November 18, 2020
Director of Research and Technical Activities
File Reference No: 2020-600
Submitted via email to: [email protected]
Re: Proposed Statement on Auditing Standards – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
Dear Technical Director:
The Virginia Society of CPAs (VSCPA) Accounting and Auditing Advisory Committee has reviewed the proposed Statement on Auditing Standards (SAS), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, issued by the Auditing Standards Board (ASB). The VSCPA is a leading professional association dedicated to enhancing the success of all CPAs and their profession by communicating information and vision, promoting professionalism, and advocating members’ interests. The VSCPA membership consists of more than 13,000 individual members who actively work in public accounting, private industry, government and education. We acknowledge that the ASB has issued the proposed SAS in an effort to increase stakeholder awareness of this particular topic as a part of its effort to modernize and update AU-C Section 315 for an evolving business environment. The Committee appreciates the work the ASB has undertaken on this effort and the opportunity to respond to the proposed SAS.
The Committee offers the following comments related to the proposed SAS:
Question 1: Are the requirements and application material of the proposed SAS sufficiently scalable, that is, is the proposed SAS capable of being applied to the audits of entities with a wide range of sizes, complexities, and circumstances?
The Committee feels the requirements and application are scalable for a wide range of entities that differ in size, complexity and circumstances. The effort to put forth a better understanding of Inherent Risk at both the financial statement and assertion level provides auditors the framework necessary to assess the actual risk of an account balance or disclosure. This changes greatly with size and complexity. An example of this is cash. An entity with only one bank account that is maintained in an insured US bank account has very little inherent risk associated with the presentation and disclosure of cash in its financial statement; therefore, very little audit testing needs to be done in this area. However, if there are multiple bank accounts and some are maintained in foreign currency, the inherent risk rises significantly both at the financial statement level and assertions level. Also, by separating the size from complexity and circumstances, the auditor is not locked into something simply because one of the factors changes, i.e. size does not necessarily agree to complexity (Ref Par. 9, Scalability).
Question 2: Do the proposals made relating to the auditor’s understanding of the entity’s system of internal control assist with understanding the nature and extent of the work effort required and the relationship of the work effort to the identification and assessment of the risks of material misstatement? Specifically:
Question 2a: Have the requirements related to the auditor’s understanding of each component of the entity’s system of internal control been appropriately enhanced and clarified? Is it clear why the understanding is obtained and how this informs the risk identification and assessment process?
Yes, the Committee feels that the requirements for understanding each component of the entity’s system of internal controls (IC) are clarified and enhanced. It is clear why this understanding is important and how it informs the risk identification and assessment process. Par. A56 - A61 discuss how this understanding affects the quality and efficiency of the audit by gathering information that aids the auditor in focusing resources in the areas where more risk of material misstatement (due to error or fraud) likely exists. It also helps the auditor determine whether enough expertise exists on the current team (A61) or if another person with specialized skills needs to be added to assist the audit in those areas. Par. A59 discusses audit efficiency by using the understanding of the entity and its IC to reduce test work in less risky areas. Without this understanding of the entity and its environment, there would be no way to determine where these areas exist. This would create an audit that would be both inefficient (over testing in low-risk areas) and substandard in quality (under testing in high-risk areas).
Question 2b: Have the requirements related to the auditor’s identification of controls that address the risks of material misstatement been appropriately enhanced and clarified? Is it clear how controls that addressed the risks of material misstatement are identified, particularly for audits of smaller and less complex entities?
Yes, the Committee feels the requirements related to identification of controls that address risk of material misstatement have been appropriately enhanced and clarified for all types of entities including smaller and less complex entities. The layout of control activities in A169 - A171 is an excellent guide for identifying controls that have the most significant impact on material misstatement in the financials. Par A172 - A173 discuss scalability and that segregation of duties, as a risk of material misstatement, can be offset in small organizations by more direct involvement of management/owners. It also discusses that this increases the risk of management override.
Question 2c: Given that COSO's 2013 Internal Control—Integrated Framework (COSO framework) is often used by entities subject to the AICPA’s generally accepted auditing standards, is the terminology in paragraphs 21–27 and related application material of the proposed SAS clear and capable of consistent interpretation for audits of entities that use the COSO framework?
Yes, the Committee feels that the terminology used in par 21 - 27 and related application material is consistent with the COSO framework.
Question 3: Are the enhanced requirements and application material related to the auditor’s understanding of the IT environment, the identification of the risks arising from the entity’s use of IT, and the identification of general IT controls clear to support the auditor’s consideration of the effects of the entity’s use of IT on the identification and assessment of the risks of material misstatement?
Yes, the Committee agrees that the enhanced requirements and application material on understanding the IT environment, its risks, and general IT controls are clear and support the auditor’s consideration of the effects of IT on material misstatement. Almost all data, both financial and non-financial, that can affect the presentation of the financials goes through at least one automated system. Appendix E discusses how pervasive the effects of IT on the financial process have become. It lays out the importance of understanding the controls in the IT process as well as the interaction of manual controls that exist outside the IT system.
Question 4: Do you support the introduction in the proposed SAS of the new concepts and related definitions of significant classes of transactions, account balances, and disclosures, and their relevant assertions? Is there sufficient guidance to explain how they are determined (that is, that an assertion is relevant when there is a reasonable possibility of occurrence of a misstatement that is material with respect to that assertion), and how they assist the auditor in identifying where risks of material misstatement exist?
