Audit Risk Assessment Audits of Non-Issuers (Portfolio 5409)

Bloomberg BNA Tax and Accounting Portfolio 5409-2nd, Audit Risk Assessment in Audits of Non-Issuers (Accounting Policy and Practice Series), analyzes the standards to which auditors must adhere in planning and performing audits to obtain sufficient appropriate audit evidence to express an opinion on an entity's financial statements.

To access this Portfolio, take a free trial to the Bloomberg BNA Financial Accounting Resource Center


This Portfolio is part of the Accounting Policy and Practice Series, an essential resource including more than 70 accounting Portfolios and the latest news and developments.



Bloomberg BNA Tax and Accounting Portfolio 5409-2nd, Audit Risk Assessment in Audits of Non-Issuers (Accounting Policy and Practice Series), analyzes the standards to which auditors must adhere in planning and performing audits to obtain sufficient appropriate audit evidence to express an opinion on an entity's financial statements.
The AICPA's auditing standards provide guidance concerning the auditor's assessment of the risks of material misstatement (whether caused by error or fraud) in a financial statement audit, and the design and performance of audit procedures whose nature, timing, and extent are responsive to the assessed risks. Additionally, the standards provide guidance on planning and supervision, the nature of audit evidence, and evaluating whether the audit evidence obtained affords a reasonable basis for an opinion regarding the financial statements under audit.
The primary objective of the standards is to enhance auditors' application of the audit risk model in practice by specifying, among other things:

• More in-depth understanding of the entity and its environment, including its internal control, to identify the risks of material misstatement in the financial statements and what the entity is doing to mitigate them.
• More rigorous assessment of the risks of material misstatement of the financial statements based on that understanding.
• Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.

This Portfolio focuses on the general approach to conducting audits responsive to assessed risks. Specifically, it focuses on the key issues identified in the risk assessment standards. Since the focus of this Portfolio is on the audit process, this Portfolio does not cover specific audit procedures. It also does not cover standards related to audit reports or other auditor communications. Auditors are reminded that professional standards provide detailed guidance in these areas that must be followed in the performance of an audit.
The Portfolio may be cited as Bloomberg BNA Tax and Accounting Portfolio 5409-2nd, Madray, Benedict & Brown. Audit Risk Assessment in Audits of Non-Issuers (Accounting Policy and Practice Series).


J. Russell Madray, CPA, Master of Professional Accountancy, Clemson University (1988); B.S. in Accounting, Clemson University (1986). President of The Madray Group Inc., which helps businesses, accounting firms, and other organizations understand and implement technical accounting and auditing issues; senior lecturer at Clemson University's School of Accountancy and Legal Studies; former member, AICPA Accounting and Review Services Committee; former member, Board of Directors, South Carolina Association of CPAs. Author of Attestation and Other Special Engagements (CCH), Compilations and Reviews (CCH), OCBOA Guide (CCH), and the AICPA's annual Compilation and Review Alert.

Carrie Benedict, CPA, Master of Accountancy, Case Western Reserve University (2002); B.S. (Accounting and English), Heidelberg College (2001). Candidate for J.D., Ohio State University (May 2010); former assurance manager, Grant Thornton LLP.

Paul Brown, CPA is the technical reviewer for a large state CPA Society in the state society's American Institute of Certified Public Accountants (AICPA) Peer Review Program. The program administers approximately 450 reviews annually and oversees approximately 125 peer reviewers. Paul has previously been an instructor and author of continuing education programs, for which he had received several outstanding discussion leader and author awards. He also served on the AICPA's Technical Reviewers Advisory Task Force to the Peer Review Board and serves as staff liaison to two committees and one section at the state society level. Prior to joining the state society, Paul was an audit manager with the regional firm in Florida. He holds a Bachelor of Science degree in accounting and finance from Florida State University.


