US U.S. AAM vs. DTTL AAM A Refresher Deloitte Touche Tohmatsu

Transcription

1 US U.S. AAM vs. DTTL AAM A Refresher 2008 Deloitte Touche Tohmatsu

2 Objectives Participants will refresh their knowledge on: Applying the AICPA and the PCAOB Standards. Utilizing the U.S. Audit Approach Manual and other guidance to locate the requirements specific to standards of the AICPA or PCAOB. Planning an audit in accordance with the standards of the AICPA or PCAOB. Conducting an audit of internal control over financial reporting in accordance with the standards of the AICPA or PCAOB. Locating and using resources to support conducting an integrated audit. 2

3 U.S. AAM Refresher 3

4 Engagement letters A properly executed engagement letter shall be obtained for all engagements, including all necessary signatures, before beginning significant portions of fieldwork. The illustrative engagement letters contained in INFORM within the U.S. Technical Library shall be used when preparing an engagement letter. <U.S. Audit Approach Manual Process a and c, emphasis added> 4

5 Engagement letters which form? Which U.S. illustrative engagement letter form would be applicable for the audit of a non-accelerated filer (i.e., an issuer that is not required to have an integrated audit)? FORM 1310SP-FS, IILLUSTRATIVE FINANCIAL STATEMENT AUDIT ENGAGEMENT LETTER PUBLIC ENTITY 5

6 Engagement letters which form? Which U.S. illustrative engagement letter form would be applicable for an integrated audit of a public entity? FORM 1310SP, IILLUSTRATIVE INTEGRATED AUDIT ENGAGEMENT LETTER PUBLIC ENTITY 6

7 Materiality If we are performing an integrated audit, is the determination of materiality different for a financial statement audit and the audit of internal control over financial reporting? No. If we are performing an integrated audit, we shall use the same materiality used to audit the financial statements in planning and performing our audit of internal control over financial reporting. <U.S. Audit Approach Manual b, emphasis added> 7

8 Materiality Benchmark Profit before tax from continuing operations Typically what users of the financial statements focus on Determination of Materiality Typically 5%-10% of estimated profit before tax Engagement partner may use professional judgment to determine use of other percentages <based on DTTL Audit Approach Manual > 8

9 Performance materiality For audits of SEC listed entities, for purposes of determining the amount to be deducted from materiality to arrive at performance materiality, we shall use the greater of the amounts determined using the iron curtain approach and the approach in U.S. AAM <U.S. Audit Approach Manual b, emphasis added> 9

10 Iron Curtain approach The iron curtain approach quantifies a misstatement based on the effects of correcting the misstatement existing in the balance sheet at the end of the current year, irrespective of the misstatement s year(s) of origination. <Based on U.S. Audit Approach Manual Glossary> 10

11 Rollover approach Under the rollover approach, uncorrected misstatements include those that have an impact on net income and include the current period carryover effects of misstatements identified in prior periods <U.S. Audit Approach Manual Glossary> 11

12 Rollover vs. Iron Curtain example Assume that in 20X2, Registrant A began over-accruing a liability each year by $20. Therefore, at the end of 20X6, liabilities are overstated by $100. The $20 annual over-accrual was not considered material to any of the individual prior period financial statements. In 20X6, should the registrant evaluate the error in the current year as a $100 overstatement of liabilities (iron curtain approach), or as a $20 overstatement of expenses (rollover approach)? 12

13 Rollover vs. Iron Curtain example 20x6 Iron Curtain A 20x6 Rollover B Overstatement of expenses $ 20 $ 20 Entry to adjust (100) (20) Understatement of expenses (as adjusted) $ (80) $ Overstatement of liabilities $ 100 $ 100 Entry to adjust (100) (20) Overstatement of liabilities (as adjusted) $ $ 80 A Under the Iron Curtain approach, after the adjustment, entries will be correct but expenses will be understated by $ B

14 Rollover vs. Iron Curtain example: Solution In 20X6, should the registrant evaluate the error in the current year as a $100 overstatement of liabilities (iron curtain approach), or as a $20 overstatement of expenses (rollover approach)? Evaluate the errors using both approaches and adjust the Financial statements if either approach results in quantifying a misstatement that is material. The 100 overstatement in 2006 under the iron curtain approach is material, thus the FS should be adjusted. The 80 understatement of expenses is also material for 2006, thus prior year FS should be corrected regardless of materiality for those years. 14

