I was in Las Vegas the first part of this week for training on what is being called The Risk Assessment Standards. The Auditing Standards Board has issued 11 new Statements on Auditing Standards over the last 18 months, and all become effective for this year end (some were effective for the 2006 year end).
The vast majority of audits I have performed over the last 12 years or so have been primarily substantive in nature. That means you do a tremendous amount of testing of details - agree account balances to vendor invoices, confirm accounts receivable, etc. And it has meant placing little or no reliance on the entity's internal control structure. Frankly, this was usually the most efficient approach. Why would I want to spend say 8 hours testing controls if it would only save me 2 hours of audit testing time.
This primarily substantive approach is still possible under the risk assessment standards, but now instead of just saying "control risk at maximum" you have to document how you came to that conclusion.
Instead, we will be working on getting an even better understanding of the business, and then ask "what could go wrong?" Perhaps the business is a construction contractor that uses the percentage of completion method - that is a complicated calculation and it "could go wrong." Once you have identified these risks, you determine how you are going to respond.
Result: auditors should be more focused on the risk areas and should do a better audit.
More on this coming.