of management and others within the organization, analytical
procedures, and observation and inspection.
2. The members of the audit team should discuss the susceptibility of the entitys
financial statements to material misstatements. This discussion can be held
concurrently with the discussion of the susceptibility of the entitys financial
statements to fraud required by SAS No. 99.
3. The auditor should obtain an understanding of the following aspects of the entity and
its environment, including its internal control:
Industry, regulatory and other external factors
Nature of the entity
Objectives and strategies and related business risks that may result in a material
misstatement of the financial statements
Measurement and review of the entitys financial performance
Internal control, including the selection and application of accounting policies
4. The auditor should identify and assess the risk of material misstatements at the
financial statement level and at the relevant assertion level related to classes of
transactions, account balances, and disclosures. The auditor should:
Identify risk throughout the process of obtaining an understanding of the entity
and its environment, including relevant controls that relate to the risks.
Relate the identified risks to what can go wrong at the relevant assertion level.
Consider whether the risks are of sufficient magnitude that could result in a
material misstatement of the financial statements.
Consider the likelihood that the risks could result in a material misstatement of
the financial statements.
5. The auditor should determine which of the risks are significant risks that require
special audit attention. In making this determination, the auditor should consider:
Whether the risk is a risk of fraud
Whether the risk is related to recent significant economic, accounting, or other
developments requiring specific attention
The complexity of the transactions
Whether the risk involves significant transactions with related parties
The degree of subjectivity in the measurement of financial information related to
the risks, especially those involving a wide range of measurement uncertainty

Whether the risk involves significant nonroutine transactions that are outside the
normal course of business for the entity, or that otherwise appear to be unusual.
6. SAS No. 109 notes that the auditor may assess inherent risk and control risk on a
separate or combined basis, which has been allowed under existing standards.
However, the auditor can no longer default to control risk at maximum and perform a
substantive audit. Instead, auditors must obtain an understanding of internal controls
and then assess control risk based on that understanding.
SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and
Evaluating the Audit Evidence Obtained (Supersedes Substantive Tests Prior to the
Balance Sheet Date of SAS No. 45 and, together with SAS No. 110, Supersedes SAS
No. 55, Consideration of Internal Control in a Financial Statement Audit)
The statement establishes standards and provides guidance on determining overall
responses and designing and performing further audit procedures to respond to the
assessed risks of material misstatement at the financial statement and relevant assertion
levels in a financial statement audit. The standard also addresses evaluating the
sufficiency and appropriateness of the audit evidence obtained, including guidance about
implementing the third standard of field work.
1. Responses to the risk of significant misstatement include:
Overall responses Addressing the risk of significant misstatement at the financial
statement level may include:
Emphasizing the need to maintain professional skepticism in gathering and
evaluating audit evidence
Assigning more experienced staff or those with specialized skills, or using
specialists
Providing more supervision
Incorporating additional elements of unpredictability in the selection of further
audit procedures to be performed
General changes to the nature, timing, or extent of further audit procedures, such
as performing substantive procedures at year-end rather than an interim date
Response to Risks of Material Misstatement at Relevant Assertion Level the
auditor should design and perform further audit procedures whose nature, timing, and
extent are responsive to the assessed risks of material misstatement at the relevant
assertion level.
2. The auditor must also evaluate the sufficiency and appropriateness of the audit
evidence obtained and should document:
The overall responses to address the assessed risks of misstatement at the
financial statement level
The nature, timing, and extent of the further audit procedures
The linkages of those procedures with the assessed risks at the relevant assertion
level
The results of the audit procedures

The conclusions reached with regard to the use in the current audit of audit
evidence about the operating effectiveness of controls that was obtained in a prior
audit
3. Auditors may test controls that have not changed on a rotational basis. The operating
effectiveness of such controls should be tested at least every third audit. The decision
to rely on evidence on the effectiveness of controls obtained in prior audits depends
on the overall effectiveness of other elements of internal control, the effectiveness of
the control being relied upon, and the risks arising from characteristics of the control,
including whether it is manual or automated.
SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit
Sampling
The statement amends SAS No. 39, Audit Sampling to move guidance from the Appendix
into SAS No. 107, Audit Risk and Materiality in Conducting an Audit and into the text of
SAS No. 111. The Statement also incorporates guidance from SAS No. 99, Consideration
of Fraud in a Financial Statement Audit, and from SAS No. 110, Performing Audit
Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained.
The statement also provides enhanced guidance about establishing tolerable misstatement
for a specific audit procedure and on the application of sampling to tests of controls.
Specific provisions include the following:
1. Auditors should normally set tolerable misstatement for a specific audit procedure at
less than financial statement materiality so that when the results of audit procedures
are aggregated, the required overall assurance is attained.
2. Clarifies that in determining the sample size for a test of details, the auditor should
consider tolerable misstatement and the expected misstatement, the audit risk, the
characteristics of the population, the assessed risk of material misstatement (inherent
risk and control risk), and the assessed risk for other substantive procedures related to
the same assertion.
3. Indicates that the sample sizes for statistical and nonstatistical samples should be
comparable, considering the same sampling parameters.
4. Clarifies that risk assessment procedures to obtain an understanding of internal
control do not involve sampling. Sampling concepts also do not apply for some tests
of controls. Tests of automated application controls are tested only once or a few
times when effective IT general controls are present.
5. When performing a dual-purpose test of the effectiveness of a control and testing
whether monetary misstatements are present, the absence of monetary misstatements
does not necessarily imply that related controls are effective. However, misstatements
that the auditor detects should be considered a possible indication of a control failure
when assessing the operating effectiveness of controls.
SAS No. 112, Communicating Internal Control Related Matters Identified in an
Audit

1. Defines the terms significant deficiency and material weakness.

2. Requires the auditor to communicate significant deficiencies and material weaknesses
in writing to those charged with governance.