Risk Standards (SAS 106 and 107)

In our previous posts we have discussed several of the new auditing standards that auditors are required to perform for audits with financial statements ending after December 16, 2007. Basically this impacts financial statement audits for years ending December 31, 2007. In this post, we will update you on Statements of Auditing Standard “SAS” # 106 and #107.

SAS 106 – This new standard requires auditors to utilize assertions (i.e. is the account valued correctly? Is this the complete population? Does the client have rights to that asset?), assigned to each account to assess risk and design audit programs. While this step will require additional work in the first year of implementation, it will eventually reduce the amount of testing by eliminating the previously mentioned potential of “over” auditing.

SAS 107 – This step goes hand in hand with SAS #106. Auditors will utilize the audit assertions mentioned above and identify the inherent and control risks for each account within each assertion. The statement provides definitions for the following risks:

Inherent risk - defined as the susceptibility of a material misstatement to a particular account assuming there are no related controls.

Control risk - defined as the susceptibility of a material misstatement to a particular account will go undetected by the controls that are in place.

While this probably sounds like gibberish, in layman’s terms the auditor will assess both of the above-mentioned risks for each account (i.e., cash, inventory, fixed assets, etc…), thus dictating the amount of testing that will be done. So if, for example, the auditors determine that an account has a “low” inherent risk and a “low” control risk, a “low” level or amount of audit testing will be performed. However, if inherent risk and/or control risk is assessed at “moderate” or “high”, then more audit testing will be performed.

Watch for our next post as we discuss the implications described by SAS 108-109.