AS 3301: The Auditor’s Response to Assessed Risks
Explore how AS 3301 guides an auditor's strategic approach and specific actions to address identified risks in a company's financial statements.
The standard AS 2301 is a directive from the Public Company Accounting Oversight Board (PCAOB), which sets auditing standards for U.S. public companies. AS 2301 establishes the framework for how an independent auditor must respond to the risks of material misstatements discovered while examining a company’s financial statements.
When an auditor identifies risks that could affect the financial statements as a whole, AS 2301 requires them to implement broad, strategic responses. These responses are adjustments to the overall audit approach, creating a more rigorous audit environment tailored to the heightened risk level.
One response involves the assignment and supervision of the audit team. The standard dictates that team members with responsibilities must have knowledge and skills that align with the specific risks identified. For instance, if a company has complex financial instruments, an auditor with expertise in that area must be assigned. The level of supervision over the audit team is also increased to match the assessed risk.
Auditors are required to approach the engagement with professional skepticism. This means maintaining a questioning mind and critically assessing all audit evidence, rather than simply accepting management’s explanations without corroboration. For example, if management provides a reason for a sudden increase in revenue, the auditor must seek independent evidence to support that claim.
Another response is incorporating unpredictability into the audit plan by performing procedures on accounts or at locations not normally selected for testing. The element of surprise prevents management from anticipating the auditor’s moves, making it more difficult to conceal misstatements. This approach is similar to a surprise inspection, designed to get a more honest view of how processes are working.
To address specific risks at the assertion level—claims made by management about individual accounts or disclosures—auditors perform targeted audit procedures. AS 2301 classifies these into two main categories, and their design is responsive to the risk’s nature and severity. A higher assessed risk demands more persuasive audit evidence.
The first category is tests of controls. An internal control is a company process designed to ensure reliable financial reporting, such as requiring a second person to approve large payments. The auditor tests these controls to determine if they are designed effectively and have operated as intended. For example, to test a sales control, an auditor might examine a sample of invoices for proper authorization.
The second category, substantive procedures, is designed to directly detect material misstatements in financial figures and disclosures. These procedures provide evidence about the dollar amounts and details of accounts to determine if the financial statements are correct.
Substantive procedures are divided into two types, the first being tests of details. These tests involve examining individual transactions, account balances, or disclosure items. An example is confirming accounts receivable by communicating directly with a company’s customers. Another is the physical observation of inventory to confirm its existence and condition.
The other type is substantive analytical procedures, which evaluate financial information by studying plausible relationships among data. For instance, an auditor might analyze the relationship between a hotel’s reported revenue and its occupancy rates. If the reported revenue is higher than what occupancy rates suggest, it could indicate a misstatement requiring further investigation.
After performing audit procedures, the auditor must evaluate the evidence gathered to form a final judgment.
The first step is to accumulate all misstatements found during the audit, other than those that are clearly trivial. This includes both factual misstatements and those arising from judgment or estimation differences. The auditor maintains a running tally of these items throughout the engagement.
Next, the auditor must assess whether the accumulated misstatements are material, individually or when combined. A misstatement is material if it could reasonably be expected to influence the economic decisions of those using the financial statements. This evaluation requires professional judgment and considers both the quantitative size and qualitative nature of the misstatements.
Finally, the auditor must conclude whether they have obtained sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. This conclusion, based on all procedures and findings, directly informs the auditor’s final opinion on whether the financial statements are presented fairly.