15 Develop overall audit strategy and audit plan for group audits AICPA and PCAOB audits When an entity has components, the group engagement team is required to identify material classes of transactions, account balances, and disclosures and their relevant assertions based on the consolidated financial statements <U.S. Audit Approach Manual G860.01b and a> The group engagement team is required to determine the extent to which audit procedures should be performed at selected components to obtain sufficient appropriate audit evidence to obtain reasonable assurance about whether the group financial statements are free of material misstatement. Note: This includes determining the components at which to perform audit procedures, as well as the nature, timing, and extent of the procedures to be performed at those individual components. In determining the components at which to perform audit procedures, the group engagement team is required to assess the risks of material misstatement to the group financial statements associated with the component and correlate the amount of audit attention devoted to the component with the degree of risk of material misstatement associated with that component. <U.S. Audit Approach Manual G860.01c> 15

16 Develop overall audit strategy and audit plan for group audits AICPA and PCAOB audits Consider these factors when assessing the risks of material misstatement associated with a particular component and the determination of the necessary audit procedures: The nature and amount of assets, liabilities, and transactions executed at the component The materiality of the component The risks associated with the component that present a reasonable possibility of material misstatement to the group financial statements Whether the risks of material misstatement associated with the component apply to other components such that, in combination, they present a reasonable possibility of material misstatements to the group financial statements The degree of centralization of records or information processing The effectiveness of the control environment, particularly with respect to management s control over the exercise of authority delegated to others and its ability to effectively supervise activities at the component The frequency, timing, and scope of monitoring activities by the entity or others at the component Whether significant changes have occurred during the period under audit The length of time since a particular component was last selected and the results of the audit procedures performed. <U.S. Audit Approach Manual G860.01d> 16

17 Scope the group audit AICPA and PCAOB audits Determine whether there is a reasonable possibility of material misstatement in the residual balance of a consolidated material balance In order to determine whether our audit plan is sufficient, it is important to evaluate whether our plan will allow us to conclude that we have obtained sufficient appropriate audit evidence to obtain reasonable assurance about whether the group financial statements are free of material misstatement. As such, the group engagement team is required to evaluate whether the portion of each material balance at the group level * for which no substantive procedures are planned at the group or component level (i.e., the residual balance of the material balance at the group level) presents a reasonable possibility of material misstatement to the group financial statements. *Material balances at the group level include income statement and balance sheet accounts that are material to the group financial statements, considering both quantitative and qualitative factors <U.S. Audit Approach Manual G860.02g> 17

18 Scope the group audit AICPA and PCAOB audits Example: The group engagement team s planned scope is as follows Horizontal scoping : Subjected to Substantive Procedures in the CY Residual Balance Cash 79% 21% Accounts Receivable 70% 30% Other Current Assets 77% 23% Goodwill 100% 0 Significant Components Residual Balance - Consolidated Material Account Balances Assets Total Balance at Significant Components % of balance tested at significant components U.S. 3 EMEA 1 EMEA 3 APAC Total % Remaining Cash $9,180,733 79% $492,000 $264,000 $700,000 $980,820 $2,436,820 21% Accounts Receivable 6,073,946 70% 800, ,000 1,000,000 2,600,000 30% Other Current Assets 630,000 77% 50,000 40, , ,000 23% Goodwill 20,970, % 0% 18

19 Scope the group audit AICPA and PCAOB audits Determine whether there is a reasonable possibility of material misstatement in the residual balance of a consolidated material balance (continued) Considerations (AS 9.12 and G860.01d): The nature and amount of assets, liabilities and transactions executed at the component The materiality of the component The risks associated with the component that present a reasonable possibility of material misstatement to the group financial statements Whether the risks of material misstatement associated with the component apply to other components such that, in combination, they present a reasonable possibility of material misstatement to the group financial statements The degree of centralization of records or information processing The effectiveness of the control environment The frequency, timing, and scope of monitoring activities Whether significant changes have occurred during the period under audit The length of time since a particular component was last selected and the results of the audit procedures performed. 19

20 Scope the group audit AICPA and PCAOB audits Determine Whether there is a Reasonable Possibility of Material Misstatement in the Residual Balance of a Consolidated Material Balance If, after performing the analysis on the preceding slides, the group engagement team determines that a reasonable possibility of material misstatement to the group financial statements exists in the residual balance of one or more material balances at the group level, the group engagement team is required to modify the audit plan accordingly. <U.S. Audit Approach Manual G860.02h> 20