Detailed Analysis

I. Introduction, Background, and Scope of Portfolio

A. Purpose of Portfolio

B. Background and History

1. AICPA Statements on Auditing Standards Established by the AICPA

2. Auditing Standards Established by the PCAOB

C. Risk Assessment Standards

II. Key Concepts of Audit Risk Assessment

Introductory Material

A. Reasonable Assurance

B. Audit Risk and the Risk of Material Misstatement

1. Audit Risk Model

2. Risk of Material Misstatement

3. Detection Risk

4. Historical Perspective of the Audit Risk Model in GAAS

C. Materiality and Tolerable Misstatement

1. Materiality in the Audit Environment

2. Financial Statement Users

3. Nature of Misstatements

4. Qualitative Considerations

5. Tolerable Misstatement

D. Financial Statement Assertions

E. Internal Control

1. Internal Control Defined

2. Components

a. Control Environment

(1) Communication and Enforcement of Integrity and Ethical Values

(2) Commitment to Competence

(3) Board of Directors or Audit Committee Participation

(4) Management's Philosophy and Operating Style

(5) Organizational Structure

(6) Assignment of Authority and Responsibility

(7) Human Resource Policies and Practices

(8) Application to Small and Mid-Size Entities

b. Entity's Risk Assessment Process

c. Information and Communication

(1) Information Systems

(2) Communication

(3) Application to Small and Mid-Sized Entities

d. Control Activities

(1) Performance Reviews

(2) Information Processing

(3) Physical Controls

(4) Segregation of Duties

(5) Application to Small and Mid-Sized Entities

e. Monitoring of Controls

(1) In General

(2) Application to Small and Mid-Sized Entities

3. Nature of Controls

4. Control Design

5. Control Operation

6. Other Characteristics of Internal Control

a. Significance of Controls

b. Complementary Controls

c. Preventive Versus Detective Controls

7. Control Deficiencies

F. Information Technology

1. Implications for Internal Control

2. Implications for Audit Planning

G. Audit Evidence

1. In General

2. Sufficiency of Audit Evidence

3. Appropriateness of Audit Evidence

III. Steps in the Audit Risk Model

IV. Engagement Planning and Supervision

A. In General

B. Relationship Between the Overall Audit Strategy and the Audit Plan

1. Overall Audit Strategy

2. Audit Plan

C. Establishing an Understanding With the Client

D. Preliminary Engagement Activities

1. Procedures for Engagements With Existing Clients

2. Procedures for Engagements With New Clients

E. Establishing Planning Materiality and Tolerable Misstatement

1. Lesser Materiality for Particular Items

2. Tolerable Misstatement

a. Estimation Approach

b. Rule-of-Thumb Approach

3. Considerations as the Audit Progresses

F. Supervising Assistants

1. Required Discussions and Communications With Assistants

2. Reviewing the Work Performed by Assistants

3. Differences of Opinion

G. Extent of Involvement of Professionals Having Specialized Skills

H. Discussions With Management and Those Charged With Governance

I. Documenting Audit Planning

V. Gathering Information About the Entity and Its Environment, Including Internal Control

Introductory Material

A. Scope of Necessary Information

1. Sufficiency of Understanding

2. Extent and Purpose of Understanding

a. External Factors

b. Nature of Entity

c. Objectives and Strategies and Business Risks

d. Measurement and Review of Financial Performance

e. Internal Control

B. Performing Procedures to Gather Information

1. Risk Assessment Procedures

a. Inquiries of Management and Others Within the Entity

b. Analytical Procedures

c. Observation and Inspection of Documents

(1) In General

(2) Walkthroughs

2. Other Procedures

3. Using Information Obtained in Prior Periods

C. Discussion Among the Audit Team

D. Gathering Information About Internal Control

1. Documentation of Internal Control

a. Management's Documentation of Internal Control

b. Auditor's Documentation

c. Ability to Assess Control Design

d. Communications Component of the Entity's Internal Control

2. Initial Determination of the Overall Scope of Evaluation of Internal Control

3. Consideration of IT Systems

4. Consideration of Controls at a Service Organization

5. Outsourcing

6. Relevant Entity-Level Controls

a. Elements of the COSO Control Components

b. IT General Controls

c. Antifraud Programs and Controls

d. Controls Related to Significant Financial Statement-Level Risks

e. Other Relevant Entity-Level Controls

7. Relevant Activity-Level Controls

a. Elements of the COSO Components and Antifraud Controls

b. Revenue Recognition

c. Controls Related to Significant Activity-Level Risks

d. Other Controls That Are Relevant to the Audit

8. Perform Risk Assessment and Other Procedures

a. Information Obtained in Prior Audits

b. Performing Risk Assessment Procedures to Gather Information About Internal Control

(1) Inquiries

(2) Analytical Procedures

(3) Observation and Inspection

(4) Other Procedures

(5) Walkthroughs

E. Documenting Risk Assessment and Other Procedures

VI. Gaining an Understanding of the Entity and Its Environment

Introductory Material

A. External Factors

B. Nature of the Entity

C. Objectives, Strategies, and Related Business Risks

D. Measurement and Review of Financial Performance

E. Internal Control

1. Relevant Controls

a. Controls Related to Preparation of Financial Statements

b. Controls Over Completeness and Accuracy of Information

c. Controls Over Safeguarding of Assets

2. Depth of Understanding of Internal Control

a. Control Environment

b. Entity's Risk Assessment Process

c. Information and Communication Systems

(1) Information Systems

(2) Communication Systems

d. Control Activities

(1) IT Application Controls

(2) IT General Controls

e. Monitoring of Controls

3. Automated Internal Control Elements

4. Manual Internal Control Elements

5. Limitations of Internal Control

F. Evaluation of the Design and Implementation of Internal Control

1. Evaluating Control Design

2. Determining if the Control Has Been Implemented

3. Distinguishing Between the Evaluation and Assessment of Operating Effectiveness

4. Absence of Control Documentation

5. Evaluating Entity-Level Controls

a. Control Environment

b. Risk Assessment Process

c. Information and Communication

d. Monitoring of Controls

e. Other Entity-Level Controls

(1) Antifraud Programs and Controls

(2) IT General Controls

(3) Controls Over Nonroutine Transactions, Judgmental Matters, and the Selection and Application of Significant Accounting Policies

