Thomas Noce

New Tool for Documentation of Audits

Finally some help for auditors dealing with the new (and somewhat confusing) documentation requirements.

November 17, 2008
Sponsored by CPE Link

by Thomas Noce, CPA, CFE

In response to increases in audit failures, peer review deficiencies and other perceived practitioner quality of work issues, today’s auditors have been mandated to document their files to an almost burdensome level. Within the past 12 months, SAS Nos. 104 through 111 became effective for periods beginning after December 15, 2006. These standards made obsolete the methodology of performing audits using a “default” to maximum risk. This has left auditors struggling procedurally on how to implement this new “risk-based” approach to auditing and having to deal with expanded and sometimes confusing documentation requirements. For a demonstration of a step-by-step approach to meeting the documentation standards, tune in to a free one-hour Webcast on Wednesday, November 26.

Audits Under SAS 55

Before these new standards were adopted, our profession’s audits were governed procedurally by SAS No. 55. This standard contained a provision stating that once the auditor had gained an understanding of the control environment and performed a risk assessment, they had available to them the concept of “maximum risk.” Various commercial publishers latched on to this concept of “maximum risk” and began to lead auditors down a path of a fully substantive audit, claiming that reliance on controls was never an efficient approach in an audit of a small business. Once auditors accepted this methodology as gospel, increasingly less time and attention was spent by the auditor gaining understanding of controls. Some believe this has created a “connect-the-dots” audit approach — audit procedures performed by rote, without an understanding of why the procedures were performed. This approach became commonly known as the “default to maximum risk.”

Assertion-based Auditing

With the adoption of the AICPA’s risk assessment standards, this approach to auditing has become a thing of the past. In order to effectively implement this risk-based approach, auditors must gather, understand and document substantially more information than ever before about the entity and its environment, including its internal control. Additionally, these new standards have reinforced the long-standing concept of assertion-based auditing. For each significant audit area, auditors must identify relevant assertions and document the controls that the company has in place to prevent material misstatement, whether caused by error or fraud. In performing and documenting the risk assessment, the auditor should consider these controls, while evaluating and documenting the risk of material misstatement. In response to the risk assessment, the auditor must then develop further audit procedures. Many feel the intent of the Auditing Standards Board (ASB) was to eliminate the use of “standard” commercial audit programs.

The Need for New Documentation Methodology

This new audit methodology, paired with the enhanced documentation requirements, has left many auditors confused. Some existing commercial providers of practice aids have taken the approach of modifying their existing products to conform to these new requirements. In many instances, it appears that these products add an additional layer of documentation and then take auditors back to the inefficient programs that the provider had previously published. If properly implemented, the new suite of risk assessment standards should make auditors more efficient by identifying risk areas and only performing procedures that are necessary to mitigate that risk. The changes embodied in these standards are so pervasive that they mandate new documentation methodology.

A Practitioner-designed Solution

A solution is available! CPE Link has just released the Risk Assessment Toolkit. The Toolkit was designed by practitioners, Thomas Noce CPA, CFE and Thad Scott, CPA, CFE, from the bottom up to provide a concise format to document compliance with the new standards. The Toolkit is an integrated set of templates designed as a practice aid to assist practitioners in complying with the increased professional standards.

The Risk Assessment Toolkit provides systematic documentation of the following audit areas:

  • Pre-engagement activities
  • Initiation audit strategy
  • Materiality
  • Interview documentation
  • Understanding of entity and operating environment
  • Engagement team meeting
  • Overall and assertion level risk assessment
  • Fraud risk documentation including mandatory procedures required by SAS No. 99
  • Significant area summary
  • Audit strategy worksheets for assertion level risk assessment

The key to the Risk Assessment Toolkit is the Audit Strategy Worksheets. These worksheets will guide the practitioner through the steps necessary to comply with the assertion based approach required. The worksheets guide the practitioner step-by-step through:

  • Mandatory risk assessment procedures
  • Documentation of relevant assertions
  • Understanding of controls in place for each assertion
  • Summary as to whether controls have been appropriately designed and are in place
  • Risk assessment by assertion
  • Documentation of further audit procedures responsive to the risk assessment

Check out the Risk Assessment Toolkit today!

Thomas Noce, CPA, CFE, is a graduate of Rutgers University with a degree in accounting. He holds a Certificate in Personal Financial Planning from UC Riverside and is a Certified Fraud Examiner.

Noce’s professional experience includes a variety of clients, including tribal entities, hotels, real estate, construction, homeowners associations, country clubs and nonprofit organizations. In addition to his tax and accounting practice, Noce performs special engagements dealing with internal controls and fraud prevention and detection. He has written and taught numerous CPE courses focusing on the new risk assessment standards and has recently partnered with fellow CPA and CFE, Thad H. Scott to develop the Risk Assessment Toolkit to assist practitioners in complying with the standards.