21 Communicate with component auditors PCAOB audits The ISAs require the group engagement team to request the component auditor to communicate matters relevant to the group engagement team s conclusion with regard to the group audit. <U.S. Audit Approach Manual G885.06> The standards of the PCAOB have specific requirements on the documentation that must be obtained, reviewed, and retained by the group engagement team related to the work performed by the component auditors. Some of this documentation may have been obtained in connection with complying with U.S. AAM G (See next slide for detail listing) <U.S. Audit Approach Manual G885.06b> The standards of the PCAOB, also require the group engagement team to determine that the component auditors' audit documentation is prepared and retained in compliance with the standards of the PCAOB. <U.S. Audit Approach Manual G885.07ab> 21

22 Communicate with component auditors PCAOB audits PCAOB AS 3.19 and PCAOB AU require that the following be obtained, reviewed, and retained by the group engagement team: An audit summary memorandum, including all cross-referenced supporting working papers relating to significant matters and significant documentation matters A list of significant risks, the component auditors' response, and the results of the component auditors' related procedures Sufficient information relating to any significant matters that are inconsistent with or contradict the final conclusions Any findings affecting the consolidating or combining of accounts in the consolidated financial statements Sufficient information to enable the office issuing the audit report to agree or to reconcile the financial statement amounts to the information underlying the consolidated financial statements A schedule of accumulated misstatements, including a description of the nature and cause of each accumulated misstatement, and an evaluation of uncorrected misstatements, including the quantitative and qualitative factors the component auditor considered to be relevant to the evaluation All significant deficiencies and material weaknesses in internal control over financial reporting, including a clear distinction between those categories Letters of representations from management All matters to be communicated to those charged with governance. <U.S. Audit Approach Manual G885.06b>: 22

23 Information produced by the entity When using information produced by the entity we shall evaluate whether the information is sufficiently reliable for our purposes, including as necessary in the circumstances (1)Obtaining audit evidence about the accuracy and completeness of the information, and (2)Evaluating whether the information is sufficiently precise and detailed for our purposes. <U.S. Audit Approach Manual G510.11> 23

24 Reliance on information produced by the entity When information produced by the entity is used by us to perform audit procedures, we should obtain audit evidence about the completeness and accuracy of the information Controls over preparation and maintenance of information produced by the entity include the following elements: Controls over the accuracy and completeness of the source data Controls over the creation and modification of the applicable report logic and parameters. Controls over the accuracy and completeness of the source data may be addressed by our tests of controls of the related classes of transactions, account balances, and disclosures. Additional testing of general IT controls may provide audit evidence that the program and data sources are protected from unauthorized access or changes. <Based on U.S. Audit Approach Manual G b> 24

25 Illustrative example 1 Information produced by the entity is tested through typical substantive procedures The engagement team is evaluating the following control: The assistant controller reviews an Accounts Receivable (AR) Aging Report on a monthly basis in determining the appropriateness of the reserve for bad debt. The AR Aging report is a standard report (non-customized) generated out of the SAP ERP application. The following procedures were performed by the engagement team during their substantive testing of AR. Foot and crossfoot aging report (Accuracy); Agree Total Aging Balance to G/L (Completeness); Selected a sample of A/R confirms and traced them into the Aging Report (Accuracy); AND Determine appropriateness of aging for a sample of line items in the Aging Report (Accuracy Aging) 25

26 Illustrative example 2 Information produced by the entity is used to perform a control The engagement team is evaluating the following control: The Assistant Controller reviews an ERP report that identifies the number of units sold by SKU and units in ending inventory by SKU to compute the number of months sales on hand. This information is then used to evaluate the inventory valuation. Question #1 Controls over the accuracy and completeness of the source data are addressed by our tests of controls of the sales and inventory systems, including the proper SKU. (Note: When designing control and substantive procedures, consider the IPE that will be utilized and design control or substantive tests to incorporate appropriate testing related to the proper entry of SKU upon sales to increase efficiencies and eliminate the need for additional samples.) Question #2 Select X items from (1) the sales journal and perpetual inventory and trace back to bill of ladings or production data and (2) the bill of lading or production records and trace to the source data. Alternatively, consider integrating this testing into the detail tests of sales and inventory (i.e., use the same samples for both purposes). 26

