Regulators are giving auditors some fresh reminders on how to approach the next audit to assure they properly comply with auditing standards around risk.
The Public Company Accounting Oversight Board published a report describing the deficiencies it sees in audit inspections in how firms implement and comply with Auditing Standards No. 8-15, known as the risk assessment standards. The standards address audit risk, audit planning, supervision of the engagement, materiality considerations in planning and carrying out the audit, identifying and assessing risks of material misstatement, evaluating audit results, and audit evidence.
The standards were adopted in 2010 to address how auditors assess and respond to risks of misstatement and how they evaluate the results of their work. The report focuses on compliance problems audit regulators have seen in inspections dating back to 2012.
The PCAOB says it is concerned about the number and significance of deficiencies it continues to see in complying with the risk standards. "Because risk assessment underlies the entire audit process, it is critical that audit firms address these findings of weaknesses in compliance with the risk assessment standards," said James R. Doty, chairman of the PCAOB, in a statement.
The PCAOB says 26 percent of the 632 audit engagements inspected in 2012 exhibited a deficiency in one or more of the risk standards. Similarly, inspectors found problems in 27 percent of the 848 engagements scrutinized in 2013. While complete data on 2014 inspections is not available, the PCAOB says a preliminary analysis suggests “a high rate of audit deficiencies” related to risk assessment standards.
The bulk of the problems are focused on AS 13, AS 14 and AS 15, the PCAOB says, which are focused on audit response to the risks of misstatement, evaluating audit results, and audit evidence. That suggests auditors are most troubled in how to respond to risks when they uncover them during their audit work. For example, the PCAOB says, auditors too often fail to perform substantive procedures specifically addressing fraud risks or other significant risks they identify, and they too often do not evaluate the accuracy and completeness of financial statement disclosures.
Auditors also too often fail to test the accuracy and completeness of information produced by the company, the PCAOB says. That’s been a common theme for the past few years after the PCAOB published Audit Alert No. 11 to point out to auditors that they don’t do enough to verify information contained in management reports or produced by information systems.
In addition to pointing out the problems it sees, the PCAOB’s report also explores the reasons for those problems and actions that audit firms can take to raise their game. The report says, for example, it appears sometimes auditors do not adequately understand the issuer and its internal control processes, and sometimes the tools firms provide to auditors to not enable engagement teams to tailor their audit procedures to respond to risk. Sometimes the problem is with the audit design, and sometimes senior members of the engagement team are not adequately involved. Some auditors don’t exercise enough skepticism, and some firms don’t put enough emphasis on training auditors to test journal entries, the PCAOB says.
The report also offers some questions for audit committees to asking their auditors. Are any of these risk compliance problems showing up in your inspections? Where have you identified significant risks of material misstatement, and how have you planned the audit to address that? How has it changed from last year, and why?