(4) Responsibilities of Those Charged With Governance

6. Evaluating Activity-Level Controls

a. Information Systems

b. Control Activities

7. Identifying Control Deficiencies

G. Documenting the Understanding of the Entity and Its Environment

VII. Assessing the Risk of Material Misstatement

Introductory Material

A. Considerations at the Financial Statement Level

B. Considering Internal Control When Assessing Risks

C. Significant Risks

1. Significant Financial Statement-Level Risks

2. Significant Assertion-Level Risks

D. Situations in Which Substantive Procedures Alone Are Not Effective

E. Revising Risk Assessment

F. Considerations at the Assertion Level

G. Documenting Assessment of Risk and Design of Further Audit Procedures

VIII. Responding to the Assessed Risks

Introductory Material

A. Overall Responses

B. Responses to Risks of Material Misstatement at the Relevant Assertion Level

C. Further Audit Procedures

1. Nature of Further Audit Procedures

2. Timing of Further Audit Procedures

3. Extent of Further Audit Procedures

D. Tests of Controls

1. Nature of Tests of Controls

2. Timing of Tests of Controls

3. Extent of Tests of Controls

E. Substantive Procedures

1. Nature of Substantive Procedures

2. Timing of Substantive Procedures

3. Extent of Substantive Procedures

F. Generic Audit Programs

G. Adequacy of Presentation and Disclosure

H. Documenting Further Audit Procedures

IX. Evaluating Audit Findings, Audit Evidence, and Control Deficiencies

Introductory Material

A. Consideration of Misstatements

B. Communicating Material Misstatements to Management

C. Considering and Evaluating Uncorrected Misstatements

1. Evaluating Uncorrected Misstatements Individually

2. Evaluating Uncorrected Misstatements in the Aggregate

D. Evaluating Whether the Financial Statements Taken as a Whole Are Free of Material Misstatement

E. Evaluating the Sufficiency and Appropriateness of the Audit Evidence

1. Inconsistencies in Audit Evidence, Findings, and Estimates

2. Deviations From Prescribed Controls and Misstatements in Substantive Tests

F. Identifying and Evaluating Control Deficiencies

1. Definitions

2. Evaluating Control Deficiencies

a. Compensating Controls

b. Prudent Official Test

c. Examples of Circumstances That May Be Deficiencies, Significant Deficiencies, or Material Weaknesses

3. Communication Requirements

a. Timing of Communication

b. Communication of Other Matters Related to Internal Control

c. Management's Written Response to the Auditor's Communication

d. Auditor's Responsibility for Significant Deficiencies and Material Weaknesses Not Corrected by the Client

e. Inclusion of Additional Statements in the Communication Regarding Inherent Limitations of Internal Control

4. Issues for Audits of Smaller Entities

G. Documenting Evaluation of Audit Findings

Working Papers



Worksheet 1 Glossary

Worksheet 2 Acronyms

Worksheet 3 The GAAS Hierarchy

Worksheet 4 Generally Accepted Auditing Standards

Worksheet 5 Illustrative Audit Engagement Letter

Worksheet 6 Examples of Matters the Auditor May Consider in Establishing the Overall Audit Strategy

Worksheet 7 Understanding the Entity and Its Environment

Worksheet 8 Illustrative Financial Statement Assertions and Examples of Substantive Procedures-Illustrations for Inventories of a Manufacturing Company

Worksheet 9 Conditions and Events That May Indicate Risks of Material Misstatement

Worksheet 10 Examples of Circumstances That May Be Control Deficiencies, Significant Deficiencies, or Material Weaknesses

Worksheet 11 Evaluation Questions

Worksheet 12 Illustrative Written Communication of Internal Control Related Matters Identified in an Audit

Worksheet 13 Illustrative Written Communication of Internal Control Related Matters Identified in an Audit When the Auditor Has Not Identified Any Material Weaknesses

Worksheet 14 Control Deficiency Case Studies




Case Law

SEC Regulations

SEC Releases

SEC Staff Accounting Bulletins


PCAOB Releases

FASB Statements

FASB Concepts Statements

AICPA Statements on Auditing Standards

AICPA Statements on Quality Control Standards

AICPA Code of Professional Conduct

AICPA Audit Guides and Audit Risk Alerts

Office of Management and Budget



BNA Portfolios