27 Illustrative example 2 (continued) Year 1 Approach Source Data: Test the accuracy and completeness of source data through testing controls over the sales and inventory systems, including entry of SKU when a sale occurs. Report Logic: Test the report directly to determine whether the report is being appropriately created by: Reconciling sales and inventory amounts to sales journal and perpetual inventory. Select X items from the number of units sold and the units in ending inventory columns of the report and trace back to the source data by SKU (e.g., the sales journal or perpetual inventory). Foot and cross-foot report totals and recalculate Year 2 Approach Source Data: Same as Year 1 approach Report Logic: Carry forward a summary of direct testing of the report logic performed in the previous year, including a description of the report, how it was tested, and the conclusions we reached. Obtain evidence in the change management system that validates that the source code underlying the report has not been changed since it was previously tested by us. 27

28 Information produced by the entity FAQs Information produced by the entity (IPE) FAQs includes: FAQs on the requirements and guidance in U.S. AAM G510 Illustrative testing approaches by IPE type Illustrative testing approaches for certain IPE fact patterns 28

29 Access the IPE FAQs 1. Deloitte Technical Library 2. Deloitte Policies and Guidance 3. U.S. Guides, Practice Aids, and FAQs for Auditors 4. Audit Process 29

30 Nature of tests of controls Inquiry Observation Inspection Reperformance Least Evidence Most Evidence Some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. 30

31 Timing for tests of controls 31

32 Illustrative example 32

33 Figure Nature of Control Frequency of Performance of the Control Number of Selections Control Addresses a Significant Risk No Deviations Planned Post-Change Pre-Change Manual Many times per day Manual Daily Manual Weekly 8 5 Manual Monthly 3 2 Manual Quarterly 2 1 Manual Annually 1 1 We may use professional judgment to determine that larger sample sizes may be appropriate <U.S. Audit Approach Manual > Effective for all audits for periods beginning on or after December 15,

34 Figure

35 OE testing strategy thought process Control Environment Risk Assessment Monitoring Risks Identified? Significant Risk Normal risk Where can we leverage knowledge obtained from prior year audits? Where do we think we need to get or are already getting our own independent evidence? Where can we leverage use of work of others? Information & Communication General IT Controls e.g., Lower risk, No significant changes e.g., Higher risk, observations, dual purpose tests e.g., Competent, objective evidence Business Cycles Options: PYK Independent testing UWO Combination 35

36 Deviations and deficiencies A deviation (or an exception) is a condition that exists if we identify circumstances that indicate that a control is not being performed in the manner described by the entity. A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. 36

37 Considerations when evaluating deviations Deviation from control Specific inquiries To determine The tests of controls that have been performed provide an appropriate basis for reliance on the controls Additional tests of controls are necessary The potential risks of misstatement need to be addressed using substantive procedures. <based on US Audit Approach Manual > 37

38 Ineffective general IT controls Nature and significance Likelihood of increased risk Pervasiveness Cause and frequency Assessing impact of Ineffective general IT controls Complexity of environment Relates to material COTABD? Proximity to applications and data 38

39 General IT controls General IT controls are ordinarily not designed to address risks of material misstatement at the assertion level. Instead, general IT controls address risks arising from IT that may affect the continued effective operation of automated application controls and the reliability of information produced by the entity. Although ineffective general IT controls do not by themselves cause misstatements, they may cause application controls to operate improperly, thereby allowing misstatements to occur and not to be detected. General IT controls are assessed in relation to the associated risk arising from IT and their effect on applications and data that become part of the Financial Statements. 39

40 Concluding on an audit of ICFR Objective Express opinion on effectiveness of ICFR If material weaknesses exist, ICFR is not effective <AS 5 paragraph 2>. Auditors obtain evidence about whether material weaknesses exist at date of management s assessment. Therefore we evaluate severity of any identified deficiency(s) to assess whether they represent a material weakness. 40

41 Considerations when evaluating deficiencies Circumstances and reasons for deviation Impact statistically if using attribute sampling Effect on our test of OE of controls Management s actions Considerations Qualitative factors affecting the likelihood that a misstatement could occur 41

42 Questions on other areas of differences between US AAM and DTTL AAM 1.When performing an integrated audit, are we required to test the operating effectiveness of controls in each of the five components? 2.Could a risk of material misstatement for an assertion be related to one or a combination of relevant controls? 3.Can an engagement team perform their testing of a control subsequent to period-end? 4.For integrated audits, if an entity adopts new controls during the year, do we need to test the controls being replaced? 5.What are the required control procedures to be performed on equity method investments? 42

43 Answers 1.Yes 2.Yes 3.Yes 4.Yes 5.The selection of accounting methods for its investments. The recognition of equity method earnings and losses. The audit ordinarily would not extend to controls at the equity method investee. 43

44 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. This publication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and its and their affiliates. None of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing s affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication Deloitte Touche Tohmatsu