Yes, the Committee supports the introduction of the proposed SAS and believes there is sufficient guidance to explain how the new concepts were determined. By moving the focus to a spectrum of inherent risk, see par 5, it helps focus the auditor on those areas (classes of transactions, account balances, and disclosures) where there is the highest likelihood that a misstatement may occur. This creates a more efficient, higher quality audit.
Question 5: Do you support the introduction of the spectrum of inherent risk into the proposed SAS?
Yes, the Committee supports the introduction of the spectrum of inherent risk. By applying a spectrum that integrates both the size and likelihood of inherent risk, you have a clearer picture of how to determine what is, and is not, a significant risk. As stated in A181, it would also be beneficial in evaluating the need and benefit of control testing in reducing the Risk of Material Misstatement (RMM) to an acceptable level. In addition, using the spectrum still leaves auditor judgement intact for those items that rank high in one category while low in another. It will force the auditor to truly think about inherent risk in a broad way vs just a H, M, L perspective.
Question 6: Do you support the separate assessments of inherent and control risk in relation to all risks of material misstatement at the assertion level?
Yes, the Committee agrees with the separate assessments of inherent and control risk. As discussed in the revision to .A44 with .A45, GAAS already requires inherent risk to be assessed without consideration of controls. With this being the case, clarifying that inherent risk must be assessed separately emphasizes that requirement. In addition, placing any reliance on internal controls is a test step in the audit process that helps mitigate the risk associated with the financials or an assertion. Inherent risk is the only risk assessment that requires no actual procedures be performed outside gaining an understanding of the client and its environment. The need to perform any testing of IC is dependent on how that affects RMM; therefore, it is impossible to determine what needs to be done without a complete and separate assessment of inherent risk prior to consideration of controls in place.
Question 7: What are your views regarding the clarity of the requirement to assess the control risk, in particular, when the auditor does not plan to test the operating effectiveness of controls?
The Committee feels there is some confusion on why there is a need to identify and understand the client’s internal controls, if there will be no reliance on the effectiveness of controls, A252. If the identification and understanding have no effect on the testwork to be performed, what is gained through the identification and understanding? We do understand that gaining this understanding will aid with determining what controls to test, if needed to reduce RMM. However, a requirement to gain an understanding and identify controls that will then be ignored seems to be an inefficient way to run an audit. Also, a walkthrough of controls that provides no audit evidence that reduces overall risk seems to be an inefficient use of resources. If there was wording related to the need to identify and gain an understanding of IC to document whether there are any controls that can be tested to reduce overall RMM, it would provide a clearer understanding of this need for doing something that may be ignored during the audit. An understanding of controls is necessary to determine if the system of IC is ineffective and, therefore, cannot be tested.
Question 8: What are your views regarding the clarity of the requirement in paragraph 26d of the proposed SAS to evaluate design and determine implementation of certain control activities (including, specifically, the requirement related to controls over journal entries)?
The Committee feels that the explanations in A194 – A202 provide greater clarity related to the need to identify and understand the entity’s IC, as this focuses on fraud prevention and the need to inform the client about any IC that are improperly designed or are not actually in place. As journal entries are at the highest risk for the occurrence of fraud or misstatement, an entity’s lack of control over journal entries has the potential to create a significant misstatement on the financials with little other documentation to support the transaction. Par. .A49 addresses the significance of this risk.
Question 9: Do you support the revised definition, and related material, on the determination of significant risks? What are your views on the matters previously presented relating to how significant risks are determined based on the spectrum of inherent risk?
The Committee supports the revised definition, and related material, on the determination of significant risk. In par A13, the definition provided for significant risk is considered in context with likelihood and magnitude and how those two items intersect. This seems to provide a much better framework by isolating a risk and its significance to the financial statement and related disclosures. By removing the CR through specifically associating Significant Risk with Inherent Risk, it enables the auditor to focus on what truly makes something a Significant Risk. Internal controls are a test to help mitigate the Significant Risk of a disclosure or account balance and should not come into consideration of Significant Risk. You would not consider a lawn mower when assessing the risk that your grass would grow too tall. The lawn mower is a tool to mitigate that risk, not assess it.
Question 10: What are your views about the proposed stand-back requirement in paragraph 36 of the proposed SAS and the conforming amendments proposed to paragraph .18 of AU-C section 330?
The Committee supports the stand-back requirements in par 36.
Question 11: What are your views with respect to the clarity and appropriateness of the documentation requirements?
The Committee feels the guidance on the documentation requirements is appropriate. Overall document requirements are to allow an experienced auditor to follow what is documented in the workpapers and be able to understand the conclusion without needing additional verbal explanation from the auditor. Par. A259 - A263 lay out what needs to be covered in the documentation and discuss that the complexity of the client has a significant influence on how much documentation would be required. Less complex entities would need far less documentation to cover their IC, Inherent Risk, and what areas are significant risks.
Again, the Committee appreciates the opportunity to respond to this ED. Please direct any questions or concerns to VSCPA Vice President, Advocacy Emily Walker, CAE, at [email protected] or (804) 612-9428.
Natalya Yashina, CPA
VSCPA Accounting & Auditing Advisory Committee
VSCPA Accounting & Auditing Advisory Committee:
Natalya Yashina, CPA – Chair
Tamara Greear, CPA – Vice Chair
Zach Borgerding, CPA
Michael Cahill, CPA
George Crowell, CPA
Scott Davis, CPA
Bo Garner, CPA
M. James Hartson Jr., CPA
Josh Keene, CPA
Zach Morris, CPA
Michael Phillips, CPA
Charlie Valadez, CPA