American Institute of CPAs chief auditor Bob Dohrer and AICPA Auditing Standards Board chair Tracy Harding discussed AICPA’s progress on some recent audit and attest standards during the Engage 2020 online conference Monday.
The conference took place online this year due to the novel coronavirus pandemic. Dohrer noted that the board issued a new standard, SAS 142, on audit evidence in May, the first major revision in that area in over a decade.
“We realized it’s very important that the AICPA, in our efforts to modernize our auditing standards and make them more relevant in today's world, that perhaps some revisions to one of our fundamental standards was really necessary,” said Dohrer. “The board undertook a project to address the evolving nature of audit services, as well as how emerging tools and techniques, including data analytics and other technology, impacts the evaluation of audit evidence. The importance is especially heightened in an electronic world of practicing and exhibiting professional skepticism, and then recognizing that through the use of technology, and just the internet and the vast amounts of information available today, that auditors are using more and more information obtained from external information sources. Those were the big drivers behind this effort.”
He acknowledged that the audit evidence project was undertaken ahead of the International Auditing and Assurance Standards Board, but the AICPA is closely monitoring the IAASB’s work on international standards for that area.
The new SAS 142 is effective for audits of periods beginning on or after Dec. 15, 2022. “If you look at what we have done with the audit evidence standard, we thought it was very important that this standard be a principles-based standard that would withstand the test of time,” said Dohrer. “The fundamentals, the conceptual underpinnings of the standard, would be robust and stand for a long time, but not so rigid and restrictive that we wouldn't allow firms and auditors to be able to innovate within those principles to achieve the objectives of today's audits.” The AICPA Auditing Standards Board made some changes to the objective of the audit evidence standard. The older standard was more focused on designing audit procedures to obtain audit evidence. The new standard focuses more on how, once the audit evidence has been obtained, understanding what criteria and what factors, should be taken into account in assessing whether the information is sufficient and appropriate, and meets the requirements of U.S. auditing standards.
“What we have done is to develop a framework for evaluating the attributes of audit evidence so that we could continue to evaluate sufficiency and appropriateness,” said Dohrer. “Those are two concepts that we have not abandoned. We think those have served as well. When we think about sufficiency, it is not just the quantity of evidence. In today's electronic world, it is difficult to manage or measure information in terms of inches or centimeters, or how thick your file is, but rather sufficiency is thinking about non-quantitative measures also. Appropriateness deals with the relevance and reliability of the information being used as audit evidence. The thought in this new audit standard is that when you bring together sufficiency and appropriateness, the goal is to obtain persuasive audit evidence. Persuasive is when it’s sufficient enough for the auditor to draw appropriate conclusions for the intended purpose, whatever your reporting purposes.”
In the new standard, the ASB incorporated the concept of understanding and considering whether information cooperates or contradicts management assertions. “In today's environment, when information can be obtained from external sources so readily, sometimes it is difficult to get our arms around the reliability of that information because we can't test controls in an external source,” said Dohrer. “We wanted to make sure to bring in this concept of contradiction, so that auditors didn't just dismiss the information that was contradictory because they weren’t able to test controls around it, or something of that nature. As long as we are using those basic fundamental concepts, continuing to consider whether the information is sufficiently precise and detailed, we feel that forms a good, robust framework for evaluating sufficiency and appropriateness of audit evidence.”
In the new audit evidence standard, the AICPA included a quick explanation of some of the relationships between it and other auditing standards, such as one about performing audit procedures standards in section 330 have to say about audit evidence. “The higher the risk of a material misstatement, the more persuasive the audit evidence should be,” said Dohrer.
Harding discussed another recent standard from the AICPA’s Auditing Standards Board, SAS 143 on auditing accounting estimates and related disclosures, which was finalized in May. “If you think about all of the ways in which audits are affected by estimates and financial reporting is affected by estimates nowadays, it has certainly become a bigger and bigger focus of the audit,” he said. He pointed to the changing accounting rules in recent years from the Financial Accounting Standards Board on fair value, impairment, business combinations, revenue recognition, equity, investments and share-based payments, and their impact on the auditor. “We felt it was important to update our auditing standard for that to reflect the need to robustly consider the risks that arise from accounting estimates, and make sure that our guidance is appropriate for auditors,” said Harding.
He noted, however, that the standard may not actually change that much what auditors are already doing. “We did feel it was important that the estimate standard be beefed up a little bit in terms of the requirements,” he added. “This one is effective for calendar 2023 audits. We thought the 2023 effective date would be particularly appropriate given that the so-called CECL standard, Current Expected Credit Losses, is going to be effective for 2023 for audits done according to our standards, so there again another big estimate for some guidance may be appropriate.”
The new standard is converged with both the IAASB’s new standard on estimates and is consistent with the Public Company Accounting Oversight Board’s recent standard on auditing estimates.
“We did try to address scalability, recognizing that some estimates are relatively straightforward, like depreciation, and some others in certain circumstances are straightforward, whereas others are very complex,” said Harding. “So the effort needs to be scaled up or down to reflect that. It all comes down to risk assessment and response.”
The AICPA has a risk assessment project that requires a separate assessment of inherent risk and control risk. Because of those risks and some of the differences between them, we thought it would be important the assessments of those be done separately. The risk assessment requirements specific to estimates address the increasing complexity of the business environment and of the accounting rules and how those can increase risks.
“We did focus in particular on management’s process for making the estimate,” said Harding. “They came up with an amount, but what sort of methodology did they use? What sort of assumptions did they make? Did they use a specialist in coming up with that estimate? If the auditor thinks about the risk and applies professional skepticism, the auditor needs to think about that process and those assumptions and really challenge them to see if they make sense.”
The AICPA’s Auditing Standards Board has also been updating its standards for attestation engagements. “One might ask yourself, what was wrong with the old agreed-upon procedure standard, or what was the ASB trying to accomplish here? I think based on feedback and input we received, particularly from many of our smaller practitioners and member firms, there were some things with our old standard that got in the way or weren’t as flexible as they could be,” said Dohrer. “So, the ASB undertook some work and I think they have done a really good job with this and came up with a good new standard issued back in December 2019. The big thing is it no longer requires an assertion from the responsible party.”
The feedback received by the board cast doubt on the substance behind the assertion and whether it’s based on an actual measurement.
“So, we have taken away the requirement for that assertion,” said Dohrer. “We think that will make it more widely usable, and allow it to be performed on subject matters that are evolving and new, and therefore the responsible party perhaps, although they are responsible for the subject matter, don't quite understand or have the capabilities in-house to do the measurement themselves. We also no longer require that the procedures be known at the beginning of the engagement. And, we allow the flexibility by allowing those procedures to be ongoing during the course of the engagement. And the practitioner can assist in developing those procedures.”
This should make it easier with engagement letters. “We all knew the old drill with the requirement to have your list of agreed-upon procedures that was in your original letter, and then the responsible party or the engaging party would have to acknowledge that those were agreed to,” said Dohrer. “And, every time throughout the engagement there was a change in procedures, you had to amend the arrangement letter, or perhaps at the end of the engagement, you updated what you actually did and then got a signature indicating they were acceptable to the responsible party and engaging party. We have done away with that busy work, if you will, in an engagement. We now just say that the practitioner can assist in developing the procedures, as long as the engaging party acknowledges that those procedures are appropriate for the intended purpose of the engagement prior to issuance of the report. So, there’s no more of this back-and-forth and that sort of thing. As long as everybody agrees on the procedures to be performed, or that were performed, and their appropriateness before the report was issued, that is all that is required. It also doesn't require stated responsibility for the sufficiency of the procedures.”
The standard also now permits general use reports. “We still say that if the subject matter is such that the report should be restricted, the practitioner certainly still has the ability to restrict the engagement,” said Dohrer. “But we generally permit general use reports, because we just think that is in the public interest. The public generally can benefit from the information contained in these reports, so we freed that up in that regard. We hope this will be a well-received change and make these engagements more useful and more frequently done and better meet the intended purpose.”
That attest standard is effective for reports dated on or after July 2021, but early implementation is permitted. “Based on feedback we have received already, we are aware this standard is being implemented early quite a lot because of its flexibility and better use,” said Dohrer.